Re: Removing System Consoles from Fedora

Dave Feustel wrote:
[snip]
1. Machines do not have X installed and boot to run level 3

Having spent some time running X on OpenBSD, FreeBSD, Fedora, and now SUSE 11,
I am convinced that using X on any of these platforms enables exploits that
cannot be disabled.  You cannot have both security and X. Take your pick. I do
not log in as root in X for any reason since there are ways in X to listen in
on keyboard communications and capture passwords. So far as I have been able to
tell, this is not possible with non-X console I/O.

ANYTHING over the net can be hacked, given enough CPU cycles and time.
You can mitigate it requiring everything be heavily encrypted (including
X).  It's not perfect, but it's as close as you're going to get.  There
is such a thing as making a machine so secure it's unmanageable.

2. /etc/inittab modified to NOT spawn gettys on the VTs
3. /etc/inittab spawns serial port getty connected to a serial KVM
4. grub configured to also use the serial port for its console

This is in addition to them being in a cage with a deadbolt lock on the
door, and the cage being in a data center with physical access
restrictions, cardkey access and video surveillance.  Yes, it's a bit
onerous, but it is required.  Whether you think they're "good reasons"
is irrelevant.

I have read that Congress passed a law in 1995 mandating undetectable
hardware access to all computers connected to the internet.

The law, IIRC, was held unconstitutional and the US Attorney stated that
it was unenforceable anyway.  Subsequent laws may require it, but only
with a court order.  I'm not sure how the Patriot Act (what a joke)
affects this.  We don't care.  We're PCI-compliant.  If they want to see
our systems, they can get a court order and deal with our lawyers first.

I mean, jeeze!  Didn't we beat the Nazis some 65 years ago?
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                       rps2@xxxxxxxx -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-         The world is coming to an end ... SAVE YOUR FILES!!!       -
----------------------------------------------------------------------
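The console policy in items 2 through 4 above (no getty on the virtual terminals, one getty on the serial port behind the serial KVM, GRUB using the serial port as its console) is easy to get half-done, so an auditor wants a check rather than a memory of having edited the files. The script below is an added example and is not Rick's or Dave's configuration; it writes constructed "before" and "after" copies of a SysV-style /etc/inittab and a GRUB legacy grub.conf into a temporary directory and reports whether each one meets the policy. The file contents, the 9600 baud rate, ttyS0, and the /sbin/mingetty and /sbin/agetty paths are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example for this thread (not from the original mail): audit a
# SysV-style /etc/inittab and a GRUB legacy grub.conf for the console policy
# described above: no getty on the virtual terminals, a getty on the serial
# port cabled to the serial KVM, and GRUB plus the kernel using that port.
# Every file, path and value below is constructed for the demonstration.

WORK=$(mktemp -d)

# Constructed "before" inittab: stock layout with a getty on tty1..tty6.
BEFORE="$WORK/inittab.before"
cat > "$BEFORE" <<'EOF'
id:3:initdefault:
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
EOF

# Constructed "after" inittab: VT gettys commented out, serial getty added
# (agetty -L: local line, do not wait for carrier detect).
AFTER="$WORK/inittab.after"
cat > "$AFTER" <<'EOF'
id:3:initdefault:
# No login prompt on the virtual terminals
#1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6
# Login prompt only on the serial port attached to the serial KVM
S0:2345:respawn:/sbin/agetty -L 9600 ttyS0 vt100
EOF

# Constructed grub.conf: GRUB's own menu and the kernel console on ttyS0.
GRUB="$WORK/grub.conf"
cat > "$GRUB" <<'EOF'
serial --unit=0 --speed=9600
terminal --timeout=10 serial console
default=0
timeout=5
title Fedora
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda2 console=ttyS0,9600n8
        initrd /initrd.img
EOF

# Number of active (uncommented) respawn entries that run a getty on a VT.
count_vt_gettys() {
    grep -Ec '^[^#][^:]*:[0-9]*:respawn:.*getty.* tty[0-9]+' "$1"
}

# Number of active respawn entries that run a getty on a serial port.
count_serial_gettys() {
    grep -Ec '^[^#][^:]*:[0-9]*:respawn:.*getty.* ttyS[0-9]+' "$1"
}

# Inittab policy: zero VT gettys and at least one serial getty.
inittab_policy_ok() {
    [ "$(count_vt_gettys "$1")" -eq 0 ] && [ "$(count_serial_gettys "$1")" -ge 1 ]
}

# GRUB policy: a "serial" line, a "terminal" line that lists serial, and a
# kernel console= argument pointing at a serial port.
grub_policy_ok() {
    grep -Eq '^serial ' "$1" \
        && grep -Eq '^terminal .*serial' "$1" \
        && grep -Eq '^[[:space:]]*kernel .*console=ttyS[0-9]+' "$1"
}

# Report on each constructed file.
for f in "$BEFORE" "$AFTER"; do
    if inittab_policy_ok "$f"; then verdict=OK; else verdict=FAIL; fi
    echo "$f: $verdict (VT gettys: $(count_vt_gettys "$f"), serial gettys: $(count_serial_gettys "$f"))"
done
if grub_policy_ok "$GRUB"; then echo "$GRUB: OK"; else echo "$GRUB: FAIL"; fi
```

On a real host, point the three functions at /etc/inittab and /boot/grub/grub.conf instead of the constructed files. The check deliberately only looks at uncommented respawn lines, because a commented-out getty line is exactly what a correct edit leaves behind; it says nothing about whether init has been told to re-read the file, so run `telinit q` (or reboot) after editing and confirm with `ps` that no mingetty processes remain.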

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
