Removing System Consoles from Fedora
Dave Feustel
dfeustel at mindspring.com
Wed Sep 17 02:30:49 UTC 2008
On Tue, Sep 16, 2008 at 05:50:18PM -0700, Rick Stevens wrote:
> Dave Feustel wrote:
> [snip]
>>> 1. Machines do not have X installed and boot to run level 3
I did not write the above point 1.
I did write the following:
>> Having spent some time running X on OpenBSD, FreeBSD, Fedora, and now SUSE 11,
>> I am convinced that using X on any of these platforms enables exploits that
>> cannot be disabled. You cannot have both security and X. Take your pick. I do
>> not log in as root in X for any reason since there are ways in X to listen in
>> on keyboard communications and capture passwords. So far as I have been able to
>> tell, this is not possible with non-X console io.
>
> ANYTHING over the net can be hacked, given enough CPU cycles and time.
> You can mitigate it requiring everything be heavily encrypted (including
> X). It's not perfect, but it's as close as you're going to get. There
> is such a thing as making a machine so secure it's unmanageable.
I did not write the following:
>>> 2. /etc/inittab modified to NOT spawn gettys on the VTs
>>> 3. /etc/inittab spawns serial port getty connected to a serial KVM
>>> 4. grub configured to also use the serial port for its console
>>>
>>> This is in addition to them being in cage with a deadbolt lock on the
>>> door, and the cage being in a data center with physical access
>>> restrictions, cardkey access and video surveillance. Yes, it's a bit
>>> onerous, but it is required. Whether you think they're "good reasons"
>>> is irrelevant.
>>
>> I have read that Congress passed a law in 1995 mandating undetectable
>> hardware access to all computers connected to the internet.
>
> The law, IIRC, was held unconstitutional and the US Attorney stated that
> it was unenforceable anyway. Subsequent laws may require it, but only
> with a court order. I'm not sure how the Patriot Act (what a joke)
> affects this. We don't care. We're PCI-compliant. If they want to see
> our systems, they can get a court order and deal with our lawyers first.
>
> I mean, jeeze! Didn't we beat the Nazis some 65 years ago?
Actually, the Allies defeated Germany in the war, but the German Nazis migrated
to America. Google "operation paperclip" and/or read the book _Rise of the 4th
Reich_ by Jim Marrs.