
Re: what's your Debian uptime?

On Thu, Apr 18, 2013 at 10:31:35PM -0500, Stan Hoeppner wrote:
> Second, your methodology doesn't scale.  For large scale operations
> installing new kernel patches every few weeks simply isn't financially
> feasible/responsible.  Even a junior admin's salary is better spent on
> things other than managing mass kernel upgrades.  If one builds
> minimalist kernels one dramatically decreases frequency of mandatory
> kernel security patches.  The security related flaws are typically in
> subsystems that are not part of a minimalist kernel.

This is not necessarily true for everyone. There are a lot of local factors to
take into account. In a large, heterogeneous environment, there's a significant
investment of time required to properly manage rolling your own kernels across
different distributions and versions thereof, plus the required time and
expertise to assess each and every security release regarding a kernel to make
a proper assessment as to whether you are vulnerable or not, on a system by
system basis.  Managing the roll-out of distribution kernel updates, even if
you might not be relying on the specific feature that is vulnerable, can be a
more pragmatic choice. It certainly is at my place of work.

There have been interesting examples of vulnerabilities in kernel modules that
people aren't using but can still be exploited, if the system can be coerced 
into loading the module. Esoteric network protocols are one interesting example.
An insufficiently-careful look at a security update may mean such a vulnerability
is left lurking, because it's in a feature one doesn't need. Even if you don't
build those modules as part of your minimalist kernel, there are some situations
where a third party can build a module for your running kernel and the machine
be coerced into loading it (I think there was that bug regarding where cores go
during segfaults which was one such vector).

On that note, one of the best tips I've ever received regarding keeping systems
secure is to disable module loading at run time, once the system has all the
necessary modules loaded to provide the service it is supposed to do.  As a side
effect this would prevent you from updating kernel modules whilst keeping the
host up.

Of course, you may mean disabling module support when you say minimalist kernel.
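
The tip above maps to the Linux `kernel.modules_disabled` sysctl, a one-way switch that cannot be cleared again without a reboot. The following is an added example, not part of the original message, that sets it only after every module in a required list is loaded; the list file and the `PROC_MODULES`/`LOCK_FILE` override variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: disable run-time module loading only once the host has
# everything it needs. The two variables below default to the real kernel
# interfaces and can be overridden to exercise the logic on constructed files.
PROC_MODULES="${PROC_MODULES:-/proc/modules}"
LOCK_FILE="${LOCK_FILE:-/proc/sys/kernel/modules_disabled}"

# Print every module named in the list file $1 (one per line, '#' comments
# allowed) that is not currently loaded. /proc/modules always uses
# underscores, so hyphens in the list are normalised first. Code built into
# the kernel never appears in /proc/modules; list loadable modules only.
missing_modules() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' -e 'y/-/_/' "$1" |
    while read -r mod; do
        awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' \
            "$PROC_MODULES" || printf '%s\n' "$mod"
    done
}

# Set the switch. Returns 0 when loading is (or already was) disabled,
# 1 when a required module is still missing, 2 when the kernel does not
# expose the interface.
lock_modules() {
    [ -e "$LOCK_FILE" ] || { echo "no modules_disabled interface" >&2; return 2; }
    if [ "$(cat "$LOCK_FILE")" = "1" ]; then
        echo "module loading already disabled"
        return 0
    fi
    missing=$(missing_modules "$1")
    if [ -n "$missing" ]; then
        # Locking now would leave the service broken until the next reboot.
        echo "refusing to lock; not loaded:" $missing >&2
        return 1
    fi
    echo 1 > "$LOCK_FILE"
}
```

Run `lock_modules` as root with the path to the host's list file as the last step of boot, after the services it supports have started.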
