From: Matthew Seaman
To: freebsd-questions@freebsd.org
Subject: Re: Install-time "hardening" options
Date: Fri, 13 Oct 2017 07:53:27 +0100
In-Reply-To: <5273.1507843937@segfault.tristatelogic.com>

On 12/10/2017 22:32, Ronald F. Guilmette wrote:
>
> In message <21945e9b-6573-5f8d-9b6d-26bbb8bfd748@sentex.net>,
> Mike Tancsa wrote:
>
>>> (*) Disable opening Syslogd network socket (disables remote logging)
>>
>> Is not the default -s and this option makes it -ss. "disable remote
>> logging" as in the host you are configuring cannot send out messages to
>> other syslogd servers.
>
> Was that a question or a statement?
>
> If you are asserting that indeed, yes, star'ing this specific "hardening"
> option just causes the local machine to -not- send -outbound- syslog
> messages, then certainly, that is indeed a horse of a different color
> from what I was talking about, which was -accepting- -inbound- syslog
> messages/packets.
>
> At the very least, the wording on this option should be clarified to
> make it apparent if the thing being disabled in this case is inbound
> syslog messages or outbound ones.

syslogd -ss disables any sort of syslog transmission over the network,
in either direction. All you can do is write to local files or (the
little used facility to) pipe syslog into an application.

Cheers,

Matthew
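
The three cases discussed in this thread (no -s, -s, -ss), as an added example that is not part of the original message: a shell function that classifies a syslogd flag string such as the syslogd_flags value in rc.conf. It assumes the syslogd(8) behaviour that one -s stops logging of messages from remote machines and a second -s opens no network socket at all; the function name, the mode labels and the list of argument-taking options are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# Classify a syslogd flag string by the number of -s options it carries.
# Assumption: the letters followed by ':' below take an argument, so an "s"
# inside such an argument (for example a pid file path) is not counted.
# Any other letter is treated as a plain flag and ignored.

syslogd_net_mode() (
    # Runs in a subshell so set -f and OPTIND do not leak to the caller.
    set -f            # no glob expansion while splitting the flag string
    set -- $1         # split the flag string into positional parameters
    OPTIND=1
    count=0
    while getopts ":a:b:f:l:m:O:p:P:S:s" opt; do
        case $opt in
            s) count=$((count + 1)) ;;
            *) : ;;   # other flags, unknown letters, missing arguments
        esac
    done
    case $count in
        0) echo "receive-and-send" ;;  # socket open, remote messages may be logged
        1) echo "send-only" ;;         # remote messages not logged, forwarding still possible
        *) echo "no-network" ;;        # no network socket, local files and pipes only
    esac
)

# Constructed sample flag strings, not taken from any real host.
for flags in "" "-s" "-ss" "-s -s" "-b 127.0.0.1 -s" "-P /var/run/syslogs.pid -s -v"; do
    printf '%-32s -> %s\n' "\"$flags\"" "$(syslogd_net_mode "$flags")"
done
```

On a running host, sockstat -l shows whether syslogd actually holds a network socket, which is the check to pair with the configured flags.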