[Novalug] OT: Windows Assumptions [was: Re: Is Google Chrome going to threaten Linux?]
The Doctor
drwho at virtadpt.net
Fri Jul 10 10:50:43 EDT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Disclaimer: I can't say anything specific about my clients.
American Dave wrote:
> If you were to automate conforming to these regulations, would that
> sentiment still be true? Why not collect your changes and apply them as
They'd still need to be verified periodically.
> scripts globally? Make them available via a Yum repo? Better, why not
> remaster a RHEL installation image so each machine is compliant from
> the start?
Money. A team of developers would have to be tasked with maintaining
that image, which means that billable hours are concerned, which means
dealing with government contracting..
> This is one of the very real reasons why Government machines have
> abysmal security records. If you're still vulnerable to very
> significant threats, what value is conforming to the specification
> providing?
Compliance with FISMA/DIACAP/<insert body of regs here> and security are
two very different things.
> Mucking with technologies like PAM and LDAP isn't fun. Security is
> hard. However the idea would be to do this once, and automate it
> for your next thousand deployments.
Security also needs to be maintained. Patches need to be installed,
which means keeping an eye on what changes on disk. Often, hardening
measures (sometimes as simple as changing a file permission from 0755 to
0700) will have to be re-applied, but then that means a separate change
request (and all the bureaucracy that entails).
> The sentiment I do very much disagree with is "It's harder to secure
> Linux", which was made in an earlier email. When we talk about conforming
I happen to agree with you on a personal basis.
> to specifications, we're talking about something different entirely.
You are very, very right.
- --
The Doctor [412/724/301/703]
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: http://drwho.virtadpt.net/
"'PC LOAD LETTER'?! What the /[a-z]{4}/ does that mean??" --Michael
Bolton, _Office Space_
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkpXVUIACgkQO9j/K4B7F8FvTQCeOlPFVuECYNjY6vSh8EEyX+GX
xtIAoM97FjaLaVPC21tDfjic6zRT3cF9
=brSV
-----END PGP SIGNATURE-----
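Added example (not part of the original message): a read-only check of the kind implied by the reply's points about periodic verification and re-applied hardening. It compares on-disk file modes against a baseline and reports files that a patch has reset, for instance from 0700 back to 0755. The baseline contents, file names and function names are assumptions made for illustration.

```python
import os
import stat
import tempfile


def find_permission_drift(baseline):
    """Compare on-disk modes to a hardening baseline {path: expected_mode}.

    Returns (path, expected, actual, looser) tuples; actual is None when the
    file is missing. Read-only: nothing is changed on disk, so any fix can
    still go through its own change request.
    """
    drift = []
    for path, expected in sorted(baseline.items()):
        try:
            # lstat: audit the entry itself rather than a symlink target.
            actual = stat.S_IMODE(os.lstat(path).st_mode)
        except FileNotFoundError:
            drift.append((path, expected, None, False))
            continue
        if actual != expected:
            # "Looser" means bits are set that the baseline does not grant.
            looser = bool(actual & ~expected)
            drift.append((path, expected, actual, looser))
    return drift


def demo():
    """Constructed scenario: a hardened file is reset to 0755 by an update."""
    with tempfile.TemporaryDirectory() as root:
        tool = os.path.join(root, "admin-tool")    # hypothetical file names
        conf = os.path.join(root, "service.conf")
        for p in (tool, conf):
            open(p, "w").close()
        os.chmod(tool, 0o700)   # hardening step recorded in the baseline
        os.chmod(conf, 0o600)
        baseline = {tool: 0o700, conf: 0o600,
                    os.path.join(root, "removed"): 0o600}
        os.chmod(tool, 0o755)   # simulate a patch restoring the packaged mode
        return [(os.path.basename(p), e, a, l)
                for p, e, a, l in find_permission_drift(baseline)]


if __name__ == "__main__":
    for name, expected, actual, looser in demo():
        shown = "missing" if actual is None else format(actual, "04o")
        print(f"{name}: expected {expected:04o}, found {shown}"
              f"{' (looser than baseline)' if looser else ''}")
```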