From owner-freebsd-security Thu Jun 26 19:53:12 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id TAA29899 for security-outgoing; Thu, 26 Jun 1997 19:53:12 -0700 (PDT) Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id TAA29893 for ; Thu, 26 Jun 1997 19:53:08 -0700 (PDT) Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id WAA12067; Thu, 26 Jun 1997 22:49:17 -0400 (EDT) From: Adam Shostack Message-Id: <199706270249.WAA12067@homeport.org> Subject: Re: Minimum files for operation In-Reply-To: <199706270133.SAA25974@kirk.edmweb.com> from Steve at "Jun 26, 97 06:33:50 pm" To: steve@edmweb.com (Steve) Date: Thu, 26 Jun 1997 22:49:16 -0400 (EDT) Cc: gfm@readybox.com, freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL27 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Steve wrote: | > The security-related literature I've been through emphasizes the need | > to secure the hosts themselves, partly through removing any unneeded | > files. (If you're running a mail hub, you probably don't need a C | > compiler. If you are providing only Web service with static pages, | > you should remove the perl interpreter. And so on.) | | I wouldn't worry about such things. If someone has broken in to your | system, they can upload the C compiler, Perl interpreter, and whatever | else they need. Clever use of redirection is all it takes. Uploading a C compiler or perl involves a lot of disk space and effort. Removing servers, daemons, and other things is clearly worthwhile. I think there's a win in removing uname and other things, and making your attacker go through some effort. (assuming that you go through less.) Steve's other advice about removing set*id stuff is very good. Its also worth mounting most disks nosetuid/nodev. Adam | What you _should_ worry about are the privileged programs that are | set-UID or set-GID. FreeBSD (2.1-stable at least, probably most or all | other versions) has a "security" script that runs every night and | places a list of all suid programs and devices in /var/log/setuid.today | It would be a good idea to look at that list and then use chmod to | remove the suid bit from programs that you don't need. You may also | need to use chflags to remove the schg (immutable) flag before chmod. -- "It is seldom that liberty of any kind is lost all at once." -Hume