From owner-freebsd-security@FreeBSD.ORG Sun Sep 25 04:58:01 2005
Date: Sat, 24 Sep 2005 21:57:57 -0700 (PDT)
From: Bigby Findrake
To: "carlopmart@gmail.com"
Cc: freebsd-security
In-Reply-To: <43359660.2060606@gmail.com>
Subject: Re: Encrypt some services with ipsec

On Sat, 24 Sep 2005, carlopmart@gmail.com wrote:

> Hi all,
>
> I have two production servers with FreeBSD 5.4 (all security patches
> are applied). They are running some services like dns, ssh, http, ftp, etc.
> But I would like to encrypt some services for some hosts with ipsec when
> it is accessed. For example:
>
> - DNS resolution: not encrypted.
> - DNS replication master-slave: encrypted by ipsec.
> - Telnet: encrypted by ipsec for some hosts. Deny for the rest.
> - SSH: not encrypted for some hosts, encrypted by ipsec for the rest.
> - FTP: encrypted by ipsec.
> - HTTP: encrypted by ipsec.
>
> Is it possible to encrypt only certain services under an ipsec tunnel?

Someone please check my work.

From the man page on setkey, it looks like you can specify ports for the
security policies, so you could specify certain ports to encrypt, and not
specify a blanket/default host-to-host policy for all other traffic, so
that all other unspecified traffic is unencrypted. For example:

---------------------BEGIN /ETC/IPSEC.CONF-------------------------------
#
# encrypt all dns traffic between master host A (1.1.1.1) slave host B
# (1.1.1.2)
spadd 1.1.1.1 1.1.1.2[53] any -P out ipsec esp/transport//use;
spadd 1.1.1.2[53] 1.1.1.1 any -P in ipsec esp/transport//use;

spadd 1.1.1.1[53] 1.1.1.2 any -P out ipsec esp/transport//use;
spadd 1.1.1.2 1.1.1.1[53] any -P in ipsec esp/transport//use;

#
# encrypt telnet traffic between server A (1.1.1.1) and client C (1.1.1.3)
spadd 1.1.1.1[23] 1.1.1.3 any -P out ipsec esp/transport//use;
spadd 1.1.1.3 1.1.1.1[23] any -P in ipsec esp/transport//use;

#
# encrypt http traffic between server A (1.1.1.1) and client D (1.1.1.4)
spadd 1.1.1.1[80] 1.1.1.4 any -P out ipsec esp/transport//use;
spadd 1.1.1.4 1.1.1.1[80] any -P in ipsec esp/transport//use;

#
# and all other traffic is unencrypted.
---------------------END /ETC/IPSEC.CONF-------------------------------

/-------------------------------------------------------------------------/
I used to hate weddings; all the Grandmas would poke me and
say, "You're next sonny!" They stopped doing that when I
started to do it to them at funerals.

finger://bigby@ephemeron.org
http://www.ephemeron.org/~bigby/
news://news.ephemeron.org/alt.lemurs
/-------------------------------------------------------------------------/
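The port-scoped SPD entries in the reply above are easy to get subtly wrong: a missing mirror-image "in" line leaves one direction unprotected, and the level "use" means packets still travel in the clear whenever no SA has been negotiated. The following is an added example, not code from the post or from FreeBSD: a small Python script that parses spadd lines of the shape Bigby uses, reports entries without a matching reverse-direction entry, lists entries at level "use", and re-emits the set at level "require" so the policy fails closed. SAMPLE_POLICY is a constructed copy of the ipsec.conf fragment; the function names and audit rules are this example's own.

```python
"""Parse and audit setkey(8) SPD entries of the shape used in the reply above.
Added illustration, not code from the post; SAMPLE_POLICY is a constructed copy
of the ipsec.conf fragment, and the audit rules below are this example's own."""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_POLICY = """
# encrypt all dns traffic between master host A (1.1.1.1) slave host B (1.1.1.2)
spadd 1.1.1.1 1.1.1.2[53] any -P out ipsec esp/transport//use;
spadd 1.1.1.2[53] 1.1.1.1 any -P in ipsec esp/transport//use;
spadd 1.1.1.1[53] 1.1.1.2 any -P out ipsec esp/transport//use;
spadd 1.1.1.2 1.1.1.1[53] any -P in ipsec esp/transport//use;
# encrypt telnet traffic between server A (1.1.1.1) and client C (1.1.1.3)
spadd 1.1.1.1[23] 1.1.1.3 any -P out ipsec esp/transport//use;
spadd 1.1.1.3 1.1.1.1[23] any -P in ipsec esp/transport//use;
# encrypt http traffic between server A (1.1.1.1) and client D (1.1.1.4)
spadd 1.1.1.1[80] 1.1.1.4 any -P out ipsec esp/transport//use;
spadd 1.1.1.4 1.1.1.1[80] any -P in ipsec esp/transport//use;
"""

# spadd <src>[port] <dst>[port] <upper> -P <in|out> ipsec <proto>/<mode>/<src-dst>/<level>;
SPADD_RE = re.compile(
    r"^spadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"([a-z]+)/(transport|tunnel)/([^/]*)/(default|use|require|unique)\s*;$")
ENDPOINT_RE = re.compile(r"^([^\[\s]+)(?:\[(\d+)\])?$")   # host or host[port]

@dataclass(frozen=True)
class SpdEntry:
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]
    upper: str       # upper-layer protocol selector: any, tcp, udp, ...
    direction: str   # in / out
    protocol: str    # esp / ah
    mode: str        # transport / tunnel
    addrs: str       # tunnel endpoints ("" in transport mode)
    level: str       # default / use / require / unique

def _endpoint(tok):
    m = ENDPOINT_RE.match(tok)
    if not m:
        raise ValueError(f"bad endpoint: {tok!r}")
    return m.group(1), (int(m.group(2)) if m.group(2) else None)

def parse_policy(text):
    """Return one SpdEntry per spadd line; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SPADD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        src, sport = _endpoint(m.group(1))
        dst, dport = _endpoint(m.group(2))
        entries.append(SpdEntry(src, sport, dst, dport, m.group(3), m.group(4),
                                m.group(5), m.group(6), m.group(7), m.group(8)))
    return entries

def cleartext_fallback(entries):
    """Entries at level 'use': traffic still flows in the clear if no SA exists."""
    return [e for e in entries if e.level == "use"]

def unpaired(entries):
    """Entries whose mirror image (src/dst swapped, in<->out) is missing."""
    keys = {(e.src, e.src_port, e.dst, e.dst_port, e.upper, e.direction) for e in entries}
    mirror = lambda e: (e.dst, e.dst_port, e.src, e.src_port, e.upper,
                        "in" if e.direction == "out" else "out")
    return [e for e in entries if mirror(e) not in keys]

def render(entries, level="require"):
    """Re-emit the entries as setkey lines, rewriting the level (fail closed)."""
    ep = lambda host, port: host if port is None else f"{host}[{port}]"
    return "\n".join(
        f"spadd {ep(e.src, e.src_port)} {ep(e.dst, e.dst_port)} {e.upper} "
        f"-P {e.direction} ipsec {e.protocol}/{e.mode}/{e.addrs}/{level};"
        for e in entries)
```

Feeding the fragment through parse_policy and unpaired confirms all eight entries are mirrored; cleartext_fallback flags all eight because they use level "use", and render rewrites them to "require". Two things the SPD alone does not do: it never produces ciphertext by itself (matching SAs must exist, from manual "add" lines or an IKE daemon such as racoon), and with "use" a missing SA silently degrades to plaintext, which is exactly the case the original question wanted to rule out for telnet.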
From owner-freebsd-security@FreeBSD.ORG Mon Sep 26 07:55:24 2005
Message-ID: <4337A962.6020600@gmail.com>
Date: Mon, 26 Sep 2005 09:55:14 +0200
From: "carlopmart@gmail.com"
Cc: freebsd-security
Subject: Re: Encrypt some services with ipsec

Thank you bigby!!!!

--
CL Martinez
carlopmart {at} gmail {d0t} com

From owner-freebsd-security@FreeBSD.ORG Wed Sep 28 00:30:19 2005
Message-ID: <4339E416.8050300@northwestern.edu>
Date: Tue, 27 Sep 2005 19:30:14 -0500
From: Bret Walker
To: freebsd-security
In-Reply-To: <4337A962.6020600@gmail.com>
Subject: 5.X Tripwire Policy File
Hello all.

I am just setting up my first 5.X box, and I'm in the process of fine
tuning my tripwire policy file. I am much more familiar with 4.X than I
am with 5, so I'm worried that I may be missing a critical element of
5.X in my policy file. Cy (the tripwire port maintainer) updated the
policy file to a certain extent, but I would appreciate it if those on
the security list would provide some more feedback as to what should
definitely be in a tripwire policy file for a 5.X box. I know most good
sysadmins use tripwire, so I think it would be good to have a well
thought out policy file for 5.X that others may use as well.

I've attached mine to this message.

Thanks,
Bret

Attachment: twpol.txt

#
# Policy file for FreeBSD
#
# $FreeBSD: ports/security/tripwire/files/twpol.txt,v 1.3 2005/08/09 18:24:15 cy Exp $
#
# This is the example Tripwire Policy file.  It is intended as a place to
# start creating your own custom Tripwire Policy file.  Referring to it as
# well as the Tripwire Policy Guide should give you enough information to
# make a good custom Tripwire Policy file that better covers your
# configuration and security needs.  A text version of this policy file is
# called twpol.txt.
#
# Note that this file is tuned to an install of FreeBSD using
# buildworld.  If run unmodified, this file should create no errors on
# database creation, or violations on a subsequent integrity check.
# However it is impossible for there to be one policy file for all machines,
# so this existing one errs on the side of security.  Your FreeBSD
# configuration will most likely differ from the one our policy file was
# tuned to, and will therefore require some editing of the default
# Tripwire Policy file.
#
# The example policy file is best run with 'Loose Directory Checking'
# enabled.  Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration
# file.
#
# Email support is not included and must be added to this file.
# Add the 'emailto=' to the rule directive section of each rule (add a comma
# after the 'severity=' line and add an 'emailto=' and include the email
# addresses you want the violation reports to go to).  Addresses are
# semi-colon delimited.
#
#
# Global Variable Definitions
#
# These are defined at install time by the installation script.  You may
# manually edit these if you are using this file directly and not from the
# installation script itself.
#

@@section GLOBAL
TWDOCS="/usr/local/share/doc/tripwire";
TWBIN="/usr/local/sbin";
TWPOL="/usr/local/etc/tripwire";
TWDB="/var/db/tripwire";
TWSKEY="/usr/local/etc/tripwire";
TWLKEY="/usr/local/etc/tripwire";
TWREPORT="/var/db/tripwire/report";
HOSTNAME=speedy.medill.northwestern.edu;

@@section FS
SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change
SEC_SUID      = $(IgnoreNone)-SHa ;  # Binaries with the SUID or SGID flags set
SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change
SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed infrequently but accessed often
SEC_TTY       = $(Dynamic)-ugp ;     # Tty files that change ownership at login
SEC_LOG       = $(Growing) ;         # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ;              # Directories that should never change permission or ownership
SIG_LOW       = 33 ;                 # Non-critical files that are of minimal security impact
SIG_MED       = 66 ;                 # Non-critical files that are of significant security impact
SIG_HI        = 100 ;                # Critical files that are significant points of vulnerability

# Tripwire Binaries
(
  rulename = "Tripwire Binaries",
  severity = $(SIG_HI)
)
{
  $(TWBIN)/siggen   -> $(SEC_BIN) ;
  $(TWBIN)/tripwire -> $(SEC_BIN) ;
  $(TWBIN)/twadmin  -> $(SEC_BIN) ;
  $(TWBIN)/twprint  -> $(SEC_BIN) ;
}

# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
  rulename = "Tripwire Data Files",
  severity = $(SIG_HI)
)
{
  # NOTE: We remove the inode attribute because when Tripwire creates a backup,
  # it does so by renaming the old file and creating a new one (which will
  # have a new inode number).  Inode is left turned on for keys, which shouldn't
  # ever change.

  # NOTE: The first integrity check triggers this rule and each integrity check
  # afterward triggers this rule until a database update is run, since the
  # database file does not exist before that point.
  $(TWDB)                          -> $(SEC_CONFIG) -i ;
  $(TWPOL)/tw.pol                  -> $(SEC_BIN) -i ;
  $(TWPOL)/tw.cfg                  -> $(SEC_BIN) -i ;
  $(TWPOL)/twcfg.txt               -> $(SEC_BIN) ;
  $(TWPOL)/twpol.txt               -> $(SEC_BIN) ;
  $(TWLKEY)/$(HOSTNAME)-local.key  -> $(SEC_BIN) ;
  $(TWSKEY)/site.key               -> $(SEC_BIN) ;

  # don't scan the individual reports
  $(TWREPORT)                      -> $(SEC_CONFIG) (recurse=0) ;
}

# Tripwire HQ Connector Binaries
#(
#  rulename = "Tripwire HQ Connector Binaries",
#  severity = $(SIG_HI)
#)
#{
#  $(TWBIN)/hqagent -> $(SEC_BIN) ;
#}
#
# Tripwire HQ Connector - Configuration Files, Keys, and Logs
#
# Note: File locations here are different than in a stock HQ Connector
# installation.  This is because Tripwire 2.3 uses a different path
# structure than Tripwire 2.2.1.
#
# You may need to update your HQ Agent configuration file (or this policy
# file) to correct the paths.  We have attempted to support the FHS standard
# here by placing the HQ Agent files similarly to the way Tripwire 2.3
# places them.
#
#(
#  rulename = "Tripwire HQ Connector Data Files",
#  severity = $(SIG_HI)
#)
#{
#
#  # NOTE: Removing the inode attribute because when Tripwire creates a backup
#  # it does so by renaming the old file and creating a new one (which will
#  # have a new inode number).  Leaving inode turned on for keys, which
#  # shouldn't ever change.
#
#  $(TWBIN)/agent.cfg            -> $(SEC_BIN) -i ;
#  $(TWLKEY)/authentication.key  -> $(SEC_BIN) ;
#  $(TWDB)/tasks.dat             -> $(SEC_CONFIG) ;
#  $(TWDB)/schedule.dat          -> $(SEC_CONFIG) ;
#
#  # Uncomment if you have agent logging enabled.
#  #/var/log/tripwire/agent.log  -> $(SEC_LOG) ;
#}

# Commonly accessed directories that should remain static with regards to owner and group
(
  rulename = "Invariant Directories",
  severity = $(SIG_MED)
)
{
  /     -> $(SEC_INVARIANT) (recurse = false) ;
  /home -> $(SEC_INVARIANT) (recurse = false) ;
}

#
# First, root's "home"
#
(
  rulename = "Root's home",
  severity = $(SIG_HI)
)
{
  # /.rhosts   -> $(SEC_CRIT) ;
  /.profile    -> $(SEC_CRIT) ;
  /.cshrc      -> $(SEC_CRIT) ;
  # /.login    -> $(SEC_CRIT) ;
  # /.exrc     -> $(SEC_CRIT) ;
  # /.logout   -> $(SEC_CRIT) ;
  # /.forward  -> $(SEC_CRIT) ;
  /root        -> $(SEC_CRIT) (recurse = true) ;
  !/root/.history ;
  !/root/.bash_history ;
  # !/root/.lsof_SYSTEM_NAME ;  # Uncomment if lsof is installed
}

#
# FreeBSD Kernel
#
(
  rulename = "FreeBSD Kernel",
  severity = $(SIG_HI)
)
{
  # /boot is used by FreeBSD 5.X+
  /boot             -> $(SEC_CRIT) ;
  # /kernel is used by FreeBSD 4.X
  # /kernel         -> $(SEC_CRIT) ;
  # /kernel.old     -> $(SEC_CRIT) ;
  # /kernel.GENERIC -> $(SEC_CRIT) ;
}

#
# FreeBSD Modules
#
(
  rulename = "FreeBSD Modules",
  severity = $(SIG_HI)
)
{
  # /modules is used by FreeBSD 4.X
  # /modules     -> $(SEC_CRIT) (recurse = true) ;
  # /modules.old -> $(SEC_CRIT) (recurse = true) ;
  # /lkm is used by FreeBSD 2.X and 3.X
  # /lkm         -> $(SEC_CRIT) (recurse = true) ;  # uncomment if using lkm kld
}

#
# System Administration Programs
#
(
  rulename = "System Administration Programs",
  severity = $(SIG_HI)
)
{
  /sbin     -> $(SEC_CRIT) (recurse = true) ;
  /usr/sbin -> $(SEC_CRIT) (recurse = true) ;
}

#
# User Utilities
#
(
  rulename = "User Utilities",
  severity = $(SIG_HI)
)
{
  /bin     -> $(SEC_CRIT) (recurse = true) ;
  /usr/bin -> $(SEC_CRIT) (recurse = true) ;
}

#
# /dev
#
(
  rulename = "/dev",
  severity = $(SIG_HI)
)
{
  # XXX Do we really need to verify the integrity of /dev on 5.X?
  # /dev         -> $(Device) (recurse = true) ;
  # !/dev/vga ;
  # !/dev/dri ;
  # /dev/console -> $(SEC_TTY) ;
  # /dev/ttyv0   -> $(SEC_TTY) ;
  # /dev/ttyv1   -> $(SEC_TTY) ;
  # /dev/ttyv2   -> $(SEC_TTY) ;
  # /dev/ttyv3   -> $(SEC_TTY) ;
  # /dev/ttyv4   -> $(SEC_TTY) ;
  # /dev/ttyv5   -> $(SEC_TTY) ;
  # /dev/ttyv6   -> $(SEC_TTY) ;
  # /dev/ttyv7   -> $(SEC_TTY) ;
  # /dev/ttyp0   -> $(SEC_TTY) ;
  # /dev/ttyp1   -> $(SEC_TTY) ;
  # /dev/ttyp2   -> $(SEC_TTY) ;
  # /dev/ttyp3   -> $(SEC_TTY) ;
  # /dev/ttyp4   -> $(SEC_TTY) ;
  # /dev/ttyp5   -> $(SEC_TTY) ;
  # /dev/ttyp6   -> $(SEC_TTY) ;
  # /dev/ttyp7   -> $(SEC_TTY) ;
  # /dev/ttyp8   -> $(SEC_TTY) ;
  # /dev/ttyp9   -> $(SEC_TTY) ;
  # /dev/ttypa   -> $(SEC_TTY) ;
  # /dev/ttypb   -> $(SEC_TTY) ;
  # /dev/ttypc   -> $(SEC_TTY) ;
  # /dev/ttypd   -> $(SEC_TTY) ;
  # /dev/ttype   -> $(SEC_TTY) ;
  # /dev/ttypf   -> $(SEC_TTY) ;
  # /dev/ttypg   -> $(SEC_TTY) ;
  # /dev/ttyph   -> $(SEC_TTY) ;
  # /dev/ttypi   -> $(SEC_TTY) ;
  # /dev/ttypj   -> $(SEC_TTY) ;
  # /dev/ttypl   -> $(SEC_TTY) ;
  # /dev/ttypm   -> $(SEC_TTY) ;
  # /dev/ttypn   -> $(SEC_TTY) ;
  # /dev/ttypo   -> $(SEC_TTY) ;
  # /dev/ttypp   -> $(SEC_TTY) ;
  # /dev/ttypq   -> $(SEC_TTY) ;
  # /dev/ttypr   -> $(SEC_TTY) ;
  # /dev/ttyps   -> $(SEC_TTY) ;
  # /dev/ttypt   -> $(SEC_TTY) ;
  # /dev/ttypu   -> $(SEC_TTY) ;
  # /dev/ttypv   -> $(SEC_TTY) ;
  # /dev/cuaa0   -> $(SEC_TTY) ;  # modem
}

#
# /etc
#
(
  rulename = "/etc",
  severity = $(SIG_HI)
)
{
  /etc                 -> $(SEC_CRIT) (recurse = true) ;
  # /etc/mail/aliases  -> $(SEC_CONFIG) ;
  /etc/dumpdates       -> $(SEC_CONFIG) ;
  /etc/motd            -> $(SEC_CONFIG) ;
  !/etc/ppp/connect-errors ;
  # /etc/skeykeys      -> $(SEC_CONFIG) ;
  # Uncomment the following 4 lines if your password file does not change
  # /etc/passwd        -> $(SEC_CONFIG) ;
  # /etc/master.passwd -> $(SEC_CONFIG) ;
  # /etc/pwd.db        -> $(SEC_CONFIG) ;
  # /etc/spwd.db       -> $(SEC_CONFIG) ;
}

#
# Compatibility (Linux)
#
(
  rulename = "Linux Compatibility",
  severity = $(SIG_HI)
)
{
  /compat -> $(SEC_CRIT) (recurse = true) ;
  #
  # Uncomment the following if Linux compatibility is used.  Replace
  # HOSTNAME1 and HOSTNAME2 with the hosts that have Linux emulation port
  # installed.
  #
  #@@ifhost HOSTNAME1 || HOSTNAME2
  # /compat/linux/etc                -> $(SEC_INVARIANT) (recurse = false) ;
  # /compat/linux/etc/X11            -> $(SEC_CONFIG) (recurse = true) ;
  # /compat/linux/etc/pam.d          -> $(SEC_CONFIG) (recurse = true) ;
  # /compat/linux/etc/profile.d      -> $(SEC_CONFIG) (recurse = true) ;
  # /compat/linux/etc/real           -> $(SEC_CONFIG) (recurse = true) ;
  # /compat/linux/etc/bashrc         -> $(SEC_CONFIG) ;
  # /compat/linux/etc/csh.login      -> $(SEC_CONFIG) ;
  # /compat/linux/etc/host.conf      -> $(SEC_CONFIG) ;
  # /compat/linux/etc/hosts.allow    -> $(SEC_CONFIG) ;
  # /compat/linux/etc/hosts.deny     -> $(SEC_CONFIG) ;
  # /compat/linux/etc/info-dir       -> $(SEC_CONFIG) ;
  # /compat/linux/etc/inputrc        -> $(SEC_CONFIG) ;
  # /compat/linux/etc/ld.so.conf     -> $(SEC_CONFIG) ;
  # /compat/linux/etc/nsswitch.conf  -> $(SEC_CONFIG) ;
  # /compat/linux/etc/profile        -> $(SEC_CONFIG) ;
  # /compat/linux/etc/redhat-release -> $(SEC_CONFIG) ;
  # /compat/linux/etc/rpc            -> $(SEC_CONFIG) ;
  # /compat/linux/etc/securetty      -> $(SEC_CONFIG) ;
  # /compat/linux/etc/shells         -> $(SEC_CONFIG) ;
  # /compat/linux/etc/termcap        -> $(SEC_CONFIG) ;
  # /compat/linux/etc/yp.conf        -> $(SEC_CONFIG) ;
  # !/compat/linux/etc/ld.so.cache ;
  # !/compat/linux/var/spool/mail ;
  #@@endif
}

#
# Libraries, include files, and other system files
#
(
  rulename = "Libraries, include files, and other system files",
  severity = $(SIG_HI)
)
{
  /usr/include   -> $(SEC_CRIT) (recurse = true) ;
  /usr/lib       -> $(SEC_CRIT) (recurse = true) ;
  /usr/libdata   -> $(SEC_CRIT) (recurse = true) ;
  /usr/libexec   -> $(SEC_CRIT) (recurse = true) ;
  /usr/share     -> $(SEC_CRIT) (recurse = true) ;
  /usr/share/man -> $(SEC_CONFIG) ;
  !/usr/share/man/whatis ;
  !/usr/share/man/.glimpse_filenames ;
  !/usr/share/man/.glimpse_filenames_index ;
  !/usr/share/man/.glimpse_filetimes ;
  !/usr/share/man/.glimpse_filters ;
  !/usr/share/man/.glimpse_index ;
  !/usr/share/man/.glimpse_messages ;
  !/usr/share/man/.glimpse_partitions ;
  !/usr/share/man/.glimpse_statistics ;
  !/usr/share/man/.glimpse_turbo ;
  /usr/share/man/man1 -> $(SEC_CRIT) (recurse = true) ;
  /usr/share/man/man2 -> $(SEC_CRIT) (recurse = true) ;
  /usr/share/man/man3 -> $(SEC_CRIT) (recurse = true) ;
  /usr/share/man/man4 -> $(SEC_CRIT) (recurse = true) ;
  /usr/share/man/man5 -> $(SEC_CRIT) (recurse = true) ;
  /usr/share/man/man6 -> $(SEC_CRIT) (recurse = true) ;
  /usr/share/man/man7 -> $(SEC_CRIT) (recurse = true) ;
  /usr/share/man/man8 -> $(SEC_CRIT) (recurse = true) ;
  /usr/share/man/man9 -> $(SEC_CRIT) (recurse = true) ;
  # /usr/share/man/mann -> $(SEC_CRIT) (recurse = true) ;
  ! /usr/share/man/cat1 ;
  ! /usr/share/man/cat2 ;
  ! /usr/share/man/cat3 ;
  ! /usr/share/man/cat4 ;
  ! /usr/share/man/cat5 ;
  ! /usr/share/man/cat6 ;
  ! /usr/share/man/cat7 ;
  ! /usr/share/man/cat8 ;
  ! /usr/share/man/cat9 ;
  ! /usr/share/man/catl ;
  ! /usr/share/man/catn ;
  # /usr/share/perl/man -> $(SEC_CONFIG) ;
  !/usr/share/perl/man/whatis ;
  !/usr/share/perl/man/.glimpse_filenames ;
  !/usr/share/perl/man/.glimpse_filenames_index ;
  !/usr/share/perl/man/.glimpse_filetimes ;
  !/usr/share/perl/man/.glimpse_filters ;
  !/usr/share/perl/man/.glimpse_index ;
  !/usr/share/perl/man/.glimpse_messages ;
  !/usr/share/perl/man/.glimpse_partitions ;
  !/usr/share/perl/man/.glimpse_statistics ;
  !/usr/share/perl/man/.glimpse_turbo ;
  # /usr/share/perl/man/man3 -> $(SEC_CRIT) (recurse = true) ;
  ! /usr/share/perl/man/cat3 ;
  # /usr/local/lib/perl5/5.00503/man -> $(SEC_CONFIG) ;
  ! /usr/local/lib/perl5/5.00503/man/whatis ;
  ! /usr/local/lib/perl5/5.00503/man/.glimpse_filters ;
  ! /usr/local/lib/perl5/5.00503/man/.glimpse_filetimes ;
  ! /usr/local/lib/perl5/5.00503/man/.glimpse_messages ;
  ! /usr/local/lib/perl5/5.00503/man/.glimpse_statistics ;
  ! /usr/local/lib/perl5/5.00503/man/.glimpse_index ;
  ! /usr/local/lib/perl5/5.00503/man/.glimpse_turbo ;
  ! /usr/local/lib/perl5/5.00503/man/.glimpse_partitions ;
  ! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames ;
  ! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames_index ;
  # /usr/local/lib/perl5/5.00503/man/man3 -> $(SEC_CRIT) (recurse = true) ;
  ! /usr/local/lib/perl5/5.00503/man/cat3 ;
}

#
# X11R6
#
(
  rulename = "X11R6",
  severity = $(SIG_HI)
)
{
  /usr/X11R6                        -> $(SEC_CRIT) (recurse = true) ;
  # /usr/X11R6/lib/X11/xdm          -> $(SEC_CONFIG) (recurse = true) ;
  !/usr/X11R6/lib/X11/xdm/xdm-errors ;
  !/usr/X11R6/lib/X11/xdm/authdir/authfiles ;
  !/usr/X11R6/lib/X11/xdm/xdm-pid ;
  # /usr/X11R6/lib/X11/xkb/compiled -> $(SEC_CONFIG) (recurse = true) ;
  /usr/X11R6/man                    -> $(SEC_CONFIG) ;
  !/usr/X11R6/man/whatis ;
  !/usr/X11R6/man/.glimpse_filenames ;
  !/usr/X11R6/man/.glimpse_filenames_index ;
  !/usr/X11R6/man/.glimpse_filetimes ;
  !/usr/X11R6/man/.glimpse_filters ;
  !/usr/X11R6/man/.glimpse_index ;
  !/usr/X11R6/man/.glimpse_messages ;
  !/usr/X11R6/man/.glimpse_partitions ;
  !/usr/X11R6/man/.glimpse_statistics ;
  !/usr/X11R6/man/.glimpse_turbo ;
  /usr/X11R6/man/man1 -> $(SEC_CRIT) (recurse = true) ;
  /usr/X11R6/man/man2 -> $(SEC_CRIT) (recurse = true) ;
  /usr/X11R6/man/man3 -> $(SEC_CRIT) (recurse = true) ;
  /usr/X11R6/man/man4 -> $(SEC_CRIT) (recurse = true) ;
  /usr/X11R6/man/man5 -> $(SEC_CRIT) (recurse = true) ;
  /usr/X11R6/man/man6 -> $(SEC_CRIT) (recurse = true) ;
  /usr/X11R6/man/man7 -> $(SEC_CRIT) (recurse = true) ;
  /usr/X11R6/man/man8 -> $(SEC_CRIT) (recurse = true) ;
  /usr/X11R6/man/man9 -> $(SEC_CRIT) (recurse = true) ;
  /usr/X11R6/man/manl -> $(SEC_CRIT) (recurse = true) ;
  /usr/X11R6/man/mann -> $(SEC_CRIT) (recurse = true) ;
  ! /usr/X11R6/man/cat1 ;
  ! /usr/X11R6/man/cat2 ;
  ! /usr/X11R6/man/cat3 ;
  ! /usr/X11R6/man/cat4 ;
  ! /usr/X11R6/man/cat5 ;
  ! /usr/X11R6/man/cat6 ;
  ! /usr/X11R6/man/cat7 ;
  ! /usr/X11R6/man/cat8 ;
  ! /usr/X11R6/man/cat9 ;
  ! /usr/X11R6/man/catl ;
  ! /usr/X11R6/man/catn ;
}

#
# sources
#
(
  rulename = "Sources",
  severity = $(SIG_HI)
)
{
  /usr/src               -> $(SEC_CRIT) (recurse = true) ;
  # /usr/src/sys/compile -> $(SEC_CONFIG) (recurse = false) ;
}

#
# NIS
#
(
  rulename = "NIS",
  severity = $(SIG_HI)
)
{
  /var/yp -> $(SEC_CRIT) (recurse = true) ;
  !/var/yp/binding ;
}

#
# Temporary directories
#
(
  rulename = "Temporary directories",
  recurse = false,
  severity = $(SIG_LOW)
)
{
  # /usr/tmp    -> $(SEC_INVARIANT) ;
  /var/tmp      -> $(SEC_INVARIANT) ;
  /var/preserve -> $(SEC_INVARIANT) ;
  /tmp          -> $(SEC_INVARIANT) ;
}

#
# Local files
#
(
  rulename = "Local files",
  severity = $(SIG_MED)
)
{
  /usr/local/bin     -> $(SEC_BIN) (recurse = true) ;
  /usr/local/sbin    -> $(SEC_BIN) (recurse = true) ;
  /usr/local/etc     -> $(SEC_BIN) (recurse = true) ;
  /usr/local/lib     -> $(SEC_BIN) (recurse = true) ;
  /usr/local/libexec -> $(SEC_BIN) (recurse = true) ;
  /usr/local/share   -> $(SEC_BIN) (recurse = true) ;
  /usr/local/man     -> $(SEC_CONFIG) ;
  !/usr/local/man/whatis ;
  !/usr/local/man/.glimpse_filenames ;
  !/usr/local/man/.glimpse_filenames_index ;
  !/usr/local/man/.glimpse_filetimes ;
  !/usr/local/man/.glimpse_filters ;
  !/usr/local/man/.glimpse_index ;
  !/usr/local/man/.glimpse_messages ;
  !/usr/local/man/.glimpse_partitions ;
  !/usr/local/man/.glimpse_statistics ;
  !/usr/local/man/.glimpse_turbo ;
  /usr/local/man/man1 -> $(SEC_CRIT) (recurse = true) ;
  /usr/local/man/man2 -> $(SEC_CRIT) (recurse = true) ;
  /usr/local/man/man3 -> $(SEC_CRIT) (recurse = true) ;
  /usr/local/man/man4 -> $(SEC_CRIT) (recurse = true) ;
  /usr/local/man/man5 -> $(SEC_CRIT) (recurse = true) ;
  /usr/local/man/man6 -> $(SEC_CRIT) (recurse = true) ;
  /usr/local/man/man7 -> $(SEC_CRIT) (recurse = true) ;
  /usr/local/man/man8 -> $(SEC_CRIT) (recurse = true) ;
  /usr/local/man/man9 -> $(SEC_CRIT) (recurse = true) ;
  /usr/local/man/manl -> $(SEC_CRIT) (recurse = true) ;
  /usr/local/man/mann -> $(SEC_CRIT) (recurse = true) ;
  ! /usr/local/man/cat1 ;
  ! /usr/local/man/cat2 ;
  ! /usr/local/man/cat3 ;
  ! /usr/local/man/cat4 ;
  ! /usr/local/man/cat5 ;
  ! /usr/local/man/cat6 ;
  ! /usr/local/man/cat7 ;
  ! /usr/local/man/cat8 ;
  ! /usr/local/man/cat9 ;
  ! /usr/local/man/catl ;
  ! /usr/local/man/catn ;
  # /usr/local/krb5     -> $(SEC_CRIT) (recurse = true) ;
  # /usr/local/krb5/man -> $(SEC_CONFIG) ;
  !/usr/local/krb5/man/whatis ;
  !/usr/local/krb5/man/.glimpse_filenames ;
  !/usr/local/krb5/man/.glimpse_filenames_index ;
  !/usr/local/krb5/man/.glimpse_filetimes ;
  !/usr/local/krb5/man/.glimpse_filters ;
  !/usr/local/krb5/man/.glimpse_index ;
  !/usr/local/krb5/man/.glimpse_messages ;
  !/usr/local/krb5/man/.glimpse_partitions ;
  !/usr/local/krb5/man/.glimpse_statistics ;
  !/usr/local/krb5/man/.glimpse_turbo ;
  # /usr/local/krb5/man/man1 -> $(SEC_CRIT) (recurse = true) ;
  # /usr/local/krb5/man/man2 -> $(SEC_CRIT) (recurse = true) ;
  # /usr/local/krb5/man/man3 -> $(SEC_CRIT) (recurse = true) ;
  # /usr/local/krb5/man/man4 -> $(SEC_CRIT) (recurse = true) ;
  # /usr/local/krb5/man/man5 -> $(SEC_CRIT) (recurse = true) ;
  # /usr/local/krb5/man/man6 -> $(SEC_CRIT) (recurse = true) ;
  # /usr/local/krb5/man/man7 -> $(SEC_CRIT) (recurse = true) ;
  # /usr/local/krb5/man/man8 -> $(SEC_CRIT) (recurse = true) ;
  # /usr/local/krb5/man/man9 -> $(SEC_CRIT) (recurse = true) ;
  # /usr/local/krb5/man/manl -> $(SEC_CRIT) (recurse = true) ;
  # /usr/local/krb5/man/mann -> $(SEC_CRIT) (recurse = true) ;
  ! /usr/local/krb5/man/cat1 ;
  ! /usr/local/krb5/man/cat2 ;
  ! /usr/local/krb5/man/cat3 ;
  ! /usr/local/krb5/man/cat4 ;
  ! /usr/local/krb5/man/cat5 ;
  ! /usr/local/krb5/man/cat6 ;
  ! /usr/local/krb5/man/cat7 ;
  ! /usr/local/krb5/man/cat8 ;
  ! /usr/local/krb5/man/cat9 ;
  ! /usr/local/krb5/man/catl ;
  ! /usr/local/krb5/man/catn ;
  /usr/local/www -> $(SEC_CONFIG) (recurse = true) ;
}

(
  rulename = "Security Control",
  severity = $(SIG_HI)
)
{
  /etc/group   -> $(SEC_CRIT) ;
  /etc/crontab -> $(SEC_CRIT) ;
}

#=============================================================================
#
# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
# Inc. in the United States and other countries. All rights reserved.
#
# FreeBSD is a registered trademark of the FreeBSD Project Inc.
#
# UNIX is a registered trademark of The Open Group.
#
#=============================================================================
#
# Permission is granted to make and distribute verbatim copies of this document
# provided the copyright notice and this permission notice are preserved on all
# copies.
#
# Permission is granted to copy and distribute modified versions of this
# document under the conditions for verbatim copying, provided that the entire
# resulting derived work is distributed under the terms of a permission notice
# identical to this one.
#
# Permission is granted to copy and distribute translations of this document
# into another language, under the above conditions for modified versions,
# except that this permission notice may be stated in a translation approved by
# Tripwire, Inc.
#
# DCM
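Bret's question is really "what does this policy look at, and what does it miss?", and the answer is decided by three things in the file: which entry is the most specific prefix of a path, whether that entry's recursion depth reaches the path, and whether a "!" stop point excludes it. The following is an added example, not Tripwire's own code and not part of the thread: a Python reader for the subset of the twpol.txt grammar the attachment uses (variables, rule headers, "path -> $(MASK) (attrs) ;" entries and "!path ;" stop points) that answers that question for a given path. SAMPLE_TWPOL is a constructed excerpt of the attached file; built-in masks such as $(IgnoreNone) are left unexpanded, and the function names are this example's own.

```python
"""Answer "which Tripwire rule covers this path?" for a twpol.txt policy.
Added illustration, not Tripwire's own code; SAMPLE_TWPOL is a constructed
excerpt of the attached file.  Built-in masks like $(IgnoreNone) stay unexpanded."""
import re
from dataclasses import dataclass, field

SAMPLE_TWPOL = r"""
@@section FS
SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change
SEC_CONFIG    = $(Dynamic) ;         # Config files that change infrequently
SEC_INVARIANT = +tpug ;              # Dirs whose owner/permissions never change
SIG_LOW = 33 ;
SIG_MED = 66 ;
SIG_HI  = 100 ;
( rulename = "Invariant Directories", severity = $(SIG_MED) )
{
  /     -> $(SEC_INVARIANT) (recurse = false) ;
  /home -> $(SEC_INVARIANT) (recurse = false) ;
}
(
  rulename = "Root's home",
  severity = $(SIG_HI)
)
{
  /root -> $(SEC_CRIT) (recurse = true) ;
  !/root/.history ;
}
( rulename = "/etc", severity = $(SIG_HI) )
{
  /etc      -> $(SEC_CRIT) (recurse = true) ;
  /etc/motd -> $(SEC_CONFIG) ;
}
( rulename = "Temporary directories", recurse = false, severity = $(SIG_LOW) )
{
  /tmp -> $(SEC_INVARIANT) ;
}
"""

@dataclass
class Entry:
    path: str
    mask: str       # property mask after $(VAR) expansion
    rule: str
    severity: int
    recurse: int    # -1 = unlimited, 0 = the object itself only, n = n levels

@dataclass
class Policy:
    entries: list = field(default_factory=list)
    stops: set = field(default_factory=set)   # paths excluded with "!"

ATTR_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^,]+)')
ENTRY_RE = re.compile(r"^(\S+)\s*->\s*(\S+)\s*(?:\((.*)\))?\s*;$")
VAR_RE = re.compile(r"^(\w+)\s*=\s*(.+?)\s*;$")

def _attrs(text):
    return {k: v.strip().strip('"') for k, v in ATTR_RE.findall(text)}

def _recurse(value):
    v = value.strip().lower()
    return -1 if v in ("true", "-1") else 0 if v == "false" else int(v)

def _expand(value, variables):
    return re.sub(r"\$\((\w+)\)", lambda m: variables.get(m.group(1), m.group(0)), value)

def parse_policy(text):
    variables, policy, rule, header, in_header = {}, Policy(), {}, "", False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or line.startswith("@@") or line in ("{", "}"):
            continue
        if in_header or line.startswith("("):         # rule header, maybe multi-line
            header += " " + line
            in_header = header.count("(") > header.count(")")
            if not in_header:                         # strip only the outer parens
                rule, header = _attrs(header.strip()[1:-1]), ""
        elif line.startswith("!"):                    # stop point
            policy.stops.add(line[1:].rstrip(";").strip())
        elif (m := ENTRY_RE.match(line)):
            attrs = _attrs(m.group(3) or "")
            policy.entries.append(Entry(
                path=m.group(1),
                mask=_expand(m.group(2), variables),
                rule=rule.get("rulename", "?"),
                severity=int(_expand(rule.get("severity", "0"), variables)),
                recurse=_recurse(attrs.get("recurse", rule.get("recurse", "true")))))
        elif (m := VAR_RE.match(line)):
            variables[m.group(1)] = _expand(m.group(2), variables)
    return policy

def covering_entry(policy, path):
    """Most specific entry whose recursion depth reaches `path`; None if a
    stop point excludes it or nothing in the policy looks at it."""
    if any(path == s or path.startswith(s + "/") for s in policy.stops):
        return None
    best = None
    for e in policy.entries:
        base = e.path.rstrip("/")                     # "" for the root entry
        if path == e.path:
            depth = 0
        elif path.startswith(base + "/"):
            depth = path[len(base):].count("/")
        else:
            continue
        if e.recurse != -1 and depth > e.recurse:
            continue
        if best is None or len(e.path) > len(best.path):
            best = e
    return best

def uncovered(policy, paths):
    """Paths the policy never checks: the gaps a reviewer would raise."""
    return [p for p in paths if covering_entry(policy, p) is None]
```

Run against the excerpt, covering_entry reports /etc/passwd under the "/etc" rule with mask $(IgnoreNone)-SHa at severity 100, /etc/motd under the more specific $(SEC_CONFIG) entry, and /root/.history as excluded by its stop point; uncovered shows that /home/alice/.profile and /var/log/messages are never examined because "/" and "/home" are declared with recurse = false. Running the full attachment through the same reader is a quick way to turn "what should definitely be in the policy" into a concrete list of paths that fall outside every rule.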
From owner-freebsd-security@FreeBSD.ORG Wed Sep 28 21:49:23 2005
Date: Wed, 28 Sep 2005 23:45:56 +0200 (CEST)
From: Juergen Lock
Message-Id: <200509282145.j8SLjuR0092873@saturn.kn-bremen.de>
To: nectar@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: Re: New FreeBSD Security Officer

Btw, should one expect a confirmation email when emailing
security-officer@FreeBSD.org about a (possibly) new hole? I'm wondering
if two mails I sent got lost somehow...
Juergen

From owner-freebsd-security@FreeBSD.ORG Thu Sep 29 12:12:28 2005
Date: Thu, 29 Sep 2005 05:12:27 -0700 (PDT)
From: Arne Wörner
Message-ID: <20050929121227.15619.qmail@web30315.mail.mud.yahoo.com>
To: Juergen Lock
In-Reply-To: <200509282145.j8SLjuR0092873@saturn.kn-bremen.de>
Cc: freebsd-security@freebsd.org
Subject: Re: New FreeBSD Security Officer

--- Juergen Lock wrote:
> Btw, should one expect a confirmation email when emailing
> security-officer@FreeBSD.org about a (possibly) new hole? I'm
> wondering if two mails I sent got lost somehow...
>

On http://www.freebsd.org./security/ I found the following:

"All FreeBSD Security issues should be reported directly to the Security
Officer Team (mailto:security@FreeBSD.org) personally or otherwise to the
Security Officer (mailto:security-officer@FreeBSD.org). All reports should
at least contain: A description of the vulnerability; What versions of
FreeBSD seem to be affected if possible; Any plausible workaround; And
example code if possible. After this information has been reported the
Security Officer or a Security Team delegate will get back with you."

This clearly says that you contacted the right person, and that somebody
should "get back with you"... But it does not say when... Maybe in a
"timely manner"? :-))

I say, have u tried both email addresses (team and the SecOff himself)?
I say, when did you send those two emails?

-Arne

From owner-freebsd-security@FreeBSD.ORG Thu Sep 29 12:25:52 2005
Date: Thu, 29 Sep 2005 14:26:41 +0200
From: "Simon L. Nielsen"
To: Juergen Lock
Message-ID: <20050929122640.GB75250@eddie.nitro.dk>
References: <200509282145.j8SLjuR0092873@saturn.kn-bremen.de>
In-Reply-To: <200509282145.j8SLjuR0092873@saturn.kn-bremen.de>
Cc: nectar@freebsd.org, freebsd-security@freebsd.org
Subject: Re: New FreeBSD Security Officer

On 2005.09.28 23:45:56 +0200, Juergen Lock wrote:
> Btw, should one expect a confirmation email when emailing
> security-officer@FreeBSD.org about a (possibly) new hole? I'm
> wondering if two mails I sent got lost somehow...

You will not get an automated reply, but somebody should get back to you.

I just checked both my main so@ (AKA security-officer@FreeBSD.org) mailbox
and my so@ spam mailbox, and I don't see a mail from you in either place.
I was only added to the so@ alias a month ago, so if the mail is from
before around August 30 I will not have it (but cperciva, nectar, and
rwatson will).

Please try to resend to security-officer@, and/or to Colin and me.

-- 
Simon L. Nielsen
FreeBSD Deputy Security Officer