[CentOS] Correct xen domains path
Stephen John Smoogen
smooge at gmail.com
Tue Jun 19 22:36:13 UTC 2007
On 6/18/07, Stephen Harris <lists at spuddy.org> wrote:
> On Mon, Jun 18, 2007 at 12:18:40PM -0600, Stephen John Smoogen wrote:
> > On 6/18/07, Stephen Harris <lists at spuddy.org> wrote:
> > >I've never said there are _no_ cases for SELinux. I was questioning it
> > >as a general rule for all machines.
>
> > Several of the problems were machines that were not connected to the
> > internet or were deep behind firewalls. The problems were that all it
> > takes is one user who doesnt think well to make all those
> > firewalls/issues useless. E.G the person who coming in from work finds
> > a nice shiney USB fob and plugs it into a work computer to see who it
> > belonged to so they could return it. The guy who downloads an
>
> [ etc ]
>
> This is why I mentioned "risk profile" in another message. You evaluate
> the perceived risk, the likely-hood of the event happening, the cost of
> the event, the "cost" of a potential solution and perform an analysis.
>
> So one might rank the items this:
> external facing servers: high risk! Automated attacks possible
> Desktop work stations: moderate. User stupidity highest attack vector
> General compute server: low risk. Only "trained" staff have access.
>
I was really grumpy yesterday.. so I just wanted to say that I believe
that in most cases where you are in a low risk.. you might be better
off with selinux in permissive mode versus off. Permissive at least
will give you a finger print of what might have gone wrong when the
PFY plugged in that nice shiney USB fob he found next to his car at
lunch.
--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
More information about the CentOS
mailing list