Keeping Up With DoD Security Requirements In Linux?
ers81239 writes "I've recently become a Linux administrator within the Department of Defense. I am surprised to find out that the DoD actually publishes extensive guidance on minimum software versions. I guess that isn't so surprising, but the version numbers are. Kernel 2.6.30, ntp 4.2.4p7-RC2, OpenSSL 9.8k and the OpenSSH to match, etc. The surprising part is that these are very fresh versions which are not included in many distributions. We use SUSE Enterprise quite a bit, but even openSUSE factory (their word for unstable) doesn't have these packages. Tarballing on this many systems is a nightmare, and even then some things just don't seem to work. I don't have time to track down every possible lib/etc/opt/local/share path that different packages try to use by default. I think that this really highlights the trade-offs of stability and security. I have called Novell to ask about it. When vulnerabilities are found in software, they backport the patches into whatever version of the software they are currently supporting. The problem here is that doesn't give me a guarantee that the backport fixes the problem for which this upgrade is required (my requirements say to install version x or higher). There is also the question of how quickly they are providing the backports. I'm hoping that there are 100s of DoD Linux administrators reading this who can bombard me with solutions. How do you balance security with stability?"
Is that any reason not to want to find a software solution to make his life easier?
That sounds great in theory but, mostly, it is the excuse of the incompetent who would like to have someone else do the work while they gather all the credit. The conceptual progression is no different than cheating on homework beginning in second grade.
I thought that was what software solutions were all about?
I think we've come a long way from the original path of software solutions. The system began as people who had computers at their disposal and who enjoyed working with them. They created solutions--heck, they created their own problems. They found new hardware, or new software, or new applications, and they had a simple interest to put things together and make them work. They created software solutions. Some of them began to sell their software solutions to people who needed them. The most inventive minds, however, continued to create their own solutions.
I think the largest problem is that management has even forgotten this. They want the job done. They do not want to spend money on it, they do not want to wait for it to happen; whatever the need is, the managers want it done, now, at no cost. Part of this is just the crap rolling downhill from upper management who want something to report to the executives, and the executives just want to have material for their latest bout of grandstanding and speeches at various dinners, conferences, get-togethers, or golf outings, to have that edge to be able to feed to the investment partners, so that the numbers which drive their salaries and bonuses will go up. So the investment partners want something, that makes the executives want something, that means upper management wants something, that means middle management wants something, that means that front line managers want something done, and that means someone must do it.
So, rather than seeing people who have a genuine interest in developing and advancing computer, hardware, software, and programming technologies and art forms... we have an enormous population of what amounts to slightly more technically trained button pushing monkeys. These monkeys are slightly better than previous generations of monkeys in that these monkeys have been trained to be able to recognize more technical language and can follow the mouse pointer across the screen with their eyes.
I don't think the DoD wants "purchase, install, and deploy" monkeys--though quite likely the managers who will administer the posted position will (because monkeys are easier to push around and ride for their own professional profit than a real thinking human being). I think the requirements are set attempting to find those candidates who really and truly have a desire to work with those systems.