Date: Tue, 1 Jun 1999 13:30:43 +0200 (MET DST)
From: Janos Mohacsi <mohacsi@iit.bme.hu>
To: Dan Langille <junkmale@xtra.co.nz>
Cc: "Ilmar S. Habibulin" <ilmar@ints.ru>, freebsd-security@FreeBSD.ORG
Subject: Re: auditors
Message-ID: <Pine.GSO.4.05.9906011327450.3321-100000@bagira.iit.bme.hu>
In-Reply-To: <19990531204003.LQOG7869945.mta1-rme@wocker>
On Tue, 1 Jun 1999, Dan Langille wrote:

> Date: Tue, 1 Jun 1999 08:37:28 +1200
> From: Dan Langille <junkmale@xtra.co.nz>
> To: Ilmar S. Habibulin <ilmar@ints.ru>
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: auditors
>
> On 1 Jun 99, at 0:14, Ilmar S. Habibulin wrote:
>
> > On Mon, 31 May 1999, Snob Art Genre wrote:
> >
> > > > And what about posix auditing? Robert Watson made posix.1e audit
> > > > implementation for freebsd. Why do not use his work?
> > >
> > > Different kind of auditing. The first is people vetting code for
> > > security flaws, the second is logging of system events.
> >
> > Oh, I suppose I misunderstood the term "auditing". You were talking about
> > source code auditing?
>
> Yes. And a cute extract from the URL given
> (http://www.FreeBSD.org/auditors.html):
>
> "Our second step will be this audit, an attempt to methodically go through
> every line of source in FreeBSD looking for obvious buffer overflows
> (sprintf()/strcpy() vs snprintf()/strncpy() and so on), less obvious
> security holes, instances of insufficiently defensive coding, amusing
> comment strings to forward to freebsd-chat, whatever we run
> across."

Maybe it is worth making some audits on sprintf/strcpy, but it is less
useful for 3rd party programs like packages and ports. I would recommend
including libparanoia as standard also.

Janos Mohacsi

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
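The sprintf()/strcpy() versus snprintf()/strncpy() pattern the quoted auditors page describes, as an added illustration that is not part of this thread or of the FreeBSD audit itself. The unsafe builder shows the shape a source audit greps for; the hardened one checks the snprintf() return value so truncation is reported rather than silently producing a wrong path; and because strncpy() has its own pitfall (no terminating NUL when the source fills the buffer), a small strlcpy-style bounded copy is written out here since strlcpy() is not in every libc. All function names and the `/etc`-style sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* The pattern the audit looked for: unbounded strcpy()/strcat()/sprintf()
 * into a fixed buffer. Nothing here checks that dir + "/" + file fits, so
 * the caller must guarantee it (and in real code usually cannot). */
void build_path_unsafe(char *out, const char *dir, const char *file)
{
    strcpy(out, dir);
    strcat(out, "/");
    strcat(out, file);
}

/* Hardened form: bounded write, and the snprintf() return value is checked.
 * snprintf() returns the length the full string WOULD have had, so a value
 * >= outsz means the result was cut short.
 * Returns 0 on success, -1 if the path would not fit in outsz bytes. */
int build_path_safe(char *out, size_t outsz, const char *dir, const char *file)
{
    if (outsz == 0)
        return -1;
    int n = snprintf(out, outsz, "%s/%s", dir, file);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';          /* don't hand back a half-built path */
        return -1;
    }
    return 0;
}

/* strlcpy-style bounded copy (hypothetical name; written out because
 * strlcpy() is a BSD extension). Always NUL-terminates when dstsz > 0 and
 * returns strlen(src), so the caller detects truncation with the same
 * `>= dstsz` test used for snprintf(). */
size_t bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t srclen = strlen(src);
    if (dstsz == 0)
        return srclen;
    size_t n = srclen < dstsz - 1 ? srclen : dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen;
}

/* Demonstrates the strncpy() pitfall: returns 1 if strncpy() left the
 * first dstsz bytes of the destination without a NUL for this input,
 * 0 if it terminated, -1 if dstsz exceeds the scratch buffer. */
int strncpy_leaves_unterminated(size_t dstsz, const char *src)
{
    char dst[64];
    if (dstsz > sizeof dst)
        return -1;
    memset(dst, 'X', sizeof dst);   /* make a missing NUL observable */
    strncpy(dst, src, dstsz);
    return memchr(dst, '\0', dstsz) == NULL;
}
```

The `>= outsz` test is the part audits most often find missing: code that switches to snprintf() but ignores its return value still produces a truncated, and possibly meaningful, string. Likewise strncpy() followed by no explicit `dst[dstsz - 1] = '\0'` is the classic half-fix.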