linux-kernel.vger.kernel.org archive mirror
* Suggestions for linux security patches
@ 2001-12-19 20:48 Jason Czerak
  2001-12-19 21:28 ` Tomas Konir
                   ` (3 more replies)
  0 siblings, 4 replies; 6+ messages in thread
From: Jason Czerak @ 2001-12-19 20:48 UTC (permalink / raw)
  To: linux-kernel

I'm running linux 2.4.16, and I'm looking for the best possible kernel
patch to harden things up a bit. Primarily I wish to have what is in
openwall's and grsecurity's patches, i.e. the buffer overflow protection,
but I'm unable to use the openwall patch because it only supports 2.2.X
kernels ATM. I applied the grsecurity patch but for some reason when
running mozilla as non-root, the GUI for mozilla is all messed up (and I
enabled sysctl support so nothing was enabled by default except stuff
that isn't able to use sysctl).

So to avoid applying 20 or so different patches, and evaluating each of
them (taking up what little time I have in a day...), I wish to get the
list's opinions on the matter.

Local security/control isn't much of an issue and most likely won't be
for a while. Remote security and protection from server daemons that
have buffer problems are high priority to get the best protection for.


--
Jason Czerak



* Re: Suggestions for linux security patches
  2001-12-19 20:48 Suggestions for linux security patches Jason Czerak
@ 2001-12-19 21:28 ` Tomas Konir
  2001-12-19 21:44 ` Jason Czerak
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 6+ messages in thread
From: Tomas Konir @ 2001-12-19 21:28 UTC (permalink / raw)
  To: Jason Czerak; +Cc: linux-kernel

On 19 Dec 2001, Jason Czerak wrote:

> I'm running linux 2.4.16, and I'm looking for the best possible kernel
> patch to harden things up a bit. Primarily I wish to have what is in
> openwall's and grsecurity's patches, i.e. the buffer overflow protection,
> but I'm unable to use the openwall patch because it only supports 2.2.X
> kernels ATM. I applied the grsecurity patch but for some reason when
> running mozilla as non-root, the GUI for mozilla is all messed up (and I
> enabled sysctl support so nothing was enabled by default except stuff
> that isn't able to use sysctl).
>
> So to avoid applying 20 or so different patches, and evaluating each of
> them (taking up what little time I have in a day...), I wish to get the
> list's opinions on the matter.
>
> Local security/control isn't much of an issue and most likely won't be
> for a while. Remote security and protection from server daemons that
> have buffer problems are high priority to get the best protection for.
>
>

Try http://www.grsecurity.net

 MOJE

-- 
Tomas Konir
Brno
ICQ 25849167




* Re: Suggestions for linux security patches
  2001-12-19 20:48 Suggestions for linux security patches Jason Czerak
  2001-12-19 21:28 ` Tomas Konir
@ 2001-12-19 21:44 ` Jason Czerak
  2001-12-19 23:50 ` Chris Wright
  2001-12-20  5:19 ` Kevin
  3 siblings, 0 replies; 6+ messages in thread
From: Jason Czerak @ 2001-12-19 21:44 UTC (permalink / raw)
  To: linux-kernel

On Wed, 2001-12-19 at 15:48, Jason Czerak wrote:
> I'm running linux 2.4.16, and I'm looking for the best possible kernel
> patch to harden things up a bit. Primarily I wish to have what is in
> openwall's and grsecurity's patches, i.e. the buffer overflow protection,
> but I'm unable to use the openwall patch because it only supports 2.2.X
> kernels ATM. I applied the grsecurity patch but for some reason when
> running mozilla as non-root, the GUI for mozilla is all messed up (and I
> enabled sysctl support so nothing was enabled by default except stuff
> that isn't able to use sysctl).
> 
> So to avoid applying 20 or so different patches, and evaluating each of
> them (taking up what little time I have in a day...), I wish to get the
> list's opinions on the matter.
> 

Ok, so 20 or so was a little off base. :) It's more like 3 packages that
are for my type of system and that appear to be actively developed:

1. SELinux
2. grsecurity
3. LIDS

LIDS and grsecurity appear to be highly configurable, and grsecurity
isn't playing nice with some applications on my system. I'll be testing
out SELinux and LIDS tomorrow, but as one list member emailed me
earlier, LIDS has over 500 different options. That right there may be a
turn-off for sake of sanity right now. :)



--
Jason Czerak




* Re: Suggestions for linux security patches
  2001-12-19 20:48 Suggestions for linux security patches Jason Czerak
  2001-12-19 21:28 ` Tomas Konir
  2001-12-19 21:44 ` Jason Czerak
@ 2001-12-19 23:50 ` Chris Wright
  2001-12-20  5:19 ` Kevin
  3 siblings, 0 replies; 6+ messages in thread
From: Chris Wright @ 2001-12-19 23:50 UTC (permalink / raw)
  To: Jason Czerak; +Cc: linux-kernel

* Jason Czerak (Jason-Czerak@Jasnik.net) wrote:
> So to avoid applying 20 or so different patches, and evaluating each of
> them (taking up what little time I have in a day...), I wish to get the
> list's opinions on the matter.

have you looked at linux security modules?  the patches are at
http://lsm.immunix.org.  it pushes security policy into modules so you can
try different modules to see which policy you prefer.

> Local security/control isn't much of an issue and most likely won't be
> for a while. Remote security and protection from server daemons that
> have buffer problems are high priority to get the best protection for.

note, non-executable stack does not prevent buffer overflow attacks.
the exploit just needs to change.  check out tools like libsafe and
StackGuard as well for buffer overflow protection.

thanks,
-chris

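Added example, not code from the thread or from any of the projects it
names, to illustrate Chris's point. The overflow payload below contains no
machine code at all: it just overwrites the saved return address with an
address of code that already exists (0xdeadbeef here stands in for such an
address, the way a return-into-libc exploit would use the address of
system()), so a non-executable stack does nothing against it. A
StackGuard-style canary placed between the buffer and the return slot
catches the damage at function exit, and a libsafe-style bound refuses the
copy before it happens. The frame layout is modelled as a struct so the
demo is deterministic and does not corrupt the real stack; the canary
value, the addresses and the payload are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SZ 16

/* Constructed values for the demo. A real StackGuard canary is random per
 * run (or a terminator canary that strcpy() cannot reproduce); a real
 * fake return address would point at existing code such as libc. */
#define CANARY_VALUE 0xa5a5c0deu
#define LEGIT_RET    0x08048000u
#define FAKE_RET     0xdeadbeefu

/* Stand-in for a stack frame: locals, then the canary, then the saved
 * return address, the order StackGuard uses. Kept in a struct so the
 * overflow stays inside this object instead of the real stack. */
struct frame {
    char     buf[BUF_SZ];
    uint32_t canary;
    uint32_t saved_ret;
};

static void frame_init(struct frame *f)
{
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY_VALUE;
    f->saved_ret = LEGIT_RET;
}

/* The epilogue check StackGuard inserts: 1 if intact, 0 if smashed. */
int canary_intact(const struct frame *f)
{
    return f->canary == CANARY_VALUE;
}

/* The bug class under discussion: a copy with no bound on n. */
void unchecked_copy(struct frame *f, const void *src, size_t n)
{
    memcpy(f->buf, src, n);
}

/* libsafe-style bound: refuse any copy that would leave the buffer.
 * Returns 0 on success, -1 if rejected (nothing is written). */
int bounded_copy(struct frame *f, const void *src, size_t n)
{
    if (n > sizeof f->buf)
        return -1;
    memcpy(f->buf, src, n);
    return 0;
}

/* Overflow payload with no executable code in it: BUF_SZ filler bytes,
 * 4 bytes across the canary slot, 4 bytes across the return slot. */
size_t build_payload(unsigned char *out, uint32_t fake_ret)
{
    uint32_t filler = 0x41414141u;
    memset(out, 'A', BUF_SZ);
    memcpy(out + BUF_SZ, &filler, sizeof filler);
    memcpy(out + BUF_SZ + 4, &fake_ret, sizeof fake_ret);
    return BUF_SZ + 8;
}

/* Saved return address after an unchecked copy: the hijack works with
 * nothing on the stack that needs to be executable. */
uint32_t hijacked_ret_after_unchecked(void)
{
    struct frame f;
    unsigned char payload[BUF_SZ + 8];
    size_t n = build_payload(payload, FAKE_RET);
    frame_init(&f);
    unchecked_copy(&f, payload, n);
    return f.saved_ret;
}

/* 1 if the canary check would abort before the hijacked return runs. */
int canary_detects_unchecked(void)
{
    struct frame f;
    unsigned char payload[BUF_SZ + 8];
    size_t n = build_payload(payload, FAKE_RET);
    frame_init(&f);
    unchecked_copy(&f, payload, n);
    return !canary_intact(&f);
}

/* 1 if the bounded copy rejects the payload and leaves the frame intact. */
int bounded_rejects_payload(void)
{
    struct frame f;
    unsigned char payload[BUF_SZ + 8];
    size_t n = build_payload(payload, FAKE_RET);
    frame_init(&f);
    return bounded_copy(&f, payload, n) == -1 && f.saved_ret == LEGIT_RET;
}

/* Well-formed input (constructed) passes both paths, canary untouched. */
int short_input_is_clean(void)
{
    struct frame f;
    const char in[] = "GET / HTTP/1.0";
    frame_init(&f);
    unchecked_copy(&f, in, sizeof in);
    return canary_intact(&f) && bounded_copy(&f, in, sizeof in) == 0;
}

int main(void)
{
    printf("unchecked: saved_ret=0x%08x canary_smashed=%d\n",
           (unsigned)hijacked_ret_after_unchecked(), canary_detects_unchecked());
    printf("bounded:   rejected=%d\n", bounded_rejects_payload());
    printf("clean input ok=%d\n", short_input_is_clean());
    return 0;
}
```

The takeaway is the one Chris makes: the non-exec stack only blocks the
case where the attacker needs the stack itself to run code, while the
canary and the bounds check address the overwrite itself, which is why
they complement rather than replace each other.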

* Re: Suggestions for linux security patches
  2001-12-19 20:48 Suggestions for linux security patches Jason Czerak
                   ` (2 preceding siblings ...)
  2001-12-19 23:50 ` Chris Wright
@ 2001-12-20  5:19 ` Kevin
  2001-12-21 11:07   ` Tracy R Reed
  3 siblings, 1 reply; 6+ messages in thread
From: Kevin @ 2001-12-20  5:19 UTC (permalink / raw)
  To: Jason Czerak; +Cc: linux-kernel

On 19 Dec 2001, Jason Czerak grunted something like:

[Jason-] I'm running linux 2.4.16, and I'm looking for the best possible kernel
[Jason-] patch to harden things up a bit. Primarily I wish to have what is in
[Jason-] openwall's and grsecurity's patches, i.e. the buffer overflow protection,
[Jason-] but I'm unable to use the openwall patch because it only supports 2.2.X
[Jason-] kernels ATM. I applied the grsecurity patch but for some reason when
[Jason-] running mozilla as non-root, the GUI for mozilla is all messed up (and I
[Jason-] enabled sysctl support so nothing was enabled by default except stuff
[Jason-] that isn't able to use sysctl).

Has anyone tried the NSA linux security setup?  I've looked it over but
haven't gone so far as to actually run it.

BTW, mozilla gets F-ed up for me sometimes when I foolishly run Netscape 6
and NS6 rewrites several of the config files.  Usually rm'ing ~/.mozilla
does it.  Could be very unrelated though.

-[ kevin@pheared.net                 devel.pheared.net ]-
-[ Rather be forgotten, than remembered for giving in. ]-
-[ ZZ = g ^ (xb * xa) mod p      g = h^{(p-1)/q} mod p ]-



* Re: Suggestions for linux security patches
  2001-12-20  5:19 ` Kevin
@ 2001-12-21 11:07   ` Tracy R Reed
  0 siblings, 0 replies; 6+ messages in thread
From: Tracy R Reed @ 2001-12-21 11:07 UTC (permalink / raw)
  To: Kevin; +Cc: Jason Czerak, linux-kernel


On Thu, Dec 20, 2001 at 12:19:41AM -0500, Kevin wrote:
> Has anyone tried the NSA linux security setup?  I've looked it over but
> haven't gone so far as to actually run it.

I have and it is very impressive. It looks much more manageable and more
flexible than LIDS. I have played with LIDS quite extensively but having
used both now I really prefer the concept of processes running in
different domains over just assigning capabilities. I'm still learning how
to configure SE Linux though. They are both rather daunting.

-- 
Tracy Reed      http://www.ultraviolet.org
If Microsoft built cars instead of software, the airbag system would say
"Are you sure?" before going off.

