> Finally, it only takes one security failure in the update process for
> someone undesirable to "own" all the FreeBSD machines that have been
> left in this default mode. Despite the best efforts of FreeBSD
> developers, FreeBSD will always contain bugs and some of them will
> be security holes. Any automatic update process needs to balance
> the benefits of reducing the number of unpatched boxes against the
> risks of the update system being subverted.

I couldn't agree more. One of the major problems with
unattended/automatic updating is that it is hard to filter them. I don't
install updates on a system that doesn't _need_ them.
I think that the solution to this problem lies in a reliable and
comprehensive notification mechanism for admins that tells them to
upgrade once some part (base or ports) of the system is vulnerable to
attacks. And as a second part of the solution, I'd like to see handy
tools to ease the actual upgrading process for the admin.
The notification mechanism is okay via mailing lists, although that
requires an admin to memorize a list of installed packages/ports which
can be a pain with lots of boxes to take care of. Personally, I like the
way portaudit works, notifying me (via the daily run) of any pending
issues. It's a very effective system mainly because it keeps nagging you
every day and makes it hard to forget about an issue that still applies.
In a different corner is portupgrade which basically constitutes a
highly usable tool but has minor annoyances that really complicate
things. For example, when upgrading MySQL -- even with mysql_enable=YES
in rc.conf, portupgrade will stop the server but not restart it. Is there
any plausible reason for this behaviour? I can't think of any. In fact,
I resort to
# portupgrade mysql-server && /usr/local/etc/rc.d/mysql restart
which is really annoying if a lot of services will be upgraded that
aren't automatically restarted. This would be a good thing to take care of.
All in all: FreeBSD is my system of choice for servers, Gentoo for
workstations (which is pretty much like a Linux-flavoured FreeBSD).
Especially due to the still almost painless way of keeping the system
current.
Cheers
Clemens
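The "upgrade, then remember to restart" step from the post, turned into a small wrapper as an added example (this is not code from the post, from Clemens, or from the FreeBSD project). It snapshots the package list before and after `portupgrade` and restarts only the rc.d services whose package version actually changed. The package-to-service table, the sample package snapshots and the use of `pkg_info | awk '{print $1}'` for the snapshot are assumptions made for illustration; only the `/usr/local/etc/rc.d/<service> restart` path comes from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: a wrapper around
# portupgrade that restarts the rc.d services of the ports that were
# actually upgraded, so a server upgrade does not leave a daemon stopped.
# The package-to-service table and the sample package lists below are
# assumptions constructed for illustration; only the rc.d restart path
# comes from the post.

# Map a package base name (version stripped) to its rc.d script name.
# Hypothetical table: extend it for the services on your own hosts.
service_for_pkg() {
    case "$1" in
        mysql-server) echo mysql ;;
        postfix)      echo postfix ;;
        *)            echo "" ;;
    esac
}

# services_to_restart BEFORE AFTER
# BEFORE and AFTER are package lists, one "name-version" per line, as
# printed by `pkg_info | awk '{print $1}'`. Prints, sorted and unique,
# the rc.d services whose package version changed between the two lists.
services_to_restart() {
    before=$1
    after=$2
    printf '%s\n' "$after" | while IFS= read -r pkg; do
        if [ -z "$pkg" ]; then continue; fi
        name=${pkg%-*}                          # strip the trailing -version
        # Find the entry in BEFORE with the same base name (exact match).
        old=$(printf '%s\n' "$before" | awk -v n="$name" \
            '{ b = $0; sub(/-[^-]*$/, "", b); if (b == n) { print; exit } }')
        if [ -n "$old" ] && [ "$old" != "$pkg" ]; then
            svc=$(service_for_pkg "$name")
            if [ -n "$svc" ]; then echo "$svc"; fi
        fi
    done | sort -u
}

# upgrade_and_restart PORT...
# Snapshot the package database, run portupgrade, snapshot again and
# restart whatever changed: the post's
#   portupgrade mysql-server && /usr/local/etc/rc.d/mysql restart
# generalised to every service in the table above.
upgrade_and_restart() {
    before=$(pkg_info | awk '{print $1}')
    portupgrade "$@" || return $?
    after=$(pkg_info | awk '{print $1}')
    for svc in $(services_to_restart "$before" "$after"); do
        /usr/local/etc/rc.d/"$svc" restart
    done
}

# Constructed sample snapshots: mysql-server was upgraded, the rest were not.
SAMPLE_BEFORE="mysql-server-4.1.14
postfix-2.2.5
bash-3.0.16"
SAMPLE_AFTER="mysql-server-4.1.15
postfix-2.2.5
bash-3.0.16"

# `sh wrapper.sh --demo` shows which services the sample upgrade would
# restart without touching the system; upgrade_and_restart itself is only
# meant for a real FreeBSD host with portupgrade installed.
if [ "${1:-}" = "--demo" ]; then
    services_to_restart "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
fi
```

Packages that change but have no entry in the table (bash in the sample) are ignored, which is the point: a restart list derived from what was actually upgraded, not from a fixed list of daemons, is what keeps the wrapper from either forgetting a service or bouncing ones that did not change.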
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security