Additional Security in the Linux Kernel?

nyx asks: "Recently, I was looking for some way to improve security on my linux boxes. I found few linux patches like grsecurity, LIDS (now also as Linux Security Module), Medusa DS9. I'm testing grsecurity (and it's ACLs) now and I'm quite satisfied with it, but I wonder, what are pros and cons of other solutions. Anybody tried them and can share his experience with us?"

Additional Security

[SpanishInquisition]

Lock the door when you leave the computer room.

Re:Additional Security

[dirvish]

Remove the boot floppy from the disk drive.

Re:Additional Security

[peterpi]

Funny, but also very very true.

Re:Additional Security

[ph1nn]

Man some of you people are so uptight... What he said really wasnt all that bad.

Taking it seriously I cant tell you how many people left doors open and themselves rooted on important machines at my previous work. Ive taken advantage of that more than once.

Re:Additional Security

[Iguanaphobic]

Remove the boot floppy from the disk drive.

Remove the floppy drive.

Re:Additional Security

controller from the motherboard.

Re:Additional Security

remove the idiot from /etc/passwd

Re:Additional Security

remove linux from the hard disk.

install openbsd.

Linux is for bitches.

Re:Additional Security

[_Sprocket_]

One of my favorite dysfunctional security guidelines documents involved "hide the keyboard". Apparently the concept was that a keyboard visible from a room's entrance would act as a magnet and draw in wiley hackers. Hiding the keyboard was the first step to twarting such riff-raff.

Re:Additional Security

[lecter,hannibal_md]

eh... are you just trying to piss people off? on a side note... the nsa is actually developing a distribution of linux, called security enhanced linux... http://www.nsa.gov/selinux/

Re:Additional Security

[zCyl]

Lock the door when you leave the computer room.

And don't leave the thing logged in as root!! If they're going to make a physical compromise, at least make them work for it to increase the chance they get caught.

Re:Additional Security

Well they did such a wondrous job for NT4 SP6 I don't see who WOULDN'T want to use it!

Re:Additional Security

[Asprin]

Lock the door when you leave the computer room.

This got modded up as funny, but those of you out there who are new to network security and administration need to take note - this one is pretty fundamental.

No matter what patches you install, services you disable, firewalls you configure, or holes you plug; if I can get unrestriced (private) console access for < 1 hour, U R probly 0wn3d. I might not even need to r00t your box right away - I'll just image the hard drive to a spare I keep in my backpack and walk out with your data -- I'll have all the time I need to dig out the interesting bits later.

Encrypted filesystems *should* invalidate this approach, but we'll see.

Re:Additional Security

Precisely. I was working at AT&T and found a RH62 box in the cubicle I was moving into. Oh, it's logged in.

whoami
root

Really? just a quick edit of /etc/passwd, create a new account called "roto", uid 0, no password. Take down the IP. The guy who's box it is comes by later in the day and picks it up to clean out my cube. Voila instant network *weapon*. Left the assignment before I could ever work up anything halfway interesting. Oh well. ;)

Re:Additional Security

[suedehed]

1 hour? how about reboot, at lilo type linux single, hit enter, and you're in the system as root.

physical security is where most of my sys admins have made their mistakes. As a tech director, I like to see if they fail on security like this, and I will change the root password on them, to freak them out/prove a point. Nasty? maybe, but they learn FAST.

Re:Additional Security

[CoolVibe]

And disconnect it from the network. Oh better yet, leave it turned off...

Re:Additional Security

[Scaba]

Yea, but this only works for Hackers who are less than 4th level. 4th level and beyond Hackers can automatically Detect Keyboards within a 30' radius, so if they are wandering through your dungeon, hiding the keyboard won't do any good. Your best bet is to put iocaine powder on the keys and leave the keyboard plainly visible with a sign above that says "This workstation is unattended between the hours of 5 PM and 5 AM" and hope this hacker hasn't spent the last few years building up an immunity to iocaine powder.

Re:Additional Security

Please moderate the parent down... this does not deserve a rating of 2.

Re:Additional Security

Oh shush... you're just jealous of his Excellent karma. Oh and it _is_ on topic.

Re:Additional Security

[martinflack]

Actually on a serious note, it's a good idea to put this in ~/.bashrc, especially /root/.bashrc:

TMOUT=1800

It makes bash logout after half an hour (1800 secs) idle at the prompt. This is good if you _forget_ to lock the door when you leave the computer room. I usually have several remote terminals open on my desktop. If I step away for a few minutes to attend to something else, they start closing automatically.

Re:Additional Security

[nvainio]

It's not a distribution. Just kernel plus some utilities.

Re:Additional Security

What is a distribution then???

Re:Additional Security

[Yottabyte84]

1 hour? how about reboot, at lilo type linux single, hit enter, and you're in the system as root.

The lilo prompt should be password protected, and the bios password protected, and the case locked, and removable media booting disabled....

Re:Additional Security

[Yottabyte84]

I get "bash: TMOUT: readonly variable" when I try that....

Re:Additional Security

[martinflack]

See if you can get some ideas by looking at section 3.7.1 in this doc:

http://www.signaltonoise.net/library/Adv-Bash-Sc r- HOWTO/variables2.html

I think you have a statement in your setup that you might need to alter.

GRSecurity

[ClickWir]

I've been useing the grsecurity patch on the medium level. Seems to help out a bit, haven't had any problems. Performance does not seem to be affected.

Re:grsecurity

[drightler]

Thats not true (about the JVM), you have to use the chpax utility to modify the properties of the ELF executable and the JVM works again.

That's how I fixed it on my Grsecurity system.

Re:grsecurity

[bozoman42]

I turned all the protections off with chpax and it still failed to run. Probably running into the the address space layout randomization.

Re:grsecurity

[fawadhalim]

Other apps that need to be chpax -p 'ed:

soffice.bin,spadmin.bin in openoffice
all sun jdk binaries (java, javac etc.) (1.4.0 is working perfectly for me on grsec 1.9.5)

I figure that most apps that fail mysteriously with a 'Killed' message usually need to be chpaxed.

Re:grsecurity

what version of kernel/grsecurity/java was this exactly? also when java 'failed', what happened more precisely? did the kernel log a message from PaX (grep PAX /var/log/messages or similar)? if you intend to help out on this, feel free to email pageexec (at) freemail.hu. thanks.

security

If you need absolutely secure linux, use OpenBSD or Trusted BSD with the linux-compatability library.

Re:security

[paladin_tom]

Or, since he probably wants to keep his Linux system, he can slap OpenBSD on an old 486 and use that as a firewall. That's the direction I'd be looking in.

Re:security

[RinkSpringer]

From http://www.trustedbsd.org:

The TrustedBSD project provides a set of trusted operating system extensions to the FreeBSD operating system

In other words, it's not an OS, it's a set of patches and extensions... please, check your facts before you post something.

zerg

[Lord+Omlette]

Let's hear it for NSA Security Enhanced Linux! Whoo!

If the NSA security enhanced your machine, would you even know about it? Suspect it?

Re:zerg

[delysid-x]

I'd never trust any distro put out by the NSA, that probabpy put a bunch of backdoors in in the interests of "national security"

Re:zerg

[polin8]

Ari Fliescher: We can neither confirm nor deny the existance of the NSA, or NSA secure linux. In fact, we can't even confirm the existance of linux.

I suggest vserver

[WetCat]

http://www.solucorp.qc.ca
You can create virtual servers on your machine, tailored for specific tasks.
For example, you can create virtual server where you'll work on your project, virtual server which will run apache, virtual server in which you'll browse web and read mail.
You then can put them on different IP addresses (or no addresses at all) and make them indepedent, changing information only by means YOU approve (shared directory, TCP sockets under firewall, etc).
It's a kernel patch and some user-mode programs.
Virtual servers can share binaries for saving disk space.

Re:I suggest vserver

How secure is vserver? I mean, someone could still hack the virtual server and then gain full access to the network. I think that's the real problem.

I've thought about using VMware for the same thing. Same problem though, they can break one of the virtual machines then have full network access.

Re:I suggest vserver

[WetCat]

Vserver use special system call to isolate all its structures from other servers. All vservers' structures have security context which limits its rights. Vserver uses also linux capability system to further restrict operations.
Yes, it's possible that somebody hack into vserver but unless he will not done anything that
stop main kernel (like FOOF bug), he cannot get anywhere else
Firewall on child vserver is created by main vserver which is not under control from child vserver... So if hacker hack vserver - he'll get only that vserver and only that rights (including network access) that have been given to that vserver.

Moreover, main vserver can spy on child vserver
if enabled to do so.

Re:I suggest vserver

How does the firewall work?

If it is IP based (like many) then it won't work because the broken vserver could speak directly to the network (RAW packets, change the IP address, etc.)

Re:I suggest vserver

Also check out User Mode Linux. Its an open source project which does similar things. Rather than creating a whole new virtual machine, this allows you to run a linux kernel as a user space process, giving a whole virtual linux system inside it. And it does have a "jail" mode for increased security (separation between virtual server and host).

Re:I suggest vserver

[WetCat]

For RAW you need NET_CAP_RAW, this can be blocked by main server, not by you, by not giving you that CAP...
You cannot change your address to anything but
the list of allowed for your vserver...

Re:I suggest vserver

[bozoman42]

One of the big drawbacks I've found is that vserver is rather Red Hat specific. And since I run Debian...

Re:I suggest vserver

Cool. Sounds good, I'll give it a try.

Re:I suggest vserver

Yep. Me too. After reading more about vserver I've found that it is way too RedHat specific to even be considered.

Shame really, it seems like a good project but (much like many MS projects) they didn't account for being able to work with other distributions.

Re:I suggest vserver

[ZaneMcAuley]

Run your firewall in shutdown mode, no process space, no nothing, just a firewall.

When is the BIOS firewall comming out?

Re:I suggest vserver

[neroz]

What is the overhead of vserver, compared to say UML?

Re:I suggest vserver

[WetCat]

Almost no overhead. It runs the same processes, having added and checked only one structure.
Programs in vserver runs the same speed as in main server.
In UML it's huge overhead of call translation.

Re:I suggest vserver

[jelle]

Actually, I run Debian (woody) and I've been running a pristine RedHat7.2 install in a vserver on it for a couple of weeks now. I'm running two distributions in parallel. No more upgrading of distributions, just install new ones additionally. I can always still use the old version (as long as they all accept a common 2.4 kernel)

howto? Simple, install redhat7.2 on an empty disk, and copy all the files including permissions to /vservers/01 (or mount the disk there).

The vserver sources are easy to deb-make (man deb-make) (tip: "RPM_BUILD_ROOT=$(DESTDIR)" in the Makefile).

"vserver 01 start" to boot rh72, and "vserver 01 enter" to enter it as root. edit the ListenAddress in /etc/ssh/sshd_config of your debian to only bind to one IP instead of 0.0.0.0, and then you can start an ssh in the rh72 vserver and there you are, as if you had an extra computer running rh72.

(did I mention the whole thing is diskless remote boot too?)

Re:I suggest vserver

[c-dub]

I agree, vserver is an interesting project. I have looked at porting vserver to the LSM interface, and other than lack of time, much of the porting would be trivial. If anyone is interested in tackling such a port, check out http://lsm.immunix.org for LSM project and mailing list info and chime in ;-)

thanks,
-chris

nsa linux (selinux)

http://www.nsa.gov/selinux/

adds some intresting security features, but doesnt support x so i didnt install it on my workcomputer.

