Re: Strongest linux - kernel patches

2003-07-07 Thread Michelle Konzack
At 02:55 2003-07-03 +0200, Luis Gomez - InfoEmergencias wrote:

On Wednesday, 2 July 2003 15:05, Preben Randhol wrote:
 What about: http://www.nsa.gov/selinux/ ?

For the sake of God, how in hell can we associate nsa.gov with secure?

Excuse me if I'm bullshitting, but I understand that those people who refuse 
to export strong cryptography unless it contains backdoors, cannot be trusted 
at all. I may be wrong, but what the hell is their interest in providing the 
whole world with a secure system?

I'd appreciate any comments or explanations on this. Thanks

Does:


deb http://www.nsa.gov/selinux/ woody main contrib non-free non-US 

work ??? ;-))
Then it will be a real joke !!!

Michelle


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]





Re: Strongest linux - kernel patches

2003-07-03 Thread Hubert Chan
 Peter == Peter Cordes [EMAIL PROTECTED] writes:

[...]

Peter  Luckily, that's a solved problem.  Con Kolivas's -ck3 patch for
Peter 2.4.21 includes grsecurity and XFS.

There's also wolk, which contains grsecurity, XFS, and a ton of other
patches.

http://sourceforge.net/projects/wolk

-- 
Hubert Chan [EMAIL PROTECTED] - http://www.uhoreg.ca/
PGP/GnuPG key: 1024D/124B61FA
Fingerprint: 96C5 012F 5F74 A5F7 1FF7  5291 AF29 C719 124B 61FA
Key available at wwwkeys.pgp.net.   Encrypted e-mail preferred.




Re: Strongest linux - kernel patches

2003-07-03 Thread Luis Gomez - InfoEmergencias
Oh men, I didn't pay attention to the thread for all the day. Thank you VERY 
much!!!

I'll be taking a look at them ASAP. Thanks ppl!!!

Pope

On Thursday, 3 July 2003 04:28, Hubert Chan wrote:
  Peter == Peter Cordes [EMAIL PROTECTED] writes:

 [...]

 Peter  Luckily, that's a solved problem.  Con Kolivas's -ck3 patch for
 Peter 2.4.21 includes grsecurity and XFS.

 There's also wolk, which contains grsecurity, XFS, and a ton of other
 patches.

 http://sourceforge.net/projects/wolk

-- 
Luis Gomez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
[EMAIL PROTECTED]

PGP Public Key available at http://www.infoemergencias.com/lgomez.asc





Re: Strongest linux - kernel patches

2003-07-03 Thread Peter Cordes
On Thu, Jul 03, 2003 at 07:43:23PM +0200, Ulrich Scholler wrote:
 During the reign of 2.4.19, I've had problems with kswapd dying after a
 few days of uptime when I used the -ck patches.  Is this still the case?
 

 I'll let you know in a few days...

root         4  0.0  0.0     0     0 ?        RW   Jul02   0:08 [kswapd]

 (I don't use my machine constantly, so it probably doesn't swap as much as
a desktop used all day.)

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , s.ca)

The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces! -- Plautus, 200 BC






Re: Strongest linux - kernel patches

2003-07-03 Thread Ulrich Scholler
Hi,

On Wed Jul 02, 2003 at 22:50:20 -0300, Peter Cordes wrote:
  Luckily, that's a solved problem.  Con Kolivas's -ck3 patch for 2.4.21
 includes grsecurity and XFS.  (I didn't mention it before because I didn't
 realize it was significant. (I'm not using ACLs).)  Con's webpage is
 http://members.optusnet.com.au/ckolivas/kernel/ 

During the reign of 2.4.19, I've had problems with kswapd dying after a
few days of uptime when I used the -ck patches.  Is this still the case?

regards,

uLI





Re: Strongest linux - kernel patches

2003-07-02 Thread Alvin Oga

On Tue, 1 Jul 2003, valerian wrote:

 On Tue, Jul 01, 2003 at 02:36:37PM +0200, Javier Castillo Alcibar wrote:
  Hi all,
  
  I want to setup a new linux server in internet (apache, php, postfix,
  mysql, dns...), and I would like to patch the standard kernel with some
  security patches. but my question is, what patches are the best??
  
 - Openwall ??
 - TrustedDebian ??
 - LIDS??

it's not one or the other sorta thing
- lots of to dos and how much time and $$$ to spend
vs risk of what happens if they did get into your server
 
  Any suggestions??
 
 Check this out:
 http://www.grsecurity.net/features.php

rest of the kernel hardening patches

http://linux-sec.net/Harden/kernel.gwif.html

-- at a minimum, you should be using linux-2.4.21
   and openwall and lids and ..

-- then use the latest php, apache, postfix, mysql, dns
- probably want to chroot your dns app

( watch out for any mysql+php incompatibilities at the
( bleeding edges though

c ya
alvin





Re: Strongest linux - kernel patches

2003-07-02 Thread Preben Randhol
Alvin Oga [EMAIL PROTECTED] wrote on 02/07/2003 (12:46) :
 rest of the kernel hardening patches
 
 http://linux-sec.net/Harden/kernel.gwif.html

What about: http://www.nsa.gov/selinux/ ?

-- 
Ada95 is good for you.
http://www.crystalcode.com/codemage/MainMenu/Coding/Ada/IntroducingAda.php





Re: Strongest linux - kernel patches

2003-07-02 Thread Adam ENDRODI
On Wed, Jul 02, 2003 at 01:17:22PM +0200, Thomas Sjögren wrote:
 
  -- then use the latest php, apache, postfix, mysql, dns
  - probably want to chroot your dns app
 
 ... and don't forget to build the packages with your SSP patched GCC :)

I doubt if SSP provides additional security beyond PaX.
Any argument in favour of the combination?

bit,
adam

ps: thank all of you very much for your opinions regarding the IP-MAC
question

-- 
1024D/37B8D989 954B 998A E5F5 BA2A 3622  82DD 54C2 843D 37B8 D989  
finger://[EMAIL PROTECTED] | Some days, my soul's confined
http://www.keyserver.net | And out of mind
Sleep forever





Re: Strongest linux - kernel patches

2003-07-02 Thread Luis Gomez - InfoEmergencias
On Wednesday, 2 July 2003 15:05, Preben Randhol wrote:
 What about: http://www.nsa.gov/selinux/ ?

For the sake of God, how in hell can we associate nsa.gov with secure?

Excuse me if I'm bullshitting, but I understand that those people who refuse 
to export strong cryptography unless it contains backdoors, cannot be trusted 
at all. I may be wrong, but what the hell is their interest in providing the 
whole world with a secure system?

I'd appreciate any comments or explanations on this. Thanks

Pope

-- 
Luis Gomez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
[EMAIL PROTECTED]

PGP Public Key available at http://www.infoemergencias.com/lgomez.asc





Re: Strongest linux - kernel patches

2003-07-02 Thread Peter Cordes
On Thu, Jul 03, 2003 at 02:55:53AM +0200, Luis Gomez - InfoEmergencias wrote:
 On Wednesday, 2 July 2003 15:05, Preben Randhol wrote:
  What about: http://www.nsa.gov/selinux/ ?
 
 For the sake of God, how in hell can we associate nsa.gov with secure?
 
 Excuse me if I'm bullshitting, but I understand that those people who refuse 
 to export strong cryptography unless it contains backdoors, cannot be trusted 
 at all. I may be wrong, but what the hell is their interest in providing the 
 whole world with a secure system?
 
 I'd appreciate any comments or explanations on this. Thanks
 
 Maybe some good guys got hired there, and are plotting the revolution
from the inside :)

 Besides that, maybe some people within the NSA have changed their mind
about how to keep their nation secure.  Maybe they learned something from
their anti-crypto stance resulting in congress-people's cell-phones being
eavesdropped on, and so on.  Also, they could be trying to combat the
proliferation of insecure systems on the Internet, which is bad for
everyone, including them.

 The selinux code has been out there for a long time now, and lots of people
other than shady three-letter-agency types have gone over it.  I haven't
heard of anyone discovering any apparent attempts to leave back doors in it.
By now, it's probably been exposed to enough eyeballs that the conventional
wisdom about Free software being well debugged should apply, wrt.
intentional or unintentional security problems.

 I detest the bad things US gov't agencies have done, but I'm prepared to
accept good things that they (or a few people working for them) do, unless
and until someone shows that they're really up to no good.  I certainly
don't trust them, but I'm prepared to consider the possibility that they
aren't _always_ up to no good.

 This is starting to get a bit off topic, and it was for the most part
agreed in a recent thread about US foreign policy that this doesn't belong
on deb-sec.  Further discussion about politics, rather than specifically
about selinux, should probably happen on a newsgroup like alt.impeach.bush,
for example.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , s.ca)

The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces! -- Plautus, 200 BC





Re: Strongest linux - kernel patches

2003-07-02 Thread Luis Gomez - InfoEmergencias
On Thursday, 3 July 2003 03:18, Peter Cordes wrote:
(...)
  This is starting to get a bit off topic, and it was for the most part
 agreed in a recent thread about US foreign policy that this doesn't belong
 on deb-sec.  Further discussion about politics, rather than specifically
 about selinux, should probably happen on a newsgroup like alt.impeach.bush,
 for example.

You're right, I'll go on-topic now. Lots of thanks for your comment, if as you 
say the code has been out there for some time and suspicious things haven't 
been discovered, then I think I should take a look at it, cos maybe I'm 
missing a good piece of software.

I am as well trying to build secure systems (what an ethereal term!). In my 
case I wanted to try grsecurity but I think I won't be able to use it in a 
good way unless I spend quite a lot of time reading their docs first. However 
I'm right now coming to a problem that probably others face as well: 
combining multiple kernel patches.

In our particular case, it's Linux 2.4.21 + grsecurity + XFS. It's been a 
headache today, tomorrow I'll keep on trying to merge the two patches 
together. BTW, we opted for XFS because of its ACL system, which allowed us 
to obey the granular permissions of W2K clients when connecting to our Samba 
servers (I mean that W2K can adjust the perms in a file of the Samba server, 
to the same point that it can with a local file in a NTFS filesystem). Any 
opinions on this?

Regards from Spain

The Pope

-- 
Luis Gomez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
[EMAIL PROTECTED]

PGP Public Key available at http://www.infoemergencias.com/lgomez.asc







Re: Strongest linux - kernel patches

2003-07-02 Thread Thomas Sjögren
Ugly reply, but here goes...

On Tue, Jul 01, 2003 at 04:27:21PM -0700, Alvin Oga wrote:
 
 On Tue, 1 Jul 2003, valerian wrote:
 
  On Tue, Jul 01, 2003 at 02:36:37PM +0200, Javier Castillo Alcibar wrote:
   Hi all,
   
   I want to setup a new linux server in internet (apache, php, postfix,
   mysql, dns...), and I would like to patch the standard kernel with some
   security patches. but my question is, what patches are the best??

Best? Well what do you want to do? How much time are you prepared to
spend to secure your system? 
Are you looking for a general, basic security model (Openwall works good
and is easy to apply) or do you want to spend time on ACLs (SELinux or
RSBAC or Grsecurity's simple system)? 

  - Openwall ??

Good if you just want to apply it and basically forget about it. 

  - TrustedDebian ??

Is not a kernel patch. Now called Adamantix (have a look at www.adamantix.org) 
and is a Debian derivative that uses PaX, builds every package (including the 
kernel) with IBM's stack smashing protector and lets you choose if you want to 
use an RSBAC (www.rsbac.org) enabled kernel. 

  - LIDS??
Add RSBAC, SELinux to the list if you want to check similar patches out.

 -- at a minimum, you should be using linux-2.4.21
and openwall and lids and ..

or wait for .22 which _might_ include some crypto.

 -- then use the latest php, apache, postfix, mysql, dns
   - probably want to chroot your dns app

... and don't forget to build the packages with your SSP patched GCC :)

/Thomas
-- 
== [EMAIL PROTECTED]
== [EMAIL PROTECTED]
== 0x114AA85C
--





Re: Strongest linux - kernel patches

2003-07-02 Thread Peter Cordes
On Thu, Jul 03, 2003 at 03:43:32AM +0200, Luis Gomez - InfoEmergencias wrote:
 I am as well trying to build secure systems (what an ethereal term!). In my 
 case I wanted to try grsecurity but I think I won't be able to use it in a 
 good way unless I spend quite a lot of time reading their docs first. However 
 I'm right now coming to a problem that probably others face as well: 
 combining multiple kernel patches.
 
 In our particular case, it's Linux 2.4.21 + grsecurity + XFS. It's been a 
 headache today, tomorrow I'll keep on trying to merge the two patches 
 together.

 Luckily, that's a solved problem.  Con Kolivas's -ck3 patch for 2.4.21
includes grsecurity and XFS.  (I didn't mention it before because I didn't
realize it was significant. (I'm not using ACLs).)  Con's webpage is
http://members.optusnet.com.au/ckolivas/kernel/ 

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , s.ca)

The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces! -- Plautus, 200 BC



kernel patches - lsm vs. grsecurity

2002-05-10 Thread Hubert Chan

I'm starting to experiment with the security kernel patches, and I was
wondering if anyone could comment on the lsm (kernel-patch-2.4-lsm) and
grsecurity (kernel-patch-2.4-grsecurity) set of patches, and their
relative advantages/disadvantages.  I just set up the grsecurity patch
on my machine yesterday, and it seems pretty interesting, but I haven't
done any extensive testing on it.

-- 
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD  6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net.   Encrypted e-mail preferred.





Re: Secure 2.4.x kernel - kernel patches

2001-12-25 Thread Alvin Oga

hi ya

for a simple 5 minute kernel patch...
http://www.Linux-Sec.net/Harden/kernel.gwif.html
- apply openwall if you are using 2.2.x kernels
- run libsafe if you wanna try to prevent some buffer overflows 
- if you wanna get into all the fun stuff... lots of other
  patches to evaluate for your networks

remember that most security exploits are mostly internal or self created
- if they have physical access to the machine ...  all security
  rests in do you trust them to not steal data or take your
  server offline ..and having to work with them daily makes it
  a big challenge

- turn off telnet, pop3, ftp, etc... ( self created holes )
( i dont like clear text passwds )

- another sanity check is give your purported security auditor
the passwd for the users... and see if they can become root
- had a manager that said give um(or cracker) root access
to the server and he expected no data loss upon restore
from backups and an hour downtime to recover was
acceptable...

attacks from outside your network are probably easier to defend against
than to nervously watch your less experienced winNT types mucking with
your company's web/email/db  server ... nothing you can do when
they( ceo/managers) wanna read their emails from home or out of the office
- just gotta make them use a more secure email methodology

-- i'd worry about local/obvious holes in security before i'd worry
   about buffer overflows ...

-- a good/knowledgeable cracker will get in... no matter what you did...
- if you're a bank... you have to be one step ahead of them ...

c ya
alvin

On Mon, 24 Dec 2001, Gary MacDougall wrote:

  On Friday, December 21, 2001, at 03:25 , Gary MacDougall wrote:
  
   Wouldn't it be nice to be able to run the kernel in secure mode?
   I'm curious to know if we could limit the amount of root exploits
   by this method, it would REALLY harden up security on a
   Linux box... anyone have any opinions on that?
  
  No, it wouldn't, at least from someone who is determined to hack 
  your box in particular (as opposed to a script kiddy who just 
  wants zombies). Script kiddies for the most part can be stopped 
  fairly easily by making their rootkit fail. Examples:
  o Mount filesystems read-only.
  o Make disks physically read-only [e.g., CD-ROM]
  o apt-get remove gcc
  and, most important:
  o apt-get update && apt-get upgrade
  
  Remember, exec'ing a shell is just convenient; no reason you 
  can't, for example, just make normal syscalls like 
  open/close/read/write to do your dirty work. I'm sure, given 
  enough time attacking, you could manage to malloc enough memory 
  to upload bash/csh/tcsh/ksh/etc. and then execute it without 
  even touching the exec syscall.
 
 No, actually, if you read my previous messages, I proposed that the
 kernel protect against buffer overruns by limiting or restricting the
 event *after* the overrun occurs.
 Someone said that St. Jude was what I was looking for, and I think
 it's pretty much *exactly* what I was pointing out.
 
 
  
  The problem you're trying to solve is to get the kernel to 
  refuse to execute exploit code. Exploit code looks just like any 
  other code to CPU. Good luck trying to get the kernel to tell 
  the difference.
 
 The problem really isn't the code that an exploit executes, the problem
 is that the exploit can allow for root access by allowing the malicious
 code to spawn a new shell.
 
  
  In short: Would EPERM from exec stop a script kiddie? Probably. 
  Would it stop a dedicated attacker? No.
 
 Ok, maybe I'm missing something, but a script kiddie basically needs
 access to your box to trojan it right?  An attacker, needs access to the
 box to attack it, right? What's the difference?
 
 I don't see the difference.  A dedicated attacker in my mind is probably
 someone who wants to take ownership of the box and do malicious stuff.
 A script kiddie wants to pretty much plant a trojan to have access to the
 box whenever they want... what's the difference?
 
 g.
 
 
 



kernel-patches

2001-05-19 Thread str8edge
Hi,
I'm trying to apply the lids2.2.19 kernel patch to a group of 5 machines.
I was hoping to use make-kpkg's patching facility to automate the kernel
build process.
however, when I try to use the PATCH_THE_KERNEL env variable, or adding
patch_the_kernel := yes or patch_the_kernel = yes to 
etc/kernel-pkg.conf, neither one will automatically apply the lids patch,
openwall patch or the ReiserFS patch. I have also tried using
~/.kernel-pkg.conf, to no avail.

The machines are identically configured Compaq Deskpro's that will be used
as routers & firewalls for highspeed (cable and adsl) connections.

When I configure everything manually, either using the apply scripts and 
make-kpkg, or using the fully manual (make zImage), everything works.
I would like to use make-kpkg's patching capabilities to automate things.

I eventually plan on writing some perl scripts that will apt-get the kernel
source, and relevant patches, and compile the kernel, then install it.

I think I'm missing something simple..

any suggestions
Thanks,
David
ps. how good of a solution is lids for keeping users out of areas they should
not be in? would a restricted shell be any better?



Re: Re[2]: kernel patches

2001-03-11 Thread Berend De Schouwer
On Sat, 10 Mar 2001 01:12:46 Uriah Welcome wrote:
| On Fri, Mar 09, 2001 at 04:05:17PM -0700, Kevin wrote:
|  
|  
|  Then they only have to compile their own version.  Openwall shows only
|  you when you run 'w' but shows everyone if you 'who'.  Anyone know
|  why?
|  
| 
| Because 'who' just reads /var/log/wtmp, whereas 'w' looks at the process
| that currently logged in users are running, reading /proc, which under the
| openwall patches is restricted.
| 
| To limit 'who' you'd need a restricted /var/log/wtmp..

Would this explain the following behaviour on my Potato box (all of them),
which is not running Openwall.

sausage:/home/bds w
  3:31pm  up  2:42,  2 users,  load average: 0.03, 0.07, 0.24
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
root     tty1     -                12:49pm 25:02   1.05s  0.26s  apt-get
sausage:/home/bds who
root     tty1     Mar 11 12:49
bds      :0       Mar 11 15:13 (console)

ie. 'w' does not show the X user.  I've tried this with xdm and gdm.
'w' does correctly show '2 users'.  It just doesn't list them all.
It's not very nice :(

| -- 
| - U
| 
| Memory is like an orgasm. It's a lot better if you don't have
| to fake it. -- Seymour Cray commenting on virtual memory
| 
| 
| 
Kind regards, 
Berend  

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Berend De Schouwer, +27-11-712-1435, UCS




Re: kernel patches

2001-03-09 Thread Faith Healer

On Wed, 7 Mar 2001, Niklas Höglund wrote:

> Hi!
> Anyone know where I can find a kernel patch that restricts users so..
> 'who' shows only the user himself
> 'netstat -a' only ports that root/the user owns
> 'ls' only files that are owned by root/the user
> ??
> //Niklas

Take a look at http://www.openwall.com/linux ... Here you find
the kernel patches ( 2.2.18 is the latest ). A look at www.lids.org
might be useful too 

bye Faith




Re: kernel patches

2001-03-09 Thread Robert Mognet
Hello,
 

On Wed, Mar 07, 2001 at 05:03:55PM +0100, Niklas Höglund wrote:
> Hi!
> Anyone know where I can find a kernel patch that restricts users so..
> 'who' shows only the user himself

who is not a kernel function, it's a system utility.

Something like this will work:

alias who='me=`whoami`; who | grep "$me"'

You could put it in /home/user/.bashrc ...

Regards,
Robert

 
 
 



Re: kernel patches

2001-03-09 Thread Noah L. Meyerhans
On Fri, Mar 09, 2001 at 05:40:03PM -0500, Robert Mognet wrote:
> > Anyone know where I can find a kernel patch that restricts users so..
> > 'who' shows only the user himself
> 
> who is not a kernel function, it's a system utility.

That doesn't mean a kernel patch can't modify its behavior.  Have you
ever seen the Knark module in action?  It's frightening.  All
filesystem, process listings, user listings, etc come straight from the
kernel.  With Knark you can modify any of it.  You can hide users,
files, processes and so on.  You can even modify the behavior of
executables without actually changing them (i.e. run 'ls' and suddenly
your system reboots itself...just as an example).  Knark can also
completely hide itself from tools like lsmod and rmmod, making it
*impossible* to remove or detect (without rebooting to a trusted
kernel).

Not that this is directly on topic, and it's not what the original
poster is looking for.  I just wanted to let you know that on some
level, everything calls kernel functions, and you can definitely modify
their behavior.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 





Re: kernel patches

2001-03-09 Thread Patrick Dreker
On Friday, 9 March 2001 23:40, Robert Mognet wrote:
> Hello,
>
> On Wed, Mar 07, 2001 at 05:03:55PM +0100, Niklas Höglund wrote:
> > Hi!
> > Anyone know where I can find a kernel patch that restricts users so..
> > 'who' shows only the user himself
> who is not a kernel function, it's a system utility.
>
> Something like this will work:
> alias who='me=`whoami`; who | grep "$me"'
> You could put it in /home/user/.bashrc ...

Brilliant idea. The user then does

unalias who

and the restrictions are gone.

The Openwall and LIDS Patches should provide some functionality to restrict 
users from doing some things they are not supposed to. If one really needs a 
system which is strongly tied up one maybe even has to change some utilities 
to provide a different and more restrictive behaviour (i.e. who only 
returning oneself, for example)

-- 
Patrick Dreker
-
 Is there anything else I can contribute?
The latitude and longitude of the bios writers current position, and
a ballistic missile.
 Alan Cox on linux-kernel@vger.kernel.org



Re[2]: kernel patches

2001-03-09 Thread Kevin


Then they only have to compile their own version.  Openwall shows only
you when you run 'w' but shows everyone if you 'who'.  Anyone know
why?

-- 
Kevin - [EMAIL PROTECTED]



-- Original message --

> On Friday, 9 March 2001 23:40, Robert Mognet wrote:
> > Hello,
> >
> > On Wed, Mar 07, 2001 at 05:03:55PM +0100, Niklas Höglund wrote:
> > > Hi!
> > > Anyone know where I can find a kernel patch that restricts users so..
> > > 'who' shows only the user himself
> > who is not a kernel function, it's a system utility.
> >
> > Something like this will work:
> > alias who='me=`whoami`; who | grep "$me"'
> > You could put it in /home/user/.bashrc ...
>
> Brilliant idea. The user then does
>
> unalias who
>
> and the restrictions are gone.
>
> The Openwall and LIDS Patches should provide some functionality to restrict 
> users from doing some things they are not supposed to. If one really needs a 
> system which is strongly tied up one maybe even has to change some utilities 
> to provide a different and more restrictive behaviour (i.e. who only 
> returning oneself, for example)




Re: Re[2]: kernel patches

2001-03-09 Thread Uriah Welcome
On Fri, Mar 09, 2001 at 04:05:17PM -0700, Kevin wrote:
> Then they only have to compile their own version.  Openwall shows only
> you when you run 'w' but shows everyone if you 'who'.  Anyone know
> why?

Because 'who' just reads /var/log/wtmp, whereas 'w' looks at the processes that
currently logged in users are running, reading /proc, which under the
openwall patches is restricted.

To limit 'who' you'd need a restricted /var/log/wtmp..
-- 
- U

Memory is like an orgasm. It's a lot better if you don't have
to fake it. -- Seymour Cray commenting on virtual memory



Re: Re[2]: kernel patches

2001-03-09 Thread MaD dUCK
thus spake Kevin (on Fri, 09 Mar 2001 04:05:17PM -0700):
> Then they only have to compile their own version.  Openwall shows only
> you when you run 'w' but shows everyone if you 'who'.  Anyone know
> why?

well, afaik w and who are two separate programs.
it appears that who uses utmp information whereas w collects its
information from the /proc filesystem.

martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^.*|tr * mailto:; [EMAIL PROTECTED]
-- 
declared guilty...
 of displaying feelings
 of an almost human nature.
 -- roger waters, 1979
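
As an added illustration of the replies above (not code from any poster, nor from Openwall or LIDS): a small Python parser for utmp-format login records, the kind of file the replies say 'who' reads, showing that any program able to read the file sees every session, so filtering inside the tool restricts nothing while the file's permissions do. It assumes the Linux/glibc 384-byte record layout; the function names and the sample records are constructed for this example.

```python
import stat
import struct

# One glibc/Linux struct utmp record (384 bytes). Layout is an assumption
# that holds on Linux; other systems use different record formats.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
BOOT_TIME, USER_PROCESS = 2, 7  # ut_type values from <utmp.h>


def pack_entry(ut_type, pid, line, user, host=b""):
    """Build one record; only used to construct the sample data below."""
    return UTMP.pack(ut_type, pid, line, b"", user, host,
                     0, 0, 0, 0, 0, 0, 0, 0, 0, b"")


def sessions(raw):
    """Return (user, line, host) for every live login in raw utmp bytes."""
    found = []
    for off in range(0, len(raw) - UTMP.size + 1, UTMP.size):
        rec = UTMP.unpack_from(raw, off)
        if rec[0] != USER_PROCESS:
            continue  # skip boot, runlevel and dead-session records
        line, user, host = (rec[i].split(b"\0", 1)[0].decode("ascii", "replace")
                            for i in (2, 4, 5))
        found.append((user, line, host))
    return found


def own_sessions(raw, me):
    """What a 'who' patched to report only the caller would show."""
    return [s for s in sessions(raw) if s[0] == me]


def exposes_all_users(st_mode):
    """True if the file mode lets any local user read every record."""
    return bool(st_mode & stat.S_IROTH)


# Constructed sample: a boot record plus the two logins from the 'who'
# output quoted earlier in the thread (PIDs are made up).
SAMPLE = (pack_entry(BOOT_TIME, 0, b"~", b"reboot")
          + pack_entry(USER_PROCESS, 412, b"tty1", b"root")
          + pack_entry(USER_PROCESS, 977, b":0", b"bds", b"console"))

if __name__ == "__main__":
    print(sessions(SAMPLE))             # any reader of the file sees everyone
    print(own_sessions(SAMPLE, "bds"))  # filtering in the tool is cosmetic
    print(exposes_all_users(0o100644), exposes_all_users(0o100640))
```
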



Re: kernel patches

2001-03-09 Thread Patrick Dreker
On Saturday, 10 March 2001 00:05, Kevin wrote:
> Then they only have to compile their own version.  Openwall shows only
> you when you run 'w' but shows everyone if you 'who'.  Anyone know
> why?
No experience with tools like this (LIDS/Openwall etc.)
w and who are different binaries on my system, so they might use different 
ways of accessing the information.

If users can actually compile their own stuff in a restricted environment 
there are many possibilities of circumventing restrictions. The only 
restrictions which are not easily circumvented are those imposed by the 
kernel and its components.

-- 
Patrick Dreker
-
 Is there anything else I can contribute?
The latitude and longitude of the bios writers current position, and
a ballistic missile.
 Alan Cox on linux-kernel@vger.kernel.org



kernel patches

2001-03-07 Thread Niklas Höglund

Hi!
Anyone know where I can find a kernel patch that restricts users so..
'who' shows only the user himself
'netstat -a' only ports that root/the user owns
'ls' only files that are owned by root/the user
??
//Niklas







Re: kernel patches

2001-03-07 Thread Francois Deppierraz
On Wed, Mar 07, 2001 at 05:04:17PM +0100, Niklas Höglund wrote:

> Anyone know where I can find a kernel patch that restricts users so..
> 'who' shows only the user himself

http://www.openwall.com/linux/

> 'netstat -a' only ports that root/the user owns

Openwall can set access rights for /proc

> 'ls' only files that are owned by root/the user

Good access rights

-- 
Francois Deppierraz [EMAIL PROTECTED]
Nimag Networks Sàrl - www.nimag.net
Phone +41 21 847 00 75 - Fax +41 21 847 00 77
PGP Key ID: 9D283BC9