Date: Sun, 31 Aug 1997 17:18:08 -0400 (EDT)
From: Brian Mitchell <brian@firehouse.net>
To: cschuber@uumail.gov.bc.ca
Cc: Andrew Brown <codewarrior@daemon.org>, BUGTRAQ@netspace.org, freebsd-security@FreeBSD.ORG
Subject: Re: DDB/securelevel
Message-ID: <Pine.BSI.3.95.970831171632.12537A-100000@shell.firehouse.net>
In-Reply-To: <199708311847.LAA03326@cwsys.cwent.com>

On Sun, 31 Aug 1997, Cy Schubert wrote:

> There's a lot to be said about physical security. If one has a sensitive
> application, physically secure the machine.
>
> Secondly, DDB should not be compiled into the kernel of a production
> machine unless you are trying to resolve a software or hardware problem.
> Once a problem is resolved, remove the option from the kernel config, not
> only for security reason but to generally improve performance. I, for
> example don't include the KTRACE or bpfilter options for a production
> machine unless I am trying to solve a problem. Most security publications
> and auditors agree that removing bpfilter can improve network security.
> Removing these options on a production machine can also improve performance
> because the kernel is not executing rarely used code

What _possible_ improvement in security does removing ktrace offer? There
is absolutely none, that I can determine. (Note: Most of what ktrace does
can be done via shared libraries).