* Help with Hardening Linux
From: Barbara Picci @ 2008-06-30 10:04 UTC
To: linux-kernel
Hi all,
I'm a server administrator (Dell PowerEdge). I usually use Debian.
Before now I used lcap to disable some capabilities (with success
with kernel 2.4).
Now I'm configuring some machines with Debian etch and kernel 2.6.25.
I enabled, with make menuconfig, "Enable different security models" >>
"Default Linux Capabilities" and my .config is:
#
# Security options
#
CONFIG_KEYS=y
# CONFIG_KEYS_DEBUG_PROC_KEYS is not set
CONFIG_SECURITY=y
# CONFIG_SECURITY_NETWORK is not set
CONFIG_SECURITY_CAPABILITIES=y
# CONFIG_SECURITY_FILE_CAPABILITIES is not set
# CONFIG_SECURITY_ROOTPLUG is not set
CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR=0
I tried to install lcap_0.0.6-3.1_i386.deb from packages.debian.org
but, if I launch lcap, instead of the list of capabilities, I get:
/proc/sys/kernel/cap-bound: No such file or directory
I googled on forums, sites, etc. but I can't find a solution.
Thanks in advance
Barbara Picci
--
* Re: Help with Hardening Linux
From: Andi Kleen @ 2008-06-30 13:21 UTC
To: Barbara Picci; +Cc: linux-kernel
Barbara Picci <barbara.picci@sardi.it> writes:
> # CONFIG_KEYS_DEBUG_PROC_KEYS is not set
> CONFIG_SECURITY=y
> # CONFIG_SECURITY_NETWORK is not set
> CONFIG_SECURITY_CAPABILITIES=y
> # CONFIG_SECURITY_FILE_CAPABILITIES is not set
> # CONFIG_SECURITY_ROOTPLUG is not set
> CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR=0
>
> I tried to install lcap_0.0.6-3.1_i386.deb from packages.debian.org but,
> if I launch lcap, instead of the list of capabilities, I get:
The capabilities interface changed to require a later input data type
for more capabilities.
You probably need at least to recompile that program with up-to-date
kernel headers.
Yes, it bit lots of other people too. There's no good workaround.
-Andi
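
Added example, not code from either poster or from lcap: a small C program that reads capability state through the interfaces a 2.6.25-or-later kernel provides. It assumes the change mentioned in the reply is the 64-bit capability ABI (two 32-bit words per set) and reads the bounding set per process with prctl(PR_CAPBSET_READ), since /proc/sys/kernel/cap-bound no longer exists; the function names are made up for this illustration.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* capget() with an unknown version makes the kernel write back the one it prefers. */
unsigned int cap_abi_version(void)
{
    struct __user_cap_header_struct hdr = { .version = 0, .pid = 0 };
    syscall(SYS_capget, &hdr, NULL);   /* NULL data pointer: probe only */
    return hdr.version;
}

/* Join the two 32-bit words that the 64-bit ABI uses for each set. */
uint64_t cap_join(uint32_t lo, uint32_t hi)
{
    return ((uint64_t)hi << 32) | lo;
}

/* Effective set of the caller; the buffer holds two structs, the old ABI used one. */
int cap_effective(uint64_t *out)
{
    struct __user_cap_header_struct hdr = { .version = cap_abi_version(), .pid = 0 };
    struct __user_cap_data_struct data[2] = { { 0 }, { 0 } };
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    *out = cap_join(data[0].effective, data[1].effective);
    return 0;
}

/* Bounding set of the calling process, queried one capability number at a time. */
uint64_t cap_bounding(void)
{
    uint64_t mask = 0;
    for (int cap = 0; cap < 64; cap++)
        if (prctl(PR_CAPBSET_READ, cap, 0, 0, 0) == 1)
            mask |= 1ULL << cap;
    return mask;
}

int main(void)
{
    uint64_t eff = 0;
    cap_effective(&eff);
    printf("abi 0x%08x effective 0x%016llx bounding 0x%016llx\n", cap_abi_version(),
           (unsigned long long)eff, (unsigned long long)cap_bounding());
}
```
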