Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 01 Sep 1997 07:12:46 -0700
From:      Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
To:        Brian Mitchell <brian@firehouse.net>
Cc:        cschuber@uumail.gov.bc.ca, Andrew Brown <codewarrior@daemon.org>, BUGTRAQ@netspace.org, freebsd-security@freebsd.org
Subject:   Re: DDB/securelevel 
Message-ID:  <199709011412.HAA20786@passer.osg.gov.bc.ca>
In-Reply-To: Your message of "Sun, 31 Aug 1997 17:18:08 EDT." <Pine.BSI.3.95.970831171632.12537A-100000@shell.firehouse.net>
next in thread | previous in thread | raw e-mail | index | archive | help 
> On Sun, 31 Aug 1997, Cy Schubert wrote:
> 
> > There's a lot to be said about physical security.  If one has a sensitive
> > application, physically secure the machine.
> > 
> > Secondly, DDB should not be compiled into the kernel of a production
> > machine unless you are trying to resolve a software or hardware problem.
> > Once a problem is resolved, remove the option from the kernel config, not
> > only for security reason but to generally improve performance.  I, for
> > example don't include the KTRACE or bpfilter options for a production
> > machine unless I am trying to solve a problem.  Most security publications
> > and auditors agree that removing bpfilter can improve network security. 
> > Removing these options on a production machine can also improve performance
> > because the kernel is not executing rarely used code
> 
> What _possible_ improvement in security does removing ktrace offer? There
> is absolutely none, that I can determine. (Note: Most of what ktrace does
> can be done via shared libraries).
> 

It doesn't add any security.  My point was that some kernel features may also
impact performance, such as KTRACE, henceforth I remove them.  Bpfilter also
can impact network security so you now have two reasons to remove it from
production environments.  Generally, the fewer features you compile into your
kernel the better it will perform and you have, in some cases better security.
IMO these are two very good reasons to keep the kernel thin.



Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                          BITNET:  CSCHUBER@BCSC02.BITNET
Government of BC            Internet:  cschuber@uumail.gov.bc.ca
                                       cschuber@bcsc02.gov.bc.ca

		"Quit spooling around, JES do it."

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199709011412.HAA20786>