James Carlson wrote:
> Nicolas Williams writes:
>> And no, you don't have to edit a database, at least not for the files
>> backend. You may have to edit /etc/security/policy.conf(4), but only
>> once. And even better, we may provide better interfaces for PAM
>> configuration than $EDITOR (kclient(1M) already does, imagine us
>> extending that into a single, simple utility).
>
> Neither policy.conf nor pam.conf (as far as I can tell) can be
> controlled centrally in any convenient way, so if I want to impose
> rules on a large organization, I have to choose among:
>
> - setting the file contents via jumpstart post-install
> - creating custom install media
> - telling all users how to become root and hack these files
> - going old-school with rdist as root
>
> I think that's the complaint -- having to change a file on every
> single machine, rather than having some central way to control policy.
+1 - I don't think that we stress this nearly enough - although this is
something that very much concerns most customers today who have more than
a handful of machines.

It still boggles my mind that we have not delivered something like this:

http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx

Note that this policy, once defined, can be applied to a network via the
Microsoft Group Policy functionality. JASS gave us a head start in the
1999 era (with being able to specify a policy), but today this continues
to be a huge gap IMHO.

With the emergence of SCAP (XCCDF, OVAL, et al.), we have a chance to
adopt an open-standards/open-source approach to this problem (at least
for the configuration auditing part of the problem):

http://nvd.nist.gov/scap.cfm

Just my devalued $0.02,

g