Date:      Sun, 31 Aug 1997 17:18:08 -0400 (EDT)
From:      Brian Mitchell <brian@firehouse.net>
To:        cschuber@uumail.gov.bc.ca
Cc:        Andrew Brown <codewarrior@daemon.org>, BUGTRAQ@netspace.org, freebsd-security@FreeBSD.ORG
Subject:   Re: DDB/securelevel 
Message-ID:  <Pine.BSI.3.95.970831171632.12537A-100000@shell.firehouse.net>
In-Reply-To: <199708311847.LAA03326@cwsys.cwent.com>

On Sun, 31 Aug 1997, Cy Schubert wrote:

> There's a lot to be said about physical security.  If one has a sensitive
> application, physically secure the machine.
> 
> Secondly, DDB should not be compiled into the kernel of a production
> machine unless you are trying to resolve a software or hardware problem.
> Once a problem is resolved, remove the option from the kernel config, not
> only for security reasons but to generally improve performance.  I, for
> example, don't include the KTRACE or bpfilter options for a production
> machine unless I am trying to solve a problem.  Most security publications
> and auditors agree that removing bpfilter can improve network security. 
> Removing these options on a production machine can also improve performance
> because the kernel is not executing rarely used code.

What _possible_ improvement in security does removing ktrace offer? There
is absolutely none, that I can determine. (Note: Most of what ktrace does
can be done via shared libraries).





