View Poll Results: How often do you upgrade your kernel?
The one that is in my head: never...
My Linux ones: Only when I'm forced to do it (newer kernel needed by new software).
Agreed. There have been times where I've waited 2+ years and mitigated the risk (and things were fine). This is for a server that I treat as a production machine, though it's for my own use and isn't business-affiliated. For a network that is exclusively Linux though (or close to it), I'd probably have a more frequent upgrade plan.
The only correct answer for a machine that's connected to the net is "each time there's a new stable release". Unfortunately there's no such option in the poll, I will vote more than once a month because that's roughly every two weeks I think.
I'm pretty much with Jesús above -- I follow the patches on kernel.org, and when one either is security related, or fixes or improves something related to my hardware (or in the case of major (?) version increases like from 2.6.30 -> 2.6.31), I generally patch up to that release and rebuild. Sometimes this means rebuilding more than once per month, and sometimes less often. I voted for option 4.
Believe it or not, due to office change control procedures and/or politics, it's not always possible to perform frequent kernel upgrades. It's easy to take a hard line on this (which I agree with, BTW), but when the boss man refuses and you have a mortgage to pay, you'll likely adhere to the formal policy.
I voted "once a year". That's what it realistically is on certain production systems.
Indeed business agreements dictate different upgrade routines but for a net-facing SOHO machine to only receive updates on a yearly basis or more just does not seem right IMHO. For me personally it's within 24 hours of time of update for (almost all) machines.
Since there is at least one local level privilege escalation exploit a year that is a pretty bad move to do it only once a year or less.
I've been using fanout to run a yum update and then reboot multiple servers at once.
Then I have fanout run uname to make sure the kernel upgrade took effect. Sometimes I have to change grub, or yum has a dependency problem that needs fixing.
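The post-reboot check described in the post above (confirming with `uname` that the kernel upgrade took effect), as an added example that is not part of the original thread. It assumes one constructed report line per host with the running kernel followed by the installed kernel versions, uses GNU `sort -V` as an approximation of package version ordering, and the function names are hypothetical; how the lines are collected from each server is not shown.

```shell
#!/bin/sh
# Added example: flag hosts whose running kernel is not the newest installed one,
# e.g. because the reboot did not happen or the boot loader default is an old entry.
# Input format (an assumption, one line per host):
#   <host> <running kernel from uname -r> <installed kernel versions...>

# Print the highest version among the arguments (GNU sort -V version ordering).
newest_kernel() {
    printf '%s\n' "$@" | sort -V | tail -n 1
}

# Read host lines on stdin; print one line for each host that is not running
# its newest installed kernel.
stale_hosts() {
    while read -r host running installed; do
        [ -n "$host" ] || continue
        # Word splitting of the version list is intended here.
        newest=$(newest_kernel $installed)
        if [ "$running" != "$newest" ]; then
            printf '%s running=%s newest=%s\n' "$host" "$running" "$newest"
        fi
    done
}

# Constructed sample data, not output from any real server.
sample_report() {
    cat <<'EOF'
web1 2.6.18-164.el5 2.6.18-128.el5 2.6.18-164.el5
web2 2.6.18-128.el5 2.6.18-128.el5 2.6.18-164.el5
db1 2.6.18-92.el5 2.6.18-92.el5 2.6.18-164.el5 2.6.18-128.el5
EOF
}

sample_report | stale_hosts
```

A host listed here has the update installed but is still running an older kernel, which is the case a plain "update succeeded" message does not reveal.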
For workstations that don't contain anything critical you can live with the same kernel for 20 years if that's your boss' wish, but for a production machine that's exposed to the net, that's just plain wrong. If that's the boss' policy, so be it, but that doesn't make it any better.
I know you have no control over that, but it's like everything wrong in life: you can ignore it or try to change it.
So how about machines that are not part of the critical infrastructure but may serve as springboard to other systems?..
It depends on the kind of access they have to the critical systems. Anything containing sensible info should be secured as much as possible. It needs to be evaluated on a case by case basis.
In general, I never neglect any machine, even if its function is apparently trivial.