Re: Debian Hardened project status.
On Mon, 27 Sep 2004 00:39, Lorenzo Hernandez Garcia-Hierro [EMAIL PROTECTED] wrote:
> > Most of the features you list are things that are difficult to get into Debian/main.
>
> Not really too difficult, it depends on how it gets developed:
> http://www.debian-hardened.org/wiki/index.php/CVS_Development_Organization
> SSP and PIE don't affect the binaries' performance (not seriously), and arbitrary patches get tested before using them. It goes under the lead210 pool before it goes to system-dh.

These things are obviously difficult due to the amount of time that has been spent on them without anything getting into main. The last discussion of SSP resulted in the GCC package maintainers indicating that they wanted to wait for Mudflap; other discussion indicates that Mudflap won't do what we really want in regard to such things (more of a debugging tool than a method of securing production code). So I guess SSP is on hold until after Mudflap.

> About the kernels... the work is in production state; I've currently tested them on some machines, 2 of them are shared environments (software-libre.org, ourproject.org) with user chroots, etc. I've also done the DHKP, but I'm going to remix it and use, instead of the current patches (OW and others), the PaX + RSBAC + SELinux mix.
>
> > You have RSBAC and SE Linux in the same kernel? What's the point?
>
> I haven't done that work, we are just starting to decide what's the painless solution.

Best thing to do is to have separate kernels for GRSEC, RSBAC, and SE Linux.

I am happy to test out all the SE Linux kernels you produce and review all code and configuration that you use. Let me know when you are ready for me to do this.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble?
Contact [EMAIL PROTECTED]
Re: Debian Hardened project status.
On Sun, 26 Sep 2004 07:22, Lorenzo Hernandez Garcia-Hierro [EMAIL PROTECTED] wrote:
> - openssh (I'm working on the patches that bring SecurID token use features, and others from independent hackers)

Most of the features you list are things that are difficult to get into Debian/main. But token based security for openssh is something that seems like it could go in without too much pain. Have you talked to Matthew Vernon about this?

> About the kernels... the work is in production state; I've currently tested them on some machines, 2 of them are shared environments (software-libre.org, ourproject.org) with user chroots, etc. I've also done the DHKP, but I'm going to remix it and use, instead of the current patches (OW and others), the PaX + RSBAC + SELinux mix.

You have RSBAC and SE Linux in the same kernel? What's the point?
Re: Debian Hardened project status.
On Sun, Sep 26, 2004 at 10:02:03PM +1000, Russell Coker wrote:
> On Sun, 26 Sep 2004 07:22, Lorenzo Hernandez Garcia-Hierro [EMAIL PROTECTED] wrote:
> > - openssh (I'm working on the patches that bring SecurID token use features, and others from independent hackers)
>
> Most of the features you list are things that are difficult to get into Debian/main. But token based security for openssh is something that seems like it could go in without too much pain. Have you talked to Matthew Vernon about this?

This is something that should be handled at the pam level and shouldn't require special handling from ssh. (Assuming a good ssh pam implementation.) The last time I looked at the securid pam module from rsa it didn't work with our ssh, but that's because they made it dependent on bugs in ssh pam handling from older versions of ssh. *shrug*

Mike Stone
Re: Debian Hardened project status.
Hi Russell,

On Sun, 26-09-2004 at 14:02, Russell Coker wrote:
> On Sun, 26 Sep 2004 07:22, Lorenzo Hernandez Garcia-Hierro [EMAIL PROTECTED] wrote:
> > - openssh (I'm working on the patches that bring SecurID token use features, and others from independent hackers)
>
> Most of the features you list are things that are difficult to get into Debian/main.

Not really too difficult, it depends on how it gets developed:
http://www.debian-hardened.org/wiki/index.php/CVS_Development_Organization

SSP and PIE don't affect the binaries' performance (not seriously), and arbitrary patches get tested before using them. It goes under the lead210 pool before it goes to system-dh.

> But token based security for openssh is something that seems like it could go in without too much pain. Have you talked to Matthew Vernon about this?

Not yet, I would do it. Anyway, the patches are not mine, I'm just porting them to the Debian packages (converting and implementing them as dpatches).

> > About the kernels... the work is in production state; I've currently tested them on some machines, 2 of them are shared environments (software-libre.org, ourproject.org) with user chroots, etc. I've also done the DHKP, but I'm going to remix it and use, instead of the current patches (OW and others), the PaX + RSBAC + SELinux mix.
>
> You have RSBAC and SE Linux in the same kernel? What's the point?

I haven't done that work, we are just starting to decide what's the painless solution.

Cheers,
--
Lorenzo Hernandez Garcia-Hierro [EMAIL PROTECTED]
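The SSP and PIE discussion above (Russell's concern about getting them into main, Lorenzo's note that they are tested in the lead210 pool) raises the practical question of whether a built Debian binary actually carries either feature. The script below is an added example, not code from the thread or from the Debian Hardened project; it reads the ELF header with POSIX od to classify PIE (e_type ET_DYN vs ET_EXEC) and looks for the SSP canary-failure symbol name, and it assumes dynamically linked ELF executables of either endianness.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a binary carries the
# two hardening features under discussion, PIE and SSP.
#   PIE: the ELF header's e_type is ET_DYN (3) rather than ET_EXEC (2).
#        Shared libraries are ET_DYN too, so only apply this to executables.
#   SSP: code built with -fstack-protector calls libc's __stack_chk_fail,
#        so a dynamically linked binary carries that symbol name.
# Pure POSIX od/tr plus grep -a; readelf is not required.

elf_magic_ok() {
    # First four bytes must be 0x7f 'E' 'L' 'F'.
    [ "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" = "7f454c46" ]
}

elf_type() {
    # e_type is a 16-bit field at offset 16; byte 5 (EI_DATA) says whether
    # the file is little-endian (1) or big-endian (2).
    order=$(od -An -tu1 -j5 -N1 "$1" | tr -d ' ')
    set -- $(od -An -tu1 -j16 -N2 "$1")
    if [ "$order" = "1" ]; then
        echo $(( $1 + $2 * 256 ))
    else
        echo $(( $1 * 256 + $2 ))
    fi
}

has_ssp() {
    # Binary-safe search for the canary check symbol name.
    grep -aq __stack_chk_fail "$1"
}

check_binary() {
    f=$1
    elf_magic_ok "$f" || { echo "$f: not an ELF file"; return 1; }
    case $(elf_type "$f") in
        2) pie="no (ET_EXEC, fixed load address)" ;;
        3) pie="yes (ET_DYN)" ;;
        *) pie="n/a (not an executable or shared object)" ;;
    esac
    if has_ssp "$f"; then ssp=yes; else ssp=no; fi
    echo "$f: PIE=$pie SSP=$ssp"
}

# Usage: run over every executable file shipped by a package, for example
#   dpkg -L openssh-server | while read -r p; do
#       [ -f "$p" ] && [ -x "$p" ] && check_binary "$p"
#   done
```

Stripped static binaries lose the symbol name, so SSP=no on such a file means "could not confirm", not "absent".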
Re: Debian Hardened project status.
On Sun, Sep 26, 2004 at 11:45:23AM -0400, Stephen Frost wrote:
> That's unfortunate. Do you know of any workarounds?

Haven't looked into it lately.

> We're seriously considering using RSA secureid with ssh (and quite possibly other things via pam...). Has RSA acknowledged this or said anything about correcting it?

When I was looking at it they were very careful to state that the pam module worked only with one specific version of ssh. I assume that when redhat uses a newer version in their enterprise edition rsa will suddenly make it all work. :) That may have already happened; as I said, it's been a little while since I looked at it.

Mike Stone