Keeping Up With DoD Security Requirements In Linux?

ers81239 writes "I've recently become a Linux administrator within the Department of Defense. I am surprised to find out that the DoD actually publishes extensive guidance on minimum software versions. I guess that isn't so surprising, but the version numbers are. Kernel 2.6.30, ntp 4.2.4p7-RC2, OpenSSL 9.8k and the openssh to match, etc. The surprising part is that these are very fresh versions which are not included in many distributions. We use SUSE Enterprise quite a bit, but even openSUSE factory (their word for unstable) doesn't have these packages. Tarballing on this many systems is a nightmare and even then some things just don't seem to work. I don't have time to track down every possible lib/etc/opt/local/share path that different packages try to use by default. I think that this really highlights the trade-offs of stability and security. I have called Novell to ask about it. When vulnerabilities are found in software, they backport the patches into whatever version of the software they are currently supporting. The problem here is that doesn't give me a guarantee that the backport fixes the problem for which this upgrade is required (My requirements say to install version x or higher). There is also the question of how quickly they are providing the backports. I'm hoping that there are 100s of DoD Linux administrators reading this who can bombard me with solutions. How do you balance security with stability?"

I am surprised

[ls671]

I thought the DoD would forbid to run newer versions that haven't been ran and scrutinized enough by a lot of people.

I though they would do like many big iron companies that run older versions with security patches applied. I mean if I remember right, no later than last week, exploits were found in newer versions like Linux kernel 2.6.30 and Firefox 3.5. I think this is more likely to happen with newer releases of software than with older releases tested through the years.

   

Re:I am surprised

[Dragon_Hilord]

I think there might be some changelog analysis going on too. If you see "Huge exploit xyz fixed in this patch", you're more likely to use the new, untested version just because a known exploit is closed. With security software, they're always usually fixing, improving, and generally securing their software.

I personally keep pretty up-to-date, and I can understand that a government agency would want to be completely on top of things.

"It's safer"

Re:I am surprised

[vertinox]

I thought the DoD would forbid to run newer versions that haven't been ran and scrutinized enough by a lot of people.

Depends on who you work for and what you do.

Not everything various DoD employees do is related to a "super secret project".

A lot of stuff in the DoD doesn't really have the need or want to be super scrutinized. Some of the stuff that they do is as boring as public relations and kitchen supplies.

Re:I am surprised

[characterZer0]

Some of the stuff that they do is as boring as public relations and kitchen supplies.

Why would they possibly need the latest kernel version?

Re:I am surprised

Yeah... In my experience, it's getting a new distribution approved that's a total nightmare.

There's only one Linux machine in the lab where I work, running 2.4.

There was an attempt to get a new machine into that lab with a 2.6 series kernel on it, but the paperwork took so long that the machine's need passed (workarounds were found) and it was moved to a nonsecure lab.

Re:I am surprised

[Midnight+Thunder]

Some of the stuff that they do is as boring as public relations and kitchen supplies.

Why would they possibly need the latest kernel version?

They probably believe it provides the kitchen sink ;)

Re:I am surprised

Why would they possibly need the latest kernel version?

Because exploits are fixed in the latest version, along with new bugs ;-)

Re:I am surprised

[piojo]

Why would they possibly need the latest kernel version?

Wasn't there a kernel root exploit publicized (and patched) a few days ago?

Re:I am surprised

You mean boring like invoices for $30000.00 toilet seats?

Re:I am surprised

[RichardJenkins]

The submitter says using back-ported security fixes (presumably from some official repository) is not an option because it doesn't give a guarantee of fixing the vulnerability the original update was for. If this is a problem I'm curious as to why he thinks manually installing the latest versions is any better. Is someone being paid to guarantee the efficacy of security fixes but only in those latest versions? If that is the case why not just pay them to audit the back-ported fixes in a repository instead? If you're using Linux and have been shrewd enough to install all of your applications through the distribution maintainers repository, then the sweet-spot between security and stability *is* using back-ported security fixes.

Re:I am surprised

If you think they are really buying toilet seats with that money rather than just using that as cover for what they are really buying you are terribly naive.

Re:I am surprised

[opec]

A lot of stuff in the DoD doesn't really have the need or want to be super scrutinized. Some of the stuff that they do is as boring as public relations and kitchen supplies.

That's what they want you to think.

Re:I am surprised

[jmkaza]

Regardless of what the actual machine does, it's still attached to the DoD's primary network, which has a lot of less boring info traversing it. By securing the boring stuff, you can keep it from becoming a host to those looking for the other stuff.

Re:I am surprised

[NeverVotedBush]

If the SE features were enabled or oddly, if some audio package was installed (I forget the name). It was due to an optimization done by the compiler.

Re:I am surprised

One Solution for Multiple Systems.
"PATCHLINK" by Lumension

Any organization especially the DOD should have a Security Department running regular scans of there network, in addition to using something like "PATCHLINK" or 1 of Many Open Source Tools available.

Re:I am surprised

[pizza_milkshake]

Why would they possibly need the latest kernel version?

Because the people who write the requirements need to justify their jobs.

Re:I am surprised

[TheRaven64]

And yet they're recommending a kernel version which is known to be exploitable, so it sounds a lot like they are just picking arbitrary random numbers.

Re:I am surprised

They wanted to use OpenBSD and stop worrying altogether, however Theo de Raadt was put in the Axis of Evil Best Hits collection. There below Bin Laden and above Kim Jong Il, so they have to use Windows or its Soviet alternative Linux.
The difference is that in Windows your system is full of holes while in Linux, holes fill your system.

Re:I am surprised

[MaskedSlacker]

It isn't that HE thinks manually installing the latest versions is any better, it's that the person writing the requirements does.

Re:I am surprised

Whooooooooooooooosh...

Re:I am surprised

[noz]

I'm pretty sure you didn't mean to imply that Firefox is a part of Linux, but you did.

And this is why I have arguments with my Windows admin friends (I'm Faust) about how many security flaws "Linux" has. Arrrrgh!
But I don't need to preach this to the /. crowd. Just be careful with this stuff.

Re:I am surprised

DOD is being exceeding stupid to the point of insanity. They are proposing to use a linux kernel that does not have the capability of shredding files by using a GUI like kernel 2.4 used to do with KDE 3.1. In SuSE 9.0 with kernel 2.4 and KDE 3.1, the shredder was implemented with Konqueror and could be configured to do a DOD acceptable Gutmann style 35 pass shred. Now the DOD wants to use a linux that cannot be shredded! Bet that Kim Jong Il and Tan Sshwe and Fidel and BinLaden and Mulelah Omar and the blind shake of egypt are just jumping with joy...not to mention the Chinese who will now be REAL......LLLLLLLYYY be able to spy good on stoooopid American defense type that believe own lies and pernicious propaganda about 'magnetic media'. Wonder how much Linus Torvalds was paid or threatened with to take the shredder out of the kernel. No one is going to ever believe otherwise.

Re:I am surprised

[slashdot_commentator]

Its not as treacherous as it sounds. Security through obscurity. It does theoretically allow a vulnerable machine to be accessible to the network, but it makes the network collective less vulnerable to a targeted hack into the system, for botnet or node search. This is sort of what some security pundits were referring to when talking about a diverse OS ecosystem better able to survive a virus.

Also, the reality is you're not going to keep any machine, accessible through a network, 100% secure. They all become insecure as soon as someone devises a "new" exploit. I was under the impression that only the SELinux (or similar) versions would be allowed on a DoD network. Even if there is a hole with minor versions, the security layers will work in the same manner. If the security level is low (enough to permit access to the internet through a firewall/proxy) there's no crime in using a more conventional OS release. I guess the policy will have to be reviewed once ksplice(?) kernels allow for near simultaneous updates across a network.

Re:I am surprised

[ls671]

I think you missed the point my post was trying to make. I was talking about software. It applies as well when newer versions of Windows come out. This is a principle above the OS that you are using that is pretty well known.

Another poster has stated it better than I did :

"the sweet-spot between security and stability *is* using back-ported security fixes."

Linux and Firefox were only examples, the holes did NOT exist in previous versions of Linux, same for Firefox. They are newly introduced holes that go with newer releases of software. Back-ported security fixes ensure that you only fix the existing holes without introducing new ones. ;-))

Re:I am surprised

[donaldm]

I run Fedora 11 and normally keep up with the latest updates including the kernel. On my machine:

1. kernel-2.6.29.5-191.fc11.x86_64
2. ntp-4.2.4p7-2.fc11.x86_64
3. openssl-0.9.8k-5.fc11.x86_64
4. openssh-5.2p1-2.fc11.x86_64

Ok that was just a few and it appears that Fedora 11 is a bit behind considering that this distro is fairly cutting edge and IMHO not appropriate for current enterprise usage. The DoD people who suggest really bleeding edge releases appear to have a crystal ball which must tell them that that these releases are fine for their use especially in light of the so called following 2.6.30 kernel exploit . Woops! I think resumes need to be typed up :)

Re:I am surprised

[ls671]

Another poster has stated it better than I did :

"the sweet-spot between security and stability *is* using back-ported security fixes."

No need to upgrade to the most recent version ! ;-))

In fact the most recent version is considered less safe because of new holes that might have been just recently introduced and that nobody had a chance to discover yet.

Re:I am surprised

[Proteus+Child]

They actually pick the last known stable revision made available by the company/distro/manufacturer. The people who bless that release do not seem to be the ones who actually read the changelogs, the code, or anything else that has to do with the package or application in question.

Re:I am surprised

That probably is not true.
An official patch from the company/manufacturer is an official patch to a vulnerability. Case in point, Redhat's foobar-1.2.6-el5-23.17.42.i386.rpm. If you read the Redhat advisory for the application foobar, that RH release has a couple of fixes for a bunch of vulnerabilities that were in the installed version 1.2.6-el5-22.17.40. So, the admins download the package, do the voodoo chicken dance to get the patch blessed locally, and install the patch.
I'm very curious to know what kinds of bugs the official patches aren't guaranteed to fix.

Re:I am surprised

[fernlyn]

I am really suprised ... I am amazed you can get anything to work .. you best security is the firewall not patching the os, not that the os should be left to get out of date. anyway sounds like great fun F:)

Re:I am surprised

I think that was the point of that comment.

Grindstone

[autocracy]

You'll probably have to solve it by using build scripts and tarballs. If you're feeling really ambitious, up the ladder and find out why it's only by version. Finding versions for each distro is probably more work for the people who do the list.

Re:Grindstone

[jd]

The most logical thing, surely, is to have a script that grabs the latest source, build suitable binary RPMs and a binary DEB, and then move these files to the correct directory for a repository manager.

(For RPMs, you could simply use the distro-supplied SPEC file and have the script replace values as needed. This only breaks when files are added/deleted, which usually doesn't happen.)

