Recent OS Updates

As a new user to Fedora, it seems there have been many OS updates recently. My observation only comes as It seems needed global cybersecurity is continually on the rise. So from a holistic approach, are these recent updates a proactive approach to the recent hacking news or is this just normal?

My inquiry only stems from my own desire to better understand managing my OS, personal computer security, online security, and how my specific personal and business tech/networking needs fit in to it all.

Thanks in advance for any thoughts, opinions, or facts on the matter.

dbcupr

Updating once a week or two should be fine in most cases.
Though the high priority updates are best applied ASAP.
E.g. in case of a workstation, that should be a browser.
Reading update info can be helpful in determining severity.

Just some personal thoughts. The first security measure is: know what you are doing. Second: update your system.
However, personally, since I don’t have network constraints (i.e. I’m not on a metered connection that cost money per GB) I like to update my system every day.

Any tips to get to this level, I read and I have been doing books like Intro to Command Line, but I just feel I only scratch the surface. I am not against doing the work or heavy lifting, but any advice/direction to cut through some of the crap would be appreciated.

If not to forward to ask, what would you outline as a “get up to speed” starter kit for newbies?

Respectfully,
dbcupr

You can easily search and find many different tutorials on the CLI and bash scripting, or python, or perl, or html, or … There really is no “read this and you are up to speed” approach.

Learning is a lifetime task and every time you master something new it leads you to another thing new. Every time you ask yourself “how do I?” or “what if?” it leads to another learning experience. With almost 30 years using linux I am still far from “THE expert” since most things can be done in a myriad of ways.

Read, ask questions, practice, practice, make mistake, fix it, practice, identify possible problem, ask questions, prevent it, practice, repeat ad infinitum.
That is what will get you up to speed.

Fedora is a distro that updates quite often, not only for providing security updates but also new versions of applications and other software components. Personally, I would have preferred a more conservative upgrade strategy focused on stability but it also works as a testbed for RHEL so it has to serve this role as well. Of course, you can control what you update according to your judgement.

This is less relevant to Fedora, but could be interesting or useful for you. I had an eye opening experience when trying to get our server passed for PCI Compliance (see Find Out If Patch Number ( CVE ) Has Been Applied To RHEL / CentOS Linux - nixCraft) . Our server was in the cloud running a slightly old version of CentOS, which had its package versions locked at a certain level. Let’s say the libssh2 package has recently been patched to fix an exploit CVE-2020-1001, taking it from version 1.1 to 1.2 (hypothetical numbers). These exploits are usually given a CVE number. The security consultants who were validating our server looked at our package versions, saw that our libssh2 package was at a version released before the exploit had been patched, 1.1. What I learned was that the fix for important exploits are often backported to earlier versions of such libraries, so our libssh2 v1.1 actually did include the fix. I had to manually run rpm -q --changelog libssh2, look for the entry saying that CVE-2020-1001 fix was included in this package, and give the info to the security consultants to satisfy them. It was all rather arduous and annoying but I understood the concerns.

You may find reading such as Find Out If Patch Number ( CVE ) Has Been Applied To RHEL / CentOS Linux - nixCraft interesting, or google around the subject yourself if terms like CVE and PCI are new to you.

You don’t say if you’re coming from another Linux distro in which there were fewer OS updates. Do you have past experience, or do you simply feel that the number of packages needing updating on Fedora seems high as a gut feeling? Take a look at what actual packages are being updated each time. If it’s all X server, mesa, python etc then quite possibly they are simply bug fixes to those packages. More security related packages such as libssh2 are likely to be security fixes, although not necessarily. You’d have to look at the changelog to see what has actually changed for each one, or use the --security flag to dnf upgrade which seems to only fetch packages marked as being a security upgrade (I haven’t tried this myself). Personally I’m simply happy to install whatever has been released, though I generally put it off until a time I’m happy to reboot, which is not mandatory but updating packages while a lot is running on a machine can lead to weird behaviour and crashes.

In our case we needed to be PCI compliant because we were planning to let users type their credit card info into a web form on our website which would be posted to our server and processed. If you are going to hold or store such sensitive information the credit card companies require your server to be demonstrably secure from hacking or interception. Changing to an off-site solution, such as redirecting the user to Paypal or other third party gateway to receive the credit card info, relieved us of the requirement since we no longer had any visibility of the card info.

I’m refering to update policy:

Regards.,

It’s normal. There’s always some package or other that’s been updated. Also it’s characteristic of fedora to keep up to date with the latest package releases. Judging just from personal experience, OpenSuse has a similar frequency of updates day to day for bug fixes; Fedora is better about integrating upstream changes for new hardware. You can set the software application not to install updates automatically if you want more control. It’s very rare for any issue to occur as a result of an update though

Both yum and dnf have multiple options to address this without having to check the changelog of each rpm. Take a look at the options ‘–security’, ‘–sec-severity’ and ‘–advisory’ (or ‘–advisories’ for multiple CVEs). That last is probably what you should have used to satisfy your security consultant’s concerns.

