Look at page 3 of the report. Oh look! A list of abbreviations and their meanings!
You've probably beenlooking at Page 3 of The Sun.
I've heard that the OpenSSH guys don't want to do this for various reasons. Nonetheless, there is a chroot patch you can apply (http://chrootssh.sourceforge.net) that works pretty well. There are also pointers on how to set up the jail so it will actually work- finding library dependencies and all that.
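As an added example of the "finding library dependencies" step mentioned above (this is not code from chrootssh or from the original post): a POSIX shell script that copies a binary and every shared library ldd reports for it into a jail directory, preserving absolute paths so the dynamic loader finds them unchanged. It assumes a glibc-style ldd whose output uses the `name => /path (addr)` form plus a bare `/path (addr)` line for the loader; the example paths in the comments are illustrative.

```shell
#!/bin/sh
# Added example (not from chrootssh or the original post): populate a chroot
# jail with a binary and the shared libraries it needs, resolved via ldd.
# Assumes glibc-style ldd output, e.g. (illustrative paths):
#   linux-vdso.so.1 (0x00007ffd...)                    <- no file on disk, skipped
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)
#   /lib64/ld-linux-x86-64.so.2 (0x...)                <- the loader, must be copied

# Read ldd output on stdin; print one absolute library path per line.
# Libraries ldd cannot resolve are reported on stderr and not printed.
parse_ldd_paths() {
    awk '
        $2 == "=>" && $3 == "not"  { print "missing: " $1 > "/dev/stderr"; next }
        $2 == "=>" && $3 ~ /^\//   { print $3; next }   # "name => /path (addr)"
        $1 ~ /^\//                 { print $1 }         # "/path (addr)" (loader)
    '
}

# copy_into_jail JAILDIR /abs/path  -> JAILDIR/abs/path, creating parents.
copy_into_jail() {
    jail=$1; src=$2
    dest="$jail$src"
    mkdir -p "$(dirname "$dest")"
    cp -p "$src" "$dest"
}

# populate_jail JAILDIR BINARY...  -> copies each binary and its libraries.
populate_jail() {
    jail=$1; shift
    for bin in "$@"; do
        copy_into_jail "$jail" "$bin"
        ldd "$bin" | parse_ldd_paths | while read -r lib; do
            copy_into_jail "$jail" "$lib"
        done
    done
}

# Usage: populate_jail /var/jail /bin/sh /usr/bin/scp
```

Two caveats worth keeping in mind: glibc's ldd works by running the program's loader, so only point it at binaries you trust, and the jail still needs whatever the service opens at runtime (a `/dev/null`, a trimmed `/etc/passwd`, NSS libraries that ldd does not list because they are dlopen'd). A chroot is also not a boundary against a process that is root inside the jail, so the jailed account should never be root.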
If the DoD gets the patches a month prior to everyone else, they'll just shift the suspense TCO a month sooner, or at least that's what the MAJCOM I worked for will do. Patch management was an issue where I worked, but I developed a rather nice patch management system that really helped get our systems under control. Depending on who exactly you're working for, you may be able to get a copy of it.
I just finished a contract at one Air Force base as a security consultant, and I can tell you that the Air Force is NOT using a "NSA-designed build". It's pretty much a straight install from the CD. But, you can expect at least a somewhat higher degree of sameness among all the workstations as installing unapproved applications is forbidden, and the higherups can and do audit and "software kills" from time to time.
as the submitter is making it out to be. Microsoft is only deactivating OEM keys that haven't been used yet. All you /. that burned a copy of your friend's XP disc should be OK.
OK, this is probably in the realm of silly, but curiosity is killing me. What if the galaxy was perpendicular to us in relation to the axis of its rotation?
I'm not going to go into detail on SIPRNET, but you know it's a different beast. I imagine that either DISA didn't see it, or someone came up with a waiver. I've seen some wacky stuff out there too.
All of my experiences with DISA showed me that they're not too forgiving for wandering far past the boundaries.
I said "one of the largest". As for the number of employees, I haven't the slightest idea. Ask the Department of Defense.
Good catch- I don't recall ever seeing that the system actually bluescreened. I, like apparently everyone else, assumed it was a BSOD. Hell, I've seen Firefox refuse to start up after it has terminated ungracefully...
(when are they going to fix that, by the way?)
Nope. I'm not a kernel programmer. Go ask the contractor why their software crashed the OS.
I do too, and know of one that has a couple of Debian boxes out there, but they're all doing it on the sly if the MAJCOM hasn't issued an interim CTO. If DISA or one of the Information Protection/Assurance offices found out, they could require those boxes to be immediately disconnected.
Just because some people are doing it doesn't mean that it's OK.
Because it resulted in a buffer overrun.
No piece of software running on a Federal interest network should be rubber stamped. It should be evaluated on its own merits by a formal DITSCAP process.
FWIW, on all the Federal networks I've worked on, I've seen damn few Novell servers. A lot of them used to run Novell, then migrated to Windows. I don't recall NetWare being on the EPL for the command I work for, so it might have already gone the way of the dodo.
There aren't any battleships currently in commission in the US Navy; all have been either scrapped or mothballed. You're probably thinking of the prototype cruiser that made all the headlines. It was running NT, bluescreened and the ship was stuck. Note that the bluescreen was not an OS error, but an error due to a divide by zero from the application, and it wasn't written well enough to handle that error nicely, so the OS did what it was supposed to. The ship was rushed anyway, and supposed to have Unix backends for all the C^2 functions. NT is just for the user workstations.
The US retired the Rainbow Series a while ago, but EAL4 is about a close approximation to C2.
The Linux ones. There are already two Linux distros that are EAL certified and have been for some time, but they are EAL3.
The EPL (Enterprise Product List) only lists software that is allowed to run on a Federal network. As long as the system isn't connected to a Federal network and meets the requirements of the contract in terms of reliability, security and auditability, there is nothing to say that a contractor couldn't use SuSE or even RHES (was evaluated EAL3) unless it was expressly forbidden in the contract.
CC evaluation is not an automatic thing. The sponsoring company (in that case Microsoft) pays for the evaluation. A target is generated, which details hardware and software configurations. This can take months. Then the actual platform itself is evaluated, which can also take months, especially if deficiencies are found and corrected. Win2k was released in 2000, but didn't get CC evaluation until 2004. There's a hint.
Not likely to happen soon. Just because it's been EAL4 certified doesn't mean that it is allowed to be operated on a Federal network. In the case of a DoD network, it still needs a CTO (Certificate To Operate) before being allowed to be connected to the network. A CTO requires a whole DITSCAP session, formal documentation, evaluation and recommendation. For an operating system, it could literally be years before a CTO is produced. An interim CTO could be generated, but I don't think any major commands are willing to risk issuing one for such an unknown as this.
Maybe the zealots can stop screaming that EAL certification is just a money thing or that it's worthless just because Win2k was certified EAL4.
Anonymous Cowards don't have a foes list, you fucking lying twat.
Try harder.
I'm unsure as to what you mean by speed problems: slow getting results, or what? I do lots of LDAP queries- getting results is quick. The bulk of my time is spent waiting for the results to finish, usually because of the large number of hits I get (I do things like query who doesn't have a login script, who hasn't logged in the last 30 days, etc). It could be something as simple as the placement of your DCs, global catalog servers, or even how your LDAP queries are being constructed. I used to use the "bulldozer technique" until I figured out how to use LDAP more or less like a SQL Server to let the server work for me instead of vice versa.
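As an added example of letting the directory server do the filtering (this is not the poster's code and not tied to any particular LDAP client): Python that builds server-side Active Directory filters for the two audits mentioned above, users with no login script and users who have not logged in for 30 days, plus an escaped lookup by account name. It assumes the standard AD attribute names (`scriptPath`, `lastLogonTimestamp`, `userAccountControl`, `sAMAccountName`) and AD's bitwise-AND matching rule OID `1.2.840.113556.1.4.803`; the cutoff date in the test is constructed.

```python
"""Added example (not the poster's code): build server-side LDAP filters for the
Active Directory audit queries discussed above, so the DC returns only matching
objects instead of the client pulling every user and filtering locally.

Assumptions: standard AD attribute names and the LDAP_MATCHING_RULE_BIT_AND
extensible-match OID 1.2.840.113556.1.4.803 that AD accepts in filters.
"""
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_INTERVALS_PER_SECOND = 10_000_000
# userAccountControl bit ACCOUNTDISABLE.
UF_ACCOUNTDISABLE = 0x0002
# AD extensible matching rule: bitwise AND.
_BIT_AND = "1.2.840.113556.1.4.803"
# RFC 4515 filter-value escapes (prevents user input from changing the filter).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def to_filetime(when: datetime) -> int:
    """Integer form AD stores in lastLogonTimestamp, computed with exact integer math."""
    if when.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    delta = when - _FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * _INTERVALS_PER_SECOND
            + delta.microseconds * 10)


def escape_filter_value(value: str) -> str:
    """Escape a value that will be embedded inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def enabled_users_filter() -> str:
    """Base clause: user objects whose ACCOUNTDISABLE bit is clear."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(!(userAccountControl:{_BIT_AND}:={UF_ACCOUNTDISABLE})))"
    )


def no_login_script_filter() -> str:
    """Enabled users with no scriptPath attribute at all (absent, not empty)."""
    return f"(&{enabled_users_filter()}(!(scriptPath=*)))"


def stale_login_filter(now: datetime, days: int = 30) -> str:
    """Enabled users whose lastLogonTimestamp is older than `days`, or never set."""
    cutoff = to_filetime(now - timedelta(days=days))
    return (
        f"(&{enabled_users_filter()}"
        f"(|(lastLogonTimestamp<={cutoff})(!(lastLogonTimestamp=*))))"
    )


def user_lookup_filter(sam_account_name: str) -> str:
    """Exact lookup by sAMAccountName with the value escaped."""
    return f"(&{enabled_users_filter()}(sAMAccountName={escape_filter_value(sam_account_name)}))"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(no_login_script_filter())
    print(stale_login_filter(now, 30))
    print(user_lookup_filter("j*doe"))
```

Pair these filters with a paged search and request only the attributes you need (for example `sAMAccountName`, `lastLogonTimestamp`) rather than the whole object; the difference between that and the "bulldozer" approach is exactly the difference between a few kilobytes per page and every attribute of every user crossing the wire. One accuracy caveat: `lastLogonTimestamp` is the replicated attribute, but the DC only rewrites it when the stored value is more than roughly two weeks old, so treat the 30-day cutoff as approximate and not as an exact last-logon record.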
No, there aren't BDCs in AD anymore. Yes, there are FSMO roles that have to be filled, but none of those roles are "backup domain controller". By Microsoft's definition, a BDC is a domain controller that contains a read-only copy of domain information and must replicate changes to the PDC to be written and then must replicate the domain back down to itself to stay current. All DCs in a given AD domain are peers; each has a writable copy of the AD. One of the roles is a PDC emulator, but that is primarily for backwards compatibility with pre-Win2k computers. There can be only one PDC emulator in a given domain, and there can never be more than one. The server that has this FSMO role is not considered a PDC in the Active Directory sense, since there is no such thing. Remember: All Domain Controllers in an Active Directory are peers.
No, you do not need a DC for every Organizational Unit. You need at least 1 DC for every domain. Each domain can have a (theoretical) unlimited number of OUs. In Active Directory there is no such thing as a "backup domain controller" as all DCs are peers and each has a working copy of the Active Directory. Multiple DCs are for load balancing and fault tolerance, but not a requirement.
Ripoff or implementation?
You can't exactly ripoff an open standard.
I started out running Novell 3 and ultimately Novell NDS networks- I still prefer Active Directory. Maybe it was because back then, it was a major pain in the ass getting the real-mode IPX drivers to work in DOS/Win3.11, and the Win95 client supplied by Novell did Very Bad Things to the system.
Over the years, I have migrated two organizations from Novell to a MS-centric infrastructure. I think one org still might be running Novell 386, but then when I was there 10 years ago, they were still running the original IBM PCs with ARCNet cards.