Alternatively, standardize on Slackware and banish the distro-specific issues to history. The drawbacks are less support and fewer fixes, but since the DoD can't track or test all variants, it's reasonable to assume they only track issues for the vanilla version. Distro-modded versions could have flaws added ad well as flaws removed, and in the DoD, it's better to have an absence of known threats.

Re:Grindstone

[rve]

If you're feeling really ambitious, up the ladder and find out why it's only by version.

That one is easy: this is how you work with software from Sun or IBM

Re:Grindstone

[turbidostato]

"The most logical thing, surely, is to have a script that grabs the latest source, build suitable binary RPMs and a binary DEB, and then move these files to the correct directory for a repository manager."

Which, more or less, is exactly what it's done at the distribution level... and then you find that it takes about two years to stabilize the compatibility problems that arises with such a practice.

Then you look elsewhere and find that's what Debian does (to name an example) and that's why it takes Debian about two years to produce a new Stable release (I mention Debian, but Red Hat is more or less about the same, as it is SUSE or Slackware or anyone else). And then you recognize that you are just reinventing the wheel -for the worse, and that you are much better backporting security fixes just like Debian does or else recognizing that by your original procedure (grabbing latests sources, compiling them and pushing them to your computers) you are no better than using Debian Unstable (which it's obviously not so great for a production environment) and that even then, redoing their work is again just reinventing the wheel for the worse.

Re:Grindstone

[CortoMaltese]

The most logical thing, surely, is to have a script that grabs the latest source, build suitable binary RPMs and a binary DEB, and then move these files to the correct directory for a repository manager.

Those scripts sound a lot like Gentoo Portage to me.

Re:Grindstone

[jd]

I'd agree with you, but I've identified quite a few packages where the source used is over two years old. (ATLAS springs to mind.)

The mix of old source and new source is likely one big reason for stability problems. Another is that dependency trees are often not properly regenerated, so what you end up with is binaries linking to stuff that no longer exists or has a different ABI.

I'd be happy to use Debian Unstable, or for that matter, most distributions, but I'm becoming very tired of the seriously broken package management strategies and am considering scrapping the distro I currently use and replacing it will a personally-rolled one.

Trust me, it won't be worse than Debian Unstable. It may take me longer to apply updates, and it will certainly be harder work, but I know that I know what I'm doing, whereas I do NOT know that any distro out there knows what it is doing, and I have seen nothing that gives me confidence.

The problem as stated is somewhat different to my situation, but runs into the same underlying problem. They cannot rely on a given distro using up-to-date sources, and in fact know that distros routinely won't. Since this violates the DoD criteria, they have to find an alternative.

Since you will NEVER convince people to move away from package managers in those environments, an internal distro is the only way to go.

Scientific Linux is precisely this sort of internal distro, with the sole difference that it was eventually released for others to use. So it has been done, and has been done Very Well. Thus, it is provably not necessarily "for the worse".

Re:Grindstone

[jd]

Essentially, yes. It's a variant of the Portage system that rolls RPMs and DEBs suitable for other distros, but really that's all it is. It is possible you could adapt RPM-building and DEB-building scripts, along with Portage, to do everything needed.

(Oh, you also need each of the distros in a virtual machine, so that you can build the package to the requirements of each.)

Re:Grindstone

[turbidostato]

"am considering scrapping the distro I currently use and replacing it will a personally-rolled one."

Probably because you never did so. It's an homungous work amount but certainly you can try: either LFS, Slackware or Gentoo would probably be proper starting points.

"It may take me longer to apply updates, and it will certainly be harder work"

For any production environment that alone is quite an operative definition for "worse".

"They cannot rely on a given distro using up-to-date sources, and in fact know that distros routinely won't."

The point being that they are doing so for quite valid and strong reasons.

"Since you will NEVER convince people to move away from package managers in those environments, an internal distro is the only way to go [...] Scientific Linux is precisely this sort of internal distro, with the sole difference that it was eventually released for others to use. So it has been done, and has been done Very Well. Thus, it is provably not necessarily "for the worse"."

There's only one little obstacle to overcome (well, three indeed): time, effort... money.

And about Scientific Linux, I think it proves my point much more than yours: it is not an internally develop distro but a heavily based on Red Hat one with a bunch of packages with local value... not even the CERN (which certainly has the ability, the money and probably would take advantage to do it) feel that to be such a great idea. The very first FAQ from their page states this:
Q. What is Scientific Linux?
A. Scientific Linux is in essence, a commercial enterprise linux distribution, recompiled.
What we have done is taken the source code from Enterprise (in srpm form) and recompiled them. The resulting binaries (now in rpm form) are then ours to do with as we desire as long as we follow the license from that original source code, which we are doing.
We then bundle all these binaries into a linux distribution that is as close to the commercial enterprise distribution as we can get it. The goal is to ensure that if a program runs and is certified on the commercial enterprise linux distribution, then it will run on the corresponding Scientific release.

See? "a linux distribution that is as close to the commercial enterprise distribution as we can get it" They are doing this for licensing/redistributing, not for using different versions, thus taking away the burden of integrating latest version from upstream and then dealing with its bugs and integration problems.

You said you found Debian Unstable "seriously broken", with problems regarding linking to uncompatible ABIs (or APIs) -of course, nothing else should be expected from an integration/development version: why do you think you won't find those very problems on your own rolled system? Are they going to disappear just because it was you the one that compiled it? Ask the Gentoo people then. It's only that now it will be *you* the one to deal with all that problems instead of spreading on others (while your help will certainly be welcomed) the burden to produce a polished system... after a while.

Of course it's doable: Debian does it with the strengh of about 1000 pairs of hands to the task. It can be even done on a "solo show" fashion as Patrick Volkerding can ascertain but then you must ask yourself: "will I be up to the task?" and specially, "will it be worth the effort or are there any good enough alternatives economically more sensible?"

Re:Grindstone

[jd]

The short answer is that I used to do this all the time. Back in the days of MCC and SLS, I would use those as construction platforms and then rebuild everything from source. These days, it's easier than it was back then - I don't have to edit all those damnable configuration files for X for a start, and thankfully most configuration systems are relatively automated. I hate compiling Perl.

I switched to distros that used packages because they were supposed to be easier, but frankly I've not found that to be true. Kernels are a bigger pain than ever, dependency hell reigns in a way I never suffered from source, and I routinely have to rebuild the database from the ground up because the package managers always corrupt it.

Sure, source is slower, but it is infinitely more robust. I speaketh from having used Linux from 0.1 to the present day, having used 386BSD (long before the existing BSDs were out) and having seen admin after admin blow up Solaris and other Unixes by relying on the package manager to do the right thing.

Who sets those minimum versions?

[PingXao]

I smell something fishy. Sounds to me like whoever is making money off securing DoD systems is also involved in specifying what versions to use. If you run something that's been battle tested and known to be "safe" (relative term) then there's no money to be made.

Here's a cheap way to make DoD Linux systems safe: don't connect them to the public internet, period.

Re:Who sets those minimum versions?

[Jaysyn]

The few DOD installations that my company has wired had two completely separate, very secure, physical networks. Big air gap between the secure PCs & the internet.

Re:Who sets those minimum versions?

[YrWrstNtmr]

Jesus christ on a crutch. If I see this stupidly retarded statement one more time...
If you've been here on /.more than about 3 seconds, you would have come across a little tidbit of information alluding to the different networks within the US DoD, and their various levels of security. Not everything that lives on a hard drive in the DoD is sooper sekrit and needs to be cut off from the outside world.

Some of these networks are truly open. Some are only acecssible from a .mil domain. Some are not connected to the internet at all, and split with an air gap. And some even more restrictive than that.

Your oh so insightful remark is also a cheap way to hamper operations.
We need a -1 Dumbass.

Re:Who sets those minimum versions?

[Bromskloss]

Some are not connected to the internet at all, and split with an air gap.

This "air gap", I see mentioned several times, what is it, really? The entire building floating on an air cushion?

And some even more restrictive than that.

You're getting me curious! What are those networks like?

Re:Who sets those minimum versions?

[Obyron]

An air gap means the network isn't connected to the public internet, or to unsecured networks. The "air gap" is the open air between the secure computers and the insecure computers. At present most networking gear has a hard time routing packets through open air, but I hear they're ginning up a new RFC to address that.

Re:Who sets those minimum versions?

[HomelessInLaJolla]

I hear they're ginning up a new RFC to address that

As with most military projects it has been in the works for a long time.

Re:Who sets those minimum versions?

[A.+B3ttik]

Above dude is a little cryptic so I'll risk being redundant:

An air gap just means that the computer networks aren't physically connected to each other at all. They exist entirely on separate networks, and the secure one usually isn't connected to any network with computers outside the building, much less on the internet.

Re:Who sets those minimum versions?

[jonbryce]

My Netgear box routes packets over open air without too much trouble.

Re:Who sets those minimum versions?

Whoooooosh!

Re:Who sets those minimum versions?

[JWSmythe]

    If I was working on something that needed real security, I'd prefer a steel reinforced concrete gap with armed guards outside. But I guess an air gap would do. It doesn't do much for the physical security though. :)

Re:Who sets those minimum versions?

[megamerican]

Your oh so insightful remark is also a cheap way to hamper operations.
We need a -1 Dumbass.

I think a +1 Bad Example would be more appropriate. Have it be karma neutral like +1 Funny. Even if you are a total failure you can still be used as a bad example!

Re:Who sets those minimum versions?

[Deltaspectre]

802.11(b,g,n)?

Re:Who sets those minimum versions?

[lennier]

"And some even more restrictive than that.

You're getting me curious! What are those networks like?"

Their TCP three-way handshake goes like this: SYN SYN NACK.

Welcome, BARACK.OBAMA@WHITEHOUSE.GOV, to area52.31337.nopeeping.nuh-uh.icu.goaway.clubhouse.nwo.mil.
Your security clasification: ACCESS DENIED
Would you like to play a game?

$ls
NO
$cat .
NOPE
$pwd
AS IF
$cd ..
YEAH RIGHT

It simplifies things immensely.

Re:Who sets those minimum versions?

[Freetardo+Jones]

At present most networking gear has a hard time routing packets through open air

That's weird. My 8 year old wireless router seems to handle routing packets through the open air just fine. *shrug*

Re:Who sets those minimum versions?

Uh, a locked series of rooms... Biometric locks... Guards with guns... Come on! Use your imagination! Yes, sci-fi takes this to an extreme, but sometimes it is real.

Re:Who sets those minimum versions?

Would that be the entire 802.* - series of RFCs?

Re:Who sets those minimum versions?

[godrik]

GP deserves it -1 dumbass but the question is still valid. Who the hell choose in an administratoin that needs security sofwares that are not tested yet ? It seems strange to me.

Re:Who sets those minimum versions?

Actually, "air gap" is a cliche from power electrics meaning: don't trust switches to isolate a circuit, instead chop a big enough gap in the circuit to visually verify that no current can flow (spark gap width may vary, inquire within for unusual voltages).

And when applied to networks, they mean don't trust software, switches, or routers, but make sure there is no physical transport path that could be misconfigured and leak.

