
I used to use ASL for my server protection. This is an overall security suite for your server. One of the things it did was update or patch the kernel.

I do not use it anymore. Should I manually update or patch the kernel? If so, how do I do this, and what are the best resources?

I'm on CentOS 5.4

Saif Bechan

3 Answers


I agree with what Satanicpuppy said. To answer the how often:

  1. Set a regular schedule that works for your company.
  2. Consider watching a security page for any critical vulnerabilities that might require updates sooner than your normal schedule.

With updates you must always know how to roll back as well, so make sure you know how to select the previous kernel in grub as the default if for some reason the update gives you problems.

Also, don't just worry about the kernel; for instance, if this is an Apache web server you had better keep an eye on those updates as well.

RE Repo For Security Updates:
The default repos should be fine unless maybe you have special high security needs. If you only want security updates, just use the security plugin:

yum update --security
Kyle Brandt
  • Oh, I see some posts about yum security not working with CentOS, not sure if that is still the case or not. http://serverfault.com/questions/2673/yum-security-for-centos – Kyle Brandt Apr 15 '10 at 15:56
  • Yes, definitely subscribe to the CentOS security mailing list. Read and understand the alerts and how they pertain to your setup. If it's a kernel update that involves a remote exploit or a security hole in a driver that my system is using, then I'll normally schedule a maintenance window that night to restart the server. Otherwise I'll just wait for my weekly maintenance window and take care of it then. – 3dinfluence Apr 15 '10 at 16:12
  • 3dinfluence: Ya, I don't know about the actual numbers, but my impression has been that most of them are local only (i.e. privilege escalation), so they can probably wait a little bit unless you have high security needs or local untrusted users. – Kyle Brandt Apr 15 '10 at 16:15
  • Yeah, that's been my experience as well, and none of my public facing servers have local users. – 3dinfluence Apr 15 '10 at 16:21
  • Can you guys recommend a good mailing list to me? I have looked at the CentOS main website, but is this one the best to use? – Saif Bechan Apr 15 '10 at 20:49
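Two things this answer leaves as exercises are worth showing concretely: checking whether the kernel actually running is the newest one installed (a `yum update --security` that pulls in a kernel does nothing until you reboot, as the comments note), and pointing grub's default at the previous entry for the rollback it recommends. The script below is an added example, not code from the answer or from CentOS. It assumes GNU coreutils (`sort -V`), the CentOS 5 layout where grub reads /boot/grub/grub.conf, and that `uname -r` matches the kernel RPM's %{VERSION}-%{RELEASE} (true on CentOS 5); the grub.conf and kernel list it operates on are constructed sample data, not taken from a live box.

```shell
#!/bin/sh
# Added example (not from the ServerFault answers): helpers for a CentOS 5 kernel
# update pulled in by `yum update --security`.
#  1. Is the running kernel the newest installed one? If not, a reboot is pending.
#  2. Roll back by pointing grub's default= at the previous kernel entry.
# Assumptions: GNU coreutils (sort -V); CentOS 5 conventions where `uname -r`
# equals the kernel RPM's %{VERSION}-%{RELEASE} and grub reads /boot/grub/grub.conf.

# newest_kernel LIST: highest version in a newline-separated list of kernel versions
# (uname -r style). sort -V orders 2.6.18-164.11.1.el5 before 2.6.18-164.15.1.el5.
newest_kernel() {
    printf '%s\n' "$1" | sort -V | tail -n 1
}

# reboot_needed RUNNING LIST: "yes" if RUNNING is not the newest installed kernel.
reboot_needed() {
    if [ "$1" = "$(newest_kernel "$2")" ]; then echo no; else echo yes; fi
}

# grub_titles FILE: boot entries as "<index> <title>"; index 0 is the first title
# line, which is what grub's default= counts from.
grub_titles() {
    grep '^title' "$1" | sed 's/^title[[:space:]]*//' | awk '{ printf "%d %s\n", NR-1, $0 }'
}

# grub_default FILE: print the current default= index.
grub_default() {
    sed -n 's/^default=\([0-9][0-9]*\).*/\1/p' "$1"
}

# grub_set_default FILE INDEX: rewrite default= to INDEX. Refuses an index with no
# matching title so a typo cannot leave the box pointing at a nonexistent entry.
grub_set_default() {
    file=$1; idx=$2
    n=$(grep -c '^title' "$file" || true)
    if [ "$idx" -lt 0 ] || [ "$idx" -ge "$n" ]; then
        echo "grub_set_default: no entry #$idx in $file (have $n)" >&2
        return 1
    fi
    tmp=$(mktemp) && sed "s/^default=.*/default=$idx/" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed sample grub.conf (not a real host): yum has just installed 164.15.1 and
# placed it first with default=0; the previous kernel 164.11.1 is entry 1.
SAMPLE_GRUB=$(mktemp)
cat > "$SAMPLE_GRUB" <<'EOF'
default=0
timeout=5
title CentOS (2.6.18-164.15.1.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-164.15.1.el5 ro root=LABEL=/
        initrd /initrd-2.6.18-164.15.1.el5.img
title CentOS (2.6.18-164.11.1.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-164.11.1.el5 ro root=LABEL=/
        initrd /initrd-2.6.18-164.11.1.el5.img
EOF
# Constructed "rpm -q kernel" output for the same host, which is still running the old kernel.
SAMPLE_INSTALLED='2.6.18-128.1.6.el5
2.6.18-164.11.1.el5
2.6.18-164.15.1.el5'
SAMPLE_RUNNING=2.6.18-164.11.1.el5

echo "newest installed: $(newest_kernel "$SAMPLE_INSTALLED")"
echo "reboot needed:    $(reboot_needed "$SAMPLE_RUNNING" "$SAMPLE_INSTALLED")"
echo "grub entries (default=$(grub_default "$SAMPLE_GRUB")):"
grub_titles "$SAMPLE_GRUB"

# On a real CentOS 5 host, use the live values instead of the samples:
#   reboot_needed "$(uname -r)" "$(rpm -q kernel --qf '%{VERSION}-%{RELEASE}\n')"
#   grub_set_default /boot/grub/grub.conf 1   # boot the previous kernel next time
```

Run `grub_titles` first and confirm that entry 1 really is the previous kernel before calling `grub_set_default /boot/grub/grub.conf 1`; the function refuses an index with no matching title, but it cannot tell which of two valid entries you meant. Reboot afterwards and check `uname -r` again.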

Well, I don't know if it's left any significant holes, but from a pure paranoia point of view, I'd update the kernel.

I wouldn't bother doing it manually though, unless you're using a custom kernel. The kernel is updated all the time: shouldn't be too hard to find a "new" version to update to, and you can just do the update with Yum.

Satanicpuppy
    +1 Using prebuilt kernel images from YUM probably makes the most sense. The one thing worth mentioning in addition is that after a kernel update you need a reboot for the new kernel to be used (one of the few updates with Linux that does). There is fancy new stuff that can allow you to avoid reboots, but that is somewhat cutting edge. – Kyle Brandt Apr 15 '10 at 15:41
  • Can you recommend any good repos for these kernel updates? – Saif Bechan Apr 15 '10 at 15:46

Yes, security holes are found all the time in the Linux kernel. Often they are minor issues that probably won't affect you, but there are occasional major security holes that you should really upgrade to fix. As mentioned by the devil's dog, you can do this upgrade easily with yum. Also note that for pretty much all Linux software upgrades you do not need to reboot; the kernel is the one place where you do need to reboot to use the new version (there are hacks to switch to a new kernel without rebooting, e.g. 'ksplice', but I would not recommend it. Seems too risky to me; I'd rather just do a standard reboot).

davr