Serious question about Linux security...
- 
 @coliver said in Serious question about Linux security...: @BBigford said in Serious question about Linux security...: @coliver said in Serious question about Linux security...: @BBigford said in Serious question about Linux security...: We have a bunch of RHEL servers, some CentOS, a couple Debian, and lots of Windows servers. We're looking to drop RHEL costs from Enterprise to Standard, but still keep RHEL because "updates are more reliable and quick to release". So there are a couple servers we're looking to keep on RHEL like our public DNS servers, but transition some of the other stuff to CentOS or move them to RHEL Standard. I mean it's fairly well known that CentOS updates come down the pike after RHEL updates are released I guess. My question is, how much validity is there in saying that CentOS is a security risk? from a business standpoint there is risk in not having some of your major server supported by a vendor. Definitely valid. Rarely do we ever contact RHEL though. Right, and if you are running anything on Windows you would run into the same issues as you do with CentOS. Which is a big selling point for RHEL, Suse and Ubuntu (and Solaris, AIX, HP-UX) - total vendor support. 
- 
 @BBigford said in Serious question about Linux security...: @coliver said in Serious question about Linux security...: @BBigford said in Serious question about Linux security...: @coliver said in Serious question about Linux security...: @BBigford said in Serious question about Linux security...: We have a bunch of RHEL servers, some CentOS, a couple Debian, and lots of Windows servers. We're looking to drop RHEL costs from Enterprise to Standard, but still keep RHEL because "updates are more reliable and quick to release". So there are a couple servers we're looking to keep on RHEL like our public DNS servers, but transition some of the other stuff to CentOS or move them to RHEL Standard. I mean it's fairly well known that CentOS updates come down the pike after RHEL updates are released I guess. My question is, how much validity is there in saying that CentOS is a security risk? from a business standpoint there is risk in not having some of your major server supported by a vendor. Definitely valid. Rarely do we ever contact RHEL though. Right, and if you are running anything on Windows you would run into the same issues as you do with CentOS. We can call Microsoft and pay a flat fee if there was an issue with something Windows Server related. Can you elaborate? It's a different kind of support. You have to purchase support for that one issue, they don't always decide to accept the support scenario, they are under no obligation to fix the issue, etc. It's support, but it is not what IT people mean when they say that something is supported. It's a half-way kind of support. It's not comparable to any enterprise support system like other OSes have. 
- 
 @coliver said in Serious question about Linux security...: @BBigford said in Serious question about Linux security...: @coliver said in Serious question about Linux security...: @BBigford said in Serious question about Linux security...: @coliver said in Serious question about Linux security...: @BBigford said in Serious question about Linux security...: We have a bunch of RHEL servers, some CentOS, a couple Debian, and lots of Windows servers. We're looking to drop RHEL costs from Enterprise to Standard, but still keep RHEL because "updates are more reliable and quick to release". So there are a couple servers we're looking to keep on RHEL like our public DNS servers, but transition some of the other stuff to CentOS or move them to RHEL Standard. I mean it's fairly well known that CentOS updates come down the pike after RHEL updates are released I guess. My question is, how much validity is there in saying that CentOS is a security risk? from a business standpoint there is risk in not having some of your major server supported by a vendor. Definitely valid. Rarely do we ever contact RHEL though. Right, and if you are running anything on Windows you would run into the same issues as you do with CentOS. We can call Microsoft and pay a flat fee if there was an issue with something Windows Server related. Can you elaborate? Not to say that Windows is more secure than CentOS for that reason though. That's it though, you call Microsoft and you pay a flat rate. The same as you would get for CentOS. RHEL includes that support fee in the cost of the license. RHEL includes a support SLA. CentOS and Windows do not. 
