"der.hans" wrote:
> =
> Am 26. Feb, 2003 schw=E4tzte George Toft so:
> =
> >
> > And this is one reason hand editing config files is considered a
> > computer security risk. My typo adversly affected the availability o=
f
> > their web site to their customers. Tools that have been certified to=
> > produce correct, consistent results are much better. Of course, most=
> > Unix admins shudder at the thought of using GUI tools.
> >
> =
> Bah! GUI tools still suck :)
> =
> In this case, what you needed was a decent format for the config file, =
a
> good lint tool and some QA.
> =
>
> GUI tools fsck up all the time! If you don't know how things're suppose=
d to
> work and don't check them, then you don't know if they're working prope=
rly.
> =
> The real solution is having good testing suites and practices.
>
> =
> ciao,
> =
> der.hans
> --
Key word in my statement was "certified tool" - anyone can write a
crappy tool that botches things up. I used to think like you do. In my
CISSP studies, and working Computer Security for the last year and a
half, let me tell you, this is the prevailing thought in the computer
Security field. It's covered under the Clark-Wilson Security Model. I
have seen the benefits of that model.
Which reminds me of a story you will appreciate: a clicker I know (an NT
guy) made some edits using vi to /etc/system (Solaris 2.6 boxes). Upon
rebooting, things went really bad. The problem was he fat-fingered the
parameters on both boxes in different places. First box was up 3 hours
later. Second box was up 5 hours later. A certified tool would have
prevented this several hour outage to a production system. So would
making a backup copy of /etc/system, but that's another story.
George
-- =
Discover . . . | Free Computer Security Information
<=B7=B7=B7> Secure | http://www.georgetoft.com/security
Networking | =
@http://georgetoft.com | Lock your box - keep your affairs private!