[Fedora] Seeing input on Securing the Linux system from intrusions and attacks.

John Summerfield debian at herakles.homelinux.org
Mon Dec 31 05:31:25 UTC 2007 

Les Mikesell wrote:

> 
> With cars, you are required to select a subset of the available choices 
> before you make the purchase.  With software, especially free software, 
> there is no reason you can't have all the choices available all the time 
> and just run what you need.  But I don't think anyone needs programs 
> with known security vulnerabilities so they can all be fixed in the 
> standard distribution.
> 
>> I would expect RHSL to have more emphasis on keeping the bastards out 
>> and detecting their efforts to subvert the security measures, and 
>> maybe some self-repair.
> 
> But aren't those things all available as standard packages?

They are available in most general-purpose distros, yes. Maximally 
secure, no.


> 
>> Running a secure server as a virtual server implies you _can_ check it 
>> with a trusted Linux - the host. Or another guest. Installing a 
>> service would imply all appropriate support packages - 
>> sendmail+spamassassin+mimedefang, and guidance on getting them up and 
>> running securely.
> 
> Yes, I'd like to see mimedefang packaged with a standard configuration, 
> but it isn't horrible to set up.
> 
>> A default install would have the minimum required to boot and install 
>> other stuff, a GUI would be optional on a server (if provided). 
>> selinux would be enforcing, and maybe not able to be turned off 
>> without a reboot. Filesystems might be encrypted by default.
> 
> I don't think you need a separate distribution for that - and forcing a 
> user to pick the packages to install is probably the worst mistake 
> security-wise since most users have no idea about what they need.  What 
> I've always wanted to see is a configuration management scheme where 
> anyone could 'publish' a complete list of packages and config changes 
> they used to set up a machine for certain purposes and anyone else could 
> clone that exact setup (with local adjustment for hostnames and 
> addresses, of course), and then track the updates of the master machine 
> automatically.  Then you could simply let an expert take care of your 
> choices with no extra effort on either side.
> 

RHSL would be targeted at organisations where security is the most 
important consideration. Believe that security requirements at national 
law enforcement and national intelligence agencies are more stringent 
than you or I could possibly want. Penetration of ASIS or ASIO for 
Australia, MI5 or MI6 for .uk, CIA for USA has implications for national 
security. Penetration of a major bank could have consequences for 
national and maybe international economies, just look at the problems a 
few maybe-defaulting loans are causing in USA and elsewhere - heck it's 
cost me a few thou.


-- 

Cheers
John

-- spambait
1aaaaaaa at coco.merseine.nu  Z1aaaaaaa at coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

More information about the fedora-list mailing list