iptables - inside accessing outside ip and being bounced back inside

2003-11-28 Thread Hanasaki JiJi
I have a firewall with 2 NICs .. it's running iptables.   The outside
NIC forwards port 80 to an internal webserver on an internal IP.  This
works great.  If an internal host hits the external IP, traffic does
not go to the internal web server.  If an external host hits the
external IP, traffic goes to the internal web server fine.  What iptables
rule will fix this?


External Host - ipOutsideHost-1
|
|
|
Firewall NIC - ipOutsideFW
Firewall NIC - ipInsideFW
|
|
|
Internal Host - ipInsideHost-1
Internal Host - ipInsideHTTPServer-1


Rules are set up for the following and work:
 OK   - ipInsideHost-1  => ipOutsideHost-1
 OK   - ipOutsideHost-1 => ipOutsideFW, forwarded to ipInsideHTTPServer-1
The following fails and is what I need an iptables rule for:
 FAIL - ipInsideHost-1  => ipOutsideFW, forwarded back to ipInsideHTTPServer-1

Any assistance in writing this rule would be appreciated.

Thank you.
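The rule set that addresses the failing case, added here as an example and not taken from the thread (no reply containing the rule is on this page): the missing piece is normally a DNAT rule that also matches connections arriving on the inside NIC, plus an SNAT so the web server's replies return through the firewall. Interface names, the 192.168.1.0/24 network and the 203.0.113.10 external address are placeholders I chose.

```shell
#!/bin/sh
# Hairpin (NAT loopback) rules for the topology drawn above: an inside client
# that connects to ipOutsideFW:80 must end up on ipInsideHTTPServer-1.
# Constructed example; every interface name and address here is an assumption.
EXT_IF=${EXT_IF:-eth0}           # NIC carrying ipOutsideFW
INT_IF=${INT_IF:-eth1}           # NIC carrying ipInsideFW
LAN=${LAN:-192.168.1.0/24}       # internal network
FW_OUT=${FW_OUT:-203.0.113.10}   # ipOutsideFW (placeholder address)
FW_IN=${FW_IN:-192.168.1.1}      # ipInsideFW
WEB=${WEB:-192.168.1.80}         # ipInsideHTTPServer-1
IPT=${IPT:-iptables}             # IPT=echo prints the commands instead

# What the poster already has: outside -> ipOutsideFW:80 -> web server.
# (Reply traffic is assumed to be accepted by whatever FORWARD rules exist.)
existing_forward() {
  $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$FW_OUT" --dport 80 \
    -j DNAT --to-destination "$WEB":80
  $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$WEB" --dport 80 \
    -j ACCEPT
}

# The failing case needs two more NAT rules.
# 1. DNAT for connections that arrive on the *inside* NIC addressed to
#    ipOutsideFW. A PREROUTING rule bound to $EXT_IF, as above, never sees
#    them; if the existing rule is not interface-bound this one is redundant
#    and only rule 2 is missing.
# 2. SNAT those connections to ipInsideFW. Without it the web server answers
#    the client directly from $WEB, the client expected its reply from
#    $FW_OUT, and the TCP handshake never completes. Side effect: the web
#    server logs every inside hit with source $FW_IN.
hairpin_rules() {
  $IPT -t nat -A PREROUTING -i "$INT_IF" -s "$LAN" -p tcp -d "$FW_OUT" \
    --dport 80 -j DNAT --to-destination "$WEB":80
  $IPT -t nat -A POSTROUTING -o "$INT_IF" -s "$LAN" -p tcp -d "$WEB" \
    --dport 80 -j SNAT --to-source "$FW_IN"
  # The DNATed packet leaves on the NIC it arrived on, so FORWARD has to
  # permit inside -> inside for the web port as well.
  $IPT -A FORWARD -i "$INT_IF" -o "$INT_IF" -p tcp -d "$WEB" --dport 80 \
    -j ACCEPT
}

# Self-check: the hairpin set contains exactly one DNAT and one SNAT rule.
# With IPT=echo this inspects the generated commands; on a live box compare
# against "iptables -t nat -S" instead.
count_hairpin_nat_rules() {
  hairpin_rules | grep -c -E -- '-j (DNAT|SNAT)'
}

# "sh hairpin.sh apply" installs the rules; anything else only defines them.
if [ "${1:-}" = "apply" ]; then
  existing_forward
  hairpin_rules
fi
```

Run it with IPT=echo first to preview the exact commands. Split-horizon DNS, where inside hosts resolve the site name to ipInsideHTTPServer-1 directly, avoids hairpin NAT altogether and keeps the real client address in the web server's logs.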



Re: Improved Debian Project Emergency Communications

2003-11-28 Thread Rick Moen
Quoting Roland Mas ([EMAIL PROTECTED]):

> /me suggests the Debian Planet and Debian Help (both .org) websites.
 ^^^

"Session initialisation failed."  Problems?

-- 
Cheers,                     A: No.
Rick Moen                   Q: Should I include quotations after my reply?
[EMAIL PROTECTED]



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]





Re: getting started with SELinux

2003-11-28 Thread Forrest L Norvell
On Fri, Nov 28, 2003 at 11:40:12AM -0500, Colin Walters wrote:
> On Fri, 2003-11-28 at 06:03, Forrest L Norvell wrote:
> > Hi!
> > 
> > I'm attempting to set up an SELinux system using the Debian packages
> > and am unashamed to admit that I'm a little stuck at the moment.
> 
> If you're planning to run a production system, I'd recommend
> starting from Debian woody and Brian May's woody SELinux packages.
> You don't get some of the nice newer features, but it is quite
> stable and works well.
> 
> Certainly I would never run a production system on sarge or sid, but
> some prominent people here disagree, so take it for what it's worth
> :)

I understand, but for a variety of reasons it makes more sense for me
to run this system under sarge (I'm trying to avoid pulling from sid).
So far, things have gone surprisingly, but we'll see if I can get
everything working. ;)

yours,
Forrest

-- 
   . . . the self-reflecting image of a narcotized mind . . .
ozymandias G desiderata [EMAIL PROTECTED] desperate, deathless
(415)823-6356   http://www.pushby.com/forrest/   ::AOAIOXXYSZ::



Re: getting started with SELinux

2003-11-28 Thread Forrest L Norvell
On Fri, Nov 28, 2003 at 11:06:40PM +1100, Russell Coker wrote:
> >  2. When I attempt to boot into my SELinux kernel (all packages,
> > versions, and kernel configuration options at the end of this
> > message), I get an error about being unable to find
> > /usr/bin/load_policy, even with an initrd that uses the script
> > provided by selinux-default-policy. Is there anything special I
> > need to know about building the initrd? I imagine this may be
> 
> Sounds like you have /usr on a separate file system.  If you upgrade to 
> sysvinit 2.85-7.se3 then it should work.

This did the trick, thanks!

> > un  libselinux-dev(no description available)
> > ii  libselinux1   1.2-1.1   SELinux shared libraries
> > un  libselinux1-dev   (no description available)
> > un  old-selinux-policy(no description available)
> > ii  selinux   2003081307-8  Management utilities for
> 
> "selinux" should be removed, it is for the old SE Linux.  It should have been 
> automatically removed because of conflicting with the new packages.

I removed selinux and updated to the new version of coreutils (which
is necessary even though I'm running a 2.4.x kernel -- is this
weird?), which fixed my policy problems, and now I have a policy
installed and loaded. Now I have a question about devfs: I use devfs +
devfsd, but I don't have devfs-se.so, nor do I know where to find
it. selinux-policy-default installs a conf file into devfs's conf
directory that requires it, though. Where do I get devfs-se.so? Do I
need it? Is using devfsd with SELinux silly?

thanks for all the help,
Forrest

-- 
   . . . the self-reflecting image of a narcotized mind . . .
ozymandias G desiderata [EMAIL PROTECTED] desperate, deathless
(415)823-6356   http://www.pushby.com/forrest/   ::AOAIOXXYSZ::









Re: getting started with SELinux

2003-11-28 Thread Peter Busser
Hi!

On Sat, 29 Nov 2003 05:10, "Martin G.H. Minkler" <[EMAIL PROTECTED]> wrote:
>> A little OT, but http://www.adamantix.org 's distro provides everything
>> and more SELinux has to offer while IMHO being a little easier to handle.
> Adamantix is not Debian. The people subscribed to this list are here for 
> Debian security not other OS security.

Adamantix is still Debian, only more secure. One of the enhancements is the use
of SSP: Stack Smashing Protector (also known as ProPolice). It is a patch for
GCC which adds protection against a number of stack overflows. OpenBSD uses it
too, Theo de Raadt even says that it is as good as normal GCC. In Adamantix we
still use GCC 2.95, which has some issues with some C++ code. Other than that,
it works fine. Even the Adamantix kernel has been compiled with SSP.

SSP protects the base pointer and the return address on the stack by placing
a so called canary before these two addresses. When an overflow overwrites the
canary, this will be detected by SSP before the function returns. Thus the
program is terminated before the exploit code is called.

The overhead introduced by SSP is relatively low, because it tries to do some
optimisations. It only adds checking code to functions which it considers
dangerous. The optimisation algorithm is not perfect, and therefore it can
skip functions that need protection. But it is possible to let SSP generate
code for every function, at a higher performance cost of course.

Another useful feature is that SSP reorganises local variables. Arrays are
placed closer to the canary value on the stack. And pointer variables are moved
away (they could be damaged too by overflows that do not overwrite the canary
value). It is therefore more effective than similar solutions that do not
reorder local variables.

SSP is certainly not perfect, it can only stop a limited number of exploits.
But it is not wise to depend on only one security mechanism. Therefore it will
be more effective when used together with a kernel patch like PaX and a
mandatory access control system like RSBAC, like in Adamantix.

Last time I looked, the GCC 3.3 package in Debian already had the patch
included. It is just not enabled by default. Remove one #, rebuild the package
and you can use the stack protector enabled GCC compiler.

You have to watch out though, an SSP compiled object file will require several
symbols that are normally provided when you compile everything with SSP. This
can cause problems when SSP is used to compile a library, but not the main
executable. There are other things to watch out for, like GRUB and the Linux
kernel do not link without adding a few lines of code. Trivial to fix, but
still something to watch out for. Other than that, it has been working fine. I
have not yet seen SSP related problems for packages that compiled successfully,
other than missing symbols when mixing Debian Woody packages with Adamantix
packages.

All in all I can certainly recommend it.

>> Don't want to discourage anybody from SELinux, especially not with
>> kernel 2.6 reaching production status, just my 2c ;-)
> I doubt that there's any risk of that.

It looks like SELinux is an interesting concept, but it is lacking some
important functionality. This is mostly because the LSM concept on which it is
based has a number of problems. See also:

http://www.rsbac.org/lsm.htm
http://www.grsecurity.net/lsm.php

Fortunately, RSBAC is not limited by the limitations of LSM. People who have
used SELinux before using RSBAC told me that RSBAC is easier to use than
SELinux.

Greetings,
Peter Busser
-- 
The Adamantix Project
Taking high-security Linux out of the labs, and into the real world
http://www.adamantix.org/






Re: Improved Debian Project Emergency Communications

2003-11-28 Thread Roland Mas
Karsten M. Self, 2003-11-28 13:30:28 +0100 :

[...]

>   - Where to provide information.  Personal websites and news
>   channels served well, but an advance statement of "here's where
>   you should turn in the event of an emergency" would be useful.

/me suggests the Debian Planet and Debian Help (both .org) websites.
As far as I can see, Debian Planet has had this story since the 22nd
of November.

Roland.
-- 
Roland Mas

Two elephants fell off a cliff.
Boom, boom.



Re: getting started with SELinux

2003-11-28 Thread Russell Coker
On Sat, 29 Nov 2003 05:10, "Martin G.H. Minkler" <[EMAIL PROTECTED]> wrote:
> A little OT, but http://www.adamantix.org 's distro provides everything
> and more SELinux has to offer while IMHO being a little easier to handle.

Adamantix is not Debian.  The people subscribed to this list are here for 
Debian security not other OS security.

> Don't want to discourage anybody from SELinux, especially not with
> kernel 2.6 reaching production status, just my 2c ;-)

I doubt that there's any risk of that.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page






Re: chkrootkit and lkm

2003-11-28 Thread Stephen Gran
This one time, at band camp, Michael Parkinson said:
> 
> Umm, I have the same problem.
> 
> If I kill Exim and Spamassassin no hidden processes reported.
> 
> Under normal load sometimes get 1-7 hidden processes.   Was in a state of
> panic but it does appear that Exim and Spamassassin combined do create false
> positives.

This is a known bug in chkrootkit - there is a race condition in the
code such that on a relatively busy system (or a sluggish one), there is a
difference in the output because of time lag - first it checks ps, then
it checks /proc, and if they disagree, it reports.

> Can this be fixed?

Hopefully.  It is irksome, but not the end of the world.

-- 
 -
|   ,''`.Stephen Gran |
|  : :' :[EMAIL PROTECTED] |
|  `. `'Debian user, admin, and developer |
|`- http://www.debian.org |
 -
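A re-sampling version of the check Stephen describes, added here as an illustration (it is not chkrootkit's code): each pass reads ps first and /proc second, the order that opens the race, and only PIDs absent from ps in both passes are reported, so an Exim or SpamAssassin child that merely started or exited inside the window drops out. The PIDs in the demo input are constructed.

```shell
#!/bin/sh
# Two-pass "hidden process" check. Constructed example for this thread, not
# chkrootkit's own implementation.

# pids_hidden PS_PIDS PROC_PIDS
#   Both arguments are whitespace-separated PID lists. Prints, one per line,
#   the PIDs present in /proc that ps did not list.
pids_hidden() {
  printf '%s\n' $2 | awk -v ps="$1" '
    BEGIN { n = split(ps, a, " "); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
    $1 != "" && !($1 in seen) { print $1 }
  ' | sort -n | uniq
}

# pids_stably_hidden HIDDEN_PASS1 HIDDEN_PASS2
#   Prints only the PIDs that were hidden in both passes. A PID that is
#   hidden once and gone the next time is a process that started or exited
#   between the ps and /proc reads, which is the race described above.
pids_stably_hidden() {
  printf '%s\n' $1 | awk -v other="$2" '
    BEGIN { n = split(other, a, " "); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
    $1 != "" && ($1 in seen) { print $1 }
  ' | sort -n | uniq
}

# One live pass on a real host, deliberately ps-then-/proc so the window is
# the same one chkrootkit has. The ls/grep pipeline's own PIDs show up as
# hidden here (they did not exist when ps ran); that is itself an instance
# of the race, and they differ between passes, so the second pass drops them.
live_hidden_once() {
  ps_pids=$(ps -eo pid= | tr -s ' \n' ' ')
  proc_pids=$(ls /proc | grep -E '^[0-9]+$' | tr '\n' ' ')
  pids_hidden "$ps_pids" "$proc_pids"
}

# Two live passes a second apart; prints PIDs hidden in both.
live_hidden_stable() {
  first=$(live_hidden_once | tr '\n' ' ')
  sleep 1
  second=$(live_hidden_once | tr '\n' ' ')
  pids_stably_hidden "$first" "$second"
}

# Constructed demonstration data (not real system output): during a mail
# burst, children 300/301 appear between the ps and /proc reads of pass 1 and
# child 400 during pass 2, while PID 666 is missing from ps in both passes.
# Only 666 survives the second pass.
demo_stable_hidden() {
  pass1=$(pids_hidden "1 2 100 200" "1 2 100 200 300 301 666" | tr '\n' ' ')
  pass2=$(pids_hidden "1 2 100 200 301" "1 2 100 200 301 400 666" | tr '\n' ' ')
  pids_stably_hidden "$pass1" "$pass2"
}
```

A PID that stays hidden across passes still deserves a look; the re-sampling only removes the transient disagreements, not a process that is being concealed.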







Re: Uhm, so, what happened...?

2003-11-28 Thread Jean Christophe ANDRÉ
On Friday 28 November 2003 at 09:36 (-0500), Stephen Frost wrote:
> > It says "Somehow they got root [...]", does anybody yet know how?
> Did you *read* what they said?

Mhhh... I think so... But I'm not a native English speaker actually... :)
Did I miss something?

I read this: "(I believe) an unknown local root exploit in the wild"
and that: "we try and exhaust all reasonable avenues of investigation
to determine how the attacker went from unprivileged to root."

This is why I asked if somebody already knows...
And this is why I suggested some idea, wishing to help a bit...

> That should only gain group utmp privs on Debian systems, at least from
> what I can tell.  Not sure of the difficulty of going from that to root.

Right, I forgot to check if screen was suid root or not in Debian...
Debian never stops surprising and pleasing me! ;-)
-- 
J.C. "プログフ" ANDRÉ <[EMAIL PROTECTED]> http://www.vn.refer.org/
Regional technical coordinator / Technology associate, Reflets project (CODA)
Agence universitaire de la Francophonie (AuF) / Asia-Pacific Office (BAP)
Postal address: AUF, 21 Lê Thánh Tông, T.T. Hoàn Kiếm, Hà Nội, Việt Nam
Tel.: +84 4 9331108   Fax: +84 4 8247383   Mobile: +84 91 3248747
⎧ Personal note: please avoid sending me PowerPoint or Word files;          ⎫
⎩ see http://www.fsf.org/philosophy/no-word-attachments.fr.html             ⎭




Re: Improved Debian Project Emergency Communications (was Re: communication structures crumbled)

2003-11-28 Thread Ross Boylan
On Fri, Nov 28, 2003 at 04:14:19AM -0800, Karsten M. Self wrote:
> I'll disagree with Martin's comment that the server compromise didn't
> constitute a security issue despite the lack of an archive compromise.
> For someone well versed in Debian procedures, it might have been
> plausible that the archives themselves weren't compromised.  For a
> typical user, I don't think this was the case.  For the typical user's
> management or clients, it's very likely _not_ the case, and a timely
> positive statement of status would be very, very helpful.
> 
> Security affecting Debian servers _potentially_ affects Debian packages.
> As it was, I cleared my locale package cache and stopped updates on
> hearing about the compromise.  It wasn't for another few hours that I
> was aware that the archive was reportedly _not_ compromised.
> 
> In the absence of any information, the security status of Debian project
> packages in the event of a known or rumored server compromise is at best
> unknown.

It wasn't clear to me that the packages that I had downloaded were
safe, and it even wasn't clear after reading that the archives were
safe.  I suggest some phrase like "packages in the debian archive" or
just "debian packages."

The reason is that "archive" usually means something covering
(ancient) history.  I initially thought it referred to the mailing
list archives.  If I'd thought harder, I might have thought it
referred to past debian packages (which I think are provided via
snapshot.debian.org?? I've never used them).

Perhaps I should have known better, but since the confusion seems
pretty easy, and pretty easy to fix, I suggest fixing it if we should
ever have such an unfortunate incident again.

Thanks to all those who worked so hard to detect, and then correct,
this problem.

Ross Boylan










Re: getting started with SELinux

2003-11-28 Thread Martin G.H. Minkler

Alohá!

A little OT, but http://www.adamantix.org 's distro provides everything 
and more SELinux has to offer while IMHO being a little easier to handle.


Don't want to discourage anybody from SELinux, especially not with 
kernel 2.6 reaching production status, just my 2c ;-)


best regards

Martin






Re: Debian servers "hacked"?

2003-11-28 Thread Matt Zimmerman
On Thu, Nov 27, 2003 at 06:03:13AM -0500, Anthony DeRobertis wrote:

> 
> On Nov 26, 2003, at 15:34, Matt Zimmerman wrote:
> >None of those packages are new; they are all from
> >security.debian.org and correspond to security advisories released 
> >since
> >3.0r1.
> 
> Really? There were 13 or so things on 3.0r2 that my machines never 
> picked up from security.debian.org. Don't stable revisions, in general, 
> contain more than fixes for DSA's?

Yes, of course they do.  But in George Georgalis' original message, he was
asking about the messages on debian-changes which listed "stable-security;
urgency=high" changelog entries.  All of those came from
security.debian.org.

-- 
 - mdz



Re: getting started with SELinux

2003-11-28 Thread Colin Walters
On Fri, 2003-11-28 at 06:03, Forrest L Norvell wrote:
> Hi!
> 
> I'm attempting to set up an SELinux system using the Debian packages
> and am unashamed to admit that I'm a little stuck at the moment.

If you're planning to run a production system, I'd recommend starting
from Debian woody and Brian May's woody SELinux packages.
You don't get some of the nice newer features, but it is quite stable
and works well.

Certainly I would never run a production system on sarge or sid, but
some prominent people here disagree, so take it for what it's worth :)










Re: Uhm, so, what happened...?

2003-11-28 Thread Jean Christophe ANDRÉ
On Friday 28 November 2003 at 14:21 (+), Dale Amon wrote:
> > See there: http://www.secunia.com/advisories/10310/
> Yow! TWO GIGABITS OF SEMICOLONS?

2 gigabytes.

> One would think someone would notice an attack like
> that if it ever occurred!

Not necessarily if we can generate it locally, using something like this:
  perl -e 'for($i=1;$i<=2000;$i++){print ";"x100 }' >/dev/pts/0
Of course, you'll have to redirect output if you do it remotely.
But I still think it may be feasible without being noticed...
-- 
J.C. "プログフ" ANDRÉ <[EMAIL PROTECTED]> http://www.vn.refer.org/
Regional technical coordinator / Technology associate, Reflets project (CODA)
Agence universitaire de la Francophonie (AuF) / Bureau Asie-Pacifique (BAP)
Postal address: AUF, 21 Lê Thánh Tông, T.T. Hoàn Kiếm, Hà Nội, Việt Nam
Tel.: +84 4 9331108   Fax: +84 4 8247383   Mobile: +84 91 3248747
⎧ Personal note: please avoid sending me PowerPoint or Word files;      ⎫
⎩ see http://www.fsf.org/philosophy/no-word-attachments.fr.html         ⎭



Re: Uhm, so, what happened...?

2003-11-28 Thread Stephen Frost
* Jean Christophe ANDRÉ ([EMAIL PROTECTED]) wrote:
> On Friday 28 November 2003 at 12:06 (+0100), Boris Stanislavski wrote:
> > Subject: more details on the recent compromise of debian.org machines
> > Date: Fri, 28 Nov 2003 01:04:00 +
> > http://lists.debian.org/debian-devel-announce/2003/debian-devel-announce-200311/msg00012.html
> 
> It says "Somehow they got root [...]", does anybody yet know how?

Did you *read* what they said?

> Maybe because of the last screen local privilege escalation...?
> See there: http://www.secunia.com/advisories/10310/

That should only gain group utmp privs on Debian systems, at least from
what I can tell.  Not sure of the difficulty of going from that to root.

Stephen


signature.asc
Description: Digital signature


Re: Uhm, so, what happened...?

2003-11-28 Thread Dale Amon
On Fri, Nov 28, 2003 at 07:46:45PM +0700, Jean Christophe ANDRÉ wrote:
> Maybe because of the last screen local privilege escalation...?
> See there: http://www.secunia.com/advisories/10310/

Yow! TWO GIGABITS OF SEMICOLONS?

One would think someone would notice an attack like
that if it ever occurred!

-- 
--
   Dale Amon   [EMAIL PROTECTED]   +44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--




Re: More hacked servers?

2003-11-28 Thread Eric LeBlanc
On Fri, 28 Nov 2003, Marcel Hicking wrote:

> I'd definitely prefer to have "them" working on getting things
> up and running again and do the forensics. They should waste a
> minute too much on reports that might prove wrong finally anyway.

Minute? Every minute is crucial... So hmm.. They don't eat, talk with
their family, clean, sleep, etc. since 21 November? :-)

> This would confuse everyone more than it would help.
> And, honestly, doesn't your experience show that wild guesses
> about how long complex things might take nearly always prove
> wrong?

Confuse? Come on... we are more intelligent than that.  At least, their
servers have been compromised, and it's a concern of all of us, because we use
THEIR packages.  I WANT to know what they are actually doing, and maybe not you,
but I'm sure the majority in this ML want to know...

Let me be clear: I don't want details about observations, but WHAT they are
actually doing.

Same as in a company, the manager sometimes wants to know what you do in a
critical situation.  I don't want a report with 100 pages, but 2-3 lines is
sufficient. These servers have been compromised since ~20 November, and we
don't have a word about this, not one.

>
> Why would I want to know who's typing what right now? I'd be
> interested in a all-in-one final report, that's for sure, but
> I'll be happy with this. And in case any urgent security problem
> pops up during investigation I'm pretty sure we'll be
> informed right away. The secteam has done an amazing job in the
> past and I trust them to continue as responsible as before.

I agree with you.


>
> Cheers, Marcel
>

E.
--
Eric LeBlanc
[EMAIL PROTECTED]
--
UNIX is user friendly.
It's just selective about who its friends are.
==





Re: Improved Debian Project Emergency Communications (was Re: communication structures crumbled)

2003-11-28 Thread Dale Amon
On Fri, Nov 28, 2003 at 01:52:14PM +0100, Kjetil Kjernsmo wrote:
> I learnt on /. that it had been a password compromise, so that meant, it 
> was in the generic class of problems. We're always vulnerable towards 
> that. But, we're all likely to be vulnerable to the local exploit used 
> to gain root. Besides, it was /. :-) 

From the report I just read, sniffed password compromise
to get in... but an as yet unknown privilege escalation
from user to root once on board.

-- 
--
   Dale Amon   [EMAIL PROTECTED]   +44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--




Re: Uhm, so, what happened...?

2003-11-28 Thread Jean Christophe ANDRÉ
On Friday 28 November 2003 at 12:06 (+0100), Boris Stanislavski wrote:
> Subject: more details on the recent compromise of debian.org machines
> Date: Fri, 28 Nov 2003 01:04:00 +
> http://lists.debian.org/debian-devel-announce/2003/debian-devel-announce-200311/msg00012.html

It says "Somehow they got root [...]", does anybody yet know how?

Maybe because of the last screen local privilege escalation...?
See there: http://www.secunia.com/advisories/10310/
-- 
J.C. "プログフ" ANDRÉ <[EMAIL PROTECTED]> http://www.vn.refer.org/
Regional technical coordinator / Technology associate, Reflets project (CODA)
Agence universitaire de la Francophonie (AuF) / Bureau Asie-Pacifique (BAP)
Postal address: AUF, 21 Lê Thánh Tông, T.T. Hoàn Kiếm, Hà Nội, Việt Nam
Tel.: +84 4 9331108   Fax: +84 4 8247383   Mobile: +84 91 3248747
⎧ Personal note: please avoid sending me PowerPoint or Word files;      ⎫
⎩ see http://www.fsf.org/philosophy/no-word-attachments.fr.html         ⎭



Re: Improved Debian Project Emergency Communications (was Re: communication structures crumbled)

2003-11-28 Thread Kjetil Kjernsmo
On Friday 28 November 2003 13:14, Karsten M. Self wrote:

>That announcement wasn't delivered for all users until _after_ murphy
>was resurrected.  I myself got the debian-security-announce message
>mailed Nov 21 on 25 Nov 2003 15:16:56 -0800.

Hm, I got that late too, but the (unsigned) announcement got to 
debian-announce before the takedown. 

> First I want to say that the Debian project, in extremely adverse
> circumnstances, comported itself well, disseminated information, if
> not fully effectively, well beyond its nominal capacity with both web
> and email services offline.  Disclosures were timely, informative,
> and helpful, while restraining themselves to established facts and
> working within constraints of an as yet ongoing investigation.   Very
> few organizations can claim as much.  Not only this, but it appears
> at this point that the crown jewels -- the Debian archives and
> mirrored distribution points themselves -- were _not_ compromised.
>  Commendable.

Absolutely!

> I'll disagree with Martin's comment that the server compromise didn't
> constitute a security issue despite the lack of an archive
> compromise. 

> Security affecting Debian servers _potentially_ affects Debian
> packages. 

Yes, and I think the point needs emphasis that even if the archives are 
not compromised, what has happened to the Debian servers is very 
relevant to the security of all Debian users.

My first thought when I heard about the compromise was "ouch, that 
probably means I'm vulnerable too". I considered for a moment taking 
my main server offline. The problem is of course that we all run 
much of the same software that is on the Debian machines. Unless there 
is something generic that is a known problem (such as a sniffed 
password), or something that is special to one of the servers (e.g. 
BTS), the attacker might be able to use the attack he used on the 
Debian servers on pretty much _any_ Debian box. That's really scary. 

I learnt on /. that it had been a password compromise, so that meant, it 
was in the generic class of problems. We're always vulnerable towards 
that. But, we're all likely to be vulnerable to the local exploit used 
to gain root. Besides, it was /. :-) 

For these reasons, I think it is fair to say that any compromise on the 
Debian servers is very relevant to the security of all users. And that 
was the information I was missing earlier, to what extent I would 
myself be vulnerable. 

Also, I'm not a regular IRC user, so it didn't occur to me at the time 
that it was an alternative for gathering information. Besides, how is 
it with signatures on IRC? 

Best,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/   OpenPGP KeyID: 6A6A0BBC





Re: More hacked servers?

2003-11-28 Thread Marcel Hicking
--Thursday, November 27, 2003 12:56:18 -0500 Eric LeBlanc <[EMAIL PROTECTED]>:
> At least, they can keep us informed about their actions... for example:
> 
> 21 sep: hacked, we moved all domain to blah, bluh, blih.
> 22 sep: investigation started, by X, X.  We think it will take X
> hours/day/month/years
> 24 sep: We still investigate, please be patient, we think we will
> terminate that in two hour/day/month/years.
> ...
> 
> and so on, it's not so hard, and it takes 2 minutes or less.

I'd definitely prefer to have "them" working on getting things
up and running again and do the forensics. They should waste a
minute too much on reports that might prove wrong finally anyway.
This would confuse everyone more than it would help.
And, honestly, doesn't your experience show that wild guesses
about how long complex things might take nearly always prove
wrong?

Why would I want to know who's typing what right now? I'd be
interested in an all-in-one final report, that's for sure, but
I'll be happy with this. And in case any urgent security problem
pops up during investigation I'm pretty sure we'll be
informed right away. The secteam has done an amazing job in the
past and I trust them to continue as responsible as before.

Cheers, Marcel


pgpzVq3vHaaS1.pgp
Description: PGP signature


Improved Debian Project Emergency Communications (was Re: communication structures crumbled)

2003-11-28 Thread Karsten M. Self
on Wed, Nov 26, 2003 at 09:30:05AM +0100, Martin Schulze ([EMAIL PROTECTED]) wrote:
> Dan Jacobson wrote:
> > To us debian users, the most notable thing during this break in or
> > whatever episode, is how the communication structures crumbled.
> 
> It had to be re-installed.  You probably know that since you've read
> the announcement we were able to send out before the machine was taken
> down for reinstallation.

That announcement wasn't delivered for all users until _after_ murphy
was resurrected.  I myself got the debian-security-announce message
mailed Nov 21 on 25 Nov 2003 15:16:56 -0800.


> > debian-announce had one message on the 21st, five days ago, saying for
> > more information, see www.debian.org.
> 
> You'll find the same information linked on the front-page.  Since the
> web infrastructure was affected as well, but you already knew that
> since it was mentioned in the announcement, it was not that easy
> updating the web server.  However, after a day we finally managed to
> do that.
> 
> > Nothing special there, so I checked http://www.debian.org/security/,
> > same problem.
> 
> As you know http://www.debian.org/security/ if for security
> announcements regarding the packages Debian distributes.  It has
> nothing to do with the security on the Debian machines.  Hence, it's
> the wrong place.

First I want to say that the Debian project, in extremely adverse
circumstances, comported itself well, disseminated information, if not
fully effectively, well beyond its nominal capacity with both web and
email services offline.  Disclosures were timely, informative, and
helpful, while restraining themselves to established facts and working
within constraints of an as yet ongoing investigation.   Very few
organizations can claim as much.  Not only this, but it appears at this
point that the crown jewels -- the Debian archives and mirrored
distribution points themselves -- were _not_ compromised.  Commendable.

Some bits could be improved, which is what I'm focusing on below.



I'll disagree with Martin's comment that the server compromise didn't
constitute a security issue despite the lack of an archive compromise.
For someone well versed in Debian procedures, it might have been
plausible that the archives themselves weren't compromised.  For a
typical user, I don't think this was the case.  For the typical user's
management or clients, it's very likely _not_ the case, and a timely
positive statement of status would be very, very helpful.

Security affecting Debian servers _potentially_ affects Debian packages.
As it was, I cleared my local package cache and stopped updates on
hearing about the compromise.  It wasn't for another few hours that I
was aware that the archive was reportedly _not_ compromised.

In the absence of any information, the security status of Debian project
packages in the event of a known or rumored server compromise is at best
unknown.



Communications in an emergency situation is paramount, and a number of
people clearly _didn't_ get informed through back channels.  I myself
was _on_ IRC as word started leaking out, and still wasn't fully certain
of what was going on or what to trust.  Wichert's website (which I only
learned was his the 27th!) was very helpful, as was the coverage
provided by Slashdot and elsewhere.

Discussing this with Manoj on IRC, my suggestion as summarized by him is
that Debian should have an emergency response plan, part of which is a
communications policy in the event of a similar future compromise or
systems failure.  Specifically:


  - Triggering events.  There are thresholds below which notifications
needn't be triggered, and above which they very much should.
Suggested:  any event significantly affecting perceptions of
security of the Debian archives or servers.  Any outage of mail,
web, or archive services anticipated to last beyond  .  E.g.:  6-12 hours, across core servers (but not mirrors).
Any core server root compromise.  *Not* single-package issues.
Nuclear war or asteroid strike:  you're on your own.


  - Where to provide information.  Personal websites and news channels
served well, but an advance statement of "here's where you should
turn in the event of an emergency" would be useful.


  - What information to provide.  
  
Specifically, 

- the known (or unknown) status of archive or package compromise.
- diagnostic checks; and/or
- cleanup procedures.  

Wichert's pages on this would be a good template.  

    By "known (or unknown)", I mean:  if the archives are reasonably
known to be safe, or are known to be compromised, this is
communicated.  If an assessment cannot be made with confidence,
_that_ fact should be stated, e.g.:  "the current security of the
archives is unknown".  

By diagnostics and cleanup:  pointers to tools or documentation
explaining how to assess and/or secure a system.  Wipe and rebuild
if necessary.  Again, wiggy.net


Re: getting started with SELinux

2003-11-28 Thread Russell Coker
On Fri, 28 Nov 2003 22:03, Forrest L Norvell <[EMAIL PROTECTED]> wrote:
> /usr/bin/checkpolicy -o policy policy.conf
> /usr/bin/checkpolicy:  loading policy configuration from policy.conf
> ERROR 'attribute file_type is not declared' at token ';' on line 867:
> #
> type device_t, file_type;
> /usr/bin/checkpolicy:  error(s) encountered while parsing

That should be declared at about line 200 in attrib.te.

Try the following:
cd /etc/selinux
make clean
make load

>  2. When I attempt to boot into my SELinux kernel (all packages,
> versions, and kernel configuration options at the end of this
> message), I get an error about being unable to find
> /usr/bin/load_policy, even with an initrd that uses the script
> provided by selinux-default-policy. Is there anything special I
> need to know about building the initrd? I imagine this may be

Sounds like you have /usr on a separate file system.  If you upgrade to 
sysvinit 2.85-7.se3 then it should work.

> un  libselinux-dev(no description available)
> ii  libselinux1   1.2-1.1   SELinux shared libraries
> un  libselinux1-dev   (no description available)
> un  old-selinux-policy(no description available)
> ii  selinux   2003081307-8  Management utilities for

"selinux" should be removed, it is for the old SE Linux.  It should have been 
automatically removed because of conflicting with the new packages.

> CONFIG_SECURITY_DTE=y

You don't want this.  See the attached document (which will be in the next 
version of the kernel-patch-2.4-lsm package).

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
kernel-patch-2.4-lsm for Debian
-

This patch supplies the Linux Security Modules.  It is needed for NSA Security
Enhanced Linux (among other things).

To apply automatically, set PATCH_THE_KERNEL=YES before first running of
make-kpkg (from package: kernel-package) and "make-kpkg clean" to remove.

When configuring your kernel do the following:
(Under Networking Options, enable Network Packet Filtering.
 Under Security Options, enable Capabilities and enable
 both IP Networking and SELinux as built-in options.)


This means having the following in your /usr/src/linux/.config:
CONFIG_NETFILTER=y
CONFIG_INET=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_CAPABILITIES=y
# CONFIG_SECURITY_ROOTPLUG is not set
CONFIG_SECURITY_SELINUX=y

This release of SE Linux depends on XATTRs.  For the Ext3 file system
use the following settings:
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_XATTR_SHARING=y
CONFIG_EXT3_FS_SECURITY=y

The options CONFIG_EXT3_FS_XATTR_USER and CONFIG_EXT3_FS_XATTR_TRUSTED are
not required for SE Linux, but do not do any harm either.

For the DEVPTS file system (required as the new SE Linux does not support
devfs or the old-style /dev/pty) the following options are needed:
CONFIG_DEVPTS_FS=y
CONFIG_DEVPTS_FS_XATTR=y
CONFIG_DEVPTS_FS_SECURITY=y

In the recent kernel patches MLS should be functional, but I have never tested
it...

Also note that the labeled networking code is experimental, and that SE Linux
currently doesn't stack with the other security modules (so turn off OpenWall
and LIDS if you plan to use SE Linux).

The CONFIG_SECURITY_SELINUX_DEVELOP config option allows you to turn the SE
capabilities on and off at run time, I recommend that you use it when first
trying SE Linux (otherwise policy mistakes may prevent your machine from
booting).

The CONFIG_SECURITY_SELINUX_BOOTPARAM config option allows you to entirely
disable the SE Linux code.  If you have development mode turned on and boot
with no policy then the machine will give the same behaviour as a non-SE
machine, however there will be a small (maybe 2%) performance hit.  If you
enable this option and boot with "selinux=0" appended to the kernel command
line then SE Linux will be entirely disabled and the performance hit will be
removed.

If you want to use User-Mode-Linux (UML) with SE Linux then you need to apply
the UML kernel patch, the LSM kernel patch, and an additional patch that can
be found on http://www.coker.com.au/uml/ .

Feel free to ask me if you have any queries about how to do this properly.
Russell Coker
[EMAIL PROTECTED]
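The option lists in the kernel-patch-2.4-lsm README above are easy to get subtly wrong in a hand-edited .config (Forrest's CONFIG_SECURITY_DTE=y being one case). As an added example, not code from the list post or from the kernel-patch-2.4-lsm package, here is a POSIX shell checker that reads a .config, reports every option the README requires that is not built in, and flags the DTE and ROOTPLUG options the thread says to leave unset. The function names and the two sample .config fragments are constructed for this example only.

```shell
#!/bin/sh
# Added example, not from the list post or the kernel-patch-2.4-lsm package:
# check a kernel .config for the SE Linux options the README above lists.
# Function names and the sample configs below are constructed for this example.

# Options the README says must be built in (=y).
REQUIRED_Y="CONFIG_NETFILTER CONFIG_INET CONFIG_SECURITY CONFIG_SECURITY_NETWORK
CONFIG_SECURITY_CAPABILITIES CONFIG_SECURITY_SELINUX
CONFIG_EXT3_FS_XATTR CONFIG_EXT3_FS_XATTR_SHARING CONFIG_EXT3_FS_SECURITY
CONFIG_DEVPTS_FS CONFIG_DEVPTS_FS_XATTR CONFIG_DEVPTS_FS_SECURITY"

# Options that must not be enabled: DTE ("you don't want this" in the reply
# above) and ROOTPLUG (shown as "is not set" in the README).
FORBIDDEN_Y="CONFIG_SECURITY_DTE CONFIG_SECURITY_ROOTPLUG"

# config_value FILE OPTION: print OPTION's value (y, m, or a string), or
# "unset" when the option is absent or appears as "# OPTION is not set".
config_value() {
    _val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    if [ -n "$_val" ]; then
        printf '%s\n' "$_val"
    else
        printf 'unset\n'
    fi
}

# check_selinux_config FILE: print one line per problem; the return value is
# the number of problems found, so 0 means the config matches the README.
check_selinux_config() {
    _cfg=$1
    _problems=0
    for _opt in $REQUIRED_Y; do
        _v=$(config_value "$_cfg" "$_opt")
        if [ "$_v" != y ]; then
            echo "MISSING: $_opt must be y (currently $_v)"
            _problems=$((_problems + 1))
        fi
    done
    for _opt in $FORBIDDEN_Y; do
        _v=$(config_value "$_cfg" "$_opt")
        if [ "$_v" = y ] || [ "$_v" = m ]; then
            echo "UNWANTED: $_opt is $_v; leave it unset"
            _problems=$((_problems + 1))
        fi
    done
    return "$_problems"
}

# write_sample_config FILE good|bad: write a constructed .config fragment
# (not a real kernel config) so the checker can be exercised offline.
write_sample_config() {
    case $2 in
    good)
        cat > "$1" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_INET=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_CAPABILITIES=y
# CONFIG_SECURITY_ROOTPLUG is not set
CONFIG_SECURITY_SELINUX=y
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_XATTR_SHARING=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_DEVPTS_FS=y
CONFIG_DEVPTS_FS_XATTR=y
CONFIG_DEVPTS_FS_SECURITY=y
EOF
        ;;
    bad)
        # Five required options missing or "not set", plus DTE enabled.
        cat > "$1" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_INET=y
CONFIG_SECURITY=y
CONFIG_SECURITY_CAPABILITIES=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_DTE=y
CONFIG_EXT3_FS_XATTR=y
# CONFIG_EXT3_FS_SECURITY is not set
CONFIG_DEVPTS_FS=y
EOF
        ;;
    esac
}

# Run directly on a real tree: sh check_selinux_config.sh /usr/src/linux/.config
if [ $# -gt 0 ] && [ -f "$1" ]; then
    if check_selinux_config "$1"; then
        echo "OK: $1 has every option the README lists"
    fi
fi
```

The checker treats a `# CONFIG_X is not set` line the same as a missing option, and counts a forbidden option built as a module (`=m`) as a problem too, since either way the code would be present. On the constructed "bad" fragment it reports six problems: five required options that are absent or not set and the unwanted CONFIG_SECURITY_DTE=y.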


Re: getting started with SELinux

2003-11-28 Thread Dale Amon
On Fri, Nov 28, 2003 at 03:03:08AM -0800, Forrest L Norvell wrote:
> I know I'm not the first person to encounter this error, because I

Yes, I'm working through some of these issues with 
Russell as we speak. There are errors in 
/etc/mkinitrd/scripts/selinux which builds the initrd 
file.

Also, there are version problems you have to deal with.
I use this /etc/apt/preferences:

Package: *
Pin: release l=etbe
Pin-Priority: 1200

Package: *
Pin: release o=walters
Pin-Priority: 1100

and this /etc/apt/sources.list:

deb http://www.coker.com.au/newselinux/ ./
deb http://web.verbum.org/debian/ ./experimental/
deb http://ftp.nl.debian.org/debian/ sid main non-free contrib
deb http://ftp.nl.debian.org/debian-non-US sid/non-US main contrib non-free

to get the correct login program. Others are using a pam
library solution, but that currently requires manual
intervention to install it: you have to edit two of
the pam.d files and add a line.

You really should be asking this on the selinux list
rather than debian security.

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Improved Debian Project Emergency Communications (was Re: communication structures crumbled)

2003-11-28 Thread Karsten M. Self
on Wed, Nov 26, 2003 at 09:30:05AM +0100, Martin Schulze ([EMAIL PROTECTED]) wrote:
> Dan Jacobson wrote:
> > To us debian users, the most notable thing during this break in or
> > whatever episode, is how the communication structures crumbled.
> 
> It had to be re-installed.  You probably know that since you've read
> the announcement we were able to send out before the machine was taken
> down for reinstallation.

That announcement wasn't delivered for all users until _after_ murphy
was resurrected.  I myself got the debian-security-announce message
mailed Nov 21 on 25 Nov 2003 15:16:56 -0800.


> > debian-announce had one message on the 21st, five days ago, saying for
> > more information, see www.debian.org.
> 
> You'll find the same information linked on the front-page.  Since the
> web infrastructure was affected as well, but you already knew that
> since it was mentioned in the announcement, it was not that easy
> updating the web server.  However, after a day we finally managed to
> do that.
> 
> > Nothing special there, so I checked http://www.debian.org/security/,
> > same problem.
> 
> As you know http://www.debian.org/security/ if for security
> announcements regarding the packages Debian distributes.  It has
> nothing to do with the security on the Debian machines.  Hence, it's
> the wrong place.

First I want to say that the Debian project, in extremely adverse
circumstances, comported itself well, disseminated information, if not
fully effectively, well beyond its nominal capacity with both web and
email services offline.  Disclosures were timely, informative, and
helpful, while restraining themselves to established facts and working
within constraints of an as yet ongoing investigation.   Very few
organizations can claim as much.  Not only this, but it appears at this
point that the crown jewels -- the Debian archives and mirrored
distribution points themselves -- were _not_ compromised.  Commendable.

Some bits could be improved, which is what I'm focusing on below.



I'll disagree with Martin's comment that the server compromise didn't
constitute a security issue despite the lack of an archive compromise.
For someone well versed in Debian procedures, it might have been
plausible that the archives themselves weren't compromised.  For a
typical user, I don't think this was the case.  For the typical user's
management or clients, it's very likely _not_ the case, and a timely
positive statement of status would be very, very helpful.

Security affecting Debian servers _potentially_ affects Debian packages.
As it was, I cleared my locale package cache and stopped updates on
hearing about the compromise.  It wasn't for another few hours that I
was aware that the archive was reportedly _not_ compromised.

In the absence of any information, the security status of Debian project
packages in the event of a known or rumored server compromise is at best
unknown.



Communications in an emergency situation is paramount, and a number of
people clearly _didn't_ get informed through back channels.  I myself
was _on_ IRC as word started leaking out, and still wasn't fully certain
of what was going on or what to trust.  Wichert's website (which I only
learned was his the 27th!) was very helpful, as was the coverage
provided by Slashdot and elsewhere.

Discussing this with Manoj on IRC, my suggestion as summarized by him is
that Debian should have an emergency response plan, part of which is a
communications policy in the event of a similar future compromise or
systems failure.  Specifically:


  - Triggering events.  There are thresholds below which notifications
needn't be triggered, and above which they very much should.
Suggested:  any event significantly affecting perceptions of
security of the Debian archives or servers.  Any outage of mail,
web, or archive services anticipated to last beyond  .  E.g.:  6-12 hours, across core servers (but not mirrors).
Any core server root compromise.  *Not* single-package issues.
Nuclear war or asteroid strike:  you're on your own.


  - Where to provide information.  Personal websites and news channels
served well, but an advance statement of "here's where you should
turn in the event of an emergency" would be useful.


  - What information to provide.  
  
Specifically, 

- the known (or unknown) status of archive or package compromise.
- diagnostic checks; and/or
- cleanup procedures.  

Wichert's pages on this would be a good template.  

By "known (or unknown)", I mean:  if the archives are reasonably
known to be safe, or are known to be compromised, this is
communicated.  If an assessment cannot be made with confidence,
_that_ fact should be stated, e.g.:  "the current security of the
archives is unknown".  

By diagnostics and cleanup:  pointers to tools or documentation
explaining how to assess and/or secure a system.  Wipe and rebuild
if necessary.  Again, wiggy.net 

Re: Uhm, so, what happened...?

2003-11-28 Thread Boris Stanislavski

Kjetil Kjernsmo wrote:
 
I bet there are a lot of users running around scared, not knowing what 
to do really... Any advices for us??




Subject: more details on the recent compromise of debian.org machines
Date: Fri, 28 Nov 2003 01:04:00 +
http://lists.debian.org/debian-devel-announce/2003/debian-devel-announce-200311/msg00012.html

--
cheers,
Boris




Re: strange reboot on woody

2003-11-28 Thread Haim Ashkenazi
François TOURDE wrote:

> On the 12383rd day after the Epoch,
> Haim Ashkenazi wrote:
> 
>> Hi
>>
>> I've got a server at our ISP's server farm which rebooted last night.
>> I've contacted my ISP and no one there did anything; also it wasn't a power
>> failure because the reboot is written in '/var/log/syslog':
>>
>> ...
>> Nov 26 22:26:16 ns-ilweb1 init: Switching to runlevel: 6
>> Nov 26 22:26:19 ns-ilweb1 qmail: 1069878379.427182 status: exiting
>> Nov 26 22:26:20 ns-ilweb1 ntpd[32551]: ntpd exiting on signal 15
>> Nov 26 22:26:22 ns-ilweb1 exiting on signal 15
>> Nov 26 22:28:09 ns-ilweb1 syslogd 1.4.1#10: restart.
>> ...
>>
>> I've run chkrootkit (last version from unstable) and it didn't find
>> anything. I've gone to the logs and didn't see anything suspicious.
>> (messages, wtmp, faillog, authlog, kern.log).
>>
>> also, nothing suspicious in '/root/bash_history'.
>>
>> Is there anything else I can do to check why it rebooted suddenly?
> 
> See if some PowerSaving is connected to the machine, if some ISP's
> admin tried to do CTRL+ALT+DEL on a wrong keyboard, for example.
I've already asked them that, but even if that's what happened, they didn't
tell me.

thanx
--
Haim 
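An added example (not from the thread, and not Haim's or François's code) for the kind of check Haim is after: init writes "Switching to runlevel: 6" (or 0) only when something asked it to change runlevel, such as shutdown(8), telinit or the Ctrl-Alt-Del action, whereas a power loss or kernel panic leaves no such line. The script below lists every runlevel 0/6 switch in a syslog/auth.log stream and the entries in the preceding minutes that account for it (shutdown's own syslog message, or a sudo record of shutdown/reboot/halt/telinit); a switch nothing accounts for is the one to dig into. It assumes the lines are in time order and that the caller supplies the year, since syslog timestamps carry none; the sudo and shutdown lines for the 20th are constructed, the lines for the 26th are the ones Haim posted.

```python
"""Added example, not from the thread: triage unexplained reboots in syslog.

Assumptions: syslog and auth.log lines concatenated in time order; the
year is passed in because classic syslog timestamps do not carry one.
"""
import re
from datetime import datetime, timedelta

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
# init's own record of a reboot (6) or halt (0) request.
RUNLEVEL_RE = re.compile(r"init: Switching to runlevel: (?P<lvl>[06])\b")
# Entries that account for a runlevel change: shutdown(8)'s syslog message,
# or a sudo record of an operator running shutdown/reboot/halt/telinit.
EXPLAINS_RE = re.compile(
    r"shutting down for system (reboot|halt)"
    r"|COMMAND=\S*/(shutdown|reboot|halt|poweroff|telinit|init)\b")


def parse_ts(ts, year):
    """'Nov 26 22:26:16' -> datetime, using the caller-supplied year."""
    return datetime.strptime("%d %s" % (year, ts), "%Y %b %d %H:%M:%S")


def audit_reboots(lines, year=2003, window=timedelta(minutes=5)):
    """Return one dict per runlevel 0/6 switch, with what explains it."""
    events = []
    explaining = []          # (time, message) of shutdown/sudo entries seen
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m.group("ts"), year)
        msg = m.group("msg")
        if EXPLAINS_RE.search(msg):
            explaining.append((ts, msg))
        r = RUNLEVEL_RE.search(msg)
        if r:
            # Only entries inside the window before the switch count.
            cause = [x for t, x in explaining if ts - window <= t <= ts]
            events.append({"time": ts, "host": m.group("host"),
                           "runlevel": r.group("lvl"), "explained_by": cause})
    return events


def report(events):
    """One line per switch, flagging those nothing in the log accounts for."""
    out = []
    for e in events:
        tag = "ok" if e["explained_by"] else "UNEXPLAINED"
        out.append("%-11s %s %s runlevel %s" % (
            tag, e["time"].strftime("%b %d %H:%M:%S"), e["host"], e["runlevel"]))
        for msg in e["explained_by"]:
            out.append("            <- " + msg)
    return out


# Constructed sample: a planned reboot on the 20th (sudo and shutdown lines
# are constructed), followed by the lines Haim posted for the 26th.
SAMPLE_LINES = [
    "Nov 20 03:00:01 ns-ilweb1 sudo:     haim : TTY=pts/0 ; PWD=/root ; "
    "USER=root ; COMMAND=/sbin/shutdown -r now",
    "Nov 20 03:00:02 ns-ilweb1 shutdown[2190]: shutting down for system reboot",
    "Nov 20 03:00:02 ns-ilweb1 init: Switching to runlevel: 6",
    "Nov 20 03:02:11 ns-ilweb1 syslogd 1.4.1#10: restart.",
    "Nov 26 22:26:16 ns-ilweb1 init: Switching to runlevel: 6",
    "Nov 26 22:26:19 ns-ilweb1 qmail: 1069878379.427182 status: exiting",
    "Nov 26 22:26:20 ns-ilweb1 ntpd[32551]: ntpd exiting on signal 15",
    "Nov 26 22:26:22 ns-ilweb1 exiting on signal 15",
    "Nov 26 22:28:09 ns-ilweb1 syslogd 1.4.1#10: restart.",
]

if __name__ == "__main__":
    for line in report(audit_reboots(SAMPLE_LINES)):
        print(line)
```

On a real box, feed it `cat /var/log/syslog /var/log/auth.log | sort -s -k1M -k2n -k3` or the per-day files in order; wtmp (`last -x`) is an independent second source for the same runlevel records.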




Re: getting started with SELinux

2003-11-28 Thread Russell Coker
On Fri, 28 Nov 2003 22:03, Forrest L Norvell <[EMAIL PROTECTED]> wrote:
> /usr/bin/checkpolicy -o policy policy.conf
> /usr/bin/checkpolicy:  loading policy configuration from policy.conf
> ERROR 'attribute file_type is not declared' at token ';' on line 867:
> #
> type device_t, file_type;
> /usr/bin/checkpolicy:  error(s) encountered while parsing

That should be declared at about line 200 in attrib.te.

Try the following:
cd /etc/selinux
make clean
make load

>  2. When I attempt to boot into my SELinux kernel (all packages,
> versions, and kernel configuration options at the end of this
> message), I get an error about being unable to find
> /usr/bin/load_policy, even with an initrd that uses the script
> provided by selinux-default-policy. Is there anything special I
> need to know about building the initrd? I imagine this may be

Sounds like you have /usr on a separate file system.  If you upgrade to 
sysvinit 2.85-7.se3 then it should work.

> un  libselinux-dev(no description available)
> ii  libselinux1   1.2-1.1   SELinux shared libraries
> un  libselinux1-dev   (no description available)
> un  old-selinux-policy(no description available)
> ii  selinux   2003081307-8  Management utilities for

"selinux" should be removed, it is for the old SE Linux.  It should have been 
automatically removed because of conflicting with the new packages.

> CONFIG_SECURITY_DTE=y

You don't want this.  See the attached document (which will be in the next 
version of the kernel-patch-2.4-lsm package).

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
kernel-patch-2.4-lsm for Debian
-

This patch supplies the Linux Security Modules.  It is needed for NSA Security
Enhanced Linux (among other things).

To apply automatically, set PATCH_THE_KERNEL=YES before first running of
make-kpkg (from package: kernel-package) and "make-kpkg clean" to remove.

When configuring your kernel do the following:
(Under Networking Options, enable Network Packet Filtering.
 Under Security Options, enable Capabilities and enable
 both IP Networking and SELinux as built-in options.)


This means having the following in your /usr/src/linux/.config:
CONFIG_NETFILTER=y
CONFIG_INET=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_CAPABILITIES=y
# CONFIG_SECURITY_ROOTPLUG is not set
CONFIG_SECURITY_SELINUX=y

This release of SE Linux depends on XATTR's.  For the Ext3 file system
use the following settings:
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_XATTR_SHARING=y
CONFIG_EXT3_FS_SECURITY=y

The options CONFIG_EXT3_FS_XATTR_USER and CONFIG_EXT3_FS_XATTR_TRUSTED are
not required for SE Linux, but do not do any harm either.

For the DEVPTS file system (required as the new SE Linux does not support
devfs or the old-style /dev/pty) the following options are needed:
CONFIG_DEVPTS_FS=y
CONFIG_DEVPTS_FS_XATTR=y
CONFIG_DEVPTS_FS_SECURITY=y

In the recent kernel patches MLS should be functional, but I have never tested
it...

Also note that the labeled networking code is experimental, and that SE Linux
currently doesn't stack with the other security modules (so turn off OpenWall
and LIDS if you plan to use SE Linux).

The CONFIG_SECURITY_SELINUX_DEVELOP config option allows you to turn the SE
capabilities on and off at run time, I recommend that you use it when first
trying SE Linux (otherwise policy mistakes may prevent your machine from
booting).

The CONFIG_SECURITY_SELINUX_BOOTPARAM config option allows you to entirely
disable the SE Linux code.  If you have development mode turned on and boot
with no policy then the machine will give the same behaviour as a non-SE
machine, however there will be a small (maybe 2%) performance hit.  If you
enable this option and boot with "selinux=0" appended to the kernel command
line then SE Linux will be entirely disabled and the performance hit will be
removed.

If you want to use User-Mode-Linux (UML) with SE Linux then you need to apply
the UML kernel patch, the LSM kernel patch, and an additional patch that can
be found on http://www.coker.com.au/uml/ .

Feel free to ask me if you have any queries about how to do this properly.
Russell Coker
[EMAIL PROTECTED]
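As an added example (not Russell's code and not part of kernel-patch-2.4-lsm), a checker that reads a 2.4 LSM .config and reports which of the options listed in the notes above are missing or built as modules, which other LSMs are enabled (the notes name OpenWall, whose option is CONFIG_SECURITY_OWLSM; the reply above rejects CONFIG_SECURITY_DTE; CONFIG_SECURITY_ROOTPLUG is shown unset in the notes' sample), and whether the two options recommended for a first install are set. It assumes the standard .config syntax and treats an option absent from the file as not set; the constructed sample is the CONFIG OPTIONS excerpt Forrest posted, which omits the netfilter, inet and xattr lines, so those are reported missing as well.

```python
"""Added example, not part of kernel-patch-2.4-lsm: audit a Linux 2.4 LSM
.config against the SE Linux requirements in Russell's notes.

Assumes the usual .config syntax ('CONFIG_X=y', 'CONFIG_X=m',
'# CONFIG_X is not set'); an option absent from the file counts as not set.
"""
import re

# Must be built in (=y): =m or absent fails, as the notes ask for built-ins.
REQUIRED = (
    "CONFIG_NETFILTER", "CONFIG_INET",
    "CONFIG_SECURITY", "CONFIG_SECURITY_NETWORK",
    "CONFIG_SECURITY_CAPABILITIES", "CONFIG_SECURITY_SELINUX",
    "CONFIG_EXT3_FS_XATTR", "CONFIG_EXT3_FS_XATTR_SHARING",
    "CONFIG_EXT3_FS_SECURITY",
    "CONFIG_DEVPTS_FS", "CONFIG_DEVPTS_FS_XATTR", "CONFIG_DEVPTS_FS_SECURITY",
)
# Other LSMs: SE Linux does not stack with them.  OWLSM is OpenWall, DTE is
# the one Russell tells Forrest to drop, ROOTPLUG is unset in the sample.
CONFLICTING = (
    "CONFIG_SECURITY_DTE", "CONFIG_SECURITY_OWLSM", "CONFIG_SECURITY_ROOTPLUG",
)
# Recommended for a first install: run-time enforcing toggle and selinux=0.
RECOMMENDED = (
    "CONFIG_SECURITY_SELINUX_DEVELOP", "CONFIG_SECURITY_SELINUX_BOOTPARAM",
)

_SET = re.compile(r"^(CONFIG_\w+)=(.+)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_config(text):
    """Map option name -> value ('y', 'm', a string, or 'n' for 'is not set')."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def check_selinux_config(text):
    """Return the findings as three lists of option names."""
    opts = parse_config(text)
    return {
        "missing": [o for o in REQUIRED if opts.get(o, "n") != "y"],
        "conflicting": [o for o in CONFLICTING if opts.get(o, "n") != "n"],
        "advisory": [o for o in RECOMMENDED if opts.get(o, "n") != "y"],
    }


def report(text):
    """Human-readable lines, one per finding; an empty list means all clear."""
    r = check_selinux_config(text)
    lines = ["MISSING     %s (must be =y)" % o for o in r["missing"]]
    lines += ["CONFLICTING %s (SE Linux does not stack with other LSMs)" % o
              for o in r["conflicting"]]
    lines += ["ADVISORY    %s (recommended when first trying SE Linux)" % o
              for o in r["advisory"]]
    return lines


# Constructed sample: the CONFIG OPTIONS excerpt from Forrest's post.
FORREST_CONFIG = """\
CONFIG_EXT3_FS_XATTR_USER=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_DEVPTS_FS_SECURITY=y
CONFIG_EXT2_FS_XATTR_USER=y
CONFIG_EXT2_FS_SECURITY=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_CAPABILITIES=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
# CONFIG_SECURITY_SELINUX_MLS is not set
# CONFIG_SECURITY_OWLSM is not set
CONFIG_SECURITY_DTE=y
"""

if __name__ == "__main__":
    import sys
    # Pass a path to audit a real .config; otherwise audit Forrest's excerpt.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else FORREST_CONFIG
    for line in report(text) or ["all clear"]:
        print(line)
```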


getting started with SELinux

2003-11-28 Thread Forrest L Norvell
Hi!

I'm attempting to set up an SELinux system using the Debian packages
and am unashamed to admit that I'm a little stuck at the moment. I
have two problems that I could use some help with:

 1. I've done the bare minimum amount of tweaking of the default
policy beyond answering all the questions about which programs I'd
like to create domains for (i.e. I've assigned the existing users
on the box user_r contexts and given the sysadmins sysadmin_r).
When I try to run "make policy", I'm given this frustrating
message in return:

/usr/bin/checkpolicy -o policy policy.conf
/usr/bin/checkpolicy:  loading policy configuration from policy.conf
ERROR 'attribute file_type is not declared' at token ';' on line 867:
#
type device_t, file_type;
/usr/bin/checkpolicy:  error(s) encountered while parsing
configuration
make: *** [policy] Error 1

I know I'm not the first person to encounter this error, because I
saw someone else with the exact same problem (down to the same
line number) in a posting on the selinux list. Unfortunately,
there was no response archived. Some grepping demonstrated that
file_type was indeed not defined in any of the .te files, but it's
a base type, right? What does this error really mean?

 2. When I attempt to boot into my SELinux kernel (all packages,
versions, and kernel configuration options at the end of this
message), I get an error about being unable to find
/usr/bin/load_policy, even with an initrd that uses the script
provided by selinux-default-policy. Is there anything special I
need to know about building the initrd? I imagine this may be
linked to my lack of a policy, but the message I get is along the
lines of 'sh: line 1: unable to find /usr/bin/load_policy', which
makes me think something else is going on. I have to pass
'selinux=0' on the kernel command line to get the kernel to boot.

Any pointers? I'm really excited about the idea of putting SELinux
into production, but I'm feeling a little stymied right now.

Yours,
Forrest

VERSIONS:

un  libselinux-dev(no description available)
ii  libselinux1   1.2-1.1   SELinux shared libraries
un  libselinux1-dev   (no description available)
un  old-selinux-policy(no description available)
ii  selinux   2003081307-8  Management utilities for NSA 
Security Enhanced Linux
ii  selinux-doc   1.1-1 documentation for 
Security-Enhanced Linux
un  selinux-policy(no description available)
iF  selinux-policy-defaul 1.2.real-7Policy config files and 
management for NSA Security Enhanc
ii  selinux-utils 1.2-1.1   SELinux utility programs
ii  kernel-image-2.4.22   10.03.FLN Linux kernel binary image for 
version 2.4.22.
ii  initrd-tools  0.1.54Tools to generate an initrd 
image.

CONFIG OPTIONS:

CONFIG_EXT3_FS_XATTR_USER=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_DEVPTS_FS_SECURITY=y
CONFIG_EXT2_FS_XATTR_USER=y
CONFIG_EXT2_FS_SECURITY=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_CAPABILITIES=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
# CONFIG_SECURITY_SELINUX_MLS is not set
# CONFIG_SECURITY_OWLSM is not set
CONFIG_SECURITY_DTE=y

-- 
   . . . the self-reflecting image of a narcotized mind . . .
ozymandias G desiderata [EMAIL PROTECTED] desperate, deathless
(415)823-6356   http://www.pushby.com/forrest/   ::AOAIOXXYSZ::



Re: Kernel-Question

2003-11-28 Thread funky soul
hi Matthias,

On Fri, 28 Nov 2003 10:47:50 +0100
Matthias Wieser <[EMAIL PROTECTED]> wrote:

> Does it make sense to use module-disabled kernels to prevent root kits to be
> used with a kernel?

afaik, yes. set CONFIG_MODULES to no. just not compiling any modules is not
enough.

f. soul.

-- 
  ,   , 
 / \GNU's not Unix
((__-^^-,-^^-__)) 
 `-_---' `---_-'  Funky Soul
  `--|o` 'o|--' 
 \  `  /  funkysoul@
  ): :( swissonline.ch
  :o_o: 
   "-" 



Re: Kernel-Question

2003-11-28 Thread Diederik de Vries
On Fri 28-11-2003 at 10:47, Matthias Wieser wrote:

Matthias,

AFAIK NO, it doesn't. There were programs to ENABLE modules on a
module-disabled kernel.

> Does it make sense to use module-disabled kernels to prevent root kits to be
> used with a kernel?
> 
> Thank you, Matthias Wieser

Regards,

Diederik de Vries
Rotterdam, The Netherlands



Re: Kernel-Question

2003-11-28 Thread Giacomo Mulas
On Fri, 28 Nov 2003, Matthias Wieser wrote:

> Does it make sense to use module-disabled kernels to prevent root kits to be
> used with a kernel?

There are other ways to insert code into a running kernel. However, it may
break some automated worms or stop script kiddies who don't quite know
what they are doing and what to do if their module insertion fails. If you
are serious about it, and want to spend the time needed to configure
things properly, use grsecurity or SELinux or similar approaches.

just my 2¢...
Giacomo


-- 
_

Giacomo Mulas <[EMAIL PROTECTED]>
_

OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel. (OAC): +39 070 71180 248 Fax : +39 070 71180 222
Tel. (UNICA): +39 070 675 4916
_

"When the storms are raging around you, stay right where you are"
 (Freddy Mercury)
_



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]






Kernel-Question

2003-11-28 Thread Matthias Wieser
Does it make sense to use module-disabled kernels to prevent root kits to be
used with a kernel?

Thank you, Matthias Wieser






Re: Time for apt-secure?

2003-11-28 Thread Camillo Särs

Bernd Eckenfels wrote:

Developers don't release all binary packages and users normally don't download
source packages. So it is not that easy.


Yes, I did note that "there are many wrinkles to iron out".  That's not the 
point I am trying to make.  I don't think anyone would be foolish enough to 
think apt-secure provides "total security".


What I am suggesting is that it's really silly for Debian not to try to 
benefit from the potential added security that apt-secure could provide.  Much 
of the needed infrastructure is already in place.  Additionally, Debian's 
closely knit social network is ideally suited for a small-scale public-key 
solution.


Unfortunately my current situation does not allow me to sit down and actually 
work on the code.  However, I would be glad to provide ideas and input to 
anyone doing so.  I have some experience in the theory of public key trust 
networks, and would be glad to lend a hand.


Cheers,
Camillo
--
Camillo Särs <[EMAIL PROTECTED]>  **  Aim for the impossible and you
 **   will achieve the improbable.
PGP public key available **



Re: More hacked servers?

2003-11-28 Thread Konstantin Kostadinov
Yes, we wait for some info...
what's up the he** ???
Is this an open source project or not ???, we use it not only for apt-*** tools.



> On Thu, 27 Nov 2003, Dan Jacobson wrote:
> 
> > > So, give the people some time and after the details are disclosed -
> > > learn from their experience and use it in your work.
> >
> > Let's examine natural disasters, e.g. a typhoon.  The pros agree that
> > the public must be able to get to timely reports issued from the
> > disaster control center, via e.g. local radio stations.
> >
> > Here in the debian world, there was one announcement posted on the
> > 21st, then blackness.  One assumes those in charge have been replaced
> > by zombies and the typhoon is headed our way.
> >
> 
> I agree.
> 
> At least, they can keep us informed about their actions... for example:
> 
> 21 sep: hacked, we moved all domain to blah, bluh, blih.
> 22 sep: investigation started, by X, X.  We think it will take X
> hours/day/month/years
> 24 sep: We are still investigating, please be patient, we think we will
> terminate that in two hour/day/month/years.
> ...
> 
> and so on, it's not so hard, and it takes 2 minutes or less.
> 
> E.
> --
> Eric LeBlanc
> [EMAIL PROTECTED]
> --
> UNIX is user friendly.
> It's just selective about who its friends are.
> ==
> 
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 


-- 

Konstantin Kostadinov

Public PGP : http://www.fadata.bg/pgp/konstantinpgp.asc
---

Your business will assume vast proportions.




