On Wed, 30 Aug 2000, Jason Jeremias wrote:
> Geoff,
>
> All i'm asking for is a "Console Server Install" installs only the
> basics not X,
> KDE, GNOME, let the user add to the installation, (add inn, openldap,
> postgres)
> heck even make them standard if you want. It would be easier for me to
> un install
> a few server services then what I have to do now.
>
> As for security. When selecting that option turn everything off by
> default. This
> might fit in nicely with the current security scripts in 7.1. I would
> like to see
> the default have nothing, make me turn it on if I want it. Instead of
> turning it
> on by default and then making the user find everything on and turn off
> the stuff
> they don't want.
>
> In this respect openbsd is superior to all linux distributions. Granted
> I don't
> expect Mandrake to become as secure as openbsd over night. But wouldn't
> it be a
> good idea to start the process. Mandrake could become the Easiest and
> the most
> Secure linux distribution.
>
> Just my two cents.
>
> -Jason
This is something I've wanted for a very long time. There's no sense in
having say apache turned on for next boot(chkconfig apache on/off).
But this simply doesn't do the trick if you want to truely have a secure
linux distro.
Most of the security comes down to configuration files.
Examples:
inetd.conf: everything should be commented out except maybe identd
httpd.conf: cgi, ssi , indexing, etc....... should all be commented out by
default.
If someone is going to run a webserver, they need to enable this themselves.
Though, we come at cross fire here since mandrake is aimed at the end-user,
and everything is supposed to work out of the box. So by disabling and
setting restrictive defaults we break that "out of the box" scheme.
Persoally I really don't care if it works out of the box, security is always
the first thing on my mind. But since this distro is aimed at end-users we
can not jail them and ask them to figure how to break loose. That defeats the
whole purpose of linux-mandrake(grrrrr hummmm GNU/linux : ) ).
So what to do ?
Sure we can always have hardening scripts like msec and B.U.S.(check it out
from the cvs), but that simply isn't it enough. A requirement on vendor side
to have a safe version roll out is needed. I propose a light-weight system
audit of linux-mandrake(configuration files), as well as things like having a
package to chroot bind and other daemons(it would be like the anon-ftp
package).
I also propose this big one.
Completely split up the distro.
inux-mandrake is aimed at desktop users right ?
So why on earth would an end-user need to run an MTA, httpd, name server,
etc..... ?
I propose having different downloads/cds.
Linux-Mandrake: Desktop
Linux-Mandrake: Server
And so on.........
I know this is a really rough scheme I've laid out. But deal with it : )
--
Bryan Paxton
Go to the room with the chair and wait for your life...