Also adds the question do we trust the NSA even if the source is avalible

Re:nsa linux (selinux)

[Wudbaer]

Also adds the question do we trust the NSA even if the source is avalible

By this you render the famed "Thousand eyes see more than two eyes" key argument for open source invalid, you know...

Re:nsa linux (selinux)

[Abreu]

Any Open source proyect with more than n lines of code is for almost all practical purposes equally suceptible to backdoors if you dont trust the provider.

Where n is a number that varies depending on the computer language used, the coding styles enforced, the number of people reading the code, etc, etc, etc...

Re:nsa linux (selinux)

[delysid-x]

"Also adds the question do we trust the NSA even if the source is avalible"

And who says the binaries installed are compiled from the exact source code supplied?

Step 1

Buy a Mac. ;-)

Current Project with PF_KEY

[mrphish697]

I'm currently using OpenBSD in a work-related project. It's quite good, if not well documented.

Re:Current Project with PF_KEY

>>I'm currently using OpenBSD in a work-related project. It's quite good, if not well documented.

Not well documented?
I guess you havn't read the faq then?
http://www.openbsd.org/faq/index.html

or even the man pages
http://www.openbsd.org/cgi-bin/man.cgi
which btw are some of the best written and concise man pages around.

Re:Current Project with PF_KEY

[CoolVibe]

Also, if you're condemned to Solaris, like me, then Pappillon is another option.

Bastille

[pauly_thumbs]

I seem to remember kernel patches happening in Bastille Linux... but then again in these autumnal years .... i remember things that never happened more and more....

LSM has been included in 2.5.27

[daserver]

The Linux Security Model has been included in the upcomming 2.6

Re:LSM has been included in 2.5.27

[RTFA+Man]

Try the Openwall kernel patches too. They make the stack non-executable, preventing a whole class of buffer overrun attacks. The general page has more info, too.

Re:LSM has been included in 2.5.27

[c-dub]

LSM in full is not in 2.5.27. The LSM patch has begun being merged into mainline 2.5, however the merge will take some time. At this point much of the core functionality has not been merged.

thanks,
-chris

Reason

I was thinking about Microsoft's current activities with .net set tops, xboxes, palladium and so forth and it occured to me.

Microsoft sees a transition from stand alone pcs to portable and set top computers designed as multifunction multimedia/communication stations. Its plan is to be the only option as far as MPAA RIAA is concerned, the only software / hardware with full DRM security. I saw Linux should embrace DRM because if they don't even computer geeks like me won't buy machines running linux that won't play broadcasted digital content(cable, internet, etc) because it won't authorize.

Sorry, random thoughts.

I could, but I can't...

Anybody tried them and can share his experience with us?

I have a lot to contribute to this, but since I'm a hot chick, I guess nobody's interested! :)

Re:I could, but I can't...

[stoolpigeon]

Dude,

We know you are a 45 year old man who sits in his cube and giggles quietly every time he wonders what others would think if they new he ordered his under-wear from Fredericks.

Don't try to pull the wool over our eyes.

.

Re:I could, but I can't...

Yep, that about sums it up.

Small thing...

[Jetifi]

Linux Security module is what adds hooks into the kernel for security. LIDS uses the LSM hooks, and so does SELinux, and (I think?) others. But LIDS != LSM.

Re:Small thing...

[kylus]

Yeah there are other components that use the LSM hooks aside from SELinux and LIDS. There's Domain Type Enforcement (I believe).

Back to the original question I've used LIDS, SELinux, and GRSecurity and I've found them all to have their strengths and their weaknesses. The common problem with all of them is there is usually something you forget to configure properly the first time which can really be a pain to fix. SELinux and GRSecurity both solved this by adding a toggle mode and a /proc entry respectively to change the enforcement of their code.

With SELinux, the major advantage is that you gain a VERY flexible architecture you can use to create nearly any type of Mandatory Access policy you need. The specifications of the system make it able to use policies based on Type Enforcement (putting the bitchy SCC patent issues aside for the moment...), Role-Based Access Control, or Multi-Level Security and likely a host of other things. The drawback is that creating a policy that covers the whole system is not a trivial thing...look at the example security policy included with the distribution (http://www.nsa.gov/selinux) and you'll see what I mean.

GRSecurity is not exactly related to SELinux; they do different things. I like GRSecurity because most of its options do not require a lot of extra configuration, they don't break any existing applications (those that do are clearly marked), and they add a lot of small protections without a great deal of overhead to the vanilla kernel. Plus their ACL system is quite well-developed and extremely secure.

Ultimately I think it comes down to figuring out what you need for your box and then going with the option that will provide it to you with the least amount of interference (unless you like fixing things, of course ;) ).

St. Jude Kernel IDS

[ActMatrix]

You might want to check out Saint Jude - a kernel intrusion detection and response system which detects and blocks 'anomalous' behavior (such as root exploits). The developer first presented it at Defcon 8 and it looked pretty cool. It's been in development for over a year - see its SourceForge page for more.

Stack Guard

[dusanv]

While we are at the topic of security I was wondering whether there are any similar products to StackGuard (www.immunix.org) available for a newer gcc? StackGuard is commercial and only works with older gcc's. If there were such a thing one could probably do a whole system recompile with it (a la Gentoo). That would beef up the security considerably. The Immunix FormatGuard also looks interesting.

D.

Re:Stack Guard

[Lord+Omlette]

Locate the routines in the C library that do not force you to explicitly specify the size of the buffer that you are copying (or autoallocate the buffer for you) and remove them. Dump any apps that don't recompile.

VC++ 7 comes with /Gs switch which kinda sorta does stack smash checking but it comes with caveats.

Re:Stack Guard

[mccrew]

> I was wondering whether there are any similar products to StackGuard

Um, how about libsafe?

-Steve

Re:Stack Guard

[dusanv]

Cool. It seems to do the right things. I'll try it. Thanks.

Re:Stack Guard

[Riddles]

A really great tool was developed by IBM, the stack-smashing protector. It is a lot like StackGuard, but adds a little more security. It supports gcc 2.95.2, 2.95.3, 3.0 and 3.0.4.

http://www.trl.ibm.com/projects/security/ssp/

Re:Stack Guard

[c-dub]

Current StackGuard 3.0 development is based on gcc 3.x, with a backport to the 2.96 gcc shipped with RH 7.3 for validation. The development is complete to lab/alpha release. As the kinks are worked out, we will attempt to merge StackGuard into gcc mainline.

Also, StackGuard is not commercial. It is fully GPL and available as a patch as well as an rpm from ftp://ftp.ibiblio.org/pub/linux/distributions/immu nix/7.0/i386/extras/

For more information, see http://immunix.org/stackguard.html

thanks,
-chris

Neat Security Trick

[CONTROL_ALT_F4]

I had a friend who ran all of his INET services through a VMWARE instance on his Linux box. He would get hit by a script kiddie, and then use the ROLLBACK feature to undo the damage. He would patch the hole on the virtual machine and start up the site as if nothing happened.

Re:Neat Security Trick

[dohcvtec]

How often would this happen? It's sort of a novel idea, say if you're just learning about the fundamentals of security and networking, but if you're frequently getting cracked by kiddies, maybe you should take a deeper look at what you're doing right and wrong.

Re:Neat Security Trick

In my opinion, while VMware is pretty good at isolation of real and virtual machine and have good features like "rollback", its performance is the most important reason to prevent it from being used as a real server or a security solution, especially for busy http and ftp sites.

On the other hand, "rollback" can't really prevent attacks. As far as security concerns, the only value of VMware I can see here is to make the recovery a bit easier :).

Re:Neat Security Trick

But... don't the VMware network services (kernal modules) run as root?

So, at least in theory, someone could break one of the virtual machines, then somehow gain access to one of the kernel modules... then... well, your whole host machine is compromised at that point.

Re:Neat Security Trick

sounds like a great way to learn about basic security, at least if you have enough time to analyze each breakin to learn what happened and how to fix it. if i ever get the time and equipment (and money!) to run my own honeypot/honeynet, i'll have to remember this trick - thanks!

Re:Neat Security Trick

[CONTROL_ALT_F4]

He was broken into twice, I remember one breakin used a bug in an older version WU-FTPD. He needed ftp services on the machine, so he ended up switching software to keep the kids out.

I have to admit that the security trick worked, and VMWare performed well for what he needed the box to do.

Re:Neat Security Trick

"yay, watch me get rooted..yay, watch me reboot.."
Pretty sad administration...

Re:Neat Security Trick

[kin13]

I agree, whats the difference between that, and just backing up your data, and if you use some thing like mondo ( Mondo ) you can restore data over NFS, and on a gigabit connection, is there really that big a difference from roll back ? other than a little time, but overall, i think that using VMware for security is backwards... wait until you get hacked to figure it out ? hmmm...

Re:It's a bit of a challenge, and one to be avoide

[Ark42]

"kernel were written in x86" ??

is x86 a language? You mean if the kernel were pure Assembly it would not have the problems it does because its written in C?

You know C was designed more or less as a "portable assembly language" for the PDPs. That is WHY it has the buffer-overflow type problems it does.

kernel problems?

Critical systems shouldnt be on the net! If there is something that you need to insure remains safe dont put it on a machine with an internet connection. The linux Kernel is as secure as it gets most of the patches you list are useful mostly against local exploits not remote. Linux has relatively few remote problems most bugs relate to local explots. Lock your door! Run a firewall (linux makes this sooo easy!) and encrypt, encrypt, encrypt! Anything under 512 bits isnt secure and I use 1024 just to be safe. Make sure you manage file permissions properly and change your password from time to time. Thats all I can say.

SElinux and MAC vs DAC,

[Nex6]

There is also SElinux,

Mandatory Access Control, is also a better security Model than
Discretionary Access Control, of witch is the current model of most network OS's "out of the Box"

With MAC you have policey's the control access to services,files anything and if "something' trys to access a services it must be part of the policey that tells it what it is aloud to do, if it trys something out side the policey it fails:

kind of like a firewall's deny by policey,

here is a link to some more info about it:
http://www.nsa.gov/selinux/docs.html

Nex6

Re:Bastille - No Kernel Patches

[RadioheadKid]

Bastille Linux is user space hardening (e.g. changing file permissions, disabling telnet and other vulnerable services, setting up IPTables and various other security features), no kernel patches as far as I remember.

Stop writing code!

[captain_craptacular]

It's obvious that the only answer to this question is for all kernel developers to stop all productive activities for one month in order to sit through long and boring security lectures in groups of 500. After this month linux will be fully compliant with the "trusted security initiative" and will be magically bug free. Until such time as another bug is discovered.

Re:Stop writing code!

Will they have sweaty speakers jumping around on stage yelling "security! security! security! security!"?

Snort

[Quantum+Singularity]

There's a program called Snort that does packet sniffing and intrusion detection, among other things. It's at snort.org.
That and good ol' P.G.P.

Re:Snort

How can this be deemed off-topic? It's completely relevant to the security of Linux systems!
Then again, this is Slashdot. I don't want bad karma. The Snort program is really good, and open-source. I thought it would be good. Well, at least I like it.
How about a little logic puzzle:

Re:It's a bit of a challenge, and one to be avoide

logically Microsoft's programmers are smarter than those in open source, simply because they're able to earn more money.

