New IBM Linux security publication: Pervasive Encryption for Data Volumes
Pervasive Encryption for Data Volumes

It's a good time to pervasively encrypt with Linux! A new Linux publication from IBM describes an infrastructure for protected volume encryption, which provides end-to-end protection for data at rest for Linux on IBM Z and LinuxONE.

Read it here:

IBM Knowledge Center
https://www.ibm.com/support/knowledgecenter/linuxonibm/com.ibm.linux.z.lxdc/lxdc_linuxonz.html

PDF link
http://public.dhe.ibm.com/software/dw/linux390/docu/l5n1dc00.pdf

Dorothea Matthaeus
Linux on Z Information Development
IBM Deutschland Research and Development GmbH

--
For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
For more information on Linux on System z, visit http://wiki.linuxvm.org/
Re: LINUX & Security
On Tue, 17 Dec 2002, Matt Zimmerman wrote:

> On Tue, Dec 17, 2002 at 04:08:26PM +0100, Susanne Oberhauser wrote:
>
> > Nevertheless would you agree with me that for systems claiming to run on
> > *Linux*, relying on the existence of a user 'root' should be ok? This
> > would allow portable software to have just *one* platform specific backend
> > for *all* flavors of Linux, and would ease porting of such software to
> > Linux.
>
> Certainly, a program which is not expected to work on anything but an
> LSB-compliant system can make this assumption, and many others. But in this
> specific case, it is (in many cases) in fact easier to check for uid=0 than
> username="root" anyway, and in general, there are relatively few cases where
> it makes sense to test for root privileges rather than something more
> specific. With the continuing development and proliferation of more
> fine-grained access control systems for Linux, root will become less magic,
> and could be removed or assigned reduced privileges.

Indeed. Engarde Linux has been around a while, and it's hardened with LIDS. There's no guarantee that root can do anything you'd want to if you're running LIDS-enabled. I'm pretty sure you will encounter difficulty if you're using selinux or Bastille.

Possessors of such systems won't care whether they're LSB-compliant, though they may care that tests for privilege fail.

--
Cheers
John.

Join the "Linux Support by Small Businesses" list at
http://mail.computerdatasafe.com.au/mailman/listinfo/lssb
Re: LINUX & Security
On Tue, Dec 17, 2002 at 04:08:26PM +0100, Susanne Oberhauser wrote:

> Nevertheless would you agree with me that for systems claiming to run on
> *Linux*, relying on the existence of a user 'root' should be ok? This
> would allow portable software to have just *one* platform specific backend
> for *all* flavors of Linux, and would ease porting of such software to
> Linux.

Certainly, a program which is not expected to work on anything but an LSB-compliant system can make this assumption, and many others. But in this specific case, it is (in many cases) in fact easier to check for uid=0 than username="root" anyway, and in general, there are relatively few cases where it makes sense to test for root privileges rather than something more specific. With the continuing development and proliferation of more fine-grained access control systems for Linux, root will become less magic, and could be removed or assigned reduced privileges.

--
- mdz
Re: LINUX & Security
On Tue, 2002-12-17 at 15:08, Susanne Oberhauser wrote:

> Nevertheless would you agree with me that for systems claiming to run
> on *Linux*, relying on the existence of a user 'root' should be ok?
> This would allow portable software to have just *one* platform
> specific backend for *all* flavors of Linux, and would ease porting of
> such software to Linux.

It's a very bad habit but generally safe. If you want to be more correct you can use getpwuid(0) and ask the OS what root is.
Re: LINUX & Security
Matt Zimmerman <[EMAIL PROTECTED]> writes:

> On Mon, Dec 16, 2002 at 05:08:54PM +0100, Susanne Oberhauser wrote:
>
> > Sergey Korzhevsky <[EMAIL PROTECTED]> writes:
> >
> > > Could you explain to me, please, what is the reason to remove the 'root'
> > > name from a system?
> >
> > there is none --- to the contrary doing so is Evil (tm) for LSB
> > compliant distributions.
>
> However, to rely on LSB compliance in portable programs is just as
> Evil.
>
> 10 Thou shalt foreswear, renounce, and abjure the vile heresy which
> claimeth that ``All the world's [an LSB-compliant Linux system]'',
> and have no commerce with the benighted heathens who cling to this
> barbarous belief, that the days of thy program may be long even
> though the days of thy current machine be short.

:))) ok, ok, I do --- being no native speaker, I can't abjure that poetically, but yes, of course there are other operating systems out there ;), I've even heard of some with very strange names for root, Stratminidator or the like...

Nevertheless would you agree with me that for systems claiming to run on *Linux*, relying on the existence of a user 'root' should be ok? This would allow portable software to have just *one* platform specific backend for *all* flavors of Linux, and would ease porting of such software to Linux.

Susanne
Re: LINUX & Security
On Mon, 16 Dec 2002, Sergey Korzhevsky wrote:

> It is all right, but when I asked this question, I meant security. Does
> it improve security?

Not nearly as much as having a decent password.

--
Cheers
John.
Re: LINUX & Security
On Mon, Dec 16, 2002 at 05:08:54PM +0100, Susanne Oberhauser wrote:

> Sergey Korzhevsky <[EMAIL PROTECTED]> writes:
>
> > Could you explain to me, please, what is the reason to remove the 'root'
> > name from a system?
>
> there is none --- to the contrary doing so is Evil (tm) for LSB
> compliant distributions.

However, to rely on LSB compliance in portable programs is just as Evil.

10 Thou shalt foreswear, renounce, and abjure the vile heresy which claimeth that ``All the world's [an LSB-compliant Linux system]'', and have no commerce with the benighted heathens who cling to this barbarous belief, that the days of thy program may be long even though the days of thy current machine be short.

--
- mdz
Re: LINUX & Security
Sergey Korzhevsky <[EMAIL PROTECTED]> writes:

> Hi
>
> Could you explain to me, please, what is the reason to remove the 'root'
> name from a system?

There is none --- to the contrary, doing so is Evil (tm) for LSB compliant distributions.

From http://www.linuxbase.org/spec/gLSB/gLSB/usernames.html:

  Linux Standard Base Specification 1.3.pr8
  Chapter 19. Users & Groups

  User & Group Names

  Below is a table of required mnemonic user and group names. This
  specification makes no attempt to numerically assign uid or gid numbers.
  The exception is the uid and gid for "root" which are equal to 0.

  Table 19-1. Required User & Group Names

    User      Group     Comments
    root      root      Administrative user with no restrictions
    ...

  Table 19-2. Optional User & Group Names

    User      Group     Comments
    adm       adm       Administrative special privileges
    lp        lp        Printer special privileges
    sync      sync      Login to sync the system
    shutdown  shutdown  Login to shutdown the system
    halt      halt      Login to halt the system
    mail      mail      Mail special privileges
    news      news      News special privileges
    uucp      uucp      UUCP special privileges
    operator  root      Operator special privileges
    man       man       Man special privileges
    nobody    nobody    Used by NFS

--
Susanne Oberhauser
SuSE Linux AG
Deutschherrnstr. 15-19
90429 Nürnberg
+49-911-74053-574
<[EMAIL PROTECTED]>
Re: LINUX & Security
It is all right, but when I asked this question, I meant security. Does it improve security?

WBR, Sergey

Alan Cox <[EMAIL PROTECTED]> wrote on 16.12.2002 18:12:

> On Mon, 2002-12-16 at 14:53, Daniel Jarboe wrote:
> > So what about names like /etc, /mnt, /var, /bin, /proc, which
> > probably don't translate well either. And commands (ls, mv, cp), and
> > file names (/etc/shadow, /etc/fstab). Where does one draw the line?
>
> Wherever you like. Note that for file naming you want symlinks because
> the standards make guarantees. Normally people just translate the gui.
> However, when you log in, you do with your username...
Re: LINUX & Security
On Mon, 2002-12-16 at 14:53, Daniel Jarboe wrote:

> So what about names like /etc, /mnt, /var, /bin, /proc, which
> probably don't translate well either. And commands (ls, mv, cp), and
> file names (/etc/shadow, /etc/fstab). Where does one draw the line?

Wherever you like. Note that for file naming you want symlinks because the standards make guarantees. Normally people just translate the gui. However, when you log in, you do with your username...
Re: LINUX & Security
Alan Cox wrote:

> On Mon, 2002-12-16 at 11:04, Sergey Korzhevsky wrote:
> > Could you explain to me, please, what is the reason to remove
> > the 'root' name from a system?
>
> In many languages the letter sequence "root" is meaningless,
> or even not in their default characters.

So what about names like /etc, /mnt, /var, /bin, /proc, which probably don't translate well either. And commands (ls, mv, cp), and file names (/etc/shadow, /etc/fstab). Where does one draw the line?

But of course I agree with the UID/GID thing... If something needs privileges of UID 0, then the process should check that UID is 0, not that username is root. Most any requirement that a username/groupname be news, ftp, root, nobody, etc is poor design (a bug), but all in all, standardized system usernames are a good thing, aren't they?

~ Daniel
Re: LINUX & Security
On Mon, 2002-12-16 at 11:04, Sergey Korzhevsky wrote:

> Hi
>
> Could you explain to me, please, what is the reason to remove the 'root' name
> from a system?

In many languages the letter sequence "root" is meaningless, or even not in their default characters.
Re: LINUX & Security
Hi

Could you explain to me, please, what is the reason to remove the 'root' name from a system? A local user can read /etc/passwd and find out who is really root, so it does not save us. For remote logins we can disable root. Is this not enough?

Thank you.

WBR, Sergey
Re: LINUX & Security
On Thu, 12 Dec 2002, Matt Zimmerman wrote:

> On Thu, Dec 12, 2002 at 04:53:54PM -0500, Matt Zimmerman wrote:
>
> > Bug
>
> Bug #172831, that is.

Thanks Matt. One of the things I like about Debian is the ability to report bugs by email. I've not yet tried reporting a bug offline, but I have hopes.

--
Cheers
John.
Re: LINUX & Security
We have not tried it yet but there exists MKS AD4Unix which is an NT/2000 Active Directory Extension to allow Unix authentication and user information to be stored in Active Directory.

Check out:
http://www.css-solutions.ca/ad4unix/
and
http://online.securityfocus.com/infocus/1563

James Melin wrote on 12/10/2002 01:26 PM:

> I'd like to add a follow-on question to this
>
> Has anyone gotten Linux to update user ID's/Passwords from an NT central
> domain? Is it possible to synchronize those, or failing that has anyone
> gotten Linux security to refresh from RACF or ACF2 security databases, or
> even authenticate logon using LDAP into RACF or ACF2 instead of manually
> trying to synchronize Linux user lists/passwords/groups/ etc
>
> Joseph Sumi wrote on 12/10/2002 09:42 AM:
>
> > Hello, we have just started to research SUSE Linux under z/VM, and I've
> > been asked these questions:
> >
> > - Does SUSE Linux issue any SAF (RACF) calls for security in the z/VM
> >   environment? If not, how is security handled?
> >
> > - Are there any types of "SMF" records cut to record access or violations
> >   to resources in a Linux z/VM environment?
> >
> > - Does anyone have a link to more specific security / Linux information?
> >
> > Thanks.
Re: LINUX & Security
On Thu, Dec 12, 2002 at 04:53:54PM -0500, Matt Zimmerman wrote:

> Bug

Bug #172831, that is.

--
- mdz
Re: LINUX & Security
On Fri, Dec 13, 2002 at 05:25:52AM +0800, John Summerfield wrote:

> On Thu, 12 Dec 2002, Matt Zimmerman wrote:
> > Please report a bug against that package, or tell me where you saw this and
> > I will report the bug.
>
> The script is su-to-root, the package menu.

Bug

> I'd certainly not bet that the same thing doesn't occur in Red Hat Linux,
> and the fact someone ran RHL without an account called root doesn't mean a
> lot. I'm sure I could run this system for a long time without running into
> the problem.

Probably so. This is generally valid, but definitely nonstandard. In the case of su-to-root, the script will do the wrong thing for users with uid 0 which are not named 'root', which is wrong anyway.

> I don't think using UID=0 as a test for whether a user has the capacity to
> perform some action is all that wonderful either, though I don't know a
> better way. In some cases, one can test by trying to do it - to see if I
> can write in a particular directory, try to create a file there. Lots of
> people here have /usr mounted ro. Some may have played with LIDS. I had a
> play with Engarde Linux a while ago, and root is severely curtailed.

In the case of su-to-root, checking for uid 0 is the best solution available due to the nature of the interface provided. It provides a means for arbitrary commands which require root privileges to be (for example) launched from a menu interface, by providing the user the opportunity to su. If they are already root, this is obviously unnecessary.

On a filesystem, the access() system call is the right thing to do.

--
- mdz
Re: LINUX & Security
On Thu, 12 Dec 2002, Matt Zimmerman wrote:

> On Thu, Dec 12, 2002 at 10:18:07AM +0800, John Summerfield wrote:
>
> > However, don't suppose that not having a root account called root is
> > something you would want to do.
>
> It would earn you dirty looks from wizened UNIX folk, but should be
> supported.
>
> > Just a couple of hours ago I was looking at a Debian script that assumes
> > "id -u -n" returns root for UID=0.
>
> Please report a bug against that package, or tell me where you saw this and
> I will report the bug.

The script is su-to-root, the package menu.

I'd certainly not bet that the same thing doesn't occur in Red Hat Linux, and the fact someone ran RHL without an account called root doesn't mean a lot. I'm sure I could run this system for a long time without running into the problem.

I don't think using UID=0 as a test for whether a user has the capacity to perform some action is all that wonderful either, though I don't know a better way. In some cases, one can test by trying to do it - to see if I can write in a particular directory, try to create a file there. Lots of people here have /usr mounted ro. Some may have played with LIDS. I had a play with Engarde Linux a while ago, and root is severely curtailed.

--
Cheers
John.
Re: LINUX & Security
On Thu, Dec 12, 2002 at 10:18:07AM +0800, John Summerfield wrote:

> However, don't suppose that not having a root account called root is
> something you would want to do.

It would earn you dirty looks from wizened UNIX folk, but should be supported.

> Just a couple of hours ago I was looking at a Debian script that assumes
> "id -u -n" returns root for UID=0.

Please report a bug against that package, or tell me where you saw this and I will report the bug.

--
- mdz
Re: LINUX & Security
On Thu, 2002-12-12 at 02:18, John Summerfield wrote:

> However, don't suppose that not having a root account called root is something
> you would want to do.
>
> Just a couple of hours ago I was looking at a Debian script that assumes "id -u
> -n" returns root for UID=0.

I've run RH boxes without "root". If your Debian script makes that assumption file a debian bug against it. (Reasons include such trivial things as "our language doesn't use the A-Z symbols".)
Re: LINUX & Security
On Wed, 11 Dec 2002 23:42, you wrote:

> On Wed, 2002-12-11 at 13:02, Carlos Ordonez wrote:
> > Vince, I guess my question is, if I have 50 linux images running under VM
> > and each of them have a root user, can I have a different password for
> > each of them? Carlos :-)
>
> You don't have to call your uid 0 root either btw. Unix cares about uid
> and cap bits not about the name. The name is a userspace construct
> purely for human convenience. So you can have
>
> bofh:*:0:... etc for your root

However, don't suppose that not having a root account called root is something you would want to do.

Just a couple of hours ago I was looking at a Debian script that assumes "id -u -n" returns root for UID=0.

--
Cheers
John Summerfield

Microsoft's most solid OS: http://www.geocities.com/rcwoolley/
Re: LINUX & Security
Beware though that with the current rootkits available a total idiot with a browser can download programs that can bypass many of these schemes and become root very, very, very easily. You really need to know nothing in most cases to run these rootkits so beware and keep your ftp, ssh and ssl daemons patched up to the minute.

M Katz
RAE Internet

Jere Julian wrote on Wednesday, December 11, 2002 11:24 AM:

> While there are exceptions to every rule it is VERY BAD form to use the root
> account for much of anything! It's just too dangerous. The current best
> practice is to disable logins as root. First root should never login over a
> network and probably should be locked completely. What one should do instead
> is setup sudo such that groups of persons have explicit access to what they
> need to do. This has the advantage of logging any "root" level actions that
> are performed and any unauthorized attempts to perform root level actions.
> For more information see 'man sudo' 'man sudoers' and do a google search on
> sudo.
>
> -Jere
>
> On Wed, Dec 11, 2002 at 04:35:43PM +0100, Rob van der Heij wrote:
> > At 23:20 10-12-02, Re, Vincent wrote:
> >
> > > If you're asking whether you can have multiple user IDs with UID=0, then
> > > the answer is yes.
> >
> > We tried this because I thought it would be nice to automatically logon the
> > account 'Operator' on the console and let it have uid=0, but be able to
> > separate from 'root' in that it has its own home directory and things.
> > Unfortunately that made the 'id' command under root return 'Operator' with
> > all kind of annoying effects.
> >
> > Rob
>
> --
> | Jere Julian, RHCE, CCNA    Cisco Systems, Inc.  ITD - IBM Sustaining |
> | mailto:[EMAIL PROTECTED]   7025 Kit Creek Rd, RTP, NC 27709          |
Re: LINUX & Security
While there are exceptions to every rule it is VERY BAD form to use the root account for much of anything! It's just too dangerous. The current best practice is to disable logins as root. First root should never login over a network and probably should be locked completely. What one should do instead is setup sudo such that groups of persons have explicit access to what they need to do. This has the advantage of logging any "root" level actions that are performed and any unauthorized attempts to perform root level actions. For more information see 'man sudo' 'man sudoers' and do a google search on sudo.

-Jere

On Wed, Dec 11, 2002 at 04:35:43PM +0100, Rob van der Heij wrote:

> At 23:20 10-12-02, Re, Vincent wrote:
>
> > If you're asking whether you can have multiple user IDs with UID=0, then
> > the answer is yes.
>
> We tried this because I thought it would be nice to automatically logon the
> account 'Operator' on the console and let it have uid=0, but be able to
> separate from 'root' in that it has its own home directory and things.
> Unfortunately that made the 'id' command under root return 'Operator' with
> all kind of annoying effects.
>
> Rob

--
| Jere Julian, RHCE, CCNA    Cisco Systems, Inc.  ITD - IBM Sustaining |
| mailto:[EMAIL PROTECTED]   7025 Kit Creek Rd, RTP, NC 27709          |
Re: LINUX & Security
At 23:20 10-12-02, Re, Vincent wrote:

> If you're asking whether you can have multiple user IDs with UID=0, then
> the answer is yes.

We tried this because I thought it would be nice to automatically logon the account 'Operator' on the console and let it have uid=0, but be able to separate from 'root' in that it has its own home directory and things.

Unfortunately that made the 'id' command under root return 'Operator' with all kind of annoying effects.

Rob
Re: LINUX & Security
On Wed, 2002-12-11 at 13:02, Carlos Ordonez wrote:

> Vince, I guess my question is, if I have 50 linux images running under VM
> and each of them have a root user, can I have a different password for each
> of them? Carlos :-)

You don't have to call your uid 0 root either btw. Unix cares about uid and cap bits not about the name. The name is a userspace construct purely for human convenience. So you can have

bofh:*:0:... etc

for your root
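The thread above makes four related points: the kernel grants privilege on uid 0 (Alan's bofh:*:0 line), the su-to-root script broke because it compared the name returned by "id -u -n" against "root", a second uid-0 account such as 'Operator' makes that name lookup return whichever entry comes first, and for filesystem questions access() is the right check. The C program below is an added example and not code from any message in this thread; the passwd table in it is constructed for the demo, while getpwuid() and access() are the real libc calls.

```c
/* Added example (not from the LINUX-390 thread): why privilege checks
 * should compare uids, not account names. demo_passwd is a constructed
 * stand-in for /etc/passwd; getpwuid()/access() are the real libc calls. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed passwd entries. "Operator" shares uid 0 with root, as in
 * Rob's console-logon setup; "bofh" is Alan's renamed uid-0 account. */
struct pw_entry { const char *name; uid_t uid; };

static const struct pw_entry demo_passwd[] = {
    { "Operator", 0 },    /* listed before root, as in Rob's case */
    { "root",     0 },
    { "bofh",     0 },
    { "susanne",  1000 },
};
#define DEMO_PASSWD_LEN (sizeof demo_passwd / sizeof demo_passwd[0])

/* What getpwuid() does with the file: return the FIRST entry whose uid
 * matches. With several uid-0 accounts, "id -u -n" therefore prints the
 * first one in the file ("Operator" here), not "root". */
const char *demo_name_for_uid(uid_t uid)
{
    for (size_t i = 0; i < DEMO_PASSWD_LEN; i++)
        if (demo_passwd[i].uid == uid)
            return demo_passwd[i].name;
    return NULL;            /* no such uid */
}

/* The fragile check from the su-to-root bug: resolve the uid to a name
 * and trust the spelling "root". Fails for Operator and bofh. */
int privileged_by_name(uid_t uid)
{
    const char *name = demo_name_for_uid(uid);
    return name != NULL && strcmp(name, "root") == 0;
}

/* The check the kernel itself applies: uid 0 (plus capability bits),
 * regardless of what the account is called. */
int privileged_by_uid(uid_t uid)
{
    return uid == 0;
}

/* Alan's suggestion: ask the running system which account is uid 0.
 * Copies the name into buf; returns 0 on success, -1 if no uid-0 entry. */
int system_uid0_name(char *buf, size_t len)
{
    struct passwd *pw = getpwuid(0);
    if (pw == NULL || pw->pw_name == NULL)
        return -1;
    snprintf(buf, len, "%s", pw->pw_name);
    return 0;
}

/* Matt's point for filesystems: uid 0 does not imply "can write" once
 * LIDS, capabilities or a read-only /usr are in play; ask the kernel.
 * Returns 1 if the calling process may write to path, else 0. */
int can_write(const char *path)
{
    return access(path, W_OK) == 0;
}

int main(void)
{
    char name[64];

    /* Constructed table: the name check denies two of the three uid-0 accounts. */
    printf("first uid-0 name in demo table: %s\n", demo_name_for_uid(0));
    printf("uid 0 privileged by name? %d   by uid? %d\n",
           privileged_by_name(0), privileged_by_uid(0));

    /* The real system this runs on. */
    if (system_uid0_name(name, sizeof name) == 0)
        printf("this system's uid-0 account: %s\n", name);
    printf("euid %u privileged? %d\n", (unsigned)geteuid(),
           privileged_by_uid(geteuid()));
    printf("can write /etc? %d\n", can_write("/etc"));
    return 0;
}
```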
Re: LINUX & Security
Does it work with Top Secret on z/OS 1.4?

Re, Vincent wrote on Tuesday, December 10, 2002 3:32 PM:

> The short answer is that yes, we're committed to including PAM server
> components in all of our security products. I believe ACF2 VM and Top Secret
> VM PAM support are already announced, and I also believe VM:Secure is in the
> works. We're also looking at providing PAM server support in our eTrust
> Access Control product, which runs on Windows, Linux (mainframe and Intel)
> and a number of UNIX platforms.
>
> Vince Re
> Computer Associates
Re: LINUX & Security
On Wed, 11 Dec 2002, Ihno Krumreich wrote:

> I hope my understanding of the terms is right..
> For me accounting is to find out WHO has used a resource how much (to write bills).
> sysstat does not provide this information. sysstat just tells you
> how much a resource has been used at a given time. Its main goal
> is to find bottlenecks or to find a reason to the statement "the
> system is slow".

I don't know; I've not used it. However, this makes me think it might do more:

  -x pid | SELF | SUM | ALL
          Report statistics for a given process. pid is the process
          identification number. The SELF keyword indicates that statistics

Maybe the information's there. Presumably, Sebastien Godard <[EMAIL PROTECTED]>, the author, would know what's there and what can be added.

--
Cheers
John.
Re: LINUX & Security
Thanks... that's cool - very nicely done

Carlos :-)

Saying goes: Great minds think alike - I say: Great minds think for themselves!

Carlos A. Ordonez
IBM Corporation
Server Consolidation

"Re, Vincent" wrote on 12/11/2002 09:22 AM:

> > if I have 50 linux images running under VM and
> > each of them have a root user, can I have a different
> > password for each of them?
>
> There are lots of options here, depending on exactly what you're trying to
> achieve. Personally (as one who hates to remember different passwords), I
> would rather have one ID and password, and use security policy to control
> which systems I'm allowed to connect to. But if I prefer, I could just as
> easily have a different root account/password on each system. Or a mixture
> of both. The exact details vary depending on which security product (ACF2,
> Top Secret, eTrust Access Control) you're working with, but in general all
> of the system entry validation features of the security products apply.
>
> Vince Re
> Computer Associates
Re: LINUX & Security
> if I have 50 linux images running under VM and
> each of them have a root user, can I have a different
> password for each of them?

There are lots of options here, depending on exactly what you're trying to achieve. Personally (as one who hates to remember different passwords), I would rather have one ID and password, and use security policy to control which systems I'm allowed to connect to. But if I prefer, I could just as easily have a different root account/password on each system. Or a mixture of both. The exact details vary depending on which security product (ACF2, Top Secret, eTrust Access Control) you're working with, but in general all of the system entry validation features of the security products apply.

Vince Re
Computer Associates
Re: LINUX & Security
On Wed, Dec 11, 2002 at 08:02:49AM -0500, Carlos Ordonez wrote:

> Vince, I guess my question is, if I have 50 linux images running under VM
> and each of them have a root user, can I have a different password for each
> of them? Carlos :-)

Every image is a complete linux system independent of other linux images. So the short answer is: yes.

Ihno

--
Ihno Krumreich              [EMAIL PROTECTED]
SuSE Linux AG               S390 & zSeries
Deutschherrnstr. 15-19      +49-911-74053-439
90429 Nürnberg              http://www.suse.de
Re: LINUX & Security
On Tue, 10 Dec 2002 15:06:39 -0500 David Boyes said:

> > If you are an ACF2 (or CA-Top Secret) customer, then we have an
> > open-source PAM plug-in that lets you authenticate directly
> > against ACF2 or Top Secret. The client side (the part that runs on
> > Linux) is available in source code or pre-built RPM form (both Intel
> > and mainframe Linux). The server is simply a built-in integrated part
> > of ACF2. With our plug-in installed, you need no user definition on
> > Linux - your existing mainframe security rules and passwords are all
> > that's needed.
>
> Nice. Will it be available for VM:Secure?

How about RACF?

Cheers,
Arty
Re: LINUX & Security
Vince, I guess my question is, if I have 50 linux images running under VM and each of them have a root user, can I have a different password for each of them?

Carlos :-)

Saying goes: Great minds think alike - I say: Great minds think for themselves!

Carlos A. Ordonez
IBM Corporation
Server Consolidation

"Re, Vincent" wrote on 12/10/2002 05:20 PM:

> > Vince, can you have multiple root ids and passwords? Carlos :-)
>
> If you're asking whether you can have multiple user IDs with UID=0, then the
> answer is yes. UID/GID, shell program and home directory all come from the
> PAM server (ACF2, Top Secret, etc.), and there's no reason you couldn't have
> multiple UID 0 IDs if you wanted to.
>
> The nice thing about our PAM implementation is that you have a lot of
> flexibility when it comes to restricting which Linux images (or facilities
> within a Linux system) a given user can access. You might set it up so that
> users get root privileges, but only on a particular Linux image. Or, perhaps
> you'd let them use Telnet but not FTP. Because the authentication is
> processed by ACF2/Top Secret, all of the normal system entry controls are
> extended and apply to Linux as well. For example, an earlier post asked
> about auditing, and with our PAM plug-in, you will most definitely see a
> complete audit trail of Linux sign-on activity in your z/OS SMF records.
>
> Having said that, multiple UID 0 users might or might not be a good thing on
> Linux because there would be no way to segregate their permissions (that is,
> once logged on, any root user would have access to all resources). Keep in
> mind that PAM is just for user authentication - if you want true access
> control then you need something more. This is where our eTrust Access
> Control product fits in: it's essentially z/OS-style resource protection for
> Linux, and it provides the kind of granular resource protection (including
> controlling what root users may do), auditing, etc. that mainframe sites
> would be accustomed to.
>
> Vince Re
> Computer Associates
Re: LINUX & Security
Thanks to everyone !!

Joe

>>> [EMAIL PROTECTED] 12/10/02 06:11PM >>>

> On Wednesday 11 December 2002 04:42 am, you wrote:
> > Hello, we have just started to research SUSE Linux under z/VM, and I've
> > been asked these questions:
> >
> > - Does SUSE Linux issue any SAF (RACF) calls for security in the z/VM
> >   environment? If not, how is security handled?
> >
> > - Are there any types of "SMF" records cut to record access or violations
> >   to resources in a Linux z/VM environment?
> >
> > - Does anyone have a link to more specific security / Linux information?
>
> http://www.linuxsecurity.com/
> http://lsm.immunix.org/
> http://www.nsa.gov/selinux/
> http://sourceforge.net/project/showfiles.php?group_id=21266
> http://www.grsecurity.net/
> http://www.snort.org/
> http://www.chkrootkit.org/
> http://www.wiretapped.net/
> http://www.cert.org/
>
> That's what I came up with on short notice. security-enhanced linux and
> grsecurity-linux have an intensive development of Access Control Lists and
> Role Based Access Control, though in different ways. I expect they would be
> of equal interest at this preliminary stage.
>
> I don't know anything about SuSE; I don't use it.
>
> Wesley Parish
>
> > Thanks.
>
> --
> Mau e ki, "He aha te mea nui?"
> You ask, "What is the most important thing?"
> Maku e ki, "He tangata, he tangata, he tangata."
> I reply, "It is people, it is people, it is people."
Re: LINUX & Security
On Wednesday 11 December 2002 04:42 am, you wrote:

> Hello, we have just started to research SUSE Linux under z/VM, and I've
> been asked these questions:
>
> - Does SUSE Linux issue any SAF (RACF) calls for security in the z/VM
>   environment? If not, how is security handled?
>
> - Are there any types of "SMF" records cut to record access or violations
>   to resources in a Linux z/VM environment?
>
> - Does anyone have a link to more specific security / Linux information?

http://www.linuxsecurity.com/
http://lsm.immunix.org/
http://www.nsa.gov/selinux/
http://sourceforge.net/project/showfiles.php?group_id=21266
http://www.grsecurity.net/
http://www.snort.org/
http://www.chkrootkit.org/
http://www.wiretapped.net/
http://www.cert.org/

That's what I came up with on short notice. security-enhanced linux and grsecurity-linux have an intensive development of Access Control Lists and Role Based Access Control, though in different ways. I expect they would be of equal interest at this preliminary stage.

I don't know anything about SuSE; I don't use it.

Wesley Parish

> Thanks.

--
Mau e ki, "He aha te mea nui?"
You ask, "What is the most important thing?"
Maku e ki, "He tangata, he tangata, he tangata."
I reply, "It is people, it is people, it is people."
Re: LINUX & Security
On Wed, Dec 11, 2002 at 05:33:02AM +0800, John Summerfield wrote:
> On Tue, 10 Dec 2002, A. Harry Williams wrote:
> > >> - Are there any types of "SMF" records cut to record access
> > >> or violations to resources in a Linux z/VM environment ?
>
> I don't know of a way to detect accesses to datasets a user shouldn't be
> accessing. An ordinary user can't read /etc/shadow, but I don't know how
> to detect the attempt.
>
> > >There are entries in /var/log, just as on a normal Unix system. Neale's
> > >hcp command can be used to write those messages from syslog to a
> > >VM-based service, but it is not in the standard distributions. There is
> > >also rudimentary SVC 76 support for writing accounting records, but this
> > >also doesn't fit the bill.
>
> There is accounting available. Look at sysstat, homepage
> http://perso.wanadoo.fr/sebastien.godard/
>
> I've no idea how it performs, accounting is not something I've wanted to
> do.

I hope my understanding of the terms is right. For me accounting is to find out WHO has used a resource how much (to write bills). sysstat does not provide this information. sysstat just tells you how much a resource has been used at a given time. Its main goal is to find bottlenecks or to find a reason for the statement "the system is slow".

Ihno
--
Ihno Krumreich              [EMAIL PROTECTED]
SuSE Linux AG               S390 & zSeries
Deutschherrnstr. 15-19      +49-911-74053-439
90429 Nürnberg              http://www.suse.de
Re: LINUX & Security
> Vince, can you have multiple root ids and passwords?
> Carlos :-)

If you're asking whether you can have multiple user IDs with UID=0, then the answer is yes. UID/GID, shell program and home directory all come from the PAM server (ACF2, Top Secret, etc.), and there's no reason you couldn't have multiple UID 0 IDs if you wanted to.

The nice thing about our PAM implementation is that you have a lot of flexibility when it comes to restricting which Linux images (or facilities within a Linux system) a given user can access. You might set it up so that users get root privileges, but only on a particular Linux image. Or, perhaps you'd let them use Telnet but not FTP. Because the authentication is processed by ACF2/Top Secret, all of the normal system entry controls are extended and apply to Linux as well. For example, an earlier post asked about auditing, and with our PAM plug-in, you will most definitely see a complete audit trail of Linux sign-on activity in your z/OS SMF records.

Having said that, multiple UID 0 users might or might not be a good thing on Linux because there would be no way to segregate their permissions (that is, once logged on, any root user would have access to all resources). Keep in mind that PAM is just for user authentication - if you want true access control then you need something more. This is where our eTrust Access Control product fits in: it's essentially z/OS-style resource protection for Linux, and it provides the kind of granular resource protection (including controlling what root users may do), auditing, etc. that mainframe sites would be accustomed to.

Vince Re
Computer Associates
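Vince's caveat above (every UID 0 account is fully privileged, whatever it is called, so each one must be known and intended) suggests a routine check. What follows is an added example for this archive, not part of the thread and not CA's, IBM's or SuSE's code: it parses a passwd(5) listing and reports every UID 0 account that is not on an expected list, together with the related findings an auditor looks for (empty password field, hash kept in passwd rather than shadow). The sample listing is constructed; the file path and the allowed-account list are assumptions for illustration.

```python
"""Find every account that carries UID 0 in an /etc/passwd listing.

Added example, not part of the LINUX-390 thread and not any vendor's code.
SAMPLE_PASSWD is a constructed listing used when no file is given.
"""
import sys
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
opsroot:x:0:0:Operations root:/home/opsroot:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
toor::0:0::/:/bin/sh
bob:x:1001:100:Bob:/home/bob:/bin/bash
this line is malformed
"""


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    password: str   # "x" when the hash lives in /etc/shadow
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> Tuple[List[PasswdEntry], List[int]]:
    """Parse passwd(5) lines; return the entries plus the numbers of malformed lines."""
    entries: List[PasswdEntry] = []
    malformed: List[int] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            malformed.append(lineno)
            continue
        name, password, uid, gid, _gecos, home, shell = fields
        try:
            entries.append(PasswdEntry(name, password, int(uid), int(gid), home, shell))
        except ValueError:          # non-numeric uid or gid
            malformed.append(lineno)
    return entries, malformed


def uid0_accounts(entries: Iterable[PasswdEntry]) -> List[str]:
    """Names of all accounts with UID 0, in file order."""
    return [e.name for e in entries if e.uid == 0]


def audit_uid0(entries: Iterable[PasswdEntry], allowed: Set[str]) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for UID 0 accounts that need attention."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if e.uid != 0:
            continue
        if e.name not in allowed:
            findings.append((e.name, "unexpected UID 0 account"))
        if e.password == "":
            findings.append((e.name, "UID 0 account with empty password field"))
        elif e.password not in ("x", "*") and not e.password.startswith("!"):
            # "*" and a leading "!" are lock markers; anything else is a hash in passwd
            findings.append((e.name, "password hash kept in passwd instead of shadow"))
    return findings


if __name__ == "__main__":
    # Usage: python audit_uid0.py [/etc/passwd] [comma,separated,allowed,accounts]
    # (file path and allowed list are assumptions for illustration)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    allowed = set(sys.argv[2].split(",")) if len(sys.argv) > 2 else {"root"}
    entries, malformed = parse_passwd(text)
    for line in malformed:
        print(f"warning: line {line} is malformed")
    for name, finding in audit_uid0(entries, allowed):
        print(f"{name}: {finding}")
```

Run against the real /etc/passwd of each Linux image with the accounts the site has agreed on as UID 0 in the allowed list; anything reported is either an undocumented root-equivalent account or a password-storage problem on one.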
Re: LINUX & Security
Will do. Also, for those with access to the presentations from the October Tech Conference in Miami (VM/VSE/zOS/Linux) see A02 and A08 by Jon Furminger of IBM. Good overviews.

On Tuesday 10 December 2002 15:37, you wrote:
> Keep us informed on this, will you Joe?
>
> "Christmas is a funny season. What other time of the year do you sit in
> front of a dead tree and eat candy out of your socks?"
> Gordon Wolfe, Ph.D. (425)865-5940
> VM Technical Services, The Boeing Company
>
> > From: Joe Poole
> > Reply To: Linux on 390 Port
> > Sent: Tuesday, December 10, 2002 11:31 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: LINUX & Security
> >
> > Although I'm not deep enough into the process to be dangerous, you
> > might want to look at the z/OS LDAP server. Check the Redbook
> > "Securing Linux for zSeries with a Central z/OS (RACF) LDAP Server"
> > and the two publications SC24-5923-03 and SC24-5924-02 dealing with
> > administration and Client programming. It might answer some of your
> > questions. We're looking at it as a way to perform the old RACHECK
> > from a client application to authenticate a user's connection to a
> > specific RACF group.
> >
> > On Tuesday 10 December 2002 13:26, you wrote:
> > > I'd like to add a follow-on question to this
> > >
> > > Has anyone gotten Linux to update user ID's/Passwords from an NT
> > > central domain ? Is it possible to synchronize those, or failing
> > > that has anyone gotten Linux security to refresh from RACF or ACF2
> > > security databases, or even authenticate logon using LDAP into RACF
> > > or ACF2 instead of manually trying to synchronize Linux user
> > > lists/passwords/groups/ etc
> > >
> > > From: Joseph Sumi <[EMAIL PROTECTED]>
> > > Sent by: Linux on 390 Port <[EMAIL PROTECTED]>
> > > Date: 12/10/2002 09:42 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: LINUX & Security
> > >
> > > Hello, we have just started to research SUSE Linux under z/VM, and
> > > I've been asked these questions:
> > >
> > > - Does SUSE Linux issue any SAF (RACF) calls for security in the
> > >   z/VM environment ? If not, how is security handled ?
> > >
> > > - Are there any types of "SMF" records cut to record access or
> > >   violations to resources in a Linux z/VM environment ?
> > >
> > > - Does anyone have a link to more specific security / Linux
> > >   information ?
> > >
> > > Thanks.
Re: LINUX & Security
On Tue, 10 Dec 2002, A. Harry Williams wrote:
> >> - Are there any types of "SMF" records cut to record access
> >> or violations to resources in a Linux z/VM environment ?

I don't know of a way to detect accesses to datasets a user shouldn't be accessing. An ordinary user can't read /etc/shadow, but I don't know how to detect the attempt.

> >There are entries in /var/log, just as on a normal Unix system. Neale's
> >hcp command can be used to write those messages from syslog to a
> >VM-based service, but it is not in the standard distributions. There is
> >also rudimentary SVC 76 support for writing accounting records, but this
> >also doesn't fit the bill.

There is accounting available. Look at sysstat, homepage http://perso.wanadoo.fr/sebastien.godard/

I've no idea how it performs, accounting is not something I've wanted to do.

--
Cheers
John.

Join the "Linux Support by Small Businesses" list at http://mail.computerdatasafe.com.au/mailman/listinfo/lssb
Re: LINUX & Security
Keep us informed on this, will you Joe?

"Christmas is a funny season. What other time of the year do you sit in front of a dead tree and eat candy out of your socks?"
Gordon Wolfe, Ph.D. (425)865-5940
VM Technical Services, The Boeing Company

> From: Joe Poole
> Reply To: Linux on 390 Port
> Sent: Tuesday, December 10, 2002 11:31 AM
> To: [EMAIL PROTECTED]
> Subject: Re: LINUX & Security
>
> Although I'm not deep enough into the process to be dangerous, you
> might want to look at the z/OS LDAP server. Check the Redbook
> "Securing Linux for zSeries with a Central z/OS (RACF) LDAP Server"
> and the two publications SC24-5923-03 and SC24-5924-02 dealing with
> administration and Client programming. It might answer some of your
> questions. We're looking at it as a way to perform the old RACHECK
> from a client application to authenticate a user's connection to a
> specific RACF group.
>
> On Tuesday 10 December 2002 13:26, you wrote:
> > I'd like to add a follow-on question to this
> >
> > Has anyone gotten Linux to update user ID's/Passwords from an NT
> > central domain ? Is it possible to synchronize those, or failing
> > that has anyone gotten Linux security to refresh from RACF or ACF2
> > security databases, or even authenticate logon using LDAP into RACF
> > or ACF2 instead of manually trying to synchronize Linux user
> > lists/passwords/groups/ etc
> >
> > From: Joseph Sumi <[EMAIL PROTECTED]>
> > Sent by: Linux on 390 Port <[EMAIL PROTECTED]>
> > Date: 12/10/2002 09:42 AM
> > To: [EMAIL PROTECTED]
> > Subject: LINUX & Security
> >
> > Hello, we have just started to research SUSE Linux under z/VM, and
> > I've been asked these questions:
> >
> > - Does SUSE Linux issue any SAF (RACF) calls for security in the
> >   z/VM environment ? If not, how is security handled ?
> >
> > - Are there any types of "SMF" records cut to record access or
> >   violations to resources in a Linux z/VM environment ?
> >
> > - Does anyone have a link to more specific security / Linux
> >   information ?
> >
> > Thanks.
Re: LINUX & Security
> Is this a proprietary solution?

The client side (the PAM plug-in that runs on Linux) is open-source. In the example we talked about below, the *server* - which is an integrated feature of our ACF2 (or our other security products) - is proprietary, but there's no reason that IBM (or anyone else) couldn't develop an alternate server of their own. In this regard, our PAM plug-in is exactly like what you're using for LDAP: the protocol and clients are open-source, but the LDAP server implementation (whether you use IBM's or ours) is proprietary.

> How would the CA "Direct-to-ACF2/TopSecret" solution be faster?

The short answer is that our protocol is more efficient because it's tailored to the specific needs of a Linux user logging on through PAM. In contrast, LDAP is a general purpose function capable of much more than just authenticating Linux users, and this added complexity makes it less efficient. Since ACF2 includes both LDAP and direct PAM interfaces, you could certainly set up both and compare... I believe you'll see less CPU utilization and network traffic with our PAM solution.

Vince Re
Computer Associates
Re: LINUX & Security
Vince, can you have multiple root ids and passwords?

Carlos :-)

Saying goes: Great minds think alike - I say: Great minds think for themselves!
Carlos A. Ordonez
IBM Corporation
Server Consolidation

From: "Re, Vincent" <[EMAIL PROTECTED]>
Sent by: Linux on 390 Port <[EMAIL PROTECTED]>
Date: 12/10/2002 02:48 PM
To: [EMAIL PROTECTED]
Subject: Re: LINUX & Security

If you are an ACF2 (or CA-Top Secret) customer, then we have an open-source PAM plug-in that lets you authenticate directly against ACF2 or Top Secret. The client side (the part that runs on Linux) is available in source code or pre-built RPM form (both Intel and mainframe Linux). The server is simply a built-in integrated part of ACF2. With our plug-in installed, you need no user definition on Linux - your existing mainframe security rules and passwords are all that's needed.

Compared to the LDAP approach, our PAM implementation is faster, just as secure (we use OpenSSL on the network connection), and includes a number of additional features that help you control who should be able to connect to a particular Linux image. It's described in the ACF2 6.5 Product Announcement, which you can read here:

http://www3.ca.com/Files/ProductAnnouncements/etrust_acf2_pd_rel65.pdf

Vince Re
Computer Associates

-----Original Message-----
From: James Melin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 10, 2002 1:27 PM
To: [EMAIL PROTECTED]
Subject: Re: LINUX & Security

I'd like to add a follow-on question to this

Has anyone gotten Linux to update user ID's/Passwords from an NT central domain ? Is it possible to synchronize those, or failing that has anyone gotten Linux security to refresh from RACF or ACF2 security databases, or even authenticate logon using LDAP into RACF or ACF2 instead of manually trying to synchronize Linux user lists/passwords/groups/ etc

From: Joseph Sumi <[EMAIL PROTECTED]>
Sent by: Linux on 390 Port <[EMAIL PROTECTED]>
Date: 12/10/2002 09:42 AM
To: [EMAIL PROTECTED]
Subject: LINUX & Security

Hello, we have just started to research SUSE Linux under z/VM, and I've been asked these questions:

- Does SUSE Linux issue any SAF (RACF) calls for security in the z/VM environment ? If not, how is security handled ?

- Are there any types of "SMF" records cut to record access or violations to resources in a Linux z/VM environment ?

- Does anyone have a link to more specific security / Linux information ?

Thanks.
Re: LINUX & Security
The short answer is that yes, we're committed to including PAM server components in all of our security products. I believe ACF2 VM and Top Secret VM PAM support are already announced, and I also believe VM:Secure is in the works. We're also looking at providing PAM server support in our eTrust Access Control product, which runs on Windows, Linux (mainframe and Intel) and a number of UNIX platforms.

Vince Re
Computer Associates

-----Original Message-----
From: David Boyes [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 10, 2002 3:07 PM
To: [EMAIL PROTECTED]
Subject: Re: LINUX & Security

> If you are an ACF2 (or CA-Top Secret) customer, then we have an
> open-source PAM plug-in that lets you authenticate directly against ACF2
> or Top Secret. The client side (the part that runs on Linux) is
> available in source code or pre-built RPM form (both Intel and mainframe
> Linux). The server is simply a built-in integrated part of ACF2. With
> our plug-in installed, you need no user definition on Linux - your
> existing mainframe security rules and passwords are all that's needed.

Nice. Will it be available for VM:Secure?

-- db
Re: LINUX & Security
Is this a proprietary solution?

We have installed (on an Intel-based Linux) a PAM plug-in that authenticates - via LDAP - to both RACF and ACF2 LDAP servers running on OS/390 2.10; we are just starting to test the same on S390-based Linux.

How would the CA "Direct-to-ACF2/TopSecret" solution be faster?

Chuck Gowans
USDA - Nat'l IT Center

-----Original Message-----
From: Re, Vincent [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 10, 2002 1:49 PM
To: [EMAIL PROTECTED]
Subject: Re: LINUX & Security

If you are an ACF2 (or CA-Top Secret) customer, then we have an open-source PAM plug-in that lets you authenticate directly against ACF2 or Top Secret. The client side (the part that runs on Linux) is available in source code or pre-built RPM form (both Intel and mainframe Linux). The server is simply a built-in integrated part of ACF2. With our plug-in installed, you need no user definition on Linux - your existing mainframe security rules and passwords are all that's needed.

Compared to the LDAP approach, our PAM implementation is faster, just as secure (we use OpenSSL on the network connection), and includes a number of additional features that help you control who should be able to connect to a particular Linux image. It's described in the ACF2 6.5 Product Announcement, which you can read here:

http://www3.ca.com/Files/ProductAnnouncements/etrust_acf2_pd_rel65.pdf

Vince Re
Computer Associates

-----Original Message-----
From: James Melin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 10, 2002 1:27 PM
To: [EMAIL PROTECTED]
Subject: Re: LINUX & Security

I'd like to add a follow-on question to this

Has anyone gotten Linux to update user ID's/Passwords from an NT central domain ? Is it possible to synchronize those, or failing that has anyone gotten Linux security to refresh from RACF or ACF2 security databases, or even authenticate logon using LDAP into RACF or ACF2 instead of manually trying to synchronize Linux user lists/passwords/groups/ etc

From: Joseph Sumi <[EMAIL PROTECTED]>
Sent by: Linux on 390 Port <[EMAIL PROTECTED]>
Date: 12/10/2002 09:42 AM
To: [EMAIL PROTECTED]
Subject: LINUX & Security

Hello, we have just started to research SUSE Linux under z/VM, and I've been asked these questions:

- Does SUSE Linux issue any SAF (RACF) calls for security in the z/VM environment ? If not, how is security handled ?

- Are there any types of "SMF" records cut to record access or violations to resources in a Linux z/VM environment ?

- Does anyone have a link to more specific security / Linux information ?

Thanks.
Re: LINUX & Security
We are currently an ACF2 shop, but as of Sunday the 15th, we're RACF - unfortunately for us. We are removing every piece of CA software on our OS/390 system because of the prohibitively high licensing costs our manager 'negotiated'. I would have preferred to keep ACF2, but alas.

From: "Re, Vincent" <[EMAIL PROTECTED]>
Sent by: Linux on 390 Port <[EMAIL PROTECTED]>
Date: 12/10/2002 01:48 PM
To: [EMAIL PROTECTED]
Subject: Re: LINUX & Security

If you are an ACF2 (or CA-Top Secret) customer, then we have an open-source PAM plug-in that lets you authenticate directly against ACF2 or Top Secret. The client side (the part that runs on Linux) is available in source code or pre-built RPM form (both Intel and mainframe Linux). The server is simply a built-in integrated part of ACF2. With our plug-in installed, you need no user definition on Linux - your existing mainframe security rules and passwords are all that's needed.

Compared to the LDAP approach, our PAM implementation is faster, just as secure (we use OpenSSL on the network connection), and includes a number of additional features that help you control who should be able to connect to a particular Linux image. It's described in the ACF2 6.5 Product Announcement, which you can read here:

http://www3.ca.com/Files/ProductAnnouncements/etrust_acf2_pd_rel65.pdf

Vince Re
Computer Associates

-----Original Message-----
From: James Melin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 10, 2002 1:27 PM
To: [EMAIL PROTECTED]
Subject: Re: LINUX & Security

I'd like to add a follow-on question to this

Has anyone gotten Linux to update user ID's/Passwords from an NT central domain ? Is it possible to synchronize those, or failing that has anyone gotten Linux security to refresh from RACF or ACF2 security databases, or even authenticate logon using LDAP into RACF or ACF2 instead of manually trying to synchronize Linux user lists/passwords/groups/ etc

From: Joseph Sumi <[EMAIL PROTECTED]>
Sent by: Linux on 390 Port <[EMAIL PROTECTED]>
Date: 12/10/2002 09:42 AM
To: [EMAIL PROTECTED]
Subject: LINUX & Security

Hello, we have just started to research SUSE Linux under z/VM, and I've been asked these questions:

- Does SUSE Linux issue any SAF (RACF) calls for security in the z/VM environment ? If not, how is security handled ?

- Are there any types of "SMF" records cut to record access or violations to resources in a Linux z/VM environment ?

- Does anyone have a link to more specific security / Linux information ?

Thanks.
Re: LINUX & Security
> If you are an ACF2 (or CA-Top Secret) customer, then we have an
> open-source PAM plug-in that lets you authenticate directly against ACF2
> or Top Secret. The client side (the part that runs on Linux) is
> available in source code or pre-built RPM form (both Intel and mainframe
> Linux). The server is simply a built-in integrated part of ACF2. With
> our plug-in installed, you need no user definition on Linux - your
> existing mainframe security rules and passwords are all that's needed.

Nice. Will it be available for VM:Secure?

-- db
Re: LINUX & Security
If you are an ACF2 (or CA-Top Secret) customer, then we have an open-source PAM plug-in that lets you authenticate directly against ACF2 or Top Secret. The client side (the part that runs on Linux) is available in source code or pre-built RPM form (both Intel and mainframe Linux). The server is simply a built-in integrated part of ACF2. With our plug-in installed, you need no user definition on Linux - your existing mainframe security rules and passwords are all that's needed.

Compared to the LDAP approach, our PAM implementation is faster, just as secure (we use OpenSSL on the network connection), and includes a number of additional features that help you control who should be able to connect to a particular Linux image. It's described in the ACF2 6.5 Product Announcement, which you can read here:

http://www3.ca.com/Files/ProductAnnouncements/etrust_acf2_pd_rel65.pdf

Vince Re
Computer Associates

-----Original Message-----
From: James Melin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 10, 2002 1:27 PM
To: [EMAIL PROTECTED]
Subject: Re: LINUX & Security

I'd like to add a follow-on question to this

Has anyone gotten Linux to update user ID's/Passwords from an NT central domain ? Is it possible to synchronize those, or failing that has anyone gotten Linux security to refresh from RACF or ACF2 security databases, or even authenticate logon using LDAP into RACF or ACF2 instead of manually trying to synchronize Linux user lists/passwords/groups/ etc

From: Joseph Sumi <[EMAIL PROTECTED]>
Sent by: Linux on 390 Port <[EMAIL PROTECTED]>
Date: 12/10/2002 09:42 AM
To: [EMAIL PROTECTED]
Subject: LINUX & Security

Hello, we have just started to research SUSE Linux under z/VM, and I've been asked these questions:

- Does SUSE Linux issue any SAF (RACF) calls for security in the z/VM environment ? If not, how is security handled ?

- Are there any types of "SMF" records cut to record access or violations to resources in a Linux z/VM environment ?

- Does anyone have a link to more specific security / Linux information ?

Thanks.
Re: LINUX & Security
Although I'm not deep enough into the process to be dangerous, you might want to look at the z/OS LDAP server. Check the Redbook "Securing Linux for zSeries with a Central z/OS (RACF) LDAP Server" and the two publications SC24-5923-03 and SC24-5924-02 dealing with administration and Client programming. It might answer some of your questions. We're looking at it as a way to perform the old RACHECK from a client application to authenticate a user's connection to a specific RACF group.

On Tuesday 10 December 2002 13:26, you wrote:
> I'd like to add a follow-on question to this
>
> Has anyone gotten Linux to update user ID's/Passwords from an NT central
> domain ? Is it possible to synchronize those, or failing that has anyone
> gotten Linux security to refresh from RACF or ACF2 security databases, or
> even authenticate logon using LDAP into RACF or ACF2 instead of manually
> trying to synchronize Linux user lists/passwords/groups/ etc
>
> From: Joseph Sumi <[EMAIL PROTECTED]>
> Sent by: Linux on 390 Port <[EMAIL PROTECTED]>
> Date: 12/10/2002 09:42 AM
> To: [EMAIL PROTECTED]
> Subject: LINUX & Security
>
> Hello, we have just started to research SUSE Linux under z/VM, and I've
> been asked these questions:
>
> - Does SUSE Linux issue any SAF (RACF) calls for security in the z/VM
>   environment ? If not, how is security handled ?
>
> - Are there any types of "SMF" records cut to record access or violations
>   to resources in a Linux z/VM environment ?
>
> - Does anyone have a link to more specific security / Linux information ?
>
> Thanks.
Re: LINUX & Security
I am currently using Samba's Winbind to authenticate users for Samba access; I have also gotten it to work for ftp and telnet access. It doesn't really synchronize the id's, it just passes the authentication info on and verifies it's correct.

HTH
Josh

-----Original Message-----
From: James Melin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 10, 2002 12:27 PM
To: [EMAIL PROTECTED]
Subject: Re: LINUX & Security

I'd like to add a follow-on question to this

Has anyone gotten Linux to update user ID's/Passwords from an NT central domain ? Is it possible to synchronize those, or failing that has anyone gotten Linux security to refresh from RACF or ACF2 security databases, or even authenticate logon using LDAP into RACF or ACF2 instead of manually trying to synchronize Linux user lists/passwords/groups/ etc

From: Joseph Sumi <[EMAIL PROTECTED]>
Sent by: Linux on 390 Port <[EMAIL PROTECTED]>
Date: 12/10/2002 09:42 AM
To: [EMAIL PROTECTED]
Subject: LINUX & Security

Hello, we have just started to research SUSE Linux under z/VM, and I've been asked these questions:

- Does SUSE Linux issue any SAF (RACF) calls for security in the z/VM environment ? If not, how is security handled ?

- Are there any types of "SMF" records cut to record access or violations to resources in a Linux z/VM environment ?

- Does anyone have a link to more specific security / Linux information ?

Thanks.
Re: LINUX & Security
I'd like to add a follow-on question to this

Has anyone gotten Linux to update user ID's/Passwords from an NT central domain ? Is it possible to synchronize those, or failing that has anyone gotten Linux security to refresh from RACF or ACF2 security databases, or even authenticate logon using LDAP into RACF or ACF2 instead of manually trying to synchronize Linux user lists/passwords/groups/ etc

From: Joseph Sumi <[EMAIL PROTECTED]>
Sent by: Linux on 390 Port <[EMAIL PROTECTED]>
Date: 12/10/2002 09:42 AM
To: [EMAIL PROTECTED]
Subject: LINUX & Security

Hello, we have just started to research SUSE Linux under z/VM, and I've been asked these questions:

- Does SUSE Linux issue any SAF (RACF) calls for security in the z/VM environment ? If not, how is security handled ?

- Are there any types of "SMF" records cut to record access or violations to resources in a Linux z/VM environment ?

- Does anyone have a link to more specific security / Linux information ?

Thanks.
Re: LINUX & Security
On Tue, 10 Dec 2002 11:52:52 -0500 David Boyes said:
>> - Does SUSE Linux issue any SAF (RACF) calls for security in
>> the z/VM environment ?
>
>No.
>
>> If not, how is security handled ?
>
>Purely internally. Treat it as a standalone Unix system, with the exact
>same requirements.
>
>> - Are there any types of "SMF" records cut to record access
>> or violations to resources in a Linux z/VM environment ?
>
>There are entries in /var/log, just as on a normal Unix system. Neale's
>hcp command can be used to write those messages from syslog to a
>VM-based service, but it is not in the standard distributions. There is
>also rudimentary SVC 76 support for writing accounting records, but this
>also doesn't fit the bill.

SVC 76 is LOGREC (aka EREP), and while similar in many ways to syslog, isn't going to have SMF80 records, which I believe is what you would want from MVS. The syslog is going to record that in Linux. One of the biggest differences between SMF and syslog is that SMF allows binary data.

For VM, if journalling is turned on, SMF80 would be accounting records cut and collected by DISKACNT on most systems or your ESM would do it itself. Other types of SMF records would end up being Monitor records. With the DIAG driver, you could use DIAG 4C to cut VM accounting records from Linux, but you would need OPTION ACCT in the CP directory and they still wouldn't be the exact same format as the CP generated bad logon, bad link etc.

>> - Does anyone have a link to more specific security / Linux
>> information ?
>
>It is done exactly like discrete Intel boxes. Your local bookstore
>should have plenty of Linux security books.
Re: LINUX & Security
> - Does SUSE Linux issue any SAF (RACF) calls for security in
> the z/VM environment ?

No.

> If not, how is security handled ?

Purely internally. Treat it as a standalone Unix system, with the exact same requirements.

> - Are there any types of "SMF" records cut to record access
> or violations to resources in a Linux z/VM environment ?

There are entries in /var/log, just as on a normal Unix system. Neale's hcp command can be used to write those messages from syslog to a VM-based service, but it is not in the standard distributions. There is also rudimentary SVC 76 support for writing accounting records, but this also doesn't fit the bill.

> - Does anyone have a link to more specific security / Linux
> information ?

It is done exactly like discrete Intel boxes. Your local bookstore should have plenty of Linux security books.
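David's and Harry's replies above make the same point from two sides: on Linux the sign-on audit trail is whatever login, sshd and friends write to syslog as free text, not the fixed-format SMF type 80 records an MVS auditor expects, and (as John notes in the same thread) nothing in the distribution turns failed attempts into an alert. What follows is an added example for this archive, not code from the thread, from SuSE or from any of the products mentioned: it parses syslog sign-on lines into fixed fields and counts failures per user and origin. The sample lines are constructed in the message formats written by shadow's login and OpenSSH's sshd; other services (su, ftpd, other PAM modules) log in their own formats and would need their own patterns, and the threshold of three is an assumption matching the lockout question raised later in this archive.

```python
"""Turn syslog sign-on messages into structured, SMF-80-like audit records.

Added example, not part of the LINUX-390 thread and not any vendor's code.
SAMPLE_SYSLOG is constructed; the formats follow shadow's login
("FAILED LOGIN n FROM src FOR user, reason") and OpenSSH's sshd
("Accepted|Failed method for [invalid user ]user from src port n").
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE_SYSLOG = """\
Dec 10 09:42:01 linux01 login[1234]: FAILED LOGIN 1 FROM 10.1.2.3 FOR jsumi, Authentication failure
Dec 10 09:42:07 linux01 login[1234]: FAILED LOGIN 2 FROM 10.1.2.3 FOR jsumi, Authentication failure
Dec 10 09:42:13 linux01 login[1234]: FAILED LOGIN 3 FROM 10.1.2.3 FOR jsumi, Authentication failure
Dec 10 09:42:15 linux01 sshd[2222]: Failed password for invalid user test from 10.1.2.9 port 40000 ssh2
Dec 10 09:43:00 linux01 sshd[2223]: Accepted password for jsumi from 10.1.2.3 port 40001 ssh2
Dec 10 09:44:30 linux01 kernel: eth0: link up
Dec 10 09:45:02 linux01 sshd[2230]: Failed password for root from 10.1.2.9 port 40002 ssh2
"""

# classic BSD syslog line: "Mon dd hh:mm:ss host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$")
LOGIN_FAIL_RE = re.compile(r"^FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>[^,]+), ")
SSHD_RE = re.compile(
    r"^(?P<outcome>Accepted|Failed) \S+ for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")


@dataclass(frozen=True)
class AuthEvent:
    timestamp: str
    host: str
    service: str
    user: str
    source: str
    success: bool
    invalid_user: bool = False

    def record(self) -> str:
        """One fixed-field line per sign-on event, for a collector to store."""
        outcome = "ACCEPT" if self.success else "REJECT"
        flag = " UNKNOWN-USER" if self.invalid_user else ""
        return (f"{self.timestamp} {self.host} {self.service:<6} {outcome:<6} "
                f"user={self.user} from={self.source}{flag}")


def parse_auth_events(text: str) -> List[AuthEvent]:
    """Extract sign-on events; lines from other programs are ignored."""
    events: List[AuthEvent] = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, host, prog, msg = m.group("ts", "host", "prog", "msg")
        if prog == "login":
            lm = LOGIN_FAIL_RE.match(msg)      # login logs successes elsewhere (wtmp)
            if lm:
                events.append(AuthEvent(ts, host, prog, lm["user"], lm["src"], False))
        elif prog == "sshd":
            sm = SSHD_RE.match(msg)
            if sm:
                events.append(AuthEvent(ts, host, prog, sm["user"], sm["src"],
                                        sm["outcome"] == "Accepted",
                                        sm["invalid"] is not None))
    return events


def failure_counts(events: List[AuthEvent]) -> Dict[Tuple[str, str], int]:
    """Failed attempts keyed by (user, source)."""
    return Counter((e.user, e.source) for e in events if not e.success)


def over_threshold(events: List[AuthEvent], threshold: int) -> List[Tuple[str, str, int]]:
    """(user, source, failures) at or above threshold, most failures first."""
    hits = [(u, s, n) for (u, s), n in failure_counts(events).items() if n >= threshold]
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_SYSLOG)
    for e in evs:
        print(e.record())
    for user, src, n in over_threshold(evs, 3):
        print(f"ALERT {n} failures for {user} from {src}")
```

The records are text, so they still lack what Harry points out SMF has (binary fields, a defined layout); the gain is that the fields are now fixed and countable, which is what a collector on the VM or z/OS side would need before it could treat them as audit data.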
LINUX & Security
Hello, we have just started to research SUSE Linux under z/VM, and I've been asked these questions:

- Does SUSE Linux issue any SAF (RACF) calls for security in the z/VM environment ? If not, how is security handled ?

- Are there any types of "SMF" records cut to record access or violations to resources in a Linux z/VM environment ?

- Does anyone have a link to more specific security / Linux information ?

Thanks.
Re: Linux security questions
> I have to find some answers to these questions for our security
> plan (why is that part always harder than the install). This is
> for SuSE 2.4.7 kernel.
>
> 1. How can I enforce a password to contain at least 1
>    numeric, 1 alpha, and 1 special character?

I suspect you will need to change passwd (unix passwords) or smbpasswd (passwords for Windows users) or provide a wrapper and hide those programs.

> 2. How can I lockout a userid after 3 bad attempts at
>    password

pass. It's an invitation to a DoS attack though.

> 3. How can I set a login to timeout if a valid userid/pwd
>    is not entered within 2 minutes?

Isn't one minute good enough? The standard login has one minute; ssh (I think) has its own limit which may be different, but it does time out.

I have to say one minute can be a pain. I've had problems when the system was thrashing (on Linux AND OS/2) and I could not login within the minute so as to be able to investigate.

--
Cheers
John Summerfield

Microsoft's most solid OS: http://www.geocities.com/rcwoolley/
Note: mail delivered to me is deemed to be intended for me, for my disposition.

==
If you don't like being told you're wrong, be right!
Re: Linux security questions
Marcy,

Most of this would be controlled by /etc/login.defs. I don't know if PAM overrules what's in here, honors it, ignores it, or what, though.

1. I'm not sure you can enforce this, per se, but if you enable cracklib checking of passwords, they'll be reasonably strong passwords.
   CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict

2. I don't know if "locking out" someone is possible, out of the box.

3. Two minutes is kind of long, but:
   LOGIN_TIMEOUT 120

Mark Post

-----Original Message-----
From: Marcy Cortes [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 02, 2002 4:37 PM
To: [EMAIL PROTECTED]
Subject: Linux security questions

I have to find some answers to these questions for our security plan (why is that part always harder than the install). This is for SuSE 2.4.7 kernel.

1. How can I enforce a password to contain at least 1 numeric, 1 alpha, and 1 special character?

2. How can I lockout a userid after 3 bad attempts at password

3. How can I set a login to timeout if a valid userid/pwd is not entered within 2 minutes?

Thanks in advance!

Marcy Cortes
VM Systems Programming
Wells Fargo Services Company
Re: Linux security questions
Marcy Cortes wrote:
>1. How can I enforce a password to contain at least 1
>   numeric, 1 alpha, and 1 special character?
>
>2. How can I lockout a userid after 3 bad attempts at
>   password
>
>3. How can I set a login to timeout if a valid userid/pwd
>   is not entered within 2 minutes?

This is all stuff handled by the PAM (Pluggable Authentication Modules) mechanism. Unfortunately, PAM is so infinitely configurable that I'm always at a loss trying to find out how to achieve any particular setting ;-(

Maybe someone else knows the details, otherwise I can only suggest reading the documentation, starting with 'man pam' and looking under /usr/doc/packages/pam/.

Bye,
Ulrich

--
Dr. Ulrich Weigand
[EMAIL PROTECTED]
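Mark's reply points at cracklib and Ulrich's at PAM, and that is where questions 1 and 2 are answered on a PAM-based SuSE: pam_cracklib decides whether a new password is acceptable, and pam_tally counts failed logins and refuses further ones past a limit. What follows is an added example for this archive, not code from the thread, from SuSE or from Linux-PAM: a small model of the two rules, so the numbers in the PAM lines can be checked before they go into /etc/pam.d/*. The credit arithmetic follows the pam_cracklib documentation (a negative credit is a hard minimum for that character class, a positive one lets characters of that class count extra toward minlen); the exact minlen accounting has differed between pam_cracklib versions, so confirm against the pam_cracklib and pam_tally documentation shipped with your Linux-PAM. The PAM lines shown in comments, the sample passwords and the user names are assumptions for illustration. The lockout model also shows John's DoS point: once the counter is full, the right password no longer gets the user in.

```python
"""Password-policy and lockout arithmetic as PAM applies it.

Added example, not part of the LINUX-390 thread and not Linux-PAM's code:
a model of pam_cracklib's minlen/credit rule and pam_tally's deny counter.
Policy values, PAM lines in comments and sample passwords are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

CLASS_NAMES = {"d": "digit", "u": "upper-case letter",
               "l": "lower-case letter", "o": "other (special) character"}


def classify(password: str) -> Dict[str, int]:
    """Count characters per pam_cracklib class: digit, upper, lower, other."""
    counts = {"d": 0, "u": 0, "l": 0, "o": 0}
    for c in password:
        if c.isdigit():
            counts["d"] += 1
        elif c.isupper():
            counts["u"] += 1
        elif c.islower():
            counts["l"] += 1
        else:
            counts["o"] += 1
    return counts


@dataclass(frozen=True)
class CracklibPolicy:
    """minlen/credit rule as documented for pam_cracklib.

    credit < 0: at least -credit characters of that class are required
                and the class earns no credit;
    credit > 0: up to `credit` characters of the class each add one point
                toward minlen.  Defaults mirror the documented ones
                (minlen=9, every credit 1).  Model only; check pam_cracklib(8).
    """
    minlen: int = 9
    dcredit: int = 1
    ucredit: int = 1
    lcredit: int = 1
    ocredit: int = 1

    def evaluate(self, password: str) -> Tuple[bool, str]:
        counts = classify(password)
        score = len(password)
        for cls, credit in (("d", self.dcredit), ("u", self.ucredit),
                            ("l", self.lcredit), ("o", self.ocredit)):
            if credit < 0 and counts[cls] < -credit:
                return False, f"needs at least {-credit} {CLASS_NAMES[cls]}"
            if credit > 0:
                score += min(counts[cls], credit)
        if score < self.minlen:
            return False, f"too short: score {score} < minlen {self.minlen}"
        return True, "ok"


# Marcy's rule (1 numeric, 1 alpha, 1 special) in pam_cracklib terms.  cracklib
# has no "alpha of either case" class, so this asks for a lower-case letter:
#   password requisite pam_cracklib.so retry=3 minlen=8 dcredit=-1 lcredit=-1 ocredit=-1 ucredit=0
MARCY_POLICY = CracklibPolicy(minlen=8, dcredit=-1, ucredit=0, lcredit=-1, ocredit=-1)


class Tally:
    """pam_tally with deny=N: refuse logins after N consecutive failures.

    Corresponding lines (assumed; auth counts, account enforces and resets):
      auth    required pam_tally.so onerr=fail no_magic_root
      account required pam_tally.so deny=3 reset no_magic_root
    """

    def __init__(self, deny: int = 3) -> None:
        self.deny = deny
        self.failures: Dict[str, int] = {}

    def is_locked(self, user: str) -> bool:
        return self.failures.get(user, 0) >= self.deny

    def attempt(self, user: str, password_ok: bool) -> bool:
        """Record one login attempt; True only if the login is allowed."""
        if self.is_locked(user):
            return False            # correct password no longer helps: John's DoS
        if password_ok:
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        return False

    def reset(self, user: str) -> None:
        """What an administrator does with: pam_tally --user USER --reset"""
        self.failures.pop(user, None)
```

Question 3 stays where Mark put it, in /etc/login.defs (LOGIN_TIMEOUT), since it is the login program's own timer rather than a PAM decision.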
Linux security questions
I have to find some answers to these questions for our security plan (why is that part always harder than the install). This is for SuSE 2.4.7 kernel.

1. How can I enforce a password to contain at least 1 numeric, 1 alpha, and 1 special character?
2. How can I lockout a userid after 3 bad attempts at password
3. How can I set a login to timeout if a valid userid/pwd is not entered within 2 minutes?

Thanks in advance!

Marcy Cortes
VM Systems Programming
Wells Fargo Services Company
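The first two controls asked about in this thread (a composition rule of at least one letter, one digit and one special character, and a lockout after three bad attempts) as application-level logic, written here as an added Python example; it is not code from the list, from SuSE or from any of the posters, and it does not replace the PAM or /etc/login.defs configuration the replies discuss. The user ids, timestamps and passwords in the test are constructed sample data. The lockout is deliberately time-limited rather than permanent, which is the mitigation for the denial-of-service concern John Summerfield raises: with a permanent lock, anyone who can reach the login prompt can lock any user id out by failing three times.

```python
import string
import time

# Character classes for the composition rule in question 1.
ALPHA = set(string.ascii_letters)
DIGITS = set(string.digits)
SPECIAL = set(string.punctuation)


def password_meets_policy(password):
    """True if the password has at least one alphabetic character,
    one digit and one special (punctuation) character."""
    chars = set(password)
    return bool(chars & ALPHA) and bool(chars & DIGITS) and bool(chars & SPECIAL)


class LockoutTracker:
    """Counts consecutive failed logins per user id (question 2).

    After `max_failures` failures within `window` seconds the account is
    locked for `lock_seconds`, then automatically unlocked with a fresh
    count. Parameter names and defaults are this example's own choices.
    """

    def __init__(self, max_failures=3, window=600, lock_seconds=900):
        self.max_failures = max_failures
        self.window = window
        self.lock_seconds = lock_seconds
        self._failures = {}      # user -> list of failure timestamps
        self._locked_until = {}  # user -> time at which the lock expires

    def is_locked(self, user, now=None):
        """Report whether `user` is currently locked out; expired locks are cleared."""
        now = time.time() if now is None else now
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lock has expired: forget the old failures so the count restarts.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user, now=None):
        """Record one failed attempt; return True if the account is (now) locked."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return True
        # Only failures inside the sliding window count toward the limit.
        recent = [t for t in self._failures.get(user, []) if now - t <= self.window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lock_seconds
            return True
        return False

    def record_success(self, user):
        """A successful login resets the consecutive-failure count."""
        self._failures.pop(user, None)
```

The tracker keys its state on the user id as typed, so an attacker failing three times against a victim's id does block that victim, but only for `lock_seconds`; shortening the window and lock duration trades brute-force resistance against that nuisance. Question 3 (the login timeout) is a setting of the login program itself (LOGIN_TIMEOUT in /etc/login.defs, as Mark Post notes) and is not modelled here.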
Re: Yahoo News Article - Linux security auditing to get a boost
[EMAIL PROTECTED] said:

> "Last month, after a memo from Microsoft Chairman Bill Gates directing
> the software giant's programmers to make security the No. 1 priority,
> top execs said the company would spend three to four weeks training
> its developers in secure coding techniques and auditing existing
> code."

Previous posts have given me the impression that the entire bug-finding effort was to take four weeks. A training effort requiring four weeks' attendance of every developer doesn't seem to me so bad.

I've not seen the press release myself - by and large I ignore Windows as I don't use it unless pressed really hard, or for reasons other than those Chairman Bill might expect.

--
Cheers
John Summerfield
Microsoft's most solid OS: http://www.geocities.com/rcwoolley/
Note: mail delivered to me is deemed to be intended for me, for my disposition.
Yahoo News Article - Linux security auditing to get a boost
A colleague forwarded this URL to me today. The article talks about DARPA funding a project to better ensure Open Source software gets audited for security exposures. One _hilarious_ statement though is this:

"Software security holes caused by a lack of proper review don't plague just the open-source world."

And if that weren't funny enough, the writer immediately follows that with this:

"Last month, after a memo from Microsoft Chairman Bill Gates directing the software giant's programmers to make security the No. 1 priority, top execs said the company would spend three to four weeks training its developers in secure coding techniques and auditing existing code."

When I stop laughing so hard, I think I might start to cry.

http://story.news.yahoo.com/news?tmpl=story&u=/cn/20020206/tc_cn/linux_security_auditing_to_get_a_boost

Mark Post
IBM developerWorks: Linux Security for the Enterprise and Service Providers
See: http://linuxtoday.com/news_story.php3?ltsn=2002-01-08-004-20-SC-EL-HE

"Here are a couple of white papers recently released by the IBM T.J. Watson Research Center in January of 2002 concerning the state of Linux Security for Enterprise systems. In addition to that you can take a look at a good white paper containing information about securing Linux Servers for Service Providers."
Re: Linux Security
On Thu, 20 Dec 2001, Gerard Graham wrote:

> In our efforts to move Linux along we are trying to get internet access to our
> mainframe running Linux under VM. With that said I need to furnish my security
> department with documentation and articles that relate to Linux security. This
> is a new world for them and the better understanding they have of Linux security
> the faster they will move in getting our Linux out to the net. The VM RACF or
> ACF2 stuff I can handle I just need more security doc on Linux. Can anyone point
> me in the right direction?

I'm doing a lot of security work and part of my job was to come up with a comprehensive security standard and procedure for all our Linux servers which are connected to the Internet (we are constantly under a security audit by another company). Here are my recommendations:

- "Securing Linux: Step-by-Step" from the SANS institute: http://www.sansstore.org/
  Try to follow these steps as close as possible for getting "basic" security installed on your servers.

- "Securing & Optimizing Linux: The Ultimate Solution" http://www.puschitz.com/Security.html
  This book is a must. It helps you to install _very_ secure Linux servers.

Hope this helps
Werner
Re: Linux Security
I've heard many folks say two books no sysadmin should be without are the O'Reilly titles: "Essential System Administration" (which has a surprising amount of info re: security) and that mentioned below, "Practical Unix and Internet Security", which is, imho, the definitive guide. I've got 'em both, and they have come in handy over the years...

-Original Message-
From: Post, Mark K [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 20, 2001 10:26 AM
To: [EMAIL PROTECTED]
Subject: Re: Linux Security

Something else came to mind, and that is non-online resources. O'Reilly has a book called "Practical UNIX & Internet Security, 2nd Edition," which is written by Gene Spafford and Simson Garfinkel. You may recognize Spafford's name as being well-known within the security community. I've not read the book, and so cannot recommend it personally, but you can see if it would be of interest by going to http://www.oreilly.com/catalog/puis/. They have the complete table of contents of the book, as well as a sample chapter, "Appendix A: UNIX Security Checklist."

Mark Post

-Original Message-
From: Gerard Graham [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 20, 2001 10:00 AM
To: [EMAIL PROTECTED]
Subject: Linux Security

In our efforts to move Linux along we are trying to get internet access to our mainframe running Linux under VM. With that said I need to furnish my security department with documentation and articles that relate to Linux security. This is a new world for them and the better understanding they have of Linux security the faster they will move in getting our Linux out to the net. The VM RACF or ACF2 stuff I can handle I just need more security doc on Linux. Can anyone point me in the right direction?
Re: Linux Security
Something else came to mind, and that is non-online resources. O'Reilly has a book called "Practical UNIX & Internet Security, 2nd Edition," which is written by Gene Spafford and Simson Garfinkel. You may recognize Spafford's name as being well-known within the security community. I've not read the book, and so cannot recommend it personally, but you can see if it would be of interest by going to http://www.oreilly.com/catalog/puis/. They have the complete table of contents of the book, as well as a sample chapter, "Appendix A: UNIX Security Checklist."

Mark Post

-Original Message-
From: Gerard Graham [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 20, 2001 10:00 AM
To: [EMAIL PROTECTED]
Subject: Linux Security

In our efforts to move Linux along we are trying to get internet access to our mainframe running Linux under VM. With that said I need to furnish my security department with documentation and articles that relate to Linux security. This is a new world for them and the better understanding they have of Linux security the faster they will move in getting our Linux out to the net. The VM RACF or ACF2 stuff I can handle I just need more security doc on Linux. Can anyone point me in the right direction?
Re: Linux Security
Check here: http://www.linux.org/docs/ldp/howto/Security-HOWTO.html

Jay Brenneman

From: Gerard Graham <[EMAIL PROTECTED]>
Sent by: Linux on 390 Port <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Linux Security
Date: 12/20/01 09:59 AM
Please respond to Linux on 390 Port

In our efforts to move Linux along we are trying to get internet access to our mainframe running Linux under VM. With that said I need to furnish my security department with documentation and articles that relate to Linux security. This is a new world for them and the better understanding they have of Linux security the faster they will move in getting our Linux out to the net. The VM RACF or ACF2 stuff I can handle I just need more security doc on Linux. Can anyone point me in the right direction?
Re: Linux Security
Gerard,

Just a quick look at the links on the linuxvm.org site turned up these. There are others that will be more valuable coming from other people (and then I get to add them to the list of links!):

- Site Security Handbook - http://www.faqs.org/rfcs/rfc2196.html
- Securing DNS (Linux version) - http://www.psionic.com/papers/dns/dns-linux
- Linux-Privs - POSIX capabilities (security) - http://www.uk.kernel.org/pub/linux/libs/security/linux-privs/
- Linux Security "State of the Union" - http://oss.software.ibm.com/developer/opensource/linux/whitepapers/LTC-Security-Whitepaper-external.pdf

Mark Post

-Original Message-
From: Gerard Graham [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 20, 2001 10:00 AM
To: [EMAIL PROTECTED]
Subject: Linux Security

In our efforts to move Linux along we are trying to get internet access to our mainframe running Linux under VM. With that said I need to furnish my security department with documentation and articles that relate to Linux security. This is a new world for them and the better understanding they have of Linux security the faster they will move in getting our Linux out to the net. The VM RACF or ACF2 stuff I can handle I just need more security doc on Linux. Can anyone point me in the right direction?
Re: Linux Security
Hummm, I remember some things and links here www.suse.de/~marc and you might try linuxsecurity.com

Regards,
Jon

Jon R. Doyle
Sendmail Inc.
6425 Christie Ave
Emeryville, Ca. 94608

(o_  (o_  (o_
//\  (/)_ (\)_
V_/_

On Thu, 20 Dec 2001, Gerard Graham wrote:

> In our efforts to move Linux along we are trying to get internet access to our
> mainframe running Linux under VM. With that said I need to furnish my security
> department with documentation and articles that relate to Linux security. This
> is a new world for them and the better understanding they have of Linux security
> the faster they will move in getting our Linux out to the net. The VM RACF or
> ACF2 stuff I can handle I just need more security doc on Linux. Can anyone point
> me in the right direction?
>
Linux Security
In our efforts to move Linux along we are trying to get internet access to our mainframe running Linux under VM. With that said I need to furnish my security department with documentation and articles that relate to Linux security. This is a new world for them and the better understanding they have of Linux security the faster they will move in getting our Linux out to the net. The VM RACF or ACF2 stuff I can handle; I just need more security doc on Linux. Can anyone point me in the right direction?