Removing System Consoles from Fedora

Dave Feustel dfeustel at mindspring.com
Tue Sep 16 18:11:57 UTC 2008


On Tue, Sep 16, 2008 at 10:20:06AM -0700, Rick Stevens wrote:
> Lyvim Xaphir wrote:
>> On Tue, 2008-09-16 at 09:34 -0430, Patrick O'Callaghan wrote:
>>> On Tue, 2008-09-16 at 09:11 -0400, Mike Burger wrote:
>>>> As I said...I don't agree with it...I'm just saying that I understand
>>>> the thinking behind it.
>>> Sorry, but I think you don't. You might want to read Alan Cox's message
>>> on the fedora-test list:
>>> https://www.redhat.com/archives/fedora-test-list/2008-September/msg00314.html which indicates that the motivation is much more to do with cleaning up code and APIs. In fact security isn't mentioned.
>>>
>>> poc
>>>
>>
>>
>> It's still a stupid idea.  There's no good reason to get rid of the vt
>> consoles; they've been there for a very long time on rh, I use them all
>> the time.  As do a lot of other people.  As one other user pointed out
>> on the link that *you provided, the lack of vt consoles is the number
>> one problem with another distro, according to its users.
>
> There are reasons for disabling consoles, however the term "good" is
> subjective.  For example, PCI compliance says that you must render the
> machines as physically difficult to get into as you can.  We, for
> example, do the following:
>
> 1. Machines do not have X installed and boot to run level 3

Having spent some time running X on OpenBSD, FreeBSD, Fedora, and now SUSE 11,
I am convinced that using X on any of these platforms enables exploits that
cannot be disabled.  You cannot have both security and X. Take your pick. I do
not log in as root in X for any reason since there are ways in X to listen in
on keyboard communications and capture passwords. So far as I have been able to
tell, this is not possible with non-X console io.

> 2. /etc/inittab modified to NOT spawn gettys on the VTs
> 3. /etc/inittab spawns serial port getty connected to a serial KVM
> 4. grub configured to also use the serial port for its console
>
> This is in addition to them being in cage with a deadbolt lock on the
> door, and the cage being in a data center with physical access
> restrictions, cardkey access and video surveillance.  Yes, it's a bit
> onerous, but it is required.  Whether you think they're "good reasons"
> is irrelevant.

I have read that Congress passed a law in 1995 mandating undetectable
hardware access to all computers connected to the internet.
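The four steps Rick lists, written out as the configuration they imply (an added example, not text from any poster; the SysV inittab and GRUB legacy syntax are those Fedora used at the time, while the serial port, speed and root= value are assumed placeholders to be matched to the actual serial KVM):

```text
# /etc/inittab (SysV init) -- excerpt, added example
# Step 1: default to run level 3 (multi-user, no X started)
id:3:initdefault:

# Step 2: the six virtual-console gettys are commented out, so no login
# prompt is ever offered on tty1..tty6 at the physical keyboard
#1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6

# Step 3: one getty on the serial port wired to the serial KVM
# (ttyS0 and 9600 8N1 are assumed values; -L means a local line
# without modem control)
S0:2345:respawn:/sbin/agetty -L 9600 ttyS0 vt100

# Note: ttyS0 must also be listed in /etc/securetty or root cannot
# log in on that line at all.

# /boot/grub/grub.conf (GRUB legacy) -- excerpt, added example
# Step 4: the boot menu and kernel messages also go to the serial port,
# with console=tty0 kept so the last console= (ttyS0) is the primary one
serial --unit=0 --speed=9600 --word=8 --parity=no --stop=1
terminal --timeout=5 serial console
title Fedora
        root (hd0,0)
        kernel /vmlinuz ro root=ROOT_DEVICE_PLACEHOLDER console=tty0 console=ttyS0,9600
        initrd /initrd.img
```

After a reboot, `who` or `ps` should show agetty only on ttyS0 and no mingetty processes; a keyboard plugged into the box then gets a blank console and nothing to log in to.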
More information about the fedora-list mailing list