From owner-freebsd-security Wed Feb 14 1:23:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82])
	by hub.freebsd.org (Postfix) with ESMTP id 11EC837B503
	for ; Wed, 14 Feb 2001 01:23:16 -0800 (PST)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168])
	by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19);
	Wed, 14 Feb 2001 01:20:19 -0800
Received: (from cjc@localhost)
	by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f1E9M6l59068;
	Wed, 14 Feb 2001 01:22:06 -0800 (PST)
	(envelope-from cjc)
Date: Wed, 14 Feb 2001 01:22:06 -0800
From: "Crist J. Clark"
To: dmp@pantherdragon.org
Cc: Dag-Erling Smorgrav, Adam Laurie, security@FreeBSD.ORG
Subject: Re: syslogd -ss not part of extreme security option?
Message-ID: <20010214012206.P62368@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <3A88EB70.CC8CB78E@pantherdragon.org> <3A89707C.A539BA9C@algroup.co.uk> <3A8A0BDA.21504E26@pantherdragon.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3A8A0BDA.21504E26@pantherdragon.org>; from dmp@pantherdragon.org on Tue, Feb 13, 2001 at 08:38:50PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Feb 13, 2001 at 08:38:50PM -0800, dmp@pantherdragon.org wrote:
> Dag-Erling Smorgrav wrote:
> > Adam Laurie writes:
> > > eh? no security bug is "known" until it's found & exploited. just
> > > because it hasn't been found doesn't mean it doesn't exist. switching
> > > off a network listener for syslog when you are not doing network logging
> > > is much more than a warm fuzzy feeling, it's closing a potential
> > > security hole. i do it on standard installs, let alone "extreme
> > > security".
> >
> > It's not a listener. If you specify -s, the socket is half-closed so
> > you can use it to send log messages to other hosts, but can't receive.
> > If you specify -ss, the socket isn't opened at all so you can neither
> > send nor receive.
>
> Why not add it, though? Anyone who's going to do remote syslogging
> will know to set the appropriate option.

No they won't. Do you promise to answer all of the people who come to
-questions asking why they can't log to another machine? "I could
always do it before!" You can take over answering all the people asking
why they can't install a new kernel (whose idea was it to have people
set securelevel(8) in sysinstall(8), oops I remember...).

> For everyone else, it's just
> one more thing that doesn't need to be enabled by default.

The only purpose the second '-s' serves is to make the line from
syslogd(8) disappear from netstat(8) output. It has no real security
use.
-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
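An added example, not part of this message or of FreeBSD's own code: a small POSIX shell check that reads syslogd_flags from an rc.conf-style file and classifies the network exposure the thread describes (no -s: UDP socket open and receiving; one -s: socket bound but half-closed, send-only, still visible in netstat(8); two -s: no network socket at all), plus an optional live look at what a running syslogd actually holds. Assumptions made here: syslogd_flags is double-quoted or unquoted, option arguments are separate tokens (so a bind address or path never gets mistaken for a flag cluster), syslogd counts -s occurrences so "-s -s" is the same as "-ss", and sockstat(1) or netstat(8) is present for the live check.

```shell
#!/bin/sh
# Added example (not from the original thread or from FreeBSD): classify
# syslogd(8) network exposure from an rc.conf-style file, mirroring the
# -s / -ss semantics discussed above.
#
# syslogd_net_mode FILE  ->  prints one of: listen, send-only, none
#   listen     no -s: UDP 514 socket open, accepts datagrams from the network
#   send-only  one -s: socket bound but half-closed; can forward, cannot receive
#   none       two -s: no network socket is opened at all
syslogd_net_mode() {
    file=$1
    # Last assignment wins, as it would when sh sources rc.conf.
    # Handles  syslogd_flags="-ss"  # comment   and   syslogd_flags=-ss
    # (single-quoted values are an assumption not covered here).
    flags=$(sed -n \
        -e 's/^[[:space:]]*syslogd_flags="\([^"]*\)".*/\1/p' \
        -e 's/^[[:space:]]*syslogd_flags=\([^[:space:]#"]*\).*/\1/p' \
        "$file" | tail -n 1)
    count=0
    for tok in $flags; do
        case $tok in
            -[A-Za-z]*)
                # Option cluster such as -s, -ss or -4s: count lowercase 's'.
                n=$(printf '%s' "$tok" | tr -cd 's' | wc -c)
                count=$((count + n))
                ;;
            *)
                # Bare token: an option argument (bind address, path, ...); skip.
                ;;
        esac
    done
    case $count in
        0) echo listen ;;
        1) echo send-only ;;
        *) echo none ;;
    esac
}

# Informational live check: which network sockets does the running syslogd
# hold? Prefers FreeBSD sockstat(1) (COMMAND is column 2); falls back to
# netstat(8) and greps for port 514 in either "*.514" or ":514" notation.
syslogd_live_sockets() {
    if command -v sockstat >/dev/null 2>&1; then
        sockstat -4 -6 -l | awk '$2 == "syslogd"'
    elif command -v netstat >/dev/null 2>&1; then
        netstat -an 2>/dev/null | grep -E '[.:]514[[:space:]]' || true
    fi
}

# Usage:
#   syslogd_net_mode /etc/rc.conf
#   syslogd_live_sockets
```

Use the file-based function in a hardening audit (it needs no privileges and works on an offline image); the live function is only there to compare what the configuration says with what is actually bound on a running host.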