
Re: Windows Server to Debian migration

also sprach Roberto C. Sanchez <roberto@familiasanchez.net> [2005.09.03.1502 +0200]:
> I don't use it in nearly such a tough environment, but everything I have
> seen/read about it leads me to believe that it can handle large setups
> very well.

I would talk to the alioth admins about it. Maybe I am just
incapable of administering OpenLDAP and they got the grips on the
server by now, but OpenLDAP to me is a synonym for grey hair and
raving fits of madness.

> > It's also *terribly* outdated, breaks some things when used
> > carelessly, and gives a wonderfully false sense of security. The
> > same applies to tiger/TARA, btw.
> > 
> Funny that you mention that.  I emailed Javier a while back
> because some of the changes effected by Bastille were undone when
> I upgraded my server from Woody to Sarge.  He said it needs to be
> updated to use the dpkg-statoverride, rather than just changing
> attributes of files without dpkg's knowledge.  Other than that,
> I found it a very helpful tool.

It is a helpful tool. The greatest mistakes you can make are to need
and to trust it. Go through the process, make conscious decisions,
but then, for every feature you turn on (or off), verify it
after the run, make sure you understand how it's done, and then
don't touch bastille again. Oh, and make sure you know what it's
talking about. Just clicking yes because a feature "sounds good" is
calling for trouble.

> Besides, your statement "breaks some things when used carelessly,
> and gives a wonderfully false sense of security" can be applied to
> *any* hardening tool or package.

Yes. That's why I strongly recommend not to use them.

> The fact is, that you can't expect to secure a system well with no
> knowledge of security.

Absolutely. And no tool can do it for you either.

Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
"whoever fights monsters should see to it that in the process he does
 not become a monster. and when you look into an abyss, the abyss also
 looks into you."
                                                 - friedrich nietzsche

Attachment: signature.asc
Description: Digital signature (GPG/PGP)
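
The check discussed in this message (verify each hardening change after the run, and see whether dpkg knows about it), as an added example that is not part of the original thread. The function names and the "MODE PATH" format of the expected list are hypothetical; it assumes GNU stat, paths without spaces, and a saved copy of `dpkg-statoverride --list` output.

```shell
#!/bin/sh
# audit_hardening EXPECTED OVERRIDES   (hypothetical helper, added example)
#   EXPECTED : lines "MODE PATH" you decided on during the hardening run
#   OVERRIDES: saved `dpkg-statoverride --list` output ("USER GROUP MODE PATH")
# Prints one verdict per path; exit status is the number of non-OK paths.
audit_hardening() (
    bad=0
    while read -r want path; do
        case $want in ''|\#*) continue ;; esac
        want=$(printf '%o' "0$want")           # normalise 0750 -> 750
        if [ ! -e "$path" ]; then
            echo "MISSING $path"; bad=$((bad + 1)); continue
        fi
        have=$(stat -c '%a' "$path")           # GNU stat, as on Debian
        owner=$(stat -c '%U %G' "$path")
        reg=$(awk -v p="$path" '$4 == p { print $3 }' "$2")
        [ -n "$reg" ] && reg=$(printf '%o' "0$reg")
        if [ "$have" != "$want" ]; then
            # The change is not in effect (never applied, or already reverted).
            echo "DRIFT $path is $have, wanted $want"; bad=$((bad + 1))
        elif [ "$reg" != "$want" ]; then
            # Mode is right today, but dpkg does not know about it: an upgrade
            # of the owning package will restore the packaged mode.
            echo "UNREGISTERED $path fix: dpkg-statoverride --update --add $owner $want $path"
            bad=$((bad + 1))
        else
            echo "OK $path"
        fi
    done < "$1"
    exit "$bad"
)

# Constructed demo: scratch files stand in for package-owned binaries.
demo() (
    d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
    touch "$d/a" "$d/b" "$d/c"
    chmod 750 "$d/a" "$d/b"; chmod 755 "$d/c"
    printf '0750 %s\n' "$d/a" "$d/b" "$d/c" > "$d/expected"
    printf 'root root 0750 %s\n' "$d/a" > "$d/overrides"   # constructed list
    audit_hardening "$d/expected" "$d/overrides" | sed "s|$d/||g"
)
demo
```

On a real system the second argument would come from `dpkg-statoverride --list > overrides.txt`, and an UNREGISTERED verdict only matters for files that belong to a package.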
