In message <Pine.GSO.4.44.0212081952200.11337-100000@clifden.donelan.com>, Sean Donelan writes:
Has anyone come out with a fix everything CD customers could use to clean up their systems? This isn't an operating system specific issue. Buggy and misconfigured software is running on Unix, Mac, Windows, etc.
It can't be done, at least not usefully. It's easy to turn things off; the hard part is knowing what should be left on, given your needs, the threat environment, and other protective measures. I forget which of the Rainbow Series of books said it -- the Yellow Book, I think -- but one of them noted that the same LAN that was insecure in an office might be quite secure in a submerged submarine with a highly-cleared crew aboard.

It is possible, though, to write something that would analyze a configuration and present you with a sensible menu of choices. It could know, for example, that one can't disable rpcbind if other RPC-based services are running. But getting that right for even a single release of a single OS is hard enough, let alone many releases of many OSes. And then, of course, you want to add advice to the user.

--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)
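As an added illustration, not code from either message, here is the kind of dependency-aware analysis the reply describes: given what is running and what the owner actually needs, sort services into keep, blocked and candidate, and compute a safe shutdown order. The service table is constructed for the example (nfs and ypbind need rpcbind; sshd, telnetd and sendmail stand alone) and does not describe any real OS release.

```python
from typing import Dict, Iterable, List, Set

# Constructed dependency table (hypothetical, not from any real OS):
# service -> services it cannot work without.
DEPENDS_ON: Dict[str, Set[str]] = {
    "nfs": {"rpcbind"},
    "ypbind": {"rpcbind"},
    "rpc.statd": {"rpcbind"},
    "rpcbind": set(),
    "sshd": set(),
    "telnetd": set(),
    "sendmail": set(),
}

def required_closure(needed: Iterable[str], depends_on: Dict[str, Set[str]]) -> Set[str]:
    """Everything that must stay on so that each service in `needed` keeps working."""
    keep: Set[str] = set()
    stack = list(needed)
    while stack:
        svc = stack.pop()
        if svc not in keep:
            keep.add(svc)
            stack.extend(depends_on.get(svc, set()))
    return keep

def running_dependents(svc: str, running: Set[str], depends_on: Dict[str, Set[str]]) -> Set[str]:
    """Running services that would break if `svc` were turned off."""
    return {s for s in running if svc in depends_on.get(s, set())}

def hardening_menu(running: Set[str], needed: Set[str],
                   depends_on: Dict[str, Set[str]] = DEPENDS_ON) -> Dict[str, object]:
    """Sort running services into: keep (needed, or required by something needed),
    blocked (not needed, but something running still depends on it, so disable the
    dependents first) and candidate (nothing running needs it; safe to turn off)."""
    keep = required_closure(needed, depends_on) & running
    blocked: Dict[str, List[str]] = {}
    candidate: List[str] = []
    for svc in sorted(running - keep):
        deps = running_dependents(svc, running, depends_on)
        if deps:
            blocked[svc] = sorted(deps)
        else:
            candidate.append(svc)
    return {"keep": sorted(keep), "blocked": blocked, "candidate": candidate}

def disable_order(running: Set[str], needed: Set[str],
                  depends_on: Dict[str, Set[str]] = DEPENDS_ON) -> List[str]:
    """Order in which the non-needed services can be turned off without ever
    stopping something that a still-running service depends on."""
    remaining, order = set(running), []
    keep = required_closure(needed, depends_on) & running
    while remaining - keep:
        ready = sorted(s for s in remaining - keep
                       if not running_dependents(s, remaining, depends_on))
        if not ready:
            raise ValueError("dependency cycle among %s" % sorted(remaining - keep))
        order.append(ready[0])
        remaining.remove(ready[0])
    return order
```

Note that the same running set yields a different menu depending on `needed`: with sshd and nfs required, rpcbind is kept; with only sshd required, rpcbind is merely blocked until nfs and ypbind are shut down.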