... and thus they are able to get loans to finance their brain transplant operations??!

Eh, yeah...

[Kligson]

Feature gaps like a fox!

Re:Eh, yeah...

[Kligson]

*Sigh* This was funny before the parent was modded into the troll-abyss.

ACLs

[Black+Parrot]

ACLs (access control lists) are a wonderful technology, but for non-trivial systems they become an administrative pain in the @ss. In principle you would set them up and forget about them, or at least let users maintain their own, but in practice users can't maintain their own, and they will pester you to death with requests for changes.

They also tend to drag the sysadmin into office politics. E.g., Secretary A is out on vacation and Secretary B calls you and says Secretary A did not set up her ACLs correctly and would you please give B access to certain of A's files. In addition to the annoyance of having to babysit the users, there's really no correct response to such a request.

ACLs would be great on a system where everyone is a power user. In practice that usually means your home system where you are the only user, so ACLs aren't very helpful anyway.

Conclusion: wonderful technology, hope I never see it again.

BTW, I speak from personal experience, having formerly managed VAXen with their wonderful ACL implementation. I don't object to ACLs on Linux, I just don't want them.

Re:ACLs

[WetCat]

BTW,it's theoretically proven that security provided by Discretory Access Control systems (in which ACL's and unix protection schemes belong to) is algoritmically unprovable - you cannot deduct that system is secure based on system and DAC rules.
That proof is possible if are using mandatory access control or may be other security means.
So DAC are not only pain in the ... - it's also a nonreliable means of security.

Re:ACLs

After my experience with LIDS, I thought it would be nice to get ACL-like permissions stuck into packaging information. Spending hours trying to derive the correct ACLs for a given package by watching it die horribly when it suddenly found it couldn't do 'x' was not much fun. I figure that if package maintainer could put some kind of ACL info into say, the spec file, ACLs would become much more palatable. Adding something that says 'I need to bind to ports 1024 and have write access to /var/lib/foo' doesn't seem like that hard of a task on a package basis. Trying to do it for the 10,20 or what-have-you privileged applications on a given platform is hard.

'course, it was just a sketch of an idea. The actual implementation, I suspect, is somewhat less trivial. Standardized permissions and what-not, for example.

Re: ACLs

[Black+Parrot]

> BTW,it's theoretically proven that security provided by Discretory Access Control systems (in which ACL's and unix protection schemes belong to) is algoritmically unprovable - you cannot deduct that system is secure based on system and DAC rules.

Thanks, I'd never heard that. Do you know whether government security certification levels take that into account?

Re:ACLs

[MrResistor]

From my (very limited) experience with ACLs on HP-UX I thought they were wonderful. You could totally ignore them and function just fine in every way that you can function in the default Linux permissions model. Basically, the only time you needed to deal with ACLs at all was when you wanted to specifically (dis)allow access for certain individuals. Doing that through groups is a pain, since then the user has to change groups to access certain stuff, etc.

ACLs made it really easy to give permission to only the people you wanted to, and you could totally ignore them if you didn't want to use them. I would be really happy about a similar implementation being a part of Linux and not just a patch.

Re:ACLs

They also tend to drag the sysadmin into office politics.

The horror of it! Sysadmins should be able to go an entire career without having to address the concerns of mere users.

Re:ACLs

Or forget Linux ACL hacks, and use a Mac OS 9.x (or older) webserver... never been rooted externally in history of the internet.

Re: ACLs

[WetCat]

Probably it's the reason that system that implement only DAC cannot be given more than class C in Orange Book.
For class B and A you have to have Mandatory Access control.

Re:ACLs

[ts0003]

The parent post in incomplete at best, and if viewed less charitably it is misleading.

1. The 1976 Harrison, Ruzzo and Ullman result (from "Protection in Operating Systems") pertains to "safety" in the access-matrix model. Inferences about security need to verify the implementation of the model as well.

2. The result only applies to a system where an infinite number of subjects and objects can be created. An implementation on a typical OS does not suffer from this limitation since resources of the host that are used for the digital representation are finite.

3. Their proof reduces a Turing machine to the access-matrix model, introducing a mapping between decidability and the leakage of a right in the access-matrix. Deciding whether a specific leak occurs is the equivalent, then, of solving the Halting problem. This proof, however, says nothing for a system where more specific knowledge of the system is used, where you *can* make stronger inferences. Look to the mono-operational system for a concrete, albeit impractical, example.

4. Their results hold for any model that uses an access-matrix, regardless of whether it is Discretionary or Mandatory.

Re:ACLs

[g4dget]

Let me second that. Having had to untangle ACLs as a system manager when converting file systems to UNIX, my observation is that they often don't do what users intend. Furthermore, systems I have used that have had ACLs may have passed various security certifications but were very easy to break into in practice because in real life, ACLs were never set up right.

The traditional UNIX user/group system requires some advance thought and effort in setting up groups for an organization. That leads to a more manageable set of possible permissions.

ACLs are an important check-list item for Linux because there are some people who swear by them. But I also hope that as a system manager, I will never have to deal with them again--I think they are much more trouble than they are worth in the real world.

Re:ACLs

[g4dget]

you could totally ignore them if you didn't want to use them

You can't "totally ignore them", in particular when it comes to system security. ACLs allow people to get additional access to files relative to standard UNIX permissions, and that is something that needs to be checked. With ACLs, not only do I have to check whether /etc/passwd is owned by root, I also have to check whether someone has snuck in and given themselves write access to it through ACLs.

I would be really happy about a similar implementation being a part of Linux and not just a patch.

It should probably be in the kernel, but I think it should not be enabled by default because it creates security holes and because the functionality just isn't needed for many applications. Desktop users of Linux often don't need a complex permission system at all, and neither do many server applications (dedicated web server, dedicated database server, etc.).

Where ACLs will be most useful will be for Linux clients accessing network file systems that have them. That's the reason why they should be in the kernel, but they should be enabled only for specific file systems. But in that case, ACLs are there for interoperability, not for additional security.

Re:ACLs

[WetCat]

1) I never said anything about access-matrix
Access matrix system do not have anything related to DAC or MAC, as you already said in your "4."
2) I didn't use 1976 Harrison, Ruzzo and Ullman result.

3) Main security problem with DAC system is that they can introduce troyans, because they generally allow changing rights between users without restrictions
MAC systems are not allowing troyans since changing rights between users is prohibited by rule system (role based etc...)

Re:ACLs

[Malor]

You know, I really hate the posts here that say "technology X doesn't suck, you're just using it wrong!"... but I'm forced, in this case, to say so.

In my experience, ACLs are a godsend. If done properly, they make extremely complex permissions structures simple and easy to maintain.

I have a system I use, under NT, that ends up assigning all the correct permissions in filesystems just by putting users in the correct groups. This takes some time to set up, but once the permissions are set correctly on the fileserver, you almost never have to touch them again... all permissions maintenance is abstracted into user maintenance tasks.

In the case of 'secretary A needs access to secretary B's files', that's not a failure of ACLs, that's a failure of policy. First, don't let users modify ACLs. Second, if your security policy is correctly implemented, then either Secretary A already has access to the files or doesn't, and will know better than to call you. If it's an emergency, then policies can be overridden by management, but that sort of thing is unavoidable and can happen in any system, ACLs or no.

And yes, there are cases where you do have to do quite a bit of security work to maintain ACLs, where new projects are being created on a fairly constant basis, but you'd have to do that work anyway, no matter what permissions systems you use. ACLs generally take a bit longer to set up but require much lower maintenance, so the bigger your filesystems get, the more time you save.

Basically, it strikes me that you're blaming a permissions system for organizational problems.

Re:ACLs

[ts0003]

1. While you did not introduce the notion of an access-matrix, you referenced a theoretic proof regarding the security of DAC. Acess Control models implicitly build on the access-matrix or a transformation of it.

2. It's true that you did not use the HRU result. If you could point to the work that you did base your claim on, it would be helpful. Alternatively, summarize the insight of the proof so we can understand the merit of your assertion.

3. Again, a statement you make borders on misleading. Your 3rd point is untrue. MAC forces labels and sensitivity designations. The actual policy is responsible for stating the information flow rules.

The trojan of your example can easily be transferred between processes with the same clearance belonging to different subjects.

Apart from that, MAC and DAC refer to *models*. Errors in *implementation* and configuration still abound, and a MAC system will not help in this case.

Re:ACLs

[oh]

There are other uses for ACL other then disallowing access. They can allow overlapping access.

Think of a webserver, that is developed by multiple teams. You wan't to give you co-ordination people access to everything under the document root, so they can fix up other peoples mistakes, but you wan't to limit each of your web development teams to their own section of the tree.

Most importantly, you really don't want to have to add your webdevelopers to every development team.

Try doing that with user-group-other permissions

People have made a good point about ACL's biting people who don't know they are there, I think that the early Solaris versions would mark a file with an "a" instead of one of the permission bits if you did an "ls -l" so you could see instantly that there was an ACL you might have to check. Of course, that didn't work over NFS, and I don't know if they still do that. I know Tru64/Digital Unix/OSF doesn't.

Re:ACLs

[WWE-TicK]

If a file has an extended ACL, GNU's ls(1) would display a "+" sign along with the other file permission bits when you do an `ls -l'.

Re:ACLs

[WWE-TicK]

> With ACLs, not only do I have to check whether
> /etc/passwd is owned by root, I also have to check
> whether someone has snuck in and given themselves
> write access to it through ACLs.

In Linux this is easy enough to check because if a file has a non-trivial ACL, GNU's ls(1) will display a "+" sign along with the other permission bits when you do a `ls -l'.

Re:ACLs

[oh]

similar idea.

ACL's are dangerous if you don't know they are there. Imagine doing a ls -la over a directory and not seeing any files that were world writable, not knowing that there could be an ACL granting the nobody account Read, Write and Execute.

Re:ACLs

[g4dget]

You are missing the point. Of course, you could somehow check even if GNU ls did't do that. The point is: it's one more thing to go wrong. And it's not just that people need to pay attention--security audit tools need to deal with this, and they need to be configured to interpret the ACLs correctly.

ACLs just make things much more complex, in many cases unnecessarily so. And it certainly doesn't make things more secure.

Re:ACLs

[MrResistor]

That's exactly what I said. That's why I put the 'dis' in parentheses. Personally, I have only used them for allowing access, but I put the (dis) in there to avoid a response saying "You know you can use them to prevent access, too."

Re:It's a bit of a challenge, and one to be avoide

You probably wanted to be flamed, at least I hope to God for your sake you did this to intentionally draw flames, but I'm not going to flame.

Instead, I'm just going to state clearly and concisely: Look at the huge amounts of problems the security holes in Winblows has caused, and look at the problems the security holes in Linux has caused.

The proof is in the pudding, the actual track record of each OS, everything else is hypothetical bullshit.

Simple security improvements

[maxwell+demon]

There are a few security improvements which are easy to make:

• Do not connect the Linux box to the Internet.

  This way you'll be safe from DoS attacks, as well as other attacks from the net.

• Remove your floppy drive.

  Before the days of the net, floppies were the main way to spread virusses.

• Remove the power switch.

  All measures above only protect from the danger of remote people. But by removing the power button (and therefore the possibility to turn the computer on), even people who get physically to the computer can't do anything evil with it.

• Lock the computer away in a safe.

