05-19-2014 09:54 AM
Redhat Kickstart OS Image
Greetings!
I wanted to get a list of OS packages (RHEL) that are safe to install as part of the OS image; we get lots of requests from apps for some packages/tools etc. Also, please say which may be unsafe to install due to security concerns. Any ideas?
Regards
Simon
05-20-2014 06:57 AM
Re: Redhat Kickstart OS Image
I don't think there is any software that can be qualified absolutely as "safe".
Also, your security concerns may be different depending on your local situation (e.g. a completely stand-alone, non-internet-connected network inside a secure building is very different security-wise from a world-wide Internet-accessible web server that is not protected by any external firewall).
The rule of thumb is: the less software there is, the less potential for bugs and security weaknesses. So don't install things you don't need.
Even so, there might be three major classes of software packages:
- regular tools and libraries for the local users, with no SUID/SGID components or network services: these can only do what the user with a shell access could do on his/her own, so they are the safest type. However, if subjected to malicious data, even these can be sometimes used for evil purposes.
- packages containing locally-accessible SUID/SGID binaries: these can allow users to do some things they otherwise couldn't, and may allow a malicious local user to get root access if they contain a bug. Think carefully before installing.
- Network-accessible services. Anyone that can access them over the network can also potentially attack them, so any extra services increase the number of ways your server can be attacked. Don't install if you don't have a clear idea how these will be used. You should also have a plan for configuring/restricting the services you install to suit your requirements. Most network services in RHEL are now disabled by default, and they must be configured or at least deliberately enabled. A notable exception is sshd: in RHEL 6, it is by default enabled and even allows root logins. If your server is not protected by any firewall to restrict SSH access, you should disallow direct root logins and seriously consider allowing SSH access with SSH key-based authentication only. Otherwise anyone on the Internet can try and brute-force your root password.
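Added example, not part of the thread or anyone's reply: a sketch that sorts packages into the three classes described in the post above by reading per-file modes and paths from an `rpm` query. The package names in the sample are hypothetical, and treating a shipped init script, xinetd entry or systemd unit as a sign of a service is an assumed heuristic.

```python
import re

# One line per packaged file, as a real host would produce with:
#   rpm -qa --queryformat '[%{=NAME}\t%{FILEMODES:perms}\t%{FILENAMES}\n]'
# SAMPLE is constructed data; the package names are hypothetical.
SAMPLE = """\
viewer-tools\t-rwxr-xr-x\t/usr/bin/viewer
job-queue\t-rwsr-xr-x\t/usr/bin/jobq
job-queue\t-rwxr-xr-x\t/etc/rc.d/init.d/jobqd
term-share\t-rwxr-sr-x\t/usr/bin/termshare
legacy-shell-server\t-rw-r--r--\t/etc/xinetd.d/legacy-shell
shared-dirs\tdrwxrwsr-x\t/var/lib/shared
"""

# Heuristic (assumption): a package that ships an init script, xinetd entry or
# systemd service/socket unit is a candidate for the "network service" class.
SERVICE_PATHS = re.compile(r"^/etc/(rc\.d/)?init\.d/|^/etc/xinetd\.d/"
                           r"|^/(usr/)?lib/systemd/system/[^/]+\.(service|socket)$")
RANK = {"plain": 0, "suid-sgid": 1, "service": 2}

def file_class(perms, path):
    """Return the risk class contributed by a single packaged file."""
    if SERVICE_PATHS.search(path):
        return "service"
    # Only regular files count: a setgid directory grants no privilege.
    if len(perms) == 10 and perms[0] == "-" and (perms[3] in "sS" or perms[6] in "sS"):
        return "suid-sgid"
    return "plain"

def classify(dump):
    """Map package name -> (highest class seen, files that triggered it)."""
    result = {}
    for line in dump.splitlines():
        if line.count("\t") != 2:
            continue  # skip blank or malformed rows
        name, perms, path = line.split("\t")
        cls = file_class(perms, path)
        best, evidence = result.get(name, ("plain", []))
        if RANK[cls] > RANK[best]:
            best, evidence = cls, []  # a riskier class replaces earlier evidence
        if cls == best and cls != "plain":
            evidence.append(path)
        result[name] = (best, evidence)
    return result

if __name__ == "__main__":
    for pkg, (cls, files) in sorted(classify(SAMPLE).items()):
        print(f"{pkg:22}{cls:11}{' '.join(files)}")
```

A package landing in the "service" class only means it ships something startable; whether it is actually reachable over the network still has to be confirmed against the listening sockets on a built image.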
05-20-2014 10:48 AM
Re: Redhat Kickstart OS Image
I understand the security issue, but this is a complex situation: RPMs need root to install and apps cannot install them, so they have to depend on SAs. I really wanted to know how different companies handle this situation, like maybe a list of packages that are OK to be approved for install. This should be a problem for almost any SA.
Simon
08-22-2014 07:43 AM
Re: Redhat Kickstart OS Image
Simon,
MK is absolutely right. It is an ongoing process to close the bugs/vulnerabilities which are reported by the security team on the packages that are installed. If you need to close them without the help of SAs, try to get sudo access and install updated packages.