A customer of my firm has set up a SME Server installation and asked us to audit it for security. Being given the task for the intake audit, I can't help wondering about a few security details, so after reading the FAQ and the manuals I figured I could just as well dump them here as well.

There are a few details which worry me. RedHat has stopped supporting their public distributions earlier this year and, due to the lack of recent updates (and also recently discovered kernel exploits), it's already become a little risky to put a RH9 box online. Therefore I was a little surprised to see SME Server being based on RH7.3, a distribution which is quite old, if not ancient, these days. I can't help wondering how it deals with these issues considering that RH has stopped support...
Another issue bothering me is the kernel itself. The current stable version ships with 2.4.20; however, a recent announcement stated that all kernels (< 2.4.24 / < 2.6.10, iirc, from memory) suffered from nasty exploits and upgrading to the latest release (be it 2.4 or 2.6) was *strongly* recommended. I hope you can understand my concerns in this matter.
So I can't help wondering how exactly SME Server addresses all of these issues. I did pick up the issue on updating in the administration FAQ; however, when I skimmed the mentioned 'update' directory all I found was 'yum', which I find somewhat strange if you consider that distributions like SuSE and Debian have released several security updates counting from the release date of SME Server 6.5.
I know there isn't a full security policy yet, but could someone fill me in as to how these issues are addressed right now?
Thanks in advance for any input.
With kind regards, Peter