On Tue, Sep 16, 2008 at 10:20:06AM -0700, Rick Stevens wrote:
> Lyvim Xaphir wrote:
>> On Tue, 2008-09-16 at 09:34 -0430, Patrick O'Callaghan wrote:
>>> On Tue, 2008-09-16 at 09:11 -0400, Mike Burger wrote:
>>>> As I said...I don't agree with it...I'm just saying that I understand
>>>> the thinking behind it.
>>> Sorry, but I think you don't. You might want to read Alan Cox's message
>>> on the fedora-test list:
>>> https://www.redhat.com/archives/fedora-test-list/2008-September/msg00314.html
>>> which indicates that the motivation is much more to do with cleaning up
>>> code and APIs. In fact security isn't mentioned.
>>>
>>> poc
>>>
>>
>> It's still a stupid idea. There's no good reason to get rid of the vt
>> consoles; they've been there for a very long time on rh, I use them all
>> the time. As do a lot of other people. As one other user pointed out
>> on the link that *you provided, the lack of vt consoles is the number
>> one problem with another distro, according to its users.
>
> There are reasons for disabling consoles, however the term "good" is
> subjective. For example, PCI compliance says that you must render the
> machines as physically difficult to get into as you can. We, for
> example, do the following:
>
> 1. Machines do not have X installed and boot to run level 3

Having spent some time running X on OpenBSD, FreeBSD, Fedora, and now
SUSE 11, I am convinced that using X on any of these platforms enables
exploits that cannot be disabled. You cannot have both security and X.
Take your pick. I do not log in as root in X for any reason since there
are ways in X to listen in on keyboard communications and capture
passwords. So far as I have been able to tell, this is not possible with
non-X console I/O.

> 2. /etc/inittab modified to NOT spawn gettys on the VTs
> 3. /etc/inittab spawns serial port getty connected to a serial KVM
> 4. grub configured to also use the serial port for its console
>
> This is in addition to them being in a cage with a deadbolt lock on the
> door, and the cage being in a data center with physical access
> restrictions, cardkey access and video surveillance. Yes, it's a bit
> onerous, but it is required. Whether you think they're "good reasons"
> is irrelevant.

I have read that Congress passed a law in 1995 mandating undetectable
hardware access to all computers connected to the internet.

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
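The console lockdown Rick lists (default runlevel 3, no gettys on the VTs, a getty on the serial port, grub using the serial port as its console) is shown below as SysV-era /etc/inittab and grub.conf fragments together with a small audit that checks a box actually has them in place. This is an added example, not code from the thread or from Fedora; the file contents are constructed samples, and the serial device (ttyS0), speed (9600 baud) and paths are assumptions.

```shell
#!/bin/sh
# Added example: audit a SysV-style /etc/inittab and a grub.conf for the
# console lockdown described in the thread. All file contents below are
# constructed samples, not copied from any real host.

# Constructed sample: /etc/inittab after the lockdown.
INITTAB_HARDENED='id:3:initdefault:
# VT gettys disabled: no login prompt on Alt-F1..F6
#1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
# getty on the serial port that the serial KVM is attached to
S0:2345:respawn:/sbin/agetty -L 9600 ttyS0 vt100'

# Constructed sample: a default inittab that still spawns VT gettys.
INITTAB_DEFAULT='id:5:initdefault:
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2'

# Constructed sample: grub.conf that also talks to the serial port.
GRUB_HARDENED='serial --unit=0 --speed=9600
terminal --timeout=10 serial console
title Fedora
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/sda2 console=tty0 console=ttyS0,9600n8
        initrd /initrd.img'

# active_lines TEXT: drop comment lines so commented-out gettys do not count
active_lines() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#'
}

# audit_inittab TEXT: returns 0 if runlevel 3, no VT getty, serial getty present
audit_inittab() {
    _ok=0
    if ! printf '%s\n' "$1" | grep -Eq '^id:3:initdefault:'; then
        echo "FAIL: default runlevel is not 3"
        _ok=1
    fi
    # a respawned getty on tty1..tty9 means a VT login prompt still exists
    if active_lines "$1" | grep -Eq 'respawn:.*getty.*[[:space:]]tty[0-9]'; then
        echo "FAIL: a getty is still spawned on a virtual terminal"
        _ok=1
    fi
    if ! active_lines "$1" | grep -Eq 'respawn:.*getty.*[[:space:]]ttyS[0-9]'; then
        echo "FAIL: no getty on a serial port"
        _ok=1
    fi
    return $_ok
}

# audit_grub TEXT: returns 0 if grub and the kernel both use a serial console
audit_grub() {
    _ok=0
    if ! printf '%s\n' "$1" | grep -Eq '^serial '; then
        echo "FAIL: grub.conf has no 'serial' line"
        _ok=1
    fi
    if ! printf '%s\n' "$1" | grep -Eq '^terminal .*serial'; then
        echo "FAIL: grub terminal does not include serial"
        _ok=1
    fi
    if ! printf '%s\n' "$1" | grep -Eq 'kernel .*console=ttyS[0-9]'; then
        echo "FAIL: kernel command line has no console=ttyS* entry"
        _ok=1
    fi
    return $_ok
}

# Usage on the constructed samples.
audit_inittab "$INITTAB_HARDENED" && echo "inittab (hardened): lockdown in place"
audit_inittab "$INITTAB_DEFAULT"  || echo "inittab (default): lockdown NOT in place"
audit_grub "$GRUB_HARDENED"       && echo "grub.conf (hardened): serial console configured"
```

On a real host the same functions can be fed the live files with `audit_inittab "$(cat /etc/inittab)"` and `audit_grub "$(cat /boot/grub/grub.conf)"`; keeping the VT getty lines commented rather than deleted makes it easy to restore a local console later without re-typing them.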