From owner-freebsd-security@FreeBSD.ORG  Thu Aug 12 04:57:03 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 3928216A4CE; Thu, 12 Aug 2004 04:57:03 +0000 (GMT)
Received: from rwcrmhc12.comcast.net (rwcrmhc12.comcast.net [216.148.227.85])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 239B043D55; Thu, 12 Aug 2004 04:57:03 +0000 (GMT)
	(envelope-from DougB@freebsd.org)
Received: from lap (c-24-130-110-32.we.client2.attbi.com[24.130.110.32])
          by comcast.net (rwcrmhc12) with SMTP
          id <2004081204570201400qvt9pe>; Thu, 12 Aug 2004 04:57:02 +0000
Date: Wed, 11 Aug 2004 21:57:01 -0700 (PDT)
From: Doug Barton <DougB@FreeBSD.org>
To: Xin LI <delphij@frontfree.net>
In-Reply-To: <20040812040556.GC305@frontfree.net>
Message-ID: <20040811215606.H817@ync.qbhto.arg>
References: <20040810161305.GA161@frontfree.net>
	<20040810095953.H1984@qbhto.arg><20040812040556.GC305@frontfree.net>
Organization: http://www.FreeBSD.org/
X-message-flag: Outlook -- Not just for spreading viruses anymore!
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
cc: "freebsd-security@FreeBSD.org" <freebsd-security@FreeBSD.org>
cc: Thomas Quinot <thomas@FreeBSD.ORG>
Subject: Re: [PATCH] Tighten /etc/crontab permissions
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Aug 2004 04:57:03 -0000

On Thu, 12 Aug 2004, Xin LI wrote:

> I think I would want to compromise at this point ;)  In addition of this,
> personally I suggest the following changes to be made:
>
> 	- Provide an option in sysinstall so users will be instructed
> 	  to choose whether to ``lockdown'' their systems as soon as
> 	  the configuration is completed.  Also, include this utility
> 	  in the installation disc.
> 	- Add a new security audit script which will tell admins that
> 	  the permission of "watched" configurations was altered.
> 	  This might be turned off by default, or even a depency port
> 	  of lockdown, to provide a mechanism to detect potential
> 	  break-ins earlier, and to notice users when something like
> 	  mergemaster or manual etc/ upgrades has reverted the
> 	  permissions.
>
> What do you think about this?  Actually the FreeBSD Simplified Chinese
> project is recently coordinating an effort of making an Internationalized
> FreeBSD Installer, I think we will try to implement these
> things if they looks better.

Those sound like good goals, I wish you great luck with them. :)

Doug

-- 

     This .signature sanitized for your protection