And yes, buildings hanging suspended inside other buildings is something more secure, applying this "cut it off from the world" idea to other things like vibration, thermal signature, electro-magnetics, etc. Serious installations could have local power re-generation to prevent leakage over power feeds, and dummy loads to deter covert analysis of facility activity via power loads or heat output. This is conceptually similar to transmitting noise in between encrypted messages to prevent traffic analysis. At the very least, these methods are all published out there, and someone can decide how many of them are worth pursuing in a design. Not to mention the guards with guns waiting on the other side of the one-way mirrors and hidden doors.

Re:Who sets those minimum versions?

New RFC? It's been out over 10 years now (April, 1999):

RFC2549 - IP over Avian Carriers with Quality of Service

Re:Who sets those minimum versions?

As well as the 1990 original:

RFC 149: A Standard for the Transmission of IP Datagrams on Avian Carriers

Re:Who sets those minimum versions?

I've actually seen air gap regulation where system A must have so many feet of air between system B. This is one reason my security guy won't let me have a KVM between my low security and high security system (because then the VGA, mouse and keyboard cables would violate the air gap regulation because they would get t0o close together at the back of the KVM box....(seriously)). It doesn't matter that everyone else at other facilities has them. The biggest security related problems I see are related to the fact that too many government IT security guys, are paper pushers who can barley operate MS Outlook rather then technical people.

Re:Who sets those minimum versions?

Get your head out of the clouds!

Re:Who sets those minimum versions?

[drinkypoo]

You're getting me curious! What are those networks like?

I can give you some examples of their restrictions, and I didn't even see the room. In fact, I was supporting an enterprise management package used at their site, and I wasn't even allowed to know where their site was. They're not allowed to have any communications lines or devices inside the room, so doing support involved talking to three people really; one person actually on the phone, shouting to the guy holding open the door, shouting to the guy sitting at the keyboard. And keep in mind that this is a Unix-based site (I forget which one, sorry, it wasn't the interesting part of the call) and I'm giving them CLI commands... punctuation and all. Amazingly enough, I never had to repeat anything. This suggests to me that everyone over there was competent, which further suggests that it was actually an important site :)

The door on the room closes and locks itself per restrictions, and propping it is a big big big no-no, hence the guy in the doorway. You can't use a walkie talkie in the room let alone a telephone of any sort, hence the shouting. And the support tech is only allowed to know as much as he needs to know to answer your call. So that's what the next step is, I guess, after the air gap.

Re:Who sets those minimum versions?

I would have thought that publishing the numbers would be disclosing confidential information whatever the background of the servers involved?

Re:Who sets those minimum versions?

[nicodoggie]

Wait. am I getting this right? There was an RFC for standardizing the use of Carrier Pigeons for IP Datagrams?

Re:Who sets those minimum versions?

You're getting me curious! What are those networks like?

Mandatory EM shielding around the area, and you can only use an abacus. (So, still slightly better than a 2.4 kernel)

Re:Who sets those minimum versions?

Try this: CATNIP

http://tools.ietf.org/html/rfc1707

Re:Who sets those minimum versions?

[dna_(c)(tm)(r)]

At present most networking gear has a hard time routing packets through open air, but I hear they're ginning up a new RFC to address that.

You only need one idiot^H^H^H^H^Huser with a WiFi router inside. Granted, that's more of an Enterprise problem than a DoD problem. Probably.

Re:Who sets those minimum versions?

Here's a cheap way to make DoD Linux systems safe: don't connect them to the public internet, period.

What do you propose they do when they need to connect it to a private intranet? What about one with explicit requirements for software connected to the intranet?
 
  Work gets extremely cumbersome when instead of pulling some files from a network share you have to use another machine, burn a cd, and transfer the files to a *nix box.

Doing your job?

[NewmanKU]

"I don't have time to track down every possible lib/etc/opt/local/share path that different packages try to use by default."

Sorry to sound like a jerk, but isn't this what you're paid to do?

Re:Doing your job?

[Aphoxema]

Sorry to sound like a jerk, but isn't this what you're paid to do?

What, create time?

Re:Doing your job?

working smarter vs working harder?

Re:Doing your job?

[Midnight+Thunder]

Sorry to sound like a jerk, but isn't this what you're paid to do?

While it might be, is that any reason not to want to find a software solution to make his life easier? Heck, I thought that was what software solutions were all about? Also, have you considered it might not be his only job?

Re:Doing your job?

[HomelessInLaJolla]

is that any reason not to want to find a software solution to make his life easier?

That sounds great in theory but, mostly, it is the excuse of the incompetent who would like to have someone else do the work while they gather all the credit. The conceptual progression is no different than cheating on homework beginning in second grade.

I thought that was what software solutions were all about?

I think we've come a long way from the original path of software solutions. The system began as people who had computers at their disposal and who enjoyed working with them. They created solutions--heck, they created their own problems. They found new hardware, or new software, or new applications, and they had a simple interest to put things together and make them work. They created software solutions. Some of them began to sell their software solutions to people who needed them. The most inventive minds, however, continued to create their own solutions.

I think the largest problem is that management has even forgotten this. They want the job done. They do not want to spend money on it, they do not want to wait for it to happen, whatever the need is the managers want it done, now, at no cost. Part of this is just the crap rolling down hill from upper management who want something to report to the executives, and the executives just want to have material for their latest bout of grandstanding and speeches at various dinners, conferences, get-togethers, or golf outings, to have that edge to be able to feed to the investment partners, so that the numbers which drive their salaries and bonuses will go up. So the investment partners want something, that makes the executives want something, that means upper management wants something, that means middle management wants something, that means that front line managers want something done, and that means someone must do it.

So, rather than seeing people who have a genuine interest in developing and advancing computer, hardware, software, and programming technologies and art forms... we have an enormous population of what amounts to slightly more technically trained button pushing monkeys. These monkeys are slightly better than previous generations of monkeys in that these monkeys have been trained to be able to recognize more technical language and can follow the mouse pointer across the screen with their eyes.

I don't think the DoD wants "purchase, install, and deploy" monkeys--though quite likely the managers who will administer the posted position will (because monkeys are easier to push around and ride for their own professional profit than a real thinking human being). I think the requirements are set attempting to find those candidates who really and truly have a desire to work with those systems.

Re:Doing your job?

[JWSmythe]

    Really....

    "Sorry, I can't be bothered with finding this, so I'll ask Slashdot how to do it without trying."

    I would think his problem should be pretty simple. SuSE does have a package manager, right? You can uninstall the vendor package, and install your own. Voila, problem gone.

    I've been known to do both the tarball method, and the source method. It's really not *that* painful to build things from source directly on the machines in question. Writing a script to log in and do something like

echo "To: me@dod.gov\nSubject: " > /tmp/somemsg
hostname >> /tmp/somemsg
echo "somepkg\n\n\n" >> /tmp/somemsg

rpm --erase somepkg >> /tmp/somemsg
cd /usr/src/
wget http://internal.dod.gov/srcs/somepkg.tar.gz
tar xpzf somepkg.tar.gz
cd somepkg ./configure && make && make install >> /tmp/somemsg
sendmail -t /tmp/somemsg

cd ..
rm -rf somepkg
rm somepkg.tar.gz
rm /tmp/somemsg

DOD Repository

[Jaysyn]

Can you set up your own private DOD repository to hold those newer versions? Beats updating a ton of PCs manually.

Re:DOD Repository

[Protocron]

Yeah, I worked at shitty little web hosting company and they had their own repository server for updates to all of the managed servers. The admin team has at least three security guys who's job it was to QA the repository on pretty much a daily basis. They monitored for security patches and posted them to the repository as soon as possible. And we supported about 4 different OS's at the time.
I can't see why you won't have your own repository with a few people who knew deb/rpm package building for your specific repositories. And then it's just a matter of standardization. "Here are the OS we support."

Security Breach!

[barnyjr]

"I've recently ***been fired from my job for telling everyone I'm*** a Linux administrator within the Department of Defense." ... fixed.

Re:Security Breach!

seriously, who would post sensitive information about themselves and details about their network, for the whole internet to see....back to security 101 for you..

Re:Security Breach!

[JWSmythe]

Ya, I'm pretty sure that's a no-no. Unless he didn't really work for DoD, and he was just hoping that blurb would make him browny points with the Slashdot crowd. Reading the comments so far, it doesn't look like it made him any new friends. :)

Re:Security Breach!

Exactly. As soon as I saw the post I thought the person was a dumbass for providing distro identification, OS/software versions, and revealing any information at all about how their systems are managed.

That is, of course, if it is a real post.

And if he is being literal in the DoD publishing the software requirements, that is also a security issue. Having in-house standards is one thing but if they are available to any potential adversaries, all you have done is let them figure out the best attacks without revealing themselves through reconnaissance and scanning.

But I agree. This person failed the very basic aspects of security and undermined the first lines of defense.

Re:Security Breach!

Or it's a low-risk phishing attack and he really is hoping that DoD admins fill him in on what the procedures are.

This whole topic is bad news.

Re:Security Breach!

[palegray.net]

Speaking as an ex-radioman on subs, yes, this is a huge no-no. He's probably already fired, and should be if he isn't.

Re:Security Breach!

[JWSmythe]

Oh my ..... You know radioman, I hadn't really thought, but....

    I hadn't bothered to look, but if you look a little bit ... Well, lets just make a trail.

    From the posting, you see his Slashdot username.
    From the username, you can look at his public Slashdot profile.
    From his profile, you can see his site.
    From his site, you can see where he's deployed; what he brought with him; the names, types, brands and models of equipment; the type of satellite uplinks he's using; the way he's distributing his traffic for his unit; the military unit size and his position; and HIS REAL NAME. With that, you can find his rank, home town, and the community college he graduated from.

    Sorry. I wasn't trying, and I'm not a bad guy. I have no special clearances, no secret methods of finding information. I'm just some guy out there. The bad guys can be worse. Don't expect that your only enemy is a sitting in the shade under his camel cleaning his AK-47. Your enemy could come from anywhere. Keep your secrets SECRET. It could be a matter of life or death. Each little slip up builds the big picture of who you are. You gave up a whole lot of stuff just in your question, that shouldn't be otherwise known.

    If I were the DoD investigating this leak, there would already be someone dispatched to your tent.

    If I were the enemy, I may be looking to eavesdrop on your communications.

    Since I'm just an American civilian, I'm saying "Oh shit, he said too much."

Re:Security Breach!

[palegray.net]

You hit the nail pretty much on the head. There are good reasons DoD personnel go through all those "silly" information awareness courses. Apparently, none of that sunk in with this individual. I hadn't bothered to follow the trail at all, knowing others undoubtedly already have.

Re:Security Breach!

[palegray.net]

I don't think this dude's headed back to Security 101, or anywhere with a whole lot of freedom of movement for that matter.

On the upside, you get to meet interesting people in prison.

Re:Security Breach!