  All of the above measures could be circumvented with a simple screwdriver and other normal equipment. But by putting it into a good safe, you're safe from the average intruder.

Of course this has the disadvantage that you cannot use your computer anymore. But that's the price you have to pay for security...

Re:Simple security improvements

[Budgreen]

isn't this how M$ got NT certified?

all the above steps.. maybe not in that order :)

Re:Simple security improvements

Yeah, actually.

In a move worthy of IBM itself, Microsoft took out the disk drive, locked the machine in a safe, and then cut open the safe to remove the power button.

Then with the later release of WinME, they removed the internet connection.

HTH, HAND.

--me

Re:On the boxes?

YEAH! that's telling 'em. man you're right, users are so stupid. when will they learn that us sysadmins are SO smart that we deserve the reputation as pompous jerks who look down at them?

what i find disturbing is that there are STILL people like you out there, and someone's paying you to be a jerk.

Re:It's a bit of a challenge, and one to be avoide

[gwernol]

This is such an obvious troll. What a shame it got modded up. Just a few of the more glaring errors:

C, a language that provides no security features such as garbage collection

In what sense is garbage collection a security feature? That makes no sense.

It is a very sad fact, but logically Microsoft's programmers are smarter than those in open source, simply because they're able to earn more money

That's not true at all. As someone who makes their living programming I can tell you that there are plenty of dumb commercial programmers and plenty of smart open source programmers. And vice versa. If you really wanted to be "logical" you'll understand that money earnt is not the same as skill. Plenty of people do highly skilled work without payment - ever heard of a hobby?

go for an operating system controlled by one company, who knows what their code does, and how to fix it if it goes wrong. The only option, in that case, is Microsoft.

Er... or Apple?

Like I said, blatant troll.

Re:It's a bit of a challenge, and one to be avoide

[The+Rogue86]

"...It is a very sad fact, but logically Microsoft's programmers are smarter than those in open source, simply because they're able to earn more money..." Did you know that a McDonalds manager makes $26 an hour and a starting computer tech makes about $8. Who is smarter? The guy wearing the paper hat or the geek..... I'll just let you think about that one.

Best way... don't use it!

Microsoft has taken all the hard work out with Windows 2000! There is a cool GUI you can use to point-and-click your way to a safe and secure system. Now I don't have to keep up with recompiling the kernel, all I have to do is apply the occasional service pack.

Don't forget

People often forget that the things that make unix multiuser are great security tools. For example, for local security, people who should be able to run certain suid programs can be put in special groups, and then the admin can chown and chmod the executables appropriately.
Running applications in a chroot'ed environment is also helpful. A bit hard to setup, but once you do it, no problems.
Use tools such as iptables to restrict access. For instance, if you know that all your connections will come from *.host.com, change the rules accordingly.
Kernel patches are ugly. They try to get at the root of the problem, but they miss it completely.
The point is that vulnerable code is written by bad coders, who for some unknown reasons think that C is the best language in the universe. Clearly, they can't handle the power that C gives them and should use languages that provide memory handling for them.

Re:Don't forget

haha! what would you suggest they write BIND in? java? perl? rofl..

If you don't mind proprietary stuff...

[MajorBurrito]

... you can try PitBull from Argus Systems. It's a very good product and free for non-commercial use (I think). If you can live without the source to their module.

Remote exploits cant be avoided in any way.

[miffo.swe]

For every new protection that emerges there are people that can reverse it. Atleast if its usable. A totally safe system wont be a good tool to use since it will be locked down and hard to manage. To completely avoid remote exploits the only thing you can do is to turn all remote capabilities off or use an encryption that is too strong to break with a normal computer. The problem is that all this sucks much cpu cycles and renders the box rather slow. Use secure wan links and no connection to the internet whatsoever. As for servers go sandboxing with absolute minimal rights to memory and HD. Best would be to have completely walled off memory but current hardware or palladium doesnt allow this.

actually yes

[johnjones]

the major problem today is people useing tools

to this end you can use a mac
(big endian so defeats alot of stack smashing targeted at x86)

use bsd
(THE network stack -problems in MS TCP/IP stack have been solved years ago in BSD)

and dont run any silly daemons

http://www.

does a nice job of sorting out things config wise where most problems live

regards

John Jones

Re:actually yes

to this end you can use a mac
(big endian so defeats alot of stack smashing targeted at x86)

iirc, the fact that macs use PPC instead of x86 also defeats a lot of stack smashing targeted at x86

and palladium?

so if we're adding kernel hooks that enable access controls lists, does that mean that a few years down the road, when Palladium hits, the Linux kernel will be able to easily implement a "sandboxed" ACL in order to become the ultimate in computer security / DRM madness?

User Mode Linux

[RawCode]

Similar to the vserver idea is the concept of running another kernel of linux in 'User Mode Linux'. This allows you to run a virtual linux machine within you current install. This allows you to test kernel modules and patches in your vitrual system with out affecting the real system. This way, if your fake system gets rooted, the underlying system is ok.

Re:User Mode Linux

[WetCat]

I tried that - that solution gives more isolation between your virtual machine and main machine, but it's much slower than vserver patch.
I tried to use vserver patch for Mandrake 8.2 on
P1-200MMX with Apache, DNS, Mozilla, X and it worked perfectly.

Re:User Mode Linux

Is this more secure than vserver?

Grsecurity Patch & Debugging Your application

[unixmaster]

If you restrict strace in grsecurity you cant seem to be able to debug your application under gdb as normal user but root can still debug. Its a good idea to not to play with strace option if you are in a software engineering environment.

Other than that it works like a charm.

MicroBSD - A hardened BSD

You all talk about things like linux security, and SELinux and the patches that exist to enhance linux kernels, Then theres OpenBSD, yes reknowned for its secure by default stance. Well little known to most is a project called MicroBSD, which is actually a fork from OpenBSD, but with all the systems hardening and posix1 additions available currently! Though its young in existance, like 10 months, We have been using it on our boxes here for 6 months with no problems. I think their url is microbsd.net

Re:FUD alert!

[bgeiger]

Isn't this ingenious? Taking potshots at Linux by appearing to support it? ...clients are willing to reduce their servers' feature set, flexibility, and ease of maintainence by switching from Win2k...

I won't rehash the manyfold reasons you're wrong about those assertions (it's been discussed to death already), but I will point out that you're wrong, and you're just trolling. Knock it off.

Besides, while Linux's security is excellent, it can (and should) be improved. It's good, but by no means perfect. (It's much better than anything M$ can put out, though.)

use only trusted code

[Pegasus]

Bandaids like lsm, grsecurity & co will only help you cover to some extent the holes already there. I don't feel like this is the ideal solution ... The ideal solution is to write clean and bugfree code and use that. OpenBSD will probably get you there in the quickest way.

But on the other hand, you know what idealism is ...

Re:use only trusted code

[kaisyain]

Thanks for showing a complete lack of understanding of what Mandatory Access Controls are. OpenBSD can't get you anywhere close to what SELinux provides, regardless of how "trusted" the code is.

Re:use only trusted code

[cant_get_a_good_nick]

This is valid IF
1) All the code in OpenBSD is bugree. the recent OpenSSH hole shows this isn't the case. I'm pretty sure OpenSSH was fairly heavily audited too, and it still had a hole. The new permission separation code can help here, but OpenBSD still had a remote root exploit.

2) You NEVER have any code running thats not in the default install. Means no Apache (which had a quickly patched hole recently), no configuring your system, cause as soon as you do, you're running other code. eg. you can configure telnet to run when it wasn't running in the default install. You can misconfigure OpenBSD just as easily as any other UNIX, it just starts with safer defaults.

Code audits are like perimeter locks. It stops people from getting in. Security models are more like internal locks and safes. Once you get in, it limits what you can take. They aren't mutually exclusive.

Re:use only trusted code

[Jeld]

You seem to miss the point. Surely one should always use trusted code, i. e. either from reliable source or written and tested internally. The problem though is that despite every possible Q&A effort doesn't guarantee a 100% bug free code. OpenBSD is a very good example. The OpenBSD team's primary focus is security, but onsidering the sheer size of the code base there is always some piece of code that has been missed or never considered for proper testing. OpenBSD project source code ( and any fully featured OS for that matter ) comprises hundreds of megabytes of code and considering that number of people doing QA and looking for vulnerabilities is more or less of the same order it is virtually ( and practically ) impossible to guarantee complete security. That is why projects such as grsecurity appear. For example one of the things provided by such modules is a non-executable stack segment, which means that even is the user level code is vulnerable to stack overflows attacker will not be able to exploit it since kernel will not allow execution in stack memory range. Your comment about true source shows only that you have never tried to make secure a program of any significant size. Try to find the lates vulnerability in SSH without looking at the published proof of concept code and then you will gfet some idea as to what kind of effort is involved.

regarding grsecurity

[OpenMind(tm)]

There is something almost treasonous about a linux kernel hack whose documentation's primary format is msword+ppt. Particularly when the html links are broken.

Re:FUD alert!

nod...wink...wink ...and cost has nothing to do with this...

Re:It's a bit of a challenge, and one to be avoide

[jc42]

> go for an operating system controlled by one company, who knows what their code does, and how to fix it if it goes wrong. The only option, in that case, is Microsoft.

Er... or Apple?


Yeah. Or, for that matter, RedHat.

And with RedHat (or any of the other linux vendors), not only do they know what their code does, but there are also thousands of programmers scattered around the world who know a lot about it.

So if you have a problem, you don't have to beg and plead with a disinterested CS department of a giant corporation. You don't even have to deal with your vendor.

If it's a small problem, you can probably hire one or two of the linux hackers at your local college. For bigger projects that take experience, you can hire a few of the local linux professionals.

You'll be up and running in far less time than it takes to persuade Microsoft to support your needs.

ACL's in Red Hat Limbo beta

[Laven]

ACL support was added to the kernel in Red Hat Limbo beta which will likely become Red Hat 8.0. They also include the command line tools to manipulate the ACL's.

Read about it in the RELEASE-NOTES
ftp://videl.ics.hawaii.edu/mirrors/redhat/linux/be ta/limbo/en/os/i386/RELEASE-NOTES

Re:It's a bit of a challenge, and one to be avoide

[Coward+the+Anonymous]

Actually, the rule is usually the more you make, the more stupid you are.

Adding LIDS to a firewall... / SELinux

[dpilot]

I'd looked on and off at LIDS for a while, and one day decided to go for it. Brought it down to my desktop and began following instructions. The intent was to build the LIDS kernel and utilities on the desktop, and then scp them over to the firewall.

Except that LIDS seems to want to be built on the machine where it's going to be run. So what if your firewall doesn't have a compiler, build environment, etc?

Perhaps I should have RTFM further, but the available time ran out.

I've also read a little about SELinux, but there appears to be one common thing about all of these security enhancements: They make it possible to have tight enforcement of a security policy, but it appears that none of them ship any sort of policies. It would be nice to have a few to choose from, and begin learning. How about a policy that's very little more secure than the pre-LSM box, with a bunch of commented options to tighten down the screws. I guess I've seen some of that with GRSecurity.

But trying to evaluate and use any of these packages for a home system turns into a massive time-sink to do properly. WIBNI Bastille would add LSM to what they already do so well? (I know, join and do it, myself. Maybe when the big-time real world projects are in control.)

Re:Adding LIDS to a firewall... / SELinux

[Jetifi]

The SELinux tarball has sample polciies for a lot of stuff. There are more on the sourceforge site.

