doc/en/security/security.sgml
Wolfram Schneider fcbb5212c8 Fix CERT URLs.
Submitted by:	 yossman <yossman@yoss.nonline.net>
1998-06-23 22:42:14 +00:00


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN" [
<!ENTITY base CDATA "..">
<!ENTITY date "$Date: 1998-06-23 22:42:14 $">
<!ENTITY title "FreeBSD Security Guide">
<!ENTITY % includes SYSTEM "../includes.sgml"> %includes;
]>
<!-- $Id: security.sgml,v 1.2 1998-06-23 22:42:14 wosch Exp $ -->
<html>
&header;
<P>This guide attempts to document some of the tips and tricks used by
many FreeBSD security experts for securing systems and writing secure
code. It is designed to help you learn about the various ways of protecting
a FreeBSD system against outside attacks and how to recover from such attacks
if and when they should happen. It also lists the various ways in which
the systems programmer can become more security conscious and so be
less likely to introduce security holes in the first place.
</P><P>We welcome your comments on the contents and correctness of this page.
Please send email to the <A HREF="mailto:security-officer@FreeBSD.org">
FreeBSD Security Officers</A> if you have changes you'd like to see here.
</P><H2>The FreeBSD security officer</H2>
As FreeBSD takes security seriously, there is a security officer who is
the focal point for security-related communications. The security officer's
main task is to send out advisories when there are known security holes
so FreeBSD users will be able to keep their systems secure. The security
officer also communicates with the various CERTs around the world to
give them information about vulnerabilities within FreeBSD and to receive
information about new ones. As such, the security officer is a member of
<A HREF="http://www.first.org/">FIRST</A>, the Forum of Incident Response
and Security Teams.
<P>
When you contact the security officer about sensitive matters, please use
our <A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc">PGP key</A> to encrypt your
message.
</P><H2>FreeBSD security related information</H2>
If you want to stay up to date on FreeBSD security, you can subscribe
to one of the following mailing lists:
<PRE>
freebsd-security               General security related discussion
freebsd-security-notification  Security notifications (moderated mailing list)
</PRE>
Send mail to <A HREF="mailto:majordomo@freebsd.org">majordomo@FreeBSD.ORG</A>
with
<PRE>
subscribe &lt;listname&gt; [&lt;optional address&gt;]
</PRE>
in the body of the message in order to subscribe yourself.
<P>
Publications of the FreeBSD security officer can also be found at
<A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/">ftp://ftp.freebsd.org/pub/FreeBSD/CERT/</A>.
<P>Handbook?
</P><H2>FreeBSD security advisories:</H2>
FreeBSD provides security advisories for recent releases of FreeBSD.
The advisories will cover these releases:
<UL>
<LI> the most recent official release of FreeBSD,
<LI> FreeBSD-current,
<LI> FreeBSD-stable, when 2 releases are based on it,
<LI> the previous FreeBSD-stable in case the new stable does not
yet have 2 releases based on it.
</UL>
At this time, security advisories are available for:
<UL>
<LI> FreeBSD 2.2.6
<LI> FreeBSD-current
<LI> FreeBSD-stable
</UL>
Older releases will not be actively maintained.
<p>
You are encouraged to upgrade to one of the supported releases.
<p>
An advisory will be sent out when a security hole exists that is either being
actively abused (as indicated to us via reports from end users or CERT-like
organizations), or when the security hole is public knowledge
(e.g. because a report has been posted to a public mailing list).
<p>
Like all development efforts, security fixes are first brought into the
FreeBSD-current branch. After a couple of days, the fix will be retrofitted
into the covered FreeBSD-stable branch(es). Then an advisory will
be sent out.
<p>
Advisories will be sent to the following FreeBSD mailing lists:
<UL>
<LI> FreeBSD-security-notifications
<LI> FreeBSD-security
<LI> FreeBSD-announce
</UL>
Advisories will always be signed using the FreeBSD security-officer
<A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc">PGP key</A>.
<p>
Advisories and patches are archived at our
<A HREF="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/">FTP site</A>.
</P>
<H2>What to do when you detect a security compromise</H2>
<UL>
<LI>Determine the level of the security breach<BR>
What privilege did the attacker get? That of another user or more (up to
root privileges)?
<LI>Determine the part of the system that is no longer in its original
state<BR>
What software has been tampered with? You may decide to re-install the
operating system from a safe medium, or you might have MD5 checksums of
the original software with which you can check your system. The tripwire
package keeps MD5 checksums. Be aware that tripwire might be tampered
with as well.
<LI>Find out how the break-in was done<BR>
Via a well-known security bug? A misconfiguration? When it's a new bug,
warn the FreeBSD Security Officer.
<LI>Fix the hole(s)<BR>
Install new software that fixes the problems. If you aren't able to get
a fix quickly, you can temporarily disable remote access to your system.
</UL>
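<P>The checksum comparison mentioned in the second step, as an added example
that is not part of the original guide. The function names
(md5_of, make_baseline, check_baseline) and the demo tree are constructed for
illustration; the script assumes md5(1) or md5sum is available.</P>

```shell
#!/bin/sh
# Added example: compare a tree against an MD5 baseline recorded while the
# system was known to be good. Keep the baseline (and this script) on
# read-only or offline media, since an intruder can alter anything on disk.

# Print the MD5 digest of one file: md5(1) on FreeBSD, md5sum elsewhere.
md5_of() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# make_baseline DIR: write "digest  path" for each regular file under DIR.
make_baseline() {
    find "$1" -type f | sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(md5_of "$f")" "$f"
    done
}

# check_baseline MANIFEST DIR: report MISSING, MODIFIED and ADDED files.
# Returns 0 when the tree matches the baseline, 1 otherwise.
check_baseline() {
    manifest=$1; dir=$2; status=0
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; status=1
        elif [ "$(md5_of "$path")" != "$sum" ]; then
            echo "MODIFIED $path"; status=1
        fi
    done < "$manifest"
    added=$(find "$dir" -type f | sort | while IFS= read -r f; do
        cut -d' ' -f3- "$manifest" | grep -qxF -- "$f" || echo "ADDED $f"
    done)
    if [ -n "$added" ]; then echo "$added"; status=1; fi
    return $status
}

# Constructed demo tree standing in for a system directory.
demo=$(mktemp -d)
mkdir "$demo/bin"
echo 'original login' > "$demo/bin/login"
echo 'original ls' > "$demo/bin/ls"
make_baseline "$demo/bin" > "$demo/baseline.md5"
echo 'altered login' > "$demo/bin/login"    # simulated tampering
echo 'dropped file' > "$demo/bin/.hidden"   # simulated new file
check_baseline "$demo/baseline.md5" "$demo/bin" || true
rm -rf "$demo"
```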
Other questions you may ask yourself are:
<UL>
<LI>Who do I warn? You can contact the security officer, or even the
local authorities. The choice is up to you.
<LI>Do I want to trace the person responsible? By not fixing the hole
right away, you have a chance to catch the cracker. Then again, you have
the chance the cracker wipes your disk. The choice is up to you.
</UL>
<h2><a href="secure.html">How to secure a FreeBSD system</a></h2>
There are several steps involved in securing a FreeBSD system, or in
fact any UNIX system.
<h2><a href="programmers.html">Security Do's and Don'ts for Programmers</a></h2>
<H2>Other useful security information:</H2>
<UL>
<LI><A href="http://www.cs.purdue.edu/coast/archive/index.html">The COAST
archive</A>
Contains a huge collection of security related material.
<LI><A href="http://www.cs.purdue.edu/homes/spaf/hotlists/csec.htm">
The COAST Security hotlist</A>
This page is THE place to start looking for security related
material. It contains hundreds of useful
security pointers. Everything you always wanted to know about
security...and more...
<LI>The various CERTs (e.g. <A href="http://www.cert.org">www.cert.org</A> and
<A href="http://www.auscert.org.au">www.auscert.org.au</A>)
<LI>Mailing lists: Bugtraq, BOS
</ul>
&footer
</body>
</html>