On Thu, Apr 18, 2013 at 10:31:35PM -0500, Stan Hoeppner wrote:
> Second, your methodology doesn't scale. For large scale operations
> installing new kernel patches every few weeks simply isn't financially
> feasible/responsible. Even a junior admin's salary is better spent on
> things other than managing mass kernel upgrades. If one builds
> minimalist kernels one dramatically decreases frequency of mandatory
> kernel security patches. The security related flaws are typically in
> subsystems that are not part of a minimalist kernel.
This is not necessarily true for everyone. There are a lot of local factors to take into account. In a large, heterogeneous environment, there's a significant investment of time required to properly manage rolling your own kernels across different distributions and versions thereof, plus the required time and expertise to assess each and every security release regarding a kernel to make a proper assessment as to whether you are vulnerable or not, on a system by system basis.

Managing the roll-out of distribution kernel updates, even if you might not be relying on the specific feature that is vulnerable, can be a more pragmatic choice. It certainly is at my place of work.

There have been interesting examples of vulnerabilities in kernel modules that people aren't using but can still be exploited, if the system can be coerced into loading the module. Esoteric network protocols are one interesting example. An insufficiently-careful look at a security update may mean such a vulnerability is left lurking, because it's in a feature one doesn't need. Even if you don't build those modules as part of your minimalist kernel, there are some situations where a third party can build a module for your running kernel and the machine be coerced into loading it (I think there was that bug regarding where cores go during segfaults which was one such vector).

On that note, one of the best tips I've ever received regarding keeping systems secure is to disable module loading at run time, once the system has all the necessary modules loaded to provide the service it is supposed to do. As a side effect this would prevent you from updating kernel modules whilst keeping the host up.

Of course, you may mean disabling module support when you say minimalist kernel.

-- 
Archive: http://lists.debian.org/20130419140918.GB7014@debian
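The run-time module-loading lockdown described in the reply, as an added example that is not part of the original thread or of any Debian tooling. It uses the Linux `kernel.modules_disabled` sysctl (a real, one-way switch: once set to 1 it stays set until reboot, which is exactly the "can't update modules on a live host" side effect the reply mentions). The allowlist check, the `/etc/sysctl.d` fragment and all function names are this example's own; the `demo` function runs the checks against constructed sample files rather than the live host, and `lock_module_loading` is the only part that needs root.

```shell
#!/bin/sh
# Added example (not code from the original mailing-list post): audit and lock
# run-time module loading on Linux via the kernel.modules_disabled sysctl.
# Assumes Linux with CONFIG_MODULES and /proc mounted; sysctl(8) is needed only
# for lock_module_loading. Setting modules_disabled=1 is one-way until reboot.

MODULES_DISABLED_FILE="${MODULES_DISABLED_FILE:-/proc/sys/kernel/modules_disabled}"
PROC_MODULES="${PROC_MODULES:-/proc/modules}"

# modules_disabled_state [FILE]: print "locked" (1), "open" (0) or "unsupported".
# Exit status 0 = locked, 1 = open, 2 = cannot tell.
modules_disabled_state() {
    file="${1:-$MODULES_DISABLED_FILE}"
    [ -r "$file" ] || { echo unsupported; return 2; }
    case "$(cat "$file")" in
        1) echo locked; return 0 ;;
        0) echo open;   return 1 ;;
        *) echo unsupported; return 2 ;;
    esac
}

# loaded_module_names [FILE]: module names from a /proc/modules-format file, sorted.
loaded_module_names() {
    awk '{ print $1 }' "${1:-$PROC_MODULES}" | sort
}

# unexpected_modules ALLOWLIST [FILE]: print loaded modules not in the allowlist
# (one name per line); exit 1 if there are any. Run this before locking so the
# lock does not freeze in a module you did not mean to keep.
unexpected_modules() {
    extra=$(loaded_module_names "${2:-$PROC_MODULES}" | grep -vxF -f "$1")
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# sysctl_dropin: the /etc/sysctl.d fragment that re-applies the lock on every boot.
sysctl_dropin() {
    cat <<'EOF'
# Disable run-time module loading once all required modules are loaded.
# One-way switch: it cannot be cleared without a reboot, so module updates
# on a live host are no longer possible after this takes effect.
kernel.modules_disabled = 1
EOF
}

# lock_module_loading ALLOWLIST: apply the lock now (root required). Refuses
# if modules outside the allowlist are currently loaded.
lock_module_loading() {
    if ! unexpected_modules "$1" >/dev/null; then
        echo "refusing to lock: unexpected modules loaded" >&2
        return 1
    fi
    sysctl -w kernel.modules_disabled=1
}

# demo: run the checks against constructed sample files, not the real host.
demo() {
    dir=$(mktemp -d)
    printf '0\n' > "$dir/modules_disabled"
    # Constructed /proc/modules sample: name size refcount deps state address
    cat > "$dir/modules" <<'EOF'
ext4 737280 1 - Live 0x0000000000000000
demo_extra 16384 0 - Live 0x0000000000000000
EOF
    printf 'ext4\n' > "$dir/allow"
    echo "state: $(modules_disabled_state "$dir/modules_disabled")"
    if ! unexpected_modules "$dir/allow" "$dir/modules"; then
        echo "(above modules are loaded but not on the allowlist)"
    fi
    rm -rf "$dir"
}
demo
```

On a real host, source the file and run `modules_disabled_state`, then `unexpected_modules /etc/modules.allow` against a list of the modules the service actually needs; only when that is clean does `sysctl_dropin > /etc/sysctl.d/99-modules-disabled.conf` followed by `lock_module_loading /etc/modules.allow` make sense, because after the lock the only way to add or replace a module is a reboot.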