[Novalug] Windows vs Linux: Conforming to Security Specs (Was assumptions)
Clif Flynt
clif at cflynt.com
Thu Jul 9 09:47:59 EDT 2009
On Thu, Jul 09, 2009 at 09:32:26AM -0400, American Dave wrote:
> On Thu, Jul 09, 2009 at 09:08:01AM -0400, Clif Flynt wrote:
> > ... But, I'll concede that it's easier to make a Windows box conform to
> > DoD security regs.
>
> If you were to automate conforming to these regulations, would that
> sentiment still be true? Why not collect your changes and apply them as
> scripts globally? Make them available via a Yum repo?
> Better, why not remaster a RHEL installation image so each machine is
> compliant from the start?
>
Once I had a system configured to meet the specs, I put together
some cloning and configuration scripts on a bootable USB disk that
could take a blank disk and generate a new system with all the right
settings in about 20 minutes. (It helped that I had identical hardware
for new boxes.)
tar and expect are your (and my) friends.
This is a perfectly fine solution for the *ix expert on a per-site
basis.
But, by the next year, the Kernel Auditing stuff had gone into a new
rev, some pam stuff had been fixed, SuSE changed configuration files,
etc, and it took me several days to tweak all the files to conform to
spec again.
It's one of the prices we pay for working with an agile, evolving
system designed to do "stuff" in whatever manner is needed, instead of
one that is stable and engineered to do the minimum to meet specs.
Once you've got a Linux and a Windows box conforming to specs, I
believe that the Linux box is more secure. However, I'll concede that
it's easier to get the Windows box to conform to DSS specs.
Clif
--
... Clif Flynt ... http://www.cwflynt.com ... clif at cflynt.com ...
.. Tcl/Tk: A Developer's Guide (2nd edition) - Morgan Kauffman ..
... 16'th Annual Tcl/Tk Conference: 2009, Portland, OR USA ...
............. http://www.tcl.tk/community/tcl2009/ ............
More information about the Novalug
mailing list