review of hardening guide

tuxxer tuxxer at cox.net
Fri Apr 1 09:03:48 UTC 2005


On Thu, 2005-03-31 at 10:42 +0100, Stuart Ellis wrote:
> On Wed, 30 Mar 2005 22:17:12 -0800 (PST), "Rahul Sundaram"
> <rahulsundaram at yahoo.co.in> said:
> >
> > http://members.cox.net/tuxxer/ch-chapter2.html
> > 
> > Since this is out of scope for your document by your
> > own admission it would be better to just drop this.
> > Kernel recompilation or additional hardening is
> > unnecessary for the large majority of users and worse
> > gives the idea that the kernel requires active manual
> > intervention to make it secure.
> 
> I think that the main issue is that the specified audience ("all users")
> doesn't match up with the intent (a comprehensive security overview).  I
> don't see there's anything wrong with saying that it's a detailed guide
> for more advanced users, and leaving the basic security stuff for
> another doc - 1) don't mess with the defaults without a reason, 2) run
> updates, 3) there is no step 3 :)
> 
> 
> 
> --
> 
> Stuart Ellis
> 

Well, I think there is a little bit of both opinions here.  Maybe there
are some assumptions that I have made that would be beyond the most
basic user.  And I admit that this could be a failing of my writing.
I've been using Linux off and on since '97, so some assumptions I make
may be completely obscured to the most basic user.  While this document
isn't meant to be the end-all-be-all document to securing a Fedora
system, I think that it covers a fairly broad spectrum of potential
readers.  And, I think that it should serve as a guide to users who are
just beginning in Linux, and those who may be familiar with Linux, but
aren't aware of some of the security problems associated with it.

I can agree that, for the time being, the kernel hardening section could
probably be left out.  I do, however, believe that it has a place here,
and eventually would like to see it return to this document - or perhaps
be included in a larger scope, more detailed document that was perhaps
more of a collaboration.  I also think that before the kernel hardening
section returns that there should be a kernel compilation guide.

-Charlie
-- 
-tuxxer

gpg:  57EB F948 76AE 25BC E340  EFA9 FAF6 E1AC F1E1 1EA1