From owner-freebsd-security Wed Jul 30 06:52:50 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id GAA01716 for security-outgoing; Wed, 30 Jul 1997 06:52:50 -0700 (PDT)
Received: from shift-f1.com (shift-f1.com [205.160.29.37]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA01705 for ; Wed, 30 Jul 1997 06:52:46 -0700 (PDT)
Received: (from shashi@localhost) by shift-f1.com (8.8.5/8.8.5) id JAA25877; Wed, 30 Jul 1997 09:50:56 -0500 (EST)
From: Shashi Joshi
Message-Id: <199707301450.JAA25877@shift-f1.com>
Subject: So, lets have a checklist compiled (was Re: Security hole)
In-Reply-To: from Marco Molteni at "Jul 30, 97 02:04:33 pm"
To: molter@logic.it (Marco Molteni)
Date: Wed, 30 Jul 1997 09:50:56 -0500 (EST)
Cc: vince@mail.MCESTATE.COM, security@FreeBSD.ORG, mario1@PrimeNet.Com
X-Mailer: ELM [version 2.4ME+ PL31 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

As Marco Molteni said ->
> There's a thing really I can't understand in all this thread.
> Nobody said:
> "Vince, we're sorry about what happened to you. Probably you did something
> stupid, but _everybody_ has to learn his lesson the hard way.
> Here you are a checklist of books, programs and ideas to follow to
> improve the security of your site."
>
> No, everybody started to flame at him! Why? Because he chose as his
> subject line: "security hole in FreeBSD" instead of "I'm a sucker
> please you security wizards help me" ?
>
> Do you think one can be a newcomer as an administrator, but _has_ to know
> everything about security before he starts to work? Come on!

Exactly my thoughts.
So, do we get a checklist or reference list from the gurus?

I am also a bit new to the sys admin duties. I have taken the time to
read the FreeBSD book that came with the CD (which doesn't help much in
the security area), read a UNIX sysadmin book (Nemeth, Snyder etc., the
Red Book) but it too has its limitations. We don't have external user
logins, so the risks are much less, but I would always like to learn
because soon we will be "out there".

Another netter mentioned that FreeBSD should ship with some
documentation, scripts that tell us (about the system files and
directories) what are the files associated with "feature" A or
"service" B (e.g. uucp), which files need to be setuid for what
functionality.

Here is an example. (I know you gurus will laugh, but it was my 3rd day
only.) Realizing that sbin dirs are for sysadmin related files, I made
the */sbin as -r-xr-x--- and group being wheel or bin as appropriate.
Now, after a few weeks!! I realised that I am not able to send out any
mail. I had been receiving mail like anything, my elm session also
didn't complain when I sent out email. Finally I checked the logs and
found nothing, not a trace of a mail sent out. So I checked to see
`which sendmail` and it was /usr/sbin/sendmail. So I had to give r-x
permissions to it to the world. Now why would sendmail be in sbin when
it is not purely a sysadmin tool only?

My point?
Having a document or a checklist would be real helpful to newbies and
can serve as a quick reference for the gurus.

regards,
--
Shashi Joshi
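
The failure described in the message above (setting */sbin to -r-xr-x--- and silently losing outbound mail) can be caught with a dry run before any chmod. The script below is an added example, not part of the original post or of FreeBSD; the function names and the KEEP-WORLD-EXEC/REVIEW labels are made up for illustration, and it assumes a POSIX sh and find.

```sh
#!/bin/sh
# Added example: dry-run audit before tightening a directory of binaries
# to mode 0550 (r-xr-x---). It changes nothing; it only reports which
# files ordinary users can run today and would lose under 0550.

# Files with the setuid or setgid bit: they exist to be invoked by
# unprivileged users with extra privilege, so removing "other" execute
# breaks exactly that use.
list_setid() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Files currently executable by "other".
list_world_exec() {
    find "$@" -type f -perm -0001 -print 2>/dev/null | sort
}

# One line per world-executable file:
#   KEEP-WORLD-EXEC  setuid/setgid, meant to be run by ordinary users
#   REVIEW           world-executable without a setid bit; decide per file
audit_sbin() {
    list_world_exec "$@" | while IFS= read -r f; do
        if [ -u "$f" ] || [ -g "$f" ]; then
            printf 'KEEP-WORLD-EXEC %s\n' "$f"
        else
            printf 'REVIEW %s\n' "$f"
        fi
    done
}

# Usage: sh audit.sh /sbin /usr/sbin
if [ "$#" -gt 0 ]; then
    audit_sbin "$@"
fi
```

Every path the audit prints is one whose behaviour for non-root users changes under 0550, so each needs a decision before the mode is applied to the whole directory.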