On 11/29/07, John H. Robinson, IV <[EMAIL PROTECTED]> wrote:
>
> Michael O'Keefe wrote:
>
> >> That user is exposed, nobody else is
> >
> >
> > local user access + local root exploit = remote root.
> >
> > So your problem is local root exploit
>
> Your password is exposed. Now J Random Script Kiddie can log in.
> Use that local root, and BAM remote root.
>
> The problem is not local root, it is remote root.
>
> > Fix the problem, don't hide it by making users change their passwd.
> > or do you trust your users to not use the root exploit, just becoz ...
>
> Do you follow BugTraq? VulnDev? Other security-focused mailing lists?
> Local escalations are not exactly rare. And they happened to exist
> _before_ they were discovered. Can you state that right now all of your
> systems have *no* privilege escalation vectors? (Obviously, things like
> su don't count as they are legitimate).
>
> Systems like LIDS and SELinux go a long way to mitigate. Are you using
> something like that and know (ie: have extensively tested) that it is
> set up properly?
>
> As I said in reply to Lan, I may be a bit more paranoid than others in
> this regard.
>

Well, in the land of government computing, I don't have much choice. I have to abide by NIST, GAO, and other groups' writs. My only hope is to understand the rationale behind them.

If you think your system can withstand someone with expert-level knowledge having unlimited time on a system undetected, then don't have password rules. A password that never changes means that once a user has been compromised, the person or persons that now have access to the system will never have to worry about detection, unless there is only one IP users should be coming from.

Most of my servers provide services; there are not a ton of users on them, and the users that exist are technical. If they have to write down passwords in obvious places, then they need to be fired, which of course is also dictated by the above organizations.

-- 
JD Runyan
-- [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
