[nycbug-talk] FreeBSD security document & tool. . .

steverieger steve
Fri Feb 18 11:57:32 EST 2005


My /etc/vfstab looks like this (just one entry):

/path/to/dev /mnt/point ufs 2 yes logging,ro,noatime,nosuid,forcedirectio
noatime is self-explanatory.
forcedirectio means that all the large files on my web server that get sent
out have direct I/O instead of being buffered via the kernel.

This is for my apache slice

On 2/18/05 11:27 AM, "Okan Demirmen" <okan at demirmen.com> wrote:

> On Fri 2005.02.18 at 08:37 -0500, steverieger wrote:
>> To be honest with you
>> 
>> I have this exact issue with the fbsd folks (the developers not the users)
>> 
>> On my other os, I always mount /usr as read only, and all my sql and apache
>> stuff goes elsewhere, but the default fbsd setup puts the apache rootdir in
>> /usr/local/www and sometimes the /var slice is a bit small to handle all my
>> databases. 
> 
> i'm not too familiar with where stuff goes in freebsd, but i like data
> in /var - including www and mysql and pgsql...etc. but each data dir
> gets its own slice if it is important to me.
> 
>> But for any decent sys admin I recommend to always mount /usr as
>> ro,nosuid,logging
> 
> i've heard that statement many times before, but what exactly does
> that give you? mounting /usr as nosuid? - what do you break? read-only
> /usr for what reason? whoever gets root can easily do a re-mount.
> not flaming, but curious to hear additional reasons that i've heard
> before behind this ;)
> 
> cheers
> 
>> 
>> My .02C
>> 
>> 
>> 
>> 
>> On 2/17/05 9:46 PM, "G. Rosamond" <george at sddi.net> wrote:
>> 
>>> There's a great security document and tool available for a number of
>>> OSs, including FreeBSD, at www.cisecurity.org
>>> 
>>> I'm going through the doc right now, which documents the tool's
>>> procedures. . . some looks pretty basic (disabling anonymous ftp) but
>>> some is very interesting (making sure no dot files are world
>>> writeable).
>>> 
>>> Highly recommended.
>>> 
>>> I'm going to run on my FBSD 5.3 workstation now, and maybe try out on a
>>> less-than-mission-critical server tomorrow . . .
>>> 
>>> George
>>> 
>>> _______________________________________________
>>> % NYC*BUG talk mailing list
>>> http://lists.nycbug.org/mailman/listinfo/talk
>>> %Be sure to check out our Jobs and NYCBUG-announce lists
>>> %We meet the first Wednesday of the month
>>> 
>> 
>> 
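The thread above argues about mounting /usr with ro,nosuid (and shows a vfstab line with those options). As an added example, not code from the list or from any poster, here is a small POSIX sh audit that reads an fstab-style file and reports which required mount options a given mountpoint lacks. It assumes the FreeBSD fstab layout (options in field 4) or the Solaris vfstab layout (options in field 7); the sample fstab, device names and entries are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: audit fstab/vfstab entries for required mount options.
# Assumes FreeBSD fstab layout (options in field 4) or Solaris vfstab layout (options in field 7).

# Constructed sample fstab; the device names and entries are made up for this demo.
SAMPLE_FSTAB=$(cat <<'EOF'
# Device        Mountpoint      FStype  Options             Dump    Pass#
/dev/ad0s1a     /               ufs     rw                  1       1
/dev/ad0s1d     /usr            ufs     ro,nosuid           2       2
/dev/ad0s1e     /var            ufs     rw,nosuid,noexec    2       2
/dev/ad0s1f     /usr/local/www  ufs     rw                  2       2
EOF
)

# mount_opts FILE MOUNTPOINT: print the option string for MOUNTPOINT.
# The field layout is chosen by field count: 6 fields = fstab, 7 fields = vfstab.
mount_opts() {
    awk -v mp="$2" '
        /^#/ || NF == 0 { next }
        NF == 6 && $2 == mp { print $4; exit }
        NF == 7 && $3 == mp { print $7; exit }
    ' "$1"
}

# check_opts FILE MOUNTPOINT REQUIRED: return 0 when every comma-separated option in
# REQUIRED is present, 1 (and a report of what is missing) when some are absent,
# 2 when the mountpoint has no entry at all.
check_opts() {
    opts=$(mount_opts "$1" "$2")
    [ -n "$opts" ] || { echo "$2: no entry in $1"; return 2; }
    missing=""
    for want in $(echo "$3" | tr ',' ' '); do
        case ",$opts," in
            *",$want,"*) ;;                      # option present
            *) missing="$missing $want" ;;       # option absent
        esac
    done
    [ -z "$missing" ] && return 0
    echo "$2: missing$missing (has: $opts)"
    return 1
}

# Stand-alone run over the constructed sample ('|| :' keeps a failed check from
# aborting the script when it runs under 'set -e').
tmp=$(mktemp) && printf '%s\n' "$SAMPLE_FSTAB" > "$tmp"
check_opts "$tmp" /usr ro,nosuid || :
check_opts "$tmp" /usr/local/www nosuid,noexec || :
rm -f "$tmp"
```

Run it against the real /etc/fstab to see which data and web slices still carry suid or exec rights that the thread's policy would drop.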