Well, having a server you can't log onto is certainly one way to make it "secure", I suppose.....not connecting it to a network is another...:-)
DJ
Kohrs, Steven wrote:
On Mon, 2004-08-02 at 11:29, Ferguson, Neale wrote:
Paper: Achieving CAPP/EAL3+ Security Certification for Linux See: http://www-124.ibm.com/linux/presentations/ols2004/sec-cert-OLS_04.pdf
I tried 'securing' a server by following the recommendations associated with this paper. Basically, it works great for an idle server. The second I installed any sort of application (IHS or WebSphere) and tried to use the server for a purpose, all Hell broke loose.
Auditing filled /var and I couldn't even log in to fix the problem.
I couldn't stop the audit module because the audit, laus, and pam-laus pieces are so intertwined.
I could only log in, after a reboot, if I stop and restarted the ssh daemon.
A simple ulimit -n 2048 wasn't authorized anymore.
If I was more fluent in PAMense, I might have gotten around these issues, but the EAL3+ specifications are so strict that I don't see how any server can be expected to be used in a production environment. I had to add 20+ packages to the package.tolerated list so I could install application software or manage the server. For example, LVM is not allowed and we depend greatly on that for managing our DASD.
---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
-- Dave Jones V/Soft Software Houston, TX 281.578.7544
---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
