[CentOS] SELinux - way of the future or good idea but !!!
Eero Volotinen
eero.volotinen at iki.fi
Wed Dec 1 13:22:24 UTC 2010
2010/12/1 Nico Kadel-Garcia <nkadel at gmail.com>:
>> Anyone willing to contribute funds (or time) to such a study? It would be
>> educational experience and good PR, at the least.
>
> Oh, I know the holes and which would be straightforward to get to.
> There's generally enough lower hanging fruit with NFS stored
> passwords, email with passwords, and poorly managed elevation via SSH
> keys as policies before I even got there that this protection is like
> putting a bike lock on a jello mold.
How about a production-like server:
- firewall installed
- SELinux disabled
- all services except ssh and httpd disabled
-> sshd login enabled only with ssh keys and httpd protected via mod_security?
- CIS hardening fixes applied to OS
- latest kernel patches applied
--
Eero