On 1/22/2016 2:24 PM, Gordon Messmer wrote:
On 01/22/2016 01:56 PM, John R Pierce wrote:
Sure, if someone has penetrated my IPMI and/or virtualization
management, I'm already in a world of hurt
Exactly. IPMI should be on a dedicated VLAN with a bastion host. No
other systems should have access to it at all. The servers,
especially, should not have access to their own IPMI network.
Otherwise, you risk creating exactly that kind of hole, where tasks
that are supposed to require console access don't.
Having said that, I have no idea whether or not the virtual console is
locked during the secure boot path. Anybody who uses IPMI and secure
boot?
for that matter, what about a VM running on a service like Amazon AWS
(or pick your virtual server environment) ? AWS provides a remote
console, doesn't it?
--
john r pierce, recycling bits in santa cruz
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
