
Re: [tlug] Auto-detect



Quoth Stephen J. Turnbull:

>>>>>> "Josh" == Josh Glover <tlug@example.com> writes:
>
>     Josh> As far as I am concerned, having no net-facing services on
>     Josh> is the *only* secure-out-of-the-box step that distros can
>     Josh> reasonably take.
>
> 1.  Make it hard to turn on insecure services (telnet, ftpd).

Gentoo kind of succeeds here, as telnetd and ftpd are both xinetd services, so
you have to remember how to turn them on... :) Installing them, however, *does
not* turn them on, A Good Thing(TM).

> 2.  Provide secure settings when people decide to turn them on
>     (no anonftp by default).

Gentoo is OK here.

> 3.  Provide sane configurations for secure services (ssh) by
>     default so they work out of the box, and people are less tempted
>     to use the insecure ones.

Gentoo is OK here.

> 4.  Install some basic security tools by default (logcheck, for example).

Nope.

> 5.  For services with multiple implementations, provide simple,
>     relatively secure implementations (postfix vs sendmail, vftpd vs
>     wu-ftpd) by default, with locked-down configurations.

Gentoo succeeds admirably here, as the virtual/mta dependency is filled by
ssmtp by default, an MTA that can only send mail and *does not* run as a
daemon.

> 6.  Provide a working, locked-down firewall configuration by default.

Nope.

> 7.  Don't allow root to have a password less than 38 characters long,
>     all of them 3-finger-chords.  ;-)

Gentoo actually runs distributed-crackd for 48 hours on the world's largest
cluster before accepting a root password. D:IAALB[1]

> 8.  Don't allow root to send mail or browse the web.  ;-)

Gentoo actually requires that you hook a USB cattle prod to your head while
logged in as root or using sudo; all mistakes and/or acts of stupidity
result in a "mild" electrical correction. D:IAALB[1]

> etc.  I could go on, but I'm getting silly.

You ain't the only one! ;)

-Josh "Saw a Gentoo penguin at the zoo this week-end!" Glover

[1] Disclaimer: I Am A Lying Bastard

-- 
Josh Glover

GPG keyID 0xDE8A3103 (C3E4 FA9E 1E07 BBDB 6D8B  07AB 2BF1 67A1 DE8A 3103)
gpg --keyserver pgp.mit.edu --recv-keys DE8A3103
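The point about xinetd-managed telnetd/ftpd being installed but not turned on can be checked rather than remembered. The following is an added example, not code from the thread or from Gentoo: a POSIX sh audit that reads xinetd.d-style service files and lists the ones xinetd would actually start. The sample service files are constructed in a temp directory for demonstration; point `list_enabled_services` at `/etc/xinetd.d` on a real host.

```shell
#!/bin/sh
# Added example: audit xinetd service files for net-facing services that
# are switched on. xinetd starts a service unless its block contains
# "disable = yes". Caveat: the global "disabled = ..." list in xinetd.conf
# is not consulted here, so treat the output as "enabled per service file".

xinetd_service_enabled() {
    # $1: path to one xinetd service file. Returns 0 if xinetd would
    # start it, 1 if the file disables it.
    if grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"; then
        return 1
    fi
    return 0
}

list_enabled_services() {
    # $1: directory of xinetd service files (e.g. /etc/xinetd.d).
    # Prints one enabled service name per line.
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if xinetd_service_enabled "$f"; then
            basename "$f"
        fi
    done
}

make_sample_dir() {
    # Constructed sample files mimicking /etc/xinetd.d: telnet left
    # disabled (the secure install default), ftp explicitly enabled.
    d=$(mktemp -d)
    cat > "$d/telnet" <<'EOF'
service telnet
{
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    disable     = yes
}
EOF
    cat > "$d/ftp" <<'EOF'
service ftp
{
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/vsftpd
    disable     = no
}
EOF
    echo "$d"
}
```

Running `list_enabled_services "$(make_sample_dir)"` prints only `ftp`; anything it prints on a real box is a service listening on the network that you chose, or forgot you chose, to turn on.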