- 
 @scottalanmiller said in Serious question about Linux security...: @BBigford said in Serious question about Linux security...: I mean it's fairly well known that CentOS updates come down the pike after RHEL updates are released I guess. News to me. When did this change? I've been under the impression that's how it always was... Red Hat patches a vulnerability or changes something, then CentOS does. https://wiki.centos.org/FAQ/General#head-cea9337e6513cc1567c4d05afbd693f1f7038ccb  
- 
 @BBigford said in Serious question about Linux security...: I've been under the impression that's how it always was... Red Hat patches a vulnerability or changes something, then CentOS does. It's how it was when CentOS wasn't part of Red Hat. Now CentOS isn't a company, just a product of Red Hat. So Red Hat is patching both. So your statement above can be rephrased to... I've been under the impression that's how it always was... Red Hat patches a vulnerability or changes something. It's true that the RHEL repos always get the updates first, but there isn't a long delay. Everyone has an interest in getting everything patched quickly. There is no intentional delay. 
- 
 @scottalanmiller said in Serious question about Linux security...: @BBigford said in Serious question about Linux security...: @coliver said in Serious question about Linux security...: @BBigford said in Serious question about Linux security...: We have a bunch of RHEL servers, some CentOS, a couple Debian, and lots of Windows servers. We're looking to drop RHEL costs from Enterprise to Standard, but still keep RHEL because "updates are more reliable and quick to release". So there are a couple servers we're looking to keep on RHEL like our public DNS servers, but transition some of the other stuff to CentOS or move them to RHEL Standard. I mean it's fairly well known that CentOS updates come down the pike after RHEL updates are released I guess. My question is, how much validity is there in saying that CentOS is a security risk? From a business standpoint there is risk in not having some of your major servers supported by a vendor. Definitely valid. Rarely do we ever contact RHEL though. The question is not how often... but do you ever? How much risk is there in not being able to? Good point. I'm not sure if any of our contracts require it so I can't speak to that. But having the option to hold someone accountable and have a resolution quickly could be important in some situations. 
- 
 @BBigford Nothing in that screen cap talks about the time AFTER RHEL getting stuff, it talks about how long the updates take to show up in repos. RHEL has the same issues. 
- 
 @scottalanmiller said in Serious question about Linux security...: @BBigford said in Serious question about Linux security...: I've been under the impression that's how it always was... Red Hat patches a vulnerability or changes something, then CentOS does. It's how it was when CentOS wasn't part of Red Hat. Now CentOS isn't a company, just a product of Red Hat. So Red Hat is patching both. So your statement above can be rephrased to... I was under the wrong premise. Whoops... thanks for the clarification. Did not get those answers over at SW. Another reason I love ML. http://www.linux-magazine.com/Online/News/Red-Hat-Adopts-CentOS 
- 
 @BBigford said in Serious question about Linux security...: @scottalanmiller said in Serious question about Linux security...: @BBigford said in Serious question about Linux security...: @coliver said in Serious question about Linux security...: @BBigford said in Serious question about Linux security...: We have a bunch of RHEL servers, some CentOS, a couple Debian, and lots of Windows servers. We're looking to drop RHEL costs from Enterprise to Standard, but still keep RHEL because "updates are more reliable and quick to release". So there are a couple servers we're looking to keep on RHEL like our public DNS servers, but transition some of the other stuff to CentOS or move them to RHEL Standard. I mean it's fairly well known that CentOS updates come down the pike after RHEL updates are released I guess. My question is, how much validity is there in saying that CentOS is a security risk? From a business standpoint there is risk in not having some of your major servers supported by a vendor. Definitely valid. Rarely do we ever contact RHEL though. The question is not how often... but do you ever? How much risk is there in not being able to? Good point. I'm not sure if any of our contracts require it so I can't speak to that. But having the option to hold someone accountable and have a resolution quickly could be important in some situations. Their support is excellent. If you have an organization that can engineer their own solutions, you might not need them (a bank hired me to head that, and kept RHEL around anyway, but we never needed them, ever), but if you don't have lots of high end Linux resources you might want Red Hat there to back you up in case things go wrong. Plus the politics thing... is it about cost, or about blame? 
