
Re: [rhelv5-list] certifiable

solarflow99

2008-02-29



On 2/28/08, Steve Grubb <sgrubb@redhat.com> wrote:
> On Thursday 28 February 2008 16:48:50 Ed Brown wrote:
> > There are third-party 'benchmarks' or configuration guides for RHEL5 that are
> > becoming standards, or mandates, at least for some government sites. E.g.:
>
> Both of these you point to, I was involved in.
>
> > Each is over a hundred pages of configuration recommendations, from the
> > common sense (turn off services you don't need) to the micro-managed and
> > essentially arbitrary (chmod /etc/sysctl.conf from 0644 to 0600).
>
> The micromanaged one comes from the CIS guide.  :)
>
> > - Are RedHat's "enterprise" operating systems insecure as shipped?
>
> No. For example, the sysctl.conf file doesn't really divulge any secret
> information. If you want to set the permissions to 0600, go right ahead. It
> won't hurt anything. There is a balance that has to be achieved between
> "people want the machine to work" vs "I'm paranoid and I don't trust anyone".
> Some people want USB flash drives to work so they can copy files, some people
> see them as a way to let govt documents out the door. It all depends on your
> context as to whether something needs to be tightened or not.

I was surprised by some of those recommendations, since Red Hat Linux has always used the UPG scheme, so users are their own groups anyway. There was no mention of that, or of how some of the recommendations, including custom SSL in each place, were supposed to be useful. It just seemed to come across as: of course Red Hat Linux can't be secure, here's how to try and deal with it. There was still lots of useful info though, including the description of services.
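The two items debated above, the /etc/sysctl.conf mode and the user-private-group (UPG) scheme, as an added audit example that is not from this thread, the CIS guide or Red Hat; the passwd and group data are constructed stand-ins, and the uid threshold of 500 is an assumption matching the RHEL 5 default for regular users.

```shell
#!/bin/sh
# Added example: audit two hardening-guide items against constructed data.

# Constructed stand-ins for /etc/passwd and /etc/group (not from any real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:100:Bob:/home/bob:/bin/bash
svc:x:502:502:Service:/var/lib/svc:/sbin/nologin'
SAMPLE_GROUP='root:x:0:
users:x:100:
alice:x:500:
svc:x:502:'

# Print each regular user (uid >= 500, assumed RHEL 5 convention) whose
# primary group is not a private group of the same name, i.e. who does not
# follow the UPG scheme that the guides' group-related advice overlooks.
upg_violations() {
    printf '%s\n' "$SAMPLE_PASSWD" | while IFS=: read -r user _ uid gid _; do
        [ "$uid" -ge 500 ] || continue
        gname=$(printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$gid" '$3 == g { print $1 }')
        [ "$gname" = "$user" ] || printf '%s\n' "$user"
    done
}

# Return 0 when MODE (octal, e.g. 644) grants no permission bit that BASELINE
# (octal, e.g. 600) withholds; otherwise report the extra bits and return 1.
# A mode tighter than the baseline (400 vs 600) passes, since the guides only
# care that nothing beyond the baseline is granted.
mode_within_baseline() {
    mode=$1; baseline=$2
    extra=$(( (0$mode & ~0$baseline) & 0777 ))
    if [ "$extra" -eq 0 ]; then return 0; fi
    printf 'mode %s grants bits %o beyond baseline %s\n' "$mode" "$extra" "$baseline"
    return 1
}
```

On a live system the same two functions would consume `getent passwd` / `getent group` output and the result of `stat -c %a /etc/sysctl.conf` instead of the embedded samples.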
