On Sun, May 17, 2009 at 03:04:18AM +0200, Ingo Schwarze wrote:
> Hi Joachim, hi Yurij,
>
> Joachim Schipper wrote on Sat, May 16, 2009 at 01:23:20PM +0200:
> > On Fri, May 15, 2009 at 10:39:06PM +0500, Yuriy Grishin wrote:
>
> >> I've installed OpenBSD 4.5 on my home gateway.
> >> Random pids and critical files permission are really cool.
> >> I'm just confused a little bit because I haven't found any way
> >> to check the vulnerabilities of my configuration.
> >> Are there any?
>
> > This is not what you are asking for, but security(8) will run nightly
> > and check various files. This detects unsophisticated intruders and -
> > more importantly - makes it easy to spot and fix misconfigurations.
>
> But be aware of this:
>
> $ man security | tail -n 7
> BUGS
>      The name of this script may provide a false sense of security.
>
>      There are perhaps an infinite number of ways the system can be
>      compromised without this script noticing.

Of course.

> > Of course, it can be extended with your own critical files, if desired.
>
> Actually, security(8), in contrast to daily(8)/weekly/monthly, does not
> support security.local additions right now. I don't see a pressing need
> to implement that hook, either; it would be easy enough, though, just
> adding the two lines
>
>   next_part "Running /etc/security.local:"
>   run_script "security.local"
>
> at the very end of /etc/security does the trick.
>
> Apart from that, I would recommend against locally modifying the script
> /etc/security itself. You can use daily.local for local additions.
> Of course, you can also add files to the changelist(5).
> Perhaps the latter is what you were hinting at.

Oh, I'm sorry, I should have been more clear.

security(8) runs mtree(8) on, amongst others, /etc/mtree/*.secure. Such
files can be freely added, no? That is what I intended to say, but I
didn't actually say it... sorry for any confusion that may have resulted!

Joachim
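As an added example that is not part of this thread and not OpenBSD's own /etc/security script, here is a minimal POSIX sh sketch of the changelist(5) mechanism Ingo points to: each file named in a list is copied to a backup directory on first sight, and later runs report when a listed file is new, missing, or differs from its saved copy, printing the diff. The list format, the backup file naming, the function names (changelist_check, demo_changelist) and the sample pf.conf-style file are all constructed for this illustration; the real security(8) keeps its copies under /var/backups and additionally runs mtree(8) specs for ownership and permission checks, which this sketch does not do.

```shell
#!/bin/sh
# Added example (not OpenBSD's /etc/security): a changelist(5)-style check.
# changelist_check BACKUPDIR LISTFILE
#   LISTFILE holds one path per line ('#' comments and blank lines ignored).
#   For each path, a copy is kept as BACKUPDIR/<flattened path>.current and
#   the previous copy as .backup, mirroring the .current/.backup pairing the
#   real script uses. Output lines: "NEW: ...", "CHANGED: ..." (+ unified diff),
#   "MISSING: ...". Unchanged files print nothing. Always returns 0.
changelist_check() {
    backupdir=$1
    listfile=$2
    mkdir -p "$backupdir"
    grep -v '^[[:space:]]*#' "$listfile" | grep -v '^[[:space:]]*$' |
    while IFS= read -r path; do
        # Flatten "/etc/pf.conf" into "_etc_pf.conf" for the backup file name.
        saved="$backupdir/$(printf '%s' "$path" | tr '/' '_').current"
        if [ ! -e "$path" ]; then
            # A listed file that vanished is itself worth reporting.
            [ -e "$saved" ] && echo "MISSING: $path (last copy in $saved)"
            continue
        fi
        if [ ! -e "$saved" ]; then
            echo "NEW: $path (saving first copy)"
            cp -p "$path" "$saved"
            continue
        fi
        if ! cmp -s "$saved" "$path"; then
            echo "CHANGED: $path"
            diff -u "$saved" "$path" || true   # diff exits 1 when files differ
            cp -p "$saved" "$saved.backup"
            cp -p "$path" "$saved"
        fi
    done
    return 0
}

# Constructed demonstration: a scratch directory stands in for /etc and
# /var/backups, with a pf.conf-like file as the watched item.
demo_changelist() {
    tmp=$(mktemp -d)
    printf 'block in all\npass in on egress proto tcp to port 22\n' > "$tmp/pf.conf"
    printf '# constructed changelist\n%s\n' "$tmp/pf.conf" > "$tmp/changelist"
    changelist_check "$tmp/backups" "$tmp/changelist"   # first run: NEW
    changelist_check "$tmp/backups" "$tmp/changelist"   # second run: silent
    printf 'pass in all\n' >> "$tmp/pf.conf"            # an overly permissive rule appears
    changelist_check "$tmp/backups" "$tmp/changelist"   # third run: CHANGED + diff
    rm -rf "$tmp"
}

demo_changelist
```

Run it nightly from daily.local (as Ingo suggests) or let the shipped changelist(5) do the same for /etc/pf.conf and friends; the point of the third run is that a one-line edit to a critical file shows up as a diff in the next morning's report, whether it came from an administrator or from someone else.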