From owner-freebsd-security@FreeBSD.ORG Tue Sep 11 22:37:10 2012
Delivered-To: freebsd-security@freebsd.org
Message-ID: <504FBD15.8040907@delphij.net>
Date: Tue, 11 Sep 2012 15:37:09 -0700
From: Xin Li
Organization: The FreeBSD Project
To: obrien@freebsd.org
References: <20120906224703.GD89120@x96.org> <50493480.8060307@FreeBSD.org> <20120911061530.GA77399@dragon.NUXI.org> <504EDC67.9070700@FreeBSD.org> <86sjao7q8c.fsf@ds4.des.no> <20120911205302.27484fd6@gumby.homeunix.com> <20120911200925.GA88456@dragon.NUXI.org> <504FA76A.5000209@delphij.net> <20120911211730.GB89188@dragon.NUXI.org> <504FAB87.3020701@delphij.net> <20120911215212.GA89515@dragon.NUXI.org>
In-Reply-To: <20120911215212.GA89515@dragon.NUXI.org>
Cc: Arthur Mesh, Doug Barton,
 freebsd-rc@freebsd.org, freebsd-security@freebsd.org, RW, Dag-Erling Smørgrav, d@delphij.net
Subject: Re: svn commit: r239569 - head/etc/rc.d
Reply-To: d@delphij.net
List-Id: "Security issues [members-only posting]"

On 09/11/12 14:52, David O'Brien wrote:
> On Tue, Sep 11, 2012 at 02:22:15PM -0700, Xin Li wrote:
>> On 09/11/12 14:17, David O'Brien wrote:
>>> On Tue, Sep 11, 2012 at 02:04:42PM -0700, Xin Li wrote:
>>>> So if I was to implement the low grade part I'd remove the
>>>> variable names from the sysctl output at minimum.
>>>
>>> I've removed the MIB names in my latest diff (based on input
>>> from this thread):
>>>
>>> + ( dmesg; kenv; df -ib; \
>>> + ps -fauxrH -o majflt,minflt,nivcsw,nvcsw,nwchan,re,sl,time; \
>>> + sysctl -n kern.cp_times kern.geom kern.lastpid kern.timecounter \
>>> + kern.tty_nout kern.tty_nin vm vfs debug dev.cpu; \
>>> + date ) \
>>> + | /sbin/sha256 -q | dd of=/dev/random bs=8k 2>/dev/null
>>
>> Hmm, but this sha256 run will turn the output to 65 bytes (hex
>> representation of 256 bits of hash output, 64 bytes, and one \n),
>> so, only 256 bits of random data, is that intentional?
>
> At this point, yes. If we find better ways of condensing the
> output of the better_than_nothing() commands, we should do that
> instead. Even with the command list above, it's way more than 4k of
> output. I got about 45k on my test machine.
>
> You suggested gzip, but I just don't know enough about compression
> algorithms as they apply in this area to know if we should use
> gzip instead or not.

I don't think I know enough here, unfortunately...
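Review bot: the last stage of the quoted pipeline, `| /sbin/sha256 -q | dd of=/dev/random bs=8k 2>/dev/null`, hands the kernel the hex digest plus a newline, so the roughly 45k of collected text arrives as 65 ASCII bytes carrying at most four bits each and the `bs=8k` is moot; if the hash stays, write the 32 raw digest bytes rather than their hex form, or drop the hash and let the device's own mixing take the raw command output. The `2>/dev/null` on `dd` also hides any failure to open or write `/dev/random`, so a broken seeding step passes silently at boot; remove the redirect or check `dd`'s exit status. Minor: `/sbin/sha256` is given as an absolute path while `dmesg`, `kenv`, `df`, `ps`, `sysctl` and `date` rely on PATH.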
Using gzip is better than not using it though, since 4k worth of
compressed data is better than 4k worth of plain text because of higher
entropy density (note that the FreeBSD gzip uses a 64K input/output
buffer for compression, by the way, so maybe only the first 64K is
meaningful if we take only 4k of output).

Cheers,
-- 
Xin LI    https://www.delphij.net/
FreeBSD - The Power to Serve!    Live free or die
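The two numbers argued over in this exchange (65 bytes out of sha256 -q, and whether 4k of gzip output holds more than 4k of plain text) can be measured. The following is an added example, not code from the thread or from FreeBSD's rc.d: it builds a constructed stand-in for the dmesg/ps/sysctl output the rc.d snippet collects, then reports the size and the empirical byte entropy of what each conditioning stage would actually write to /dev/random. All function names are this example's own. The Shannon figure is only an upper bound on unpredictability, since it measures statistical redundancy of the bytes and not what an attacker who knows the machine can predict, and the sample generator is synthetic.

```python
import gzip
import hashlib
import math
import random
from collections import Counter


def shannon_bits_per_byte(data: bytes) -> float:
    """Empirical Shannon entropy of the byte distribution, in bits per byte.

    Upper bound on unpredictability: it measures how redundant the symbol
    stream is, not how hard the content is for an attacker to guess.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def make_sample_system_dump(seed: int = 1, lines: int = 600) -> bytes:
    """Constructed stand-in for the dmesg/kenv/ps/sysctl/date output.

    Mostly fixed text with a few varying counters, which is the shape of
    real system output. Deterministic for a given seed; not real data.
    """
    rng = random.Random(seed)
    out = []
    for i in range(lines):
        out.append(
            f"kern.cp_times: {rng.randrange(10**6)} {rng.randrange(10**4)} 0 "
            f"{rng.randrange(10**3)} {rng.randrange(10**7)}\n"
            f"dev.cpu.{i % 4}.temperature: {rng.randrange(30, 70)}.0C\n"
            f"pid {rng.randrange(1, 99999)} majflt={rng.randrange(50)} "
            f"minflt={rng.randrange(5000)} re=127 sl=0\n"
        )
    return "".join(out).encode()


def condition_sha256_hex(dump: bytes) -> bytes:
    """What `/sbin/sha256 -q` writes on stdout: 64 hex chars plus newline."""
    return (hashlib.sha256(dump).hexdigest() + "\n").encode()


def condition_sha256_raw(dump: bytes) -> bytes:
    """The same 256 bits, but as the 32 raw digest bytes."""
    return hashlib.sha256(dump).digest()


def condition_gzip_truncated(dump: bytes, limit: int = 4096) -> bytes:
    """gzip the dump and keep the first `limit` bytes, the alternative
    floated in the thread for fitting the input into a ~4k write."""
    return gzip.compress(dump, compresslevel=9, mtime=0)[:limit]


def compare_conditioners(dump: bytes) -> dict:
    """(bytes written, bits of entropy per byte) for each stage."""
    stages = {
        "plain_first_4k": dump[:4096],
        "gzip_first_4k": condition_gzip_truncated(dump),
        "sha256_hex": condition_sha256_hex(dump),
        "sha256_raw": condition_sha256_raw(dump),
    }
    return {k: (len(v), round(shannon_bits_per_byte(v), 2)) for k, v in stages.items()}


if __name__ == "__main__":
    dump = make_sample_system_dump()
    print(f"collected {len(dump)} bytes of system output")
    for name, (size, bits) in compare_conditioners(dump).items():
        print(f"{name:15s} {size:5d} bytes  {bits:.2f} bits/byte")
```

The hex stage can never exceed about 4 bits per byte because its alphabet is sixteen digits plus a newline, so the 256 bits are spread across 65 bytes; the raw digest delivers the same information in 32. The truncated gzip stream sits close to 8 bits per byte, which is the "higher entropy density" point above, with the caveat that deflate output is dense in the statistical sense whether or not its input was unpredictable.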