Tim:
>> I wonder if anyone vets that information?

Jonathan Billings:
> Just check the references:
>
> https://static.open-scap.org/ssg-guides/ssg-fedora-guide-standard.html#xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs

Although I picked a specific portion (about passwords), I meant overall if anyone vets all the advice.

Just clicking on some of the reference links, I see many of them lead to pages which pop up a PR page for the organisation, and one which actually displays a "withdrawn NIST technical series publication" (in other words, the reference is invalid). I wasn't going to try them all, because (a) I don't have the time to put up with that crap, and (b) burying anything that might actually be useful in a mound of crap doesn't engender any faith in following their operating procedures. It looks like it's designed to make you just give up and do what they say.

The "rationale" rather lamely explains the idea behind the practice. Neither it, nor any of the links I tried, offer any proof that it was a good idea. It doesn't give anything to back up the theory. It doesn't address counterarguments. It doesn't withstand my own scrutiny.

It reminds me of something I looked up regarding some medical quackery device. They proudly proclaimed its use in some hospital (singular) as proof that it had sound medical backing. But if you followed up the recommendation, the hospital's paper said absolutely nothing about the medical benefits of the device, nor its ilk; it just mentioned that when staff handled those kinds of device, that particular brand didn't break as easily as alternatives. It was a false endorsement.

I have a strong distrust of security advice like this, particularly when explanations are so obscure, and the advice doesn't even stand up to your own scrutiny.

I'm reminded of things like: "9 out of 10 doctors support our product."
They actually asked 100 doctors a question about it; most of them were negative or refused, but 9 gave a positive response. So they just used 10 samples out of the 100 for their PR bullcrap. It's not a lie, technically, but it's also a complete misrepresentation of the truth.

--
uname -rsvp
Linux 3.10.0-1160.119.1.el7.x86_64 #1 SMP Tue Jun 4 14:43:51 UTC 2024 x86_64

Boilerplate: All unexpected mail to my mailbox is automatically deleted. I will only get to see the messages that are posted to the mailing list.