Date:      Sat, 24 Oct 2015 10:33:47 +0200
From:      Polytropon <freebsd@edvax.de>
To:        "O. Hartmann" <ohartman@zedat.fu-berlin.de>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: replace uname -a informational string
Message-ID:  <20151024103347.393e3bea.freebsd@edvax.de>
In-Reply-To: <20151024102220.72af9738.ohartman@zedat.fu-berlin.de>
References:  <20151023090805.5484ce9b@freyja.zeit4.iv.bundesimmobilien.de> <1445622325.1169.29.camel@michaeleichorn.com> <20151023225424.49220466.ohartman@zedat.fu-berlin.de> <20151024080936.0ff26783@X220.alogt.com> <1445658972.13154.44.camel@michaeleichorn.com> <20151024130848.0a7e946f@X220.alogt.com> <562b3cd3.1J6RucNX8xldmcgb%perryh@pluto.rain.com> <20151024102220.72af9738.ohartman@zedat.fu-berlin.de>

On Sat, 24 Oct 2015 10:22:20 +0200, O. Hartmann wrote:
> I do not want to hide the copyright notes. I simply want to hide the machine on which the
> kernel and world have been built, since this machine is in most security appliances not the
> machine the binaries are running on!

This is possible by several means. If you want to hide
"root@whatever.example.com:/usr/obj/usr/src/sys/THENAME"
from the "uname -a" output (I think this is what you're
looking for), you can do the following:

1. Use a different account for building, not "root".

2. Temporarily (or separately!) set a different host
   name.

3. Do not use a "descriptive name" for the kernel
   configuration file.

4. Adjust the system's clock to report a wrong date,
   and make sure no background process will set the
   clock correctly (e. g. NTP).



> So I guess this is definitely something worth hiding,
> since "uname(8)" reveals information someone wants to hide.

This information, as it has been explained, is stored
with the resulting kernel itself and can be queried by
more than one mechanism. That's why hiding it during the
build process will fit your needs better than anything
possible "afterwards" (i. e., when the resulting system
is already running).



> Second, it is, for the impact of script kiddies, somehow of use to hide the OS'
> revision/version.

Hiding _this_ information is a bit more complicated than
what I've mentioned above. The build process sets variables
in many places, or obtains the relevant data from file
contents.



> And by the way, in some areas within the structure of companies or government hiding such
> information is a feature that is explicitly or part of a catalogue of aspects to meet.

That's true. It does not prevent OS or version specific attacks
(because OS version x.y still is OS version x.y, even if it
doesn't say so), but when it's a requirement, it is a requirement.
Inside companies or government, there is no discussion about
requirements. :-)



-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
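
A check to run after a build done along the four steps above, as an added example that is not part of the original message: a POSIX sh script that splits a kernel version string, as `uname -v` prints it, into date, user, host, object directory and kernel configuration name, and flags each field that differs from the neutral value the build was meant to use. The release, dates and the neutral values `build`, `builder` and `KERNEL` are constructed assumptions; only the `root@whatever.example.com:...` identity is taken from the message.

```shell
#!/bin/sh
# Added example: audit a FreeBSD kernel version string for build details.
# On a live system the string would come from `uname -v` or
# `sysctl -n kern.version`; here constructed samples are used.

# Constructed sample using the identity string quoted in the message.
SAMPLE_LEAKY='FreeBSD 10.2-RELEASE #0: Sat Oct 24 10:00:00 CEST 2015     root@whatever.example.com:/usr/obj/usr/src/sys/THENAME'
# Constructed sample of a build done with neutral (hypothetical) values.
SAMPLE_NEUTRAL='FreeBSD 10.2-RELEASE #0: Thu Jan  1 00:00:00 UTC 2015     build@builder:/usr/obj/usr/src/sys/KERNEL'

# Split a version string into build fields, one "key=value" per line.
# Returns 1 when no user@host:/path token is present.
parse_kern_version() {
    set -f; set -- $1; set +f      # collapse runs of spaces and newlines
    norm="$*"
    ident=${norm##* }              # last token: user@host:/objdir/KERNCONF
    case $ident in
        *@*:/*) ;;
        *) return 1 ;;
    esac
    pre=${norm% *}
    rest=${ident#*@}
    path=${rest#*:}
    echo "date=${pre#*: }"
    echo "user=${ident%%@*}"
    echo "host=${rest%%:*}"
    echo "objdir=${path%/*}"
    echo "kernconf=${path##*/}"
}

# Compare the parsed identity with the neutral values the build should
# have used. Prints one LEAK line per deviation; status 0 means clean.
check_build_identity() {           # args: version-string user host kernconf
    fields=$(parse_kern_version "$1") || return 0   # nothing embedded
    rc=0
    for want in "user=$2" "host=$3" "kernconf=$4"; do
        key=${want%%=*}
        got=$(printf '%s\n' "$fields" | sed -n "s/^$key=//p")
        [ "$got" = "${want#*=}" ] || { echo "LEAK $key=$got"; rc=1; }
    done
    return $rc
}

check_build_identity "$SAMPLE_LEAKY" build builder KERNEL ||
    echo "version string exposes the build environment"
```

The date field is parsed but not compared, since a deliberately wrong clock (step 4) has no single expected value; inspect it from `parse_kern_version` if the build date matters to you.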


