User guide

Chapter 6. Software Maintenance
Software maintenance is extremely important to maintaining a secure system. It is vital to apply
software patches as soon as they become available in order to prevent attackers from using known
holes to infiltrate your system.
6.1. Install Minimal Software
It is best practice to install only the packages you will use, because each piece of software on your
computer could contain a vulnerability. If you are installing from the DVD media, take the
opportunity to select exactly which packages you want during the installation. When you find
you need another package, you can always add it to the system later.
6.2. Plan and Configure Security Updates
All software contains bugs. Often, these bugs can result in a vulnerability that can expose your system
to malicious users. Unpatched systems are a common cause of computer intrusions. You should have
a plan to install security patches in a timely manner to close those vulnerabilities so they cannot be
exploited.
For home users, security updates should be installed as soon as possible. Configuring automatic
installation of security updates is one way to avoid having to remember, but it does carry a slight risk
that an update will conflict with your configuration or with other software on the system.
For business or advanced home users, security updates should be tested and scheduled for
installation. Additional controls will need to be used to protect the system during the time between
the patch release and its installation on the system. These controls would depend on the exact
vulnerability, but could include additional firewall rules, the use of external firewalls, or changes in
software settings.
6.3. Adjusting Automatic Updates
Red Hat Enterprise Linux is configured to apply all updates on a daily schedule. If you want to change
how your system installs updates, you must do so via Software Update Preferences. You can
change the schedule, the type of updates to apply, or whether to be notified of available updates.
In GNOME, you can find controls for your updates at: System -> Preferences -> Software
Updates. In KDE, they are located at: Applications -> Settings -> Software Updates.
6.4. Install Signed Packages from Well-Known Repositories
Software packages are published through repositories. All well-known repositories support package
signing. Package signing uses public key technology to prove that the package published by
the repository has not been changed since the signature was applied. This provides some protection
against installing software that may have been maliciously altered after the package was created but
before you downloaded it.
Using too many repositories, untrustworthy repositories, or repositories with unsigned packages
carries a higher risk of introducing malicious or vulnerable code into your system. Use caution when
adding repositories to yum/software update.
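One way to check which configured repositories do not enforce signature checking is shown below. This is an added example, not part of the original guide. The function names audit_repos and make_sample, the repository names and mirror.example.com are constructed for illustration, and an unset [main] gpgcheck value is assumed to be 0 unless you pass your own.

```shell
#!/bin/sh
# audit_repos DIR [MAIN_DEFAULT]: report enabled repos in DIR/*.repo that skip
# signature checks. MAIN_DEFAULT is the [main] gpgcheck value from yum.conf that
# repos inherit when they set none (assumed 0 here when not supplied).
audit_repos() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" -v dflt="${2:-0}" '
            function is_on(v) { v = tolower(v); return v == "1" || v == "yes" || v == "true" }
            function report() {
                if (id == "" || !is_on(enabled)) return
                if (!is_on(gpgcheck)) print file ":" id ": gpgcheck disabled"
                else if (gpgkey ~ /^http:/) print file ":" id ": gpgkey fetched over plain http"
            }
            /^[ \t]*[#;]/ { next }                      # skip comment lines
            /^[ \t]*\[/ {                               # new [repoid] section
                report(); id = $0; gsub(/^[ \t]*\[|\].*$/, "", id)
                enabled = "1"; gpgcheck = dflt; gpgkey = ""; next
            }
            /=/ {                                       # key=value inside a section
                key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
                val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
                if (key == "enabled") enabled = val
                else if (key == "gpgcheck") gpgcheck = val
                else if (key == "gpgkey") gpgkey = val
            }
            END { report() }
        ' "$f"
    done
}
# Constructed sample (not from a real system): five repository definitions.
make_sample() {
    mkdir -p "$1" && cat > "$1/sample.repo" <<'EOF'
[base]
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
[thirdparty]
gpgcheck=0
[inherits]
[disabled-repo]
enabled=0
gpgcheck=0
[httpkey]
gpgcheck = 1
gpgkey=http://mirror.example.com/KEY
EOF
}
d=$(mktemp -d) && make_sample "$d" && audit_repos "$d"; rm -rf "$d"
```

On a real system, point audit_repos at /etc/yum.repos.d and pass the gpgcheck value from the [main] section of your yum.conf as the second argument.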