Re: CDE Without ToolTalk?

From: George Capehart (gwc@capehassoc.com)
Date: 09/07/02


Date: Sat, 07 Sep 2002 17:41:30 -0400
From: George Capehart <gwc@capehassoc.com>
To: cjclark@alum.mit.edu


"Crist J. Clark" wrote:
>
> Does anyone have a reference on how to lock down CDE?

Yes. Don't install the X Window system . . . *grin*

Seriously, though, in some shops, servers are headless and administered
remotely via ssh or locally over the serial port. It's been a couple of
years since I actually had my hands on a Sun box, but at that time,
there was nothing that necessitated an admin needing CDE to administer
the box . . . If you need multiple sessions there are a couple of ways
to accomplish that:

 o most of the *sh family support putting processes in the background
and then recalling them

 o emacs - there have been days in which I started emacs and then didn't
leave it until I logged out to go home

 o screen - supports multiple virtual terminals

> When asked to
> "harden" a Sun server, one of the first things to do is go through
> inetd.conf and take everything out but the basics, or even better, not
> run inetd at all.
>
> But the admins really don't like that since it breaks CDE. I don't
> like being stuck at the console prompt with one shell either. I
> wouldn't think it would be a lot to ask to just have a windowing
> environment so we can have multiple ttys going at once, but not have
> all of the extra network services like the dreaded ToolTalk server.

There are some serious InfoSec types (and *all* BOFHs) who would
seriously question the level of expertise of a sysadmin who would whine
about not being able to administer a server without a GUI. See the
above comments about ways to have multiple things/virtual
terminals/shells. I've really got to wonder whether these guys really
know their way around . . . That may sound harsh, but it's true.

>
> Is there a way to get CDE going? It bails out for me once it finds it
> can't start up ToolTalk. Am I stuck going to a different windowing
> system (isn't Openwin deprecated these days?)?
>
> (I think this has been covered before here, but SecurityFocus's search
> page keeps telling me the server is too busy, and I haven't had any
> luck Googling. Thanks.)
> --
> Crist J. Clark | cjclark@alum.mit.edu
> | cjclark@jhu.edu
> http://people.freebsd.org/~cjc/ | cjc@freebsd.org

--
George W. Capehart

Capehart Associates LLC    Phone: +1 704.678.1660
1604 Nottingham Drive      Fax:   +1 704.853.2624
Gastonia, NC 28054

"We did a risk management review. We concluded that there was no risk of any management." -- Dilbert
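
The inetd.conf review mentioned in the quoted question, as an added example that is not part of the original message: a shell function that lists every active entry not on an allowlist, so CDE-related services such as the ToolTalk database server stand out. The sample file is constructed, the field layout assumes the Solaris inetd.conf format, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list enabled inetd.conf entries that are not on an allowlist.
# Assumed field layout (Solaris inetd.conf):
#   service  endpoint-type  protocol  wait-status  uid  server-program  args...

# audit_inetd FILE "allowed1 allowed2 ..."
# Prints "service<TAB>server-program" for every active (uncommented) entry
# whose service name is not in the allowlist. An empty allowlist flags all.
audit_inetd() {
    awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }   # commented out or blank: not active
        NF < 6 { printf "malformed\t%s\n", $0; next }
        !($1 in ok) { printf "%s\t%s\n", $1, $6 }
    ' "$1"
}

# count_unexpected FILE "allowlist" -> number of entries left to review
count_unexpected() {
    audit_inetd "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample input, not taken from a real host.
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample inetd.conf
ftp      stream tcp6    nowait root /usr/sbin/in.ftpd           in.ftpd
#telnet  stream tcp6    nowait root /usr/sbin/in.telnetd        in.telnetd
100083/1 tli    rpc/tcp wait   root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
dtspc    stream tcp     nowait root /usr/dt/bin/dtspcd          /usr/dt/bin/dtspcd
time     stream tcp6    nowait root internal
EOF
}

# Demo run: with an empty allowlist, every active service is reported.
demo_file=$(mktemp)
sample_inetd_conf > "$demo_file"
audit_inetd "$demo_file" ""
rm -f "$demo_file"
```

On a real host, point `audit_inetd` at `/etc/inet/inetd.conf` and pass the short list of services the site has decided to keep.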


