Date: Tue, 1 Jun 1999 13:30:43 +0200 (MET DST)
From: Janos Mohacsi
To: Dan Langille
Cc: "Ilmar S. Habibulin", freebsd-security@FreeBSD.ORG
Subject: Re: auditors
In-Reply-To: <19990531204003.LQOG7869945.mta1-rme@wocker>

On Tue, 1 Jun 1999, Dan Langille wrote:

> Date: Tue, 1 Jun 1999 08:37:28 +1200
> From: Dan Langille
> To: Ilmar S. Habibulin
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: auditors
>
> On 1 Jun 99, at 0:14, Ilmar S. Habibulin wrote:
>
> > On Mon, 31 May 1999, Snob Art Genre wrote:
> >
> > > > And what about posix auditing? Robert Watson made a posix.1e audit
> > > > implementation for freebsd. Why not use his work?
> > >
> > > Different kind of auditing. The first is people vetting code for
> > > security flaws, the second is logging of system events.
> >
> > Oh, I suppose I misunderstood the term "auditing". You were talking about source
> > code auditing?
>
> Yes. And a cute extract from the URL given
> (http://www.FreeBSD.org/auditors.html):
>
> "Our second step will be this audit, an attempt to methodically go through
> every line of source in FreeBSD looking for obvious buffer overflows
> (sprintf()/strcpy() vs snprintf()/strncpy() and so on), less obvious
> security holes, instances of insufficiently defensive coding, amusing
> comment strings to forward to freebsd-chat, whatever we run
> across."
Maybe it is worth making some audits of sprintf/strcpy, but it is less useful for 3rd party programs like packages and ports. I would recommend including libparanoia as standard also.

Janos Mohacsi
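The quoted auditors page describes going through source looking for unbounded calls such as sprintf()/strcpy() where snprintf()/strncpy() belong. As an added illustration of that first, mechanical pass (not code from the FreeBSD auditors project or from anyone in this thread), the script below writes a small constructed C file and greps it for the unbounded string calls; the file contents, the function names and the call list are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: a minimal source-audit pass for the call patterns the
# auditors page names. Constructed sample input; not FreeBSD source.

# Constructed C file to audit (sample input, not real FreeBSD code).
SAMPLE_SRC="${TMPDIR:-/tmp}/audit_sample_$$.c"
cat > "$SAMPLE_SRC" <<'EOF'
#include <stdio.h>
#include <string.h>
void greet(const char *user) {
    char buf[64];
    sprintf(buf, "Hello, %s", user);       /* unbounded: should be flagged */
    strcpy(buf, user);                     /* unbounded: should be flagged */
    snprintf(buf, sizeof buf, "%s", user); /* bounded: not flagged */
    strncpy(buf, user, sizeof buf - 1);    /* bounded: not flagged */
    strcat(buf, "!");                      /* unbounded: should be flagged */
}
EOF

# audit_unsafe_calls FILE: print "FILE:LINE:source" for each line that
# calls an unbounded string function. The leading (^|[^[:alnum:]_])
# guard keeps snprintf/strncpy/vsprintf from being matched as sprintf
# or strcpy, so bounded variants do not show up as findings.
audit_unsafe_calls() {
    grep -nE '(^|[^[:alnum:]_])(sprintf|vsprintf|strcpy|strcat|gets)[[:space:]]*\(' "$1" \
        | sed "s|^|$1:|"
}

# count_unsafe_calls FILE: number of findings, for a quick per-file summary.
count_unsafe_calls() {
    audit_unsafe_calls "$1" | wc -l | tr -d ' '
}

# Stand-alone run: list findings, then the total for the sample file.
audit_unsafe_calls "$SAMPLE_SRC"
echo "findings: $(count_unsafe_calls "$SAMPLE_SRC")"
```

A hit only marks a line for a human to read; whether the destination is actually too small is the part of the audit that cannot be done with grep.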