Re: UnixWare

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: MICHAEL R. WIDNER: "ICMP filtering?"
• Previous message: Perry E. Metzger: "Re: UnixWare"
• Maybe in reply to: Carl Corey: "UnixWare"
• Next in thread: der Mouse: "Re: UnixWare"

>This is NOT what I meant. I explicitly mean that you should go beyond
>simply leaving the machine as shipped and should actively remove
>existing SUID facilities to the extent possible and change all
>persistant system processes to run unprivileged if at all possible. I
>do not merely mean "regulating" SUID facilities. I really mean
>actively yanking them out and replacing them with non-SUID facilities.
>I also mean eliminating openings like world writable utmp files,
>devices, etc.

COPS generates a list of SUID files, one of its more useful features.  I am
in the process of going through and determining what _needs_ to be run as
root, and if it does, if anyone else should have access.  I also have
reduced tcp/udp services to a minimum, and any that connect are logged with
tcpwrapper.  Right now it's only a LAN that can connect via tcp, but we are
getting a 56k (ug) connection soon - and it will help to be ready by then.

I know we are getting a cisco router, and I have a question for anyone -
what is the latest version of the router software I need to run to keep
fake ICMP packets from reaching my hosts?  I believe that this was a
somewhat recent upgrade by cisco, thus the presence of nuke.c or whatever
being used to annoy people.  

Also, is there a way to block people running FSP without blocking all udp
packets or relying on blocking udp to certain ports?  I may not be around
full-time on this system, so it is conceivable for a user to set up their
own fsp server in their home dir and not have me notice it for a few weeks
or so.

cc

• Next message: MICHAEL R. WIDNER: "ICMP filtering?"
• Previous message: Perry E. Metzger: "Re: UnixWare"
• Maybe in reply to: Carl Corey: "UnixWare"
• Next in thread: der Mouse: "Re: UnixWare"