doc/en/security/security.sgml

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN" [
<!ENTITY base CDATA "..">
<!ENTITY date "$Date: 1998-11-15 16:23:09 $">
<!ENTITY title "FreeBSD Security Guide">
<!ENTITY % includes SYSTEM "../includes.sgml"> %includes;
]>
<!-- $Id: security.sgml,v 1.7 1998-11-15 16:23:09 wosch Exp $ -->

<html>
    &header;

<P>This guide attempts to document some of the tips and tricks used by
many FreeBSD security experts for securing systems and writing secure
code.  It is designed to help you learn about the various ways of protecting
a FreeBSD system against outside attacks and how to recover from such attacks
if and when they should happen.  It also lists the various ways in which
the systems programmer can become more security conscious so he will
 less likely introduce security holes in the first place.</P>

<P>We welcome your comments on the contents and correctness of this page.
Please send email to the <A HREF="mailto:security-officer@FreeBSD.org">
FreeBSD Security Officers</A> if you have changes you'd like to see here.</P>

<H2>The FreeBSD security officer</H2>

<P>FreeBSD takes security seriously, a dedicated team of security officers
providing a focal point for security related communications. A security
officers' main task is to send out advisories when there are known security
holes and otherwise keep abreast of security issues.  The security officers
also communicate with the various <A HREF="http://www.cert.org">CERT</A>
and <A HREF="http://www.first.org/">FIRST</A> teams around the world,
sharing information about vulnerabilities in FreeBSD or utilities commonly
used by FreeBSD, and keeping up to date on security issues in the world at
large.  The security officers are also active members of those
organizations.</P>

<P>When you need to contact the security officers about a sensitive matter,
please use their
<A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc">PGP key</A>
to encrypt your message before sending it.</P>

<H2>FreeBSD security advisories:</H2>

<P>The FreeBSD security officers provide security advisories for
the following releases of FreeBSD:</P>

<UL>
<LI>	the most recent official release of FreeBSD,
<LI>	FreeBSD-current,
<LI>	FreeBSD-stable, when at least 2 releases are based on it.
<LI>	the previous FreeBSD-stable when a "new stable" does not
        yet have 2 releases based on it.
</UL>

At this time, security advisories are available for:
<UL>
<LI>	FreeBSD 2.2.6
<LI>	FreeBSD-current
<LI>	FreeBSD-stable
</UL>

<P>Older releases will not be actively maintained and users are strongly
encouraged to upgrade to one of the supported releases.</P>

<P>An advisory will be sent out when a security hole exists that is
either being actively abused (as indicated to us via reports from end
users or CERT like organizations), or when the security hole is public
knowledge (e.g. because a report has been posted to a public mailing
list).</P>

<P>Like all development efforts, security fixes are first brought into
the <A HREF="../handbook/current.html">FreeBSD-current</A>
branch.  After a couple of days and some testing, the fix is retrofitted
into the supported FreeBSD-stable branch(es) and an advisory then sent out.</P>

<P>Advisories are sent to the following FreeBSD mailing lists:
<UL>
<LI>FreeBSD-security-notifications@freebsd.org
<LI>FreeBSD-security@freebsd.org
<LI>FreeBSD-announce@freebsd.org
</UL>

<P>Advisories are always signed using the FreeBSD security officer
<A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc">PGP key</A>
and are archived, along with their associated patches, at our
<A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/index.html">FTP CERT
repository</A>.  At the time of this writing, the following advisories are
currently available:</P>

