On Sat, Sep 03, 2005 at 03:10:31PM +0200, martin f krafft wrote:
> also sprach Roberto C. Sanchez <[EMAIL PROTECTED]> [2005.09.03.1502 +0200]:
> > I don't use it in nearly such a tough environment, but everything I have
> > seen/read about it leads me to believe that it can handle large setups
> > very well.
>
> I would talk to the alioth admins about it. Maybe I am just
> incapable of administering OpenLDAP and they got the grips on the
> server by now, but OpenLDAP to me is a synonym for grey hair and
> raving fits of madness.
>
Interesting. I am getting ready to set up a network (20 workstations +
2 servers) for my church and was going to use OpenLDAP. I would be
interested in some alternate suggestions.

> > > It's also *terribly* outdated, breaks some things when used
> > > carelessly, and gives a wonderfully false sense of security. The
> > > same applies to tiger/TARA, btw.
> > >
> > Funny that you mention that. I emailed Javier a while back
> > because some of the changes effected by Bastille were undone when
> > I upgraded my server from Woody to Sarge. He said it needs to be
> > updated to use the dpkg-statoverride, rather than just changing
> > attributes of files without dpkg's knowledge. Other than that,
> > I found it a very helpful tool.
>
> It is a helpful tool. The greatest mistakes you can make are to need
> and to trust it. Go through the process, make conscious decisions,
> but then, for every feature you turn on (or off), verify it
> after the run, make sure you understand how it's done, and then
> don't touch bastille again. Oh, and make sure you know what it's
> talking about. Just clicking yes because a feature "sounds good" is
> calling for trouble.
>
> > Besides, your statement "breaks some things when used carelessly,
> > and gives a wonderfully false sense of security" can be applied to
> > *any* hardening tool or package.
>
> Yes. That's why I strongly recommend not to use them.
>
> > The fact is, that you can't expect to secure a system well with no
> > knowledge of security.
>
> Absolutely. And no tool can do it for you either.
>
All good points.

-Roberto

-- 
Roberto C. Sanchez
http://familiasanchez.net/~roberto
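
The thread above mentions hardening changes being undone on upgrade because they were made without dpkg's knowledge, and advises verifying every change after the run. The script below is an added example, not part of the original message and not Bastille's code: it checks each hardened file's mode and whether a dpkg-statoverride entry backs it. The function names and the EXPECTED list are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Constructed sample list, one "octal-mode path" pair per line.
# Replace it with the files your own hardening run changed.
EXPECTED='4750 /bin/mount
0750 /usr/bin/gcc'

# check_override MODE PATH
# Prints one status line and returns:
#   0  mode matches and a dpkg-statoverride entry exists
#   1  file is missing or its mode differs from MODE
#   2  mode matches but dpkg has no override (an upgrade may reset it)
check_override() {
    want=${1#0}                      # "0750" -> "750", as stat prints it
    file=$2
    [ -e "$file" ] || { echo "MISSING      $file"; return 1; }
    have=$(stat -c '%a' "$file")     # GNU stat: permission bits in octal
    if [ "$have" != "$want" ]; then
        echo "MODE-DRIFT   $file (have $have, want $want)"
        return 1
    fi
    # dpkg-statoverride --list exits non-zero when no entry matches.
    if command -v dpkg-statoverride >/dev/null 2>&1 &&
       dpkg-statoverride --list "$file" >/dev/null 2>&1; then
        echo "OK           $file"
        return 0
    fi
    # To register one (as root), for example:
    #   dpkg-statoverride --update --add root root 0750 /usr/bin/gcc
    echo "NO-OVERRIDE  $file (mode $have is not recorded with dpkg)"
    return 2
}

# audit_list LIST: run check_override on every line of LIST.
# Returns 0 only if every entry is OK.
audit_list() {
    bad=0
    while read -r m p; do
        [ -n "$p" ] || continue
        check_override "$m" "$p" || bad=$((bad + 1))
    done <<EOF
$1
EOF
    [ "$bad" -eq 0 ]
}

audit_list "$EXPECTED" || true
```

A NO-OVERRIDE line is the case from the thread: the mode is right today, but the next package upgrade can put the packaged permissions back.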