From: Socketd
To: twig les, security@freebsd.org
Date: Wed, 30 Jul 2003 20:14:00 +0200
Subject: Re: suid bit files + securing FreeBSD (new program: LockDown)
Message-Id: <20030730201400.1708d588.db@traceroute.dk>
In-Reply-To: <20030730171658.65834.qmail@web10102.mail.yahoo.com>

On Wed, 30 Jul 2003 10:16:58 -0700 (PDT) twig les wrote:

> I really like the sound of having a shell script to run and lock
> down systems right after install (or makeworld upgrade); I was
> considering hacking something together myself with my altogether
> mediocre scripting skills. Might I suggest that it have a conf
> file that sets up a script that we can simply scp to another box
> and run without having to have a conf file on that box? Also
> can we email you privately with "feature requests" like setting
> umask, etc.?

Well, LockDown only has two files (the executable and the conf file) and I'm gonna write it in C++, so making the C++ write a second program in a different language (which I don't master) is maybe a little overkill ;-) But feel free to write me.

I will start working on LockDown in about 2-3 weeks (I think) and I'll post a notice here when I am "done".

> If you run with this I hope you'll post the script somewhere and
> tell us so we can tinker with it until it makes it to the ports
> or whatever. It makes more sense than me just making a
> checklist and following it every time.

LockDown is just an automatic security checklist ;-)

br
socketd
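What twig les asks for above, a conf file baked into a script that can be copied to another box and run with nothing beside it, as an added example in POSIX sh; this is not LockDown's code, and the conf keys UMASK and SUID_ALLOW are assumptions:

```shell
#!/bin/sh
# Added example, not part of LockDown: read a small key=value conf and emit a
# self-contained check script with the settings embedded, so the generated
# file can be scp'd to another host without carrying the conf along.
# Assumed conf keys: UMASK (e.g. 0022) and SUID_ALLOW (space-separated paths
# of setuid binaries that are expected). Values must not contain single quotes.

gen_lockdown() {
  conf="$1"
  umask_val=$(sed -n 's/^UMASK=//p' "$conf")
  suid_allow=$(sed -n 's/^SUID_ALLOW=//p' "$conf")
  # Unquoted heredoc: $conf, $umask_val and $suid_allow expand now; the \$
  # variables survive into the generated script.
  cat <<EOF
#!/bin/sh
# Generated from $conf; settings are embedded, no conf file is needed here.
# Usage: sh lockdown.sh [root-dir]   (defaults to /); only reports, never changes.
WANT_UMASK='$umask_val'
SUID_ALLOW='$suid_allow'
cur=\$(umask)
[ "\$cur" = "\$WANT_UMASK" ] || echo "umask is \$cur, expected \$WANT_UMASK"
# List setuid files outside the allow-list; -perm -4000 works on BSD and GNU find.
find "\${1:-/}" -xdev -type f -perm -4000 2>/dev/null | while read -r f; do
  case " \$SUID_ALLOW " in
    *" \$f "*) ;;
    *) echo "unexpected setuid: \$f" ;;
  esac
done
EOF
}
```

The generated script is an audit only: it prints a umask mismatch and any setuid file not on the allow-list, which is the checklist step the thread's subject refers to, without modifying the box.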