
Risk report: Four years of Red Hat Enterprise Linux 4 (Red Hat Magazine)

Mark Cox, Red Hat's director of security response, has released another of his annual reports on the security risks associated with Red Hat Enterprise Linux. It would be nice to see more distributions doing this kind of reporting on the number of vulnerabilities handled, what their severity was, and how quickly they were addressed. "The aim of this report was to get a measure of the security risk to users of Red Hat Enterprise Linux 4 during the first four years since release. We’ve shown that although on the surface it looks like Red Hat released a large number of security advisories, many of them do not apply to usual or default installations, and only a very small subset are a high risk."

Risk report: Four years of Red Hat Enterprise Linux 4 (Red Hat Magazine)

Posted Mar 11, 2009 23:31 UTC (Wed) by dps (subscriber, #5725) [Link]

There is one metric that is missing: the number of issues sufficient to cause a CERT advisory was, AFAIK, nil. Windows probably managed more than 100 for things that you would expect to be installed.

Some of the extra for Windows is due to exploits for bugs which affected multiple platforms being designed to work with Windows. I think that Windows is a load of features with some security added later, instead of a design which only adds features after a security impact assessment.

Enabling services *does* add security risks on all operating systems, for example file servers make access to sensitive files easier. This is impossible to fix. You can get most of the benefit of file servers, and a lot more security, by using firewalls to prevent access to file servers from the wider internet.

Similarly, backups are targets for theft, but I suspect most people think the benefits are more than the risks, which can be reduced by spending money. Buying a good quality data safe and using it probably has the best cost/benefit ratio. You can also buy, given a lot of money, "dump in the cable" boxes which encrypt the data being backed up.

Wearing my system admin hat, I used to say "You can have that but must accept these risks. Do you want to proceed?", and frequently the answer was "no".
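The firewall point made in the comment above (file services reachable from the local network only, not from the wider internet), as an added example that is not part of the LWN page or the commenter's text. It assumes nftables, an IPv4 LAN given as a CIDR (192.168.1.0/24 by default), SMB on 139/445, rpcbind on 111, NFS on 2049, and that ssh is also admitted from the LAN only; the small CIDR check lets the policy be exercised without loading it into a kernel.

```shell
#!/bin/sh
# Added example, not from the LWN page or the comment author. Assumptions:
# nftables, an IPv4 LAN given as a CIDR (default 192.168.1.0/24), SMB on
# 139/445, rpcbind on 111, NFS on 2049, and ssh admitted from the LAN only.

# Emit an nftables ruleset for a file server whose LAN is $1 (CIDR).
# The input chain drops by default; file-service ports and ssh are
# admitted only from the LAN; replies to our own traffic are accepted.
build_ruleset() {
    lan="$1"
    cat <<EOF
table inet fileserver {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        ip saddr $lan tcp dport { 22, 139, 445, 111, 2049 } accept
        ip saddr $lan udp dport { 111, 2049 } accept
    }
}
EOF
}

# Dotted-quad IPv4 address ($1) to an unsigned integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 when IPv4 address $2 lies inside CIDR $1, else 1.
# This is the same comparison the 'ip saddr $lan' match performs.
in_cidr() {
    net="${1%/*}"
    bits="${1#*/}"
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$2") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Predict how the ruleset treats a *new* TCP connection from $2 to port $3
# when the LAN is $1: prints "accept" or "drop". Established/related and
# loopback traffic are not modelled here.
decide_tcp() {
    lan="$1"; src="$2"; port="$3"
    case "$port" in
        22|139|445|111|2049)
            if in_cidr "$lan" "$src"; then echo accept; else echo drop; fi ;;
        *)  echo drop ;;
    esac
}

LAN="${LAN:-192.168.1.0/24}"
build_ruleset "$LAN"
echo "# LAN host to SMB:      $(decide_tcp "$LAN" 192.168.1.50 445)"
echo "# Internet host to SMB: $(decide_tcp "$LAN" 203.0.113.9 445)"
echo "# LAN host to 8080:     $(decide_tcp "$LAN" 192.168.1.50 8080)"
```

Write the emitted ruleset to a file and load it with `nft -f FILE`; `nft -c -f FILE` parses and checks it without loading. Because the table uses the `inet` family but the accept rules match only `ip saddr`, IPv6 connections to these ports fall through to the default drop, which is the safe failure for a host that is only meant to serve its LAN.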

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds