Re: Still learning! (kernel help)

From: Jamie Hushower <hushower@alaska-geeks.com>
Date: Wed Jan 04 2006 - 10:26:06 AKST

I am curious and interested in the vulnerabilities you insinuate when a stock
kernel is used. Assume that all unnecessary services are stopped and a
firewall is in place. Also assume good encryption and strong passwords for SSH
access. How does having a lot of options compiled into the kernel increase
attack vectors? Mind, I'm not arguing; I'm ignorant. I have supported running
stock kernels with all of the modules because it has allowed me to save *at
least* 3 clients in that I moved a hard drive from one (damaged) server to
another and had no issues getting the OS to boot and recognize all hardware.
Is the danger only present when users are granted shell access? I have not
administered any Linux servers except those that offer access of the non-shell
variety (http, smtp, smb, etc.).

-Jamie

<snip>
> Running a stock distro kernel *especially* for enterprise situations is, in my
> opinion, insane. Keep in mind that most vendors compile in everything they
> can just to make sure the system will run out of the box on the widest array
> of hardware. From a security perspective that opens more attack vectors from
> users when module auto-loading is enabled, not to mention some of the latest
> filesystem driver exploits. From a performance perspective a bloated kernel
> (along with bloated "optimized" system libraries) can be detrimental to cache
> coherency on SMT machines (or even SMT/SMP machines like the POWER5 that allow
> micropartitions).
>
> When I'm spouting my nonsense you also have to consider my affliction as a
> minimalist. I can't stand running a kernel with a bunch of crap enabled that
> I'll never need or use. That's protected me more than once from kernel
> vulnerabilities that the stock distro kernels were vulnerable to.
<snip>

-- 
Jamie Hushower
Computer Consultant
Rent-A-Geek
www.alaska-geeks.com
223-9136
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Wed Jan 4 10:26:26 2006
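The mitigation for the module auto-loading vector raised in the quoted reply, as an added example that is not from either poster: a POSIX shell audit of /etc/modprobe.d-style `install <module> /bin/false` entries, which stop modprobe from auto-loading filesystem drivers a server never mounts. The module list, the file names and the sample config are constructed for this example; adjust them to your own hosts.

```shell
#!/bin/sh
# Audit whether unneeded filesystem modules are blocked from auto-loading.
# An uncommented "install <mod> /bin/false" (or /bin/true) line makes modprobe
# run that command instead of loading the module, so a user-triggered mount
# of an exotic filesystem no longer pulls its driver into the kernel.

# Filesystem drivers a typical server never mounts (constructed list).
UNNEEDED_FS="cramfs freevxfs jffs2 hfs hfsplus squashfs udf"

# module_disabled MOD FILE... : exit 0 if any FILE has an active install line
# for MOD pointing at /bin/false or /bin/true, 1 otherwise.
module_disabled() {
    mod=$1; shift
    grep -qE "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/(false|true)([[:space:]]|$)" "$@" 2>/dev/null
}

# audit_fs_autoload FILE... : print the modules from UNNEEDED_FS that FILE...
# do NOT disable; exit 0 when all are disabled, 1 when any is still loadable.
audit_fs_autoload() {
    missing=""
    for mod in $UNNEEDED_FS; do
        if ! module_disabled "$mod" "$@"; then
            missing="$missing $mod"
        fi
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# gen_disable_conf MOD... : emit the modprobe.d lines that close the gap.
gen_disable_conf() {
    for mod in "$@"; do
        printf 'install %s /bin/false\n' "$mod"
    done
}

# Demo on a constructed config where only two of the seven modules are disabled;
# prints the five still auto-loadable ones and returns 1.
demo() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
# sample fs-blacklist.conf (constructed for this example)
install cramfs /bin/false
# install hfs /bin/false     <- commented out, so hfs is still loadable
install udf /bin/true
EOF
    audit_fs_autoload "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Running `gen_disable_conf $UNNEEDED_FS` produces the lines that make the audit pass; on a live host point the audit at `/etc/modprobe.d/*.conf` instead of the sample file.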

This archive was generated by hypermail 2.1.8 : Wed Jan 04 2006 - 10:26:26 AKST