Subject: Re: A couple of security-related issues.
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
From: Richard Rauch <rauch@eecs.ukans.edu>
List: tech-security
Date: 12/28/2000 08:04:55
> > [...]
> > $ man ssh.conf
> > man: no entry for ssh.conf in the manual.
> > $ man 5 ssh.conf
> > man: no entry for ssh.conf in the manual.
> 
> Hum, as I said I don't have a 1.5 system to look at right now :)

(^&  'Sokay.  But we _should_ have man-pages on them, yes?  Or does
OpenSSH blow off documentation?  If it's an OpenSSH problem, we probably
don't need to get too concerned about it (assuming that we get that
previously-mentioned new ssh implementation by the next release).


> > [...]
> > Still, we have (if commented-out) /usr/pkg/etc/rc.d/apache referenced from
> > rc.local.  And do you object to /etc/man.conf referring to /usr/pkg
> > directories?  (^&  As long as the obvious does-it-exist check is made, it
> > seems reasonable to use audit-packages in the daily security run.  The
> > leap does not seem so large to me.
> 
> Better would be to have a security.local or something like this.

Yes, I suppose that that makes much better sense.  (^&


> > I do read them.  Regular as a broken clock, even!  (^&  (Seriously,
> > sometimes I let a week or more go by, but I generally read root's mail
 [...]
> 
> I prefer to read them daily. Especially the fsck run from the daily script

I would, if I were admining a system for more than just myself.

For email, I presently find it more convenient to use a remote account.  
This lets me take my system down for various reasons and arbitrary
duration with relative impunity.  My crontab is unexciting (just a stock
daily/weekly pair of events).  The only things that I look for at all in
root's mail are:

 *.core files.

 Package security warnings

(I skim the rest lightly, but I don't think that I've ever seen anything
interesting show up, since my system sees very low use.)

I could see about a disk failure being a concern, I guess.  But it's less
painful, and probably more useful, to keep relatively current
backups.  (Not that that invalidates the notion of scanning the mail for
such problems.  But...it does make it less of an issue to catch it.)


  "I probably don't know what I'm talking about." --rauch@eecs.ukans.edu