From: Poul-Henning Kamp
To: Warner Losh
Cc: Liam Slusser, Kenny Drobnack, "Harry M. Leitzell", security@FreeBSD.ORG
Subject: Re: BPF on in 3.3-RC GENERIC kernel
In-reply-to: Your message of "Fri, 17 Sep 1999 14:04:10 MDT." <199909172004.OAA04763@harmony.village.org>
Date: Fri, 17 Sep 1999 22:18:35 +0200
Message-ID: <5082.937599515@critter.freebsd.dk>
Sender: owner-freebsd-security@FreeBSD.ORG

There is a new kid in town if it comes to fortifying your FreeBSD box: jail(2|8)

I have installed a couple of machines now where everything it does for a living happens inside a jail. One of the machines has no network services running in the "unjailed" part, you can only access it from the console.

The advantage to this approach is that the *REAL* system is protected independently of any application needed specific weak points.

The way I set it up:

    boot normally:
        no network configured
        application disks not mounted.
    fsck application disks.
    mount application disks.
    consistency check specified files using only tools from the
    un-jailed part of the system.
    ifconfig interfaces.
    Start jail(s) running on application disks
    optional: start sshd in unjailed part.

In essence this gives you a machine "that boots before it boots", and it allows you to really close some doors.

It also limits the abilities of an intruder gaining root in the jail.

try it...

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!
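
The boot sequence described in the message above, sketched as an added example (not part of the original post and not the FreeBSD project's code). It uses the `jail -c` parameter syntax of later FreeBSD releases; the device, jail root, manifest path and format, interface em0, hostname and 192.0.2.10 address are assumptions, and privileged commands are only printed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added illustration. Device, paths, interface, addresses and the manifest
# format are assumptions; nothing under $APP_ROOT is ever executed.
PATH=/sbin:/bin:/usr/sbin:/usr/bin; export PATH   # host (un-jailed) tools only

APP_DEV=${APP_DEV:-/dev/da1s1e}               # placeholder application disk
APP_ROOT=${APP_ROOT:-/jails/app}              # placeholder jail root
MANIFEST=${MANIFEST:-/etc/jail-app.manifest}  # on the host disk: "<sha256>  <relative path>"
DRY_RUN=${DRY_RUN:-1}                         # 1 = print privileged commands only

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                        # FreeBSD base system
    else
        sha256sum "$1" | cut -d' ' -f1        # GNU coreutils, for trying this elsewhere
    fi
}

# verify_manifest MANIFEST ROOT
# Returns 0 only if every listed file is a regular file with the recorded hash.
verify_manifest() {
    [ -s "$1" ] || { echo "manifest missing or empty: $1" >&2; return 1; }
    bad=0
    while read -r want rel || [ -n "$want" ]; do
        f="$2/$rel"
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "NOT A REGULAR FILE $rel" >&2; bad=1
        elif [ "$(hash_file "$f")" != "$want" ]; then
            echo "CHANGED $rel" >&2; bad=1
        fi
    done < "$1"
    return "$bad"
}

# Steps in the order given in the message; a failed check leaves the network down.
bring_up() {
    run fsck -p "$APP_DEV" || return 1
    run mount "$APP_DEV" "$APP_ROOT" || return 1
    verify_manifest "$MANIFEST" "$APP_ROOT" || return 1
    run ifconfig em0 inet 192.0.2.10/24 || return 1
    run jail -c path="$APP_ROOT" host.hostname=app.example.org \
        ip4.addr=192.0.2.10 command=/bin/sh /etc/rc
}

if [ "${1:-}" = start ]; then bring_up; fi
```

The manifest lives on the host disk and is compared with host binaries, so a root compromise inside the jail cannot alter either the reference hashes or the tool that checks them.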