[Isaac-Lew]

What if he's just a contractor? (I'm speaking rhetorically...most likely a contractor would just get fired).

Re:Security Breach!

[palegray.net]

Actually, there are serious laws in place that affect anyone working with privileged access to information, from Confidential through TS and up. Being a private citizen (i.e. contractor) just means we won't get prosecuted under the UCMJ in addition to the various federal statutes he's broken.

Unfortunately for the submitter, even minor digging into his background seems to indicate that he's likely still subject to the UCMJ due to prior Army service.

Re:Security Breach!

[superslacker87]

Considering I'm about to go to the desert I went ahead and decided to see what the fuss was about. Looking at his site, do you know what I see?

Specs for a civilian network. Any one of you could go buy this exact same equipment and field it in your own back yard. Nothing he posted on that page has anything to do with the military network node system used while deployed. To be sure, there are satellites involved in the government network in Iraq and Afghanistan, but nothing there was listed I would use when I set up my network down there for military use.

Let the process work.

[tprox]

Apply for a waiver on those requirements :)

Re:Let the process work.

Ding ding ding, we have a winner!

Re:Let the process work.

[MaerD]

Please Mod this up. I have not worked for the DOD, but I worked for a Linux vendor that had DOD customers.

This came up all the time, and for the major Linux vendors (SUSE, Red Hat) either a waiver or looking at a "We're running RHEL/SLES X with updates" type blanket exception was the best solution.

Re:Let the process work.

[bcong]

He's not kidding. The waiver is called a Plan of Action and Milestone (POA&M) if he's going by the DoD/DISA IA vulnerabilities and their vulnerability management system. This is the only way they can actually set maintenance schedules. A lot of the admins submit these 'waivers' with a plan of action which includes quarterly or monthly patch days, otherwise they'd have to run patches every other day, possibly breaking their applications and services. It's a lot easier to bulk patch and test the app/service once a month or quarter than every day. The frequency of DoD IA notices is so high that this is the only manageable solution.

A few things

[lymond01]

1) Does the DoD contribute heavily to security software programs or packages? If so, they probably know which libraries are needed as they've been using them to provide the updates.

2) Maintenance of multiple server systems is always difficult. This is why Rocks was developed and why some develop their own startup and build scripts for clusters or server farms. Advanced scripting techniques are a must in a large environment.

3) Even if DoD doesn't contribute, they'll always point out the latest stable software and security fix. If you're talking about the defense of the country, how could you say, "We recommend this version...the one with the security hole that was fixed in the next version."

Re:A few things

[kubitus]

Maybe that is the department for Cyber-Warfare going to the community to collect the wisdom of the crowd to find vulnerabilities to exploit by themseves?

Open Source makes, compared to Proprietary Closed Code, hiding Trojans more difficult!

repo

[arnodf]

add my repository, it has all the latest versions of everything, trust me, just update everything from my repo, you won't regret it...

Re:repo

LOL! Yeah, yeah, use this guy's repo *wink* *wink*, it's not compromised at all... rofl

Rolling Distrobution

[iVasto]

If you need to stay cutting edge, why not use a rolling distrobution such as Arch or Gentoo? You could also set up your own repository where you build the Suse packages once and then push them out to all systems.

Re:Rolling Distrobution

[chrysalis]

I second this.

Arch Linux and Funtoo can fit the bill.

Re:Rolling Distrobution

[HalWasRight]

Just because Gentoo CAN roll out new versions quickly doesn't mean the ebuild maintainers actually do!

Re:Rolling Distrobution

Or slackware + pkgsrc. Honestly, even without pkgsrc, running slackware does get you a huge leg up over SuSE et al. because of minimal patching, so building your own packages from upstream source (of w/e version) is trivial by comparison.

Re:Rolling Distrobution

[jimicus]

Oh dear me no. No, no and thrice no.

Gentoo is great for learning how to fix things that are broken. That's because it's not uncommon to find a new version you want to install breaks something - eg. the config file syntax has changed subtly and the ebuild doesn't warn you of this before you carry out the upgrade. The longer you leave between doing an emerge -uD world, the more likely this is to happen.

And while you should keep a separate test network to test these things on, IME the test network is never quite a 100% accurate representation of the real one.

Learning how to fix things that are broken is good practice for any Linux admin. But putting a distribution that is driven by a desire to remain up to date at the expense of manageability into an installation that's meant to meet military specs?

Re:Rolling Distrobution

[m1xram]

Let's take it a step further. Why not have the DoD make DoD Linux SS (super secret) version and DoD Linux RE (regular edition) with the specific packages they want. Lots of people roll their own, why not the DoD? Then the DoD posts the links to their new distros on DistroWatch.org.

Re:Rolling Distrobution

Parent post needs modding up. Both Arch and Gentoo also make it dead easy to roll your own packages. Gentoo even comes with tools to make a build server from which you can then pull binaries to your other machines.

Re:Rolling Distrobution

[True+Grit]

Gentoo is great for learning how to fix things that are broken.

Even assuming this breakage happens as often as you imply (not my experience), where does it say that *you* have to fix the problem? When something fails to download/build/verify, I just wait till the devs fix it. Your current system isn't touched until the final install step, and I honestly can't remember the last time I saw the final install step fail.

config file syntax has changed subtly

Config files are normally updated at install time. For those that you want to control changes to, you use something like dispatch-conf or etc-update to review changes before allowing them, at which point you'll notice the change - if you're paying attention (if you aren't then don't blame Gentoo). Of all the kinds of breakage I see, this kind is the rarest, IMO. Most breakage is of the failed-compile variety, at which point you just mask that version of the package and wait for the fixed version.

Re:Rolling Distrobution

[Tsunayoshi]

Because only the major vendors have been approved for use within the DOD?

Been there done that for 9+ years...it all really depends on how much common sense your IT security group has and how tech savvy they are. My favorite place was where the head IT security guy was an avid computer geek, so when the new vulnerability lists came out, as long as we could provide a memo for the record explaining how we mitigated the vulnerability (backporting the fix, upgrading to the next version, removing the software, etc.), he signed off on it.

Contrast that to another DOD job where no one wanted to put their signature on anything, so no one would sign a waiver for anything that had a vulnerability. This included running NIS/NIS+/or LDAP on the unix network. So as a result, we had over 200 servers supporting about 100 different projects, each with their own passwd/shadow/group files. Yet the same people allowed a Windows Active Directory domain to be ran on the network (and no, we weren't allowed to use AD as an LDAP server for the unix systems, because the unix ldap client had a vulnerability.)

If you've ever had to work with the DISA STIGs, you'll know how much of a piece of crap most of their scripts are w/r/t checking that you've performed the required lockdowns per the guides. One example for Solaris 10, one of the checks was to see if a certain service was running (I forget which at the moment). It performed the check by grep'ing for the service in inetd.conf, and seeing if it was commented out. Well, for Solaris 10, management of that service was moved to the SMF facility, so the line didn't exist in inetd.conf. The script wasn't updated for Solaris 10, and since the script wasn't written to handle the case where the line didn't exist, it would give a false positive hit and say you were running the vulnerability. We had to spend 30 minutes explaining this to very non-techy auditor, and finally after still not getting it he basically threw his hands in the air and said "fuck it, I believe you" and let us pass on that ONE lockdown. Multiply that by a couple dozen. Makes for a long week during your annual inspections.

Re:Rolling Distrobution

Umm... why would the DoD want post links to their "Super Secret" version of Linux to anyone, even DistroWatch.org?

Re:Rolling Distrobution

Yes, Arch Linux is the way to go. Gentoo has too many management problems, and anyway doesn't keep its packages as up-to-date, as quickly, as Arch.

Arch hasn't been around for 9+ years, so the DoD naturally doesn't have it on certain approval registries. Gummint contracts are cash cows for 'Enterprise' products - Arch doesn't have that PR, but deserves it from us foot soldiers. The DoD is huge, and you're not going to tell me that only Enterprise XYZ is allowed. It depends on the department and the policies. Think about embedded Linux going into all those war machines, for example - every one of them a custom Linux rollup. If there is any choice, use Arch, and if not, work on getting it approved in your area.

Anonymous Coward.

Dump SuSE (SLES)

Military Mirror

[RichMan]

If it is an issue I am surprised there is not a military mirror.

Why would not CyberCommand (or whatever it is called) maintain a mirror of OS they approve of.
It is easy enough to set up and they can log all the machines to make an inventory. Even make sub-mirrors for different commands.

Re:Military Mirror

[neowolf]

That was my first thought. If the DOD requires specific versions- they should maintain repositories of them on their own servers. Perhaps one on their secure/classified network, and one on a more accessible network. They could be writable by only a few key people, so their chances of become corrupted would be very low.

Re:Military Mirror

I work in the Air Force and deal heavily with the systems and network folks because my job deals with web communications between very geographically separated bases. Unfortunately, I have not been able to have direct access to many of the poeple who operate and maintain many of the servers on which I depend. In my discussions with some of the more senior level staff they indicated that several of the systems on which I rely were running linux, but only specifically approved versions by the NSA. Perhaps the NSA has some guildlines or procedures for applying/testing/approving patches for various version of linux in the DoD?

Re:Military Mirror

[nahdude812]

They probably want to departmentalize that to a certain extent; a single source for all military computers would mean a single point of compromise for all military networks.

There are also networks isolated by an air gap which have no outside connection but should still be running patched software.

Re:Military Mirror

[drinkypoo]

Shouldn't they just be able to get whatever version of Linux the NSA is running, complete with a working SElinux? Seems to me like anything else is a huge, stupid duplication of effort.

Re:Military Mirror

[Hyppy]

"working SElinux"

Mythical situations do not belong.

Tarballing? Maybe you should try...

"Tarballing on this many systems is nightmare and even then some things just don't seem to work."

Maybe you should try untarballing. :-)

Switch distros?

[HFShadow]

Take a look at gentoo, it'll definitely be bleeding edge enough to have the latest versions. Ubuntu server might satisfy your needs too.

Re:Switch distros?

[$RANDOMLUSER]

Running a local Gentoo rsync server would be my first choice. You update one box, everybody else updates from there.

Re:Switch distros?

[BluePeppers]

I wouldn't take gentoo, you'll spend all day updating (and most of the night). I suggest Arch linux, for: a, Binary repos b, Easy packaging c, Source install tracking d, Up to date repo's (relatively) e, Rolling release distribution f, Packages are easy to mark out of date

Re:Switch distros?

[Lord+Ender]

Why on earth would you need to update all the time? If it were me, I would install gentoo once, then only update those packages on the DoD's list.

Re:Switch distros?

[dpilot]

One addendum to the Gentoo thing...

If you're running a "real shop", in other words many boxes that you want to keep in sync, dedicate one or a few as "binhost servers". Compile there, and the rest of the machines just fetch binaries.

Only problem is that it defuses the usual "waiting to compile" Gentoo jokes.

Re:Switch distros?

[arndawg]

One addendum to the Gentoo thing...

