
Cox: Six years of Red Hat Enterprise Linux 4

Red Hat security team lead Mark J. Cox writes about the "Six Years of Red Hat Enterprise Linux 4" report [PDF] on his blog. It looks at the vulnerabilities that were found and fixed in RHEL 4, along with their severity. "The data we publish is interesting to get a feel for the risk of running Enterprise Linux, but isn't really useful for comparisons with other distributions, or operating systems. One important difference is that it is Red Hat policy to count vulnerabilities and allocate CVE names to all issues that we fix, including ones that are found internally. This is not true for many other vendors including folks like Microsoft and Adobe who do not count or disclose issues they fix which were found internally."


Cox: Six years of Red Hat Enterprise Linux 4

Posted Aug 18, 2011 12:14 UTC (Thu) by colo (guest, #45564) [Link] (2 responses)

It somewhat startles me that even Red Hat seems to think they have to create their corporate PDFs using proprietary technology running on a competitor's non-free OS:

$ pdfinfo RHEL4_RiskReport_6yr_wp_5732067_0311_ma_web.pdf | fgrep Creator
Creator: Adobe InDesign CS5 (7.0.3)

Why not use LaTeX/pdflatex? :)

Cox: Six years of Red Hat Enterprise Linux 4

Posted Aug 18, 2011 12:58 UTC (Thu) by pjones (subscriber, #31722) [Link] (1 responses)

It's certainly not a company policy to do so - as an RH employee I'm fairly surprised Mark didn't use OpenOffice to generate this.

Cox: Six years of Red Hat Enterprise Linux 4

Posted Aug 18, 2011 13:03 UTC (Thu) by mjcox@redhat.com (guest, #31775) [Link]

The source is openoffice (the first few years were docbook), then the design folks do the PDF creation and add the style and better diagrams. It's a shame that the links get lost, which is why I've been keeping the mini-reports for RHEL5 and RHEL6 in HTML.

Cox: Six years of Red Hat Enterprise Linux 4

Posted Aug 18, 2011 16:35 UTC (Thu) by jspaleta (subscriber, #50639) [Link] (1 responses)

Just in case Mr. Cox is still reading along in the comment thread.

You know what I would find interesting? I'd like to see a similar broadside which looks at the vulnerabilities in terms of the value of selinux to mitigate risk to security issues.

The information with regard to selinux impact is in the text of each security notice from RH, but you kinda have to dig for it to get a sense of how valuable selinux is to risk mitigation. And buried information like that is a wasted opportunity to communicate the value of the tech more widely. There is probably some utility in writing up a broadside that communicates the real world impact of relying on the default selinux policy.

Specific questions I'd like to see answered in an selinux impact broadside.

1) What is the quantifiable difference in vulnerability risk for a RHEL 4 system with default selinux policy enabled versus an selinux disabled system over the full 6 years?

2) How many vulnerabilities which were not mitigated by default selinux policy could have been avoided with more restrictive policy adjustments? And what are the functionality tradeoffs in each case?

-jef

Cox: Six years of Red Hat Enterprise Linux 4

Posted Aug 21, 2011 8:53 UTC (Sun) by farnz (subscriber, #17727) [Link]

One slight enhancement to your second request; RHEL supports targeted SELinux policy, but also has a strict policy. How many vulnerabilities would have been mitigated by SELinux strict policy, but not by the supported targeted policy?


Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds