kelsey hudson wrote:
> James G. Sack (jim) wrote:
>> I haven't come to grips with SELinux yet (though I suspect I
>> eventually will), but I heartily concur with the statement about root.
>
> I don't. I'm a seasoned systems admin, and I log in as root. I always
> have. I always will. SELinux may be great for some things, for the
> ultra-paranoid, and the necessity for things to be ultra-secure, but
> honestly, in the real world 99% of the functionality just isn't needed
> if you set your system up properly, with sane configurations and an
> appropriate firewalling scheme.
>
>> Sample argument: I have finally come to appreciate the value of the
>> /var/log/secure in documenting system changes. Real Soon Now (tm), I'm
>> going to get these records into a database, so that I won't be so
>> upset next time I have to undo or redo something (like reconfigure
>> after an upgrade).
>> Uhhh, (confession) I still use a root shell, but just for looking at
>> stuff -- I swear!
>
> I use mine for configuration, viewing log files, editing files owned by
> root, etc. I can't be bothered to type 'sudo blah' before every command
> I intend to execute as root (the main reason is that I despise entering
> my password -- sure, you can configure ... NOPASSWD: ALL in
> /etc/sudoers, but come on, how *insecure* is that?!)

I wasn't so much talking about security as I was talking about having
important operations logged -- well, maybe I do, in fact, appreciate
some shoot-yourself-in-the-foot protection, but that's really a
different subject (re: which I was expecting some I-told-you-so's).
Moreover, I was welcoming the benefits of such logging for
personal-system (often inexperienced) administrators.

I don't know if it's going to prove out or not, but I _do_ want to try
to capture useful history into a database. .. Wish me well.
Regards,
..jim
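One way to get the sudo records from /var/log/secure into a database, as discussed in the thread above (an added example, not code from either poster). It assumes the classic one-line sudo syslog format; the table name `sudo_log`, the function names and the sample lines are made up for illustration.

```python
import re
import sqlite3

# Constructed sample lines in the format sudo writes via syslog to
# /var/log/secure; host, users and commands are invented.
SAMPLE = """\
Mar  3 14:22:01 box sudo:      jim : TTY=pts/0 ; PWD=/home/jim ; USER=root ; COMMAND=/usr/bin/vi /etc/fstab
Mar  3 14:25:40 box sshd[2211]: Accepted publickey for jim from 192.0.2.10 port 50514 ssh2
Mar  3 14:31:09 box sudo:      jim : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/sbin/service httpd restart
Mar  4 09:02:17 box sudo:   kelsey : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/cat /var/log/messages
"""

# Assumption: any text between "user :" and "TTY=" (e.g. "3 incorrect
# password attempts") means the command was refused, not executed.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<who>\S+) : (?:(?P<note>[^;=]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; USER=(?P<runas>\S+) ; "
    r"COMMAND=(?P<cmd>.*)$"
)

def parse(text):
    """Yield one dict per sudo record; every other log line is skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["ok"] = 0 if rec.pop("note") else 1
            yield rec

def load(db, text):
    """Insert sudo records; the UNIQUE key makes re-loading a log harmless."""
    db.execute("CREATE TABLE IF NOT EXISTS sudo_log (ts TEXT, host TEXT, "
               "who TEXT, tty TEXT, pwd TEXT, runas TEXT, cmd TEXT, "
               "ok INTEGER, UNIQUE(ts, host, who, cmd))")
    db.executemany("INSERT OR IGNORE INTO sudo_log VALUES "
                   "(:ts, :host, :who, :tty, :pwd, :runas, :cmd, :ok)",
                   list(parse(text)))
    db.commit()

def history(db, needle):
    """Executed commands mentioning `needle`, in the order they were logged."""
    return db.execute("SELECT ts, who, cmd FROM sudo_log WHERE ok = 1 "
                      "AND cmd LIKE ? ORDER BY rowid", (f"%{needle}%",)).fetchall()

if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")
    load(conn, SAMPLE)
    print(history(conn, "/etc/"))
```

Commands typed in an interactive root shell never reach this table, since sudo logs only the command it was asked to run.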