Removing System Consoles from Fedora

Dave Feustel dfeustel at mindspring.com
Wed Sep 17 02:30:49 UTC 2008


On Tue, Sep 16, 2008 at 05:50:18PM -0700, Rick Stevens wrote:
> Dave Feustel wrote:
> [snip]
>>> 1. Machines do not have X installed and boot to run level 3

I did not write the above point 1.
I did write the following:

>> Having spent some time running X on OpenBSD, FreeBSD, Fedora, and now SUSE 11,
>> I am convinced that using X on any of these platforms enables exploits that
>> cannot be disabled.  You cannot have both security and X. Take your pick. I do
>> not log in as root in X for any reason since there are ways in X to listen in
>> on keyboard communications and capture passwords. So far as I have been able to
>> tell, this is not possible with non-X console io.
>
> ANYTHING over the net can be hacked, given enough CPU cycles and time.
> You can mitigate it requiring everything be heavily encrypted (including
> X).  It's not perfect, but it's as close as you're going to get.  There
> is such a thing as making a machine so secure it's unmanageable.

I did not write the following:

>>> 2. /etc/inittab modified to NOT spawn gettys on the VTs
>>> 3. /etc/inittab spawns serial port getty connected to a serial KVM
>>> 4. grub configured to also use the serial port for its console
>>>
>>> This is in addition to them being in cage with a deadbolt lock on the
>>> door, and the cage being in a data center with physical access
>>> restrictions, cardkey access and video surveillance.  Yes, it's a bit
>>> onerous, but it is required.  Whether you think they're "good reasons"
>>> is irrelevant.
>>
>> I have read that Congress passed a law in 1995 mandating undetectable
>> hardware access to all computers connected to the internet.
>
> The law, IIRC, was held unconstitutional and the US Attorney stated that
> it was unenforceable anyway.  Subsequent laws may require it, but only
> with a court order.  I'm not sure how the Patriot Act (what a joke)
> affects this.  We don't care.  We're PCI-compliant.  If they want to see
> our systems, they can get a court order and deal with our lawyers first.
>
> I mean, jeeze!  Didn't we beat the Nazis some 65 years ago?

Actually, the Allies defeated Germany in the war, but the German Nazis migrated
to America. Google "operation paperclip" and/or read the book _Rise of the 4th
Reich_ by Jim Marrs.
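
Added example, not part of the original message: a shell audit for points 2 to 4 of the quoted list (no gettys on the VTs, a getty on the serial port, grub on the serial console). It assumes a sysvinit-style /etc/inittab and a GRUB legacy grub.conf; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Audit copies of inittab and grub.conf for the console lockdown described above.

# Active (uncommented) inittab entries that spawn a getty on a virtual terminal.
vt_gettys() {
    grep -v '^[[:space:]]*#' "$1" | grep -E 'getty.*[[:space:]]tty[0-9]+([[:space:]]|$)' || true
}

# Active inittab entries that spawn a getty on a serial port (ttyS*).
serial_gettys() {
    grep -v '^[[:space:]]*#' "$1" | grep -E 'getty.*[[:space:]]ttyS[0-9]+([[:space:]]|$)' || true
}

# Succeeds if grub.conf sets up the serial port and routes its terminal to it.
grub_serial() {
    grep -Eq '^[[:space:]]*serial[[:space:]]' "$1" &&
    grep -Eq '^[[:space:]]*terminal[[:space:]].*serial' "$1"
}

# usage: audit_console INITTAB GRUB_CONF ; returns 0 only if all three checks pass
audit_console() {
    rc=0
    if [ -n "$(vt_gettys "$1")" ]; then echo "FAIL: getty still spawned on a VT"; rc=1; fi
    if [ -z "$(serial_gettys "$1")" ]; then echo "FAIL: no getty on a serial port"; rc=1; fi
    if ! grub_serial "$2"; then echo "FAIL: grub is not using the serial console"; rc=1; fi
    return $rc
}

# Constructed sample files (not taken from any real system).
write_samples() {
    cat > "$1/inittab.default" <<'EOF'
id:3:initdefault:
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
EOF
    cat > "$1/inittab.hardened" <<'EOF'
id:3:initdefault:
#1:2345:respawn:/sbin/mingetty tty1
S0:2345:respawn:/sbin/agetty -L 115200 ttyS0 vt100
EOF
    cat > "$1/grub.conf" <<'EOF'
serial --unit=0 --speed=115200
terminal --timeout=5 serial console
EOF
}

d=$(mktemp -d); write_samples "$d"
audit_console "$d/inittab.default" "$d/grub.conf" || echo "default inittab fails the audit"
audit_console "$d/inittab.hardened" "$d/grub.conf" && echo "hardened inittab passes"
rm -rf "$d"
```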