Re: Red Hat Network updates

From: Steven Leikeim (steven@enel.ucalgary.ca)
Date: 02/28/03

    Date: Fri, 28 Feb 2003 11:24:50 -0700
    From: Steven Leikeim <steven@enel.ucalgary.ca>
    To: focus-linux@securityfocus.com
    
    

    On Thu, Feb 27, 2003 at 12:33:35PM -0500, Jennifer Fountain wrote:
    > Hi All:
    >
    > I wanted your opinion about retrieving updates from the red hat network via the rh agent. I absolutely love the fact that Red hat emails you with updates and the agent (acting like the windows update agent or did windows steal this from rh:)) can retrieve these updates. However, I am not sure how "secure" or if I should be concerned about this process. What is the consensus from everyone? Good tool? Shouldn't use it because...?
    >

    My comments on how "secure" it is are based on my experiences in setting
    up a "current" server. This is an implementation of a server for the up2date
    tools. (http://current.tigris.org)

    There are a number of factors which Red Hat is using to keep the facility
    secure:
            - The service is supplied over an https connection and an SSL
              key is locally stored on your machine to verify the connection.
            - up2date will NOT proceed if it gets an RPM that is not signed
              by an appropriate key (Red Hat's by default).
            - up2date is careful to not update certain rpms automatically.
              Kernel updates are not automatic, nor will it update rpms that
              have had configuration changes made to them. This behaviour is,
              of course, configurable.
            - If you're REALLY concerned, you can run up2date manually and choose
              which updates you want at any given time!!

    There may be other security factors I'm not aware of, but these are the
    main points I would be concerned about.

    -- 
    Steven Leikeim                        |
    University of Calgary                 |   There are lies, damned lies,
    Department of Electrical Engineering  |        and statistics.
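The three package-level checks the post attributes to up2date (refuse RPMs without a verified signature, never auto-apply kernel packages, skip packages whose configuration files were changed locally) can be modelled as a small gate in front of an installer. The code below is an added example written for this page; it is not up2date's or current's code. It parses constructed lines in the shape of `rpm --checksig` and `rpm -V` output (the exact formats are assumptions about rpm 4.x; the sample lines, package names and versions are made up) and returns a decision per package, which is the part worth testing: an unsigned package, a package whose signing key is missing, a kernel package and a package with a locally edited config file are all held back, while a signed, unmodified package is allowed through.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample lines in the shape of `rpm --checksig` (rpm -K) output.
# The format is an assumption about rpm 4.x; nothing here is captured from a host.
SAMPLE_CHECKSIG = {
    "openssh-3.0-1": "openssh-3.0-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK",
    "kernel-2.4.0-1": "kernel-2.4.0-1.i686.rpm: (sha1) dsa sha1 md5 gpg OK",
    "clean-app-1.0-1": "clean-app-1.0-1.noarch.rpm: digests signatures OK",
    "unsigned-tool-1.0-1": "unsigned-tool-1.0-1.noarch.rpm: sha1 md5 OK",
    "tampered-1.2-3": "tampered-1.2-3.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK "
                      "(MISSING KEYS: GPG#placeholder)",
}

# Constructed `rpm -V <pkg>` style output: 9 attribute flags, file type, path.
# Here sshd_config has size (S) and digest (5) changes; ssh_config only mtime (T).
SAMPLE_VERIFY = {
    "openssh-3.0-1": "S.5....T.  c /etc/ssh/sshd_config\n"
                     ".......T.  c /etc/ssh/ssh_config\n",
}

_VERIFY_LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/.*)$"
)


@dataclass
class Decision:
    package: str
    install: bool
    reason: str


def signature_verified(checksig_line: str) -> bool:
    """True only if rpm reported a verified signature.

    Lowercase "gpg" (older rpm) or "signatures" (newer rpm) means the signature
    was checked against a known key.  "NOT OK" covers bad signatures and missing
    keys, and a line listing digests only means the package is unsigned.
    """
    line = checksig_line.strip()
    if "NOT OK" in line or not line.endswith(" OK"):
        return False
    _, _, verdict = line.partition(": ")
    tokens = verdict.split()
    return "gpg" in tokens or "signatures" in tokens


def modified_config_files(verify_output: str) -> List[str]:
    """Return config files (type 'c') whose size or digest differs from the RPM."""
    changed = []
    for raw in verify_output.splitlines():
        match = _VERIFY_LINE.match(raw.rstrip())
        if not match or match.group("type") != "c":
            continue
        flags = match.group("flags")
        if flags == "missing" or "S" in flags or "5" in flags:
            changed.append(match.group("path"))
    return changed


def auto_update_decision(package: str, checksig_line: str, verify_output: str = "") -> Decision:
    """Apply the gate: signature first, then the kernel and config-file exclusions."""
    name = package.rsplit("-", 2)[0]  # "openssh-3.0-1" -> "openssh"
    if not signature_verified(checksig_line):
        return Decision(package, False, "signature not verified")
    if name == "kernel" or name.startswith("kernel-"):
        return Decision(package, False, "kernel packages are not applied automatically")
    changed = modified_config_files(verify_output)
    if changed:
        return Decision(package, False, "locally modified config files: " + ", ".join(changed))
    return Decision(package, True, "signed and unmodified; safe to apply")


def run_samples() -> Dict[str, Decision]:
    """Evaluate every constructed sample package and return the decisions."""
    return {
        pkg: auto_update_decision(pkg, line, SAMPLE_VERIFY.get(pkg, ""))
        for pkg, line in SAMPLE_CHECKSIG.items()
    }


if __name__ == "__main__":
    for decision in run_samples().values():
        verb = "APPLY" if decision.install else "HOLD "
        print(f"{verb} {decision.package}: {decision.reason}")
```

The order of checks matters: signature verification comes first, so a package that fails it is never inspected further. The config-file rule mirrors up2date's default of treating a locally edited `c` file as a reason to hold the package for a manual run rather than overwrite the administrator's changes.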
    

