On Mon, May 18, 2009 at 11:51:02AM +0500, Yuriy Grishin wrote:
> Hi, Joachim
>
> I've got that you wanted to say.
> There are some tools for that are available.
> The main problem is that they detect an intrusion *after* the server is
> compromised.
> Intrusion detection systems are good but intrusion prevention systems
> are better.
It is true that a properly updated database might reduce the window of opportunity for an attacker (then again, so does regularly running pkg_add -ui, or, if you are willing to put in a little more work, reading a list like Full-Disclosure and reacting to new vulnerabilities immediately). However, if you cannot afford to be compromised, "patch management" isn't going to help you: you'll have to run programs that don't have holes in the first place. This really isn't impossible, especially not for server-side software.

In other words, I personally don't really see the value of your proposed database. As far as possible, I run secure software; and as far as possible, I keep up to date on the latest known exploits for software that I run.

Joachim