On Tue, 2 Jun 1998, Mike Johnson wrote:
> At 03:04 PM 6/2/98 +0100, you wrote:
>
> >Are there any other people out there interested in a concerted linux
> >source security auditing process?
>
> Yes, yes, and yes. Did I mention, yes?
OK.
I've got a _lot_ of positive response about starting some form of
co-ordinated effort to audit core linux components/daemons/suid binaries
etc.
To this effect, there's a mailing list for discussion of linux security
auditing and hardening;
security-audit@ferret.lmh.ox.ac.uk
Subscribe address is
security-audit-subscribe@ferret.lmh.ox.ac.uk
NOTE! This is not "yet another security list people should feel obliged to
subscribe to" list. All findings will of course still go to
bugtraq/linux-security.
Alongside this mailing list will need to go a web page with lists of
security sensitive packages needing to be audited, or hardened[1]. Each
package can have its own list of people who have audited it, and how well
they think they scanned it. Additionally, past auditing and security
record of the package in question can be logged. Each package will also be
assigned an "importance", e.g. tcp_wrappers would rate as
"critical", etc.
Hopefully we can highlight packages that haven't really seen much
auditing at all in their lifetimes.
Note that my HTML is appalling so anyone wanting to contribute pages to
get the project moving is more than welcome ;-)
I'm looking forward to getting some co-ordination going in this effort!
In a few days we'll see who's got onto the list, and start
discussions.
Cheers
Chris
[1] For example, it never hurts to drop privileges earlier, does it? :)
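The footnote's point about dropping privileges early, shown as an added C example (not code from the original post or from the security-audit project): a helper that a setuid-root program would call right after the one operation that actually needs root, dropping to the real user and group in the correct order and then verifying that root cannot be regained. The function name and the `main` wrapper are this example's own.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop privileges to the real user and group of the process.
 * Order matters: supplementary groups first (only root may change them),
 * then the primary group, then the user id; doing the uid first would make
 * the later setgid() fail with EPERM.
 * Returns 0 on success, -1 on failure (errno set). */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Supplementary groups can only be cleared while still root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* With euid 0, setgid()/setuid() on Linux set the real, effective and
     * saved ids at once, which is what makes the drop permanent. */
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;

    /* Never trust the calls alone: verify the ids, then verify that root
     * cannot be regained (setuid(0) would succeed if the saved uid were
     * still 0). */
    if (getegid() != rgid || geteuid() != ruid) {
        errno = EPERM;
        return -1;
    }
    if (ruid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    printf("before: uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("after:  uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```

Run as an unprivileged user the drop is a no-op that still passes every check; installed setuid root, the effective uid printed "after" matches the real uid, and the final `setuid(0)` probe is what catches a program that only lowered the effective id and left the saved id at 0.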