Great Circle Associates Firewalls
(October 1996)
 


Subject: Need volunteer FTP archive site to host new security software
From: Marc Chatel <mchatel @ dial . oleane . com>
Date: Thu, 03 Oct 1996 21:56:47 +0100
To: firewalls @ greatcircle . com

Hello all,

   I am looking for one or more anonymous FTP sites that would be
interested in hosting a new security software kit called "S4". S4 stands
for the "Secure System Setup Script". The kit is currently about 6.5 megabytes
(and will probably grow), and it may be necessary to keep several versions
archived over time if the kit proves popular.

   The kit does not currently contain anything that would cause "export
control" problems if hosted in the U.S., but this COULD change over time.
Because of this (and if sites are interested, of course), the ideal setup
may be for a non-U.S. master FTP site, with mirrors in the U.S. or elsewhere.
Better suggestions from people more knowledgeable than me about the problem
are welcome. :-)

   Interested sites may contact me at mchatel @ dial . oleane . com.
I will need to use a "simple" authentication method to update the FTP area,
since I live in France and basically cannot use any serious crypto without
a permit.

   A bit more detail on S4 is included below for your reading pleasure...

   Sincere Regards,

   Marc Chatel
   9, ave Jean Monnet
   74940 ANNECY-LE-VIEUX
   FRANCE

   Private E-mail: mchatel @ dial . oleane . com

----------- details on S4 (the Secure System Setup Script) -------------

   S4 is best described as "a security glueware compromise". The goal of S4
is to minimize the time necessary to accomplish the following:

   Move from a) system with freshly installed base operating system
                with no config done yet

        to   b) system with a maximum number of obvious security holes
                closed, ready to connect to an insecure network,
                and which offers some basic services that people need today:
                   FTP/WWW/SMTP/POP. Most services offered (including the ones
                   I just listed) run chrooted and non-privileged.

   The current S4 is able to move a system from a) to b) in approx. 60 minutes.
The installer spends most of that time pressing "Y", "N", and RETURN to accept
default parameters and page through the output. I guess it could be described
as an "automatic system defense tool", as opposed to "automatic system
scanning tools", which are more common...
  
Although it currently runs on only one platform (OSF/Digital Unix on Alpha),
I believe people will find the tool interesting (even if it is just to pick
some parts out of it). My goal in publishing S4 is to find volunteers that
will find it useful enough to add functionality to it, and help me port it
to other platforms (my experience is that testing a tool like this requires
exclusive access to at least one machine of the type being tested,
preferably two).

   The actual S4 "kit" is composed at > 90% of software packages already
published on Internet and written by many people. All packages included are
in source form (S4 compiles all packages during installation, that's why it
takes an hour to run). In some cases, I have made slight modifications to
the packages (usually to improve drop privilege/chroot methods and to fix
syslog issues introduced by chroot environments).

Packages currently included in the S4 kit (either as-is or modified) are:
-----------------------------------------------------------------------------
   "aftpd", originally written by Marcus J. Ranum, based on Berkeley
            sources

   "arpwatch" from the University of California, Lawrence Berkeley Laboratory

   the Berkeley "db" package, from the University of California at Berkeley

   "gzip", from the Free Software Foundation

   "libpcap" from the University of California, Lawrence Berkeley Laboratory

   the NCSA "httpd" web server, from the National Center for Supercomputing
      Applications at the University of Illinois at Urbana-Champaign

   PERL (version 5.003), from Larry Wall

   "poppasswd", originally from Daniel L. Leavitt at MITRE (I believe)

   "qpopper", a collective work currently hosted at QualComm

   "sendmail", from the University of California at Berkeley

   "spop", put in the public domain by the RAND Corporation

   "tcpd", from Wietse Venema at the Eindhoven University of Technology
-----------------------------------------------------------------------------

   The parts of S4 actually written by me are mostly installation shellscripts,
and a few C programs here and there to handle specific issues.

***************************
LICENSING/COPYRIGHT ISSUES:
***************************

   My primary goal is usefulness.

   To some extent, the S4 kit can be considered an "aggregation" of many
software packages (the S4 shellscripts sit in their own directory and drive
each package's installation script from outside). Each package included
in the S4 kit remains on its own license/copyright terms.

The top directory of the S4 kit includes a file called S4_LICENSE.txt
that includes the basic license text from all of the parties involved
(I think). Each kit included is in source and includes its own license
text.

   For the parts of S4 specifically written by me, I chose licensing
terms as convenient as possible. The S4-specific files include the
following text:

# ------------------------------------------------------------------------------
# Copyright (c) 1995,1996 Donated to the public domain
#
# Original author and maintainer: Marc Chatel   mchatel @ dial . oleane . com
# Last known maintainer:          Marc Chatel   mchatel @ dial . oleane . com
#
# This file was created as part of the S4 (Secure System Setup Script) kit.
# Permission is granted to any person or entity to do any of the following:
#       a) use this file alone or in some other software
#       b) modify this file or include parts of this file in other files
#       c) re-distribute this file AS IS or modified, for non-commercial
#          or commercial purposes, alone or as part of some software package
#
# No warranties of any kind, express or implied, on the functionality and safety
# of the contents of this file. Use at your own risk!
#
# If you do useful changes to this file (bug fixes, portability fixes,
# enhancements), you should TRY to contact the current maintainer, who may be
# maintaining a "latest greatest" version of the file. You do not HAVE TO,
# but you should TRY. Promote software reuse! It helps everybody, including you!
# ------------------------------------------------------------------------------

--------------- end of message -----------------



