Kilian CAVALOTTI wrote:
But this can also lead to the kind of security problem Joe described,
even if here, I don't think one can blame any of the system's component
being outdated for this intrusion.
It is/was a user issue. We are working to prevent this sort of issue
arising again.
Sadly, I feel as if we are playing "whack-a-mole" with these issues.
No, adding SElinux or other products won't make this any better, they
add layers of complexity, and the benefits may not be worth the costs.
The issue is, in part, we need to
a) prevent sharing of accounts
b) control access to ssh logins
c) prevent execution of dangerous stuff.
"c" is 'easy' (yeah, I know its wrong), but we can disable all suid
programs on the machine that are accessible from users accounts.
"a" is hard. Academics like to share things. We need to find a way to
let them do this. Securely.
"b" is interesting. They were using keys for access. Someone loaned
their keys to a friend, or their keys were hijacked, or whatever.
So we are going to take a different approach.
Cheers,
--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics LLC,
email: [EMAIL PROTECTED]
web : http://www.scalableinformatics.com
http://jackrabbit.scalableinformatics.com
phone: +1 734 786 8423 x121
fax : +1 866 888 3112
cell : +1 734 612 4615
_______________________________________________
Beowulf mailing list, Beowulf@beowulf.org
To change your subscription (digest mode or unsubscribe) visit
http://www.beowulf.org/mailman/listinfo/beowulf
