Request for Review - Fedora Security Basics

Paul W. Frields stickster at gmail.com
Mon Oct 10 12:12:44 UTC 2005


On Mon, 2005-10-10 at 19:34 +1000, SEKINE tatz Tatsuo wrote:
> From: Felipe Alfaro Solana <felipe.alfaro at gmail.com>
> Date: Mon, 10 Oct 2005 11:02:45 +0200
> 
> > I agree that having physical access to the machine could make it easy for
> > an intruder to get into it, but sometimes the intruder has limited
> > physical access, that is, the intruder can't steal the hard drive or
> > the machine, only sit at the keyboard, restart the machine into
> > single-user mode and reset the root password (and yes, I know we can
> > use a GRUB password).
> 
> If the GRUB password isn't used to protect the machine, the
> boot parameter is editable.
> 
> In that case, the intruder can alternate the "init" program with
> /bin/sh, putting "init=/bin/sh" into the boot parameter.  It
> means that a modified /etc/inittab cannot protect the machine
> because the file is read by /sbin/init (the default "init"
> programme).

Right.  I think the point, Felipe, is that adding a password to
single-user mode gives the admin a *FALSE* sense of security.  If you
need that level of security, you need MORE than that amount of security,
if you get my meaning.  The only acceptable alternative is to physically
secure the machine.  This might be a locked room or a locked rack.  If
the security of a machine is a concern, no unauthorized person should be
able to just walk up to it and reboot it.

I would think, however, that this sort of topic, and additional security
measures, could and should be covered in a more comprehensive security
guide.  As Rahul mentioned, there is a Hardening Tutorial in CVS.  Maybe
you should offer to participate with the author to bring this document
up to snuff.  As I recall, no editor has yet stepped up to work on it.
Stuart has started some security material on the wiki as well.  Instead
of having several efforts floating around in various forms, maybe the
three of you (Stuart, Felipe, and Charles Heselton, author of the
hardening tutorial) can put your heads *together* and work on something
more comprehensive!  Three heads are better than one, and all that...

-- 
Paul W. Frields, RHCE                          http://paul.frields.org/
  gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233  5906 ACDB C937 BD11 3717
 Fedora Documentation Project: http://fedora.redhat.com/projects/docs/
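An added example, not part of the original message or of any Fedora document: a shell audit for the gap described in this thread, where a single-user-mode password is set in /etc/inittab while the boot parameters remain editable. It assumes GRUB legacy syntax (a global `password` line before the first `title`) and the `sulogin` inittab entry as the single-user password mechanism; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GRUB legacy grub.conf syntax
# and the sulogin inittab line as the single-user password mechanism.

# Succeeds if a "password" directive sits in the global section of grub.conf,
# i.e. before the first "title". Only the global directive disables the
# interactive entry editor and command line; per-entry ones are not counted.
grub_has_global_password() {
    awk '
        /^[ \t]*#/                  { next }
        /^[ \t]*title([ \t]|$)/     { exit }
        /^[ \t]*password([ \t=]|$)/ { found = 1; exit }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Succeeds if an uncommented inittab entry runs sulogin for runlevel S,
# e.g. "~~:S:wait:/sbin/sulogin" (fields are id:runlevels:action:process).
inittab_has_sulogin() {
    grep -Eq '^[^#:]*:[^:]*S[^:]*:[^:]*:.*sulogin' "$1"
}

# Usage: assess_console_boot GRUB_CONF INITTAB
# Prints one verdict:
#   bootloader-locked  boot parameters need the GRUB password to edit
#   false-sense        sulogin is set, but init=/bin/sh never reads inittab
#   unprotected        neither control is configured
assess_console_boot() {
    if grub_has_global_password "$1"; then
        echo "bootloader-locked"
    elif inittab_has_sulogin "$2"; then
        echo "false-sense"
    else
        echo "unprotected"
    fi
}

# Constructed sample files: sulogin enabled, no GRUB password.
demo() {
    d=$(mktemp -d) || return 1
    printf 'default=0\ntimeout=5\ntitle Fedora Core\n\tkernel /vmlinuz ro\n' > "$d/grub.conf"
    printf 'id:3:initdefault:\n~~:S:wait:/sbin/sulogin\n' > "$d/inittab"
    assess_console_boot "$d/grub.conf" "$d/inittab"
    rm -rf "$d"
}
demo
```

A "bootloader-locked" verdict covers only boot-parameter editing at the console; the physical-access point made in the message above still applies.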