Operating System - Linux

Re: Redhat Kickstart OS Image

 
Simon_G
Occasional Advisor

Redhat Kickstart OS Image

Greetings!

 

I wanted to get a list of OS packages (RHEL) that are safe to install as part of the OS image. We get lots of requests from apps for some packages/tools etc. for apps; also, please, which may be unsafe to install due to security concerns? Any ideas??

 

Regards

 

Simon

Matti_Kurkela
Honored Contributor

Re: Redhat Kickstart OS Image

I don't think there is any software that can be qualified absolutely as "safe".


Also, your security concerns may be different depending on your local situation (e.g. a completely stand-alone, non-internet-connected network inside a secure building is very different security-wise from a world-wide Internet-accessible web server that is not protected by any external firewall).

 

The rule of thumb is: the less software there is, the less potential for bugs and security weaknesses. So don't install things you don't need.

 

Even so, there might be three major classes of software packages:

 

  1. regular tools and libraries for the local users, with no SUID/SGID components or network services: these can only do what the user with a shell access could do on his/her own, so they are the safest type. However, if subjected to malicious data, even these can be sometimes used for evil purposes.
  2. packages containing locally-accessible SUID/SGID binaries: these can allow users to do some things they otherwise couldn't, and may allow a malicious local user to get root access if they contain a bug. Think carefully before installing.
  3. Network-accessible services. Anyone who can access them over the network can also potentially attack them, so any extra services increase the number of ways your server can be attacked. Don't install them if you don't have a clear idea how they will be used. You should also have a plan for configuring/restricting the services you install to suit your requirements. Most network services in RHEL are now disabled by default, and they must be configured or at least deliberately enabled. A notable exception is sshd: in RHEL 6, it is enabled by default and even allows root logins. If your server is not protected by any firewall that restricts SSH access, you should disallow direct root logins and seriously consider allowing SSH access with SSH key-based authentication only. Otherwise anyone on the Internet can try to brute-force your root password.
MK
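A kickstart %post-style script for MK's classes 2 and 3. This is an added example, not code from the original post or from Red Hat. It does two things: prints the SUID/SGID entries from an `rpm -qlv` listing, so a requested package can be vetted for class 2 before it goes into the image, and forces PermitRootLogin and password authentication off in sshd_config in the way MK suggests for class 3, using the fact that sshd honours the first occurrence of a directive. The `demo` data (the package listing and the sshd_config) is constructed; the `rpm -qlvp`/`rpm -qlv` wrappers and the `/etc/ssh/sshd_config` default path assume a RHEL host and are not exercised by the demo.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from Red Hat.
# Two checks for MK's package classes 2 and 3, written so they can run from a
# kickstart %post section (which runs as root inside the installed image) or by
# hand. Assumes POSIX sh with GNU sed/awk. The demo at the bottom uses
# constructed data only, so it runs offline on any Linux box.
set -eu

# ---- Class 2: does a package ship SUID/SGID files? -------------------------
# Reads an "rpm -qlv" style listing on stdin and prints mode + path for every
# entry whose mode string carries the setuid bit (4th character) or the setgid
# bit (7th character). 'S' (bit set but no execute bit) is reported too.
list_setid_entries() {
    awk 'substr($1,4,1) ~ /[sS]/ || substr($1,7,1) ~ /[sS]/ { print $1, $NF }'
}

# Wrappers for real use (assumed rpm invocations; the demo does not call them):
# vet an .rpm file before it is approved, or re-check a package already installed.
setid_in_rpm_file()  { rpm -qlvp "$1" | list_setid_entries; }
setid_in_installed() { rpm -qlv  "$1" | list_setid_entries; }

# ---- Class 3: take sshd off its RHEL 6 defaults ---------------------------
# sshd uses the FIRST occurrence of a directive it finds, so the reliable way to
# force a value is to comment out every active copy and put ours at the top of
# the file. Appending at the end is not enough: a line after a "Match" block
# would only apply inside that block. Keywords are matched case-sensitively
# here, which is fine for the stock file but worth knowing for hand-edited ones.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    {
        printf '%s %s\n' "$key" "$value"
        sed -E "s/^[[:space:]]*($key[[:space:]].*)$/#\1/" "$file"
    } > "$tmp"
    cat "$tmp" > "$file"   # write through the existing inode: owner, mode, SELinux label stay
    rm -f "$tmp"
}

# Disallow direct root logins and password/keyboard-interactive auth; keep keys on.
# Put the admin public keys in authorized_keys BEFORE this runs, or the image
# will be unreachable over SSH.
harden_sshd_config() {
    file=${1:-/etc/ssh/sshd_config}
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" ChallengeResponseAuthentication no
    set_sshd_option "$file" PubkeyAuthentication yes
}

# effective_value FILE KEY: the value sshd will actually use (first active line).
effective_value() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{ print $2 }'
}

demo() {
    # Constructed sample of "rpm -qlv" output (not real package metadata).
    listing='-rwsr-xr-x 1 root root  30768 Feb 22  2012 /usr/bin/passwd
-rwxr-xr-x 1 root root  12345 Feb 22  2012 /usr/bin/example-cli
-rwxr-sr-x 1 root mail   9000 Feb 22  2012 /usr/bin/example-lock
drwxr-xr-x 2 root root      0 Feb 22  2012 /usr/share/doc/example'
    echo "SUID/SGID entries in the sample listing:"
    printf '%s\n' "$listing" | list_setid_entries

    # Constructed stand-in for a stock RHEL 6 sshd_config (root login allowed,
    # passwords accepted), with a Match block to show why we prepend, not append.
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
    harden_sshd_config "$cfg"
    for k in PermitRootLogin PasswordAuthentication PubkeyAuthentication; do
        echo "$k -> $(effective_value "$cfg" "$k")"
    done
    rm -f "$cfg"
}

demo
```

In a real %post section, call `harden_sshd_config` with no argument so it edits /etc/ssh/sshd_config, then run `sshd -t` to syntax-check the result before the image is sealed. The package check is most useful on the .rpm file at approval time (`setid_in_rpm_file foo.rpm`), since that is when a class 2 package can still be refused or replaced.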
Simon_G
Occasional Advisor

Re: Redhat Kickstart OS Image

Thanks MK

I understand the security issue, but this is a complex situation: RPMs need root to install and apps cannot install them, so they have to depend on SAs. I really wanted to know how different companies handle this situation, like maybe a list of packages that are OK to be approved for install. This should be a problem for almost any SA.

Simon
ymahesh81
Occasional Advisor

Re: Redhat Kickstart OS Image

Simon,

 

MK is absolutely right. It is an ongoing process to close the bugs/vulnerabilities which are reported by the security team on the packages that are installed. If you need to close them without the help of SAs, try to get sudo access and install updated packages.