Message-ID: <1079384911.2551.115.camel@coruscant.weisserth.net>
From: tobias at weisserth.de (Tobias Weisserth)
Subject: Re: a secure base system

Hi Martin,

On Mon, 15.03.2004 at 21:15, martin f krafft wrote:
> thus spoke harry <Rik.Bobbaers@...kuleuven.ac.be> [2004.03.15.1237 +0100]:
> > - /var and /tmp mounted nosuid and noexec
> 
> as others have probably written, this won't do much. first, noexec
> can be easily overridden:
> 
>   /lib/ld-linux.so.2 /tmp/trojan

True. But I guess a great many ready-to-run exploits need some fine
tuning before they can be run this way since they were written to run
directly from /tmp.

And it might be appropriate to assume that this will someday be fixed,
so mounting partitions with noexec isn't a bad idea. Maybe the 2.6
series will put an end to this. I don't know though.

> and second, nosuid on /var will make a couple of programs in Debian
> fail. i don't remember which.

There used to be a problem with apt as far as I remember. But it might
already be fixed.

> > - grsec kernel
> 
> why not use SELinux?

[kidding]Maybe he doesn't trust NSA? :-)[/kidding]

But I agree. SELinux looks promising.

...

> thus spoke Tobias Weisserth <tobias@...sserth.de> [2004.03.15.1933 +0100]:
> > If you want an up to date and modern productivity distribution with a
> > good security policy you mustn't use Debian but an alternative like
> > Fedora or SuSE or maybe Mandrake.
> 
> You may just as well use Debian and stay up to date with the
> security problems.

Which means that he has to do a little bit more work because he can't
*rely* on the distributor to supply patches in time. It's a trade-off.
He'll have to stay informed himself if the Debian Security Team doesn't
warn in time about critical packages in unstable or testing. Maybe it
doesn't have to be this way and there are regular updates for unstable. But the
Debian site itself advises against the use of unstable regarding the
security issues.

> > I know this will raise flames en masse from Debian fans. But it's
> > a sour truth that Debian woody is hopelessly outdated and as long
> > as the Debian security team doesn't support the other releases
> > it's no option at all to use these other releases in productive
> > environments.
> 
> Productive environments are one of two kinds: servers and
> workstations.

He didn't say. But I guess he's talking about many identical
workstation installations.

> What's missing from Woody for a server?

Nothing :-) I'm running two :-) But I don't expect state of the art
desktop computing on a server. Debian woody doesn't offer this. And
after all, I'm just following the advice on the Debian site ;-) see
http://www.debian.org/releases ;-) The right tool for the right job...

> And concerning workstations: your security better shield a security
> problem on a workstation.

Non comprende? ;-)

> > /tmp should always be mounted noexec. Add /home as well with noexec. Why
> > should users be able to install or run programs from within their home
> > directories anyway? Administered systems supply everything users need,
> > so there's no need to give them this freedom. This may be a trade-off,
> > but the result is more security.
> 
> whatever. read above.

[grumpy]Well, at least it raises the bar a bit...[/grumpy]

> > You have missed the most important thing: file integrity checking. Take
> > a look at Tripwire or AIDE.
> 
> good point!

Though a lot of work if we're talking about workstations here...
Checking on Tripwire changes regularly on a couple of hundred
individual machines might be tricky... But if we're talking about a base
installation, thus an image that is to be written over a compromised
installation, it might be helpful to check on this machine and see if
the attacker tries the same approach again. The Tripwire database and
the differences might then give away the angle of attack and allow for
counteraction, adapting the image and resulting in a new image which
resists _this_ approach.

regards,
Tobias W.

-- 
***************************************************
   ____  _____
  |  _ \| ____| Tobias Weisserth
  | | | |  _|   tobias@...sserth.[de|com|net|org]
 _| |_| | |___  http://www.weisserth.org
(_)____/|_____|
                
Encrypted mail is welcome.
Key and fingerprint: http://imprint.weisserth.org

***************************************************
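A minimal baseline-and-compare checker in the spirit of the Tripwire/AIDE approach discussed in the message above (an added example, not code from the thread or from either tool; the sample tree and the tampering it detects are constructed):

```python
import hashlib
import os
import stat
import tempfile

def fingerprint(path):
    """Attributes an integrity checker records for one filesystem entry."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISREG(st.st_mode):  # directory sizes vary by filesystem, so size/hash regular files only
        rec["size"] = st.st_size
        with open(path, "rb") as f:
            rec["sha256"] = hashlib.sha256(f.read()).hexdigest()
    elif stat.S_ISLNK(st.st_mode):  # a binary swapped for a symlink must show up too
        rec["target"] = os.readlink(path)
    return rec

def build_baseline(root):
    """Walk root and fingerprint every entry, keyed by path relative to root."""
    base = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            base[os.path.relpath(full, root)] = fingerprint(full)
    return base

def compare(baseline, current):
    """Report entries added, removed, or changed (and which attributes changed)."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)), "changed": {}}
    for path in set(baseline) & set(current):
        diffs = sorted(k for k in set(baseline[path]) | set(current[path])
                       if baseline[path].get(k) != current[path].get(k))
        if diffs:
            report["changed"][path] = diffs
    return report

def demo():
    """Constructed sample tree: baseline it, tamper with it, diff it."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data, mode=0o644):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            os.chmod(full, mode)
        put("bin/ls", b"original ls binary")
        put("etc/passwd", b"root:x:0:0::/root:/bin/sh\n")
        baseline = build_baseline(root)
        put("bin/ls", b"trojaned ls binary")  # same size, different content: only the hash catches it
        put("etc/passwd", b"root:x:0:0::/root:/bin/sh\n", 0o666)  # content intact, permissions loosened
        put("etc/backdoor.conf", b"x")  # file that was not in the image
        return compare(baseline, build_baseline(root))
```

The report from demo() is the kind of "difference" the message refers to: what changed, where, and in which attribute, which is what you would compare across machines when deciding how to adapt the image.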
