Feature Request "secure by default"

Alexander Boström abo at kth.se
Sun Jun 10 15:04:06 UTC 2007


Sun 2007-06-10 at 16:34 +0200, Andras Simon wrote:
> On 6/10/07, Rahul Sundaram <sundaram at fedoraproject.org> wrote:

> > IPv6 is not a daemon or service.
> 
> Right, but I think that it is relevant in a discussion about "secure
> by default". (I'd be more than happy to be corrected about this.)

I tried to remove the ipv6 module once and found that xinetd needed to
be reconfigured to use v4 instead. (It uses v4 "through" v6 by default,
I think.) There might be other similar cases. So it's not just a matter
of removing the module.

Might be doable though, but I won't do it because I want more v6, not
less. :)

> Since I disabled them after first boot, I can't name them all. But
> rpc, nfs, sendmail were definitely among them. Though they may have
> been hidden by the default firewall rules.

I agree/am of the opinion that the system should be designed as if the
firewall wasn't there. (Think multi-layer security.)

There's a thread about this on fedora-devel-list, with this in the
subject:

 too many deamons by default - F7 test 2 live cd

I don't think there was any agreement on which services could be
disabled by default, though. There's room for improvement here, though.

/abo