There's tools also (apol at http://www.tresys.com/selinux.html, and a Perl script I can't find at the moment by this guy ''Mark Westerman'', try searching the list archives) that help in the analysis of security policies.

Re:Adding LIDS to a firewall... / SELinux

[dubl-u]

Except that LIDS seems to want to be built on the machine where it's going to be run.

What sort of problem were you having?

But trying to evaluate and use any of these packages for a home system turns into a massive time-sink to do properly.

I'd agree. I devoted perhaps three days to installing and trying the major ones last year, and it was a pain.

Personally, I settled on LIDS, which, although it is a little squirrely, has worked happily for me. But for casual users these are not ready for prime time; every time I install a new daemon I need to set up a set of matching LIDS entries so that things work properly. This isn't much of a pain for me, but for novices it would probably make their eyeballs bleed.

MacOS far more secure than LINUX, proof is BugTraq

I say forget trying to patch up Linux, or OpenBSD and its exploitable SSH... try archetectures like the mac for trusted web servers taht are unbreakable based on historical evidence.

The MacOS running WebStar as a server has never been exploited.

In fact in the entire securityfocus (bugtraq) database history there has never been a Mac exploited over the internet remotely.

That is why the US Army gave up on MS IIS and got a Mac with WebStar.

I am not talking about BSD derived MacOS X (which already had a couple of exploits) I am talking about Mac OS 9 and earlier.

Why is is hack proof? These reasons :

1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT

2> No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stufff where you pass Gary Davidians birthday into certain registers and make a special call). By always being root their is no false sense of security.

3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits.

4> Stack return address positioned in safer location than intel. Buffer exploits take advantage of loser programmers lack of string length checking and clobber the return address to run thier exploit code instead. The Mac places return address infornt of where the buffer would overrun. Much safer.

5 : Macs running Webstar have ability to only run CGI placed in correct lodirectoy cation and correctly file typed.

6> Macs never run code ever merely based on how a file is named. ",exe" suffixes mean nothing. For example the file type is 4 characters of user-invisible attributes, along wiht many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with data files. For ecxample file copy utilities preserve launchable file-types, but JPEG MPEG HTML TXT etc oriented tools are physically incapable of creating an executable file. the file type is not set to executable for hte hackers needs. In fact its even more secure than that. A mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY mac program has a resource fork file containing launch information. It needs to be present. Typically JPEG, HTML, MPEG, TXT, ZIP, C, etc are merely data files and lack resource fork files, and even if the y had them they would lack launch information. but the best part is that mac web programs and server tools do not create files with resource forks usually.. TOTAL security.

7> There are less macs, though there are huge cash prizes for craking into a MacOS based WebStar server. Less macs means less hacvker interest, butthere are millions of macs sold, and some of the most skilled programmers are well versed in systems level mac engineering and know of the cash prizes so its a moot point, but perhaps macs are never kracked because there appear to be less of them. (many macs pretend they are unix and give false headers to requests to keep up the illusion, ftp http, finger, etc).

8> MacOS source not available traditionally, except within apple, similar to Microsoft source availability to its summer interns and such, source is rare to MacOS. This makes it hard to look for programming mistakes, but I feel the restricted source access is not the main reasons the MacOS has never been remotely broken into and exploited.

Sure a fool can install freeware and shareware server tools and unsecure 3rd party addon tools for e-commerce, but a mac (MacOS 9) running WebStar is the most secure web server possible and webstar offers many services as is.

One 3rd party tool created the only known exploit backdoor in mac history and that was back in 1995 and is not, nor was, a widely used tool. I do not even know its name.

Other than that event ages ago, no mac web server has ever been rooted,defaced,owned,scanned,exploited, etc.

I think its quite amusing that there are over 200 or 300 known vulenerabilities in RedHat over the years and not one MacOS 9.x or older remote exploit hack.

Not one. And that includes Webstar and other web servers on the Mac.

--- too bad the linux community is so stubborn that they refuse to understand that the Mac has always been the most secure OS.

BugTraq concurs.

Re:Do we need complex acronyms? by poopbot

[xaymaca2020]

you sir, are an idiot. Funny, but still an idiot.

here's an idea

don't apply every single patch you find on the internet to your kernel.

grsecurity

[bozoman42]

It works marvellously when it works. Randomized pid, randomized sequence numbers, and soon to have ACL's that define resource limits on just about anything. Really powerful.

When it works.

I've been trying to run it on an SMP Xeon for a while now, and any time the machine exerts itself I have to go hit the big red button. And it's not really a machine I'd like to do "testing" on, so no, I won't help with debugging. What "testing" I've done so far has been nothing but infuriating.

Another few tidbits: all the security in grsec basically completely prevents any JVM from running at all. Ditto UML. (Though UML may also have issues with SMP. But now that I've removed a big variable in my equation of horror...)

Since Rusell Coker has package SELinux for Debian, I will definitely have to investigate that sometime in the near future. I think I'll rack some uptime first to bolster my self esteem. :)

SE Linux

[nzru.()]

actually http://www.nsa.gov/selinux is great for a kernel module, or even compiled into it itself. True linux has proven itself better than it's (non-exzistant) competitor from Redmond. But with this security addon it makes it on the top of it's field. I think this is why the NSA has given it it's name SELinux: Security _enhanced_ linux. To define that would denote that linux had a lot of security before, and now with this add-on is _enhanced_ in many ways. Too bad I haven't been able to find anyone who can audit the NSA's work and help verify it for obvious & hidden flaws. nzru

Re:Neat Security -- just stupid.. use a mac

Virtual machines are not perfect... they can be detected by the way they fragment memory and visible from ring 0 commands.

but I would say just use a mac server instead if you want security that is by far the most secure.

The MacOS running WebStar as a server has never been exploited.

In fact in the entire securityfocus (bugtraq) database history there has never been a Mac exploited over the internet remotely.

That is why the US Army gave up on MS IIS and got a Mac with WebStar.

I am not talking about BSD derived MacOS X (which already had a couple of exploits) I am talking about Mac OS 9 and earlier.

Why is is hack proof? These reasons :

1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT

2> No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stufff where you pass Gary Davidians birthday into certain registers and make a special call). By always being root their is no false sense of security.

3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits.

4> Stack return address positioned in safer location than intel. Buffer exploits take advantage of loser programmers lack of string length checking and clobber the return address to run thier exploit code instead. The Mac places return address infornt of where the buffer would overrun. Much safer.

5 : Macs running Webstar have ability to only run CGI placed in correct lodirectoy cation and correctly file typed.

6> Macs never run code ever merely based on how a file is named. ",exe" suffixes mean nothing. For example the file type is 4 characters of user-invisible attributes, along wiht many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with data files. For ecxample file copy utilities preserve launchable file-types, but JPEG MPEG HTML TXT etc oriented tools are physically incapable of creating an executable file. the file type is not set to executable for hte hackers needs. In fact its even more secure than that. A mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY mac program has a resource fork file containing launch information. It needs to be present. Typically JPEG, HTML, MPEG, TXT, ZIP, C, etc are merely data files and lack resource fork files, and even if the y had them they would lack launch information. but the best part is that mac web programs and server tools do not create files with resource forks usually.. TOTAL security.

7> There are less macs, though there are huge cash prizes for craking into a MacOS based WebStar server. Less macs means less hacvker interest, butthere are millions of macs sold, and some of the most skilled programmers are well versed in systems level mac engineering and know of the cash prizes so its a moot point, but perhaps macs are never kracked because there appear to be less of them. (many macs pretend they are unix and give false headers to requests to keep up the illusion, ftp http, finger, etc).

8> MacOS source not available traditionally, except within apple, similar to Microsoft source availability to its summer interns and such, source is rare to MacOS. This makes it hard to look for programming mistakes, but I feel the restricted source access is not the main reasons the MacOS has never been remotely broken into and exploited.

Sure a fool can install freeware and shareware server tools and unsecure 3rd party addon tools for e-commerce, but a mac (MacOS 9) running WebStar is the most secure web server possible and webstar offers many services as is.

I think its quite amusing that there are over 200 or 300 known vulenerabilities in RedHat over the years and not one MacOS remote exploit hack.

not one ever.

Systrace for *bsd

[numatrix]

I'm suprised no one has pointed out systrace yet. Granted, it's not for linux, only OpenBSD and NetBSD at this point, but it seems to be a very promising move in the ACL world. As one other poster commented, the most difficult challenge with any heavily ACL'ed environment is configuring the ACL's and making sure you didn't miss something. It's an extremely tedious process that requires a lot of reloads until it's done right.

Systrace eliminates much (but not all) of that initial trial period with a method of analyzing processes and watching what permissions for what resources they need and generating ACL's based on 'normal' use. This interactive mode ~greatly~ simplifies the otherwise length process of configuring the kind of security modules being discussed.

Debian?

No Debian package... :(

Perfect Security Forever

Buy an abacus and a typewriter.

Re:Perfect Security Forever

Or use a Mac OS 9.x (or older) webserver... never been rooted in history of the internet.

Use a stylesheet

[KMSelf]

Sample here.

Re:Use a stylesheet

thanks for the tip, but i've already reinstalled 2k

LIDS does a good job

This past January-June, I worked on a project involving LIDS. I was responsible for all the setup/maintenance. Setup for LIDS is extremely easy. The difficult part is setting up the ACL's. For a complex system with many daemons running, this might be a difficult task. Fortunately, you can find plenty of people who make their ACL lists public, so you can see how to setup common things such as Sendmail, Apache, SSH, etc. With a good ACL list, your box will be as secure as it can get. With constant attacks on our LIDS box, no one ever got total control. The one time we let someone get root (for research purposes), that person was not able to do anything (even root can be made to not have certain accesses). I highly recomend LIDS to anyone looking for a more secure linux.

Re:Neat Security -- just stupid.. use a mac

[RzUpAnmsCwrds]

So why aren't we all using Mac OS for webservers? (excluding OS X)

- It's a major PITA to do any kind of remote management. While the lack of a command prompt may make it hard to hack, it also makes it nearly impossible to administer remotely (unless you resort to a VNC-like solution, in which case you are subject to all the flaws of that solution)

- Macs are expensive. Look at XServe. Look at comparable Linux servers. XServe is expensive.

- Lack of software: Mac OS wasn't traditionally a server OS, so many of the tools that we know and love in Linux and even Win32 are missing

- Mac OS 9 Sucks: Memory management, swap maangment, networking, etc. Mac OS 9 makes Windows 98 look like a reliable, stable system.

This is not to say that Mac OS doesn't have a place as a server. For applications where security is critical and remote access, cost, or performance isn't a priority, it's certainly a viable option. It's perfect for the Army: cost and performance are not issues (they have a $300 billion/year budget, and if it's too slow they can just invest in better hardware), but security is a MUST.

Isn't this annoying

I work in a small company, with a small server room. It has two RS-9000, one compaw tower, and one HP LH-somthing. The information isn't really worth stealing, and you would have to walk through the entire IS department to get the hardware out.

Yet, we got slapped by our corporate owner's internal audit for leaving the door open. We now have to keep it closed at all times. Unfortunately the IT department is so understaffed that everyone has reason to be in that room, we don't have the resources for a dedicated operator that can serve our development needs and the actuall day to day needs of the company.

