On Wed, Oct 04, 2000 at 02:32:42PM -0400, Kenneth E. Lussier wrote:
> If someone is spending a day or two to lock down a box, then they are
> either extremely inexperienced or their employer is paying them too
> much. I can lock down a Linux box, regardless of distribution, in under
> 10 minutes. Anyone that has been reading my posts over the last few
> years knows that I am a big fan of the Bastille project, as well as
> MedusaDS9. Both of those tools make hardening a system trivial. Not to
> mention that Bastille educates the user while they harden a box.

Not knowing what either of these tools is or does, it sounds like they help
you secure a box? I personally disagree with using 3rd party utils to help
you secure a box, and I think the reason is pretty obvious. While it may be
useful to the person just getting into security, it's not something I would
rely on, or trust for that matter.

> There is a simple point to all of this. Security is not something that
> you wake up one morning knowing. It is something that is a never ending
> learning process. If a manager or administrator puts someone in charge
> of a system that requires high levels of security, then they should find
> someone with experience. It is not the SysAdmin's fault that they were put
> in charge of a system and told to do something that they had no
> knowledge of. That blame should lie solely with the department head.

I disagree. We're not talking about a high-profile e-commerce site. We're
talking about a .edu (notorious for being wide open to exploits). Almost all
of the "Linux in 24 hours" books tell you the basics of security (i.e.
inetd.conf, anonymous ftp, etc). You don't need to be a security expert to
open up inetd.conf and disable what you don't need. You just need common sense
(hmm, I don't know what imapd is, so I probably won't be using it, so let's
disable it). It's as simple as that.

Also, no one forced him to be the admin of the box. Like I said, you think
someone down there would've been clued in the first time the box was rooted.

> It amuses me that people seem to think that security is something that
> you learn by reading a book or two. All of today's best practices will
> not help you tomorrow. Things change that fast. In my opinion, students
> do not have the time to keep up with their classes as it is. They should
> not be expected to keep up with network security on top of everything
> else. It is extremely time consuming and you can't take a day off from
> it.

Now we're to the point where it shouldn't be security, but common sense. I
still blame Red Hat for enabling everything by default.

> As for the names of the people who were responsible for the system in
> question, I find it disturbing that people on this list feel the need to
> name them. Not only is it not necessary, but it is unprofessional, and
> it could be detrimental to those people in the future. The mistakes that
> they may or may not have made as a college student doing work-study
> should not be dragged out in public.

Someone wrote me about this, and I apologized, because I figured it wasn't a big
deal, since their name was mentioned in the first post of this thread.

> I defy anyone to say that they have
> never made a mistake that had serious consequences.

I haven't.

-- 
Tony Lambiris [[EMAIL PROTECTED]]
OpenBSD: Because I care. [www.openbsd.org]
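The "open inetd.conf and disable what you don't need" step above, as an added example that is not part of this message or of any tool it mentions. It works on a constructed sample inetd.conf (not from any real host) and uses two hypothetical helper functions: `enabled_services` lists what inetd would actually start, and `harden_inetd_conf` comments out every enabled service that is not on an explicit allowlist, which is the "I don't know what imapd is, so let's disable it" rule turned into something you can review with diff before copying it into place.

```sh
#!/bin/sh
# Constructed sample inetd.conf (not from any real host): a handful of
# services a stock late-1990s distribution might ship enabled by default.
SAMPLE_INETD_CONF="${TMPDIR:-/tmp}/inetd.conf.sample.$$"
cat > "$SAMPLE_INETD_CONF" <<'EOF'
# inetd.conf  (constructed example)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
EOF

# enabled_services FILE
# Print the service name (first field) of every line inetd would act on:
# non-blank and not commented out. This is the "what am I exposing" audit.
enabled_services() {
    awk '!/^[ \t]*#/ && NF > 0 { print $1 }' "$1"
}

# harden_inetd_conf SRC DST "svc1 svc2 ..."
# Write a hardened copy of SRC to DST, commenting out every enabled service
# whose name is not in the space-separated allowlist. Nothing is deleted,
# so `diff SRC DST` shows exactly what changed and the edit is reversible.
harden_inetd_conf() {
    awk -v keep="$3" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { print; next }   # keep comments and blank lines
        ($1 in allow)          { print; next }   # explicitly wanted: keep
        { print "#" $0 }                         # everything else: disable
    ' "$1" > "$2"
}

# Stand-alone usage: show what the sample exposes, then the hardened result
# keeping only ftp. On a real system the output file would be reviewed,
# copied over /etc/inetd.conf, and inetd sent SIGHUP to reload it.
echo "Enabled before:"; enabled_services "$SAMPLE_INETD_CONF"
harden_inetd_conf "$SAMPLE_INETD_CONF" "$SAMPLE_INETD_CONF.hardened" "ftp"
echo "Enabled after:";  enabled_services "$SAMPLE_INETD_CONF.hardened"
```

An allowlist is deliberately used instead of a blocklist of "known bad" services: the point in the message is that you keep only what you know you need, so an unfamiliar entry is disabled by default rather than surviving because nobody recognised it.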

**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************