Subject: Re: r/o filesystem restrictions for firewall?
To: Andrew Brown <atatat@atatdot.net>
From: Simon Burge <simonb@wasabisystems.com>
List: port-sparc
Date: 10/25/2000 01:37:40
Andrew Brown wrote:
> theoterical secure level three? ie:
>
> no mounting or unmounting of filesystems...
> no loading of ipf or ipnat rules...
> no interface or route changes...
> no opening disk devices, either character or block...
> no time changes at all... (hmm...ntpd...after all, we want good time)
> no setuid() calls or suid effect on programs...
We really want a feature mask (or probably better a security sysctl
MIB with separate knobs to disable these one by one), not an arbitary
"level".
Simon.
--
Simon Burge <simonb@wasabisystems.com>
NetBSD Sales, Support and Service: http://www.wasabisystems.com/