<UL>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:01.sliplogin.asc">FreeBSD-SA-96:01.sliplogin.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:02.apache.asc">FreeBSD-SA-96:02.apache.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:03.sendmail-suggestion.asc">FreeBSD-SA-96:03.sendmail-suggestion.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:08.syslog.asc">FreeBSD-SA-96:08.syslog.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:09.vfsload.asc">FreeBSD-SA-96:09.vfsload.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:10.mount_union.asc">FreeBSD-SA-96:10.mount_union.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:11.man.asc">FreeBSD-SA-96:11.man.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:12.perl.asc">FreeBSD-SA-96:12.perl.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:13.comsat.asc">FreeBSD-SA-96:13.comsat.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:14.ipfw.asc">FreeBSD-SA-96:14.ipfw.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:15.ppp.asc">FreeBSD-SA-96:15.ppp.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:16.rdist.asc">FreeBSD-SA-96:16.rdist.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:17.rzsz.asc">FreeBSD-SA-96:17.rzsz.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:18.lpr.asc">FreeBSD-SA-96:18.lpr.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:19.modstat.asc">FreeBSD-SA-96:19.modstat.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:20.stack-overflow.asc">FreeBSD-SA-96:20.stack-overflow.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-96:21.talkd.asc">FreeBSD-SA-96:21.talkd.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-97:01.setlocale">FreeBSD-SA-97:01.setlocale</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-97:02.lpd.asc">FreeBSD-SA-97:02.lpd.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-97:03.sysinstall.asc">FreeBSD-SA-97:03.sysinstall.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-97:04.procfs.asc">FreeBSD-SA-97:04.procfs.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-97:05.open.asc">FreeBSD-SA-97:05.open.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-97:06.f00f.asc">FreeBSD-SA-97:06.f00f.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:01.land.asc">FreeBSD-SA-98:01.land.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:02.mmap.asc">FreeBSD-SA-98:02.mmap.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:03.ttcp.asc">FreeBSD-SA-98:03.ttcp.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:04.mmap.asc">FreeBSD-SA-98:04.mmap.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:05.nfs.asc">FreeBSD-SA-98:05.nfs.asc</A></LI>
<LI><A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:06.icmp.asc">FreeBSD-SA-98:06.icmp.asc</A></LI>
</UL>

<H2>FreeBSD security related information</H2>

<P>If you want to stay up to date on FreeBSD security, you can subscribe
yorself to one of the following mailing lists:</P>

<PRE>
freebsd-security		General security related discussion
freebsd-security-notifications	Security notifications (moderated mailing list)
</PRE>

Send mail to <A HREF="mailto:majordomo@freebsd.org">majordomo@FreeBSD.ORG</A>
with
<PRE>
     subscribe &lt;listname&gt;  [&lt;optional address&gt;]
</PRE>
in the body of the message in order to subscribe yourself.

<H2>What to do when you detect a security compromise:</H2>

<UL>
<LI><B>Determine the level of security breach:</B><BR>
What privilege did the attack get? That of another user or more (up to
root privileges)?</LI>

<LI><B>Determine those parts of the system which are not in their original state
anymore:</B><BR>
What software has been tampered with? You may decide to re-install the
operating system from a safe medium, or you might have MD5 checksums of
the original software with which you can check your system. The tripwire
package also keeps MD5 checksums, though be aware that tripwire might
be tampered with as well and be sure and use a known-good copy.</LI>

<LI><B>Find out how the breakin was done:</B><BR>
Via a well-known security bug? A misconfiguration?  If it's a new bug,
you should warn the <A HREF="mailto:security-officer@freebsd.org">
FreeBSD Security Officer</A>.</LI>

<LI><B>Fix the hole(s):</B><BR>
Install new software that fixes the problems. If you aren't able to get
a fix quickly, you should temporarily disable remote access to your system
until you have done so.</LI>
</UL>

<P><B>Other questions you may ask yourself are:</B></P>
<UL>
<LI>Who do I warn? You can contact the security officer, or even the
local authorities. The choice is up to you.</LI>

<LI>Do I want to trace the person responsible? By not fixing the hole
right away, you have a chance to catch the cracker. Then again, you have
the chance the cracker wipes your disk. The choice is up to you.</LI>

</UL>

<H2><A href="secure.html">How to secure a FreeBSD system</A></H2>

<P>There are several steps involved in securing a FreeBSD system, or in
fact, any UNIX system:</P>

<H2><a href="programmers.html">Security Do's and Don'ts for Programmers</a></H2>

<H2>Other useful security information:</H2>

<UL>
<LI><A href="http://www.cs.purdue.edu/coast/archive/index.html">The COAST
	archive</A>
	Contains a huge collection of security related material.</LI>

<LI><A href="http://www.cs.purdue.edu/coast/hotlist/">
	The COAST Security hotlist</A>
	This page is THE place to start looking for security related
	material. It contains hundreds of useful
	security pointers. Everything you always wanted to know about
	security...and more...</LI>

<LI>The various CERTs (e.g. <A href="http://www.cert.org">www.cert.org</A> and
	<A href="http://www.auscert.org.au">www.auscert.org.au</A>)</LI>

<li><a href="http://SecurityPortal.com">SecurityPortal.com</a>
is intended to be the comprehensive Web site for Internet
Security.   It is dedicated to providing corporate security professionals
with the information and resources needed to protect their networks. We
summarize breaking security news and provide a jumping off point for
Security Alerts, Products, Tools, Tips & Tricks and other Resources.
</li>

<LI>Mailing lists: Bugtraq, BOS, etc.</LI>

</UL>

      &footer
  </body>
</html>