Re: is it possible to install freebsd on tablet?

2012-07-27 Thread Matthias Apitz
On Tuesday, July 24, 2012 at 07:23:03AM -0500, Robert Bonomi wrote:

> 
> > From: Mr U 
> > Date: Tue, 24 Jul 2012 04:34:14 -0700 (PDT)
> > Subject: is it possible to install freebsd on tablet?
> >
> > hi
> >
> > I have a question, is it possible to install freebsd (or netbsd) on an 
> > android tablet?
> 
> Authoritative answer:
>   "Theoretically possible? yes.
>    Realistically doable? Maybe".
> 
> And it's a _big_ "maybe".
> 
> It depends on the -exact- hardware details of the tablet device in question.
> 
> If the particular make/model of tablet is not explicitly listed in the
> 'supported hardware' list for the version of FreeBSD that you are considering,
> then it will take a -lot- of research to determine whether FreeBSD will
> run without modification on that device.
> ...

It would be better to spend such efforts in porting FreeBSD to an open
device, and not to such a proprietary beast; there have been steps in the
past to port to Openmoko Freerunner:

http://wiki.openmoko.org/wiki/Main_Page
http://wiki.openmoko.org/wiki/FreeBSD

I'm using such a mobile as my one and only daily cell phone, but it
still runs a Linux distribution, SHR

http://www.shr-project.org/trac/wiki

matthias
-- 
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e  - w http://www.unixarea.de/
UNIX since V7 on PDP-11 | UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2 | FreeBSD since 2.2.5
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: geli - selecting cipher

2012-07-27 Thread Wojciech Puchar

> Saying that geli's CBC implementation "is good enough" for someone
> seems to imply that it's somehow worse than XTS in general. Could you

True. I still don't really understand the difference.

I don't actually need anything other than the inability to read data from my
disk for a potential thief.

> The rationale of the change isn't clear to me either.
> Until recently I wasn't aware of the performance impact, though.

It is huge, 5-8 times, depending on whether you have hardware acceleration or not.
AES-CBC is fast enough so encrypting SSD drives makes sense.





Re: On-access AV scanning

2012-07-27 Thread Wojciech Puchar
> I did some testing several years ago with ClamAV, Sophos and McAfee (scanning
> incoming mail), and ClamAV was comparable to McAfee in detection rates - over
> 98%.

I use clamav for mail virus checking and IMHO it is the only place where
realtime virus checking makes sense.

Some windows users have NOD32 antivirus and I never got a case that NOD32
detected email virus after clamav filter.

Of course this is all windows only problem, unix doesn't have viruses.


Re: On-access AV scanning

2012-07-27 Thread Polytropon
On Fri, 27 Jul 2012 13:10:12 -0500, Mark Felder wrote:
> Virus scanning should not be your problem. If the Windows users in the  
> organization have an antivirus solution there is no need for you to have  
> one. It doesn't matter if you share files over SAMBA -- when they access  
> the files their virus scanner will check them.

His "problem" is that there's a corporate reglementation
of what he has to do, which he needs to obey in order to
keep his job. Even though this ruleset contains something
stupid (or even impossible), it's a requirement. Of course
a stupid one, but it does exist.

Surely it would be better for the company that has _admitted_
to have had more than one significant infection to do the
simplest, most stupid and absolutely basic tasks:

1. educate users, repeat educating users, continue
   educating users

2. connect "Windows" PCs through a non-"Windows" scanning
   facility to the Internet; think about who needs Internet
   and who doesn't

3. limit access to local storage (CD, DVD, USB sticks) and
   force those to be "inserted" to the network (e. g. as
   a CIFS share) again through a non-"Windows" scanning
   facility; again think about who should be allowed to
   enter "foreign data" to the company network and _how_
   it is _required_ to be done

4. consider the whole network, also think about (W)LAN or
   BT connected smartphones, printers, networking gear

5. learn about viruses, trojans, malware: how they work,
   how they are used and therefore how to "actively act
   against them"

6. understand security as a process, not a stupid list that
   tells you to "have a virus scanner on the system that
   works on access"; now go to item 1 again

Of course, _none_ of those points seems to be on the agenda
at the moment. There's still the rule "You must have a
virus scanner on your computer that acts as on-access scanner
and scans for any viruses." It misses both that FreeBSD is
not infectable by "Windows" viruses, and it does not prevent
any "non-virus" attacks (such as per smartphone, per printer,
per human stupidity and carelessness).

So I think Daniel is actually on the best road at the moment.
Sure, it won't make _his_ system safer, and it won't make
other systems safer, but it will conform to the rules. If
he's able to use FAM/Gamin as the "on-access" part, and
a virus scanner he finds suitable for the "virus scan" part,
that should be sufficient.

if(system_has_scanner && scan_on_access)
    allow_system();
else
    if(insist_on_system)
        fire(Daniel);
    else
        deny_system();

Obeying can be fun, if it _is_ that easy. :-)

Maybe later on, he can convince his superior to switch
on his brain for thinking about the corporate guidelines.
It's worth it, and it saves money. I'm confident that it
is a chance to finally dump the stupid idea of insisting
to have a virus scanner on FreeBSD where there are no
viruses it could scan for.



-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


Re: On-access AV scanning

2012-07-27 Thread Mark Felder
Virus scanning should not be your problem. If the Windows users in the  
organization have an antivirus solution there is no need for you to have  
one. It doesn't matter if you share files over SAMBA -- when they access  
the files their virus scanner will check them.



Re: geli - selecting cipher

2012-07-27 Thread Fabian Keil
RW  wrote:

> On Thu, 26 Jul 2012 17:47:10 +0200
> Ivan Voras wrote:
> 
> > On 26/07/2012 04:14, RW wrote:
> > 
> > > I asked a similar question to the OP's in the geom list and didn't
> > > get an answer. Geli doesn't need or isn't using any advantages of
> > > XTS. And CBC in geli is actually equivalent to ESSIV (see the
> > > previously linked wikipedia page). 

> > You didn't get an answer because in security, the answer depends on
> > exact circumstances of use. The short answer is that if you don't
> > have a specific adversary you need to protect your data from, I'd say
> > that GELI's CBC is good enough for you.

Most answers depend on the circumstances. At least to me this doesn't
seem like a good reason to completely ignore questions, even if they
are related to security.

Saying that geli's CBC implementation "is good enough" for someone
seems to imply that it's somehow worse than XTS in general. Could you
please clarify in which scenario you think XTS offers better protection?

> Actually the reason I asked is that I wanted to check whether I was
> overlooking some key advantage of XTS that justified its being the
> default.

The rationale of the change isn't clear to me either.
Until recently I wasn't aware of the performance impact, though.

> AES-XTS was chosen to provide the best protection against modified
> ciphertext without using authentication which would expand the size
> of the data.
> 
> It seems to me that anyone that worries about attackers tampering with
> a drive should use authentication in geli, and anyone that doesn't
> should leave it off and use CBC.

If ZFS is used and checksums aren't disabled, I don't see any
advantage of additionally enabling geli's authentication whose
protection seems a lot weaker. For tampering resistance I would
thus recommend ZFS on geli without authentication in geli.

Fabian




Re: how to speed up port make??

2012-07-27 Thread David Naylor
On Friday, 27 July 2012 09:22:52 Wojciech Puchar wrote:
> >> A few things you could try adding to make.conf:
> >> FORCE_MAKE_JOBS=yes
> >> MAKE_JOBS_NUMBER=4
> > 
> > I'm not sure this is supported on a _single_ core Pentium 4 CPU
> > (or will gain speed if it was "emulated").
> 
> MAKE_JOBS_NUMBER=2 makes sense - one process I/O may overlap with other
> compute

Also, with portbuilder it splits the build process so will fetch (network
limited) one port's files while it builds another (CPU limited) and installs
another (I/O limited).




Re: On-access AV scanning

2012-07-27 Thread Daniel Bye
On Fri, Jul 27, 2012 at 10:02:26AM -0500, Paul Schmehl wrote:
> --On July 27, 2012 11:43:08 AM +0100 Daniel Bye
>  wrote:
> 
> >Are there any current options available to support on-access antivirus
> >scanning on FreeBSD?
> >
> 
> Clamav.

I use it on my home mail server (I have a Windows machine on my network, so
want to trap anything nasty that comes in to protect that). It integrates
well with exim's malware ACL checks.

> 
> I did some testing several years ago with ClamAV, Sophos and McAfee
> (scanning incoming mail), and ClamAV was comparable to McAfee in
> detection rates - over 98%.

Yes, it's a good product, no doubt.

> 
> If you run the daemon you have on access scanning.  Seems like that
> would satisfy the policy.

No - the daemon only provides on-demand scanning on FreeBSD. That is, it
only scans files that are explicitly passed to it by some other process -
usually an MTA or the clamscan command line tool.  On-access scanning
requires an additional layer on top of the file system, which intercepts
certain file system operations, sending files transparently to the scanner. 
Opening a file in your editor, for example, might cause the file to first be
scanned before your editor can get it.  Likewise, trying to download
something from the web in your browser would cause the file to be scanned
before it's saved to disk.  That's what the dazuko port was for (although it
doesn't work on FreeBSD9, and the latest version is a Linux-only rewrite.)
As Polytropon pointed out, it should be possible to create a passing
approximation by using FAM/Gamin.

Thanks, everyone, for all your input. I think I have enough to be able to
put a strong case forward.

Dan

-- 
Daniel Bye
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \
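
Added example, not part of Daniel Bye's message and not ClamAV code: a polling approximation of the on-access layer described above, which rescans files when they appear or change and hands their bytes to clamd's INSTREAM command. The socket path, the names PollingScanner, fingerprint and instream_frames, and the quarantine layout are assumptions made for this sketch.

```python
import os
import shutil
import socket
import stat
import struct

CHUNK = 64 * 1024
CLAMD_SOCKET = "/var/run/clamav/clamd.sock"  # assumption: LocalSocket in clamd.conf


def fingerprint(st):
    """Content-state identity of a file, or None if it is not a regular file."""
    if not stat.S_ISREG(st.st_mode):
        return None
    return (st.st_ino, st.st_size, st.st_mtime_ns)


def instream_frames(data, chunk=CHUNK):
    """Yield the frames of a clamd INSTREAM request carrying `data`."""
    yield b"zINSTREAM\0"  # null-terminated command
    for off in range(0, len(data), chunk):
        part = data[off:off + chunk]
        yield struct.pack("!I", len(part)) + part  # 4-byte big-endian length + data
    yield struct.pack("!I", 0)  # a zero-length chunk ends the stream


def clamd_scan(data, path=CLAMD_SOCKET, timeout=30):
    """Have a running clamd scan `data`; returns e.g. 'stream: OK'."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)
        for frame in instream_frames(data):
            s.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return reply.rstrip(b"\0").decode("ascii", "replace")


class PollingScanner:
    """Scan files under `root` when they appear or change.

    This runs after the write, so a file stays readable until the next pass
    reaches it; a real on-access layer would block the open instead.
    """

    def __init__(self, root, quarantine, scan=clamd_scan):
        self.root = os.path.realpath(root)
        self.quarantine = os.path.realpath(quarantine)
        self.scan = scan
        self.seen = {}  # path -> fingerprint at the last clean scan

    def poll(self):
        """One pass over the tree; returns [(path, verdict)] for scanned files."""
        results = []
        for dirpath, dirnames, filenames in os.walk(self.root):
            # do not descend into the quarantine if it lives under root
            dirnames[:] = [d for d in dirnames
                           if os.path.join(dirpath, d) != self.quarantine]
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    before = fingerprint(os.lstat(path))
                    if before is None or self.seen.get(path) == before:
                        continue  # not a regular file, or unchanged since last scan
                    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
                    with os.fdopen(fd, "rb") as fh:
                        data = fh.read()
                        after = fingerprint(os.fstat(fh.fileno()))
                except OSError:
                    continue  # vanished, unreadable, or replaced by a symlink
                if after != before:
                    continue  # still being written: retry on the next pass
                verdict = self.scan(data)
                if verdict.endswith("FOUND"):
                    self._isolate(path)
                elif verdict.endswith("OK"):
                    self.seen[path] = before
                results.append((path, verdict))  # ERROR replies are retried later
        return results

    def _isolate(self, path):
        """Move a flagged file out of the tree and strip its permissions."""
        os.makedirs(self.quarantine, mode=0o700, exist_ok=True)
        n = len(os.listdir(self.quarantine))
        dest = os.path.join(self.quarantine, "%06d-%s" % (n, os.path.basename(path)))
        shutil.move(path, dest)
        os.chmod(dest, 0)
        self.seen.pop(path, None)


if __name__ == "__main__":
    import sys
    import time
    watcher = PollingScanner(sys.argv[1], sys.argv[2])  # args: root, quarantine
    while True:
        for path, verdict in watcher.poll():
            print(path, verdict)
        time.sleep(5)
```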




Re: On-access AV scanning

2012-07-27 Thread Paul Schmehl
--On July 27, 2012 11:43:08 AM +0100 Daniel Bye wrote:

> Are there any current options available to support on-access antivirus
> scanning on FreeBSD?

Clamav.

I did some testing several years ago with ClamAV, Sophos and McAfee 
(scanning incoming mail), and ClamAV was comparable to McAfee in detection 
rates - over 98%.


If you run the daemon you have on access scanning.  Seems like that would 
satisfy the policy.


It's in ports, so it should be easy to install and keep up to date.

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
***
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell



Re: mc-light with tcsh receives segfault

2012-07-27 Thread Solmin Vladimir

Hello, my system doesn't work with tcsh too (

$ uname -a
FreeBSD xxx.xx 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0: Thu Jul 5 
16:54:22 MSK 2012 root@x:/usr/obj/usr/src/sys/PORT amd64

$ env | grep SHELL
SHELL=/bin/tcsh
$ mc
Segmentation fault

$ mc -V
The Midnight Commander 4.1.40-pre9
with mouse support on xterm.
Edition: text mode.
Virtual File System: tarfs, extfs, ftpfs, mcfs.
With builtin Editor
Using S-lang library with termcap database
With subshell support: as default
With DUSUM command
With support for background operations

after setenv SHELL /bin/csh
mc-light is running normally

27.07.2012 18:08, Jeff Tipton wrote:

On 07/26/2012 18:17, Jeff Tipton wrote:

Hi,

My mc-light doesn't work with tcsh. When I try to launch it:
>mc
Segmentation fault (core dumped)
>

>uname -a
FreeBSD jeff-netf 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0: Tue Jun 
12 01:47:53 UTC 2012 
r...@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386

>

System and ports are all up to date.
> mc -V
The Midnight Commander 4.1.40-pre9
with mouse support on xterm.
Edition: text mode.
Virtual File System: tarfs, extfs, ftpfs, mcfs.
With builtin Editor
Using S-lang library with termcap database
With subshell support: as default
With DUSUM command
With support for background operations
>

It works with sh and csh but doesn't with tcsh. Actually, it even 
works within tcsh, if the SHELL variable is arbitrarily set to 
/bin/csh. Doesn't matter whether root or a regular user. Any ideas of 
what might be wrong?


Jeff

So, no ideas of how to fix mc-light in tcsh?


Re: geli - selecting cipher

2012-07-27 Thread RW
On Thu, 26 Jul 2012 17:47:10 +0200
Ivan Voras wrote:

> On 26/07/2012 04:14, RW wrote:
> 
> > I asked a similar question to the OP's in the geom list and didn't
> > get an answer. Geli doesn't need or isn't using any advantages of
> > XTS. And CBC in geli is actually equivalent to ESSIV (see the
> > previously linked wikipedia page). 
> 
> Hi,
> 
> You didn't get an answer because in security, the answer depends on
> exact circumstances of use. The short answer is that if you don't
> have a specific adversary you need to protect your data from, I'd say
> that GELI's CBC is good enough for you.

Actually the reason I asked is that I wanted to check whether I was
overlooking some key advantage of XTS that justified its being the
default.

AES-XTS was chosen to provide the best protection against modified
ciphertext without using authentication which would expand the size
of the data.

It seems to me that anyone that worries about attackers tampering with
a drive should use authentication in geli, and anyone that doesn't
should leave it off and use CBC.

If you run geli init without -a or -e options, you get AES-XTS
without authentication, a default that doesn't seem right for
anyone.



Re: On-access AV scanning

2012-07-27 Thread Arthur Chance

On 07/27/12 13:14, Daniel Bye wrote:
> On Fri, Jul 27, 2012 at 01:52:16PM +0200, Damien Fleuriot wrote:
> >
> > FUSE ClamFS
>
> Ah, thanks for that. I'll check it out.
>
> > But then, FUSE... ew...
>
> I know. But, if it gets me my workstation... ;-)


The wiki suggests that FUSE might be part of release 10:

http://wiki.freebsd.org/FreeBSD10 (under Filesystem header), but I 
gather it's a subject that causes a degree of debate :-}


Anyone who knows more about this care to comment?



Re: mc-light with tcsh receives segfault

2012-07-27 Thread Jeff Tipton

On 07/26/2012 18:17, Jeff Tipton wrote:

Hi,

My mc-light doesn't work with tcsh. When I try to launch it:
>mc
Segmentation fault (core dumped)
>

>uname -a
FreeBSD jeff-netf 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0: Tue Jun 12 
01:47:53 UTC 2012 
r...@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386

>

System and ports are all up to date.
> mc -V
The Midnight Commander 4.1.40-pre9
with mouse support on xterm.
Edition: text mode.
Virtual File System: tarfs, extfs, ftpfs, mcfs.
With builtin Editor
Using S-lang library with termcap database
With subshell support: as default
With DUSUM command
With support for background operations
>

It works with sh and csh but doesn't with tcsh. Actually, it even 
works within tcsh, if the SHELL variable is arbitrarily set to 
/bin/csh. Doesn't matter whether root or a regular user. Any ideas of 
what might be wrong?


Jeff

So, no ideas of how to fix mc-light in tcsh?


Re: Freebsd build problem

2012-07-27 Thread Venkat Duvvuru
reinstalling the sources fixed the problem. Thanks.

/Venkat

On Thu, Jul 26, 2012 at 5:49 PM, Damien Fleuriot  wrote:

>
>
> On 7/26/12 2:08 PM, Venkat Duvvuru wrote:
> > Hi,
> > Please find my responses in line.
> >
> > On Thu, Jul 26, 2012 at 4:57 PM, Damien Fleuriot   > > wrote:
> >
> >
> > On 7/26/12 12:48 PM, Venkat Duvvuru wrote:
> > > Hi,
> > > I'm  unable to compile the kernel code (for that matter any kernel
> > module
> > > also). The following is the error.
> > > My guess is that it is trying to compile the code for x86 instead
> > of amd64
> > > as you can a symbolic link create for x86 includes.
> > > Please suggest the change to be done in order to compile it for
> amd64.
> > > "Uname -a" of the system "FreeBsd 9.0-RELEASE-p3 FreeBSD
> > 9.0-RELEASE-p3 #0:
> > > Tue Jun 12 02:52:29 UTC 2012
> > > r...@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC
> >  amd64"
> > >
> > >
> >
> 
> > > --
> >  stage 3.1: making dependencies
> > > --
> > > cd /usr/obj/usr/src/sys/MYKERNEL; MAKEOBJDIRPREFIX=/usr/obj
> > > MACHINE_ARCH=amd64  MACHINE=amd64  CPUTYPE=
> > > GROFF_BIN_PATH=/usr/obj/usr/src/tmp/legacy/usr/bin
> > > GROFF_FONT_PATH=/usr/obj/usr/src/tmp/legacy/usr/share/groff_font
> > > GROFF_TMAC_PATH=/usr/obj/usr/src/tmp/legacy/usr/share/tmac
> > > _SHLIBDIRPREFIX=/usr/obj/usr/src/tmp  VERSION="FreeBSD
> > 9.0-RELEASE-p3 amd64
> > > 900044"  INSTALL="sh /usr/src/tools/install.sh"
> > >
> >
> PATH=/usr/obj/usr/src/tmp/legacy/usr/sbin:/usr/obj/usr/src/tmp/legacy/usr/bin:/usr/obj/usr/src/tmp/legacy/usr/games:/usr/obj/usr/src/tmp/usr/sbin:/usr/obj/usr/src/tmp/usr/bin:/usr/obj/usr/src/tmp/usr/games:/sbin:/bin:/usr/sbin:/usr/bin
> > > NO_CTF=1 make KERNEL=kernel depend -DNO_MODULES_OBJ
> > > machine -> /usr/src/sys/amd64/include
> > > x86 -> /usr/src/sys/x86/include
> > > cc -c -O2 -frename-registers -pipe -fno-strict-aliasing -std=c99
> > -g -Wall
> > > -Wredundant-decls -Wnested-externs -Wstrict-prototypes
> > -Wmissing-prototypes
> > > -Wpointer-arith -Winline -Wcast-qual -Wundef -Wno-pointer-sign
> > > -fformat-extensions -Wmissing-include-dirs
> -fdiagnostics-show-option
> > > -nostdinc -I. -I/usr/src/sys -I/usr/src/sys/contrib/altq
> > > -I/usr/src/sys/contrib/ipfilter -I/usr/src/sys/contrib/pf
> > > -I/usr/src/sys/dev/ath -I/usr/src/sys/dev/ath/ath_hal
> > > -I/usr/src/sys/contrib/ngatm -I/usr/src/sys/dev/twa
> > > -I/usr/src/sys/gnu/fs/xfs/FreeBSD
> > -I/usr/src/sys/gnu/fs/xfs/FreeBSD/support
> > > -I/usr/src/sys/gnu/fs/xfs -I/usr/src/sys/dev/cxgb
> > -I/usr/src/sys/dev/cxgbe
> > > -D_KERNEL -DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h
> > > -finline-limit=8000 --param inline-unit-growth=100 --param
> > > large-function-growth=1000 -fno-omit-frame-pointer -mno-sse
> > -mcmodel=kernel
> > > -mno-red-zone -mno-mmx -msoft-float -fno-asynchronous-unwind-tables
> > > -ffreestanding -fstack-protector
> /usr/src/sys/amd64/amd64/genassym.c
> > > In file included from ./x86/_align.h:6,
> > >  from ./x86/_align.h:6,
> > >  from ./x86/_align.h:6,
> > >  from ./x86/_align.h:6,
> > >  from ./x86/_align.h:6,
> > >  from ./machine/_align.h:6,
> > >  from ./machine/param.h:46,
> > >  from /usr/src/sys/sys/param.h:115,
> > >  from /usr/src/sys/amd64/amd64/genassym.c:42:
> > > ./x86/_align.h:6:24: error: #include nested too deeply
> > > In file included from ./x86/_align.h:6,
> > >  from ./x86/_align.h:6,
> > >  from ./x86/_align.h:6,
> > >  from ./machine/_align.h:6,
> > >  from /usr/src/sys/sys/socket.h:39,
> > >  from /usr/src/sys/amd64/amd64/genassym.c:54:
> > > ./x86/_align.h:6:24: error: #include nested too deeply
> > > /usr/src/sys/amd64/amd64/genassym.c:69:25: error: x86/apicreg.h:
> > No such
> > > file or directory
> > > /usr/src/sys/amd64/amd64/genassym.c:230: error: invalid use of
> > undefined
> > > type 'struct LAPIC'
> > > *** Error code 1
> > > Stop in /usr/obj/usr/src/sys/MYKERNEL.
> > > *** Error code 1
> > > Stop in /usr/src.
> > > *** Error code 1
> > > Stop in /usr/src.
> > >
> >
> =

Re: On-access AV scanning

2012-07-27 Thread Matthew Seaman
On 27/07/2012 13:15, Erich Dollansky wrote:
> You will not find them. The scanners running on FreeBSD are looking for
> Windows pests.

> Does it scan for FreeBSD viruses? I would wonder.

AV Scanners are looking for the signature of any known malware.  The
important word there is 'known' -- it's malware that has come to the
attention of the AV software manufacturers and that they have published
a "fingerprint" of.  They don't generally work heuristically; ie. so
that they could detect and stop a 0-day malware automatically.

Now, as the vast majority of known malware affects Windows -- there are
3 or 4 known worms that used to affect Linux and I think one that would
also have affected FreeBSD (but those all relied on old and vulnerable
versions of Apache to spread and they are from many years ago in any
case) plus a recent virus or two that attacks MacOS X -- then any AV
scanner is, pretty much by definition, going to be looking for Windows
malware.

In the light of that, the OP's workplace AV policy is clearly
nonsensical when applied to a FreeBSD desktop.  Scanning shared
filesystems at regular intervals and scanning incoming mail or web
content is generally sufficient to keep a FreeBSD box clean and also
protect a whole network-full of Windows clients that access it as a
server from most avenues of infection.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW





Re: calculating difference of times

2012-07-27 Thread Matthew Seaman
On 27/07/2012 13:34, Matthias Apitz wrote:
> Do we have something (in the ports) to calculate easy the difference of
> two times given as hh:mm - hh:mm? Some hack in bc(1) or something like
> this? Well, I could translate the times into UNIX seconds of epoch,
> build the diff and reconvert, but something more easy (and not in Perl
> or C, just shell); thanks

Not as such.  Generic toolkits for doing time differences are fairly
common, but they tend to be a) quite large and b) written in higher
level languages than shell.  However they usually account for all the
annoying corner cases like switching to daylight savings time.

If your times are always going to be strictly hh:mm (24h clock) and you
aren't worried about time differences over more than one day, then
something like this in shell:

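t1=08:12
t2=12:08

# split each hh:mm value into its hour and minute parts
h1=${t1%:*}
h2=${t2%:*}

m1=${t1#*:}
m2=${t2#*:}

# bc reads 08 and 09 as decimal; $(( )) would reject them as invalid octal
mdelta=$(echo "$h2 * 60 + $m2 - $h1 * 60 - $m1" | bc)
hdelta=$(( $mdelta / 60 ))
mdelta=$(( $mdelta % 60 ))
tdelta=$(printf "%02d:%02d" $hdelta $mdelta)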

This will calculate the duration from 23:59 to 00:01 as -23:58; ie. it
assumes both times are on the same calendar day.  Coming up with the
answer 00:02 is left as an exercise for the student.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey






Re: On-access AV scanning

2012-07-27 Thread Erich Dollansky
Hi,

On Fri, 27 Jul 2012 13:38:11 +0100
Daniel Bye  wrote:
> On Fri, Jul 27, 2012 at 07:15:29PM +0700, Erich Dollansky wrote:
> > On Fri, 27 Jul 2012 12:47:29 +0100
> > Daniel Bye  wrote:
> > > On Fri, Jul 27, 2012 at 07:19:45AM -0400, Daniel Feenberg wrote:
> > > > On Fri, 27 Jul 2012, Daniel Bye wrote:
> > > > >On Fri, Jul 27, 2012 at 12:51:04PM +0200, Wojciech Puchar
> > > > >wrote:
> > > > >>>Are there any current options available to support on-access
> > > > >>>antivirus scanning on FreeBSD?
> > 
> > why should it be available when it is not needed?
> 
> Because the IT policy (currently) requires it. I don't agree with that
> policy, but there you are - I don't have the authority to simply
> ignore it.
> 
no, no, I meant why should FreeBSD need them. I am aware of your
problem.
> 
> Yes, I know. But we have petabytes of file systems shared over
> SMB/CIFS, so if a Windows machine introduces something to the network,
> it strikes me as reasonable that if my (still putative) FreeBSD
> system finds it before another Windows system, I have potentially
> prevented a much wider problem.
> 
Why don't you get a FreeBSD machine which scans the network traffic and
have some fun with the results?
> 
> > The security concepts of FreeBSD are 100% different. They will never
> > match this kind of policy.
> 
> Yes, and I am hoping that that fact is enough to persuade him that the
> current policy (which he inherited, by the way, he didn't have a hand
> in its establishment) is no longer applicable in an increasingly
> mixed environment (Polytropon brought up the obvious matter of
> smartphones and tablets and other devices).
> 
Why don't you have another try? We use very often a FreeBSD machine
with more CPU power as a server and older machines just as thin
clients. These machines can be Windows machines running whatever virus
scanners you want and an X server (cygwin will do). Your applications
run actually on the FreeBSD machine and the Windows machine is only a
terminal.

I think that this could match your policy and also shows how pointless
the policy is.

Erich


calculating difference of times

2012-07-27 Thread Robert Huff

Matthias Apitz writes:

>  Do we have something (in the ports) to calculate easy the
>  difference of two times given as hh:mm - hh:mm? Some hack in
>  bc(1) or something like this? Well, I could translate the times
>  into UNIX seconds of epoch, build the diff and reconvert, but
>  something more easy (and not in Perl or C, just shell); thanks

I don't know if there's something already available. (Sorry -
never had this problem.)
If the format is fixed, then parsing it with awk is trivial.
After that, the math should be doable with "expr".


Robert Huff




Re: On-access AV scanning

2012-07-27 Thread Daniel Bye
On Fri, Jul 27, 2012 at 07:15:29PM +0700, Erich Dollansky wrote:
> Hi,
> 
> On Fri, 27 Jul 2012 12:47:29 +0100
> Daniel Bye  wrote:
> 
> > On Fri, Jul 27, 2012 at 07:19:45AM -0400, Daniel Feenberg wrote:
> > > 
> > > 
> > > On Fri, 27 Jul 2012, Daniel Bye wrote:
> > > 
> > > >On Fri, Jul 27, 2012 at 12:51:04PM +0200, Wojciech Puchar wrote:
> > > >>>Are there any current options available to support on-access
> > > >>>antivirus scanning on FreeBSD?
> 
> why should it be available when it is not needed?

Because the IT policy (currently) requires it. I don't agree with that
policy, but there you are - I don't have the authority to simply ignore it.


> > > >>>
> > > >>FreeBSD doesn't need this as there are no viruses on that system.
> 
> Ok, this is a bad reasoning.
> > > >
> > Thanks, Daniel. I have looked at Kaspersky, and various others, but
> > the main sticking point, as I see it, is that there is no on-access
> > scanning capability in any of the AV packages available for FreeBSD.
> 
> You will not find them. The scanners running on FreeBSD are looking for
> Windows pests.

Yes, I know. But we have petabytes of file systems shared over SMB/CIFS, so
if a Windows machine introduces something to the network, it strikes me as
reasonable that if my (still putative) FreeBSD system finds it before
another Windows system, I have potentially prevented a much wider problem.


> 
> > It's not essential to build my case, but it would certainly
> > strengthen it.  I use ClamAV on my home mail server, and it works
> > well.  I have also tested it out on a desktop machine to run
> > on-demand scans, and it works just fine, and doesn't impose so much
> > of a load as to be a nuisance.
> > 
> Does it scan for FreeBSD viruses? I would wonder.

I wouldn't waste your time wondering, if I were you. Of course they *all*
look for malware that infests Windows machines. But, that notwithstanding,
I have to adhere to the policy, whether I like it or not.

> 
> > We have had a couple of virus outbreaks recently, so this is quite a
> > high profile concern around here at the moment. The CIO is from a
> > technical background, so I might well be able to convince him of
> > FreeBSD's strengths as a very secure system, but I will still need to
> > accede to the IT policy, sadly - no way around it.
> 
> You will have to give it a miss then.
> 
> The security concepts of FreeBSD are 100% different. They will never
> match this kind of policy.

Yes, and I am hoping that that fact is enough to persuade him that the
current policy (which he inherited, by the way, he didn't have a hand in its
establishment) is no longer applicable in an increasingly mixed environment
(Polytropon brought up the obvious matter of smartphones and tablets and
other devices).

Thanks for your thoughts.

Dan

-- 
Daniel Bye
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \




calculating difference of times

2012-07-27 Thread Matthias Apitz

Hello,

Do we have something (in the ports) to calculate easy the difference of
two times given as hh:mm - hh:mm? Some hack in bc(1) or something like
this? Well, I could translate the times into UNIX seconds of epoch,
build the diff and reconvert, but something more easy (and not in Perl
or C, just shell); thanks

matthias
-- 
Matthias Apitz
e  - w http://www.unixarea.de/
UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5


Re: On-access AV scanning

2012-07-27 Thread Daniel Bye
On Fri, Jul 27, 2012 at 01:52:16PM +0200, Damien Fleuriot wrote:
> 
> FUSE ClamFS

Ah, thanks for that. I'll check it out.

> 
> 
> But then, FUSE... ew...

I know. But, if it gets me my workstation... ;-)

Dan

-- 
Daniel Bye
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \




Re: On-access AV scanning

2012-07-27 Thread Erich Dollansky
Hi,

On Fri, 27 Jul 2012 12:47:29 +0100
Daniel Bye  wrote:

> On Fri, Jul 27, 2012 at 07:19:45AM -0400, Daniel Feenberg wrote:
> > 
> > 
> > On Fri, 27 Jul 2012, Daniel Bye wrote:
> > 
> > >On Fri, Jul 27, 2012 at 12:51:04PM +0200, Wojciech Puchar wrote:
> > >>>Are there any current options available to support on-access
> > >>>antivirus scanning on FreeBSD?

why should it be available when it is not needed?
> > >>>
> > >>FreeBSD doesn't need this as there are no viruses on that system.

Ok, this is a bad reasoning.
> > >
> Thanks, Daniel. I have looked at Kaspersky, and various others, but
> the main sticking point, as I see it, is that there is no on-access
> scanning capability in any of the AV packages available for FreeBSD.

You will not find them. The scanners running on FreeBSD are looking for
Windows pests.

> It's not essential to build my case, but it would certainly
> strengthen it.  I use ClamAV on my home mail server, and it works
> well.  I have also tested it out on a desktop machine to run
> on-demand scans, and it works just fine, and doesn't impose so much
> of a load as to be a nuisance.
> 
Does it scan for FreeBSD viruses? I would wonder.

> We have had a couple of virus outbreaks recently, so this is quite a
> high profile concern around here at the moment. The CIO is from a
> technical background, so I might well be able to convince him of
> FreeBSD's strengths as a very secure system, but I will still need to
> accede to the IT policy, sadly - no way around it.

You will have to give it a miss then.

The security concepts of FreeBSD are 100% different. They will never
match this kind of policy.

Erich


Re: On-access AV scanning

2012-07-27 Thread Daniel Bye
On Fri, Jul 27, 2012 at 01:23:36PM +0200, Polytropon wrote:
> On Fri, 27 Jul 2012 12:00:19 +0100, Daniel Bye wrote:
> > All desktops/workstations (that is, all of them, every single one),
> > must have AV software running on them. There will be no exceptions, on pain
> > of dismissal.
> 
> Why is the AV software running on FreeBSD not sufficient in
> the opinion of your superior (or by the guidelines of the
> corporate directives)?
> 
> And those who bring a smartphone to work (private or company
> use), how do they run AV software on those _IT devices_? :-)
> 
> Oh, and how is AV software brought to the company network
> printers, the LAN gear and WLAN APs and everything else
> that can be infected, exploited, ruined or damaged?
> 
> Or do they simply not count as "desktop/workstation" as you
> mentioned? In that case: Happy attack vectors. :-)

Well, no, they don't count, according to our policy, because they're not
desktops. I know, I know - but I didn't write the damn policy - I just have
to live by it! :-/

> 
> 
> 
> Excuse my sarcasm, but there's a little truth in it, when
> seen from an IT security point of view.

I know, you make valid points - but I am merely a minor functionary on the
content development department, and not a global IT policy maker.  If it
were up to me, everyone in the company would be on UNIX of some kind or
other, but it just isn't up to me.

Hopefully, I can convince those that need convincing that what is available
is sufficient. I've only been using FreeBSD for the last 13 years, after
all, and in that time can count on the fingers of no hands the number of
security flaws that have allowed any of the machines under my care to be
compromised... I know that's no reason for complacency, and that I have been
lucky, but it's still a comforting statistic.

Thanks for your thoughts, guys. Of course, I'm going to extol FreeBSD's
virtues (it'd be great to get it in the datacentre, wouldn't it?), and we'll
see how we go!

> 
> 
> 
> Really, I _do_ understand your problem (or better the problems
> others created for you). Try to get more specific statements
> to what kind of AV software with which "action attributes" is
> required and try to construct a solution that will be sufficient
> in the _view_ of the responsible superiors. The less they do
> actually understand, the easier it should be. FreeBSD does
> _have_ AV software, but not _for_ FreeBSD per se (as it cannot
> be infected by viruses, trojans and malware that are designed
> explicitly for "Windows" platforms), but it can very well
> detect them. This all still does not help against human
> stupidity.

Aye, quite so. Preaching to the choir, brother.

> 
> Feel free to show this article and make use of its arguments:
> 
> Robert McMillan: Is Antivirus Software a Waste of Money?
> 
> http://www.wired.com/wiredenterprise/2012/03/antivirus/

Thanks for the link - I'll certainly have a read of it, and might well drop
the link in my email to him.

> 
> A _responsible_ and well-educated IT representative should
> form his own intelligent opinions, instead of trying to
> blindly corporate guidelines which are possibly _impossible_
> to instantiate.

Oh, this guy isn't frightened of change, so I'm just trying to build the
best case I can for his accepting FreeBSD. He seems very reasonable, and I'm
sure will be able to make an informed decision based on what I tell him, and
his own knowledge and experience. To be honest, when I asked him for a UNIX
workstation, I was expecting him to just laugh at me, so to be given the
opportunity to make a case for FreeBSD came as a very welcome surprise.

> 
> 
> 
> My idea for a solution: You can use a file access monitor
> (FAM) to detect when a new file enters the system, and then
> immediately have it scanned by a virus scanner you have
> already installed from ports.

Yep - exactly the solution that occurred to me a few minutes ago. A project
for the weekend!  Because looking after a 6-month-old baby doesn't take up
all our time...

> 
> 
> 
> Next issue: "You need a virus scanner that inspects network
> packets!" :-)

lol. Don't! Like I said, I'm just a code jockey in the content development
department - all that stuff happens way up there, out of sight of us mere
bottom-dwellers!

Cheers,

Dan

-- 
Daniel Bye
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \




Re: On-access AV scanning

2012-07-27 Thread Damien Fleuriot


On 7/27/12 1:47 PM, Daniel Bye wrote:
> On Fri, Jul 27, 2012 at 07:19:45AM -0400, Daniel Feenberg wrote:
>>
>>
>> On Fri, 27 Jul 2012, Daniel Bye wrote:
>>
>>> On Fri, Jul 27, 2012 at 12:51:04PM +0200, Wojciech Puchar wrote:
>>>>> Are there any current options available to support on-access antivirus
>>>>> scanning on FreeBSD?
>>>>>
>>>> FreeBSD doesn't need this as there are no viruses on that system.
>>>
>>> Well, thanks.
>>>
>>>>
>>>>> And yes, I know that neither FreeBSD nor Solaris are renowned for their
>>>>> sickly vulnerability to viruses, but we operate in a mixed environment, with
>>>>> a lot of Windows machines and ZFS file systems exported by SMB/CIFS, so we
>>>>> need the AV to ensure any viruses are stopped before they infect a
>>>>> susceptible machine.  It seems a small price to pay to finally get a decent
>>>>> workstation!
>>>> No idea - YOU will not spread viruses, and viruses from other
>>>> winstations will not affect you.
>>>>
>>>> so just install antivirus software on winstations.
>>>>
>>>> Or finally educate users as it is really simple to avoid viruses
>>>> even with windows
>>>
>>> I refer you to the part where I specifically talk about our corporate IT
>>> policy. All desktops/workstations (that is, all of them, every single one),
>>> must have AV software running on them. There will be no exceptions, on pain
>>
>> Well, there is AV software for FreeBSD - we use Kaspersky on our
>> FreeBSD based mailserver, but the viruses it looks for are Windows
>> viruses. I don't know if that will satisfy your IT policy. Maybe you
>> should be looking at Cygwin? Or, can FreeBSD run under HyperV?
> 
> Thanks, Daniel. I have looked at Kaspersky, and various others, but the main
> sticking point, as I see it, is that there is no on-access scanning
> capability in any of the AV packages available for FreeBSD.  It's not
> essential to build my case, but it would certainly strengthen it.  I use
> ClamAV on my home mail server, and it works well.  I have also tested it out
> on a desktop machine to run on-demand scans, and it works just fine, and
> doesn't impose so much of a load as to be a nuisance.
> 
> We have had a couple of virus outbreaks recently, so this is quite a high
> profile concern around here at the moment. The CIO is from a technical
> background, so I might well be able to convince him of FreeBSD's strengths
> as a very secure system, but I will still need to accede to the IT policy,
> sadly - no way around it.
> 
> Dan
> 



FUSE ClamFS


But then, FUSE... ew...


Re: On-access AV scanning

2012-07-27 Thread Daniel Feenberg



On Fri, 27 Jul 2012, Daniel Bye wrote:

>On Fri, Jul 27, 2012 at 12:51:04PM +0200, Wojciech Puchar wrote:
>>>Are there any current options available to support on-access antivirus
>>>scanning on FreeBSD?
>>>
>>FreeBSD doesn't need this as there are no viruses on that system.
>
>Well, thanks.
>
>>
>>>And yes, I know that neither FreeBSD nor Solaris are renowned for their
>>>sickly vulnerability to viruses, but we operate in a mixed environment, with
>>>a lot of Windows machines and ZFS file systems exported by SMB/CIFS, so we
>>>need the AV to ensure any viruses are stopped before they infect a
>>>susceptible machine.  It seems a small price to pay to finally get a decent
>>>workstation!
>>No idea - YOU will not spread viruses, and viruses from other
>>winstations will not affect you.
>>
>>so just install antivirus software on winstations.
>>
>>Or finally educate users as it is really simple to avoid viruses
>>even with windows
>
>I refer you to the part where I specifically talk about our corporate IT
>policy. All desktops/workstations (that is, all of them, every single one),
>must have AV software running on them. There will be no exceptions, on pain

Well, there is AV software for FreeBSD - we use Kaspersky on our FreeBSD
based mailserver, but the viruses it looks for are Windows viruses. I
don't know if that will satisfy your IT policy. Maybe you should be
looking at Cygwin? Or, can FreeBSD run under HyperV?


daniel feenberg
NBER


>of dismissal. I don't want to lose my job, because you said I didn't need AV
>software.
>
>--
>Daniel Bye
>_
> ASCII ribbon campaign ( )
>- against HTML, vCards and  X
>   - proprietary attachments in e-mail / \



Re: On-access AV scanning

2012-07-27 Thread Daniel Bye
On Fri, Jul 27, 2012 at 07:19:45AM -0400, Daniel Feenberg wrote:
> 
> 
> On Fri, 27 Jul 2012, Daniel Bye wrote:
> 
> >On Fri, Jul 27, 2012 at 12:51:04PM +0200, Wojciech Puchar wrote:
> >>>Are there any current options available to support on-access antivirus
> >>>scanning on FreeBSD?
> >>>
> >>FreeBSD doesn't need this as there are no viruses on that system.
> >
> >Well, thanks.
> >
> >>
> >>>And yes, I know that neither FreeBSD nor Solaris are renowned for their
> >>>sickly vulnerability to viruses, but we operate in a mixed environment, 
> >>>with
> >>>a lot of Windows machines and ZFS file systems exported by SMB/CIFS, so we
> >>>need the AV to ensure any viruses are stopped before they infect a
> >>>susceptible machine.  It seems a small price to pay to finally get a decent
> >>>workstation!
> >>No idea - YOU will not spread viruses, and viruses from other
> >>winstations will not affect you.
> >>
> >>so just install antivirus software on winstations.
> >>
> >>Or finally educate users as it is really simple to avoid viruses
> >>even with windows
> >
> >I refer you to the part where I specifically talk about our corporate IT
> >policy. All desktops/workstations (that is, all of them, every single one),
> >must have AV software running on them. There will be no exceptions, on pain
> 
> Well, there is AV software for FreeBSD - we use Kaspersky on our
> FreeBSD based mailserver, but the viruses it looks for are Windows
> viruses. I don't know if that will satisfy your IT policy. Maybe you
> should be looking at Cygwin? Or, can FreeBSD run under HyperV?

Thanks, Daniel. I have looked at Kaspersky, and various others, but the main
sticking point, as I see it, is that there is no on-access scanning
capability in any of the AV packages available for FreeBSD.  It's not
essential to build my case, but it would certainly strengthen it.  I use
ClamAV on my home mail server, and it works well.  I have also tested it out
on a desktop machine to run on-demand scans, and it works just fine, and
doesn't impose so much of a load as to be a nuisance.

We have had a couple of virus outbreaks recently, so this is quite a high
profile concern around here at the moment. The CIO is from a technical
background, so I might well be able to convince him of FreeBSD's strengths
as a very secure system, but I will still need to accede to the IT policy,
sadly - no way around it.

Dan

-- 
Daniel Bye
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \




Re: On-access AV scanning

2012-07-27 Thread Polytropon
On Fri, 27 Jul 2012 12:00:19 +0100, Daniel Bye wrote:
> All desktops/workstations (that is, all of them, every single one),
> must have AV software running on them. There will be no exceptions, on pain
> of dismissal.

Why is the AV software running on FreeBSD not sufficient in
the opinion of your superior (or by the guidelines of the
corporate directives)?

And those who bring a smartphone to work (private or company
use), how do they run AV software on those _IT devices_? :-)

Oh, and how is AV software brought to the company network
printers, the LAN gear and WLAN APs and everything else
that can be infected, exploited, ruined or damaged?

Or do they simply not count as "desktop/workstation" as you
mentioned? In that case: Happy attack vectors. :-)



Excuse my sarcasm, but there's a little truth in it, when
seen from an IT security point of view.



Really, I _do_ understand your problem (or better the problems
others created for you). Try to get more specific statements
to what kind of AV software with which "action attributes" is
required and try to construct a solution that will be sufficient
in the _view_ of the responsible superiors. The less they do
actually understand, the easier it should be. FreeBSD does
_have_ AV software, but not _for_ FreeBSD per se (as it cannot
be infected by viruses, trojans and malware that are designed
explicitly for "Windows" platforms), but it can very well
detect them. This all still does not help against human
stupidity.

Feel free to show this article and make use of its arguments:

Robert McMillan: Is Antivirus Software a Waste of Money?

http://www.wired.com/wiredenterprise/2012/03/antivirus/

A _responsible_ and well-educated IT representative should
form his own intelligent opinions, instead of trying to
blindly corporate guidelines which are possibly _impossible_
to instantiate.



My idea for a solution: You can use a file access monitor
(FAM) to detect when a new file enters the system, and then
immediately have it scanned by a virus scanner you have
already installed from ports.



Next issue: "You need a virus scanner that inspects network
packets!" :-)


-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
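
One way to wire up the "detect new files, then scan them" idea from the message above, as an added example that is not part of the thread. It assumes ClamAV's clamdscan as the scanner and uses find(1) polling in place of a FAM event feed; the paths, variables and function names are hypothetical.

```sh
#!/bin/sh
# Added example, not code from the thread: scan files as they arrive.
# Assumptions: clamdscan (ClamAV port) is the scanner and exits 0 = clean,
# 1 = infected, anything else = error. Paths, variable names and function
# names are hypothetical. Polling with find(1) stands in for a FAM event feed.
# The quarantine directory and stamp file must live outside the watched tree.
# File names containing newlines are not handled by the read loop.

SCANNER=${SCANNER:-"clamdscan --no-summary"}
QUARANTINE=${QUARANTINE:-/var/quarantine}
SETTLE=${SETTLE:-1}      # seconds; see scan_new_files
INTERVAL=${INTERVAL:-10} # seconds between passes

# scan_file PATH: returns 0 clean, 1 infected and quarantined, 2 error.
scan_file() {
    src=0
    $SCANNER "$1" </dev/null >/dev/null 2>&1 || src=$?
    case $src in
        0) return 0 ;;
        1) mkdir -p "$QUARANTINE" && chmod 700 "$QUARANTINE" || return 2
           dest=$(mktemp "$QUARANTINE/q.XXXXXXXX") || return 2
           mv -f -- "$1" "$dest" && chmod 000 "$dest" || return 2
           echo "$(date -u +%FT%TZ) INFECTED $1 -> $dest" >>"$QUARANTINE/log"
           return 1 ;;
        *) return 2 ;;   # scanner failure is never treated as "clean"
    esac
}

# scan_new_files DIR STAMP: scan every regular file modified since STAMP.
# Prints "clean=N infected=N errors=N"; returns non-zero if any scan failed.
scan_new_files() {
    dir=$1 stamp=$2 clean=0 infected=0 errors=0
    # The next stamp is taken before listing, then we wait one tick, so a
    # file written during this pass is always strictly newer than it and is
    # picked up (or re-scanned, if it was still being written) next pass.
    next=$(mktemp "$stamp.XXXXXX") || return 2
    list=$(mktemp "$stamp.list.XXXXXX") || { rm -f "$next"; return 2; }
    sleep "$SETTLE"
    if [ -e "$stamp" ]; then
        find "$dir" -type f -newer "$stamp" -print >"$list" || errors=1
    else
        find "$dir" -type f -print >"$list" || errors=1   # first pass: everything
    fi
    while IFS= read -r f; do
        [ -f "$f" ] || continue          # vanished since the listing
        rc=0
        scan_file "$f" || rc=$?
        case $rc in
            0) clean=$((clean + 1)) ;;
            1) infected=$((infected + 1)) ;;
            *) errors=$((errors + 1)) ;;
        esac
    done <"$list"
    rm -f "$list"
    # Advance the stamp only after an error-free pass, so files the scanner
    # could not check are retried instead of silently skipped.
    if [ "$errors" -eq 0 ]; then mv -f "$next" "$stamp"; else rm -f "$next"; fi
    echo "clean=$clean infected=$infected errors=$errors"
    [ "$errors" -eq 0 ]
}

watch_loop() {
    while :; do
        scan_new_files "$1" "$2" || echo "scan errors, will retry" >&2
        sleep "$INTERVAL"
    done
}

# Usage (constructed paths): sh onaccess.sh watch /srv/share /var/db/onaccess.stamp
case "${1:-}" in watch) watch_loop "$2" "$3" ;; esac
```

This scans a file after it has landed rather than blocking the open, so it narrows the exposure window but does not give the interception that Dazuko or ClamFS aim for.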


Re: On-access AV scanning

2012-07-27 Thread Daniel Bye
On Fri, Jul 27, 2012 at 12:51:04PM +0200, Wojciech Puchar wrote:
> >Are there any current options available to support on-access antivirus
> >scanning on FreeBSD?
> >
> FreeBSD doesn't need this as there are no viruses on that system.

Well, thanks.

> 
> >And yes, I know that neither FreeBSD nor Solaris are renowned for their
> >sickly vulnerability to viruses, but we operate in a mixed environment, with
> >a lot of Windows machines and ZFS file systems exported by SMB/CIFS, so we
> >need the AV to ensure any viruses are stopped before they infect a
> >susceptible machine.  It seems a small price to pay to finally get a decent
> >workstation!
> No idea - YOU will not spread viruses, and viruses from other
> winstations will not affect you.
> 
> so just install antivirus software on winstations.
> 
> Or finally educate users as it is really simple to avoid viruses
> even with windows

I refer you to the part where I specifically talk about our corporate IT
policy. All desktops/workstations (that is, all of them, every single one),
must have AV software running on them. There will be no exceptions, on pain
of dismissal. I don't want to lose my job, because you said I didn't need AV
software.

-- 
Daniel Bye
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \




Re: On-access AV scanning

2012-07-27 Thread Wojciech Puchar

>Are there any current options available to support on-access antivirus
>scanning on FreeBSD?
>
FreeBSD doesn't need this as there are no viruses on that system.

>And yes, I know that neither FreeBSD nor Solaris are renowned for their
>sickly vulnerability to viruses, but we operate in a mixed environment, with
>a lot of Windows machines and ZFS file systems exported by SMB/CIFS, so we
>need the AV to ensure any viruses are stopped before they infect a
>susceptible machine.  It seems a small price to pay to finally get a decent
>workstation!
No idea - YOU will not spread viruses, and viruses from other winstations
will not affect you.

so just install antivirus software on winstations.

Or finally educate users as it is really simple to avoid viruses even
with windows



On-access AV scanning

2012-07-27 Thread Daniel Bye
Are there any current options available to support on-access antivirus
scanning on FreeBSD?

security/dazuko doesn't build on FreeBSD more recent than 8[0], so that's a
non-starter, and it looks as if the FreeBSD zfs implementation lacks support
for the vscan property[1], so using vscan with c-icap[2] is apparently not
an option, either. I am in no way clever enough to even consider attempting
to add vscan support.

I met the new CIO of my company yesterday, and out of that conversation, I
am putting together a case for getting a FreeBSD or Solaris workstation to
replace the aged Windows XP machine I've been on for the last three years. 
My first choice would be FreeBSD, but I need to convince him that AV
provisions are adequate to meet corporate IT policy guidelines.  With the
hardware specifications we are looking at, it would be possible to configure
a full, on-demand scan every few hours, but on-access capability would be
nice.

And yes, I know that neither FreeBSD nor Solaris are renowned for their
sickly vulnerability to viruses, but we operate in a mixed environment, with
a lot of Windows machines and ZFS file systems exported by SMB/CIFS, so we
need the AV to ensure any viruses are stopped before they infect a
susceptible machine.  It seems a small price to pay to finally get a decent
workstation!

Thanks for any hints,

Dan

[0]: security/dazuko/Makefile:22
[1]: cddl/contrib/opensolaris/lib/libzfs/common/libzfs_dataset.c:1456-1461
 (FreeBSD 9.1-PRERELEASE from two days ago)
[2]: https://www.sunwfrk.com/2009/04/19/zfs-with-on-access-virus-scan/


-- 
Daniel Bye
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \




Apache FCGI in a jail under FBSD 9 won't start due to shared memory creation error

2012-07-27 Thread Chad Leigh Shire . Net LLC
Hi

I run systems using FreeBSD 9.0

FreeBSD utah.XXXcom 9.0-STABLE FreeBSD 9.0-STABLE #1: Wed Mar 21 15:22:14 
MDT 2012 chad@underhill:/usr/obj/usr/src/sys/UNDERHILL-XEN  amd64

and on those systems run a bunch of jails.  I have Apache 2.2 built and running 
in the jail in question, and recently had need to add mod_fcgid to it.  NOTE 
that the Apache and mod_fcgid were not installed through ports or packages.  I 
download the source and build myself (for various reasons).  

Apache inside the Jail, with mod_fcgid enabled will not start:

[Mon Jul 23 10:59:35 2012] [emerg] (78)Function not implemented: mod_fcgid: 
Can't create shared memory for size 1192488 bytes


I did a search on this and found that I would probably need a system kernel 
parameter changed from 0 -> 1

security.jail.sysvipc_allowed

So I did that.  (And restarted the jail).  However, I still get the same error 
when trying to start apache.

I noticed a similar parameter  security.jail.param.allow.sysvipc  but cannot 
change this at run time and did not find anything useful about what this 
parameter is for using a search engine.

(As an aside, how would I change security.jail.sysvipc_allowed   and also 
security.jail.param.allow.sysvipc at boot time?  I added them both to 
/boot/loader.conf but they did not get changed at boot and I had to do the 
security.jail.sysvipc_allowed one again on the command line -- I have some vfs 
type kernel state variables set there and they stick)

I would appreciate some help with getting things set up so that I can run 
apache with mod_fcgid under my Jails on FBSD 9.

Thanks!
Chad




Re: how to speed up port make??

2012-07-27 Thread Wojciech Puchar

>> A few things you could try adding to make.conf:
>> FORCE_MAKE_JOBS=yes
>> MAKE_JOBS_NUMBER=4
>
> I'm not sure this is supported on a _single_ core Pentium 4 CPU
> (or will gain speed if it was "emulated").

MAKE_JOBS_NUMBER=2 makes sense - one process's I/O may overlap with the
other's compute
