[opensuse] How do I keep openSUSE secure?

newer
[opensuse] Strange media player...

Aniruddha

8 Oct 2007 8 Oct '07

11:21

Coming from Gentoo I wonder how do I keep openSUSE secure (e.g. for rootkits)? In Gentoo there is one repository with 11.000+ packages which are all checked for vulnerabilities and verified with shasum. In contrast openSUSE has many different repositories (Packman, Guru etc). I assume these are trusted resources. How can I tell if these rpm's are tampered with? How do I safely use the gnupg key system for repositories? Is accepting these keys when adding repositories with yast the preferred way? And if so how can I tell these are the correct keys? What about rootkits? How do I protect my system for rootkits when downloading rpm's from sites such as rpmbone? And my last question; where do I find security information for openSUSE? Is there a news site or mailinglist with announcement about security threats and vulnerabilities? I ask these questions because I am planning to sell openSUSE 10.3 on retail pc's through my company. I want the make sure I get all the pro's and cons of openSUSE security wise before doing so. Thanks in advance! Regards, Aniruddha -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Show replies by date

Joe Morris (NTM)

8 Oct 8 Oct

11:41

On 10/08/2007 07:21 PM, Aniruddha wrote:

...

Coming from Gentoo I wonder how do I keep openSUSE secure (e.g. for rootkits)? In Gentoo there is one repository with 11.000+ packages which are all checked for vulnerabilities and verified with shasum.

In contrast openSUSE has many different repositories (Packman, Guru etc). I assume these are trusted resources. How can I tell if these rpm's are tampered with?

use Yast to install your packages. It checks the gpg signatures to verify every package installed.

...

How do I safely use the gnupg key system for repositories? repository files are signed as well as each package. These are also checked by Yast. Is accepting these keys when adding repositories with yast the preferred way? Depends on your paranoia. You could also check the authenticity before accepting, but remember that is only the authenticity of the files that describe the contents to yast, NOT the packages themselves. They are signed and checked independently. And if so how can I tell these are the correct keys?

They are usually published on the web sites and or via the gpg key servers.

...

What about rootkits? How do I protect my system for rootkits when downloading rpm's from sites such as rpmbone?

Only get packages from trusted sources. If it isn't available, ask or build it yourself. You can download the src rpms and build it on your machine and check it to be sure.

...

And my last question; where do I find security information for openSUSE?

Yast Online Update

...

Is there a news site or mailinglist with announcement about security threats and vulnerabilities?

Yes, opensuse-security@opensuse.org and opensuse-security-announce@opensuse.org

...

I ask these questions because I am planning to sell openSUSE 10.3 on retail pc's through my company. I want the make sure I get all the pro's and cons of openSUSE security wise before doing so.

HTH -- Joe Morris Registered Linux user 231871 running openSUSE 10.2 x86_64 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Aniruddha

12:12

Hi Joe, Thank you for your answers! May I conclude that is is safe to accept gnupg keys from repositories in yast2 -> Community Repositories ? What do you mean with "the packages... are signed and checked independently"? Does this mean the repo owner checks the packages for vulnerabilities and yast only checks if the contents matches with the signature of the repo owner? Which trusted sources for (source) rpm's do you recommend? Thanks again. Regard, Aniruddha On Mon, 2007-10-08 at 19:41 +0800, Joe Morris (NTM) wrote:

...

On 10/08/2007 07:21 PM, Aniruddha wrote:

...
Coming from Gentoo I wonder how do I keep openSUSE secure (e.g. for rootkits)? In Gentoo there is one repository with 11.000+ packages which are all checked for vulnerabilities and verified with shasum.

In contrast openSUSE has many different repositories (Packman, Guru etc). I assume these are trusted resources. How can I tell if these rpm's are tampered with?

use Yast to install your packages. It checks the gpg signatures to verify every package installed.

...
How do I safely use the gnupg key system for repositories? repository files are signed as well as each package. These are also checked by Yast. Is accepting these keys when adding repositories with yast the preferred way? Depends on your paranoia. You could also check the authenticity before accepting, but remember that is only the authenticity of the files that describe the contents to yast, NOT the packages themselves. They are signed and checked independently. And if so how can I tell these are the correct keys?

They are usually published on the web sites and or via the gpg key servers.

...
What about rootkits? How do I protect my system for rootkits when downloading rpm's from sites such as rpmbone?

Only get packages from trusted sources. If it isn't available, ask or build it yourself. You can download the src rpms and build it on your machine and check it to be sure.

...
And my last question; where do I find security information for openSUSE?

Yast Online Update

...
Is there a news site or mailinglist with announcement about security threats and vulnerabilities?

Yes, opensuse-security@opensuse.org and opensuse-security-announce@opensuse.org

...
I ask these questions because I am planning to sell openSUSE 10.3 on retail pc's through my company. I want the make sure I get all the pro's and cons of openSUSE security wise before doing so.

HTH

-- Joe Morris Registered Linux user 231871 running openSUSE 10.2 x86_64

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Marcus Meissner

12:22

New subject: [opensuse-security] Re: [opensuse] How do I keep openSUSE secure?

On Mon, Oct 08, 2007 at 02:12:02PM +0200, Aniruddha wrote:

...

Hi Joe,

Thank you for your answers!

May I conclude that is is safe to accept gnupg keys from repositories in yast2 -> Community Repositories ?

What do you mean with "the packages... are signed and checked independently"? Does this mean the repo owner checks the packages for vulnerabilities and yast only checks if the contents matches with the signature of the repo owner?

Which trusted sources for (source) rpm's do you recommend?

