Re: UnixWare

[ccdes () ccdes princeton nj us (Carl Corey)]

> This is NOT what I meant. I explicitly mean that you should go beyond
> simply leaving the machine as shipped and should actively remove
> existing SUID facilities to the extent possible and change all
> persistant system processes to run unprivileged if at all possible. I
> do not merely mean "regulating" SUID facilities. I really mean
> actively yanking them out and replacing them with non-SUID facilities.
> I also mean eliminating openings like world writable utmp files,
> devices, etc.

COPS generates a list of SUID files, one of its more useful features.  I am
in the process of going through and determining what _needs_ to be run as
root, and if it does, if anyone else should have access.  I also have
reduced tcp/udp services to a minimum, and any that connect are logged with
tcpwrapper.  Right now it's only a LAN that can connect via tcp, but we are
getting a 56k (ug) connection soon - and it will help to be ready by then.

I know we are getting a cisco router, and I have a question for anyone -
what is the latest version of the router software I need to run to keep
fake ICMP packets from reaching my hosts?  I believe that this was a
somewhat recent upgrade by cisco, thus the presence of nuke.c or whatever
being used to annoy people.  

Also, is there a way to block people running FSP without blocking all udp
packets or relying on blocking udp to certain ports?  I may not be around
full-time on this system, so it is conceivable for a user to set up their
own fsp server in their home dir and not have me notice it for a few weeks
or so.

cc