SLES9 ships with a script that puts the system into the certified configuration. I don't know whether we have such a script for SLES10SP1, but it is currently in evaluation, so such a script could not be final right now anyway. Crispin Raekism wrote:

This there a whitepaper on locking down a "certified" Suse configuration?

Thanks, Rae

On 5/21/07, *Crispin Cowan* <crispin@novell.com <mailto:crispin@novell.com>> wrote:

Emily Ratliff wrote: > Crispin Cowan wrote: > > To be considered certified, it would have to be in the certified > configuration. > > Installing a new application with an open network port violates that > certification. > > This is only true if it opens a port < 1024 or runs as root. If it is > started as a non-root user, then a port can be opened. That's why > running a webserver on port 8080 does not violate the certified > configuration. > > I'm not arguing against your main point, but it is not quite as bad as > you state here. Thanks for clarifying. Its good to know that the certified configuration's restrictions make it less useless than I thought :-)

Crispin

-- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ <http://crispincowan.com/%7Ecrispin/> Director of Software Engineering http://novell.com

--------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org <mailto:opensuse-security+unsubscribe@opensuse.org> For additional commands, e-mail: opensuse-security+help@opensuse.org <mailto:opensuse-security+help@opensuse.org>

-- Be who you are and say what you feel, because those who mind don't matter and those who matter don't mind. - Dr. Seuss

-- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering http://novell.com --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org