Date: Sat, 16 Sep 2000 17:23:46 -0400 (EDT)
From: Robert Watson <rwatson@FreeBSD.ORG>
To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
Cc: Mark Murray <mark@grondar.za>, Will Andrews <will@physics.purdue.edu>, arch@FreeBSD.ORG
Subject: Re: Rsh/Rlogin/Rcmd & friends
Message-ID: <Pine.NEB.3.96L.1000916171837.559A-100000@fledge.watson.org>
In-Reply-To: <200009161534.e8GFYDc32614@cwsys.cwsent.com>
The port idea is an interesting one -- I actually played with some similar ideas for the FreeBSD hardening project I was working on a couple of years ago. A port would provide an interface to select its behavior, and then strip down components of the system reflecting the needs of the administrator. For example, disable services, setuid binaries, clamp down on directory permissions (especially the user skeleton directory impacting account creation properties).

I'd like to see the following, with that idea in mind:

1) inetd is disabled in /etc/defaults/rc.conf (probably already is that way)

2) It can be enabled in sysinstall by turning on Internet network servers in some or another configuration location.

3) Creation of a ports/security/harden port which provides a dialog-like front end for managing mtree application to the base system, allowing disabling of unneeded services.

4) In the long run, moving towards a more granular installation of base system components -- i.e., keep services such as rsh/telnet/etc in the CVS repo and "part of FreeBSD" but allow them to be installed/not installed via sysinstall, and toggled via matching make.conf entries.

And we need to think of a name for these services, such as "Cryptography-free Internet Servers" and "Cryptography-free Internet Clients" :-).

Robert N M Watson
robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
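As an added example that is not part of Robert's message, of the proposed harden port, or of FreeBSD itself, the POSIX sh functions below show the two audit checks an administrator would want from points 1 and 3 of the list: the effective `inetd_enable` value after `/etc/defaults/rc.conf` and `/etc/rc.conf` are layered the way rc(8) sources them (the defaults file first, then the overriding `/etc/rc.conf`), and setuid files found under a tree that are not on an allowlist. Every path, file and allowlist entry used here is a constructed fixture built under a temporary directory by `make_fixture`; the function names are this example's own, and nothing touches the real `/etc` or `/usr/bin`.

```shell
#!/bin/sh
# Added example: hardening audit helpers in the spirit of the proposal.
# All inputs are constructed fixtures; see make_fixture below.

# inetd_enabled DEFAULTS RCCONF
# Source the defaults file, then the site rc.conf, in a subshell so the
# caller's environment is untouched, and print the effective YES/NO.
inetd_enabled() {
    defaults="$1"; rcconf="$2"
    (
        inetd_enable="NO"                       # built-in fallback
        if [ -r "$defaults" ]; then . "$defaults"; fi
        if [ -r "$rcconf" ]; then . "$rcconf"; fi
        case "$inetd_enable" in
            [Yy][Ee][Ss]) echo YES ;;
            *)            echo NO  ;;
        esac
    )
}

# setuid_audit ROOT ALLOWLIST
# Print every setuid file under ROOT (path relative to ROOT) that is not
# listed, one path per line, in ALLOWLIST. An empty result means clean.
setuid_audit() {
    root="$1"; allow="$2"
    find "$root" -type f -perm -4000 | while read -r f; do
        rel="${f#$root}"
        grep -qxF "$rel" "$allow" || echo "$rel"
    done
}

# make_fixture: build a constructed sample tree in a temp dir and print
# its path. The file names are stand-ins, not real binaries.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/defaults" "$dir/root/usr/bin"
    printf 'inetd_enable="NO"\n'  > "$dir/etc/defaults/rc.conf"   # default
    printf 'inetd_enable="YES"\n' > "$dir/etc/rc.conf"            # site override
    : > "$dir/root/usr/bin/su"      # constructed: setuid, on the allowlist
    : > "$dir/root/usr/bin/rcp"     # constructed: setuid, NOT on the allowlist
    : > "$dir/root/usr/bin/ls"      # constructed: not setuid
    chmod 4755 "$dir/root/usr/bin/su" "$dir/root/usr/bin/rcp"
    chmod 755  "$dir/root/usr/bin/ls"
    printf '/usr/bin/su\n' > "$dir/setuid.allow"
    echo "$dir"
}

# demo: run both checks against the fixture and clean up (call explicitly).
demo() {
    d=$(make_fixture)
    echo "inetd effective setting: $(inetd_enabled "$d/etc/defaults/rc.conf" "$d/etc/rc.conf")"
    echo "setuid files outside the allowlist:"
    setuid_audit "$d/root" "$d/setuid.allow"
    rm -rf "$d"
}
```

Sourcing the file and calling `demo` reports `YES` for inetd (the site `rc.conf` wins over the defaults file) and lists `/usr/bin/rcp` as the one unexpected setuid file. Pointing `inetd_enabled` at the real `/etc/defaults/rc.conf` and `/etc/rc.conf`, and `setuid_audit` at `/` with a reviewed allowlist, turns the same functions into the kind of check a harden port would run before and after applying its mtree specification.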