So there is one key, where everyone knows where it is. This isn't protecting anything, ever. Sure physical security is important, but should you weigh the risk?

Re:Isn't this annoying

[emc]

Here is the solution to your problem.

Re:Isn't this annoying

and you would have to walk through the entire IS department to get the hardware out.

Would you stop me if I calmly walked out with a computer in a box while wearing a FedEx uniform? Honestly?

Re:Isn't this annoying

[Yottabyte84]

That link doesn't go to a product page.

LOMAC - Perl tainting for Linux

[Animats]

LOMAC has some promise. They have a good idea: there are two integrity levels, high and low. Everything that comes in from the net is at low level, and can't affect anything that is at high level. Level is carried around with files, processes, etc. This severely limits what can be done from the outside.

This has real potential for locked-down servers, kiosk systems, etc. It's a bit stringent for most desktops. But it's not too hard to use.

Re:LOMAC - Perl tainting for Linux

[c-dub]

Some effort has been put into porting LOMAC to both LSM and TrustedBSD. This effort has stalled out due to lack of funding. If anyone is interested, the LOMAC port to LSM should be simple to pick up. http://lsm.immunix.org has info on LSM and the mailing list. We are always looking for people to help.

thanks,
-chris

Not funny - Sad!!!!!!

[hughk]

Unfortunately this seems to have been the principle result of Microsoft's much vaunted house-keeping. Net result does not seem to be a reduction in the number of existing security bugs.

Re:Not funny - Sad!!!!!!

[felipeal]

Not sad - sarcastic (and hence funny :)

Re:Do we need complex acronyms? by poopbot

do you have that weird, queasy feeling in your stomach? wonder what it is? you've been trolled, fool....

Re:Linux Conspiracy by poopbot QWZX

[p_trinli]

By taking the time to respond to it, what does that make you?

Re:MicroBSD - A hardened BSD

You can find the site at MicroBSD>Net

Re:MacOS far more secure than LINUX, proof is BugT

[GooberToo]

1) Agreed

2) No Root users? Bzzz...every user is a root user. This means if/when exploits do happen, the ability for them to ALWAYS be fatal is ALWAYS there.

3) The #1 biggest reason why remote exploits will be rare. This, and only this, is the primary reason.

4) Moot issue since pascal strings minimize that vast majority of these issues to begin with.

6) Pretty much every real OS has this concept. Mac is hardly alone.

7) True, being a minority does help. Other OS's play header tricks too. On the other hand, this also means much fewer selections in available applications which mean odds are automatically reduced in the number of possible exploits. Basically, zero applications means zero odds of being exploited. I think you can follow the logic from there.

8) Security through obscurity can sometimes help but rarely is the solution. In fact, history proves that this often creates more problems than it fixes because fewer eyes ever see enough code to fix it before it becomes a problem.

Re:MicroBSD - A hardened BSD

You can find the Site at MicroBSD.Net

Re:Neat Security -- just stupid.. use a mac

Macs have astounding performance...

For example.. a stock Dual 1 Ghz G4 mac performs over TWICE as many RC5 keys per second as the fastest dual AMD MP motherboard.

And that mac is under 2999 dolalrs and comes with DVD-R burner (a 300 dollar value).

TWICE as many RC5s per second than an AMD, probably because Macs have huge L3 caches, and no AMD have a L3 cache.

Also Macs can read and write simultaneously to a cold page of ram faster than any AMD mother board can. Perhaps RC5 benefits from this as well.

Mac file system is fast too... very fast compared to most UNIX filesystems.

Anyone try Projectfiles.com's Linux Firewall?

[fudgefactor7]

http://projectfiles.com/firewall/ It looks simple...potentially a good thing. Anyone have experience with this yet?

security illusion

[g4dget]

With very few exceptions, adding more stuff to your kernel doesn't make it more secure. ACLs, for example, make it very easy to screw up in numerous ways.

One of the best ways to keep your system secure is to keep it simple: remove daemons, remove kernel modules, remove software you don't need, etc.

Re:security illusion

Moderation to the parent article just shows how inexperienced many people are when it comes to security.

just agree with him moron

he's saying that OBSD IS well documented if anything (you seemed to interpret the negative), that is in addition to his saying he thinks that it is "quite good"

Re:It's a bit of a challenge, and one to be avoide

What are you? A moron or something? Let me guess. The only reason you can possibly use a computer is because you have a mouse. This is such a bunch of bs. Security at Microsoft is like white shit. It doesn't exist until it's so old as to be un-needed. Personally, I believe in the right tool for the right job. MS or Unix(Linux), doesn't matter. I do what the customer wants. Security wise, I know better than to trust anything M$ does or says about security. Their track record speaks for itself. As far as Linux goes, no flames here, I like it, I started with it, but BSD makes my life easy, and you can't beat the security auditing that OpenBSD goes through. Not to mention; lately, OpenBSD runs better on antiquated hardware than Linux used to.. So much for keeping the kernel small and lightweight.

Goes post on MS newsgroup you asshole. Maybe you can find some dumbass to believe you long enough for you to get paid.

seems that EVERYTHING

at sourceforge has been in dev for years
Opensource is great, but takes way too much patience to get anything done...Linux is coming along great, but look how hold it is

Re:seems that EVERYTHING

[karlm]

Ehh... any idea how long most Mac or MS software is in development before it's made public? The main difference you see is that 1) most projects at Sourceforge are public even in the pre-pre-pre-alpha stage and 2) the realease-soon, release-often model looks like continuous change when compared to the snapshots you get every two years from MS. In reality, very few software projects, commercial or otherwise, ever declair themselves to be the pinacle of software completeness. Also, very few OSS projects ever officially cancel themselves, so you may see a lot of dormant projects that would have been canceled pre-beta at MS.

Re:Neat Security -- just stupid.. use a mac

LOL

XServe is a better compared to a Sun Netra T1 than a "linux server".

Most linux servers are junk. VA made some of the biggest piles of junk. Those 1st gen boxes? LOL. FullOn? BAH, garbage.
Penguin Computers? junk.
Compaq makes nice boxes, and they do run Linux.

debugging security patches

[Goodbyte]

I used to run lids and grsecurity, but now I feel that the acl system in grsecurity is more powerful that that in lids.

Grsecurity's non-acl options are awesome. No setup, and almost all programs work as before (execept some programs that nedd stack execution, but that is a piece of cace to fix.)

BUT (and here comes my main point) the acl system (both in grsecurity and form my earlier experience from lids) needs more debugging. LIDS once released a version where you couldn't run (almost) any program because of the LD_LIBRARY flags, and grsecurity give me kernel panic every now and then. No problem on my system, it gives me and excuse for poking in the kernel source, but I would never use the acl on a production system.

BSD is concerning itself with kernel security

[c13v3rm0nk3y]

I don't know the facts about Linux, specifically, but there is a push in the *BSD world for kernel security features to be incorporated as defaults.

The only one I recall off the top of my head is "non-executable stacks" to keep stack overflow attacks from being quite as easy. I'm sure it has other advantages, as well.

All this does is "raise the bar" for attackers. I'm assuming most of the Linux kernel security tweaks do the same.

Re:BSD is concerning itself with kernel security

[__past__]

One nice project is TrustedBSD, parts of which will appear in FreeBSD 5.0.

Re:BSD is concerning itself with kernel security

[cant_get_a_good_nick]

Linus used to refuse the non-executable stack patch. Scattered discussions make it seem he's opening to it. I see his point that it doesn't prevent all smashes, but it makes it harder. You might as well take what you can get.

Solaris has had this ability since 2.6, but you an bypass this. I'm not so sure you could do this with a remote exploit tho, it seems you may need soem code running locally, so it would help agaisnt remote exploits, but not local.

Re:BSD is concerning itself with kernel security

[c-dub]

> One nice project is TrustedBSD [trustedbsd.org], parts of which will appear in FreeBSD 5.0.

Yes, it's also interesting to note that the TrustedBSD code is moving towards a pluggable interface similar to LSM. In fact, SELinux (SEBSD) is being ported to TrustedBSD.

thanks,
-chris

Re:Neat Security -- just stupid.. use a mac

[1lus10n]

i'm going to make a point

weather you listen or not is up too you

number one reason a mack server has never been hacked ? what companies run them ? like the other poster said there internal memory management sucks. and yes for most people running a server PERFORMANCE MATTERS.
next is the interest level, what l33t hacker would be even the slightest bit interested in this ? i have not yet seen or heard anybody in the community talking about how 'hard' or 'interesting'a mac hack would be. because nobody who matters (big companies, banks etc..) run them.
and source being availible or not doesnt matter , it never has the problem with bugs being easier to find is offset by the speed a fix is availible. look at NT4 it has an estimated 65,000 bugs. nobody can find them because the source isn't there right? WRONG ! all it takes is some creative testing and reverse engineering and you can find them. conversly look at red-hat 300 known bugs right ? how many of them are patched ? 99% ? and of the ones that are not how easy are they to exploit ?
either way it comes down too one thing. intelligence of the admin. servers were nt and are not made for joe schmoe to run. PERIOD all these people who complain about how 'hard' it is too admin a unix server SHOULDNT be doing it in the first place.

oh and i'd also like too point out that unless a blackhat wants to go corporate he wont go for a cash prize because it puts the spotlight onto him. and that is a BAD THING (tm) when your are doing "illegal things"

non-executable stack?

Many platforms have little place to put code that is generated and executed at run-time except on the stack. Being able to generate and execute code at run-time is essential for good performance when dealing with closures or nested functions.

I quote from Usenix88:

There are, however, some architectures and/or operating systems that forbid a program to generate and execute code at runtime. We consider this restriction arbitrary and consider it poor hardware or software design. Implementations of programming languages such as FORTH, Lisp, or Smalltalk can benefit greatly from the ability to generate or modify code quickly at runtime.

Indeed there are ways to do closures without an executable stack, usually by modifying a stub that resides in the text segment of a binary, but it's much nastier.

Better would be to use other existing tools for buffer overruns IMHO.

Re:non-executable stack?

Nah, just make the security-critical programs have non-executable stacks and stick to using smalltalk for safe things.

LIDS != LSM

[Great_Geek]

It seems to me LSM (Linux Security Module) is the former SELinux (Security Enhanced Linux) from NSA. The LIDS (Linux IDS) is totally independent. The news is that LSM has been accepted into the development kernel tree.

Re:LIDS != LSM

[James+Morris]

Not quite. LSM is a generic security hook framework which SELinux has now been ported to. LSM arose after SELinux was presented at the 2001 Kernel Summit, where Linus basically said that these types of security mechanisms should be pluggable. LSM itself is actually based on the Immunix security scaffolding.

Re:LIDS != LSM

[c-dub]

As James pointed out, LSM is not SELinux either. LSM is a framework which allows pluggable kernel modules to implement security models. SELinux is an example of a security model that is pluggable into the LSM framework. As is LIDS. LSM as a project has greatly benefitted from security projects like SELinux and LIDS being ported to the LSM interface, because they have helped define and augment the interface.

thanks,
-chris

The BIG ONE, missed by most...

[The_Guv'na]

Think... What is the single most unreliable "trusted" element of your security setup? Your staff.

Be nice to your PFY(s) people! :)

Ali

Re:The BIG ONE, missed by most...

[reverius]

Oh! So -that- is what that Radiohead guy is mumbling about in that song! All I ever heard was "Karma police, Arrest this man, He something something something, He something like a something, He's like a something radio".

