Subject: Re: Chapter 8 security
To: NetBSD Security Technical Discussion List <tech-security@NetBSD.ORG>
From: Greg A. Woods <woods@weird.com>
List: tech-security
Date: 04/18/2004 14:54:34
[ On Friday, April 16, 2004 at 15:03:25 (-0400), Thor Lancelot Simon wrote: ]
> Subject: Re: Chapter 8 security
>
> 1) The password-strength requirements earlier in the document (you'll need
> to modify /etc/passwd to enforce these restrictions, but I believe you
> can in fact use the cracklib package to do this quite easily)
Hmmmm..... yes, see PR#10206, now almost four years idle... :-)
> 2) The "transaction log of all system changes" at integrity (or was it
> audit?) level 2. This probably requires forcing all changes to system
> configuration information to go through a setuid tool that logs them;
> alternately, you could force all root access to the system (whether
> by login or by sudo) to use a shell that writes to an append-only
> log file or logs over the network.
The /etc/security support of /var/backups should even be sufficient for
the purposes of auditing "all system changes", and even the granularity
can be adjusted as necessary; though perhaps a well planned and deployed
tripwire install (or similar scheme, e.g. with mtree) would be even
better.....
--
Greg A. Woods
+1 416 218-0098 VE3TCP RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com> Secrets of the Weird <woods@weird.com>