From toasty@celery.dragondata.com  Tue Dec 28 00:23:36 1999
Return-Path: <toasty@celery.dragondata.com>
Received: from celery.dragondata.com (celery.dragondata.com [205.253.12.6])
	by hub.freebsd.org (Postfix) with ESMTP id 26F7D14A13
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 28 Dec 1999 00:23:35 -0800 (PST)
	(envelope-from toasty@celery.dragondata.com)
Received: (from root@localhost)
	by celery.dragondata.com (8.9.3/8.9.3) id CAA15129;
	Tue, 28 Dec 1999 02:23:40 -0600 (CST)
	(envelope-from toasty)
Message-Id: <199912280823.CAA15129@celery.dragondata.com>
Date: Tue, 28 Dec 1999 02:23:40 -0600 (CST)
From: Kevin Day <toasty@dragondata.com>
Sender: toasty@celery.dragondata.com
Reply-To: toasty@dragondata.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: rc.conf should have '-s' for syslogd options
X-Send-Pr-Version: 3.2

>Number:         15737
>Category:       conf
>Synopsis:       rc.conf should have '-s' for syslogd options
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    billf
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 28 00:30:00 PST 1999
>Closed-Date:    Mon Mar 20 11:51:57 PST 2000
>Last-Modified:  Mon Mar 20 12:03:04 PST 2000
>Originator:     Kevin Day
>Release:        FreeBSD 3.2-STABLE i386
>Organization:
DragonData Internet Services
>Environment:

Any networked FreeBSD system

>Description:

To quote syslogd's man page:

     The ability to log messages received in UDP packets is equivalent to an
     unauthenticated remote disk-filling service, and should probably be
     disabled by default.


FreeBSD systems ship with syslogd enabled, but not with -s added to the
command line. If the goal is to make systems secure 'out of the box', it
would probably be wise to add -s.

After having a new machine 'remotely disk filled' for me, it occurred to me
that changing the default would be good.

If an option to make syslogd discard foreign packets silently is desired,
I'll whip up a patch.

>How-To-Repeat:


>Fix:
	
change etc/defaults/rc.conf to:

 ### Network daemon (miscellaneous) & NFS options: ###
 syslogd_enable="YES"		# Run syslog daemon (or NO).
-syslogd_flags=""		# Flags to syslogd (if enabled).
+syslogd_flags="-s"		# Flags to syslogd (if enabled).
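Review bot: the trailing comment on the `+syslogd_flags="-s"` line is carried over unchanged from the old default and gives an administrator no hint of what "-s" turns off. Because secure mode makes syslogd refuse messages received from other hosts, a site that relies on this machine as a central loghost will silently stop receiving remote entries once the default flips; suggest extending the comment, e.g. `syslogd_flags="-s"  # Flags to syslogd (-s: refuse remote messages).`, so loghost operators know to override it in /etc/rc.conf. The follow-up in this PR also mentions -ss as the stronger setting once PR 15414 is resolved.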



>Release-Note:
>Audit-Trail:

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: toasty@dragondata.com
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: conf/15737: rc.conf should have '-s' for syslogd options 
Date: Wed, 29 Dec 1999 14:31:56 +0200

 On Tue, 28 Dec 1999 02:23:40 CST, Kevin Day wrote:
 
 > FreeBSD systems ship with syslogd enabled, but not with -s added to the
 > command line. If the goal is to make systems secure 'out of the box', it
 > would probably be wise to add -s.
 
 Don't you think it'd be even wiser to add -ss, once PR 15414 is
 resolved?
 
 Ciao,
 Sheldon.
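An added audit check (example code, not from the PR or from FreeBSD's own rc scripts) that resolves the effective syslogd_flags the way rc.conf layering works, a defaults file overridden by a local file, and reports whether syslogd would still accept messages from other hosts; it also recognises the -ss form raised in the follow-up above. The file paths and the constructed file contents in the demo are assumptions.

```shell
#!/bin/sh
# Added audit check, not part of the PR: resolve the effective syslogd_flags
# as FreeBSD's rc scripts do (source /etc/defaults/rc.conf, then let
# /etc/rc.conf override it) and report whether syslogd would still accept
# syslog messages from other hosts. File paths are parameters for testing.

# effective_syslogd_flags DEFAULTS_FILE LOCAL_FILE
# Prints syslogd_flags after sourcing both files in a subshell; the local
# file wins, as in rc.conf semantics. A missing local file is skipped.
effective_syslogd_flags() {
    ( . "$1"; [ -f "$2" ] && . "$2"; printf '%s\n' "${syslogd_flags-}" )
}

# syslogd_secure FLAGS
# Returns 0 if any option cluster in FLAGS contains 's' (syslogd parses its
# options with getopt, so "-s", "-ss" and "-vs" all enable secure mode).
# A glued option argument ("-f/etc/syslog.conf") does not count: the cluster
# is cut at the first character that is not a letter or '-'.
syslogd_secure() {
    for word in $1; do
        case "$word" in
            -*) cluster=${word%%[!a-zA-Z-]*}
                case "$cluster" in *s*) return 0 ;; esac ;;
        esac
    done
    return 1
}

# check_syslogd DEFAULTS_FILE LOCAL_FILE
# Prints a verdict for the effective flags; returns 0 when secure mode is on.
check_syslogd() {
    flags=$(effective_syslogd_flags "$1" "$2")
    if syslogd_secure "$flags"; then
        printf 'syslogd_flags="%s": messages from other hosts are refused\n' "$flags"
        return 0
    fi
    printf 'syslogd_flags="%s": syslogd logs UDP messages from any host\n' "$flags"
    return 1
}

# Stand-alone run against constructed copies of the two files (assumption:
# the real files would be /etc/defaults/rc.conf and /etc/rc.conf).
if [ "${1-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf 'syslogd_enable="YES"\nsyslogd_flags=""\n' > "$d/defaults.rc.conf"
    printf 'syslogd_flags="-s"\n' > "$d/rc.conf"
    check_syslogd "$d/defaults.rc.conf" /nonexistent || true
    check_syslogd "$d/defaults.rc.conf" "$d/rc.conf"
    rm -r "$d"
fi
```

Run with `--demo` to see the unsecured default followed by the overridden, secured result.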
 
Responsible-Changed-From-To: freebsd-bugs->billf 
Responsible-Changed-By: billf 
Responsible-Changed-When: Mon Jan 17 07:53:12 PST 2000 
Responsible-Changed-Why:  
I'll be looking into this (and most likely committing it soon). 
State-Changed-From-To: open->closed 
State-Changed-By: billf 
State-Changed-When: Mon Mar 20 11:51:57 PST 2000 
State-Changed-Why:  
Committed. thanks. 
>Unformatted:
