
Bewares yuor Red Hats!!

Posted: Mon Aug 25, 2008 1:05 pm
by complacent
So, if you're running, maintaining or building RedHat (or Fedora) you might want to look into these clippings:

linky one.

linky two.

Basically, a few boxes were compromised and taken offline.

The biggest concern is this: They've (RedHat) released a new package signing key as well as an OpenSSH blacklist script.

Could be ugly if left unchanged.
While there is no definitive evidence that the Fedora key has been compromised, because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to new Fedora signing keys. This may require affirmative steps from every Fedora system owner or administrator. We will widely and clearly communicate any such steps to help users when available.
IBtinfoilhats

Re: Bewares yuor Red Hats!!

Posted: Mon Aug 25, 2008 2:17 pm
by schvin
uh... neat. :(

Re: Bewares yuor Red Hats!!

Posted: Mon Aug 25, 2008 2:52 pm
by complacent
schvin wrote: uh... neat. :(
yea, that was pretty much the expected reply on this.

greeeeat.

*itals for sarcasm

Re: Bewares yuor Red Hats!!

Posted: Mon Aug 25, 2008 4:08 pm
by Mr Kleen
In connection with the incident, the intruder was able to get a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only) signed.
glad we aren't running either package. :ugh:

Re: Bewares yuor Red Hats!!

Posted: Mon Aug 25, 2008 4:52 pm
by schvin
uh, yeah, but i'd like to know a bit more before i trust the other ones...

Re: Bewares yuor Red Hats!!

Posted: Tue Aug 26, 2008 7:47 am
by Mr Kleen
oh I'm keeping an eye on this, no doubt...

Re: Bewares yuor Red Hats!!

Posted: Tue Aug 26, 2008 12:54 pm
by complacent
On the surface at least, it doesn't look as bad as the whole Debian SSL mess.

Oopsie! My Bad!

Re: Bewares yuor Red Hats!!

Posted: Sun Sep 07, 2008 3:34 pm
by Sabre
Duh!

Re: Bewares yuor Red Hats!!

Posted: Mon Sep 08, 2008 7:41 am
by sirwilliam
Mr Kleen wrote: oh I'm keeping an eye on this, no doubt...
Ditto.

Re: Bewares yuor Red Hats!!

Posted: Wed Sep 10, 2008 12:11 pm
by avriette
This is why we went with (yes, I can hear the groans already) Solaris on the newest spooky machine. I had the choice of Linux, Solaris, or XP (there's no Vista STIG, and what I really wanted was Vista; it has sixteen procs, and the XP kernel just can't do it, while the Vista kernel can, and the users are more familiar with it), and while I like and mostly trust Linux, Sun just doesn't fu*k around. Take a Sun machine (even if it's an HP), STIG that sucker, run it through all the auditing, put it behind a locked door with access control, on a secure network, and, mostly, feel safe. The key is, if it's a workstation, it don't gotta run bind, inetd, postfix/sendmail/qmail, or any of the other demons (I used "demons" intentionally, not "daemons") that lurk in the evil world of black hattery.

In my opinion, and it's worth precisely squat as I spam these forums (sorry, it's been a while), Solaris 5.11 (I think I have 05-08 here) and its acls and RBACs have actually exceeded OpenBSD in terms of userland/local access security. I think Theo's got them beat on the network stack, but then on a closed network with crypto keys that change and the DISA and other overlords watch, I'm less worried about GOBBLES getting hold of sshd.

However, often these choices are left out of our hands. Sorry to hear your life got more complicated, Colin.

Re: Bewares yuor Red Hats!!

Posted: Fri Sep 12, 2008 8:07 pm
by Sabre
avriette wrote: Sun just doesn't fu*k around. Take a Sun machine (even if it's an HP), STIG that sucker, run it through all the auditing, put it behind a locked door with access control, on a secure network, and, mostly, feel safe. The key is, if it's a workstation, it don't gotta run bind, inetd, postfix/sendmail/qmail, or any of the other demons (I used "demons" intentionally, not "daemons") that lurk in the evil world of black hattery.

In my opinion, and it's worth precisely squat as I spam these forums (sorry, it's been a while), Solaris 5.11 (I think I have 05-08 here) and its acls and RBACs have actually exceeded OpenBSD in terms of userland/local access security. I think Theo's got them beat on the network stack, but then on a closed network with crypto keys that change and the DISA and other overlords watch, I'm less worried about GOBBLES getting hold of sshd.
I have to agree with him on these points. In the Real World (TM), I've seen Sun kick a lot of ass with security and MTBF.