Date: Mon, 01 Sep 1997 07:12:46 -0700
From: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
To: Brian Mitchell <brian@firehouse.net>
Cc: cschuber@uumail.gov.bc.ca, Andrew Brown <codewarrior@daemon.org>, BUGTRAQ@netspace.org, freebsd-security@freebsd.org
Subject: Re: DDB/securelevel
Message-ID: <199709011412.HAA20786@passer.osg.gov.bc.ca>
In-Reply-To: Your message of "Sun, 31 Aug 1997 17:18:08 EDT." <Pine.BSI.3.95.970831171632.12537A-100000@shell.firehouse.net>
> On Sun, 31 Aug 1997, Cy Schubert wrote:
>
> > There's a lot to be said about physical security. If one has a sensitive
> > application, physically secure the machine.
> >
> > Secondly, DDB should not be compiled into the kernel of a production
> > machine unless you are trying to resolve a software or hardware problem.
> > Once a problem is resolved, remove the option from the kernel config, not
> > only for security reasons but to generally improve performance. I, for
> > example, don't include the KTRACE or bpfilter options for a production
> > machine unless I am trying to solve a problem. Most security publications
> > and auditors agree that removing bpfilter can improve network security.
> > Removing these options on a production machine can also improve performance
> > because the kernel is not executing rarely used code.
>
> What _possible_ improvement in security does removing ktrace offer? There
> is absolutely none, that I can determine. (Note: Most of what ktrace does
> can be done via shared libraries).

It doesn't add any security. My point was that some kernel features may also
impact performance, such as KTRACE, henceforth I remove them. Bpfilter also
can impact network security, so you now have two reasons to remove it from
production environments. Generally, the fewer features you compile into your
kernel, the better it will perform and you have, in some cases, better
security. IMO these are two very good reasons to keep the kernel thin.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                           BITNET: CSCHUBER@BCSC02.BITNET
Government of BC               Internet: cschuber@uumail.gov.bc.ca
                                         cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."
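The advice in the thread is to leave DDB, KTRACE and bpfilter out of a production kernel config. As an added example, not part of the archived message or of FreeBSD itself, here is a small POSIX shell audit that flags those lines in a kernel configuration file so they can be reviewed before a production build. The sample config is constructed here and assumes the FreeBSD 2.x-era `options` / `pseudo-device` syntax the message refers to; the function and variable names are hypothetical.

```shell
#!/bin/sh
# Hypothetical kernel-config audit helper (added example, not from the thread).
# It reports config lines that enable the kernel debugger (DDB), kernel
# tracing (KTRACE) or the Berkeley packet filter (bpfilter), which the
# message recommends removing from a production kernel.

# Constructed sample kernel config, FreeBSD 2.x-style syntax (assumed).
SAMPLE_KERNCONF=$(cat <<'EOF'
machine         "i386"
cpu             "I586_CPU"
ident           PRODUCTION
maxusers        64
options         INET
options         FFS
options         DDB             #kernel debugger
options         KTRACE          #kernel tracing
pseudo-device   loop
pseudo-device   ether
pseudo-device   bpfilter 4      #Berkeley packet filter
EOF
)

# audit_kernconf CONFIG_TEXT
# Prints every line that enables one of the diagnostic features.
# Exit status: 0 when the config is clean, 1 when anything was flagged.
audit_kernconf() {
    printf '%s\n' "$1" |
    awk '
        /^[[:space:]]*#/ { next }                # skip comment lines
        $1 == "options" && ($2 == "DDB" || $2 == "KTRACE") { print; found = 1 }
        $1 == "pseudo-device" && $2 == "bpfilter"          { print; found = 1 }
        END { exit (found ? 1 : 0) }
    '
}

# count_findings CONFIG_TEXT
# Number of flagged lines, as a bare integer (0 for a clean config).
count_findings() {
    audit_kernconf "$1" | wc -l | tr -d ' '
}

# Demonstration on the constructed sample: expect the three diagnostic lines.
audit_kernconf "$SAMPLE_KERNCONF" ||
    echo "diagnostic options present; remove them before building a production kernel"
```

Run it against a real config with `audit_kernconf "$(cat /sys/i386/conf/MYKERNEL)"` (path assumed); a non-zero exit status makes it usable as a pre-build check in a script.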