* Re: Suggestions for linux security patches
2001-12-19 20:48 Suggestions for linux security patches Jason Czerak
@ 2001-12-19 21:28 ` Tomas Konir
2001-12-19 21:44 ` Jason Czerak
` (2 subsequent siblings)
3 siblings, 0 replies; 6+ messages in thread
From: Tomas Konir @ 2001-12-19 21:28 UTC (permalink / raw)
To: Jason Czerak; +Cc: linux-kernel
On 19 Dec 2001, Jason Czerak wrote:
> I'm running linux 2.4.16, and I"m looking to the best possibly kernel
> patch to harden things up a bit. Primarly I wish to have what is in
> openwall's and grsecurity's patches is the buffer oveflow protection,
> but I'm unable to use the openwall patch because it only support 2.2.X
> kernels ATM. I applied the grsecurity patch but for some reason when
> running mozilla as non-root, the GUI for mozilla is all messed up (and I
> enabled sysctl support so nothing was enabled by default except stuff
> that isn't able to use sysctl).
>
> So to advoid applying 20 or so differnet patches, and evaluate each of
> them (taking up what little time I have in a day...), I wish to get the
> lists opinions on the matter.
>
> Local security/control isn't much of an issue and most likly won't be
> for a while. Remote security and protection from server deamons that
> have buffer problems are high priority to get the best protection for.
>
>
Try http://www.grsecurity.net
MOJE
--
Tomas Konir
Brno
ICQ 25849167
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: Suggestions for linux security patches
2001-12-19 20:48 Suggestions for linux security patches Jason Czerak
2001-12-19 21:28 ` Tomas Konir
@ 2001-12-19 21:44 ` Jason Czerak
2001-12-19 23:50 ` Chris Wright
2001-12-20 5:19 ` Kevin
3 siblings, 0 replies; 6+ messages in thread
From: Jason Czerak @ 2001-12-19 21:44 UTC (permalink / raw)
To: linux-kernel
On Wed, 2001-12-19 at 15:48, Jason Czerak wrote:
> I'm running linux 2.4.16, and I"m looking to the best possibly kernel
> patch to harden things up a bit. Primarly I wish to have what is in
> openwall's and grsecurity's patches is the buffer oveflow protection,
> but I'm unable to use the openwall patch because it only support 2.2.X
> kernels ATM. I applied the grsecurity patch but for some reason when
> running mozilla as non-root, the GUI for mozilla is all messed up (and
I
> enabled sysctl support so nothing was enabled by default except stuff
> that isn't able to use sysctl).
>
> So to advoid applying 20 or so differnet patches, and evaluate each of
> them (taking up what little time I have in a day...), I wish to get
the
> lists opinions on the matter.
>
Ok, so 20 or so was a little off base. :) it's more like 3 packages that
are for my type of system and that appear to be activtly developed
1: SeLinux
2. Grsecurity
3. Lids
Lids, and grsecurity appear to be highly configureable and grsecurity
isn't playing nice with some applictions on my system. I'll be testing
out SeLinux and Lids tomarrow, but as one list memeber emailed me
ealier, LIDS has over 500 differnent options, That right there maybe a
turn off for sake of sanity right now. :)
--
Jason Czerak
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Suggestions for linux security patches
2001-12-19 20:48 Suggestions for linux security patches Jason Czerak
2001-12-19 21:28 ` Tomas Konir
2001-12-19 21:44 ` Jason Czerak
@ 2001-12-19 23:50 ` Chris Wright
2001-12-20 5:19 ` Kevin
3 siblings, 0 replies; 6+ messages in thread
From: Chris Wright @ 2001-12-19 23:50 UTC (permalink / raw)
To: Jason Czerak; +Cc: linux-kernel
* Jason Czerak (Jason-Czerak@Jasnik.net) wrote:
> So to advoid applying 20 or so differnet patches, and evaluate each of
> them (taking up what little time I have in a day...), I wish to get the
> lists opinions on the matter.
have you looked at linux security modules? the patches are at
http://lsm.immunix.org. it pushes security policy into modules so you can
try different modules to see which policy you prefer.
> Local security/control isn't much of an issue and most likly won't be
> for a while. Remote security and protection from server deamons that
> have buffer problems are high priority to get the best protection for.
note, non-executable stack does not prevent buffer overflow attacks.
the exploit just needs to change. check out tools like libsafe and
StackGuard as well for buffer overflow protection.
thanks,
-chris
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Suggestions for linux security patches
2001-12-19 20:48 Suggestions for linux security patches Jason Czerak
` (2 preceding siblings ...)
2001-12-19 23:50 ` Chris Wright
@ 2001-12-20 5:19 ` Kevin
2001-12-21 11:07 ` Tracy R Reed
3 siblings, 1 reply; 6+ messages in thread
From: Kevin @ 2001-12-20 5:19 UTC (permalink / raw)
To: Jason Czerak; +Cc: linux-kernel
On 19 Dec 2001, Jason Czerak grunted something like:
[Jason-] I'm running linux 2.4.16, and I"m looking to the best possibly kernel
[Jason-] patch to harden things up a bit. Primarly I wish to have what is in
[Jason-] openwall's and grsecurity's patches is the buffer oveflow protection,
[Jason-] but I'm unable to use the openwall patch because it only support 2.2.X
[Jason-] kernels ATM. I applied the grsecurity patch but for some reason when
[Jason-] running mozilla as non-root, the GUI for mozilla is all messed up (and I
[Jason-] enabled sysctl support so nothing was enabled by default except stuff
[Jason-] that isn't able to use sysctl).
Has anyone tried the NSA linux security setup? I've looked it over but
haven't gone so far as to actually run it.
BTW, mozilla gets F-ed up for me sometimes when I foolishly run Netscape 6
and NS6 rewrites several of the config files. Usually rm'ing ~/.mozilla
does it. Could be very unrelated though.
-[ kevin@pheared.net devel.pheared.net ]-
-[ Rather be forgotten, than remembered for giving in. ]-
-[ ZZ = g ^ (xb * xa) mod p g = h^{(p-1)/q} mod p ]-
^ permalink raw reply [flat|nested] 6+ messages in thread