It makes a lot more sense now :)

Re:The BIG ONE, missed by most...

Karma police,
arrest this man,
he talks in maths,
he buzzes like a fridge,
he's like a detuned,
radio

Karma police,
arrest this girl,
her hitler hairdo,
is making me feel ill and,
we have crashed her party

This is what you get,
This is what you get,
when you mess with us

Apparently it was some sort of collection of inside jokes from a party the band members went to, which I don't think they every attempted to explain...

Re:Neat Security -- just stupid.. use a mac

And -- I'm sorry to break you the news. But I used to work at an ISP whose pages where served in a WebStar... Till somebody erased all the clients' pages twice... And then I put an RedHat/Apache/Intel in its place. Worked like a charm...

Re:MacOS far more secure than LINUX, proof is BugT

Nice troll.

Re:It's a bit of a challenge, and one to be avoide

In what sense is garbage collection a security feature? That makes no sense.

I'm sorry I can't give a better reference, but search google for "virtual machine halting problem". Vaguely, if a virtual machine does not have garbage collection, proving that some code is "safe" (in the sense "will not dump core") is tantamount to solving the halting problem. So GC is relevant to the security of VMs. For java, at least, this form of security is most important for applets running on the client side. For C, garbage collection would be useful simply to discourage use of static fixed-size buffers by encouraging the use of lots of dynamic memory management. But that's an issue of practical code habits, not computer science.

The less you know, the more money you make.

[cpeterso]

1. time = money
2. knowledge = power
3. power = work / time
4. knowledge = work / money
5. knowledge * money = work
6. money = work / knowledge
7. therefore, as knowledge --> 0, money --> infinity!

QED

I am surprised noone's mentioned it yet

[Salsaman]

www.kerneli.org

Mod parent as either off-topic or troll please.

EOF

Dear Troll...

You must feel kinda silly now that the recent OpenSSH ChallengeResponse bug can root a default OpenBSD remotely in seconds...

Re:Dear Troll...

not really. Look at the security history of Linux.
It's only second to Windows.

I would use Immunix

[MrLinuxHead]

I don't consider myself a full-on security guru, but from my experience, Immunix has a very good track record. Crispin Cowen has published many white papers concerning the stackguard compiler and how it will prevent buffer overflow attacks. Combine this with FormatGuard, and a resonable price ($100, free for non-commercial use. Check it out at http://wirex.com/Products/Immunix/purchase.html.

Don't forget to use Bastille to harden it after you install. Or you could do it manually, than you will need to remove SUID crap, use CHATTR to make your critical conf files immutible, and many, many other tricks. You can read about it http://www.bastille-linux.org/. Hope that helps.

chflags/chattr

[chrysalis]

All these add-ons are nice, but you can easily have a very hardened server without installing nor patching anything. Linux, *BSD and probably other operating systems have extended fs attributes for ages.

With standard commands like chflags (BSD) or chattr (Linux), you can mark files and directories read-only (immutable) or append-only.

The point is that once you have a working system, and if you have local access to the console, you can set proper attributes to all your files.

You then have the concept of "security levels". Once your box is in multi-user mode, the "security level" can increase, and a lot of thing will be refused by the kernel : changing firewall rules, access to kmem, to raw devices, etc. and changing extended attributes.

So even if an attacker gets root access on your box, he won't be able to alter anything except some ever changing files (something that can be solved by using an NFS mount) . And the append-only log files are really nasty, because he won't be able to hide what he's doing. Patch your favorite shells to always log history files to an append-only file to get even more fun.

On a properly configured box (that you have console access on), you must be able to run "rm -rf /" as root, and your system must still be up and running. No need for any integrity checker.

Re:chflags/chattr

[niftyzero]

What stops an attacker with root privs from removing the attributes?

Re:chflags/chattr

[someonehasmyname]

in FreeBSD you have a "kernel security level" man securelevel

The kernel runs with four different levels of security. Any super-user process can raise the security level, but no process can lower it. The security levels are:

-1 Permanently insecure mode - always run the system in level 0 mode. This is the default initial value.

0 Insecure mode - immutable and append-only flags may be turned off. All devices may be read or written subject to their permissions.

1 Secure mode - the system immutable and system append-only flags may not be turned off; disks for mounted filesystems, /dev/mem, and /dev/kmem may not be opened for writing; kernel modules (see kld(4)) may not be loaded or unloaded.

2 Highly secure mode - same as secure mode, plus disks may not be opened for writing (except by mount(2)) whether mounted or not. This level precludes tampering with filesystems by unmounting them, but also inhibits running newfs(8) while the system is multi-user. In addition, kernel time changes are restricted to less than or equal to one second. Attempts to change the time by more than this will log the message ``Time adjustment clamped to +1 second''.

3 Network secure mode - same as highly secure mode, plus IP packet filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and dummynet(4) configuration cannot be adjusted.

Re:chflags/chattr

[doorbot.com]

What stops an attacker with root privs from removing the attributes?

I may have misunderstood chrysalis, but the attributes can only be changed in single user mode. So you absolutely have to have local console access to set (or change) the attributes. But at that point you've got physical security issues which outweigh any sort of ACL/attribute-based protections you have.

Re:chflags/chattr

[c-dub]

> in FreeBSD you have a "kernel security level" man securelevel

Work is underway porting BSD secure levels to LSM. Secure levels is a nice compromise between a potentially difficult to configure security model like SELinux and a weak/useless one like chroot.

thanks,
-chris

All of these solutions work, but...

[Erpo]

...their existance points at a deeper problem. The linux security model is based off of the unix security model which basically expected users to do two things:
1. Log in through a text mode terminal.
and
2. Run programs (i.e. use cpu time and memory).

Since the demands of computer users began to expand beyond those original expectations (graphical interface, selective access to administrative abilities, etc...) the solution has always been to write a suid program that simply snags root priveleges and tries not to let the user do anything bad while it's running. Sure, it works, and linux-based systems have come a long long way, but the fundamental problem remains: to the OS, a user is a user is a user (except root). The linux security model hasn't expanded to meet new challenges, it's been circumvented by suid programs and as a result instead of a single point of possible penetration (a problem with the kernel) there are hundreds of possible ways to take over the system and hundreds of programs that must be maintained in order to keep the system secure.

Yes, chroot is an absolutely beautiful solution in many cases. No, I'm not saying linux is terribly insecure. What I am saying is that a new philosophy needs to be employed in designing security models: if a program has to become root (or the equivalent) to perform its function, something is wrong with the security model. It seems to me that this kind of thinking, combined with an elegant system to keep track of who is allowed to do what, would do wonders for the maintainability and usability of linux based OSs.

Re:All of these solutions work, but...

[moogla]

The way this gets resolved (at least it in a perfect world) is that new devices that users can touch get created so you can do things that normally would require root access. /dev/fb based Xservers replace the run-as-root Xserver,etc.

then again, this sort of comes out as kernel patch to create these new interfaces.

Sigh

Re:Neat Security -- just stupid.. use a mac

Like we all buy computers to leave them around running RC5 code... A single cpu AMD will smoke your dually G4 at mpeg encoding by 70%, and that will cost you less than $800.

Policy creation

[Jetifi]

One of the biggest problems with SELinux is the non-trivial effort involved in creating policies. It took me a couple of nights just to get to grips with the concepts...

There's a real need for some sort of tool that just builds and manages simple policies for daemons, apps & utilities. Problem is, that sort of thing is best built upon a sound model of the policy. apol (http://www.tresys.com/selinux.html) has something, and there's work going on at IBM (Alphaworks?) and at MITRE, all of it very cool stuff, but it's a) geared towards analysis, and b) proprietary.

Re:Bastille - No Kernel Patches

[ITO]

Bastille linux is a hoax.
It doesn't secure anyting at all.

Security != Security?

[FreeUser]

Patching the Linux kernel (grsecurity, etc.) and implimenting ACLs is one level of security enhancement one can emply.

Userspace hardening (e.g. Bastille) is another.

Virtual servers sounds like an interesting approach as well (virtual servers running a grsecured, hardenend system anyone?)

But, security for things like web services do not end with kernel patches or even userspace hardening utilities.

As [...] noted here, the 'security' of Slashdot's moderation system has been shot to hell (astroturfers of various ilks, most commonly but not exclusively Microsoft paid lackeys, and outright trolls are posting at +2 and being granted moderator priveleges on a daily basis). As to whether the above troll you reference was moderated up by trolls, Microsoft Astroturfers, or a combination is anyone's guess.

The fix is obviously for the slashdot editors to begin creating a web of trust in a similar fashion to how GPG/PGP keys are managed (complete with revokation if that trust is abused). Initially only the slashdot moderators and some well known friends of theirs would be in the ring of trust, then gradually others (based upon posting content, relationships, what have you). This would at least allow the Astroturfers and trolls to have their moderation and/or +2 posting priveleges removed when they do occasionally slip through.

In the meantime, until such an approach is taken, I'm afraid the astroturfers and trolls will continue to abuse the moderation system for the foreseeable future. Numerical benchmarks such as karma simply do not cut it when trying to filter for quality of content, discussion, moderation, and meta-moderation.

Slashdot security in a discussion of security now rates a -3 Offtopic?

So, by pointing out that security for a web server doesn't stop at kernel patches, and pointing to a real world example to underscore that point (this very site), the comment is somehow now offtopic? I think this thread makes the aforementinoed example even more pointed than it already was.

Or is self-criticism now a taboo subject on this forum? Remarkable.

Re:Neat Security -- just stupid.. use a mac

[Zenki]

Erasing pages is one thing.

But turning your linux machine into a staging point for going after other targets is another, more serious problem.

The only reason one would consider using a pre-Mac OS X server is
1) Without memory protection, a random buffer overrun attack may lock up the computer, a better situation than just crashing the app and letting the system go on.
2) If the attacker does manage to subvert the program, it's impossible to start up a remote command shell.
3) If the attacker does manage to get a remote command shell going, it's impossible to find command-line applications installed on the Mac that will allow downloading of files and the installation of backdoored programs.
4) Making a compromised Mac a dead end deal, ie. nothing much else can be done.

Issues with webpages being deleted can be easily worked around with a good backup/replication/etc. Hell, have the webpages served off a read only AppleShare that's connected to the actual webserver, the attacker won't be able to alter your web data.

Segregate the data, manage each.

[jmanning2k]

I know you're all too lazy to read the entire release notes, so jump directly to the source of these tools. RedHat's release notes say:

This beta contains a kernel providing EA and ACL support for the ext3 filesystem based on the patches and user-level tools from http://acl.bestbits.at/

So, check them out directly. They have more information than the RELEASE-NOTES, and some useful examples.

Re:Segregate the data, manage each.

[jmanning2k]

I hate replying to my own comments, but I missed the obvious.

This means these tools are available to users of distributions other than RedHat.

Perhaps they've made some enhancements specific to RedHat - better integration with other toolsets perhaps, but there's no reason you couldn't use it on Debian, Gentoo, etc...

Re:Bastille - No Kernel Patches

[pgilman]

" Bastille linux is a hoax.
It doesn't secure anyt[h]ing at all."

don't just make an assertion, back it up. unsupported claims are pointless.

you may have a point to make, but you didn't make it here; you didn't teach us anything.

