What if NO update, security or otherwise is ever installed? [duplicate]

Personally, I think that's a hard position to defend. Machines should periodically have security updates installed. This includes kernel security updates, which require reboots (unless you fancy living life on the edge with Ksplice).

He should be paying attention to the security flaws applicable to the platform as they emerge. Recently, notably, we've seen a number of privilege escalation bugs (which allow normal users to become root). There are in-the-wild exploits for at least one of these (albeit, I don't think it affects 12.04). There is a steady stream of bugs getting patched for lesser applications which fix remote code execution, DOS, priv escalation flaws, etc. There are plenty of attack vectors getting patched regularly.

That said; the final decision of whether or not to patch depends entirely on the context. If you're talking about an Internet-facing webserver, or end-user boxes, then your sysadmin is insane. If you're talking about a high-availability internal production system behind layers of network security in a trusted environment, then that's a little different, and your sysadmin may be being quite pragmatic.

I.e., if the main threat to the box is from its own employees, then is patching a few DOS holes really worth the downtime and risk to production stability? Probably not, no.

Of course, threats can get inside the network perimeter. But again, it depends on your network, your company, your setup... in many small companies, that may already be pretty much game over. The attacker may already have all the access he needs to access these boxes via passwords or keys stored elsewhere on the network, or via impersonation, sniffing, etc. In other words, patching a few holes on a couple of systems might be like starting to build a fence after the horses have bolted.

Bottom line: machines should really see security updates. It doesn't have to be a total unknown; test systems can be (and should be) brought up and upgraded in the same manner as a test-run prior to the event.

But don't ever forget that security is a balancing act. The totally secure system is one buried miles underground, with no connectivity, no power, and no data. If all you're protecting yourself from are a few trusted employees, then what's the point?
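An added example, not code from either answer: a small POSIX sh audit script that parses `apt-get -s dist-upgrade` output to list the pending updates coming from a `-security` pocket and checks Ubuntu's reboot-required marker (the kernel case the answer mentions). The sample apt output and its version numbers are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of either answer: a pre-patch audit for an
# Ubuntu box. It lists pending updates that come from a -security pocket
# and reports whether an already-installed kernel update still needs a reboot.
# Assumes the "Inst" line format of `apt-get -s dist-upgrade`, e.g.
#   Inst pkg [old-version] (new-version Ubuntu:12.04/precise-security [amd64])
# The [old-version] field is absent when the package is newly installed,
# which is how a new kernel image appears.

# Print "package old -> new" for every simulated install from a -security pocket.
security_updates() {
    awk '$1 == "Inst" && $0 ~ /-security/ {
        if ($3 ~ /^\[/) { old = $3; gsub(/^\[|\]$/, "", old); new = $4 }
        else            { old = "(new)";                      new = $3 }
        sub(/^\(/, "", new)
        print $2, old, "->", new
    }' "$1"
}

count_security_updates() {
    security_updates "$1" | wc -l | tr -d ' '
}

# update-notifier creates this file after a kernel (or other core) update
# that only takes effect on reboot; the path can be overridden for testing.
reboot_required() {
    [ -f "${1:-/var/run/reboot-required}" ]
}

# Constructed sample (versions are made up) used when no file is given;
# on a real host: apt-get -s dist-upgrade > /tmp/sim && sh audit.sh /tmp/sim
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Reading package lists...
Building dependency tree...
Inst linux-image-3.2.0-126-generic (3.2.0-126.169 Ubuntu:12.04/precise-security [amd64])
Inst libssl1.0.0 [1.0.1-4ubuntu5.5] (1.0.1-4ubuntu5.10 Ubuntu:12.04/precise-security [amd64])
Inst firefox [31.0+build1-0ubuntu0.12.04.1] (32.0+build1-0ubuntu0.12.04.1 Ubuntu:12.04/precise-updates [amd64])
Conf libssl1.0.0 (1.0.1-4ubuntu5.10 Ubuntu:12.04/precise-security [amd64])
EOF

INPUT=${1:-$SAMPLE}
echo "Pending security updates: $(count_security_updates "$INPUT")"
security_updates "$INPUT"
if reboot_required; then
    echo "A kernel/core update is installed but not active: reboot needed"
fi
```

The `firefox` line comes from `precise-updates`, not `precise-security`, so it is deliberately left out of the count.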


I have never faced a problem with Ubuntu 12.04 updates becoming unstable. If not updated, everything would run normally, but the bugs will never be fixed. Linux is quite secure but, like you said, needs security updates. There haven't been any attacks on Linux, but you should be safe anyway by installing anti-virus software. Again, I have never seen an update that makes LTS unstable; you can also choose what updates to install in the update manager.

I hope this helps.