Date: Fri, 15 Sep 2000 18:12:07 -0700
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: Steve Kargl <sgk@troutmask.apl.washington.edu>
Cc: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, Daniel Eischen <eischen@vigrid.com>, Will Andrews <will@physics.purdue.edu>, arch@FreeBSD.ORG
Subject: Re: Rsh/Rlogin/Rcmd & friends
Message-ID: <200009160113.e8G1D0627243@cwsys.cwsent.com>
In-Reply-To: Your message of "Fri, 15 Sep 2000 17:06:57 PDT." <200009160006.RAA77706@troutmask.apl.washington.edu>

In message <200009160006.RAA77706@troutmask.apl.washington.edu>, Steve Kargl writes:
> Cy Schubert - ITSD Open Systems Group wrote:
> >
> > So what! That's the price of security. I believe that the
> > telnet/ftp/"r" commands shouldn't even be ports. We need to make it
> > difficult to install unsafe software on the system. That way the admin
> > would have to go to all the trouble to find the source for unsafe
> > software somewhere on the Net, port it, and install it. Then it's not
> > FreeBSD's fault if that admin's system is compromised.
> >
>
> This is a somewhat myopic view of the world. If I didn't
> read your sig, I would have thought you worked with only
> FreeBSD boxes.

Being that I am consulted on UNIX security issues across the BC
Government, I advise what an auditor would tell me. My advice is
normally conservative from a security auditor's point of view, e.g.
disable or remove all services and use or install only what you will
use. This advice normally reduces any chance of culpability should
something unfortunate happen.

Looks like I've been working for government too long. :)

> [deleted]
>
> FreeBSD provides the bullets. It's up to the admin to shoot
> his foot or not.

Something I've been thinking over for a while is to create a script
that would either disable (and re-enable) services or applications via
config files and permissions or optionally just delete (no turning
back) services and applications -- the admin would choose which mode it
would run. Something like this could be distributed in /etc or as a
port and could be run by an admin just after install.

Would there be any interest in this or would it be a waste of my time?

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message
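
The reversible "disable" mode of the script proposed in the message above, shown for inetd-launched services as an added example (not Cy Schubert's code or anything from the FreeBSD project). The marker string, the function names and the sample file are assumptions; the delete and file-permission modes are not covered.

```shell
#!/bin/sh
# Added example, not from the original message: reversible "disable" mode
# for services in an inetd.conf-format file. MARK and all function names
# are hypothetical. In /etc/services, rsh is "shell", rlogin is "login"
# and rexec is "exec".
MARK='#off-by-lockdown# '

# _toggle MODE FILE SERVICE...   (MODE is "off" or "on")
_toggle() {
    mode=$1 file=$2; shift 2
    tmp=$(mktemp) || return 1
    awk -v mode="$mode" -v mark="$MARK" -v list="$*" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        # off: an active line whose first field is a listed service gets the marker
        mode == "off" && ($1 in want) { print mark $0; next }
        # on: only lines carrying our marker are restored, so entries that
        # were already commented out by someone else stay disabled
        mode == "on" && index($0, mark) == 1 {
            rest = substr($0, length(mark) + 1)
            split(rest, f, " ")
            if (f[1] in want) { print rest; next }
        }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

disable_services() { _toggle off "$@"; }
enable_services()  { _toggle on  "$@"; }

# Print the active (uncommented) service names, sorted, on one line.
active_services() {
    awk 'NF && $1 !~ /^#/ { print $1 }' "$1" | sort -u | xargs
}

# Constructed sample input in inetd.conf format.
write_sample() {
    cat > "$1" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
#exec   stream  tcp     nowait  root    /usr/libexec/rexecd     rexecd
ssh     stream  tcp     nowait  root    /usr/sbin/sshd          sshd -i
EOF
}
```

inetd re-reads its configuration on SIGHUP, so a real run would signal it after editing the file.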
