
Re: What to do about checksecurity



> At present, the checksecurity script doesn't check nfs/afs/whatever
> disks only if they are mounted (nosuid or noexec) and nodev. About
> once a month I get an e-mail or bug report from someone who doesn't
> like this, because of the extensive network access involved. I write
> back a letter saying that if they don't want this to happen they
> can either do their nfs/afs/whatever mounts nosuid,nodev, or modify
> /etc/checksecurity.conf to skip all n/a/w type mounts and abandon all
> pretense of checksecurity usefulness.
> 
> However, I'm getting tired of responding to these letters. I'm becoming
> less and less convinced of checksecurity's usefulness, mostly because I
> suspect most people choose to skip n/a/w mounted disks, even if those
> mounts might have suid programs on them. I guess my questions are:
> 
> 1. Does anybody actually care about the checksecurity script?
> 
> 2. If you do, have you modified checksecurity.conf? How so?
> 
> I'm strongly considering removing the checksecurity functionality from
> the cron package, if I can figure out a safe way to move the conf file.

I modify the checksecurity.conf to not search any nfs mounted disks.
It adds way too much network traffic when every client does this, not
to mention error messages from the cron job when it can't access
certain directories.  

I do find the script useful though.  And it would be one useful check
if we had a compromise or suspected one.

Jim

Jim Mintha, Geography System Administrator, U.B.C.
mintha@geog.ubc.ca, or jmintha@debian.org  <www.geog.ubc.ca/jim>
Home: 604 731-7240  Work: 604 822-2174  Fax: 604 822-6150

Where you want to be tomorrow... Debian GNU/Linux <www.debian.org>
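
The mount-option rule described in the quoted message (a network mount is left out of the search only when it is mounted nodev together with nosuid or noexec), as an added example that is not part of the original thread and is not the checksecurity script itself. The function names, the choice of nfs and afs as the network types, the always-search treatment of local filesystems, and the sample mount table are assumptions made for illustration.

```shell
# Added illustration; not the checksecurity script itself.
# Assumption: nfs and afs are the "network" types; local filesystems are always searched.

# has_opt OPTS NAME: succeed if NAME appears in the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# should_scan FSTYPE OPTS: succeed if the mount must be searched.
should_scan() {
    case "$1" in
        nfs|afs) ;;
        *) return 0 ;;
    esac
    # A network mount is skipped only with nodev AND (nosuid OR noexec).
    has_opt "$2" nodev || return 0
    if has_opt "$2" nosuid || has_opt "$2" noexec; then
        return 1
    fi
    return 0
}

# scan_targets: read fstab-style lines on stdin, print mount points to search.
scan_targets() {
    while read -r dev mnt fstype opts _rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        if should_scan "$fstype" "$opts"; then
            printf '%s\n' "$mnt"
        fi
    done
}

# Constructed sample mount table (hosts and paths are made up).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext2 rw 0 0
fs1:/home /home nfs rw,nosuid,nodev 0 0
fs1:/usr/local /usr/local nfs rw 0 0
fs2:/pub /pub nfs ro,noexec 0 0
fs2:/scratch /scratch nfs rw,noexec,nodev 0 0
EOF
}

sample_mounts | scan_targets
```

On the sample table, /pub is still searched because noexec without nodev does not satisfy the rule, which is the case that generates the network traffic the thread is about.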

