Removing System Consoles from Fedora

Rick Stevens ricks at nerd.com
Wed Sep 17 00:50:18 UTC 2008


Dave Feustel wrote:
[snip]
>> 1. Machines do not have X installed and boot to run level 3
> 
> Having spent some time running X on OpenBSD, FreeBSD, Fedora, and now SUSE 11,
> I am convinced that using X on any of these platforms enables exploits that
> cannot be disabled.  You cannot have both security and X. Take your pick. I do
> not log in as root in X for any reason since there are ways in X to listen in
> on keyboard communications and capture passwords. So far as I have been able to
> tell, this is not possible with non-X console io.

ANYTHING over the net can be hacked, given enough CPU cycles and time.
You can mitigate it by requiring everything be heavily encrypted (including
X).  It's not perfect, but it's as close as you're going to get.  There
is such a thing as making a machine so secure it's unmanageable.

>> 2. /etc/inittab modified to NOT spawn gettys on the VTs
>> 3. /etc/inittab spawns serial port getty connected to a serial KVM
>> 4. grub configured to also use the serial port for its console
>>
>> This is in addition to them being in cage with a deadbolt lock on the
>> door, and the cage being in a data center with physical access
>> restrictions, cardkey access and video surveillance.  Yes, it's a bit
>> onerous, but it is required.  Whether you think they're "good reasons"
>> is irrelevant.
> 
> I have read that Congress passed a law in 1995 mandating undetectable
> hardware access to all computers connected to the internet.

The law, IIRC, was held unconstitutional and the US Attorney stated that
it was unenforceable anyway.  Subsequent laws may require it, but only
with a court order.  I'm not sure how the Patriot Act (what a joke)
affects this.  We don't care.  We're PCI-compliant.  If they want to see
our systems, they can get a court order and deal with our lawyers first.

I mean, jeeze!  Didn't we beat the Nazis some 65 years ago?
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                       rps2 at nerd.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-         The world is coming to an end ... SAVE YOUR FILES!!!       -
----------------------------------------------------------------------
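The console-removal steps quoted above (no gettys on the VTs, a getty on the serial port, GRUB on the same serial port) as an added, runnable example; this is not code from either poster. It is a POSIX shell script that rewrites a copy of a SysV-init style /etc/inittab and prints the GRUB legacy lines for grub.conf. It assumes the 2008-era Fedora layout (mingetty entries of the form "1:2345:respawn:/sbin/mingetty tty1", agetty at /sbin/agetty, GRUB legacy); the device ttyS0, the 115200 baud rate and the inittab id "S0" are assumptions to adjust for your hardware. The demo at the end works on a constructed inittab in a temp directory and never touches /etc.

```shell
#!/bin/sh
# Added example (not from the original thread): move the login consoles of
# a SysV-init Fedora box from the virtual terminals to a serial port.
# Assumptions: inittab lines look like "1:2345:respawn:/sbin/mingetty tty1",
# agetty lives in /sbin, and the boot loader is GRUB legacy (grub.conf).
# Every function takes explicit file paths so it can be tried on a copy.

set -e

# Number of *active* (uncommented) VT getty lines in an inittab.
active_vt_gettys() {
    grep -c '^[^#].*/sbin/mingetty tty[0-9]' "$1" || true
}

# harden_inittab IN OUT [DEV] [SPEED]
# Writes OUT from IN with every VT mingetty line commented out and one
# serial getty appended.  The id field "S0" must not collide with an
# existing entry; -L tells agetty not to wait for carrier detect.
harden_inittab() {
    in=$1; out=$2; dev=${3:-ttyS0}; speed=${4:-115200}
    sed -e 's|^\([0-9]:[0-9]*:respawn:/sbin/mingetty tty[0-9][0-9]*\)$|#\1|' "$in" > "$out"
    printf 'S0:2345:respawn:/sbin/agetty -L %s %s vt100\n' "$speed" "$dev" >> "$out"
}

# grub_serial_lines [UNIT] [SPEED]
# Prints the two GRUB legacy directives that put the boot menu on the
# serial port (unit 0 = ttyS0) while still listening on the VGA console
# until one of the two sees a keypress.
grub_serial_lines() {
    unit=${1:-0}; speed=${2:-115200}
    printf 'serial --unit=%s --speed=%s --word=8 --parity=no --stop=1\n' "$unit" "$speed"
    printf 'terminal --timeout=10 serial console\n'
}

# Demo on a constructed inittab in a temp dir; never touches /etc.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/inittab" <<'EOF'
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
EOF
    harden_inittab "$tmp/inittab" "$tmp/inittab.new"
    echo "VT gettys before: $(active_vt_gettys "$tmp/inittab"), after: $(active_vt_gettys "$tmp/inittab.new")"
    echo "--- grub.conf serial header ---"
    grub_serial_lines
    rm -rf "$tmp"
}

demo
```

Two practical notes: the kernel line in grub.conf also needs console=ttyS0,115200 appended (matching the speed used here), otherwise boot messages and any emergency shell still land on the VGA console that you just stopped spawning a getty on; and after replacing /etc/inittab run "telinit q" so init rereads it, then verify over the serial KVM that the login prompt appears before you walk away from the cage.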

More information about the fedora-list mailing list