server with 3-yr uptime finally died :(


kedlav

Senior member
Aug 2, 2006
Oh yea. That box has been kicking since well before I got here. Perfect example of how good code + good OS = stable.
 

tranceport

Diamond Member
Aug 8, 2000
www.thesystemsengineer.com
Originally posted by: between
If you haven't restarted your machine for months and months, then you're running a kernel with a bunch of known/published security vulnerabilities, which might be a bad idea in some circumstances. Unless of course you are clever enough to update your kernel directly in memory without rebooting it.

These aren't Windows boxes. You don't patch them every month as soon as Microsoft releases the updates and they pass your internal testing. Solaris 8 is a solid OS. I prefer AIX 5.2 or 5.3.

I'd like to point out as well that kernel vulnerabilities are not a huge concern usually. They are rarer than application vulnerabilities, for one. Kernel updates are for features and hardware support. Vulnerability patching is for daemons. As long as Kedlav keeps his http daemon updated he should have no issues. Securing the network and updating your daemons allows you to stay with stable OS code.


Nothinman

Elite Member
Sep 14, 2001
If you haven't restarted your machine for months and months, then you're running a kernel with a bunch of known/published security vulnerabilities, which might be a bad idea in some circumstances. Unless of course you are clever enough to update your kernel directly in memory without rebooting it.

Most kernel vulnerabilities are local only so unless you've got shell accounts belonging to untrusted people it's not a big deal. And there's nothing clever about using kexec although I don't think it's been tested enough to trust in production.
 

kedlav

Senior member
Aug 2, 2006
Originally posted by: Nothinman
If you haven't restarted your machine for months and months, then you're running a kernel with a bunch of known/published security vulnerabilities, which might be a bad idea in some circumstances. Unless of course you are clever enough to update your kernel directly in memory without rebooting it.

Most kernel vulnerabilities are local only so unless you've got shell accounts belonging to untrusted people it's not a big deal. And there's nothing clever about using kexec although I don't think it's been tested enough to trust in production.

Yep, restricted shells, good security policies, and good user management will take you a lot further than a six month patch schedule in the *nix world...
 

Brazen

Diamond Member
Jul 14, 2000
Originally posted by: kedlav
Originally posted by: Nothinman
If you haven't restarted your machine for months and months, then you're running a kernel with a bunch of known/published security vulnerabilities, which might be a bad idea in some circumstances. Unless of course you are clever enough to update your kernel directly in memory without rebooting it.

Most kernel vulnerabilities are local only so unless you've got shell accounts belonging to untrusted people it's not a big deal. And there's nothing clever about using kexec although I don't think it's been tested enough to trust in production.

Yep, restricted shells, good security policies, and good user management will take you a lot further than a six month patch schedule in the *nix world...

For the most part, that holds true in the Windows world as well. In my case, the biggest advantage with *nix is that even with the username and password, my fellow IT coworkers get too confused at a text console to even log in.
 

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
For internal stuff yeah, there is nothing wrong with not updating. But just be careful what you allow on your network. I'll be honest, I NEVER run Windows Update on the machines on my internal network. But I do realize that I have to be very careful about one of those machines getting directly to the internet, or an infected machine getting on the network.

In a corporate environment it's probably smarter to update for those reasons, but in a home environment you can get away with it. I upgrade the hardware on my servers more often than the software. The beauty of Linux is you can transplant the OS to a new PC and it will boot up most of the time.

Speaking of uptime, a coworker of mine had an uptime of like 300 days on his DSL modem. (We work for the company so we can check that stuff.) Then someone went and reset the card in the DSLAM and it reset the modem. DOH.
 

Nothinman

Elite Member
Sep 14, 2001
kexec allows you to reboot directly into a kernel image loaded from disk; it doesn't patch the currently running kernel. For that, you need to directly manipulate kernel memory. A kexec kernel reboot destroys the uptimes people seem to be so proud of in this thread. Maybe you are thinking of ksplice, which is a pretty new tool that automates Linux kernel hotpatching for security updates.

I know the difference but I wasn't sure if it affected what uptime was reported or not though.

As for the importance of updating kernels, my belief is that where security is an issue, security in depth implies you cover all your bases, including kernel patches.

Of course but with everything security related it's a tradeoff. You've got to decide if the patch is worth the downtime and any other work it may cause you and your users.

In a corporate environment it's probably smarter to update for those reasons, but in a home environment you can get away with it. I upgrade the hardware on my servers more often than the software. The beauty of Linux is you can transplant the OS to a new PC and it will boot up most of the time.

The severity of not doing it varies depending on your environment but it's not smart in any case. There's almost never a good reason not to update your machines.
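The distinction the thread draws between a kernel update that is merely installed on disk and one that is actually running (kexec boots into a new image and resets uptime, ksplice patches the running kernel in memory) is the practical reason to check that a long-uptime box isn't still executing an older kernel than the one its package manager last installed. The script below is an added example, not code from the thread or from any of the posters: it compares a running kernel version (what `uname -r` prints) against the kernel images installed on disk and reports whether a reboot, or an equivalent live patch, is still outstanding. The version strings at the bottom are constructed sample data, and the `/boot/vmlinuz-*` naming in the commented real-host line is an assumption about a Debian-style layout.

```shell
#!/bin/sh
# Added example (not from the thread): detect a kernel update that has been
# installed on disk but never activated, i.e. the running kernel is older than
# the newest image present. Until the box reboots (or is live-patched), the
# running kernel keeps every vulnerability the on-disk update fixed.
#
# Version strings used in the demo at the bottom are constructed sample data.

# numeric_field STRING N: the N-th dot/dash-separated component as a number,
# or 0 when the component is missing or non-numeric (e.g. "amd64").
numeric_field() {
    printf '%s\n' "$1" | tr '.-' '  ' | awk -v n="$2" '{ print $n + 0 }'
}

# vercmp A B: print -1 if A is older than B, 1 if newer, 0 if equal.
# Compares the first four numeric components (major.minor.patch-build).
vercmp() {
    i=1
    while [ "$i" -le 4 ]; do
        a=$(numeric_field "$1" "$i")
        b=$(numeric_field "$2" "$i")
        if [ "$a" -lt "$b" ]; then printf '%s\n' -1; return; fi
        if [ "$a" -gt "$b" ]; then printf '%s\n' 1; return; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# newest_kernel VERSION...: print the highest version among the arguments.
newest_kernel() {
    best=$1
    shift
    for v in "$@"; do
        if [ "$(vercmp "$v" "$best")" -eq 1 ]; then best=$v; fi
    done
    printf '%s\n' "$best"
}

# reboot_needed RUNNING INSTALLED...: "yes" if the running kernel is older
# than the newest installed image, otherwise "no".
reboot_needed() {
    running=$1
    shift
    newest=$(newest_kernel "$@")
    if [ "$(vercmp "$running" "$newest")" -eq -1 ]; then
        printf 'yes\n'
    else
        printf 'no\n'
    fi
}

# Real-host usage (assumes Debian-style /boot/vmlinuz-<version> names; not run here):
#   reboot_needed "$(uname -r)" $(ls /boot/vmlinuz-* | sed 's|.*/vmlinuz-||')

# Constructed demo: the package manager installed -23 but the box still runs -21.
RUNNING_KERNEL='5.10.0-21-amd64'
INSTALLED_KERNELS='5.10.0-21-amd64 5.10.0-23-amd64'

echo "running kernel:   $RUNNING_KERNEL"
echo "newest installed: $(newest_kernel $INSTALLED_KERNELS)"
echo "reboot needed:    $(reboot_needed "$RUNNING_KERNEL" $INSTALLED_KERNELS)"
```

The comparison deliberately stops at the fourth numeric component, so distribution suffixes like `-amd64` are ignored; on a host where the running kernel was live-patched rather than rebooted, the on-disk image name still lags and this check will keep reporting "yes", which is the point to keep in mind when reading it alongside an uptime counter.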