IIAB/Security: Difference between revisions

From OLPC
No edit summary
No edit summary
Line 3: Line 3:
* The following applies to CentOS-based XSCE school servers, towards downloading and semi-automatically installing recent security patches & updates, that is if you have a reasonably fast connection, and are willing to take risks with certain packages breaking.
* The following applies to CentOS-based XSCE school servers, towards downloading and semi-automatically installing recent security patches & updates, that is if you have a reasonably fast connection, and are willing to take risks with certain packages breaking.


* Run <code>[http://www.cyberciti.biz/faq/redhat-fedora-centos-linux-yum-installs-security-updates/ yum -y update --security]</code> if your system already has yum-security installed, typically via <code>[https://access.redhat.com/solutions/10021 yum install yum-security]</code>(this appears preinstalled within CentOS 7.x) Be warned that --security updates very few packages, and is not prompt about updating important security packages (administrators may prefer to run "yum update openssl" and similar frequently, to stay up-to-date with critical CentOS ESR packages, which the --security flag unfortunately doesn't quite do!)
* Run <code>[http://www.cyberciti.biz/faq/redhat-fedora-centos-linux-yum-installs-security-updates/ yum -y update --security]</code> if your system already has yum-security installed, typically via <code>[https://access.redhat.com/solutions/10021 yum install yum-security]</code>(this appears preinstalled within CentOS 7.x). Be warned that --security unfortunately updates very few packages, and is not prompt in updating (administrators may prefer to run "yum update openssl", "yum update openvpn" and similar frequently, to stay up-to-date with critical CentOS ESR packages/services).


* In the past we ran "yum -y update" but (arguably) that installs far too many untested and diverse updates/upgrades across the board, adding features not directly related to security. However this is still the way to go IF you want all packages updated (and are willing to face many unintended consequences, with a professional Linux administration staff!)
* In the past we ran "yum -y update" but (arguably) that installs far too many untested and diverse updates/upgrades across the board, adding features not directly related to security. However this is still the way to go IF you want ALL packages updated (and are willing to face many unintended consequences, with a professional Linux administration staff to recover!)


* If you notice Wikipedia-like item are no longer accessible from http://schoolserver.lan, try running the following as root:
* If you notice Wikipedia-like item are no longer accessible from http://schoolserver.lan, try running the following as root:
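Review bot: the revised second bullet still runs the link text into the parenthesis, "yum install yum-security]</code>(this appears preinstalled", so the rendered page reads "yum-security(this"; add a space after the closing </code>. The unchanged last bullet also still says "Wikipedia-like item are", which should be "items are".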

Revision as of 17:19, 31 August 2015

Some security tips that will become more professional as time goes on:

  • The following applies to CentOS-based XSCE school servers, for downloading and semi-automatically installing recent security patches & updates, provided you have a reasonably fast connection and are willing to take risks with certain packages breaking.
  • Run yum -y update --security if your system already has yum-security installed, typically via yum install yum-security (this appears preinstalled within CentOS 7.x). Be warned that --security unfortunately updates very few packages, and is not prompt in updating (administrators may prefer to run "yum update openssl", "yum update openvpn" and similar frequently, to stay up to date with critical CentOS ESR packages/services).
  • In the past we ran "yum -y update" but (arguably) that installs far too many untested and diverse updates/upgrades across the board, adding features not directly related to security. However, this is still the way to go IF you want ALL packages updated (and are willing to face many unintended consequences, with a professional Linux administration staff to recover!)
  • If you notice Wikipedia-like items are no longer accessible from http://schoolserver.lan, try running the following as root:
 xsce-make-kiwix-lib
 systemctl restart kiwix-serve
  • If ownCloud updates itself, users visiting http://schoolserver.lan/owncloud may face the error message "You don't have permission to access /owncloud on this server." Fix guideline forthcoming from Tim Moody.
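
The update routine from the list above, as an added example script (not part of the original wiki page or the XSCE project): it runs the --security update, updates a few packages by name, and reports which package versions changed so that any breakage can be traced. The package list, the DRY_RUN switch, the --kiwix argument and the function names are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki page. DRY_RUN=1 (the default) only prints
# the commands; run as root with DRY_RUN=0 to execute them.
DRY_RUN="${DRY_RUN:-1}"
# Packages updated by name because --security may lag; this list is an assumption.
CRITICAL_PKGS="${CRITICAL_PKGS:-openssl openvpn}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Write a sorted list of installed package versions to the file named in $1.
snapshot() {
    rpm -qa | sort > "$1"
}

# Print package versions present in the "after" list ($2) but not in "before" ($1).
changed_packages() {
    comm -13 "$1" "$2"
}

# Security-only update first, then the named packages one by one.
patch_server() {
    run yum -y update --security || return 1
    for pkg in $CRITICAL_PKGS; do
        run yum -y update "$pkg" || echo "WARN: update of $pkg failed" >&2
    done
}

# The page's fix for Kiwix content that is no longer served after an update.
repair_kiwix() {
    run xsce-make-kiwix-lib && run systemctl restart kiwix-serve
}

# Snapshot, patch, snapshot again, and list what changed (real runs only).
patch_run() {
    local before after
    before="$(mktemp)"; after="$(mktemp)"
    [ "$DRY_RUN" = "1" ] || snapshot "$before"
    patch_server || { rm -f "$before" "$after"; return 1; }
    [ "$DRY_RUN" = "1" ] || { snapshot "$after"; changed_packages "$before" "$after"; }
    rm -f "$before" "$after"
}

# Pass --kiwix to also run the Kiwix repair after patching.
if [ "${1:-}" = "--kiwix" ]; then patch_run && repair_kiwix; else patch_run; fi
```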