> The reason for re-compiling is to implement one of the many Generic Security
> Policies, namely:
>
> Include only those OS components that are required. There are scores of
> rationales for this.

Why do you not apply this to Solaris then? Or glibc components of Linux? The kernel is not the be-all and end-all, so the sense of implementing your above "generic" policy implies that you must then customise every component of the OS, not just the kernel. Finishing at the kernel implies that you don't fully practice your beliefs and so place your customer in further danger.

Also, getting into the habit of applying the same hammer to every nail (i.e. generic policies) leads to complacency: you don't learn anything new as you are sure your list of policies is of course going to cover everything. So you have to weigh up when to apply the policies in every situation you encounter, and what I'm (and Jeff previously) trying to point out is that applying the aforementioned policy of removing pieces of the OS to every situation may in fact make security worse in certain situations, so it should not be stated as a statement of fact that can be applied absolutely...

> The same principle applies to Solaris. The licensing, handling, and warranties
> with Solaris are different from Linux.

Not really. If someone breaks into your system, Sun ain't gonna do anything more than Redhat or Novell, so the licensing/handling/warranties are nothing to do with the situation, so there isn't any further need to mention them...

(apologies to the list, it's Friday and my kernel/mplayer compiles on a 433PIII are giving me loads of time :-)

Dave.

--
David Airlie, Software Engineer
http://www.skynet.ie/~airlied / airlied at skynet.ie
pam_smb / Linux DECstation / Linux VAX / ILUG person