If you're running a "real shop", in other words many boxes that you want to keep in sync, dedicate one or a few as "binhost servers". Compile there, and the rest of the machines just fetch binaries.

Only problem is that it defuses the usual "waiting to compile" Gentoo jokes.

Also you have no excuse to slack off because "you're compiling". But yeah. That's what i do. Hardened gentoo. Local Rsync, BINHOST and DistCC. Compiling time is a none-issue. :) Oh and remember to add glsa-check to your cron and mail when something important comes up. :) I also have a "staging" server with all the services installed. Just to see that all is working before distributing everything to the other servers.

Re:Switch distros?

[bcong]

Neither Gentoo nor Ubuntu is on the certified products list....and therefore DoD won't/can't use it. Welcome to the Government, the land of red tape. http://www.niap-ccevs.org/cc-scheme/vpl/

Re:Switch distros?

[Bert64]

Gentoo lets you build binary packages too, build the packages on one box and send binaries to the rest... That way you can update what you need to and leave what you don't, with binary packages dependencies often have to be replaced too... For example, something built against glibc 2.8 will require glibc 2.8 at runtime, even if its perfectly capable of being compiled against a much older version.

Re:Switch distros?

[Bent+Mind]

Neither Gentoo nor Ubuntu is on the certified products list....

So do any of the approved distributions have the required library versions, or is this one of those "We require you to have 10 years experience with Office 2010" type of things?

Re:Switch distros?

[dpilot]

For all the "waiting to compile" jokes, Gentoo is a highly servicable distribution.

Really, Gentoo has also been called a meta-distribution, because of its customization capabilities. In that light, it can be highly appropriate for a "controlled shop", where more-or-less locked-down systems are centrally administered.

Re:Switch distros?

[Culture20]

gentoo hardened. http://www.gentoo.org/proj/en/hardened/
you want.

Re:Switch distros?

[turbidostato]

"Why on earth would you need to update all the time? If it were me, I would install gentoo once, then only update those packages on the DoD's list."

You don't think they came up with a list saying "kernel 2.6.30" a year ago, do you? That list basically ends up saying "use the latest published releases" so, yes, you need updating all the time to stay up to the list.

Re:Switch distros?

[skiman1979]

I'd love to run Gentoo on my box, but the IT department requires Red Hat or Windows XP/Vista. :(

Re:Switch distros?

[True+Grit]

you need updating all the time to stay up to the list.

Did you miss the GP's "then only update those packages on the DoD's list."?

Unless that DoD list constitutes the bulk of a Linux system (100+ packages? - TFA only mentions 4!), then you still won't be "updating all the time", so your point is?

Re:Switch distros?

With portage, do you sync a full list of the latest packages available, perhaps daily to keep an up-to-date list of what's out there. However, only packages in your world file (the ones he would install for DoD) would ever get updated. With a custom rsync server you could restrict your package list to the necessities & you would further reduce excess sync time/resources. A binhost server on the strongest machine(s), as mentioned, could do all the number-crunching and provide compiled binaries for all of your boxes.

Re:Switch distros?

Gentoo isn't as bleeding edge as you'd think (for some stuff it can be behind Debian).

Re:Switch distros?

[turbidostato]

"Did you miss the GP's "then only update those packages on the DoD's list."?"

No. As I didn't miss the (my remark) "*extensive* guidance on minimum software versions" and the "etc" part.

"Unless that DoD list constitutes the bulk of a Linux system (100+ packages? - TFA only mentions 4!), then you still won't be "updating all the time", so your point is?"

TFA mentions *explicitly* four packages, and then an "etc" and an "extensive guidance": I take this for the list to be quite longer than just the four packages explicitly mentioned so my point is exactly what it was: "updating all the time to stay up to the list", not to talk about the constant flux of bugs due to integration problems that such a practice would arise.

Re:Switch distros?

[n0tquitesane]

You can also use distcc to speed up the creation of those binaries.

NQS

Re:Switch distros?

[True+Grit]

I take this for the list to be quite longer than just the four

Well, until we see the size, and content, of this list, we really have no way of knowing which of us is "right". :)

"updating all the time to stay up to the list", not to talk about the constant flux of bugs due to integration problems that such a practice would arise.

Integration problems exist for binary-based distros as well. I was responding to the implication that this would somehow be impossible with a source-based distro because the "building" part would allegedly consume "all the time". That is false.

Living on the bleeding edge creates exactly the same problems for both binary and source-based distros. If this list really does force you far out onto the bleeding edge, then it won't matter what kind of distro you use as a solution, there will be difficulties in any case, but a source-based distro won't make it any *harder*.

However, if your need is to adapt to this "list" for a large number of targets, then using a source-based "meta-distro" might make the *administration* of your whole system easier, where the customized building and integration is done once on a fast machine then distributed out to all the targets. As always, it depends on the specifics.

security and stability

How do you balance security with stability?

Those who give up a little security for temporary stability deserve neither. -Ben F. Ranklin

Wrong

DOD does not mandate software versions for the most part. The notion that DOD requires kernel 2.6.30 right now is completely wrong.

They mandate patching specific vulnerabilities, but that doesn't require upgrading to the latest software version. RHEL is a great example of a distribution that patches vulnerabilities without updating to the latest major versions of specific software, and RHEL is widely used by the government and military.

*shrug*

[forgottenusername]

You're going to need time (or a team) and some custom solutions. You're looking for something like pkgsrc methodology where you can push the same packages out on different machines regardless of their distro, and some really great management software for it all.. like puppet or something along those lines.

This all sounds like a kludge and the Wrong Thing to Do(tm).

If the Linux distros in question are the same, you could probably leverage the distros package management system. For instance it wouldn't be all that difficult in Debian realistically, depending on which packages they were worried about. Desktop, forget it, nightmare city.

I foresee a lot of testbed work!

Something seems wrong though, I'd be surprised if there wasn't either a secure internal repo or a more sane way that "always get the latest!! omgz".

euh?

'I'm hoping that there are 100s of DoD Linux administrators reading this who can bombard me with solutions.'

So you guys don't speak to each other? No mailing list, nothing?

Surprising???

[croddy]

The surprising part is that these are very fresh versions which are not included in many distributions.

that's not surprising, or you're not paid to administer linux systems.

really, now.

Re:Surprising???

[arth1]

That the fresh versions aren't included in many distros shouldn't be surprising. However, that the DoD demands these bleeding edge versions should raise an eyebrow.
I can't see how they can possibly have done a thorough job at certifying something when it's just out the door and bugs are still being weeded out.

If I were to set up a highly secure system, I would probably go with Trusted Solaris from a few years back, or something similarly well tested, like Red Hat Enterprise Linux (kernel 2.6.18) with SElinux in strict mode, and a file system that zeroes files on errors (like XFS, which was good enough for Trusted Irix and CS2 certification).

If the DoD really demands kernel 2.6.30 and other bleeding edge versions, I would suggest looking into who makes money on this, and their relations to the people who suggest and sign the policies.

I take exceptions!

[SoupIsGood+Food]

Get ready for paperwork! You will need to apply for exceptions for everything that's out of compliance... I've worked in similar institutions, tho not the DoD, but most places run this the same way. The list of software in compliance is usually generated by the infosec team, and it's more of a wish-list than a demand... but to pass your audit, you will need to have permission to run out-of-spec software, and document why it's out of spec (vendor doesn't support that ver) and what you're using instead (the ver. the vendor supports). This is generally so the pen-test, NIDS and Intrusion Response people know what they're dealing with.

Have a chat with your info security shop - they'll walk you through it, and they're secretly envious of unix admins. They yearn for your aura of splendor and awe.

Re:I take exceptions!

[DigitalLogic]

And I bet no one reads the paperwork either. I used to have to write reports on what I did not fix equipment. Since I susupected no one read my reports, I put in things like "repaired the space time rip." And sure enough, no one has questioned my repair methods.

Easiest answer

[kyliaar]

The biggest problem that I think you are experiencing is that you seem to have an expectation that mandated requirements in a governmental sphere are completely sane and workable. I am trying to see how I can phrase this without just making a sweeping generalization about the inefficiency and beauracracy that is attached to things run by the state. In general, I would say that the primary reason for this is that, in the public sphere, it is easier to attempt to solve a problem (real or imagined) by taking another thing on top of the pile rather sorting through issues and finding the actual root cause and resolving that.

So, having said that, don't expect all policies to make sense while working for DoD. If you are fine with that, just do what you are told as best you can with plenty of CYOA. If you are not fine with it, don't try to fight it. Go work elsewhere.

Roll yer own packages

[drspliff]

Back when I was managing SuSE systems we had our own local mirror of the main updates repository, and another repository of custom packages rolled in-house. The documentation ( http://en.opensuse.org/Creating_YaST_Installation_Sources ) covers this pretty well.

Either way there's no excuse to be compiling packages on each server and managing the usual /usr/local & /opt mess, not to mention with autoyast iirc you can configure it to update packages at specific times of the day unless there's a reboot necessary (and even to reboot automagically for new kernels)

The Solution!

[iYk6]

Run Debian Stable. Have a few members of DOD join the Debian Security Team. Everybody wins/profits!

I understand

[HomelessInLaJolla]

The desired effect is not what you think it is. The desired effect is not to ensure that the particular update releases of packages are whatever they are; that is a secondary and obligatory requirement. The desired effect is to ensure that anyone who is attempting to deploy a Linux type solution in the DoD has the requisite skills and understanding to create a stable system beginning with those requirements.

Imagine if the spec was "use distro XYZ". Great. Installers have become fairly streamlined and even newbs are able to install a given distro. If the spec was for older, more stable releases, then there would be little incentive to fill positions with people who are motivated to advance the technologies. The specs do not need to be completely bleeding edge and, for the sake of conceptual security and practical updates, the specs should be a little behind the latest releases hot off the press.

Tarballing on this many systems is nightmare and even then some things just don't seem to work.

Obviously I, as a homeless man, would be much more qualified for the position than you. I enjoy the challenge of inventing my own systematic solution for situations that are "nightmares" or "just don't seem to work". My skill set is likely to be precisely what they are looking for.

But DoD cannot have me. I work only for God. DoD is free to give me money, they are free to provide a place for me to live, they are free to provide an office and systems for me to use... but the very first moment that my manager tries to pull any of that political office crap where he covers up his complete blithering idiocy by invoking his age or the level of his academic degree then they would have to kiss my beautiful a$$ because I would walk out the door on a dime and not even bother to leave a single penny in change. Eff 'em to the end.

So, no matter how much more highly qualified I am than any other candidate for any given position, the fact that I refuse to put up with political bullsh*t from old men who feel that their age, combined with their white hair and their funny moustaches, entitles them to do whatever they want means that employers will happily accept a less qualified, but weaker willed, candidate.

The loss is theirs.

Just email him

[Hadlock]

Find the guy's email address of who writes those specs (located somewhere on the doc, I'm sure), or it's on the server that hosts those docs, and email him and ask him where your local depository for the latest .mil approved packages are.

