Subject: Re: Chapter 8 security
To: NetBSD Security Technical Discussion List <tech-security@NetBSD.ORG>
From: Greg A. Woods <woods@weird.com>
List: tech-security
Date: 04/18/2004 14:54:34
[ On Friday, April 16, 2004 at 15:03:25 (-0400), Thor Lancelot Simon wrote: ]
> Subject: Re: Chapter 8 security
>
> 1) The password-strength requirements earlier in the document (you'll need
>    to modify /etc/passwd to enforce these restrictions, but I believe you
>    can in fact use the cracklib package to do this quite easily)

Hmmmm..... yes, see PR#10206, now almost four years idle...  :-)

> 2) The "transaction log of all system changes" at integrity (or was it
>    audit?) level 2.  This probably requires forcing all changes to system
>    configuration information to go through a setuid tool that logs them;
>    alternately, you could force all root access to the system (whether
>    by login or by sudo) to use a shell that writes to an append-only
>    log file or logs over the network.

The /etc/security support of /var/backups should even be sufficient for
the purposes of auditing "all system changes", and even the granularity
can be adjusted as necessary; though perhaps a well planned and deployed
tripwire install (or similar scheme, e.g. with mtree) would be even
better.....

-- 
						Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>          Secrets of the Weird <woods@weird.com>