[CentOS] Another Fedora decision

Tue Feb 3 19:40:07 UTC 2015
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Tue, February 3, 2015 1:15 pm, Les Mikesell wrote:
> On Tue, Feb 3, 2015 at 1:01 PM, Valeri Galtsev
> <galtsev at kicp.uchicago.edu> wrote:
>>
>>>
>>> Yes, computers and the way people access them are pretty much a
>>> commodity now.  If you are spending time building something exotic for
>>> a common purpose, isn't that a waste?
>>
>> Do I have to take that people who are not sysadmins themselves just hate
>> an existence of sysadmins?
>
> No, I think there are better things for sysadmins to do than fix
> settings that should have had better defaults.

Disagree. Ensuring the security of the box is a sysadmin's duty. It is in the job
description. Job to be done.

>
>>> There are probably still people that take their cars apart to check
>>> that they were assembled correctly too.  But that doesn't mean that
>>> things should not be shipped with usable defaults.
>>>
>>
>> No, I'm not the driver of my cars, I mean computers. I am a mechanic of a
>> racing car competition team, my cars go into competition, and the life
>> of the driver riding it depends on me having taken the whole mechanism apart,
>> and making sure nothing breaks and kills the driver and hundreds of spectators.
>
> So don't you think it would be a good thing if the thing was built so
> it didn't break in the first place? That is, so nobody gets killed
> running it as shipped, even if they don't have your magical expertise?

I regret I let myself be dragged into car analogy. Once again, I'm not
"driving" my machines.

>
>> I really hate these car analogies. They are counter-productive. In your
>> eyes my server is indeed a commodity, which I refuse to agree with
>> pretty much like I refuse to join the ipad generation. My ipad would be a
>> commodity, but I for one will never trust that ipad and will not originate
>> a connection to a secure box from it.
>
> The point I'm trying to make is that whatever setting you might make
> on one computer regarding security would probably be suitable for a
> similar computer doing the same job in some other company.  And might
> as well have been the default or one of a small range of choices.
> And in particular, rate limiting incorrect password attempts and/or
> providing notifications about them by default would not be a bad
> thing.  Unless there's some reason you need brute-force attacks to
> work...

It is possible that the system vendor does what you call a better job. I do
welcome, e.g., the "--hitcount" iptables option used in the firewall CentOS
comes with. (But some may hate that, and I respect their demand for their
boxes.) This doesn't mean I will not take a look into the configuration at
least once, and add what I have "certified" to my kickstart file. This
probably is where we do diverge. I do not configure all and every box; I
do the necessary job with one system class for each of the OS releases -->
kickstart, but minor tweaks may still be necessary depending on the particular
tasks on the box.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
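The "--hitcount" rate limiting mentioned in the message is the iptables "recent" match: a per-source list of hit timestamps, with the DROP rule matching once enough hits fall inside a sliding window. The following is an added example, not code from the list thread or from CentOS; it is a simplified Python model of that sliding-window count (one stamp per new connection, the 20-entry per-address cap of the kernel module's default), replayed over a constructed timeline of SSH connection attempts so the verdicts can be inspected offline.

```python
from collections import defaultdict, deque

# Modelled rule pair (real iptables options; the counting below is a simplification):
#   iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
#       -m recent --set --name SSH
#   iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
#       -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
SECONDS = 60    # sliding window length (--seconds)
HITCOUNT = 4    # hits inside the window at which the DROP rule matches (--hitcount)
LIST_TOT = 20   # stamps kept per address (xt_recent ip_pkt_list_tot default)


class RecentTable:
    """Simplified model of one xt_recent list: per source, a bounded list of hit times."""

    def __init__(self, seconds=SECONDS, hitcount=HITCOUNT, list_tot=LIST_TOT):
        self.seconds = seconds
        self.hitcount = hitcount
        # deque(maxlen=...) overwrites the oldest stamp like the kernel's ring of stamps
        self.stamps = defaultdict(lambda: deque(maxlen=list_tot))

    def new_connection(self, src, now):
        """Apply both rules to one NEW connection at time `now`; return ACCEPT or DROP."""
        hits = self.stamps[src]
        hits.append(now)  # rule 1 (--set): record this hit unconditionally
        # rule 2 (--update --seconds --hitcount): count stamps inside the window,
        # the current hit included because --set ran first
        in_window = sum(1 for t in hits if now - t <= self.seconds)
        return "DROP" if in_window >= self.hitcount else "ACCEPT"


def replay(attempts, **kw):
    """Run (time_s, src) attempts through a fresh table; return (time, src, verdict)."""
    table = RecentTable(**kw)
    return [(t, src, table.new_connection(src, t)) for t, src in attempts]


# Constructed timeline: one noisy source hammering port 22, one ordinary user.
ATTEMPTS = [
    (0, "198.51.100.7"), (5, "198.51.100.7"), (9, "198.51.100.7"), (12, "198.51.100.7"),
    (15, "198.51.100.7"), (20, "203.0.113.42"), (70, "198.51.100.7"), (300, "198.51.100.7"),
]

if __name__ == "__main__":
    for t, src, verdict in replay(ATTEMPTS):
        print(f"t={t:>4}s {src:<15} {verdict}")
```

The replay shows the fourth and fifth attempts from the noisy source dropped while the other user is untouched, and the same source accepted again at t=70 once only three stamps remain inside the 60-second window.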