Weigh each vulnerability individually

[Bryan_Casto]

There are many, many ways to deal with this, but fortunately while DoD says "update to this specific version," what they really mean is "close this specific vulnerability." Get used to hearing about IAVMs and VMS (Vulnerability Management System).

Taking the case of OpenSSL specifically, it's not uncommon for there to be patches released for vulnerabilities affecting a previous version. If you're using a vendor like Redhat (and in the mind of DoD, Redhat/SuSE = Linux, and nothing else) what you'll end up with is a version of OpenSSL that appears vulnerable, but in fact has a backported patch applied to the vulnerable distribution. Once you've applied the updated RPM, you can say in good conscience that you've mitigated the vulnerability, and you can close the finding.

Where it gets stickier is where you have code that depends on a specific version of a library that might be vulnerable. In that case, you need to dig in and understand the specific uses and how you might be able to mitigate the vulnerability by turning off a publicly listening service or applying some strict file controls, or maybe you don't exercise the vulnerable function in the library and can justify it that way.

Ultimately, you have to be able to convince your DAA (Designated Approving Authority) to accept the risk. If you can't immediately close the issue, you have the option of doing a POAM (Plan of Action and Mitigations) that will outline how you're going to mitigate the issue until you can close it.

There are a ton resources, but specifically I'd start here:

http://iase.disa.mil

You also might find this interesting as a way to secure Redhat machines:

http://people.redhat.com/jnemmers/STIG/

Feel free to contact me if you have more specific questions as well.

Re:Weigh each vulnerability individually

[HBI]

A good post by someone familiar with IA the military way. Why does your karma suck?

trust the vendor

[OlRickDawson]

First of all, if you work for the Navy, the distribution must be within DADMS, so you can't just run any random distribution. I also run a few linux machines for the DoD (the Navy specifically). The rules are enforced by the scanners. I take the vendor's (RedHat in my case) backported patch at their word, that they have fixed it. If you read their patch documentation, when the security alert is issued, that they have implemented the patch. The network security scanner doesn't pick up that you have patched it, because the version number doesn't match. I submit the RedHat's patch document with the report, as evidence that I have done it. It satisfies the auditors, because, to them, it's no worse than trusting Microsoft that they have patched their stuff. I don't have the time to investigate and test to see if the vendor actually fixed the problem with their backported patch. I leave that for the security exports to ping on them if they failed to do their job. Besides, that's what I'm paying RedHat for. I don't have the time to make sure that Microsoft fixed all of their stuff either. I patch and go, and document it what I have done. As long as their is a paper trail to prove that you have been patching, all is well.

Re:trust the vendor

[idiotnot]

DADMS is DoN-only for a reason; nobody else has the NMCI problem, and it didn't exist prior to NMCI. It's somewhat disconcerting to sit in on a meeting for a joint POR system, and have flag officers wonder WTF the Navy isn't implementing. "Uh, it's not in DADMS, sir." Sparks fly to say the least.

That said, the procedure is pretty simple, and since DITSCAP/DIACAP provide for it, you run specific vendor patches for whatever vendor-supported OS you're running (sorry Gentoo fanboys, roll-your-own isn't allowed in production systems). The Unix SRR script *should* be able to figure out if the backport is applied in a vendor-supplied patch, and pronounce it okay.

(The SRR scripts are publicly-available to everyone; if you're not running a commercial distro, you'll probably get some weird results, but it's still pretty good at picking out possible problems, even on systems that aren't officially-supported. I've run it on everything from Debian, including GNU/Hurd to OS X. http://iase.disa.mil/stigs/SRR/index.html)

If something is revealed that's not accurate, you document:
a) why you can't fix it (i.e. whatever system is running on top ceases to work, the vendor refuses to fix, the vendor is tango uniform, it's Wednesday and you don't feel like it, etc.),
b) why the scanner goofed up and picked out a problem that doesn't exist (yes, this version is different, but the vendor backported the fix [with proper vendor reference] to this, which is applied).
or
c) the fix hasn't been released and fully tested yet.

Cases a and c are what a POA&M is for, which is normally submitted along with the accreditation package, and updated periodically.

Re:trust the vendor

NMCI sucks.

It's a trap!

[bugnuts]

I'm hoping that there are 100s of DoD Linux administrators reading this who can bombard me with solutions. How do you balance security with stability?"

Computer security configuration data is on a need-to-know basis. Anyone revealing UCI will be receiving a call or visit from an armed person who had his sense of humor surgically removed. :-)

/workedtoolongforDOE

Simple:

[alexborges]

1) Go to redhat.com
2) Contract them for a largish consulting period and have them do a package channel for you guys
3) Dump suse
4) live happily ever after.

If you need fresh RPMs on RHEL use koji

[Nicolas+MONNET]

RHEL5 is getting a little stale and we often need more recent versions for various reasons; I found that downloading SRPMs from koji.fedoraproject.org and recompiling them on RHEL usually worked. The only annoying thing is that from F11 on the RPM compression has changed and RHEL can't unpack them; so I have to unpack them on my Fedora system first.
Then I just build them, sign them with our GPG key, and copy them over to our loca repo, and just run "createrepo." It's not that big a deal.

Re:If you need fresh RPMs on RHEL use koji

[salimma]

Or get the sources straight from CVS -- the downside is you won't know whether a particular revision results in a successful build or not, without checking Koji.

Re:If you need fresh RPMs on RHEL use koji

[cowbutt]

Actually, it's F11's signatures that have changed; the compression is still gzip. You can bypass the 'unpack on a Fedora box' step by using rpm2cpio, then extracting the cpio archive.

Just Stick to Vendor Packages and Document It All

You install the latest security patch packages from your distribution vendor (on a reasonable schedule) and that's it. (Never install a non-vendor package if you can help it.) As IAVAs are published, do the quick research to determine if it even applies to the vendor's package and, if so, what update is necessary (for most IAVAs, it should be pretty simple to trace it back to an advisory from your vendor): then you'll have the documentation when needed to present to your IAO or DAA. (For bonus points, share this information on Intellipedia to help others :-)

Where are you finding these "requirements"?

[SpaFF]

I am a Linux administrator at a DoD site. I have never seen anything that says that you must run kernel 2.6.30 or anything like that. Can you please provide a link to where you read this? (links to CAC-authenticated websites are ok)

DoD I-8500.2 requires you to run an OS that is EAL certified at a certain level depending on your classification. The only Linux distributions I know of that have EAL certification are SLES (9 and 10) and RHEL (4 and 5). I keep hearing about people that run things like Fedora, CentOS, and Ubuntu on DoD networks, but I have no idea how they get away with that.

As far as software versions go, what versions you must be at are dictated by IAV-A, IAV-B, and IAV-T notices. The IAV-A may say that there is a vulnerability that affects kernel versions = 2.6.30 and that you must go to 2.6.30 to be compliant, but as long as your vendor's kernel version addresses the CVEs that the IAV-A references then you are covered.

Re:Where are you finding these "requirements"?

[Arakageeta]

What about STIGs (http://iase.disa.mil/stigs/stig/index.html)? Complete STIG compliance is a pain in the ass. Bastille Linux (is it dead?) doesn't even get you there half of the way.

Re:Where are you finding these "requirements"?

[JimmytheGeek]

Yep - STIG compliance is a pain, esp. if your linux box is an appliance, not a general-purpose multi-user box. I do think it cool they appear to care about securing their systems, though.

Re:Where are you finding these "requirements"?

In my humble experience running sites for the DOJ, which for the most part follows NIST recommendations, they'll take anything as long as you pay a consultant to come in and certify the system.

In my cases, I follow the current EAL3 configuration guidelines and submit the configuration for certification. $27,000 and 1 day of futile attempts to compromise the system later, it's approved and I can start rolling it out.

While official EAL certification is only available on a few distributions, the things they do to make those distributions compliant are publicly documented, and you can replicate the configuration on any distribution.

Re:Where are you finding these "requirements"?

Bingo, this guy wins the cookie. Automatic scanning with tools like ISS and Retina just look at the minimum version numbers and keep flagging the RHEL machines every time, and not just for kernel vulnerabilities. Those tools don't know about backported patches and everytime they get run, I have to document that our systems are in fact compliant with the IAVAs.

I think most people are ignoring the EAL requirement in 8500.2, since its impossible to comply with it. As soon as you apply a service pack or patch, you've rendered any EAL testing null and void. Catch-22, its either the configuration that was EAL evaluated or its been patched.

Keep in mind that STIGS are a "guideline" and you can deviate so long as your documentation shows why and your DAA approves.

(funny, but my Capcha word was "defenses")

Re:Where are you finding these "requirements"?

[godrik]

have you looked here ? http://www.microsoft.com/gettingWindowsAtDoD/NewSoftwarePolicy

Re:Where are you finding these "requirements"?

Depending on your department there are some things you file waivers for or POAMs, its honestly not that hard to stay in compliance anymore as the government and Linux vendors have publically available kickstarts that do minimal installations and configuration then there are tools like this http://kbase.redhat.com/faq/docs/DOC-11331 which shows multiple ways to verify CVEs against packages on RHEL including a yum package extension you can install then query for which package solves which CVE(which are listed in the SRR scans run against the Linux hosts).

Suse may have something similar but I never ran across it.

Re:Where are you finding these "requirements"?

Security in that realm is very relative to how tied into the security bureaucracy you are. I can read a spec or regulation that says something like "only use an OS if its EAL certified" then later read a brief about a major three letter agency using something like a rack full of Fedora systems.

a what path?

[AliasMarlowe]

I've got several Linux systems, and not one of them has a lib/etc/opt/local/share directory!

It's simple, really

[KGBear]

In this, like in many other things, the Windows way of thinking has poisoned the issue. The way Windows people think, reinforced by Microsoft's implementation of Patch Tuesday, has been picked up by systems auditors and managers and bureaucrats everywhere. So the mantra today is that you must patch. Hurry! There's a new version! If you don't install it now we're all gonna die! This comes from the fact that that is a pretty simple metric that can be written in policies and checked during audits.

If you lose data or your system gets abused and you're patched to the latest version you're off the hook. If you don't have the latest patch however you're fired. Even if the latest patch fixes a local privilege escalation on libgd2 and all your server does is DHCP and it was actually exploited by someone cleverly guessing your co-worker's password.

Same thing with firewalls: if all you run is a web server, I say you make sure nothing else is running that opens any ports. It's no use to setup a firewall, because the thing that is most vulnerable, port 80, will need to be open anyway. But get caught without a firewall in some places and you're fired.

It's a lot easier to write a meaningless list of requirements than to think about needs and policies and design the requirements

It's a lot safer to follow some dumb list of requirements than to try to understand what your systems are doing and configure accordingly

It's a lot easier for an auditor to check a list of requirements against the output of some version-checker than to actually know what these things do

It's the dumbing down of engineering that passes for systems administration these days. It's the Windows way of thinking.

