Re: how to speed up port make??
A few things you could try adding to make.conf:

    FORCE_MAKE_JOBS=yes
    MAKE_JOBS_NUMBER=4

I'm not sure this is supported on a _single_ core Pentium 4 CPU (or will gain speed if it was emulated).

MAKE_JOBS_NUMBER=2 makes sense - one process I/O may overlap with other compute

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Apache FCGI in a jail under FBSD 9 won't start due to shared memory creation error
Hi

I run systems using FreeBSD 9.0

    FreeBSD utah.XXXcom 9.0-STABLE FreeBSD 9.0-STABLE #1: Wed Mar 21 15:22:14 MDT 2012 chad@underhill:/usr/obj/usr/src/sys/UNDERHILL-XEN amd64

and on those systems run a bunch of jails.

I have Apache 2.2 built and running in the jail in question, and recently had need to add mod_fcgid to it. NOTE that the Apache and mod_fcgid were not installed through ports or packages. I download the source and build myself (for various reasons).

Apache inside the Jail, with mod_fcgid enabled will not start:

    [Mon Jul 23 10:59:35 2012] [emerg] (78)Function not implemented: mod_fcgid: Can't create shared memory for size 1192488 bytes

I did a search on this and found that I would probably need a system kernel parameter changed from 0 - 1

    security.jail.sysvipc_allowed

So I did that. (And restarted the jail). However, I still get the same error when trying to start apache.

I noticed a similar parameter

    security.jail.param.allow.sysvipc

but cannot change this at run time and did not find anything useful about what this parameter is for using a search engine.

(As an aside, how would I change security.jail.sysvipc_allowed and also security.jail.param.allow.sysvipc at boot time? I added them both to /boot/loader.conf but they did not get changed at boot and I had to do the security.jail.sysvipc_allowed one again on the command line -- I have some vfs type kernel state variables set there and they stick)

I would appreciate some help with getting things set up so that I can run apache with mod_fcgid under my Jails on FBSD 9.

Thanks!
Chad

On-access AV scanning
Are there any current options available to support on-access antivirus scanning on FreeBSD? security/dazuko doesn't build on FreeBSD more recent than 8[0], so that's a non-starter, and it looks as if the FreeBSD zfs implementation lacks support for the vscan property[1], so using vscan with c-icap[2] is apparently not an option, either. I am in no way clever enough to even consider attempting to add vscan support.

I met the new CIO of my company yesterday, and out of that conversation, I am putting together a case for getting a FreeBSD or Solaris workstation to replace the aged Windows XP machine I've been on for the last three years. My first choice would be FreeBSD, but I need to convince him that AV provisions are adequate to meet corporate IT policy guidelines. With the hardware specifications we are looking at, it would be possible to configure a full, on-demand scan every few hours, but on-access capability would be nice.

And yes, I know that neither FreeBSD nor Solaris are renowned for their sickly vulnerability to viruses, but we operate in a mixed environment, with a lot of Windows machines and ZFS file systems exported by SMB/CIFS, so we need the AV to ensure any viruses are stopped before they infect a susceptible machine. It seems a small price to pay to finally get a decent workstation!

Thanks for any hints,

Dan

[0]: security/dazuko/Makefile:22
[1]: cddl/contrib/opensolaris/lib/libzfs/common/libzfs_dataset.c:1456-1461 (FreeBSD 9.1-PRERELEASE from two days ago)
[2]: https://www.sunwfrk.com/2009/04/19/zfs-with-on-access-virus-scan/

-- 
Daniel Bye
                                       _
                ASCII ribbon campaign ( )
           - against HTML, vCards and  X
  - proprietary attachments in e-mail / \

Re: On-access AV scanning
> Are there any current options available to support on-access antivirus scanning on FreeBSD?

FreeBSD doesn't need this as there are no viruses on that system.

> And yes, I know that neither FreeBSD nor Solaris are renowned for their sickly vulnerability to viruses, but we operate in a mixed environment, with a lot of Windows machines and ZFS file systems exported by SMB/CIFS, so we need the AV to ensure any viruses are stopped before they infect a susceptible machine. It seems a small price to pay to finally get a decent workstation!

No idea - YOU will not spread wiruses, and viruses from other winstations will not affect you. so just install antivirus software on winstations. Or finally educate users as it is really simple to avoid viruses even with windows

Re: On-access AV scanning
On Fri, Jul 27, 2012 at 12:51:04PM +0200, Wojciech Puchar wrote:

>> Are there any current options available to support on-access antivirus scanning on FreeBSD?
>
> FreeBSD doesn't need this as there are no viruses on that system.

Well, thanks.

>> And yes, I know that neither FreeBSD nor Solaris are renowned for their sickly vulnerability to viruses, but we operate in a mixed environment, with a lot of Windows machines and ZFS file systems exported by SMB/CIFS, so we need the AV to ensure any viruses are stopped before they infect a susceptible machine. It seems a small price to pay to finally get a decent workstation!
>
> No idea - YOU will not spread wiruses, and viruses from other winstations will not affect you. so just install antivirus software on winstations. Or finally educate users as it is really simple to avoid viruses even with windows

I refer you to the part where I specifically talk about our corporate IT policy. All desktops/workstations (that is, all of them, every single one), must have AV software running on them. There will be no exceptions, on pain of dismissal. I don't want to lose my job, because you said I didn't need AV software.

-- 
Daniel Bye
                                       _
                ASCII ribbon campaign ( )
           - against HTML, vCards and  X
  - proprietary attachments in e-mail / \

Re: On-access AV scanning
On Fri, 27 Jul 2012 12:00:19 +0100, Daniel Bye wrote:

> All desktops/workstations (that is, all of them, every single one), must have AV software running on them. There will be no exceptions, on pain of dismissal.

Why is the AV software running on FreeBSD not sufficient in the opinion of your superior (or by the guidelines of the corporate directives)?

And those who bring a smartphone to work (private or company use), how do they run AV software on those _IT devices_? :-)

Oh, and how is AV software brought to the company network printers, the LAN gear and WLAN APs and everything else that can be infected, exploited, ruined or damaged? Or do they simply not count as desktop/workstation as you mentioned? In that case: Happy attack vectors. :-)

Excuse my sarcasm, but there's a little truth in it, when seen from an IT security point of view.

Really, I _do_ understand your problem (or better the problems others created for you). Try to get more specific statements to what kind of AV software with which action attributes is required and try to construct a solution that will be sufficient in the _view_ of the responsible superiors. The less they do actually understand, the easier it should be. FreeBSD does _have_ AV software, but not _for_ FreeBSD per se (as it cannot be infected by viruses, trojans and malware that are designed explicitly for Windows platforms), but it can very well detect them. This all still does not help against human stupidity.

Feel free to show this article and make use of its arguments:

Robert McMillan: Is Antivirus Software a Waste of Money?
http://www.wired.com/wiredenterprise/2012/03/antivirus/

A _responsible_ and well-educated IT representative should form his own intelligent opinions, instead of trying to blindly corporate guidelines which are possibly _impossible_ to instantiate.

My idea for a solution: You can use a file access monitor (FAM) to detect when a new file enters the system, and then immediately have it scanned by a virus scanner you have already installed from ports.

Next issue: You need a virus scanner that inspects network packets! :-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...

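Polytropon's suggestion in the message above (notice new files, then hand them to a scanner installed from ports), written out as an added example that is not from any poster in the thread. It polls with find(1) instead of FAM, so it is periodic scanning of recent changes and not true on-access blocking; the directory arguments, the SCANNER variable and the function names are assumptions.

```sh
#!/bin/sh
# Added example: near-on-access scanning by polling for new or changed files.
# Assumptions (none of these names come from the thread): the three directory
# arguments, the SCANNER variable and the function names are hypothetical.
# SCANNER defaults to ClamAV's clamscan, which exits 0 for a clean file,
# 1 when a signature matches, and with another status on a scanner error.
SCANNER=${SCANNER:-"clamscan --no-summary"}

# scan_pass WATCH_DIR STATE_DIR QUARANTINE_DIR
# Scans every regular file under WATCH_DIR modified since the previous pass.
# Returns 0 if nothing was flagged, 1 if STATE_DIR/report lists findings,
# 2 if the working directories could not be set up.
# QUARANTINE_DIR and STATE_DIR must live outside WATCH_DIR.
scan_pass() {
    watch_dir=$1; state_dir=$2; quarantine=$3
    stamp=$state_dir/last-pass
    next=$state_dir/next-pass
    mkdir -p "$state_dir" "$quarantine" || return 2

    # Take the new timestamp before walking the tree, so a file written
    # while this pass is running is picked up by the following pass.
    : > "$next" || return 2

    # First pass: no stamp yet, so scan everything. Later passes: only files
    # whose mtime is newer than the stamp left by the previous pass.
    if [ -f "$stamp" ]; then set -- -newer "$stamp"; else set --; fi

    # find hands file names to the inner shell as arguments, so names with
    # spaces or newlines are never split or skipped.
    SCANNER=$SCANNER QUARANTINE=$quarantine \
    find "$watch_dir" -type f "$@" -exec sh -c '
        for f in "$@"; do
            $SCANNER "$f" >/dev/null 2>&1
            case $? in
                0) ;;   # clean
                1) echo "INFECTED $f"
                   mv -- "$f" "$QUARANTINE/" || echo "ERROR cannot quarantine $f" ;;
                *) echo "ERROR $f" ;;   # scanner failure is reported, not ignored
            esac
        done' sh {} + > "$state_dir/report"

    mv "$next" "$stamp"
    # Any line in the report means a detection or a scanner failure.
    ! grep -q . "$state_dir/report"
}

# watch_loop WATCH_DIR STATE_DIR QUARANTINE_DIR [SECONDS]
# Repeats scan_pass forever, printing the report whenever it is non-empty.
watch_loop() {
    interval=${4:-30}
    while :; do
        scan_pass "$1" "$2" "$3" || cat "$2/report" >&2
        sleep "$interval"
    done
}
```

A file is readable by other processes (including SMB clients) until the next pass reaches it, so the polling interval is the exposure window.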
Re: On-access AV scanning
On Fri, Jul 27, 2012 at 07:19:45AM -0400, Daniel Feenberg wrote:

> On Fri, 27 Jul 2012, Daniel Bye wrote:
>
>> On Fri, Jul 27, 2012 at 12:51:04PM +0200, Wojciech Puchar wrote:
>>>> Are there any current options available to support on-access antivirus scanning on FreeBSD?
>>>
>>> FreeBSD doesn't need this as there are no viruses on that system.
>>
>> Well, thanks.
>>
>>>> And yes, I know that neither FreeBSD nor Solaris are renowned for their sickly vulnerability to viruses, but we operate in a mixed environment, with a lot of Windows machines and ZFS file systems exported by SMB/CIFS, so we need the AV to ensure any viruses are stopped before they infect a susceptible machine. It seems a small price to pay to finally get a decent workstation!
>>>
>>> No idea - YOU will not spread wiruses, and viruses from other winstations will not affect you. so just install antivirus software on winstations. Or finally educate users as it is really simple to avoid viruses even with windows
>>
>> I refer you to the part where I specifically talk about our corporate IT policy. All desktops/workstations (that is, all of them, every single one), must have AV software running on them. There will be no exceptions, on pain
>
> Well, there is AV software for FreeBSD - we use Kaspersky on our FreeBSD based mailserver, but the viruses it looks for are Windows viruses. I don't know if that will satisfy your IT policy. Maybe you should be looking at Cygwin? Or, can FreeBSD run under HyperV?

Thanks, Daniel. I have looked at Kaspersky, and various others, but the main sticking point, as I see it, is that there is no on-access scanning capability in any of the AV packages available for FreeBSD. It's not essential to build my case, but it would certainly strengthen it. I use ClamAV on my home mail server, and it works well. I have also tested it out on a desktop machine to run on-demand scans, and it works just fine, and doesn't impose so much of a load as to be a nuisance.

We have had a couple of virus outbreaks recently, so this is quite a high profile concern around here at the moment. The CIO is from a technical background, so I might well be able to convince him of FreeBSD's strengths as a very secure system, but I will still need to accede to the IT policy, sadly - no way around it.

Dan

-- 
Daniel Bye
                                       _
                ASCII ribbon campaign ( )
           - against HTML, vCards and  X
  - proprietary attachments in e-mail / \

Re: On-access AV scanning
On Fri, 27 Jul 2012, Daniel Bye wrote:

> On Fri, Jul 27, 2012 at 12:51:04PM +0200, Wojciech Puchar wrote:
>>> Are there any current options available to support on-access antivirus scanning on FreeBSD?
>>
>> FreeBSD doesn't need this as there are no viruses on that system.
>
> Well, thanks.
>
>>> And yes, I know that neither FreeBSD nor Solaris are renowned for their sickly vulnerability to viruses, but we operate in a mixed environment, with a lot of Windows machines and ZFS file systems exported by SMB/CIFS, so we need the AV to ensure any viruses are stopped before they infect a susceptible machine. It seems a small price to pay to finally get a decent workstation!
>>
>> No idea - YOU will not spread wiruses, and viruses from other winstations will not affect you. so just install antivirus software on winstations. Or finally educate users as it is really simple to avoid viruses even with windows
>
> I refer you to the part where I specifically talk about our corporate IT policy. All desktops/workstations (that is, all of them, every single one), must have AV software running on them. There will be no exceptions, on pain

Well, there is AV software for FreeBSD - we use Kaspersky on our FreeBSD based mailserver, but the viruses it looks for are Windows viruses. I don't know if that will satisfy your IT policy. Maybe you should be looking at Cygwin? Or, can FreeBSD run under HyperV?

daniel feenberg
NBER

> of dismissal. I don't want to lose my job, because you said I didn't need AV software.
>
> --
> Daniel Bye
>                                        _
>                 ASCII ribbon campaign ( )
>            - against HTML, vCards and  X
>   - proprietary attachments in e-mail / \

Re: On-access AV scanning
On 7/27/12 1:47 PM, Daniel Bye wrote:

> On Fri, Jul 27, 2012 at 07:19:45AM -0400, Daniel Feenberg wrote:
>
>> On Fri, 27 Jul 2012, Daniel Bye wrote:
>>
>>> On Fri, Jul 27, 2012 at 12:51:04PM +0200, Wojciech Puchar wrote:
>>>>> Are there any current options available to support on-access antivirus scanning on FreeBSD?
>>>>
>>>> FreeBSD doesn't need this as there are no viruses on that system.
>>>
>>> Well, thanks.
>>>
>>>>> And yes, I know that neither FreeBSD nor Solaris are renowned for their sickly vulnerability to viruses, but we operate in a mixed environment, with a lot of Windows machines and ZFS file systems exported by SMB/CIFS, so we need the AV to ensure any viruses are stopped before they infect a susceptible machine. It seems a small price to pay to finally get a decent workstation!
>>>>
>>>> No idea - YOU will not spread wiruses, and viruses from other winstations will not affect you. so just install antivirus software on winstations. Or finally educate users as it is really simple to avoid viruses even with windows
>>>
>>> I refer you to the part where I specifically talk about our corporate IT policy. All desktops/workstations (that is, all of them, every single one), must have AV software running on them. There will be no exceptions, on pain
>>
>> Well, there is AV software for FreeBSD - we use Kaspersky on our FreeBSD based mailserver, but the viruses it looks for are Windows viruses. I don't know if that will satisfy your IT policy. Maybe you should be looking at Cygwin? Or, can FreeBSD run under HyperV?
>
> Thanks, Daniel. I have looked at Kaspersky, and various others, but the main sticking point, as I see it, is that there is no on-access scanning capability in any of the AV packages available for FreeBSD. It's not essential to build my case, but it would certainly strengthen it. I use ClamAV on my home mail server, and it works well. I have also tested it out on a desktop machine to run on-demand scans, and it works just fine, and doesn't impose so much of a load as to be a nuisance.
>
> We have had a couple of virus outbreaks recently, so this is quite a high profile concern around here at the moment. The CIO is from a technical background, so I might well be able to convince him of FreeBSD's strengths as a very secure system, but I will still need to accede to the IT policy, sadly - no way around it.
>
> Dan

FUSE ClamFS

But then, FUSE... ew...

Re: On-access AV scanning
On Fri, Jul 27, 2012 at 01:23:36PM +0200, Polytropon wrote:

> On Fri, 27 Jul 2012 12:00:19 +0100, Daniel Bye wrote:
>> All desktops/workstations (that is, all of them, every single one), must have AV software running on them. There will be no exceptions, on pain of dismissal.
>
> Why is the AV software running on FreeBSD not sufficient in the opinion of your superior (or by the guidelines of the corporate directives)?
>
> And those who bring a smartphone to work (private or company use), how do they run AV software on those _IT devices_? :-)
>
> Oh, and how is AV software brought to the company network printers, the LAN gear and WLAN APs and everything else that can be infected, exploited, ruined or damaged? Or do they simply not count as desktop/workstation as you mentioned? In that case: Happy attack vectors. :-)

Well, no, they don't count, according to our policy, because they're not desktops. I know, I know - but I didn't write the damn policy - I just have to live by it! :-/

> Excuse my sarcasm, but there's a little truth in it, when seen from an IT security point of view.

I know, you make valid points - but I am merely a minor functionary on the content development department, and not a global IT policy maker. If it were up to me, everyone in the company would be on UNIX of some kind or other, but it just isn't up to me. Hopefully, I can convince those that need convincing that what is available is sufficient. I've only been using FreeBSD for the last 13 years, after all, and in that time can count on the fingers of no hands the number of security flaws that have allowed any of the machines under my care to be compromised... I know that's no reason for complacency, and that I have been lucky, but it's still a comforting statistic.

Thanks for your thoughts, guys. Of course, I'm going to extol FreeBSD's virtues (it'd be great to get it in the datacentre, wouldn't it?), and we'll see how we go!

> Really, I _do_ understand your problem (or better the problems others created for you). Try to get more specific statements to what kind of AV software with which action attributes is required and try to construct a solution that will be sufficient in the _view_ of the responsible superiors. The less they do actually understand, the easier it should be. FreeBSD does _have_ AV software, but not _for_ FreeBSD per se (as it cannot be infected by viruses, trojans and malware that are designed explicitly for Windows platforms), but it can very well detect them. This all still does not help against human stupidity.

Aye, quite so. Preaching to the choir, brother.

> Feel free to show this article and make use of its arguments:
>
> Robert McMillan: Is Antivirus Software a Waste of Money?
> http://www.wired.com/wiredenterprise/2012/03/antivirus/

Thanks for the link - I'll certainly have a read of it, and might well drop the link in my email to him.

> A _responsible_ and well-educated IT representative should form his own intelligent opinions, instead of trying to blindly corporate guidelines which are possibly _impossible_ to instantiate.

Oh, this guy isn't frightened of change, so I'm just trying to build the best case I can for his accepting FreeBSD. He seems very reasonable, and I'm sure will be able to make an informed decision based on what I tell him, and his own knowledge and experience. To be honest, when I asked him for a UNIX workstation, I was expecting him to just laugh at me, so to be given the opportunity to make a case for FreeBSD came as a very welcome surprise.

> My idea for a solution: You can use a file access monitor (FAM) to detect when a new file enters the system, and then immediately have it scanned by a virus scanner you have already installed from ports.

Yep - exactly the solution that occurred to me a few minutes ago. A project for the weekend! Because looking after a 6-month-old baby doesn't take up all our time...

> Next issue: You need a virus scanner that inspects network packets! :-)

lol. Don't! Like I said, I'm just a code jockey in the content development department - all that stuff happens way up there, out of sight of us mere bottom-dwellers!

Cheers,

Dan

-- 
Daniel Bye
                                       _
                ASCII ribbon campaign ( )
           - against HTML, vCards and  X
  - proprietary attachments in e-mail / \

Re: On-access AV scanning
Hi,

On Fri, 27 Jul 2012 12:47:29 +0100 Daniel Bye freebsd-questi...@slightlystrange.org wrote:

> On Fri, Jul 27, 2012 at 07:19:45AM -0400, Daniel Feenberg wrote:
>> On Fri, 27 Jul 2012, Daniel Bye wrote:
>>> On Fri, Jul 27, 2012 at 12:51:04PM +0200, Wojciech Puchar wrote:
>>>>> Are there any current options available to support on-access antivirus scanning on FreeBSD?

why should it be available when it is not needed?

>>>> FreeBSD doesn't need this as there are no viruses on that system.

Ok, this is a bad reasoning.

> Thanks, Daniel. I have looked at Kaspersky, and various others, but the main sticking point, as I see it, is that there is no on-access scanning capability in any of the AV packages available for FreeBSD.

You will not find them. The scanners running on FreeBSD are looking for Windows pests.

> It's not essential to build my case, but it would certainly strengthen it. I use ClamAV on my home mail server, and it works well. I have also tested it out on a desktop machine to run on-demand scans, and it works just fine, and doesn't impose so much of a load as to be a nuisance.

Does it scan for FreeBSD viruses? I would wonder.

> We have had a couple of virus outbreaks recently, so this is quite a high profile concern around here at the moment. The CIO is from a technical background, so I might well be able to convince him of FreeBSD's strengths as a very secure system, but I will still need to accede to the IT policy, sadly - no way around it.

You will have to give it a miss then.

The security concepts of FreeBSD are 100% different. They will never match this kind of policy.

Erich

Re: On-access AV scanning
On Fri, Jul 27, 2012 at 01:52:16PM +0200, Damien Fleuriot wrote:

> FUSE ClamFS

Ah, thanks for that. I'll check it out.

> But then, FUSE... ew...

I know. But, if it gets me my workstation... ;-)

Dan

-- 
Daniel Bye
                                       _
                ASCII ribbon campaign ( )
           - against HTML, vCards and  X
  - proprietary attachments in e-mail / \

calculating difference of times
Hello,

Do we have something (in the ports) to calculate easy the difference of two times given as hh:mm - hh:mm? Some hack in bc(1) or something like this?

Well, I could translate the times into UNIX seconds of epoch, build the diff and reconvert, but something more easy (and not in Perl or C, just shell);

thanks

matthias

-- 
Matthias Apitz
e g...@unixarea.de - w http://www.unixarea.de/
UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5

Re: On-access AV scanning
On Fri, Jul 27, 2012 at 07:15:29PM +0700, Erich Dollansky wrote:

> Hi,
>
> On Fri, 27 Jul 2012 12:47:29 +0100 Daniel Bye freebsd-questi...@slightlystrange.org wrote:
>
>> On Fri, Jul 27, 2012 at 07:19:45AM -0400, Daniel Feenberg wrote:
>>> On Fri, 27 Jul 2012, Daniel Bye wrote:
>>>> On Fri, Jul 27, 2012 at 12:51:04PM +0200, Wojciech Puchar wrote:
>>>>>> Are there any current options available to support on-access antivirus scanning on FreeBSD?
>
> why should it be available when it is not needed?

Because the IT policy (currently) requires it. I don't agree with that policy, but there you are - I don't have the authority to simply ignore it.

>>>>> FreeBSD doesn't need this as there are no viruses on that system.
>
> Ok, this is a bad reasoning.
>
>> Thanks, Daniel. I have looked at Kaspersky, and various others, but the main sticking point, as I see it, is that there is no on-access scanning capability in any of the AV packages available for FreeBSD.
>
> You will not find them. The scanners running on FreeBSD are looking for Windows pests.

Yes, I know. But we have petabytes of file systems shared over SMB/CIFS, so if a Windows machine introduces something to the network, it strikes me as reasonable that if my (still putative) FreeBSD system finds it before another Windows system, I have potentially prevented a much wider problem.

>> It's not essential to build my case, but it would certainly strengthen it. I use ClamAV on my home mail server, and it works well. I have also tested it out on a desktop machine to run on-demand scans, and it works just fine, and doesn't impose so much of a load as to be a nuisance.
>
> Does it scan for FreeBSD viruses? I would wonder.

I wouldn't waste your time wondering, if I were you. Of course they *all* look for malware that infests Windows machines. But, that notwithstanding, I have to adhere to the policy, whether I like it or not.

>> We have had a couple of virus outbreaks recently, so this is quite a high profile concern around here at the moment. The CIO is from a technical background, so I might well be able to convince him of FreeBSD's strengths as a very secure system, but I will still need to accede to the IT policy, sadly - no way around it.
>
> You will have to give it a miss then.
>
> The security concepts of FreeBSD are 100% different. They will never match this kind of policy.

Yes, and I am hoping that that fact is enough to persuade him that the current policy (which he inherited, by the way, he didn't have a hand in its establishment) is no longer applicable in an increasingly mixed environment (Polytropon brought up the obvious matter of smartphones and tablets and other devices).

Thanks for your thoughts.

Dan

-- 
Daniel Bye
                                       _
                ASCII ribbon campaign ( )
           - against HTML, vCards and  X
  - proprietary attachments in e-mail / \

calculating difference of times
Matthias Apitz writes:

> Do we have something (in the ports) to calculate easy the difference of two times given as hh:mm - hh:mm? Some hack in bc(1) or something like this?
>
> Well, I could translate the times into UNIX seconds of epoch, build the diff and reconvert, but something more easy (and not in Perl or C, just shell); thanks

I don't know if there's something already available. (Sorry - never had this problem.)

If the format is fixed, then parsing it with awk is trivial. After that, the math should be doable with expr.

Robert Huff

Re: On-access AV scanning
Hi,

On Fri, 27 Jul 2012 13:38:11 +0100 Daniel Bye freebsd-questi...@slightlystrange.org wrote:

> On Fri, Jul 27, 2012 at 07:15:29PM +0700, Erich Dollansky wrote:
>> On Fri, 27 Jul 2012 12:47:29 +0100 Daniel Bye freebsd-questi...@slightlystrange.org wrote:
>>> On Fri, Jul 27, 2012 at 07:19:45AM -0400, Daniel Feenberg wrote:
>>>> On Fri, 27 Jul 2012, Daniel Bye wrote:
>>>>> On Fri, Jul 27, 2012 at 12:51:04PM +0200, Wojciech Puchar wrote:
>>>>>>> Are there any current options available to support on-access antivirus scanning on FreeBSD?
>>
>> why should it be available when it is not needed?
>
> Because the IT policy (currently) requires it. I don't agree with that policy, but there you are - I don't have the authority to simply ignore it.

no, no, I meant why should FreeBSD need them. I am aware of your problem.

> Yes, I know. But we have petabytes of file systems shared over SMB/CIFS, so if a Windows machine introduces something to the network, it strikes me as reasonable that if my (still putative) FreeBSD system finds it before another Windows system, I have potentially prevented a much wider problem.

Why don't you get a FreeBSD machine which scans the network traffic and have some fun with the results?

>> The security concepts of FreeBSD are 100% different. They will never match this kind of policy.
>
> Yes, and I am hoping that that fact is enough to persuade him that the current policy (which he inherited, by the way, he didn't have a hand in its establishment) is no longer applicable in an increasingly mixed environment (Polytropon brought up the obvious matter of smartphones and tablets and other devices).

Why don't you have another try? We use very often a FreeBSD machine with more CPU power as a server and older machines just as thin clients. These machines can be Windows machines running whatever virus scanners you want and an X server (cygwin will do). Your applications run actually on the FreeBSD machine and the Windows machine is only a terminal.

I think that this could match your policy and also shows how pointless the policy is.

Erich

Re: calculating difference of times
On 27/07/2012 13:34, Matthias Apitz wrote:

> Do we have something (in the ports) to calculate easy the difference of two times given as hh:mm - hh:mm? Some hack in bc(1) or something like this?
>
> Well, I could translate the times into UNIX seconds of epoch, build the diff and reconvert, but something more easy (and not in Perl or C, just shell); thanks

Not as such. Generic toolkits for doing time differences are fairly common, but they tend to be a) quite large and b) written in higher level languages than shell. However they usually account for all the annoying corner cases like switching to daylight savings time.

If your times are always going to be strictly hh:mm (24h clock) and you aren't worried about time differences over more than one day, then something like this in shell:

    t1=08:12
    t2=12:08

    # split hh:mm into hours and minutes
    h1=${t1%:*}
    h2=${t2%:*}

    m1=${t1#*:}
    m2=${t2#*:}

    # the expression is quoted so the shell does not expand the '*'
    mdelta=$(echo "$h2 * 60 + $m2 - $h1 * 60 - $m1" | bc)

    hdelta=$(( $mdelta / 60 ))
    mdelta=$(( $mdelta % 60 ))

    tdelta=$(printf "%02d:%02d" $hdelta $mdelta)

This will calculate the duration from 23:59 to 00:01 as -23:58; ie. it assumes both times are on the same calendar day. Coming up with the answer 00:02 is left as an exercise for the student.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey

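The exercise left at the end of the message above (getting 00:02 for 23:59 to 00:01), worked as an added example that is not part of Matthew's post. The function names hhmm_to_min and hhmm_diff are assumptions; an end time earlier than the start time is taken to be on the following day.

```sh
#!/bin/sh
# Added example: hh:mm difference that wraps past midnight, in plain POSIX sh.

# hhmm_to_min HH:MM -> prints minutes since midnight, or fails on bad input.
hhmm_to_min() {
    case $1 in
        [0-9][0-9]:[0-9][0-9]) ;;
        *) echo "bad time: $1" >&2; return 1 ;;
    esac
    h=${1%:*}
    m=${1#*:}
    # Drop one leading zero: $(( )) would read 08 and 09 as invalid octal.
    h=${h#0}
    m=${m#0}
    if [ "$h" -gt 23 ] || [ "$m" -gt 59 ]; then
        echo "out of range: $1" >&2
        return 1
    fi
    echo $(( $h * 60 + $m ))
}

# hhmm_diff START END -> prints the elapsed time from START to END as HH:MM.
# Adding a full day (1440 minutes) before taking the remainder turns a
# negative same-day difference into the next-day one; equal times give 00:00.
hhmm_diff() {
    a=$(hhmm_to_min "$1") || return 1
    b=$(hhmm_to_min "$2") || return 1
    d=$(( ($b - $a + 1440) % 1440 ))
    printf '%02d:%02d\n' $(( $d / 60 )) $(( $d % 60 ))
}
```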
Re: On-access AV scanning
On 27/07/2012 13:15, Erich Dollansky wrote:

> You will not find them. The scanners running on FreeBSD are looking for Windows pests.

> Does it scan for FreeBSD viruses? I would wonder.

AV Scanners are looking for the signature of any known malware. The important word there is 'known' -- it's malware that has come to the attention of the AV software manufacturers and that they have published a fingerprint of. They don't generally work heuristically; ie. so that they could detect and stop a 0-day malware automatically.

Now, as the vast majority of known malware affects Windows -- there are 3 or 4 known worms that used to affect Linux and I think one that would also have affected FreeBSD (but those all relied on old and vulnerable versions of Apache to spread and they are from many years ago in any case) plus a recent virus or two that attacks MacOS X -- then any AV scanner is, pretty much by definition, going to be looking for Windows malware.

In the light of that, the OP's workplace AV policy is clearly nonsensical when applied to a FreeBSD desktop. Scanning shared filesystems at regular intervals and scanning incoming mail or web content is generally sufficient to keep a FreeBSD box clean and also protect a whole network-full of Windows clients that access it as a server from most avenues of infection.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW

Re: Freebsd build problem
reinstalling the sources fixed the problem.
Thanks.

/Venkat

On Thu, Jul 26, 2012 at 5:49 PM, Damien Fleuriot m...@my.gd wrote:

> On 7/26/12 2:08 PM, Venkat Duvvuru wrote:
>> Hi,
>> Please find my responses in line.
>>
>> On Thu, Jul 26, 2012 at 4:57 PM, Damien Fleuriot m...@my.gd wrote:
>>
>>> On 7/26/12 12:48 PM, Venkat Duvvuru wrote:
>>>> Hi,
>>>> I'm unable to compile the kernel code (for that matter any kernel module also). The following is the error. My guess is that it is trying to compile the code for x86 instead of amd64 as you can a symbolic link create for x86 includes. Please suggest the change to be done in order to compile it for amd64.
>>>>
>>>> Uname -a of the system
>>>> FreeBsd 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0: Tue Jun 12 02:52:29 UTC 2012 r...@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
>>>>
>>>> -- stage 3.1: making dependencies --
>>>> cd /usr/obj/usr/src/sys/MYKERNEL; MAKEOBJDIRPREFIX=/usr/obj MACHINE_ARCH=amd64 MACHINE=amd64 CPUTYPE= GROFF_BIN_PATH=/usr/obj/usr/src/tmp/legacy/usr/bin GROFF_FONT_PATH=/usr/obj/usr/src/tmp/legacy/usr/share/groff_font GROFF_TMAC_PATH=/usr/obj/usr/src/tmp/legacy/usr/share/tmac _SHLIBDIRPREFIX=/usr/obj/usr/src/tmp VERSION=FreeBSD 9.0-RELEASE-p3 amd64 900044 INSTALL=sh /usr/src/tools/install.sh PATH=/usr/obj/usr/src/tmp/legacy/usr/sbin:/usr/obj/usr/src/tmp/legacy/usr/bin:/usr/obj/usr/src/tmp/legacy/usr/games:/usr/obj/usr/src/tmp/usr/sbin:/usr/obj/usr/src/tmp/usr/bin:/usr/obj/usr/src/tmp/usr/games:/sbin:/bin:/usr/sbin:/usr/bin NO_CTF=1 make KERNEL=kernel depend -DNO_MODULES_OBJ
>>>> machine - /usr/src/sys/amd64/include
>>>> x86 - /usr/src/sys/x86/include
>>>> cc -c -O2 -frename-registers -pipe -fno-strict-aliasing -std=c99 -g -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -Wundef -Wno-pointer-sign -fformat-extensions -Wmissing-include-dirs -fdiagnostics-show-option -nostdinc -I. -I/usr/src/sys -I/usr/src/sys/contrib/altq -I/usr/src/sys/contrib/ipfilter -I/usr/src/sys/contrib/pf -I/usr/src/sys/dev/ath -I/usr/src/sys/dev/ath/ath_hal -I/usr/src/sys/contrib/ngatm -I/usr/src/sys/dev/twa -I/usr/src/sys/gnu/fs/xfs/FreeBSD -I/usr/src/sys/gnu/fs/xfs/FreeBSD/support -I/usr/src/sys/gnu/fs/xfs -I/usr/src/sys/dev/cxgb -I/usr/src/sys/dev/cxgbe -D_KERNEL -DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h -finline-limit=8000 --param inline-unit-growth=100 --param large-function-growth=1000 -fno-omit-frame-pointer -mno-sse -mcmodel=kernel -mno-red-zone -mno-mmx -msoft-float -fno-asynchronous-unwind-tables -ffreestanding -fstack-protector /usr/src/sys/amd64/amd64/genassym.c
>>>> In file included from ./x86/_align.h:6,
>>>> from ./x86/_align.h:6,
>>>> from ./x86/_align.h:6,
>>>> from ./x86/_align.h:6,
>>>> from ./x86/_align.h:6,
>>>> from ./machine/_align.h:6,
>>>> from ./machine/param.h:46,
>>>> from /usr/src/sys/sys/param.h:115,
>>>> from /usr/src/sys/amd64/amd64/genassym.c:42:
>>>> ./x86/_align.h:6:24: error: #include nested too deeply
>>>> In file included from ./x86/_align.h:6,
>>>> from ./x86/_align.h:6,
>>>> from ./x86/_align.h:6,
>>>> from ./machine/_align.h:6,
>>>> from /usr/src/sys/sys/socket.h:39,
>>>> from /usr/src/sys/amd64/amd64/genassym.c:54:
>>>> ./x86/_align.h:6:24: error: #include nested too deeply
>>>> /usr/src/sys/amd64/amd64/genassym.c:69:25: error: x86/apicreg.h: No such file or directory
>>>> /usr/src/sys/amd64/amd64/genassym.c:230: error: invalid use of undefined type 'struct LAPIC'
>>>> *** Error code 1
>>>> Stop in /usr/obj/usr/src/sys/MYKERNEL.
>>>> *** Error code 1
>>>> Stop in /usr/src.
>>>> *** Error code 1
>>>> Stop in /usr/src.
>>>
>>> The first question that comes to mind is, do you manage to compile a GENERIC kernel ?
>>>
>>> cd /usr/src
>>> make clean
>>> make buildkernel KERNCONF=GENERIC
>>
>> == Yes, all was well with compiling
Re: mc-light with tcsh receives segfault
On 07/26/2012 18:17, Jeff Tipton wrote: Hi, My mc-light doesn't work with tcsh. When I try to launch it: mc Segmentation fault (core dumped) uname -a FreeBSD jeff-netf 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0: Tue Jun 12 01:47:53 UTC 2012 r...@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386 System and ports are all up to date. mc -V The Midnight Commander 4.1.40-pre9 with mouse support on xterm. Edition: text mode. Virtual File System: tarfs, extfs, ftpfs, mcfs. With builtin Editor Using S-lang library with termcap database With subshell support: as default With DUSUM command With support for background operations It works with sh and csh but doesn't with tcsh. Actually, it even works within tcsh, if the SHELL variable is arbitrarily set to /bin/csh. Doesn't matter whether root or a regular user. Any ideas of what might be wrong? Jeff So, no ideas of how to fix mc-light in tcsh?
Re: On-access AV scanning
On 07/27/12 13:14, Daniel Bye wrote: On Fri, Jul 27, 2012 at 01:52:16PM +0200, Damien Fleuriot wrote: FUSE ClamFS Ah, thanks for that. I'll check it out. But then, FUSE... ew... I know. But, if it gets me my workstation... ;-) The wiki suggests that FUSE might be part of release 10: http://wiki.freebsd.org/FreeBSD10 (under Filesystem header), but I gather it's a subject that causes a degree of debate :-} Anyone who knows more about this care to comment?
Re: geli - selecting cipher
On Thu, 26 Jul 2012 17:47:10 +0200 Ivan Voras wrote: On 26/07/2012 04:14, RW wrote: I asked a similar question to the OP's in the geom list and didn't get an answer. Geli doesn't need or isn't using any advantages of XTS. And CBC in geli is actually equivalent to ESSIV (see the previously linked wikipedia page). Hi, You didn't get an answer because in security, the answer depends on exact circumstances of use. The short answer is that if you don't have a specific adversary you need to protect your data from, I'd say that GELI's CBC is good enough for you. Actually the reason I asked is that I wanted to check whether I was overlooking some key advantage of XTS that justified its being the default. AES-XTS was chosen to provide the best protection against modified ciphertext without using authentication which would expand the size of the data. It seems to me that anyone that worries about attackers tampering with a drive should use authentication in geli, and anyone that doesn't should leave it off and use CBC. If you run geli init without -a or -e options, you get AES-XTS without authentication, a default that doesn't seem right for anyone.
Re: mc-light with tcsh receives segfault
Hello, my system doesn't work with tcsh too ( $ uname -a FreeBSD xxx.xx 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0: Thu Jul 5 16:54:22 MSK 2012 root@x:/usr/obj/usr/src/sys/PORT amd64 $ env | grep SHELL SHELL=/bin/tcsh $ mc Segmentation fault $ mc -V The Midnight Commander 4.1.40-pre9 with mouse support on xterm. Edition: text mode. Virtual File System: tarfs, extfs, ftpfs, mcfs. With builtin Editor Using S-lang library with termcap database With subshell support: as default With DUSUM command With support for background operations after setenv SHELL /bin/csh mc-light is running normally 27.07.2012 18:08, Jeff Tipton wrote: On 07/26/2012 18:17, Jeff Tipton wrote: Hi, My mc-light doesn't work with tcsh. When I try to launch it: mc Segmentation fault (core dumped) uname -a FreeBSD jeff-netf 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0: Tue Jun 12 01:47:53 UTC 2012 r...@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386 System and ports are all up to date. mc -V The Midnight Commander 4.1.40-pre9 with mouse support on xterm. Edition: text mode. Virtual File System: tarfs, extfs, ftpfs, mcfs. With builtin Editor Using S-lang library with termcap database With subshell support: as default With DUSUM command With support for background operations It works with sh and csh but doesn't with tcsh. Actually, it even works within tcsh, if the SHELL variable is arbitrarily set to /bin/csh. Doesn't matter whether root or a regular user. Any ideas of what might be wrong? Jeff So, no ideas of how to fix mc-light in tcsh?
Re: On-access AV scanning
--On July 27, 2012 11:43:08 AM +0100 Daniel Bye freebsd-questi...@slightlystrange.org wrote: Are there any current options available to support on-access antivirus scanning on FreeBSD? Clamav. I did some testing several years ago with ClamAV, Sophos and McAfee (scanning incoming mail), and ClamAV was comparable to McAfee in detection rates - over 98%. If you run the daemon you have on access scanning. Seems like that would satisfy the policy. It's in ports, so it should be easy to install and keep up to date. -- Paul Schmehl, Senior Infosec Analyst As if it wasn't already obvious, my opinions are my own and not those of my employer. *** It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead. Thomas Jefferson There are some ideas so wrong that only a very intelligent person could believe in them. George Orwell
Re: On-access AV scanning
On Fri, Jul 27, 2012 at 10:02:26AM -0500, Paul Schmehl wrote: --On July 27, 2012 11:43:08 AM +0100 Daniel Bye freebsd-questi...@slightlystrange.org wrote: Are there any current options available to support on-access antivirus scanning on FreeBSD? Clamav. I use it on my home mail server (I have a Windows machine on my network, so want to trap anything nasty that comes in to protect that). It integrates well with exim's malware ACL checks. I did some testing several years ago with ClamAV, Sophos and McAfee (scanning incoming mail), and ClamAV was comparable to McAfee in detection rates - over 98%. Yes, it's a good product, no doubt. If you run the daemon you have on access scanning. Seems like that would satisfy the policy. No - the daemon only provides on-demand scanning on FreeBSD. That is, it only scans files that are explicitly passed to it by some other process - usually an MTA or the clamscan command line tool. On-access scanning requires an additional layer on top of the file system, which intercepts certain file system operations, sending files transparently to the scanner. Opening a file in your editor, for example, might cause the file to first be scanned before your editor can get it. Likewise, trying to download something from the web in your browser would cause the file to be scanned before it's saved to disk. That's what the dazuko port was for (although it doesn't work on FreeBSD9, and the latest version is a Linux-only rewrite.) As Polytropon pointed out, it should be possible to create a passing approximation by using FAM/Gamin. Thanks, everyone, for all your input. I think I have enough to be able to put a strong case forward. Dan -- Daniel Bye _ ASCII ribbon campaign ( ) - against HTML, vCards and X - proprietary attachments in e-mail / \
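The distinction drawn in the message above, as an added example that is not part of the thread: clamd scans only what another process hands it (here over its INSTREAM command), so a FAM/Gamin-style approximation of on-access scanning needs a watcher that notices changed files and submits them. The names `instream_frames`, `clamd_scan` and `ChangeWatcher`, the socket path and the chunk size are assumptions of this example, and a polling loop stands in for FAM/Gamin notifications.

```python
import os
import socket
import struct

CHUNK = 8192  # assumption: must stay below clamd's StreamMaxLength


def instream_frames(data, chunk=CHUNK):
    """Return the byte frames of one clamd INSTREAM request for `data`."""
    frames = [b"zINSTREAM\0"]  # 'z' prefix: NUL-terminated command and reply
    for off in range(0, len(data), chunk):
        part = data[off:off + chunk]
        frames.append(struct.pack("!I", len(part)) + part)  # 4-byte big-endian length
    frames.append(struct.pack("!I", 0))  # zero-length chunk ends the stream
    return frames


def clamd_scan(path, sock_path="/var/run/clamav/clamd.sock"):
    """On-demand scan: hand one file to a running clamd, return its reply.

    sock_path is an assumed LocalSocket setting; check clamd.conf.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        for frame in instream_frames(data):
            s.sendall(frame)
        reply = s.recv(4096)
    return reply.rstrip(b"\0").decode()  # "stream: OK" or "stream: <name> FOUND"


class ChangeWatcher:
    """Polling stand-in for FAM/Gamin: submits new or modified files to `scan`.

    This reacts after a write has completed; unlike a true on-access layer it
    cannot block the open() or the save until the verdict is in.
    """

    def __init__(self, root, scan=clamd_scan):
        self.root, self.scan, self.seen = root, scan, {}

    def poll(self):
        """Scan every file whose (mtime, size) changed since the last poll."""
        verdicts = {}
        for dirpath, _dirs, files in os.walk(self.root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.stat(path)
                except OSError:
                    continue  # removed between listing and stat
                stamp = (st.st_mtime_ns, st.st_size)
                if self.seen.get(path) != stamp:
                    self.seen[path] = stamp
                    verdicts[path] = self.scan(path)
        return verdicts
```

Calling `ChangeWatcher("/some/share").poll()` from a loop or cron job gives the "passing approximation": files are scanned shortly after they change, not before they can be read.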
Re: how to speed up port make??
On Friday, 27 July 2012 09:22:52 Wojciech Puchar wrote: A few things you could try adding to make.conf: FORCE_MAKE_JOBS=yes MAKE_JOBS_NUMBER=4 I'm not sure this is supported on a _single_ core Pentium 4 CPU (or will gain speed if it was emulated). MAKE_JOBS_NUMBER=2 make sense - one process I/O may overlap with other compute Also, with portbuilder it splits the build process so will fetch (network limited) one port's files while it builds another (CPU limited) and installs another (I/O limited).
Re: geli - selecting cipher
RW rwmailli...@googlemail.com wrote: On Thu, 26 Jul 2012 17:47:10 +0200 Ivan Voras wrote: On 26/07/2012 04:14, RW wrote: I asked a similar question to the OP's in the geom list and didn't get an answer. Geli doesn't need or isn't using any advantages of XTS. And CBC in geli is actually equivalent to ESSIV (see the previously linked wikipedia page). You didn't get an answer because in security, the answer depends on exact circumstances of use. The short answer is that if you don't have a specific adversary you need to protect your data from, I'd say that GELI's CBC is good enough for you. Most answers depend on the circumstances. At least to me this doesn't seem like a good reason to completely ignore questions, even if they are related to security. Saying that geli's CBC implementation is good enough for someone seems to imply that it's somehow worse than XTS in general. Could you please clarify in which scenario you think XTS offers better protection? Actually the reason I asked is that I wanted to check whether I was overlooking some key advantage of XTS that justified its being the default. The rationale of the change isn't clear to me either. Until recently I wasn't aware of the performance impact, though. AES-XTS was chosen to provide the best protection against modified ciphertext without using authentication which would expand the size of the data. It seems to me that anyone that worries about attackers tampering with a drive should use authentication in geli, and anyone that doesn't should leave it off and use CBC. If ZFS is used and checksums aren't disabled, I don't see any advantage of additionally enabling geli's authentication whose protection seems a lot weaker. For tampering resistance I would thus recommend ZFS on geli without authentication in geli. Fabian
Re: On-access AV scanning
Virus scanning should not be your problem. If the Windows users in the organization have an antivirus solution there is no need for you to have one. It doesn't matter if you share files over SAMBA -- when they access the files their virus scanner will check them.
Re: On-access AV scanning
On Fri, 27 Jul 2012 13:10:12 -0500, Mark Felder wrote: Virus scanning should not be your problem. If the Windows users in the organization have an antivirus solution there is no need for you to have one. It doesn't matter if you share files over SAMBA -- when they access the files their virus scanner will check them.

His problem is that there's a corporate regulation of what he has to do, which he needs to obey in order to keep his job. Even though this ruleset contains something stupid (or even impossible), it's a requirement. Of course a stupid one, but it does exist. Surely it would be better for the company that has _admitted_ to have had more than one significant infection to do the simplest, most stupid and absolutely basic tasks:

1. educate users, repeat educating users, continue educating users
2. connect Windows PCs through a non-Windows scanning facility to the Internet; think about who needs Internet and who doesn't
3. limit access to local storage (CD, DVD, USB sticks) and force those to be inserted to the network (e.g. as a CIFS share) again through a non-Windows scanning facility; again think about who should be allowed to enter foreign data to the company network and _how_ it is _required_ to be done
4. consider the whole network, also think about (W)LAN or BT connected smartphones, printers, networking gear
5. learn about viruses, trojans, malware: how they work, how they are used and therefore how to actively act against them
6. understand security as a process, not a stupid list that tells you to have a virus scanner on the system that works on access; now go to item 1 again

Of course, _none_ of those points seems to be on the agenda at the moment. There's still the rule "You must have a virus scanner on your computer that acts as on-access scanner and scans for any viruses." It misses both that FreeBSD is not infectable by Windows viruses, and it does not prevent any non-virus attacks (such as per smartphone, per printer, per human stupidity and carelessness).

So I think Daniel is actually on the best road at the moment. Sure, it won't make _his_ system safer, and it won't make other systems safer, but it will conform to the rules. If he's able to use FAM/Gamin as the on-access part, and a virus scanner he finds suitable for the virus scan part, that should be sufficient.

    if (system_has_scanner && scan_on_access)
        allow_system();
    else if (insist_on_system)
        fire(Daniel);
    else
        deny_system();

Obeying can be fun, if it _is_ that easy. :-) Maybe later on, he can convince his superior to switch on his brain for thinking about the corporate guidelines. It's worth it, and it saves money. I'm confident that it is a chance to finally dump the stupid idea of insisting to have a virus scanner on FreeBSD where there are no viruses it could scan for.

-- Polytropon Magdeburg, Germany Happy FreeBSD user since 4.0 Andra moi ennepe, Mousa, ...
Re: On-access AV scanning
I did some testing several years ago with ClamAV, Sophos and McAfee (scanning incoming mail), and ClamAV was comparable to McAfee in detection rates - over 98%. i use clamav for mail virus checking and IMHO it is the only place where realtime virus checking makes sense. some windows users have NOD32 antivirus and i never got a case that NOD32 detected email virus after clamav filter. Of course this is all windows only problem, unix doesn't have viruses.
Re: geli - selecting cipher
Saying that geli's CBC implementation is good enough for someone seems to imply that it's somehow worse than XTS in general. Could you true. i still don't really understand the difference. I don't need actually anything other than inability to read data from my disk for a potential thief. The rationale of the change isn't clear to me either. Until recently I wasn't aware of the performance impact, though. It is huge 5-8 times depending if you have hardware acceleration or not. AES-CBC is fast enough so encrypting SSD drives makes sense.