just in case you missed it

Blake Barnett plug-discuss@lists.PLUG.phoenix.az.us
Fri, 11 May 2001 10:11:50 -0700


apt-get install task-harden

Try it on sid... :)

* Blake

-----Original Message-----
From: der.hans [mailto:PLUGd@lufthans.com]
Sent: Wednesday, May 09, 2001 10:37 AM
To: plug-discuss@lists.PLUG.phoenix.az.us
Subject: RE: just in case you missed it


On 09 May 2001, Trent Shipley chattered thus:

> 1) Creating a custom install, and even more compiling a custom kernel have
> two major problems.

Compiling a custom kernel needs to be a thing of the past for the generic
public. It's getting there.

We, the Free Software/Open Source community, need to ensure that the 'custom
install' is available. Mandrake is working on that with their security
models. RedHat, via bastille and a couple of other things, is getting there.
Debian also has some harden scripts. Debian/Progeny has the best chance,
IMO, due to their long-standing dependency checking and their tasks.

apt-get install business-workstation
apt-get install secure-server
apt-get install secure-workstation

It's not there, but it can be.

Resolving the conflicts between #1 and #3 might be interesting...

> A) It takes a lot more training than required to secure a Windows box.
> 
> B) It takes more time than securing a Windows box (and securing a Windows
> machine takes quite long enough, thank you).

That's why we need hardening tasks that take care of most of it. It's also
why dists need to default to decent security, especially in regards to
network exploits. And, security updates have to be easy and as automagic as
practical.

> 2) It assumes that a minimal, targeted install is acceptable.  Note that
> this means that you have decided to use a computer as a secure data
> appliance.  It is no longer a proper general computer that can emulate any
> state or data processing machine.

Nah. I bet JLF's boxen are pretty secure. He seems to get work done on them.
Though I'm far from a security expert I think I've done a decent job with
the servers where I'm working and they're usable. Same with my workstation
and some of the other workstations there.

It's all about compromise. As we have better admin programs, however, the
line of the compromise can continue getting closer to Fort Knoxian security.

ciao,

der.hans
-- 
# der.hans@LuftHans.com home.pages.de/~lufthans/ www.YourCompanyHere.net ;-)
#  The only way for a woman to change a man
#  is if he's wearing Depends[TM] - der.hans

PLUG-discuss mailing list  -  PLUG-discuss@lists.PLUG.phoenix.az.us
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss