I was just examining the satan_doc file, and much to my chagrin it uses
perl5, and does a lot of scripting. Now, there is *no* way I'm going to
let these scripts run unless they're inside a jail. But, perl5 is a mess
to try and build inside a jail, and I really don't think it's a good idea
to have it there anyway.
It occurs to me that virtually any system administrator with something to
lose (like they're job!) is in the same boat. They can't afford to run
SATAN because to do so would be expose them to potential traps they'd like
to avoid.
It seems that even if you run the beast on a dedicated machine outside your
firewall, that you are *still* exposing your firewall to a rather harsh
threat.
But, what about administrators of small machines, single-user, served by
SLIP say, who want to ensure that their SLIP tunnel-driver and network
configuration are adequately protected? Is the only solution to recode
SATAN completely by hand, thus ensuring no trapdoors are there? Is it
possible to build a chroot'd jail which is safe and yet powerful enough to
allow SATAN to run? If so, I'd greatly welcome any suggestions.
My apologies if this is the inappropriate place to ask this. Let me know,
and I'll redirect it to the correct mailing list.
Dave Barrett barrett @
cs .
Colorado .
EDU
|
|
