From owner-freebsd-arch Fri Sep 15 18:14:45 2000 Delivered-To: freebsd-arch@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 45D3037B42C for ; Fri, 15 Sep 2000 18:14:42 -0700 (PDT) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id SAA08958; Fri, 15 Sep 2000 18:13:36 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda08956; Fri Sep 15 18:13:15 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id SAA62793; Fri, 15 Sep 2000 18:13:12 -0700 (PDT) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdY62787; Fri Sep 15 18:13:00 2000 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.0/8.9.1) id e8G1D0627243; Fri, 15 Sep 2000 18:13:00 -0700 (PDT) Message-Id: <200009160113.e8G1D0627243@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdK27232; Fri Sep 15 18:12:08 2000 X-Mailer: exmh version 2.1.1 10/15/1999 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 4.1-RELEASE X-Sender: cy To: Steve Kargl Cc: Cy Schubert - ITSD Open Systems Group , Daniel Eischen , Will Andrews , arch@FreeBSD.ORG Subject: Re: Rsh/Rlogin/Rcmd & friends In-reply-to: Your message of "Fri, 15 Sep 2000 17:06:57 PDT." <200009160006.RAA77706@troutmask.apl.washington.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 15 Sep 2000 18:12:07 -0700 Sender: owner-freebsd-arch@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG In message <200009160006.RAA77706@troutmask.apl.washington.edu>, Steve Kargl wr ites: > Cy Schubert - ITSD Open Systems Group wrote: > > > > So what! That's the price of security. I believe that the > > telnet/ftp/"r" commands shouldn't even be ports. We need to make it > > difficult to install unsafe software on the system. That way the admin > > would have to go to all the trouble to find the source for unsafe > > software somewhere on the Net, port it, and install it. Then it's not > > FreeBSD's fault if that admin's system is compromised. > > > > This is a somewhat myoptic view of the world. If I didn't > read your sig, I would have thought you worked with only > FreeBSD boxes. Being that I am consulted UNIX security issues across the BC Government, I advise what an auditor would tell me. My advice is normally conservative from a security auditor's point of view, e.g. disable or remove all services and use or install only what you will use. This advice normally reduces any chance of culpability should something unfortunate happen. Looks like I've been working for government too long. :) > [deleted] > > FreeBSD provides the bullets. It up to the admin to shoot > his foot or not. Something I've been thinking about over for a while is to create a script that would either disable (and re-enable) services or applications via config files and permissions or optionally just delete (no turning back) services and applications -- the admin would choose which mode it would run. Something like this could be distributed in /etc or as a port and could be run by an admin just after install. Would there be any interest in this or would it be a waste of my time? Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/DEC Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message