Lech Sandecki
on 10 December 2019
CVE patching alone is not making your Linux secure
Would you like to enhance your Linux security? Do you wonder what factors should be considered when evaluating your open source security from both the infrastructure and the application perspectives? Are you keen to learn the Ubuntu security team's approach? I've learned that CVE patching is indeed an important piece of the puzzle, but without a structured approach, professional tools and well-defined processes in place, your Linux environment will not be secure.
What do Linux security experts say?
I was inspired by all these questions during the Open Source Security Summit, which was followed by the Linux Security Summit. I really enjoyed a week full of keynotes, workshops and meaningful conversations, so much so that I noted down in my notebook some really good quotes about Linux security. For instance, Kelly Hammond from Intel opened her keynote by saying that “security is like doing the laundry or the dishes – it’s never done”.
Linux security is more complicated than fixing CVEs
Fixing CVEs is a continuous job that all Linux security teams focus on. In his keynote, Greg Kroah-Hartman from the Linux Foundation looked at the problem from the kernel perspective. In his exact words, “CVEs mean nothing for the kernel”, because very few CVEs are ever assigned for kernel bugs. A stable Linux kernel receives 22-25 patches every day without any CVE process involved, so the fix for a security-relevant kernel bug usually lands as an ordinary stable patch rather than as a tracked CVE. Greg’s position on Linux security therefore comes down to always running the latest stable kernel rather than worrying about CVEs.
What is a CVE?
CVE (Common Vulnerabilities and Exposures) is a list of publicly known vulnerabilities, each with a unique identifier, maintained by MITRE, a not-for-profit organisation. Its goal is to make it easier to deal with cybersecurity threats by giving vendors, researchers and tools a common name for each issue. Anyone can request a CVE identifier; the request is then handled by a CVE Numbering Authority (CNA), typically the vendor or publisher of the affected product. As of today the CVE database consists of 127111 entries. The Ubuntu security team receives, reviews and prioritises multiple CVEs every day.
Security has multiple layers
From the security standpoint, Canonical (the publisher of Ubuntu) has two teams: the kernel team and the security team.
The Ubuntu Kernel team has multiple security-related initiatives, including:
- A short kernel release cycle, which is like a flu shot for the Ubuntu kernel: every 3 weeks, Canonical delivers the latest stable kernel with all security patches in place.
- Kernel Livepatch, a security-focused product which allows automatic patching of the kernel without reboots. It is free for personal use. For commercial use, it is part of the Ubuntu Advantage for Infrastructure.
The Ubuntu Security team has multiple initiatives including:
- Proactive security: the team examines source code to identify threats and problem patterns. For example, before any new package is added to the main Ubuntu repository, its source code needs to be signed off by the security team.
- CVE patching, which is done on multiple levels. As mentioned above, CVEs come from various sources, so first they need to be evaluated. Canonical is one of the most distributed companies in the world, so there is always someone ready to assess the threat. Each CVE is then prioritised according to the Ubuntu CVE Priority Descriptions, which rank issues from negligible through low, medium and high to critical.
Quantify your security score
According to Greg Kroah-Hartman from the Linux Foundation, “if you are not using a supported Linux distribution kernel, or a stable/longterm kernel, you have an insecure system”. Ubuntu users can benefit from Kernel Livepatch and 5 years of standard support for LTS releases, which can be extended to 10 years under ESM (Extended Security Maintenance). Both ESM and Kernel Livepatch are included in the Ubuntu Advantage for Infrastructure offering.
Ubuntu is built with security in mind, so the team evaluates the effectiveness of its security initiatives by defining and carefully monitoring security metrics. As mentioned earlier, security at Canonical is a 24/7 job. In the CVE context, we use a distributed team of security experts, structured processes and professional tools to prioritise each CVE. Our goal is to provide a patch for the most impactful security threats as quickly as possible. That is why, on average, a CVE of critical priority is patched in less than a day, and a CVE of high priority in less than a week.
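The prioritisation described under CVE patching above, combined with the response-time targets just stated, is exactly what an operations team should measure on its own side too: which open issues on the releases you run are the highest priority, and how long they have been open. The script below is an added example, not Canonical's tooling. It parses a simplified plain-text record format, loosely modelled on the Ubuntu CVE tracker's `release_package: status (note)` lines, ranks open items by Ubuntu priority and flags those that have exceeded a patch-time target. The CVE identifiers, package versions and records are constructed for the example, and the day thresholds for medium and low priority are assumptions; only the critical (one day) and high (one week) figures come from the post.

```python
"""Rank open CVE items by Ubuntu priority and flag overdue ones.

Added example. The record format is a simplified approximation of the
Ubuntu CVE tracker's text files; all records below are constructed and
the CVE identifiers and versions are synthetic.
"""
from dataclasses import dataclass, field
from datetime import date

# Ubuntu CVE priority scale, highest first.
PRIORITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "negligible": 4}

# Patch-time targets in days. Critical and high are the averages quoted in the
# post; medium and low are assumptions for this example. Negligible has none.
TARGET_DAYS = {"critical": 1, "high": 7, "medium": 30, "low": 90}

# Per-release states that need no further action versus those still open.
NO_ACTION_STATES = {"released", "not-affected", "DNE", "ignored"}
OPEN_STATES = {"needs-triage", "needed", "pending", "deferred"}
KNOWN_STATES = NO_ACTION_STATES | OPEN_STATES

# Constructed sample data (synthetic CVE ids and versions), two releases each.
SAMPLE_RECORDS = """\
Candidate: CVE-0000-0001
PublicDate: 2019-12-01
Priority: critical
bionic_linux: released (0.0.0-1.1)
xenial_linux: needed

Candidate: CVE-0000-0002
PublicDate: 2019-12-05
Priority: high
bionic_openssl: released (0.0.0-1.1)
xenial_openssl: pending

Candidate: CVE-0000-0003
PublicDate: 2019-11-20
Priority: low
bionic_bash: needs-triage
xenial_bash: not-affected
"""


@dataclass
class CveRecord:
    cve: str
    public_date: date
    priority: str
    # (release, source package) -> (state, note)
    status: dict = field(default_factory=dict)


@dataclass
class OpenItem:
    cve: str
    priority: str
    release: str
    package: str
    state: str
    age_days: int
    overdue: bool


def parse_records(text):
    """Split blank-line-separated records into CveRecord objects."""
    records = []
    for block in text.strip().split("\n\n"):
        fields, status = {}, {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            # "release_package: state (note)" lines carry per-release status.
            if "_" in key and value.split(" ", 1)[0] in KNOWN_STATES:
                release, pkg = key.split("_", 1)
                state, _, note = value.partition(" ")
                status[(release, pkg)] = (state, note.strip("()"))
            else:
                fields[key] = value
        records.append(CveRecord(
            cve=fields["Candidate"],
            public_date=date.fromisoformat(fields["PublicDate"]),
            priority=fields["Priority"].lower(),
            status=status,
        ))
    return records


def open_items(records, today, releases=None):
    """Return still-open (release, package) items, highest priority and oldest
    first, marking those older than the target for their priority as overdue.
    `today` is an ISO date string; `releases` optionally restricts the view to
    the releases you actually run."""
    today_d = date.fromisoformat(today)
    items = []
    for rec in records:
        for (release, pkg), (state, _note) in rec.status.items():
            if releases and release not in releases:
                continue
            if state in NO_ACTION_STATES:
                continue
            age = (today_d - rec.public_date).days
            target = TARGET_DAYS.get(rec.priority)
            overdue = target is not None and age > target
            items.append(OpenItem(rec.cve, rec.priority, release, pkg, state, age, overdue))
    items.sort(key=lambda i: (PRIORITY_RANK.get(i.priority, 99), -i.age_days))
    return items


if __name__ == "__main__":
    for item in open_items(parse_records(SAMPLE_RECORDS), today="2019-12-10"):
        flag = "OVERDUE" if item.overdue else "ok"
        print(f"{item.cve} {item.priority:9} {item.release}/{item.package}: "
              f"{item.state} ({item.age_days}d) {flag}")
```

Run as-is it lists the three open items in priority order; pass `releases={"bionic"}` to `open_items` to see only what matters on a single release. Because states such as `released` and `not-affected` are skipped, a fixed issue drops out of the report as soon as the status line changes, so the output is the work queue rather than the full history.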
If you’d like to learn more, check out our latest “Linux security with Ubuntu” webinar.