A few comments from out here in left field.. :)

> With Debian, you could easily setup security updates to run nightly from
> cron. Unfortunately, Debian does not have the easiest installer.

Three things here...

1. I personally don't want ANYTHING 'automatically updating'. Who knows what will be discreetly broken in the process, and how long it'll take to figure out that some magical update broke it, which one it actually was, and how to resolve the problem.

2. This is how the independent contractor makes money. :) Ideally, you're aware of the systems you 'admin', and are able to remotely do any necessary updates. It doesn't take a very fancy lil' bash script to weekly/monthly email you versions of commonly exploited software, i.e. Sendmail, BIND, OpenSSH, etc.

3. <cheapshot> Come all without, come all within. You'll not see nothing like the mighty Deb - ian.....</cheapshot>

Sitting here in my basement until about 3:00AM I billed out $300 upgrading OpenSSH this last round. Not one of the customers understood what I really did, but understood it was a security thing, and the use of Windows workstations has familiarized them with the hazards of not keeping up in this area. The fact that I did it, and tested things afterward, left no surprises. I could have done this in no more than my underwear, for all anyone knew or cared.

> As much as everyone would like to believe that UNIX software is
> magically immune to security holes, it simply isn't true. Almost all
> popular programs have had security holes that allow arbitrary code

Absolutely correct. See above. In my experience, the users are happy to see I'm watching their systems that closely, and need not concern themselves with it.

> execution. Setting newbies up with Linux systems that aren't
> automatically updated with security fixes is just as irresponsible as
> setting them up with Windows boxes.

Hmm.... Automation is a wonderful thing, in the right place such as backups and other misc. tasks. UPDATING? *shudder*

> Another issue is the operating system becoming obsolete. Some companies
> such as Red Hat make their operating systems obsolete faster than even
> Microsoft.

Obsolete in whose terms? I happen to have a 486 running Slackware 4.0, using ipchains, that has been an entirely functional firewall for years now. All it does is route and/or deny traffic. It allows SSH from inside only, so even if I DID let that slide, I have only myself to fear. What's to become obsolete on it? No one or nothing gets in I don't WANT to get in. That's the idea, right? Yes, someday an iptables P133 or even OBSD might be nice, but the age of the software is not an issue at all unless I WANT to make the changes. The need doesn't exist at this point, especially in the case of internal systems. Upgrades should be the choice and decision of the user, not the software manufacturer because "xxxxx is no longer supported with xxx on xxx" or EOL crap. If it's working for them, leave it be. As long as I can run the latest BIND on it, why would I 'update' that RH 5.2 nameserver that's been up 232 days performing its function nicely? Beware the 'upgrade treadmill!'

> Ideally, the operating system needs a way to update itself from any

You are a brave and trusting soul. :)

>> E-mail Serving
> Make sure to pick a secure MTA, such as qmail or Postfix.

No comment... :)

> Take a hint from Apple on usability. How many average Mac users know
> about UNIX permissions? The average user doesn't care and shouldn't
> need to. Focus on what the user needs to do, not on general UNIX
> concepts.

Agreed, read on.

> Businesses exist to make money,

Indeed. This is done in part by smooth, efficient day-to-day operation.

> not do something a certain way because
> you think it is cool (case in point: vi). Make sure a solution's total
> cost of ownership is cheaper than the alternatives. Software cost is
> usually a small factor.

I disagree. First off, we're talking small business/non-profit here. License after license in order to remain legal can be a SIGNIFICANT expense, not to mention deployment and interference with daily operations caused by the aforementioned. I WISH the Linux servers I've set up/sold required more 'work'. I'd have a hell of a lot more money in my pocket. These folks don't even know what root IS, much less how to access anything on these big machines stashed in an office closet. All they know is that it WORKS, is ALWAYS there when they need it to be, and doesn't cost them a fortune in downtime, license fees, etc. That's all they WANT to know in most cases. A welding shop typically doesn't care one bit how/what's happening with the stuff, as long as it does what they think it should. In most cases I've found they are 'anti-computer' and only use them because that's how things work now, and it's somehow related to the way they get their paychecks. You've not LIVED until you've been a party to a delay in this area. :) "Ok whatever. Can I just print this drawing I got in my email?"

As far as workstations go, there's usually some way to centralize things via an X server or some such, depending on the need of course. The beauty of open source plays nice here as its limits are only those of the 'system designers'' skills, imagination and problem solving abilities. Set it up, put it out there, look for issues or complications, LISTEN to the users' wants/needs and adjust accordingly. If not, there's always Samba. :)

-mj

> --
> David Phillips <david at acz.org>
> http://david.acz.org/
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> http://www.mn-linux.org tclug-list at mn-linux.org
> https://mailman.real-time.com/mailman/listinfo/tclug-list