- 
 @BBigford said in Serious question about Linux security...: @scottalanmiller said in Serious question about Linux security...: @BBigford said in Serious question about Linux security...: I've been under the impression that's how it always was... Red Hat patches a vulnerability or changes something, then CentOS does. It's how it was when CentOS wasn't part of Red Hat. Now CentOS isn't a company, just a product of Red Hat. So Red Hat is patching both. So your statement above can be rephrased to... I was under the wrong premise. Whoops... thanks for the clarification. Did not get those answers over at SW. Another reason I love ML. http://www.linux-magazine.com/Online/News/Red-Hat-Adopts-CentOS Lots of big time CentOS users here. It was good before RH bought them, but way better since they did. Used to be even months behind in releases. Not like that at all anymore. RH has to keep CentOS patched to maintain their reputation as the most enterprise OS option in the SMB and commodity spaces. 
- 
 @scottalanmiller said in Serious question about Linux security...: @BBigford said in Serious question about Linux security...: @scottalanmiller said in Serious question about Linux security...: @BBigford said in Serious question about Linux security...: I've been under the impression that's how it always was... Red Hat patches a vulnerability or changes something, then CentOS does. It's how it was when CentOS wasn't part of Red Hat. Now CentOS isn't a company, just a product of Red Hat. So Red Hat is patching both. So your statement above can be rephrased to... I was under the wrong premise. Whoops... thanks for the clarification. Did not get those answers over at SW. Another reason I love ML. http://www.linux-magazine.com/Online/News/Red-Hat-Adopts-CentOS Lots of big time CentOS users here. It was good before RH bought them, but way better since they did. Used to be even months behind in releases. Not like that at all anymore. RH has to keep CentOS patched to maintain their reputation as the most enterprise OS option in the SMB and commodity spaces. Yeah I live under a rock. We don't get updates about that kind of stuff in the desert. Also, please send food and Internet. 
- 
 @BBigford said in Serious question about Linux security...: @scottalanmiller said in Serious question about Linux security...: @BBigford said in Serious question about Linux security...: @scottalanmiller said in Serious question about Linux security...: @BBigford said in Serious question about Linux security...: I've been under the impression that's how it always was... Red Hat patches a vulnerability or changes something, then CentOS does. It's how it was when CentOS wasn't part of Red Hat. Now CentOS isn't a company, just a product of Red Hat. So Red Hat is patching both. So your statement above can be rephrased to... I was under the wrong premise. Whoops... thanks for the clarification. Did not get those answers over at SW. Another reason I love ML. http://www.linux-magazine.com/Online/News/Red-Hat-Adopts-CentOS Lots of big time CentOS users here. It was good before RH bought them, but way better since they did. Used to be even months behind in releases. Not like that at all anymore. RH has to keep CentOS patched to maintain their reputation as the most enterprise OS option in the SMB and commodity spaces. Yeah I live under a rock. We don't get updates about that kind of stuff in the desert. Also, please send food and Internet. We only make our houses out of rock around here... the house my grandfather grew up in is made of soapstone quarried from the hill beside the house. We don't need more food, but... 
  Also, security wise, while updates are important, that's secondary to rootkits in UNIX/BSD/Linux. My slide deck from MangoCon might get you pointed in the right direction. 
- 
 @BBigford said in Serious question about Linux security...: @scottalanmiller said in Serious question about Linux security...: @BBigford said in Serious question about Linux security...: @scottalanmiller said in Serious question about Linux security...: @BBigford said in Serious question about Linux security...: I've been under the impression that's how it always was... Red Hat patches a vulnerability or changes something, then CentOS does. It's how it was when CentOS wasn't part of Red Hat. Now CentOS isn't a company, just a product of Red Hat. So Red Hat is patching both. So your statement above can be rephrased to... I was under the wrong premise. Whoops... thanks for the clarification. Did not get those answers over at SW. Another reason I love ML. http://www.linux-magazine.com/Online/News/Red-Hat-Adopts-CentOS Lots of big time CentOS users here. It was good before RH bought them, but way better since they did. Used to be even months behind in releases. Not like that at all anymore. RH has to keep CentOS patched to maintain their reputation as the most enterprise OS option in the SMB and commodity spaces. Yeah I live under a rock. We don't get updates about that kind of stuff in the desert. Also, please send food and Internet. +1 internet sent. 