[Courses] [Security] Default security policies (was: another netstat)

Raven, corporate courtesan raven at oneeyedcrow.net
Thu Mar 7 17:41:10 EST 2002


Heya --

Quoth Malcolm-Rannirl (Wed, Mar 06, 2002 at 06:45:40PM -0500):
> > 	Wow!  This looks like a shining example of the "when in doubt,
> > install and run everything" policy.  I'm not really a fan of that -- I
> 
> I didn't think any of the major linux distributions did that anymore.
> (I know Mandrake goes "about to activate all these things, you sure
> you want them?".  I'm reasonably sure RedHat stoped doing so by
> default too).

	I have heard but don't know firsthand that the latest Red Hats
don't do so anymore.  Many of the older versions of Red Hat would turn
on everything and the kitchen sink if you asked for a "Server" install.
It's a balancing act between security and usability -- at a basic level,
do you want to permit things by default or deny them by default?  At the
most paranoid end, OpenBSD denies damn near everything unless you
explicitly turn it on.  The SuSE netstat we saw seemed to be the other
end.

	If you've done Linux installs before, have someone experienced
to hold your hand, or are just feeling brave, I think doing a
custom/expert install is usually worth the extra effort.  That way, you
know what you're getting.  Things that it would be really stupid to
leave out (libc, for example) are usually clearly labeled as "REQUIRED".
 
> It is something to do with dns lookups (via some odd coding chain in 
> kmail/kde/qt). I believe it's been fixed for KDE 3.0 (ie. it's in the cvs 
> tree, but use that at your own risk, probably safer to wait until the 
> official release). 
> It's relatively benign.
 
	Good to know.  Thanks.

Cheers,
Raven 
 
"Sed, sed, awk.  Like duck, duck, goose.  Sync, sync, halt.  It's the
 order of nature."
  -- me, after too long a day at work
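A small default-deny audit of the kind the thread argues for, added here as an example and not part of the original post or the list's own material: it parses constructed `netstat -tuln`-style lines (the format is assumed to be the classic Linux layout) and reports every listener that is not on an explicit allow-list.

```python
import re

# Constructed sample of `netstat -tuln` output; not the SuSE listing the
# thread refers to, just a plausible "everything turned on" box.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
"""

# Default-deny policy: only (proto, port) pairs listed here are expected.
# Anything else is reported, mirroring "deny unless explicitly turned on".
ALLOWED = {("tcp", 22), ("tcp", 25)}

# Matches one socket row: proto, queues, local addr:port, foreign addr, optional state.
LINE_RE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+LISTEN)?\s*$"
)


def parse_listeners(text):
    """Return (proto, bind_addr, port) tuples for each socket row in `text`."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or something we do not understand
        proto, addr, port = m.group(1), m.group(2), int(m.group(3))
        proto = proto.rstrip("6")  # treat tcp6/udp6 like tcp/udp for policy
        found.append((proto, addr, port))
    return found


def audit(text, allowed=ALLOWED):
    """Return the listeners in `text` that the default-deny policy does not permit."""
    return [(p, a, port) for (p, a, port) in parse_listeners(text)
            if (p, port) not in allowed]


if __name__ == "__main__":
    for proto, addr, port in audit(SAMPLE_NATSTAT if False else SAMPLE_NETSTAT):
        print(f"unexpected listener: {proto} {addr}:{port}")
```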


