<quote who="O Plameras"> > Jeff Waugh wrote: > > ><quote who="O Plameras"> > > > >>In security terms, one size fits all is a poor security policy. > > > >Real security is not taught or defined in platitudes. > > So, what is it ? If one cannot define what he wants how can he achieve it > ? What is the yardstick for measuring success ?
You're not defining what you want here, you're using airy-fairy "rules" to argue a point that quite a number of experienced admins on this list have attempted to correct in various ways. Security is a very hard problem. Understanding how to achieve it in practice is not helped by throwing around generic platitudes as rationale, ignoring the input of experienced admins here, and not asking questions in the face of obvious disagreement. In *theory*, it is correct to say that reducing risk by limiting the number of 'moving parts' in a system is a good thing. In *practice*, this should not impact on your decision to always build kernels, or worse, apply it in such a general statement as "building kernels is required for securing servers". Now, you could make the argument that monolithic kernels are more secure than modular kernels, and I know quite a few admins who stand by this due to bad experiences. But, in almost all cases they use the kernel source provided by their distributor and update as soon as their distributor sends security announcements, etc. But these are specific cases, with good rationale in theory *and* practice. Security is hard. Generalising on the theory and applying it haphazardly to what you do in practice is *dangerous*, and I hope we've illustrated why always building your own kernels for your servers introduces more risk than it mitigates. - Jeff -- linux.conf.au 2005: Canberra, Australia http://lca2005.linux.org.au/ "Not a lot of brothers there." - Jamie Foxx on Australia -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