The community packages are provided ... by our community. So in the end you have to decide how much you trust our judgement to decide on good community members.;) The repository owner is responsible for the security fixes, SUSE Security does that only for the official SUSE repositories. Ciao, Marcus -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Aniruddha

12:28

New subject: [opensuse-security] Re: [opensuse] How do I keep openSUSE secure?

Thanks for clarifying that :). Do you happen to know where I can manage (verify, delete etc.) imported gnupg keys? Thanks! Regards, Aniruddha On Mon, 2007-10-08 at 14:22 +0200, Marcus Meissner wrote:

...

On Mon, Oct 08, 2007 at 02:12:02PM +0200, Aniruddha wrote:

...
Hi Joe,

Thank you for your answers!

May I conclude that is is safe to accept gnupg keys from repositories in yast2 -> Community Repositories ?

What do you mean with "the packages... are signed and checked independently"? Does this mean the repo owner checks the packages for vulnerabilities and yast only checks if the contents matches with the signature of the repo owner?

Which trusted sources for (source) rpm's do you recommend?

The community packages are provided ... by our community.

So in the end you have to decide how much you trust our judgement to decide on good community members.;)

The repository owner is responsible for the security fixes, SUSE Security does that only for the official SUSE repositories.

Ciao, Marcus

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Stanislav Visnovsky

13:01

New subject: [opensuse-security] Re: [opensuse] How do I keep openSUSE secure?

Dňa Monday 08 October 2007 14:28:02 Aniruddha ste napísal:

...

Thanks for clarifying that :). Do you happen to know where I can manage (verify, delete etc.) imported gnupg keys?

See 'man rpm' for importing new keys, removing the keys, listing of them. Stano -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Marcus Meissner

12:05

On Mon, Oct 08, 2007 at 01:21:47PM +0200, Aniruddha wrote:

...

Coming from Gentoo I wonder how do I keep openSUSE secure (e.g. for rootkits)? In Gentoo there is one repository with 11.000+ packages which are all checked for vulnerabilities and verified with shasum.

In contrast openSUSE has many different repositories (Packman, Guru etc). I assume these are trusted resources. How can I tell if these rpm's are tampered with?

...

From the SUSE Security team perspective, only the official repositories (OSS, Non-OSS and the Update) repos are fully ensured and updated with security fixes. The GPG keys for those are checked and are already on the CD/DVD.

The buildservice hosts packages by any user who wants to build them, here you have to mostly trust the repository and its packagers. There is no SUSE ensurance for it. There is 1 global buildservice key, but this will be changed to 1 key per buildservice repo. packman and others have dedicated developers not working for SUSE usually and you have to decide whether to trust them.

...

How do I safely use the gnupg key system for repositories? Is accepting these keys when adding repositories with yast the preferred way? And if so how can I tell these are the correct keys?

SUSE repos - no import dialog should appear, the keys are preconfigured. other repos - the id and the fingerprint is shown and you should review them (and can fetch the key in another shell and use GPG to check it).

...

What about rootkits? How do I protect my system for rootkits when downloading rpm's from sites such as rpmbone?

Difficult, because you dont really know what is in those RPMs.

...

And my last question; where do I find security information for openSUSE? Is there a news site or mailinglist with announcement about security threats and vulnerabilities?

Others mentioned our mailinglists, opensuse-security and opensuse-security-announce reachable from http://lists.opensuse.org . Also check http://www.novell.com/linux/security/securitysupport.html Ciao, Marcus -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

darko g

12:34

On 10/8/07, Marcus Meissner wrote:

...

...
How do I safely use the gnupg key system for repositories? Is accepting these keys when adding repositories with yast the preferred way? And if so how can I tell these are the correct keys?

SUSE repos - no import dialog should appear, the keys are preconfigured.

other repos - the id and the fingerprint is shown and you should review them (and can fetch the key in another shell and use GPG to check it).

...
What about rootkits? How do I protect my system for rootkits when downloading rpm's from sites such as rpmbone?

Hello, where does Yast keep the keys? -- cheers, dg <a href="http://opensuse.org"><img style="border: 0px solid ; width: 80px; height: 15px;" alt="openSUSE.org" title="openSUSE.org" src="http://files.opensuse.org/opensuse/en/6/6e/Suselinux-green.png" /></a> -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Marcus Meissner

12:35

On Mon, Oct 08, 2007 at 08:34:36AM -0400, darko g wrote:

...

On 10/8/07, Marcus Meissner wrote:

...
...
How do I safely use the gnupg key system for repositories? Is accepting these keys when adding repositories with yast the preferred way? And if so how can I tell these are the correct keys?

SUSE repos - no import dialog should appear, the keys are preconfigured.

other repos - the id and the fingerprint is shown and you should review them (and can fetch the key in another shell and use GPG to check it).

...
What about rootkits? How do I protect my system for rootkits when downloading rpm's from sites such as rpmbone?

Hello, where does Yast keep the keys?

In the RPM database. rpm -qa|grep gpg-pubkey You can remove them with "rpm -e" for instance. There is no GUI for it yet. Ciao, Marcus -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Joe Morris (NTM)

12:57

On 10/08/2007 08:35 PM, Marcus Meissner wrote:

...

In the RPM database.

rpm -qa|grep gpg-pubkey

You can remove them with "rpm -e" for instance.

There is no GUI for it yet.

Ciao, Marcus

Kpackage works a treat as a GUI for rpm and especially the keys. -- Joe Morris Registered Linux user 231871 running openSUSE 10.2 x86_64 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

6053

Age (days ago)

6053

Last active (days ago)

List overview

Download

9 comments

5 participants

participants (5)

Aniruddha
darko g
Joe Morris (NTM)
Marcus Meissner
Stanislav Visnovsky