Re:It's simple, really

[laughingskeptic]

This is a social phenomenon to which you are observing Microsoft's reaction. Corporate policies rarely create trends, more often than not they reflect them. This is essentially the same phenomenom that has parents thinking there is a predator around every corner -- the shrinking of the information globe and increased exposure to bad things happening 'somewhere' makes people react in statistically irrational ways.

Re:It's simple, really

[skiman1979]

I couldn't agree more. All those compliance checklists auditors use to "secure" systems really get in the way sometimes. Do you really want to have requirements for complex passwords with a 3 invalid attempt lockout and a screen saver with a 10 minute inactivity lock on a weapon system? If I was out in a war zone and I was getting shot at, the last thing I'd want to do is have to enter a password, on tiny buttons, while wearing thick gloves, to unlock my rifle.

Re:It's simple, really

They're also the requirements that must be followed. Period. Full stop. If they aren't (even if it means hardening a box more than the docs say it has to be), the box gets pulled and rebuilt by someone else. You, as the admin who originally built the box, may not get to keep your job because you didn't follow the spec.

Easy Solution

Why is this a problem in the first place? Whoever the contractor is suppliying the software should be responsible for keeping it up to date, even if it means producing its own software packages and providing them in a secure manner. Isn't that in the freakin' contract? If not, why not? And if you're the "contractor", just do your job. problem solved.

Backports FTW

[jwriney]

Congratulations. It's now your job to check every *single* *freaking* *package* where the DISA specs proscribe a particular version, and see whether or not your vendor backported the security fix. Usually the DISA specs will contain a vulnerability id (CVE-ID or similar) that you can reference against. Google is your friend. The overall process is murder. It's a big reason why I got out of government IT. On a related note, I find the Linux vendor practice of keeping old version numbers, but backporting new fixes into their own trees (Red Hat's "version x.y.z-ELsomeothernumber" system for example) to be categorically infuriating, but that's a different rant. --jwriney

Check out Security Blanket

Have you checked out Security Blanket yet (http://www.trustedcs.com/securityblanket)? Currently they support RHEL/CentOS/OEL 4 & 5 (x86, 32 and 64 bit), and Solaris 10 (x86 and SPARC). I believe support for Fedora 10 is due shortly, and SUSE support is also on the roadmap. The tool can scan a particular box for compliance with various security guidelines, and if any issues are found can automatically remediate the problem, including undoing this remediation at a later date. There are pre-built compliance 'profiles' to address guidelines such as CIS, DISA STIG, PCI DSS, and others. Each profile is composed of individual modules (such as a minimum number of characters in a password), so custom profiles may be built.

maybe DoD needs to build their own distro

[nobodylocalhost]

Just build it off of slackware and distribute the whole thing using apt. That way, you just need to build the whole thing on one set of systems and distribute out to all the boxen you need to update/install.

Re:maybe DoD needs to build their own distro

[digsbo]

Yes, except I would recommend using the same Linux distributions already in place, but adding your own package server to their repository list (or better yet, create a local mirror, modifying only the packages you need).

For example, if you were running an RPM based distribution, create a YUM server, add it to the existing machine's /etc/yum.conf, and set up a nice little makefile system to easily build new RPMs from the .tar.gz packages; that way you only do the build once.

RPM makes it easy to create packages out of .tar.gz files, I would guess other distribution formats would as well (i.e. you can run alien on RPMs to get .deb files).

I feel your pain...

[The+Mighty+Bill]

As a former DoD Linux admin (one of the first for that organization), the best way I've found to keep everything in sync is to build updates yourself (essentially, you're doing the vendors work for them). I know of the guidelines you speak of and the regular advisories and it was quite a task to implement something reasonable. In the end though, the only way I could both satisfy both the security concerns and maintain the rpm database integrity was to build updated versions of the vulnerable software myself and install them.

`rpmbuild` is definitely your friend. Build a template spec, then as you need to update versions, you just modify a few details and away you go.

I worked primarily with Red Hat at the time (though I am working with SuSE now) and had the same problems you've described. They (the vendors) typically do not update quickly enough and if you ask them for direct support, you usually get the run around. The "minimum" version issue is particular painful, as it will show up, even if the vendor backports (I'm assuming you're catching these when running the "unix" scan util).

So long as the updated rpm "provides" everything the old version did, you should have no dependency issues. Good luck.

Do it once, distribute it with M23

[burni]

I think it can be adapted for Suse

http://en.wikipedia.org/wiki/M23_software_distribution_system

Here's a solution

[lwsimon]

Holy crap, I have an answer for this.

Run ArchLinux - pacman is *perfect* for this role. Just set up a local repository and have your client image include only it. Set up a cron job on the image to do a "pacman -Syu" nightly - that's "update your package list from the repo, and install any newer versions"

Then you have a test system that you can test new versions on, and when you're ready to launch, update that package in your local repo. That night, all your clients will update to the new version.

The only thing this wouldn't address is adding packages to the systems en masse - but even this could be done in a slightly hackish way - just add the new packages as dependencies for the new version of an existing package - or better yet, roll you own PKGBUILD that installs nothing, but has all the dependencies for packages not part of the ghost image.

Arch is pretty up-to-date on package versions, and since pacman compiles from source, you can roll your own if you need something before it comes out in the official repos.

Security takes precidence

[Xanthvar]

The reason that you are required to use version x.y.z or newer is because, there are security vulnerabilities with the earlier versions, and (generally speaking) if it is connected to NIPRNET and publicly facing, it is a matter of WHEN it gets hit, not IF. This is why there is a STIG, and why you need to periodically run it against your production boxes to keep them current.

If you are a DoD admin, then you have been briefed on why you need to do this, I'm not going to waste time talking about it here. Failure to remain current is a reason for DISA to shut off your connection.

The scenario that there is a vulnerability, but there isn't a fix for it available yet, and you are at the mercy of volunteers to fix it, is the one of the nightmares of DoD policy makers. This is why they often argue for non open source software, because the idea is if they pay for it, then they have someone's feet they can hold to the fire(not literally, but figuratively, anyway) to get it updated! (Yes, I realize that this isn't really the case often, and closed source can take forever to close a hole, but this is the argument... facts don't always come into play when lobbyists get involved).

I always thought DoD would be the perfect place for open source software, where they could build an approved flavor of Linux, set up an approved distro site, and then hash everything to make sure that you were running version that was blessed by security to help alleviate trying to support everyone's own custom setup. Unfortunately, there are several major problems that I see with this:

1. You are beholden to the vendor of your product, and what they say they support. This is part of the bane of COTS. Not everything is developed to run on Trusted Solaris. You use whats out there in the world, not what DoD has hardened. This makes sense for budgetary purposes, but is sometimes at odds with security. "Oh, we realize that there is a vulnerability in the subsystem, but we don't support the upgrade because it breaks out system." This is also why there are so many system still running IE6.. because the java apps that were written by the tons don't work on IE7 or later (or better yet, a non M$ browser) because they don't want to update the code (or can't because the guy who cobbled the original together is no longer there, and no one else understands what the heck he did...)

2. DoD or at least the military, doesn't want to be in the development business. They only have a finite amount of bodies, which they can devote to war fighting, and don't want to waste them on support roles (try not to laugh to hard, I know they don't do a good job of this either, but that is the concept anyway). They get around this by hiring civilians and contracting support roles out, but often, this leads to enormous amounts of oversight and administrative overhead (and don't forget about the opportunity to line the PORK barrel while you are at it), and suddenly what was an inexpensive concept is not a multi-million dollar monster with a life of its own.

3. It's far easier to find vulnerabilities that it is to fix them. Also, systems have gotten so complex, and with so many components, and at times a house of cards looks more stable than a server (DCTS, I'm looking at you).

I think China might have the right idea. Mandate your own OS, and only let it be used for official purposes. This is a great idea on paper, but in practice it would run afoul of the issues mentioned above. It might work for China if they don't have a lot of modernization or a bunch of legacy systems already, that would need to be converted. They may have the willpower to want to spend the money needed to make everything happen, but I don't see the US doing this anytime soon. It is probably going to take some very painful lapses to occur before this will take place.

I apologize if I seem like for the over use of acronyms, but hey, this is about a DoD system :)

As far as the OP goes, you might talk to some guys who are main

Arch Linux

[NaNO2x]

I'd recommend checking out Arch, it is a bleeding edge distro that also makes recompilation quite easy. There are a lot of smart people working on it and the documentation is quite good. Arch follows the KISS principle and keeps their repositories fairly light while letting the community handle the masses of programs.

Anyway, I recommend checking it out here: http://www.archlinux.org/

Submit a Waiver

[vldragon]

When working for the DoD, no matter what you problem is the their is a waiver process for it. If anything it will give you more time to figure out a solution.

Obey the rules.

[irregular_hero]

First rule about DoD security and stability? Don't talk about DoD security and stability. :>

For RHEL, you can use CLIP

Clip will solve a lot of the problems for you. CLIP can be found here:
http://oss.tresys.com/projects/clip

RedHat also backports security fixes. To verify if redhat addresses certain vulnerabilities, I look them up here:
http://web.nvd.nist.gov/

DISA Auditors

[KiboMaster]

I do IA work for the DoD. I primarily do Certification and Accreditation for the Department of Navy. The DoD 8500.2 controls require your operating systems to be Common Criteria certified. The EAL level is going to depend on your classification. There are several Linux distributions that have gone through the certification process. For specific versions of specific software (Linux Kernel, OpenSSL etc.) you're probably referring to the IAVA (IAV-A, IAV-B IAV-T) notices. These are specific known vulnerabilities that usually come from CVE or some other repository. They change as often as I change my underwear (insert joke about average slashdotter here). It would be impossible to keep a system up to date without significantly breaking functionality.

The thing I keep seeing is lazy DISA auditors that see the STIG's as black and white. Most of the testers I've run into aren't technical people. They run the automated SRR scripts and ding you for having your kernel version out of spec. If I were to sit them down and ask why a particular control was an open finding they'd tell me "Because the STIG said so" without digging deeper as to why.

The most recent test I was on, the testing team hit the sys admins for an out of date Kernel on a VMWare ESX box. VMWare uses a highly customized version of RHEL. Installing the most recent Kernel would turn the box into a paperweight. The best advice I can give you is to first check with the tester to find out exactly what the vulnerability is and what their recommended fix action is. Depending on your tester you may be wasting your time. I've see far too many tester leave comments like "Not up to STIG compliance". Check with your vendor to see if they have issued a patch to address that vulnerability. Once you have that information you can place your comments into a POA&M and go back to your DAA and explain why a given open finding isn't really a finding and/or won't be fixed. You can also look into mitigation factors to see if you can reduce the severity. Many controls will state "If you're doing X, Y and Z this finding may be reduced from a CAT I to a CAT II".

