Ubuntu Documentation at Install
John Richard Moser
nigelenki at comcast.net
Tue Mar 28 04:31:17 UTC 2006
-----BEGIN PGP SIGNED MESSAGE-----
Just got back from getting owned hard at the first collegiate cyber
defense competition, we had a fedora core 4 box and win2k win2k3 FC3.
We had most services migrated to FC4 eventually. These were default
everything installs of every OS and we had little control over what was
there; all default settings were in effect.
We did not get buffer overflowed or heap injected or whatever you want
to think. Our pain was configuration errors. EVERYTHING the red cell
used was configuration. First order of business was adam owning our
CISCO 2600 router because SNMP was still on and they could change the
You know what we need? We need something that tracks configuration
changes. After install, the entire configuration of a system is stored
in an encrypted database. After upgrade, the changes are stored in
encrypted database. Install new programs, changes stored in encrypted
database. Change configuration, have a tool sweep known config paths,
changes re stored in an encrypted database. Give us a tool to pull this
up, decrypt it, and print, and we're all happy.
Any changes that are detectable and manageable should be represented
with information about them. If Apache is installed, the entire
.htaccess and .htauth for everything should be reflected in the report
in human readable terms. If apache has mod_auth_root and gives
http://mysite.com:8081/ as a PHP script that gives a root shell with
user:password apache:defult, this should be in the configuration file
after install time.
When someone changes something, they should be able to put notes in the
database attached to ANY part of it. If I change that apache:default to
simmons:vooHah#4o and the configuration manager can't tell, I should be
able to look at the report; click that bit of info; and enter in:
- Default account was removed.
- Account 'simmons' was created with password 'vooHah#4o'
This entry will be datestamped and stored.
That's all I have for you today.
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.
Creative brains are a valuable, limited resource. They shouldn't be
wasted on re-inventing the wheel when there are so many fascinating
new problems waiting out there.
-- Eric Steven Raymond
We will enslave their women, eat their children and rape their
-- Evil alien overlord from Blasto
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v188.8.131.52 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the ubuntu-users