[nycbug-talk] FreeBSD security document & tool. . .
Fri Feb 18 12:07:05 EST 2005
On Fri 2005.02.18 at 11:57 -0500, steverieger wrote:
> My /etc/vfstab looks like this (just one entry
> /path/to/dev /mnt/point ufs 2 yes logging,ro,noatime,nosuid,forcedirectio
> noatime is self explanatory
> forcedirectio, means that all the large files on my web server that get sent
> out have a direct io instead of being buffered via the kernel.
> This is for my apache slice
ok, for the www slice, makes sense. (not to nit-pick, but why
logging/noatime if ro? unless freebsd's ufs2 logging/noatime is
doing something i don't know about.)
i was more looking for reasons behind mounting /usr ro, but no big
deal. i've had this argument both ways in past lives, hence my
> On 2/18/05 11:27 AM, "Okan Demirmen" <okan at demirmen.com> wrote:
> > On Fri 2005.02.18 at 08:37 -0500, steverieger wrote:
> >> To be honest with you
> >> I have this exact issue with the fbsd folks (the developers not the users)
> >> On my other os, I always mount /usr as read only, and all my sql and apache
> >> stuff goes elsewhere, but the default fbsd setup puts the apache rootdir in
> >> /usr/local/www and sometimes the /var slice is a bit small to handle all my
> >> databases.
> > i'm not too familiar with where stuff goes in freebsd, but i like data
> > in /var - including www and mysql and pgsql...etc. but each data dir
> > gets its own slice if it is important to me.
> >> But for any decent sys admin I recommend to always mount /usr as
> >> ro,nosuid,logging
> > i've heard that statement many times before, but what exactly does
> > that give you? mounting /usr as nosuid? - what do you break? read-only
> > /usr for what reason? whoever gets root can easily do a re-mount.
> > not flaming, but curious to hear additional reasons that i've heard
> > before behind this ;)
> > cheers
> >> My .02C
> >> On 2/17/05 9:46 PM, "G. Rosamond" <george at sddi.net> wrote:
> >>> There's a great security document and tool available for a number of
> >>> OSs, including FreeBSD, at www.cisecurity.org
> >>> I'm going through the doc right now, which documents the tool's
> >>> procedures. . . some looks pretty basic (disabling anonymous ftp) but
> >>> some is very interesting (making sure no dot files are world
> >>> writeable).
> >>> Highly recommended.
> >>> I'm going to run on my FBSD 5.3 workstation now, and maybe try out on a
> >>> less-than-mission-critical server tomorrow . . .
> >>> George
> >>> _______________________________________________
> >>> % NYC*BUG talk mailing list
> >>> http://lists.nycbug.org/mailman/listinfo/talk
> >>> %Be sure to check out our Jobs and NYCBUG-announce lists
> >>> %We meet the first Wednesday of the month
Okan Demirmen <okan at demirmen.com>
PGP-Fingerprint: 226D B4AE 78A9 7F4E CD2B 1B44 C281 AF18 B367 0934
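An added example (not from anyone in this thread) that turns the two points argued above into a check: it audits fstab-style entries for /usr being mounted ro and nosuid, and flags logging/noatime on a read-only mount so the question Okan raises gets looked at. Device names, the mount table and the field-layout heuristic are all constructed assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread. Audits mount-table entries for the
# options discussed above. The sample table at the bottom is constructed.

# has_opt OPTS NAME: true if NAME appears in the comma-separated OPTS list
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# check_opts MOUNTPOINT OPTS: one finding per line on stderr, return 1 if any
check_opts() {
    mp=$1; opts=$2; rc=0
    case "$mp" in
        /usr|/usr/*)
            # recommendation from the thread: /usr should be ro and nosuid
            has_opt "$opts" ro     || { echo "$mp: not read-only" >&2; rc=1; }
            has_opt "$opts" nosuid || { echo "$mp: allows setuid" >&2; rc=1; }
            ;;
    esac
    # Okan's question: what do logging/noatime buy on a ro filesystem?
    if has_opt "$opts" ro; then
        for o in logging noatime; do
            has_opt "$opts" "$o" &&
                { echo "$mp: $o on a read-only mount, check if needed" >&2; rc=1; }
        done
    fi
    return $rc
}

# audit_table < TABLE: prints the number of entries with findings to stdout.
# Heuristic (assumption): if field 4 is a number or '-', the line uses the
# layout from the thread (options last); otherwise fstab layout (options 4th).
audit_table() {
    bad=0
    while read -r dev mp fstype f4 rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        case "$f4" in
            *[!0-9-]*) opts=$f4 ;;
            *)         opts=${rest##* } ;;
        esac
        check_opts "$mp" "$opts" || bad=$((bad + 1))
    done
    echo "$bad"
}

# Constructed sample: the vfstab line from the thread plus two fstab lines
SAMPLE='/path/to/dev /mnt/point ufs 2 yes logging,ro,noatime,nosuid,forcedirectio
/dev/ad0s1f /usr ufs rw 2 2
/dev/ad0s1e /var ufs rw,nosuid 2 2'
printf '%s\n' "$SAMPLE" | audit_table
```

Run against a real /etc/fstab with `audit_table < /etc/fstab`; findings go to stderr, the count to stdout.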