Dave Airlie wrote:


but why stop at the kernel? why not build your own glibc with NSS turned off? who needs name service switch on a firewall, who needs bash tab completion on a firewall... etc.. you are lulling yourself and your customers (more scary) into thinking that by you compiling a kernel you are making their system more secure whereas in fact you may be making their system less secure by not allowing them to install vendor supplied security updates... this is the fact that you're missing, and which you don't seem to want to get, .. it's not so bad for you but I would feel bad for anyone who you push this advice on...

does anyone recompile Cisco PIX? or Solaris kernels? do they have worse
security? (well Cisco PIX is probably a crappy example ;-), say IOS
instead)



Let me make this clear once more:

The reason for re-compiling is to implement one of the many Generic Security Policies,
namely:

Include only those OS components that are required. There are scores of rationales for this.

I had 12 or so Cisco PIX firewalls in my company when my family and I controlled a privately
owned company. Incidentally, we sold the majority of our shares. So, I know about PIX firewalls
and the handling, licensing, and warranties that go with them. I know because I did most of the work,
like setting the policies for ALL network security of that network, including those on the PIX and
all other kinds of Cisco routers and servers. I know because I participated hands-on in the
audit of the implementation of these policies and re-configured if required.

The same principle applies to Solaris. The licensing, handling, and warranties with Solaris
are different from those of Linux.
-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html