Newsweek featuring Linux

George Toft plug-discuss@lists.plug.phoenix.az.us
Tue, 04 Mar 2003 08:27:48 -0500


"der.hans" wrote:
>
> On 26 Feb 2003, George Toft chatted thus:
>
> > <computer security rant>
> > And this is one reason hand editing config files is considered a
> > computer security risk.  My typo adversely affected the availability of
> > their web site to their customers.  Tools that have been certified to
> > produce correct, consistent results are much better.  Of course, most
> > Unix admins shudder at the thought of using GUI tools.
> > </computer security rant>
>
> Bah! GUI tools still suck :)
>
> In this case, what you needed was a decent format for the config file, a
> good lint tool and some QA.
>
> <rant type="computer" topic="security">
> GUI tools fsck up all the time! If you don't know how things're supposed to
> work and don't check them, then you don't know if they're working properly.
>
> The real solution is having good testing suites and practices.
> </rant>
>
> ciao,
>
> der.hans
> --

Key word in my statement was "certified tool" - anyone can write a
crappy tool that botches things up.  I used to think like you do.  In my
CISSP studies, and working Computer Security for the last year and a
half, let me tell you, this is the prevailing thought in the computer
Security field.  It's covered under the Clark-Wilson Security Model.  I
have seen the benefits of that model.

Which reminds me of a story you will appreciate: a clicker I know (an NT
guy) made some edits using vi to /etc/system (Solaris 2.6 boxes).  Upon
rebooting, things went really bad.  The problem was he fat-fingered the
parameters on both boxes in different places.  First box was up 3 hours
later.  Second box was up 5 hours later.  A certified tool would have
prevented this several hour outage to a production system.  So would
making a backup copy of /etc/system, but that's another story.

George
--
Discover . . .         | Free Computer Security Information
        <···> Secure   | http://www.georgetoft.com/security
         Networking    |
@http://georgetoft.com | Lock your box - keep your affairs private!