Security
A discussion of Operating System Security could take quite a while, but there are some points which we should definitely mention in the scope of this discussion.
Build Security In
People are Lazy, especially admins. In general, this is a good thing. Being lazy means that we tend to automate repeated tasks, but laziness can be seriously harmful when it comes to Security. This is why it is so important that security be built in, that it be relatively easy to deploy and that it be testable.
Many security issues are caused by misconfiguration, which we've covered with Reading the Manual, so we'll concentrate on keeping your software up to date.
Your install methodology should lead to a known state, one that is known to be secure and hardened against attack. There is no point in having a great automated install procedure if the end result is an exploitable installation. For this reason the final procedure in your installation should be a current security update.
Your installation should contain an automated security update procedure that is triggered at least daily. In summary, it should check that the current version of every software package you have installed is up to date. If it's not, the administrator should be notified. As we've covered earlier, this is a feature of apticron.
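The daily check described above can be sketched in a few lines of shell. This is an added example, not apticron's code and not from the original page: it parses the output of a simulated upgrade (`apt-get -s upgrade`) and builds the notification text, and the function names, package names and versions in it are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): summarise what a simulated
# `apt-get -s upgrade` run would install, marking security-archive updates.

# Constructed sample in the "Inst name [old] (new origin [arch])" format that
# apt-get -s prints; package names and versions are made up.
SAMPLE='Reading package lists...
Inst examplelib1 [1.0-1] (1.0-1+sec1 Debian-Security:12/stable-security [amd64])
Inst exampled [2.3-4] (2.3-4+sec2 Debian-Security:12/stable-security [amd64])
Inst exampledata [2024a-1] (2024b-1 Debian:12.5/stable [all])
Conf examplelib1 (1.0-1+sec1 Debian-Security:12/stable-security [amd64])'

# Read apt-get -s output on stdin; print "<kind> <package> <new-version>".
classify_updates() {
    awk '$1 == "Inst" && match($0, /\(.*\)/) {
        inner = substr($0, RSTART + 1, RLENGTH - 2)   # text inside ( )
        split(inner, f, " ")                          # f[1] = new version
        kind = (tolower(inner) ~ /security/) ? "security" : "other"
        print kind, $2, f[1]
    }'
}

# Read classify_updates output on stdin; print how many lines have kind $1.
count_kind() {
    awk -v k="$1" '$1 == k { n++ } END { print n + 0 }'
}

# Read apt-get -s output on stdin; print the text to send to the administrator.
notify_text() {
    updates=$(classify_updates)
    if [ -z "$updates" ]; then
        echo "All installed packages are up to date."
        return 0
    fi
    sec=$(printf '%s\n' "$updates" | count_kind security)
    total=$(printf '%s\n' "$updates" | awk 'END { print NR }')
    echo "$total package(s) out of date, $sec from a security archive:"
    printf '%s\n' "$updates" | sort -r    # "security" lines sort first
}

# Daily use (e.g. from cron, assuming a working local `mail` command):
#   apt-get -qq update && apt-get -s upgrade | notify_text | mail -s "updates" root
printf '%s\n' "$SAMPLE" | notify_text
```

The simulation only reflects reality if the package lists were refreshed first, which is why the cron line runs `apt-get update` before the check.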
Security should also be built-in by means of the Operating System itself having an active, responsive and responsible security team that releases updates in an Open and Timely manner.
Ongoing Process
As the old maxim goes, Security is not a Product, it is a Process. It is important that security be viewed as such: the security lies in the fact that your installations are polling for updates daily. It's also important that security be constantly reviewed, as it is always going to be a rapidly moving target.
Whilst Firewalls and IDSs have a limited use, don't waste time on them that would be better spent on actually securing your systems. Treat Firewalls and IDSs as optional add-ons with some minor benefits, and remember that they do not make your system in any respect more secure. They are just tools that will help you identify attacks.


