Re: Local users get to play root?


 



On Wed, 2009-11-18 at 15:43 -0900, Jeff Spaleta wrote:
> On Wed, Nov 18, 2009 at 3:35 PM, Eric Christensen
> <eric@xxxxxxxxxxxxxxxxxxx> wrote:
> > PackageKit is something right there on the desktop that, to its credit,
> > needs little knowledge to use whereas many of your attack vectors noted
> > above are generally fixed in my shop by use of a kickstart and securing
> > the box from physical access and require a higher skill to perform.
> 
> So can't you harden this with a kickstart file line like you do in
> your other hardening steps in your shop? I think the point Bill is
> trying to make is that there are a number of other settings that
> need to be hardened and that this choice is just one of many choices
> associated with security associated with a console user.  Console user
> security is already a leaky ship and PK is just one more hole.
> 
> -jef
> 

Maybe.  I mean removing (or not installing) PK is a snap with kickstart.
I haven't visited my kickstart in a while so...  :)

I guess the big thing, to me, is that this vulnerability wasn't
presented, documented, or talked about and it is the opposite policy to
what most (all?) SYSADMINS would expect.  If you don't know to fix it
then you are pwned.  Most of the hardening guides that I've read or have
contributed to assumed that the operating system wouldn't allow this
kind of behavior by default and thus don't really address it.  I know
the hardening guide for RHEL from the NSA talks about setting up sudo
and how to use it but doesn't talk about securing pup, IIRC.

--Eric

Attachment: signature.asc
Description: This is a digitally signed message part

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
