Richard Freeman on 16 Jan 2010 03:50:24 -0800



Re: [PLUG] PCI Compliancy with Ubuntu/RedHat/Suse


On 01/15/2010 10:21 PM, brent timothy saner wrote:
> On 01/15/10 09:48, Andrew Tsen wrote:
>> I'm contemplating on starting to use tar balls and compile and
>> re-do the whole LAMP setup instead of using apt, etc.
>
> (cough,cough)try gentoo(cough, cough) most of the stable branch is
> latest stable release right from the project.

I'm not sure I'd go quite that far - Gentoo stable tends to be a little 
behind upstream stable releases (for good reason - all mainstream 
distros do this), except where security releases are concerned. 
Typically security issues are handled by version upgrades, but backports 
aren't unheard of - especially if upstream makes them available as 
releases or if the new release has serious issues.

Gentoo in a production environment is done, but you need to consider a 
number of things before going that route.  Still, if you're thinking 
about micro-managing your LAMP setup and building it all yourself 
anyway, then it is probably a no-brainer.  None of the downsides of 
Gentoo really apply to you in that case and you might as well at least 
benefit from the automation.

At the last PLUG North I got a lot of questions around Gentoo in 
production so I added a few slides to the end of my Feb 9th 
presentation.  To be honest this specific sub-topic could easily fill a 
1 hour presentation on its own, so I can really only summarize a few of 
the pros/cons to give everybody a feel for it.

Slides will go out to the list and if feedback is strong I'll probably 
offer to give the talk at the other venues.

I think the fundamental problem is that software version numbers are 
useful to track but they don't definitively indicate whether software is 
vulnerable.  When I run rkhunter on my stable Gentoo box I always get 
flagged for a few software version numbers, but something more serious 
like OpenVAS gives me passing grades and the Gentoo tools for auditing 
against security bugs indicate I'm fine as well.

All that said, distros that don't have serious revenue streams aren't 
generally going to certify themselves against any external compliance 
standards body.  It is just way too expensive to do that.  Most will 
follow something resembling best-practices regarding security releases. 
If you really need somebody you can sue if something goes wrong you're 
going to have to stick with the big players.

Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
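The false-positive pattern Rich describes above (a version-only scanner flagging a package whose fix the distro backported, while the distro's own advisory data says it is patched), as an added example that is not part of the original post or of any Gentoo tool. The package name, versions and advisory below are constructed; the `-rN` revision handling mimics Gentoo-style ebuild revisions.

```python
# Added illustration: why "installed version < upstream fixed version" alone
# over-reports vulnerabilities on distros that backport fixes. All package,
# version and advisory data below is constructed for the example, not real.
import re
from typing import NamedTuple

def parse_version(v: str) -> tuple:
    """Split '1.2.10-r3' into a comparable tuple: ((1, 2, 10), 3).
    A Gentoo-style '-rN' revision marks a distro rebuild of the same upstream release."""
    base, _, rev = v.partition("-r")
    nums = tuple(int(x) for x in re.findall(r"\d+", base))
    return (nums, int(rev) if rev else 0)

def naive_flag(installed: str, upstream_fixed: str) -> bool:
    """Version-only check (what a signature-style scanner does): flag if the
    upstream part of the installed version is older than the upstream fixed release."""
    return parse_version(installed)[0] < parse_version(upstream_fixed)[0]

class Advisory(NamedTuple):
    pkg: str
    upstream_fixed: str  # first upstream release containing the fix
    distro_fixed: str    # first distro package version carrying the fix (may be a backport)

def advisory_flag(installed: str, adv: Advisory) -> bool:
    """Distro-aware check: compare against the distro's own fixed version, which
    may be an older upstream release plus a revision that backported the patch."""
    return parse_version(installed) < parse_version(adv.distro_fixed)

# Constructed sample: 'examplepkg' 2.4.1-r2 backports the fix that upstream
# first shipped in 2.4.3, so the box is patched despite the older version number.
ADVISORIES = [Advisory("examplepkg", "2.4.3", "2.4.1-r2")]
INSTALLED = {"examplepkg": "2.4.1-r2"}

def assess(installed=INSTALLED, advisories=ADVISORIES) -> dict:
    """Return {pkg: (version_only_result, advisory_result)} for each advisory
    whose package is installed."""
    out = {}
    for adv in advisories:
        v = installed.get(adv.pkg)
        if v is None:
            continue
        out[adv.pkg] = (naive_flag(v, adv.upstream_fixed), advisory_flag(v, adv))
    return out

if __name__ == "__main__":
    for pkg, (naive, real) in assess().items():
        print(f"{pkg}: version-only scanner flags={naive}, advisory check flags={real}")
```

The version-only check reports the constructed package as vulnerable while the advisory-aware check does not; dropping the installed revision to 2.4.1-r1 makes both checks agree.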