[rescue] SMP on intel wasteful?

rescue at sunhelp.org rescue at sunhelp.org
Mon Jun 24 22:13:29 CDT 2002


>>>> I'm sorry, but am I missing something here? I've heard lots
>>>> of people complaining about how secure various OSes (IRIX,
>>>> Solaris, etc.) are 'out of the box'. Who cares?
>>> 
>>> If you don't make any more money and have to spend more time
>>> on it, you would care.  The customers don't understand
>>> security and expect it to be there as part of the base service.
>> 
>> you are right, however, it takes all of what?  5 minutes to
>> secure a Solaris box?  that pretty much negates your argument
>> IMHO 

Wrong.  If I want a *really* locked down system for a well-
defined set of uses, then I might be able to do it in 5 minutes,
or I could (in many cases) use a default OpenBSD install.  If
I wanted to have a "rather" well-secured system for a
"nebulous" (had to use the word) set of uses for a customer,
then I might take much longer to "secure" the system.  The
bottom line is that the process of locking down and tightening
security is not one-size-fits-all.  The more secure/reliable
the default config is, though, the less time and effort is
generally required to produce a secure installation.

The two choices that Sun and SGI (among others) made a while
back that continue to hurt them in this area were 1.  Have an
install that by default is *very* open and 2.  Don't change
the default install, since everyone "expects" it to be open
at this point.  Off-the-record discussions with Sun and SGI
folks indicate that even within the companies there's a large
contingent which wants a more secure default install.

> Hi Brian,
> 
> You are an IRIX guru, so how long would this take for IRIX?
I'm not Brian, but since SGI trusts us to do a security eval
of IRIX/TRIX under contract I'll take a stab...

> Remember that this is not a sealed-services box, there will
> be lusers with actual logins on such boxen.  Assume one
> account gets compromised - how tough is it to secure IRIX
> against most local root exploits?
If this is a shell account/web server box, then you will
want to remove (or not install) most of the SetUID root crap.
No reason to include 4dwm on such a system, or most of the
audio/video tewlz.  (In the same vein, anyone who installs
Solaris should ensure that KCMS isn't included, for anyone
who isn't already aware of how useless/insecure it is.)

If the lusers will need access to admin-type functions, you can
(should) use a combination of capabilities and sudo to separate
admin functions and preserve "least privilege".

Other than those items, "it varies".  If you can give me
more specific details off-list, I can try to review our
IRIX config guidance, update it for your specific needs, and
perhaps test it on a system here.
>>> I don't say anything about relative quality; there are
>>> things IRIX has that OpenBSD does not - such as XFS, SMP
>>> support, sproc based threads and "normal" threads, etc.  
>> 
>> what is this /usr/src/sys/xfs directory in my OpenBSD
>> 3.1 source tree?  is this something other than the "real"
>> XFS?  i don't need it for these two machines i'm building,
>> but i'm very curious.
Unrelated to my knowledge.  SGI released significant details
of their XFS as part of their move to support linux (oss.sgi.com)
but that XFS in the OpenBSD source is still (to my knowledge)
actually related to AFS and is useless to most anyone *not*
in an AFS environment.  I haven't verified this recently, tho.

>>> OpenBSD's thread implementation is so lame that I can't
>>> run a needed application on SPARC32 (and probably not
>>> SPARC64 either and must resort to using x86 hardware.)
>> 
>> that's a shame.  but at least it will make a nice Bridging
>> Packet Filter which is what i plan to do with it. ;)

OpenBSD is my preferred solution for low/no-cost packet
mangling on x86 and SPARC.  Even the new pf, while it doesn't
have as much mileage as ipf, has in my experience been
very reliable.

> If I was offering solely Apache with my colo accounts i
> would be Sparc/SGI and a Cray with blinky lights to impress
> the suits and earn me geek points.

You don't need the Cray...just "the little machine that goes
*ping*".  I've seriously considered trying to find a 2U
rackmount that I could drill for LED holes in the front, and
just run it as a spectrum analyzer off MP3s or something.
Our network/telco room is too boring and needs more
blinkenlights.

  --Rip
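An added example, not from the thread or from any of the vendors discussed, for the step Rip describes of removing (or not installing) SetUID root programs on a shell-account box: it inventories setuid/setgid files under a tree and reports any that are not on an allowlist of the ones you have decided to keep. Assumes POSIX sh with find, ls and awk; the allowlist format (one absolute path per line) is an assumption.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): inventory the
# setuid/setgid files under a directory tree and flag any not on an
# allowlist, so the "remove most of the SetUID root stuff" step can be
# checked after install and re-checked after every patch.
# Assumptions: POSIX sh, find, ls, awk; allowlist = one path per line.

# Print "perms owner path" for every setuid or setgid regular file under $1.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; \
        | awk '{ print $1, $3, $NF }'
}

# Print the number of setuid/setgid regular files under $1 as a bare integer.
count_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

# Print each setuid/setgid file under $1 whose exact path is not listed
# in the allowlist file $2; anything printed is a candidate for removal
# (or for chmod u-s / g-s) or for an update of the allowlist.
unexpected_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | while IFS= read -r f; do
        grep -qxF "$f" "$2" || printf '%s\n' "$f"
    done
}

# Stand-alone use: audit_setid.sh /usr/bin [allowlist]
if [ -n "${1:-}" ]; then
    if [ -n "${2:-}" ]; then
        unexpected_setid "$1" "$2"
    else
        list_setid "$1"
    fi
fi
```

Run it against the same allowlist on each box after patching; a newly appearing path is the signal that a package has reintroduced a setuid binary.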