Date: Thu, 19 Aug 1999 12:27:53 -0400 (EDT) From: Robert Watson <robert@cyrus.watson.org> To: "Mikhail A. Sokolov" <mishania@demos.net> Cc: Tom Brown <tomb@securify.com>, "'freebsd-security@freebsd.org'" <freebsd-security@freebsd.org> Subject: Re: "Secure-FreeBSD" Idea Message-ID: <Pine.BSF.3.96.990819122414.21779A-100000@fledge.watson.org> In-Reply-To: <19990813031813.A94114@demos.su>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 13 Aug 1999, Mikhail A. Sokolov wrote: > On Thu, Aug 12, 1999 at 09:52:48AM -0700, Tom Brown wrote: > # HI, > # > # Now realistically all this would have to be is a really anal installation process, forcing the user to positively select services such as ftp,telnet, sendmail etc. So if you don't select anything, you can't much. It would also have carefully set UMASKS and probably come with some easy way to get the user to set-up tripwire and ipfw for example. > # > # I suspect that most of the readers of this list spend a fair amount of time going through the same laborious process of tying down each server they built. How about we pools this vast collection of procedures together and try to build some kind of a security release. We all know (well at least I hope we do!) what a solid O/S FreeBSD is, wouldn't this be the ideal opportunity, to push the OS further into the public eye? > > Robert Watson has some tools, which are supposed to be bringing standard > system install to somewhat more secure state, it was under the idea > of 'the freebsd hardening project'. I guess he reads this list and could > comment, actually. I'm currently on vacation several hundred miles from my development tree, but will be back in town next week and continuing work on the POSIX.1e extensions, primarily auditing at this point. The hardening project suffers from a lack of time on my part, and no doubt others also. Jan's HOW-TO is a useful tool for those wanting to harden a system--creating a software tool to manage his instructions for you (i.e., check the boxes to apply the restrictions he describes, with online help from the howto) would be great if someone wants to hack one up. Continued work to reduce setuid/setgid utilities and move away from /dev/kmem are always good things to do, also. I hope to be releasing some more auditing code in about a month or so, which include some IDS code that might be useful. Anyhow, I'm back off to vacationing, but will not doubt have some comments concerning the dozens of other -security mails that seem to have arrived over the past week :-). Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Computing Laboratory at Cambridge University Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.990819122414.21779A-100000>