Hi,

This is really not the forum to debate such advice. But the general theory is to basically decrease the attack surface for bad guys.

On Thursday 10 July 2008 14:13:13 Bill Nottingham wrote:
> - disabling pam_console handling of DRI devices, which has the effect
>   of either:
>   - making the devices 0666
>   - crippling the X server

Which guide is doing anything with DRI devices?

> - removing module files shipped with the kernel to disable features,
>   which is an impressively hacky and bad way to do it (Maintaining lists
>   of modules to remove sounds like so much fun.)

There is no other way of ensuring wireless cannot be used. This is definitely hacky and I've asked for this to be made better. rm -rf is not acceptable as a long term solution.

> - decries IPv6 as being new and untested, when it predates the existence
>   of RHEL by 5+ years (and is actually pushed to be default in
>   RHEL by... government standard. ;) )

The problem is that many places do not need it. So, going with the theory of get rid of what you don't need, we have to show people how to disable it if not needed. If you had it disabled back when that IPv6 kernel flaw came along last year, you didn't have as much to worry about. This is what it's all about.

> - has contradictory guidelines on the same page about yum
> - describes kudzu as allowing hardware configuration by unprivileged users

What they are talking about is that some hardware may not be desired to be enabled. The thought was that kudzu can do some things that may suddenly cause the hardware to be enabled. Generally govt standards do not like hot plug anything because it could be a way to get info in or out of a network. Or perhaps enable a buggy driver that has a root hole.

> None of these things fall under 'sensible', and it makes me rather
> skeptical as to the guidelines' overall quality when I read this.

The bottom line is that we need to work more on making the distro lockdown friendly.

-Steve

_______________________________________________
rhelv5-list mailing list
https://www.redhat.com/mailman/listinfo/rhelv5-list
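The thread objects to deleting kernel module files (the "rm -rf" approach) as a way to keep wireless or IPv6 off. The script below is an added example, not code from the thread or from the guide under discussion: it shows the conventional alternative of disabling modules through a modprobe configuration fragment, which survives kernel updates, can be audited with grep, and is reversible. The module names (iwl3945, ath5k) are illustrative placeholders, the directory is parameterised so the functions can be exercised against a scratch directory, and the RHEL5-era IPv6 lines (`alias net-pf-10 off`, `options ipv6 disable=1`) are assumed to match that release's module-init-tools; check them against your own system before relying on them.

```shell
#!/bin/sh
# Added example: disable unwanted kernel modules via modprobe configuration
# instead of deleting the module files shipped with the kernel.
# Assumption: module names below are illustrative; the config directory is a
# parameter so the functions can be run against a temporary directory offline.

# Write a fragment that neutralises each named module by mapping its load to
# /bin/true.  An "install" rule also defeats an explicit "modprobe <mod>",
# whereas a bare "blacklist" line only stops alias-based autoloading.
write_module_block() {
    dir=$1; shift
    out="$dir/local-disabled.conf"
    : > "$out"
    for m in "$@"; do
        printf 'install %s /bin/true\n' "$m" >> "$out"
    done
    printf '%s\n' "$out"
}

# Write the IPv6 disable fragment (assumed RHEL5-era syntax): stop the
# PF_INET6 alias from pulling the module in, and tell the module, if it is
# loaded anyway, to leave the protocol disabled.
write_ipv6_block() {
    dir=$1
    out="$dir/local-ipv6.conf"
    {
        printf 'alias net-pf-10 off\n'
        printf 'options ipv6 disable=1\n'
    } > "$out"
    printf '%s\n' "$out"
}

# Audit helper: succeed (exit 0) if some *.conf in the directory blocks the
# module with an install rule.  Auditing a text file is the advantage over
# rm -rf: the policy is visible rather than inferred from missing files.
module_is_blocked() {
    dir=$1; mod=$2
    grep -qsE "^install[[:space:]]+$mod[[:space:]]+/bin/(true|false)([[:space:]]|$)" "$dir"/*.conf
}

# Audit helper for the IPv6 policy: both lines must be present.
ipv6_is_blocked() {
    dir=$1
    grep -qsE '^alias[[:space:]]+net-pf-10[[:space:]]+off' "$dir"/*.conf &&
    grep -qsE '^options[[:space:]]+ipv6[[:space:]]+disable=1' "$dir"/*.conf
}

# Live check (only meaningful on a real host): report modules that are
# blocked on disk yet still resident, e.g. loaded before the policy landed.
report_loaded_blocked() {
    dir=$1; shift
    for m in "$@"; do
        if module_is_blocked "$dir" "$m" && lsmod 2>/dev/null | awk '{print $1}' | grep -qx "$m"; then
            printf 'WARNING: %s is blocked in %s but currently loaded\n' "$m" "$dir"
        fi
    done
}

# Demonstration against a scratch directory so it can run without root.
demo_dir=$(mktemp -d)
write_module_block "$demo_dir" iwl3945 ath5k >/dev/null
write_ipv6_block "$demo_dir" >/dev/null
report_loaded_blocked "$demo_dir" iwl3945 ath5k
rm -rf "$demo_dir"
```

To apply it for real, run `write_module_block /etc/modprobe.d <modules>` and `write_ipv6_block /etc/modprobe.d` as root, then confirm with `module_is_blocked /etc/modprobe.d <module>`; modules already resident stay loaded until the next boot, which is what `report_loaded_blocked` flags.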