For example:
# dnf upgrade-to --advisory cve-2020-1001
Last metadata expiration check: 2:13:30 ago on Tue 29 Dec 2020 18:17:57.
No security updates needed, but 0 updates available
Dependencies resolved.
Nothing to do.
Complete!

I get you, it would be lovely if a concise, single piece of information would satisfy them I admit I didn’t know about --security and similar flags back then, but as I recall, they were treating us as one of many clients and had an automated system that simply made a request against our sshd port (port scanning us as required, we had to whitelist their IP to let them do this because of course we have a good firewall system and don’t run sshd on a standard port) and detect the package version from the response, and then tell us we are not secure based on the simple number reported, without looking into what fixes have been backported into that version. I had to respond to each entry in their automated report. It was extremely frustrating (this being the first time I’d had to deal with CVE’s). They were very pleasant when I had need to call them up and work through things, but the basis of their system was all automatic.

Then, they had us install software that regularly scanned files on our server to make sure customer credit card numbers hadn’t been logged anywhere, which I understand but was also super annoying. We had plenty of false positives among the many data that are logged that I had to manually tick off as “not a problem” (logged SHA etc that look like card numbers). In the end we binned the entire endeavour and switched to an offsite payment gateway.

It was a good lesson in how security is important and non-trivial

I have only dabbled with other OS and my experience is very limited. I would say I only have done a few mods to conf files in command line, and for the most part been very conservative when doing mods or configuring. I purchased a laptop for testing and as of now have only successfully installed a few distros and landed back on Fedora as I am looking for a security minded OS.

On another distro and forum I found that I was often told to bypass or ignore some messages that appeared to be “bugs” or “possible security” issues to keep the OS working. I am in noway saying that what I was told was malicious or wrong. My gut just told me that I should try and dig and find the answers to what I am trying to achieve.

I am currently reading through a book called Mastering Linux Security and Hardening and am working within Boxes on an Ubuntu server following the tutorials. I really want to get off the Windows/Mac train and do more for myself. I fell in love with Apple Mac years ago and that is a continual money pit. They make things easy, just keep paying them. Windows has a lot of good features I like, but it is another money pit just to keep it secure and the addition of resource hogging from the security software needing run on Windows.

I think computersavvy hit the nail on the head, I need to start breaking things and fixing them to better learn. After reading all of your great posts/replies (that I so appreciate), I thought about my goals and I will take small steps with a somewhat organized approach:

• Installing OS and configuring hardware (including keeping things updated)
• learning to backup (correctly)
• configuring firewall
• getting my computers talking to each other (home network)
• super securing web browsing and email

I will try and break down each of these more microscopically and try not to chase so many rabbits down the wrong holes. I get overwhelmed sometimes to find I have spent a lot of time and energy on things not meeting my goals. There is so much interesting information out there, maybe I got ADD (haha) who knows.

Thanks again to everyone, I’m sure I will have more questions on this journey.

If security is your first priority, it’s possible that openbsd might be better to your liking.

I personally prefer linux for it’s wider HW support and bigger community (and consequently available software/applications), and fedora has been my goto distro for several years, partly because I work mainly with RHEL, and partly because I have learned to appreciate the fedora way of doing things (almost no proprietary software in official repos, dnf vs. apt/dpkg mess, etc.).

That said, openbsd is one of the most security focused OSes out there, and with quite tech-savvy community, so depending on your personal preferences, it might be of interest to you too.

I was not saying you should intentionally break things, especially on a production server. My intent was that you should not be afraid to try things (hopefully on a backup server) and see if it causes problems.

In an administrators world there is no shortcut to gaining experience. You have to be willing to try, research, try again, and communicate with your peers and mentors with specifics so either successes or failures become learning experiences. In my experience it is often that problems remain unseen until they bite you and you need to be ready to fix the issue without waiting. Often the quick fix may be ugly but the cleanup can be done behind the scenes.

Your point about securing web browsing and email is important if you support many users (or even a few who do not take adequate precautions). I believe that is the most common attack vector on any system.

I have used fedora and its associates starting when linux was new and redhat provided it on CDs. Selinux as configured on fedora helps with security a lot as far as confining actions done, but also can be frustrating when tracking down why something does not work as expected. I suggest you study that aspect of security as well.

computersavvy,

I understand what you are saying and do not plan to intentionally break things, and have no plans to do so. What I meant was I

understand what you are saying and will probably more than likely break things as I am so new to Linux.

I’m in noway looking for the quick and easy answer and I have much respect for someone such as yourself that has put in the time and got a clearer handle on things from the hard word that you have put in. I can only hope to get valuable input from yourself and others alike as I reign in / organize my own learning path and again appreciate your time to point me in a direction. Please bare with me, as I am sure to request opinion/direction/thoughts.

Respectfully,
dbcupr

Thank you dletai, I have chosen Fedora specifically due to the Selinux and taking this track as of now. I am somewhat nomadic, but feel at home here at Fedora, but who knows. Thank you for the valuable input and advice,