Re: Secure Kickstart Installation
From: Jon Hart (warchild_at_spoofed.org)
Date: 05/26/05
- Previous message: Mathieu KRETCHNER: "Re: Secure Kickstart Installation"
- In reply to: Mathieu KRETCHNER: "Re: Secure Kickstart Installation"
- Next in thread: antoine: "Re: Secure Kickstart Installation"
Date: Thu, 26 May 2005 16:51:32 -0400
To: Mathieu KRETCHNER <m.kretchner@siig.u-bordeaux.fr>

On Wed, May 25, 2005 at 10:02:52AM +0200, Mathieu KRETCHNER wrote:
> Hi,
>
> Me and my team have installed approximately all the packages. But we
> have chosen to configure only services that we need. So we can add
> services without new installation!
> For my own it's a political choice.

That will certainly work. But, I wouldn't advocate installing all of
the base/available services and just not enabling them. Sure, you
aren't running those services, but you still have all the files provided
with that package installed. This can make securing the system against
local attackers quite a bit more difficult.

The most common example I can think of is setuid/setgid files. Do you
really want unused setuid/setgid files lying around?

Potentially worse yet... You install service foobar at initial install
time but don't enable it. 6 months down the road you find a need for
foobar and fire it up. You are suddenly at risk of running
a 6-month-old foobar, which may or may not be a problem depending on
your security policies (i.e., how often you update).

Take your pick: security or convenience. Or try to find a happy medium.

My $0.02,

-jon
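
The setuid/setgid point in the reply above, as an added example that is not part of the original message: a shell function for an RPM-based system (such as one installed via Kickstart) that lists every setuid/setgid file together with the package that owns it, so files shipped by packages whose services were never enabled stand out. The function names `owner_of` and `audit_setid` are hypothetical, and the use of `rpm -qf` assumes an RPM package database is present.

```shell
#!/bin/sh
# Added example: inventory setuid/setgid files and the RPM package owning each.
# Function names are hypothetical; an RPM-based system is assumed.

# owner_of FILE: print the name of the package that owns FILE.
owner_of() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "(rpm not available)"
    elif pkg=$(rpm -qf --queryformat '%{NAME}\n' "$1" 2>/dev/null); then
        # A file can be owned by more than one package; report the first.
        printf '%s\n' "$pkg" | head -n 1
    else
        # rpm -qf exits non-zero when no package claims the file.
        echo "(unowned)"
    fi
}

# audit_setid [ROOT]: print "package<TAB>bits<TAB>path" for every regular
# file under ROOT (default /) with the setuid or setgid bit set, sorted by
# package. -xdev keeps find on one filesystem. Paths containing newlines
# are not handled.
audit_setid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        bits=""
        if [ -u "$f" ]; then bits="setuid"; fi
        if [ -g "$f" ]; then bits="${bits:+$bits+}setgid"; fi
        printf '%s\t%s\t%s\n' "$(owner_of "$f")" "$bits" "$f"
    done | sort
}

# When run as a script with a directory argument, audit that tree.
if [ "$#" -gt 0 ]; then
    audit_setid "$1"
fi
```

Comparing the package column against the services actually configured on the host shows which setuid/setgid files exist only because an unused package was installed.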