Tony Lambiris wrote:
> Again, pointing out the obvious.
>
> Example: a new exploit comes out that writes a suid root shell to /tmp. First
> off, how many people create a separate tmp partition (I do)? And how many
> people set the /tmp partition NOSUID in their fstab (I do)? Of course, if
> Red Hat had not decided to include that service (or at least turned on by
> default), they would've spared a lot of headaches. Why spend a day or two
> locking down Red Hat, when you can install something like OpenBSD and have
> it secured in 2 minutes. It's inefficient.
If someone is spending a day or two to lock down a box, then they are
either extremely inexperienced or their employer is paying them too
much. I can lock down a Linux box, regardless of distribution, in under
10 minutes. Anyone that has been reading my posts over the last few
years knows that I am a big fan of the Bastille project, as well as
MedusaDS9. Both of those tools make hardening a system trivial. Not to
mention that Bastille educates the user while they harden a box.
There is a simple point to all of this. Security is not something that
you wake up one morning knowing. It is something that is a never-ending
learning process. If a manager or administrator puts someone in charge
of a system that requires high levels of security, then they should find
someone with experience. It is not the SysAdmin's fault that they were put
in charge of a system and told to do something that they had no
knowledge of. That blame should lay solely with the department head.
It amuses me that people seem to think that security is something that
you learn by reading a book or two. All of today's best practices will
not help you tomorrow. Things change that fast. In my opinion, students
do not have the time to keep up with their classes as it is. They should
not be expected to keep up with network security on top of everything
else. It is extremely time-consuming and you can't take a day off from
it.
As for the names of the people who were responsible for the system in
question, I find it disturbing that people on this list feel the need to
name them. Not only is it not necessary, but it is unprofessional, and
it could be detrimental to those people in the future. The mistakes that
they may or may not have made as a college student doing work-study
should not be dragged out in public. I defy anyone to say that they have
never made a mistake that had serious consequences.
Kenny
--
Kenny Lussier
Systems Administrator
Mission Critical Linux
***********************************************************
Life is a lesson, you learn it at the end
Reality has become increasingly less accurate
***********************************************************
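The nosuid /tmp mount Tony mentions can be checked mechanically. The script below is an added example, not code posted by anyone in this thread: it parses fstab-format lines (the same field layout /proc/mounts uses) for a given mount point and reports which of nosuid, nodev and noexec are absent, so it goes slightly beyond the post's nosuid alone. The fstab content embedded here is constructed sample data.

```shell
#!/bin/sh
# Constructed sample fstab content, used so the example runs offline.
SAMPLE_FSTAB='# <device>   <mount>   <type>  <options>              <dump> <pass>
/dev/sda1    /         ext4    defaults               1 1
/dev/sda3    /tmp      ext4    defaults,nosuid,nodev  1 2
/dev/sda4    /var/tmp  ext4    defaults               1 2
tmpfs        /dev/shm  tmpfs   defaults               0 0'

# mount_options FSTAB_TEXT MOUNTPOINT -> prints the options field of the
# first non-comment entry for MOUNTPOINT, or nothing if there is none.
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $0 !~ /^[[:space:]]*#/ && NF >= 4 && $2 == mp { print $4; exit }'
}

# has_option OPTIONS OPTION -> exit 0 when OPTION is in the comma list.
# Wrapping both sides in commas avoids matching "nosuid" inside "nosuidx".
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mount FSTAB_TEXT MOUNTPOINT -> prints the missing hardening options
# (space separated) and returns 0 only when none are missing. A mount point
# with no entry of its own shares its parent filesystem's options, so that
# case is reported separately and also counts as a failure.
check_mount() {
    opts=$(mount_options "$1" "$2")
    if [ -z "$opts" ]; then
        printf 'no separate entry\n'
        return 1
    fi
    missing=""
    for want in nosuid nodev noexec; do
        has_option "$opts" "$want" || missing="$missing $want"
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# On a live system: check_mount "$(cat /etc/fstab)" /tmp    (configured)
#                   check_mount "$(cat /proc/mounts)" /tmp  (actually mounted)
```

Checking /proc/mounts as well as /etc/fstab catches the case where the fstab entry is correct but the filesystem was remounted by hand without the options.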
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************