From owner-freebsd-security@FreeBSD.ORG Wed Feb 11 07:24:14 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3F49016A4CE for ; Wed, 11 Feb 2004 07:24:14 -0800 (PST) Received: from redix.it (host49-169.pool8172.interbusiness.it [81.72.169.49]) by mx1.FreeBSD.org (Postfix) with SMTP id E2FEA43D1D for ; Wed, 11 Feb 2004 07:24:07 -0800 (PST) (envelope-from roberto@redix.it) Received: (qmail 26169 invoked by uid 72); 11 Feb 2004 15:24:02 -0000 Received: from 192.168.0.77 (SquirrelMail authenticated user roberto) by mail.redix.it with HTTP; Wed, 11 Feb 2004 16:24:02 +0100 (CET) Message-ID: <1295.192.168.0.77.1076513042.squirrel@mail.redix.it> In-Reply-To: <2CAA7A5D-5C9A-11D8-ADF8-0030654D97EC@patpro.net> References: <1171.192.168.0.77.1076505166.squirrel@mail.redix.it><79D6F861-5C96-11D8-A225-000A95DA58FE@jimz.net> <2CAA7A5D-5C9A-11D8-ADF8-0030654D97EC@patpro.net> Date: Wed, 11 Feb 2004 16:24:02 +0100 (CET) From: roberto@redix.it To: freebsd-security@freebsd.org User-Agent: SquirrelMail/1.4.2 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 Importance: Normal Subject: Re: Question about securelevel X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Feb 2004 15:24:14 -0000 > On 11 févr. 2004, at 14:30, Jim Zajkowski wrote: > >>> Could this configuration be considered secure, according to you? >> >> There's no way to determine that without some consideration of the >> threats you are facing. Security considerations against simple >> attacks (e.g., kiddies) are a lot different than considerations >> against industrial espionage, against discovery by the secret police, >> and against very smart government spies. >> >> What are you protecting? From whom? At what cost? > > > the cost is, to me, the more relevant point because every aspects of a > security policy has a cost or can be seen as a cost. > Security is : > time that you spend to setup = cost > time that you spend for maintenance = cost > increased complexity on the workflow (user teaching, admin training, > more delay) = cost > less time for disaster recovery = negative cost > protecting valuable data/info = negative cost > > When you sum all this, you should get a negative total cost, if not > then your security policy is probably overkill. > > I guess if I would want a perfect secure system I would start with a > bootable CD as main filesystem, with, why not, union filesystems at > some mount point for more flexibility. > > > patpro > -- > je cherche un poste d'admin-sys Mac/UNIX > (ou une jeune et jolie femme riche) > http://patpro.net/cv.php > Yes I agree with you: a secure system should be read-only fs, but to overcome the drawbacks of a CDROM, I can use a standard hardisk with a read-only file system while securelevel==3. The writable file system should be available in single user mode only on console. Regards Roberto _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"