2010/12/1 Nico Kadel-Garcia <nkadel at gmail.com>:
>> Anyone willing to contribute funds (or time) to such a study? It would be
>> an educational experience and good PR, at the least.
>
> Oh, I know the holes and which would be straightforward to get to.
> There's generally enough lower hanging fruit with NFS stored
> passwords, email with passwords, and poorly managed elevation via SSH
> keys as policies before I even got there that this protection is like
> putting a bike lock on a jello mold.

How about a production-like server:

- firewall installed
- selinux disabled
- all services except ssh and httpd disabled
  -> sshd login enabled only with ssh keys and httpd protected via mod_security?
- cis hardened fixes applied to os
- latest kernel patches applied

--
Eero
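As an added example (not code from this thread or from any project mentioned in it) of verifying the "sshd login enabled only with ssh keys" item on that list: a POSIX sh audit of an sshd_config, run here against two constructed sample files. The function names sshd_opt and check_sshd_keyonly and the sample file contents are my own assumptions.

```shell
#!/bin/sh
# Audit an sshd_config for key-only login. Reads the file the way sshd does:
# the first occurrence of a keyword wins, and everything after the first
# "Match" block is ignored because it applies only conditionally.

# sshd_opt FILE KEYWORD DEFAULT -> prints the effective value, lowercased
sshd_opt() {
    _file=$1; _key=$2; _default=$3
    _val=$(awk -v k="$_key" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print tolower($2); exit }' "$_file")
    printf '%s\n' "${_val:-$_default}"
}

# check_sshd_keyonly FILE -> exit status 0 if only key logins are possible,
# 1 otherwise (one FAIL line per offending setting). Defaults given here
# are the stock OpenSSH defaults, which is what a commented-out line yields.
check_sshd_keyonly() {
    _f=$1; _ok=0
    _pw=$(sshd_opt "$_f" PasswordAuthentication yes)
    _cr=$(sshd_opt "$_f" ChallengeResponseAuthentication yes)
    _pk=$(sshd_opt "$_f" PubkeyAuthentication yes)
    _pe=$(sshd_opt "$_f" PermitEmptyPasswords no)
    [ "$_pw" = no ]  || { echo "FAIL: PasswordAuthentication=$_pw"; _ok=1; }
    [ "$_cr" = no ]  || { echo "FAIL: ChallengeResponseAuthentication=$_cr"; _ok=1; }
    [ "$_pk" = yes ] || { echo "FAIL: PubkeyAuthentication=$_pk"; _ok=1; }
    [ "$_pe" = no ]  || { echo "FAIL: PermitEmptyPasswords=$_pe"; _ok=1; }
    return $_ok
}

# Constructed sample configs (not taken from any real host).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# stock-style file: the commented line leaves password logins enabled
#PasswordAuthentication yes
PubkeyAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication yes
EOF

check_sshd_keyonly "$HARD_CFG" && echo "hardened sample: key-only login OK"
check_sshd_keyonly "$WEAK_CFG" || echo "weak sample: rejected as expected"
```

The Match block in the hardened sample is deliberately left out of the verdict; a full audit would also report such conditional exceptions.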