[nycbug-talk] FreeBSD security document & tool. . .

Okan Demirmen okan
Fri Feb 18 11:27:23 EST 2005


On Fri 2005.02.18 at 08:37 -0500, steverieger wrote:
> To be honest with you
> 
> I have this exact issue with the fbsd folks (the developers not the users)
> 
> On my other os, I always mount /usr as read only, and all my sql and apache
> stuff goes elsewhere, but the default fbsd setup puts the apache rootdir in
> /usr/local/www and sometimes the /var slice is a bit small to handle all my
> databases. 

i'm not too familiar with where stuff goes in freebsd, but i like data
in /var - including www and mysql and pgsql...etc. but each data dir
gets its own slice if it is important to me.

> But for any decent sys admin I recommend to always mount /usr as
> ro,nosuid,logging

i've heard that statement many times before, but what exactly does
that give you? mounting /usr as nosuid? - what do you break? read-only
/usr for what reason? whoever gets root can easily do a re-mount.
not flaming, but curious to hear additional reasons that i've heard
before behind this ;)

cheers

> 
> My .02C
> 
> On 2/17/05 9:46 PM, "G. Rosamond" <george at sddi.net> wrote:
> 
> > There's a great security document and tool available for a number of
> > OSs, including FreeBSD, at www.cisecurity.org
> > 
> > I'm going through the doc right now, which documents the tool's
> > procedures. . . some looks pretty basic (disabling anonymous ftp) but
> > some is very interesting (making sure no dot files are world
> > writeable).
> > 
> > Highly recommended.
> > 
> > I'm going to run on my FBSD 5.3 workstation now, and maybe try out on a
> > less-than-mission-critical server tomorrow . . .
> > 
> > George
> > 
> > _______________________________________________
> > % NYC*BUG talk mailing list
> > http://lists.nycbug.org/mailman/listinfo/talk
> > %Be sure to check out our Jobs and NYCBUG-announce lists
> > %We meet the first Wednesday of the month
> > 
> 

-- 
Okan Demirmen <okan at demirmen.com>
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB3670934
PGP-Fingerprint: 226D B4AE 78A9 7F4E CD2B 1B44 C281 AF18 B367 0934