On Tue, Feb 3, 2015 at 12:24 PM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote: > > Sounds so I almost have to feel shame for securing my boxes no matter what > job vendor did ;-) Yes, computers and the way people access them are pretty much a commodity now. If you are spending time building something exotic for a common purpose, isn't that a waste? > Just a simple example: I have at least 3 classes of boxes configured > ultimately different and having very different level of > security/fortification. Do you seriously suggest that system vendor will > ship all three level of security configurations? Yes, 3 seems about right. > Do you seriously think > that needing quite high level of security for some box I will not go over > all settings influencing it myself? Will you not? Of course, but only because the vendor does not do it. I think Red Hat's engineers are capable of it if they wanted to. > We are not Windows > admins, we rely on what we configure or check ourselves. Not sure what you mean by that. Windows is much worse since the configurations tend to be hidden and the ways to do things interactively and scripted are wildly different. > Yet, I'm sure, majority Unix sysadmins will still do what I do: go over > everything themselves. No matter what someone says. There are probably still people that take their cars apart to check that they were assembled correctly too. But that doesn't mean that things should not be shipped with usable defaults. -- Les Mikesell lesmikesell at gmail.com