From owner-freebsd-security  Wed Feb 14 23:21:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82])
	by hub.freebsd.org (Postfix) with ESMTP id ED61F37B401
	for <freebsd-security@freebsd.org>; Wed, 14 Feb 2001 23:21:49 -0800 (PST)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net  with Microsoft SMTPSVC(5.5.1877.197.19);
	 Wed, 14 Feb 2001 23:19:54 -0800
Received: (from cjc@localhost)
	by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f1F7LXU66520;
	Wed, 14 Feb 2001 23:21:33 -0800 (PST)
	(envelope-from cjc)
Date: Wed, 14 Feb 2001 23:21:28 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: Michael Lea <mlea@atomicbluebear.org>
Cc: Kris Kennaway <kris@obsecurity.org>,
	Rob Simmons <rsimmons@wlcg.com>,
	Ragnar Beer <rbeer@uni-goettingen.de>, freebsd-security@FreeBSD.ORG
Subject: Re: security settings documentation
Message-ID: <20010214232128.S62368@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <p04330102b6b0697c0f5b@[134.76.136.114]> <Pine.BSF.4.21.0102141209460.15577-100000@mail.wlcg.com> <20010214092909.B72301@mollari.cthul.hu> <20010214122432.A76375@core.atomicbluebear.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010214122432.A76375@core.atomicbluebear.org>; from mlea@atomicbluebear.org on Wed, Feb 14, 2001 at 12:24:33PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Feb 14, 2001 at 12:24:33PM -0600, Michael Lea wrote:
> On Wed, 14 Feb 2001, Kris Kennaway wrote:
> 
> > Then write up some documentation for us and send it to doc@freebsd.org
> 
> Somewhat terse, but here's a little "feature" matrix:
> 
>                Fascist        High           Moderate       Low
> inetd          NO             NO             YES            YES
> sendmail       NO             YES            YES            YES
> sshd           NO             YES            YES            YES
> portmap        NO             NO             *              YES
> nfs_server     NO             NO             **             ***
> securelevel    YES (2)        YES (1)        NO             NO
  ^^^^^^^^^^^    ^^^            ^^^
Noooooooooooooooo!

Setting securelevel is silly. We're just going to get a _lot_ of
people wondering why they can't install a new kernel, load kernel
modules, set ipfw rules sending messages to -questions, etc. But
their boxes really aren't that much more secure. Without setting quite
a few files schg, it does not really add much security.

Effectively implementing securelevel(8) is non-trivial. Anyone who can
do it is more than capable of figuring out how to turn it on.

As for the other stuff, kewl.
-- 
Crist J. Clark                           cjclark@alum.mit.edu


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message