On Sat, Sep 03, 2005 at 03:32:21AM +0200, martin f krafft wrote: > also sprach Roberto C. Sanchez <roberto@familiasanchez.net> [2005.09.03.0311 +0200]: > > I seem to recall on an episode of MacGyver where MacGyver took > > some duck tape, > > Please watch your words! It would be more politically correct to use > the term "duct tape", rather than the brand name here. First of all, > duck tape didn't exist at the time when McGyver's hairdoo was only > beaten by that of the actors of Dallas, and second: some of us may > take personal offence at the thought of *ducks* being made into > *plastic strips*. > Yeah? Well I think you are biased because you go by madduck? Or maybe you are just mad :-) > > On to more serious responses. > > Uh, right... sorry. > > > OpenLDAP is your friend. > > It is? It's definitely my enemy. But we have come to good terms now > that I set cron to restart it every 4 hours to prevent it from > exploding and rendering our server useless until an administrator > could intervene. Okay, I am talking about several dozen of logins > per second (it's a cluster), but still... > I don't use it in nearly such touch environment, but everything I have seen/read about it leads me to believe that it can handle large setups very well. > > You want to look at the Bastille package. It will walk you > > through the hardening of your system in a tutorial fashion and > > explain at each step what it wants to do, why it wants to do it, > > and reasons why you may or may not want to deviate from the > > default. > > It's also *terribly* outdated, breaks some things when used > carelessly, and gives a wonderfully false sense of security. The > same applies to tiger/TARA, btw. > Funny that you mention that. I emailed Javier a while back because some of the changes effected by Bastille were undone when I upgraded my server from Woody to Sarge. He said it needs to be updated to use the dpkg-statoverride, rather than just changing attriutes of files without dpkg's knowledge. Other than that, I found it a very helpful tool. Besides, your statement "breaks some things when used carelessly, and gives a wonderfully false sense of security" can be applied to *any* hardening tool or package. The fact is, that you can't expect to secure a system well with no knowledge of escurity. > > Also, read the Securing Debian Manual: > > http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html > > It is a bit more general in nature, but has some good information. > > It is one of the best resources on Linux security out there. Javier, > you rock! > -Roberto -- Roberto C. Sanchez http://familiasanchez.net/~roberto
Attachment:
pgpWr7hIiC2TB.pgp
Description: PGP signature