From owner-freebsd-questions@freebsd.org Sat Oct 24 08:40:11 2015 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 549E5A1DED8 for ; Sat, 24 Oct 2015 08:40:11 +0000 (UTC) (envelope-from freebsd@edvax.de) Received: from mx01.qsc.de (mx01.qsc.de [213.148.129.14]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0DB18196 for ; Sat, 24 Oct 2015 08:40:10 +0000 (UTC) (envelope-from freebsd@edvax.de) Received: from r56.edvax.de (port-92-195-13-119.dynamic.qsc.de [92.195.13.119]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx01.qsc.de (Postfix) with ESMTPS id 1F9D03CE16; Sat, 24 Oct 2015 10:33:47 +0200 (CEST) Received: from r56.edvax.de (localhost [127.0.0.1]) by r56.edvax.de (8.14.5/8.14.5) with SMTP id t9O8Xlpt002636; Sat, 24 Oct 2015 10:33:47 +0200 (CEST) (envelope-from freebsd@edvax.de) Date: Sat, 24 Oct 2015 10:33:47 +0200 From: Polytropon To: "O. Hartmann" Cc: freebsd-questions@freebsd.org Subject: Re: replace uname -a informational string Message-Id: <20151024103347.393e3bea.freebsd@edvax.de> In-Reply-To: <20151024102220.72af9738.ohartman@zedat.fu-berlin.de> References: <20151023090805.5484ce9b@freyja.zeit4.iv.bundesimmobilien.de> <1445622325.1169.29.camel@michaeleichorn.com> <20151023225424.49220466.ohartman@zedat.fu-berlin.de> <20151024080936.0ff26783@X220.alogt.com> <1445658972.13154.44.camel@michaeleichorn.com> <20151024130848.0a7e946f@X220.alogt.com> <562b3cd3.1J6RucNX8xldmcgb%perryh@pluto.rain.com> <20151024102220.72af9738.ohartman@zedat.fu-berlin.de> Reply-To: Polytropon Organization: EDVAX X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; i386-portbld-freebsd8.2) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 24 Oct 2015 08:40:11 -0000 On Sat, 24 Oct 2015 10:22:20 +0200, O. Hartmann wrote: > I do not want to hide the copyright notes. I simply want to hide the machine on which the > kernel and world has been built since this machine is in most security appliances not the > machine the binaries are running on! This is possible by several means. If you want to hide "root@whatever.example.com:/usr/obj/usr/src/sys/THENAME" from the "uname -a" output (I think this is what you're looking for), you can do the following: 1. Use a different account for building, not "root". 2. Temporarily (or separatedly!) set a different host name. 3. Do not use a "descriptive name" for the kernel configuration file. 4. Adjust the system's clock to report a wrong date, and make sure no background process will set the clock correctly (e. g. NTP). > So I guess this is definitely something worth to > hide, since "uname(8)" reveals informations someone wants to hide. This information, as it has been explained, is stored with the resulting kernel itself and can be queried by more than one mechanism. That's why hiding it during the build process will fit your needs better than anything possible "afterwards" (i. e., when the resulting system is already running). > Second, it is, for the impact of skript kiddies, somehow of use to hide the OS' > revision/version. Hiding _this_ information is a bit more complicated than what I've mentioned above. The build process sets variables in many places, or obtains the relevant data from file contents. > And by the way, in some areas within the structure of companies or government hiding such > informations is a feature that is explicitely or part of a catalogue of aspects to meet. That's true. It does not prevent OS or version specific attacs (because OS version x.y still is OS version x.y, even if it doesn't say so), but when it's a requirement, it is a requirement. Inside companies or government, there is no discussion about requirements. :-) -- Polytropon Magdeburg, Germany Happy FreeBSD user since 4.0 Andra moi ennepe, Mousa, ...