http://qa.mandrakesoft.com/show_bug.cgi?id=3789
[EMAIL PROTECTED] changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |NEW
Ever Confirmed| |1
------- Additional Comments From [EMAIL PROTECTED] 2003-25-06 20:27 -------
No, I ignored your point. It was a reply to comment 1 "The
tuning of a *nix system is very complicated"; msec can be tuned using draksec/
drakperm.
As for the question tree, I mostly agree. I disagree with calling it a question
tree. I do not like to fill out a questionnaire and even though you say "small
number of questions" I hope you do mean 5 questions maximum.
Msec should find out most stuff on its own. Example: When someone installs
Mandrake with Apache, it should increase security. Someone might not want to
have that security increased; IMO that is too bad. As long as you can fine-tune
it later, it should only provide sane defaults. When configuring a firewall, it
should see Apache is running and ensure port 80 will be reachable as a default.
confirming
------- Reminder: -------
assigned_to: [EMAIL PROTECTED]
status: NEW
creation_date:
description:
I have a problem with the notion that system security is so simple it can be
described by a single number, 0 - 5.
I run my desktop machine heavily as a single user in an apartment where I live
alone, and I run the machine as a web server.
Level 4 won't let me run my server, but level 5 does all sorts of bad things to
me as a user! Msec wants to time out my terminal sessions as though somebody
were going to walk by and see some vital information. It locks my primary user
out of vital services. It won't let me log in as root. (granted, some of these
are just bugs in the ability to re-configure the settings, but they're wrong to
begin with).
I propose that you re-think your security criteria. As a suggestion, consider
asking several questions, such as:
Degree of access to console:
(1 person, a few trusted people, a few untrustworthy people, anybody)
Internet exposure
(none, behind a firewall, direct)
Servers
(none, or list)
Importance of info
(unimportant, personal, highly desirable financial records...)
Some options shouldn't be possible: for example, a machine containing personal
information shouldn't have its console available to just anybody.
Based on a small number of questions, a reasonable security scheme can be worked
out. But I don't think a few "security levels" can capture the complexity of
the problem.
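The proposal above can be read as a small rule engine: a handful of answers drive the individual settings (idle timeout, root login, open firewall ports), and some answer combinations are rejected outright. The following is an added illustration of that idea and is not msec's code or anything from Mandrake; the answer vocabularies, the server-to-port table and the derived settings are assumptions chosen to mirror the four questions and the "personal data with a public console" constraint stated in the description.

```python
"""Derive a per-machine hardening profile from a few questions.

Added illustration of the proposal in the bug description; not msec's code.
The question vocabularies, the SERVER_PORTS table and the derived settings
are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List

# Answer vocabularies, one per question in the proposal (assumed names).
CONSOLE = ("one_person", "trusted_few", "untrusted_few", "anybody")
EXPOSURE = ("none", "firewalled", "direct")
IMPORTANCE = ("unimportant", "personal", "financial")

# Assumed mapping from installed server to the port it must be reachable on.
SERVER_PORTS = {"apache": 80, "sshd": 22, "postfix": 25}


@dataclass
class Answers:
    console: str
    exposure: str
    servers: List[str]
    importance: str


@dataclass
class Profile:
    shell_timeout_s: int   # 0 means "never time out idle terminal sessions"
    root_login: bool       # may root log in directly on the console?
    open_ports: List[int]  # ports the firewall must leave reachable


def validate(a: Answers) -> List[str]:
    """Return the reasons an answer set is unacceptable; empty list means OK.

    Encodes the constraint from the proposal: a machine holding personal or
    financial data must not have its console available to just anybody.
    """
    problems = []
    if a.console not in CONSOLE:
        problems.append(f"unknown console answer {a.console!r}")
    if a.exposure not in EXPOSURE:
        problems.append(f"unknown exposure answer {a.exposure!r}")
    if a.importance not in IMPORTANCE:
        problems.append(f"unknown importance answer {a.importance!r}")
    for s in a.servers:
        if s not in SERVER_PORTS:
            problems.append(f"unknown server {s!r}")
    if a.importance != "unimportant" and a.console == "anybody":
        problems.append("sensitive data on a machine whose console is open to anybody")
    return problems


def derive(a: Answers) -> Profile:
    """Turn validated answers into concrete settings (assumed policy)."""
    problems = validate(a)
    if problems:
        raise ValueError("; ".join(problems))

    # An idle-session timeout only buys anything if someone else can reach
    # the console; a single user living alone gets none at all.
    timeout = {"one_person": 0, "trusted_few": 900,
               "untrusted_few": 300, "anybody": 120}[a.console]

    # Direct root login is tolerable only with a trusted console and no
    # financial records on the box.
    root_login = a.console in ("one_person", "trusted_few") and a.importance != "financial"

    # Firewall: when the machine is network-exposed, open exactly the ports
    # the listed servers need (e.g. Apache -> 80), nothing else.
    if a.exposure == "none":
        ports: List[int] = []
    else:
        ports = sorted({SERVER_PORTS[s] for s in a.servers})

    return Profile(shell_timeout_s=timeout, root_login=root_login, open_ports=ports)


if __name__ == "__main__":
    # The reporter's own situation: one user, direct exposure, Apache, personal data.
    print(derive(Answers("one_person", "direct", ["apache"], "personal")))
```

For the reporter's setup this yields no terminal timeout, root login allowed and port 80 open, which is what the description asks for; answering "anybody" for console access on a machine with personal data raises instead of silently picking a level.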