Good luck with your C&A and be glad you're not on the documentation side of things :^)

Re:DISA Auditors

[pckone]

There are a lot of audits that are never filtered through the stupidity filter before you get pinged. It seems that somewhere around 95% of the IA guys have never done any kind of actual IT work. You end up having to explain every single vulnerability over and over(and they still never get it).

Re:DISA Auditors

[KiboMaster]

Any idiot can run an SRR. You actually have to know what you're doing to be able to look at the results and say "Yes that really is a finding... or No that's a false positive." Our clients are starting to come around to the concept that it pays to have someone do the analysis. If you don't, you'll end up having to go through the analysis phase yourself and then have go back and fight your auditor.

These sound like local SSO rules not DoD

[iccaros]

I know of no DOD requirement for use of specific Version of software.. People confuse Local Security (SSO's) rules with DoD Wide. I would like to know which document they are reading. When you get your system accredited you have to list software and versions in the SSP/SSAA and if you upgrade you also have to do a change to the SSP/SSAA. as for back ports.. They are fine as long as you can test and show that they do what they say, and contain nothing else.. No patch is to be put on a DoD system with out vetting. the patch. your ISSO or SSO will give you guidance. if you are the admin you should have a contact for them. also DoD rules all depend on who you report to, DoDIIS, US Army, SSO Navy? DISA they all have there own rules, a lot matches. Then you have your local accrediter, or better known as the person who is responsible if your system is compermised. this person is the only one who sets version numbers, and a lot of them just say the newest with no knowledge. Disclaimer, I am a government contractor who does System Design and System Accredidation.

Address the vulnerability specified in the CVE.

I'm also a DoD *NIX admin. Any TCNO patching I perform on Linux or UNIX systems is driven by TCNO's which link directly or indirectly to CVE's. My advice is the same as your's: dig deeper to the CVE level. If the CVE is addressed, document it. After all, the directive is to address the vulnerability -- not needlessly apply software. A close relationship with your IA officer is also important: inform him/her of what's necessary and share information. He/she has to report compliance.

air gape

I bet your router wouldn't do so hot after its been stuffed inside a bag marked "evidence" and you're sitting in a cozy windowless room trying to explain how and why you hooked up your gear to the private secure WAN. (hint: shrugging won't go over to well :)

A hundred bucks of commodity hardware + open source software can easily find a wireless device to a reasonable degree of accuracy inside/around a building, especially consumer junk on that terrible quality short range 2.4ghz band. Any sane setup will at the very least have a box 24/7 logging all wireless activity in range, and its not like theres ethernet cables laying around in unsecured spaces for you to play with at your leisure.

STIGs

[bjverzal]

I have one word for, if it is a word -- STIGs! Gotta love 'em!

One solution

[Bruha]

Setup a few servers to host the patches and pay someone to turn those newer versions into valid rpm and deb packages so they can be used to patch said systems.

Past that, the policy needs to be reviewed. If they're patching because of a physical vuln vs a remote attack then that's just plain stupid. If the system is properly secured according to TSSCI etc then it's not a huge issue to ensure upgrades for at the keyboard attacks. If you lack phys security then you have much bigger problems, any linux system can be owned in minutes if you can get your hands on it.

Polish your resume

[wiredlogic]

You ought get to work polishing your resume. Discretion is key in the defense community and blabbing about your job on Slashdot is a bad idea. For a start you should have phrased the question in a more vague manner rather than outright naming your employer. They will find out who you are and you can kiss any any access permissions goodbye in the near future.

How to get any computer related stuff you want...

[rocker_wannabe]

All you need to do is establish a relationship with a vendor that sells to the government and has what you think you want. Tell them up front that you want them to bid on your purchase request, however that works at your facility, and give them their product number. The purchasing department usually isn't very technical and has no way of verifying whether the item meets the specs or not so they take the vendors word for it. If anybody questions it later you can just blame the vendor for shipping the wrong item.

Remember, with the government you can only try your best then cover your ass in case someone tries to screw you.

Really secure computers

[DragonHawk]

"You're getting me curious! What are those networks like?"

Things start getting really secure when you go classified. (There's plenty that's sensitive or deserving of security that ain't classified.)

Right away, classified generally means no connections to public networks/communications. (It's in theory possible, with sufficiently sophisticated security software, but practically never done.) Air gap. The only way to transfer data off the secure "island" is via hand-carried media (sneakernet). For most systems, any media mounted on the system is automatically classified to the highest level of the information on the system, so you can't get data *off* easily, either.

Things are classified CONFIDENTIAL, SECRET, or TOP SECRET (in order of increasing sensitivity). To work with something classified, you have to have a personal security clearance at least as good as the classified stuff. Getting a clearance requires filling out a giant form with your life history, including where you've lived, where you've worked, where you went to school, who knew you at all those places, etc. A background investigation follows. The higher the clearance, the more through the investigation.

A lot of classified systems are stand-alone, meaning a single computer with no network. Often, the hard drive will be in a removable carrier. When the system isn't in use, the hard drive is stored in a government-approved safe. Or it's a laptop, and the whole computer is kept in a safe.

Beyond classification levels, some things are put into SAPs ("Special Access Programs", AKA "Compartments"). You need formal, individual approval for each SAP. More paperwork.

A non-uncommon scenario might be: A computer, locked in a safe, locked in a room, inside a secure facility, protected by multiple levels of alarm systems, surveillance cameras, and armed guards.

Then things get *really* tough.

You have TPI, or Two Person Integrity. This means that any time the material is in use, you have to have two people there. They watch each other.

Beyond that, you have TPC, or Two Person Control. The material is guarded at all times (even when not in use) by two people. The people don't know who will be working with in advance of their shift/assignment. The equipment won't operate without both people acting together.

None of the above is special knowledge; you can find it all on Wikipedia. I imagine there is stuff DoD *isn't* telling us about, too.

solaris?

don't use linux maybe? use trusted solaris instead or something less 'patchy'

DoD isn't big on DIY

[DragonHawk]

"If you need to stay cutting edge, why not use a rolling distrobution such as Arch or Gentoo?"

The DoD, in general, *really* doesn't like do-it-yourself stuff. Yah, you can run Linux, but it has to be from Officially Approved vendors (Red Hat, SuSE). Only they have the secret decoder ring or whatever it is the DoD wants.

I'm sure any number of arguments against this will occur to people. You learn real quick: What you think doesn't matter for squat. You're in the army now, and they do it the army way.

(Substitute service branch of your choice.)

OpenBSD

OpenBSD

Sounds like an opportunity...

[Bravoc]

for a business model that provides a DOD-compliant distro, yes?

Even by Slashdot standards...

[Slashcrap]

...the OP is impressively full of shit. Hope this helps.

unbelievable

Whoever gave you and the people who reply to you that claim to work for the DoD, security clearances needs to be shot.

Flames from self-righteous civilians who think they need to know everything about everything will be summarily ignored.

Where, exactly?

[Kung_Fu_Hamster]

I've been asking people for YEARS where Linux is used in the DoD. The answer was always the same:
Me: "Where does the DoD use Linux? I'd like to explore some different opportunities."
NCO/SNCO/Officer: "We don't. Now go run those lines."
Me: "I'm color-blind."
NCO/SNCO/Officer: "That doesn't matter."
Me: "..."
And people wonder why the Marine Corps has the lowest re-enlistment rates in the whole military.

Publishing the Version Numbers

[sargon666777]

I'm not sure how intelligent it is to publish the version numbers of all the packages you use anyhow. By publishing them someone can now easily look up the vunerabilities and attack. Its one thing to be on a old version, but its another to tell someone that you are.

DISA STIG compliance

[razholio]

Most likely, the mandate for the latest major versions of packages comes from STIG. The STIG is a guideline, and more often than not, requires an explanation as to why you have chosen not to comply. I've been able to get around the broken STIG assumption that only the latest major version of a package contains the required security fixes by writing up a vulnerability assessment that includes the patch-level of the package from the vendor (RedHat in my case), and the changelog of that patch that almost always includes the CVE for which the fix was provided.

The intent of the STIG issue is to close a security hole, *NOT* to force you to dangerously track the very latest major/minor version of a package. If you can show that you are closing security issues by suing the latest version from your vendor, then you are complying with the goal of the STIG.

No Sympathy!

Most distros that provide updated security patches/packages provide information regarding the vulnerabilities fixed within, IE rhn.redhat.com has a 'changelog' tab for each package they release that contains vulnerabilities fixed. Use that as a reference when you write your mitigation report for false findings. For example, when the scanning software says to upgrade to kernel 2.6.30 and you go to redhat and grab the latest kernel 2.6.8-128, inside the changelog for that package it will probably contain the vulnerabilities fixed in the 2.6.30 kernel so write a mitigation report against it. IA/Security is 90% of a Sys Admins work. Dont say you have no time for it, it's your job. You get no sympathy!

NSA hardening guides

[epicfailftw]

I've found the NSA hardening guides, on what used to be called the SNAC, pretty useful: http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml#linux2

the only real solution!

[Fotograf]

Go with windows! Yep, sooner or later year of Windows on desktop will come and even that woody heads in gov will have to adapt

"Windows way of thinking", works... apk

"It's the Windows way of thinking." - by KGBear (71109) on Wednesday July 22, @05:17PM (#28787937) Homepage

It's a way of thinking that works, IF you can follow some simple rules + suggestions by a tool called CIS Tool (reviewed well in COMPUTERWORLD & by other reputable sources also) & this guide below which goes "above & beyond" CIS Tool's suggestions (based on "industry best practices") in a stable, safe, & secure manner, IF you put a few practices "into motion" on it (&, a few others "out of motion", such as indiscriminately using javascript on every site under the sun for example):

----

HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA, + make it "fun-to-do", via CIS Tool Guidance (&, beyond):

http://www.tcmagazine.com/forums/index.php?s=dec021749afe0b8139cbee0acf5e188f&showtopic=2662

----

The results of implementing that guide?

----

http://www.xtremepccentral.com/forums/showthread.php?s=a38e96d97e840cb3fe9e3762c05fd020&t=28430&page=3

"Its 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! Its made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)" THRONKA user @ xtremepccentral.com

----

Thus, you can see that IF a person becomes "enlightened" (for lack of a better expression here) to what works for security on a Windows NT-based OS of modern variety (2000/XP/Server 2003 & even VISTA and beyond), they CAN & DO experience solid, stable, & safe(r) uptime + a better, & even F A S T E R online experience as well...

APK

P.S.=> It's NOT like you CANNOT secure Windows, you can... &, it works, as a single example testimonial from someone other than myself above, clearly demonstrates! You *NIX people, especially admins (users with a better password, because until you are a coder? You're only that, because all you do, is use tools guys like myself, create for you, to USE, period) are grossly misinforming others who use Windows (which happens to be the most used OS there is, from home end user machines up thru departmental servers, & clear into the "mission critical/enterprise class" range of systems also AND on the most used hardware platform for computing there is, in the x86 instruction set + CPU based family) w/ your "Pro-*NIX hype", especially on THIS website... apk