From owner-freebsd-security  Thu Feb  4 00:30:22 1999
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id AAA07410
          for freebsd-security-outgoing; Thu, 4 Feb 1999 00:30:22 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.149.24])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA07402
          for <security@FreeBSD.ORG>; Thu, 4 Feb 1999 00:30:20 -0800 (PST)
          (envelope-from avalon@cheops.anu.edu.au)
Received: (from avalon@localhost)
	by cheops.anu.edu.au (8.9.1/8.9.1) id TAA13906;
	Thu, 4 Feb 1999 19:30:04 +1100 (EDT)
From: Darren Reed <avalon@coombs.anu.edu.au>
Message-Id: <199902040830.TAA13906@cheops.anu.edu.au>
Subject: Re: tcpdump
To: gryphon@healer.com (Coranth Gryphon)
Date: Thu, 4 Feb 1999 19:30:03 +1100 (EDT)
Cc: security@FreeBSD.ORG
In-Reply-To: <36B8EB27.689D17BF@healer.com> from "Coranth Gryphon" at Feb 3, 99 04:34:47 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Coranth Gryphon, sie said:
[...]
> If you want to think about it another way, consider it one step
> towards shipping a "Hardening Kit" for FreeBSD.

How much more rubbish do we have to read about bpf impacting the
security of a system ?

If someone can get root then it is "game over" if you are serious
about security and haven't taken reasonable precautions (i.e. using
tripwire across everything except user files, along with securelevel
and file flags for everything but user files).  BPF [not] being
present will not matter.

I think the decision has been made, anyway, to include BPF, which
is a good thing.

If you want to include multiple kernels for distribution, then include
useful variations (i.e. different drivers enabled, etc).

If you're _that_ desperate to distribute a `secure' kernel, create a
config file and add it to the conf directory.  Oh, and don't forget
to include digital signatures of all distributed files on CD!  That's
what's really missing - oh, and a similar mechanism added to the pkg
system to (you can get it now with RPM's).

Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message