Subject: Re: FreeBSD - a lesson in poor defaults?
From: Steve Clement
To: Dan Lukes
Cc: freebsd-security@freebsd.org
Date: Wed, 13 Jul 2016 11:19:04 +0200
Message-Id: <300EEE78-1BF1-460E-ABDD-8EA5C4809941@localhost.lu>
In-Reply-To: <57860275.404@obluda.cz>

By default, IMHO, a system should resist a standard install on a public IP address without being owned within the hour.

If you need hardening, you should always check and know your system. Especially if something says “secure by default”.

Wonder how HardenedBSD is doing these days…

https://wiki.freebsd.org/Hardening

You do want to protect your basic users from themselves to a certain extent.

The SSL mess is a mess, but LibreSSL hasn’t been spared either.

Nevertheless I am sure that the Core Security team is having regular discussions on some defaults.

If we can assume that this About blob from the FreeBSD site is its mission statement:

“”””
https://www.freebsd.org/about.html

What is FreeBSD?

FreeBSD is an operating system for a variety of platforms which focuses on features, speed, and stability. It is derived from BSD, the version of UNIX® developed at the University of California, Berkeley. It is developed and maintained by a large community.
“”””

The rant is not that justified bearing in mind the versatility of FreeBSD.

Sincerely,

Steve

> On 13 Jul 2016, at 10:57, Dan Lukes wrote:
>
> Particular system needs to be tuned according local environment, goal and requirements. Thus I don't care install-time defaults so much.