On Tue, Feb 3, 2015 at 12:24 PM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
> Sounds so I almost have to feel shame for securing my boxes no matter what
> job vendor did ;-)

Yes, computers and the way people access them are pretty much a commodity now. If you are spending time building something exotic for a common purpose, isn't that a waste?

> Just a simple example: I have at least 3 classes of boxes configured
> ultimately different and having very different level of
> security/fortification. Do you seriously suggest that system vendor will
> ship all three level of security configurations?

Yes, 3 seems about right.

> Do you seriously think
> that needing quite high level of security for some box I will not go over
> all settings influencing it myself? Will you not?

Of course, but only because the vendor does not do it. I think Red Hat's engineers are capable of it if they wanted to.

> We are not Windows
> admins, we rely on what we configure or check ourselves.

Not sure what you mean by that. Windows is much worse since the configurations tend to be hidden and the ways to do things interactively and scripted are wildly different.

> Yet, I'm sure, majority Unix sysadmins will still do what I do: go over
> everything themselves. No matter what someone says.

There are probably still people that take their cars apart to check that they were assembled correctly too. But that doesn't mean that things should not be shipped with usable defaults.

--
Les Mikesell
lesmikesell at gmail.com

On Tue, February 3, 2015 12:39 pm, Les Mikesell wrote:
> On Tue, Feb 3, 2015 at 12:24 PM, Valeri Galtsev
> <galtsev at kicp.uchicago.edu> wrote:
>>
>> Sounds so I almost have to feel shame for securing my boxes no matter
>> what job vendor did ;-)
>
> Yes, computers and the way people access them are pretty much a
> commodity now. If you are spending time building something exotic for
> a common purpose, isn't that a waste?

Do I have to take that people who are not sysadmins themselves just hate an existence of sysadmins?

>> Just a simple example: I have at least 3 classes of boxes configured
>> ultimately different and having very different level of
>> security/fortification. Do you seriously suggest that system vendor will
>> ship all three level of security configurations?
>
> Yes, 3 seems about right.
>
>> Do you seriously think
>> that needing quite high level of security for some box I will not go
>> over all settings influencing it myself? Will you not?
>
> Of course, but only because the vendor does not do it. I think Red
> Hat's engineers are capable of it if they wanted to.

Here is the difference between us. I refuse to trust something ultimately important which I can check or tune without checking (and tuning if necessary). It will be my laziness. Note, that that I apply to myself. What you do is up to you (and you bear consequences of your decision, and I bear consequences of mine).

>> We are not Windows
>> admins, we rely on what we configure or check ourselves.
>
> Not sure what you mean by that. Windows is much worse since the
> configurations tend to be hidden and the ways to do things
> interactively and scripted are wildly different.
>
>> Yet, I'm sure, majority Unix sysadmins will still do what I do: go over
>> everything themselves. No matter what someone says.
>
> There are probably still people that take their cars apart to check
> that they were assembled correctly too. But that doesn't mean that
> things should not be shipped with usable defaults.
>

No, I'm not the driver of my cars, I mean computers. I am a mechanic of racing car competition team, my cars go into competition, and the life of driver riding it depends on me having taken the whole mechanism apart, and making sure nothing breaks and kills driver and hundreds of spectators.

I really hate these car analogies. They are counter-productive. In your eyes my server is indeed a commodity, which I refuse to agree with pretty much like I refuse to join ipad generation. My ipad would be commodity, but I for one will never trust that ipad and will not originate connection to secure box from it.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

On Tue, Feb 3, 2015 at 1:01 PM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
>> Yes, computers and the way people access them are pretty much a
>> commodity now. If you are spending time building something exotic for
>> a common purpose, isn't that a waste?
>
> Do I have to take that people who are not sysadmins themselves just hate
> an existence of sysadmins?

No, I think there are better things for sysadmins to do than fix settings that should have had better defaults.

>> There are probably still people that take their cars apart to check
>> that they were assembled correctly too. But that doesn't mean that
>> things should not be shipped with usable defaults.
>>
>
> No, I'm not the driver of my cars, I mean computers. I am a mechanic of
> racing car competition team, my cars go into competition, and the life of
> driver riding it depends on me having taken the whole mechanism apart, and
> making sure nothing breaks and kills driver and hundreds of spectators.

So don't you think it would be a good thing if the thing was built so it didn't break in the first place? That is, so nobody gets killed running it as shipped, even if they don't have your magical expertise?

> I really hate these car analogies. They are counter-productive. In your
> eyes my server is indeed a commodity, which I refuse to agree with pretty
> much like I refuse to join ipad generation. My ipad would be commodity,
> but I for one will never trust that ipad and will not originate connection
> to secure box from it.

The point I'm trying to make is that whatever setting you might make on one computer regarding security would probably be suitable for a similar computer doing the same job in some other company. And might as well have been the default or one of a small range of choices. And in particular, rate limiting incorrect password attempts and/or providing notifications about them by default would not be a bad thing. Unless there's some reason you need brute-force attacks to work...

--
Les Mikesell
lesmikesell at gmail.com

On Tue, 2015-02-03 at 12:39 -0600, Les Mikesell wrote:
> There are probably still people that take their cars apart to check
> that they were assembled correctly too.

It's about taking personal responsibility for the security of your system(s). Trusting someone else's settings of what THEY think YOUR security should be, is very unwise.

It is not car disassembly - it is checking the oil level, the benzin (petrol), the brake fluid, the window washer liquid, the tyre pressures including the 'spare wheel'.

Pilots of aircraft do exactly the same. It is called a preflight check. Doing that on a new CentOS installation is sensible and, if one cares about security, desirable.

--
Regards,
Paul.
England, EU.
Je suis Charlie.

On Tue, 2015-02-03 at 13:01 -0600, Valeri Galtsev wrote:
> I for one will never trust that ipad and will not originate connection
> to secure box from it.

+1.

--
Regards,
Paul.
England, EU.
Je suis Charlie.

On Tue, Feb 3, 2015 at 1:30 PM, Always Learning <centos at u64.u22.net> wrote:
>
>> There are probably still people that take their cars apart to check
>> that they were assembled correctly too.
>
> It's about taking personal responsibility for the security of your
> system(s). Trusting someone else's settings of what THEY think YOUR
> security should be, is very unwise.

Maybe.... It is at least equally unwise to think that you are the only expert and all the people who are supposed to know what they are doing are wrong. That's why we have measles again... I'd rather see some real experts set up usable defaults instead of every person doing an install having to second-guess it.

--
Les Mikesell
lesmikesell at gmail.com