[nycbug-talk] BSD Chapter in HLE
George R.
george at sddi.net
Fri Sep 15 18:05:41 EDT 2006
Ray Lai wrote:
> On Fri, Sep 15, 2006 at 01:58:37PM -0400, George R. wrote:
>> and add in ports/pkg_src, etc. . . checksum checks. . .
>
> systrace can be used during ports builds to contain trojaned sources.
systrace is certainly worth putting in, and it ups the control that an
admin or developer has. . .
IMHO, it also is the open source reply to much of the IPS functionality.
>
>>> - PAM
>> do all have PAM support now?
>
> Not OpenBSD.
That's what I thought.
>
>>> - /etc/ssh/sshd_config
>> question of root enabled by default, although I think this has changed
>> now with obsd.
>
> Nope, still enabled.
Double negative time. . . I don't have a recent obsd box to look at, but
I am stating that I think that obsd *now* enables default root access as
per sshd_config. . . am I correct or wrong?
I remember the arguments around this. . .
>
>>> Securing Applications
>>> - jail (sysjail)
>> jails, yes, but is sysjail anywhere yet?
>>
>> and chroot?
>
> chroot and dropping privileges is important. root can break out of a
> chroot, so you must change to an unprivileged user. Additionally,
> OpenBSD creates new users and groups for each privilege-revoking
> program, so one cannot [affect] another.
>
>> tcp-wrappers. . .
>
> I think packet filters have largely replaced tcp-wrappers.
>
Mostly . . . but there is a certain continued relevance to both Linux
and the BSDs. . . and besides, Wietse is speaking at NYCBSDCon . . . ;-)
And Dru, don't forget your mtree-as-poor-man's-tripwire. . . but again,
found in both Linux and the BSDs.
g
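An added example of the mtree-as-poor-man's-tripwire idea mentioned above; it is not code from the thread or from any of the BSD projects. It does in Python what `mtree -c` (write a spec of a tree) and `mtree -f spec` (check the tree against it) do, so that it runs where mtree is not installed; on a BSD box you would use mtree itself. The function names (`build_manifest`, `compare`, `demo`) and the fake `sbin` tree with `sshd`, `pfctl`, `httpd` and `rootkit` are constructed for the demonstration.

```python
"""Poor man's tripwire: record a baseline of a directory tree, then
report what was added, removed or altered. Stand-in for mtree -c / -f;
example code, not from the original thread."""
import hashlib
import os
import stat
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Walk root and record, for each regular file, the attributes an
    mtree spec keys on: permission bits (incl. setuid/setgid), owner,
    group, size and a SHA-256 of the contents. Paths are relative to
    root so the same spec can be checked on another host."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices, etc. are not handled here
            manifest[os.path.relpath(full, root)] = {
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
                "sha256": _sha256(full),
            }
    return manifest


def compare(baseline, current):
    """Return (added, removed, changed); changed maps a path to the list
    of attributes that differ from the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diffs:
            changed[rel] = diffs
    return added, removed, changed


def demo():
    """Constructed scenario: baseline a fake sbin directory, then trojan
    one binary, add a setuid bit to another and drop in a new file."""
    with tempfile.TemporaryDirectory() as root:
        sbin = os.path.join(root, "sbin")
        os.mkdir(sbin)
        for name in ("sshd", "pfctl", "httpd"):
            path = os.path.join(sbin, name)
            with open(path, "wb") as f:
                f.write(b"#!/bin/sh\necho " + name.encode() + b"\n")
            os.chmod(path, 0o755)
        baseline = build_manifest(root)

        # Changes made after the baseline was taken.
        with open(os.path.join(sbin, "sshd"), "ab") as f:
            f.write(b"# backdoor\n")                    # content and size change
        os.chmod(os.path.join(sbin, "pfctl"), 0o4755)   # setuid bit added
        with open(os.path.join(sbin, "rootkit"), "wb") as f:
            f.write(b"x")                               # new file
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:  ", added)
    print("removed:", removed)
    print("changed:", changed)
```

The baseline only protects you if it is stored somewhere the attacker cannot rewrite (read-only media, another host), which is the same caveat that applies to a real mtree spec or a tripwire database.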