Re:Bastille - No Kernel Patches

[mkettler]

I wouldn't say it secures *nothing*. In fact, I'd say it secures a lot of things many people don't even think about. But you are right, it's not as strong in the "prevent the buffer overflows" category, and most of the things it does a good admin would do by hand anyway.

It's got some pretty good file permission changes that work very well for server environments. And yes, file permissions really do matter. Even on the simplest level it will ask you to remove SUID permissions from ping, dump, traceroute, at, etc. I know for sure there's been at least one local user -> root user exploit for dump that would be foiled if it were non-suid. There was even one this year for at which allowed the same privilege elevation on RedHat versions prior to 7.2:

http://rhn.redhat.com/errata/RHSA-2002-015.html

Of course, a good admin should go through and audit which files are SUID him or herself and kill off ones which aren't used by non-root users. But this makes it a bit easier.

And yes, removing the SUID bits does make fewer commands available to non-root users, but let's face it, do non-root users really need to be able to run traceroutes and backups from your webserver?

Re:Neat Security -- just stupid.. use a mac

Old Macs make lousy servers. MacOS 9 does not have protected memory or preemptive multitasking. Threading in MacOS 9 is horribly inefficient. MacOS 9 has no priviledge separation. If someone accesses the system, they are root. You say this means no false sense of security. Well, you clearly have a false sense of security.

1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT

Macs have AppleScript which allows a script to do basically anything a shell could. If someone breaks in, they need only activate an AppleEvent to download some trojan code and execute that trojan code.

3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes.

This is an excellent point, but buffer overflows can occur with arrays and other data structures. Furthermore, while the OS may use Pascal strings, applications that run on top of the OS can use any type of string they choose.

5 : Macs running Webstar have ability to only run CGI placed in correct lodirectoy cation and correctly file typed.

Where is this enforced? If Webstar is enforcing this, once someone breaks into the system, it will make no difference. The intruder is already root.

6> Macs never run code ever merely based on how a file is named. ",exe" suffixes mean nothing.

It is a trivial matter to change a file type.

Re:It's a bit of a challenge, and one to be avoide

[dubl-u]

Generally, the guy your beating on needs to be whacked. But this makes sense:

C, a language that provides no security features such as garbage collection

In what sense is garbage collection a security feature? That makes no sense.

It's not garbage collection as much as direct memory access and management. In C, it's very easy to accidentally write something that allows for the execution of arbitrary code. In Java, it's very hard.

This is similar to the way one should write banking code. For most of the programmers, there should be no way to add money to an account or remove money from an account. Instead, you just give them an API that allows transfers. That way you eliminate a whole class of possible errors.

The OP's confusion probably comes from the fact, that once you remove free(), garbage collection is the common solution.

Try learning from other distributions

Owl is something that I admire and would even run if it wasn't based around RPM. They've managed to create a system that could probably be run without any suid programs.

Even chfn and passwd work, since they have split /etc/shadow into a tree, and each user has its own fragment that is only writable by that user. There's a bit of glibc/nsswitch magic to use that tree instead of the usual flat file, and the rest of the system just works as before.

There are other "duh, why didn't I think of that" changes, too. Think about it - why do syslogd and klogd keep root after starting? klogd needs to open a socket from the kernel. After that, does it need root? Nope. syslogd needs to be able to open logs and sometimes bind to a privileged port. Guess what, a user called 'syslogd' can open log files owned by syslogd, and it can drop root after it grabs that port. Owl also chroots klogd into a jail to keep it out of trouble once it starts.

I look forward to seeing this kind of cluefulness in other distributions, since it's obviously correct.

Wow...thought this post looked familiar

[charnov]

I wonder if this person works for StarNine?

Same post, different topic...

Re:grsecurity - fnk kernel tree

[Cef]

You may want to look at the fnk (or cipherfunk) kernel tree (no this is not carried on kernel.org). The link at freshmeat for cipherfunk kernels has connections for downloading and so on. His kernel tree contains the GRSecurity patches, a fair number of other patches (eg: FreeS/WAN), and any fixes he's made to get the lot running.

Basically this guys motivation is security and stability. He puts the whole lot through a barrage of tests, and makes sure things work, or at least determines if there is a problem and makes note of it.

Kernel hacks for security

[Real+World+Linux+Sec]

There are a number of easy hacks to the Linux kernel to increase security:

1. Add a sys call to disable insmod to prevent crackers from inserting Trojans and Root Kit obscuring modules.

2. Disable processes from listening on high ports (above 1023, except possibly socks, NFS, or X if you're crazy to allow these on a server). It would be trivial to add this to the kernel.

3. Disable other than low numbered processes from listening on ports, if all of your servers start at boot time and don't need restarting.

4. Prevent creation of symlinks in dirs (such as /tmp) with the sticky bit on unless they point to files owned by the creator. This reduces popular symlink attacks. It might be possible to block all symlinks here with most servers' mix of processes.

5. Disable fchdir() and mknod() to prevent root's common way to break out of a chroot() jail. (Disabling /proc, /dev/mem and /dev/kmem, etc. also will be needed but those aren't kernel mods.)

Keeping up-to-date w.r.t. security patches, running different servers on different systems to limit damage from an intrusion, using a good Adaptive Firewall and IDS, etc. will go a long way to conventional security as will using the LIDS, WireX's SubDomain, or NSA-enhanced kernels.

Those worrying about a NSA-planted bug in their kernel need only put a non-NSA Linux based Firewall in front to detect unexpected packets.

These and other ideas are from my book.

SELinux is the solution for the paranoid

[defile]

Some kind fellow was running an SELinux box with a guest root account.

The account was powerless. SELinux is a paranoid sys admin's dream. You have to specifically grant ifconfig permission to see properties on each interface. Ping needs raw sockets access granted for each interface it wants to send pings over. etc.

Use a non-x86 architecture

It is stupid, but it means that even if someone does have an exploitable buffer overflow, their easily available rootkits are unlikely to do anything useful.

There was an example a couple of years ago where a Mac running Linux was left up in a default install with a "crack me" contest. (The prize being the Mac. After a couple of days they also handed out the root password.) After much effort and publicity (it got a lot because the contest mocked a parallel Microsoft stunt to test Windows 2000), the machine was eventually broken into, by someone using a well-known buffer overflow that had been public when it was first set up. Even though there were standard rootkits to exploit it, they were all x86 based, and wouldn't work until someone rewrote the necessary assembly code for the Mac.

In other words, using non-x86 hardware raises the bar. A lot.

Safer ACL's

[aashenfe]

Here is an Idea for easier security management through ACL's.

Add a file system capability mask. This would be similar to the Group and Other file permissions, but would block those permissions.

For instance droping the "rw" capability from the "other" and "group" masks would cause this proccess, and all it's children to be denied access to files that it doesn't own (services should not be run as root of course), but still access files owned by it's user or files/directories explicitly given access vi ACL's. This way a user could grant access to everyone for his/her directory, but system process couldn't be coerced into reading that directory, or any directory. An admin would have to explicitly grant access for a system service. The whole /bin and /usr file systems would automaticly be traversable, but directory listings,file reads, and file writes would be impossible for such a proccess.

Is there any project doing this? Is this even a good idea?

LIDS

LIDS is a great second defense. It comes into play when some cracker manages to get on your machine. If you set up the rules correctly, they won't be able to install their rootkits or will be easier to spot.

The only problems with LIDS is setting it up. Since every Linux distribution writes files to different areas. If you declair a directory as readonly or append only and a program wants to delete a file, you might have problems.

If you have a webserver or a machine in production that is contect to the internet, LIDS can be a good investment (time that is, it's free)

LIDS problem

[dpilot]

>What sort of problem were you having?

As I walked through the instructions, at some step or other it became apparent that the LIDS build process was wanting to modify the machine it was currently running on, or at least it sure looked that way. Since the build machine wasn't the target machine, I immediately stopped, and haven't ever had time to fiddle with it, again.

I'll also have to check out the sample SELinux security policies another responder mentioned. That is, once I get that increasingly rare commodity called "time" again. The dishwasher went on the fritz tonight and leaked, so after a little work tonight, tomorrow night will be repair, then some bin and paint in the basement ceiling after that. Then back to the scheduled home projects backing up.

Re:LIDS problem

[dubl-u]

As I walked through the instructions, at some step or other it became apparent that the LIDS build process was wanting to modify the machine it was currently running on, or at least it sure looked that way. Since the build machine wasn't the target machine, I immediately stopped, and haven't ever had time to fiddle with it, again.

I just looked at my old source (LIDS 1.1.0) and you're absolutely right; the default instructions modify the box you're on. The easiest way to get it to work easily would have been to to all building on one box and then NFS-mount the stuff to the router so you could do a "make install". Or you could just copy the new kernel, tools, and configuration files over by hand.

Still, hopefully this will all be moot soon; hopefully the LSM version should be much less of a pain.

RBAC vs MAC vs DAC

[axxackall]

Of course MAC is better than DAC. Because it's more secure. But it's still primitive.

RBAC is the most adequate solution to manage security of collaborative environment. Read more here:

"The principal motivation behind RBAC is the desire to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure.". Briefly, it's like a RDF graph: you have subjects and privelegies mapped to each other (M:M) using roles, which, in other relationships, hierarchically describe users.

They have some example for Linux. I've tried its concepts in few applications and found really it very naturally and intuitevely reflects security requirements in commercial systems. Oracle and NT security models have something similar, although NT domains are not nested while in Oracle the role graqph is not really hierarchical (acyclic though).

I've read about NSA SElinux and found they show a very good progress, but it's just a beginning. I believe that RBAC eventually will come to Linux (and to BSD after that?). Nothing is impossible in Linux (and in BSD, lol).

Re:It's a bit of a challenge, and one to be avoide

NOO! Microsoft definitely does not know what thier code does.

Not every likes to hear it, but...

[MQBS]

OpenBSD not only has more security, but you can leave it out for longer without having to remotely upgrade. Ever remotely patched/installed a kernel? It's quite, quite annoying. Why is it you can do this? Less holes AND more highly integrated code... plus, once you add in that the memory allocation routines in OpenBSD are quite extraordinary (try running X at a high resolution in linux, then run the exact same thing in openbsd... you'll see the difference in magnitudes ^_^), so its harder to overload your memory. Just a thought.

HP Secure OS for Linux

[ranald]

Try this. Go to http://www.hp.com/security/products/linux/eval/ and get it. Or wait for version 2.0 prob. this fall. Set up "compartments". Run applications in compartments, by default nothing is allowed except local console on reserved sys compartment. Communication between compartments is only allowed by explicit rule sets (IP, port, file access, etc). Network interfaces are compartmentalized. Compartments are chrooted, no raw sockets, no telnet, lots of other goodies. Includes default setup for Apache, Tomcat and other stuff.

Re:MacOS far more secure than LINUX, proof is BugT

[sxe_p06]

Yes, but my linux box, can handle much more traffic than your Mac box. sorry buddy, in the real world, macs just don't cut it.

--p06

Absolutely necessary

[octogen]

At least an authorizations/privilege security model instead of the anyone/root distinction is absolutely necessary.

The problem is, that many daemons (like Sendmail and such) override *all* security - of course, this is absolutely unnecessary.
For example, on Argus enhanced systems you run Sendmail with the pv_asn_port privilege instead of root privileges.
If someone manages to hack Sendmail, then the attacker can do nothing else than just open port 25, while on other OSs (even OpenBSD) the attacker gains root privileges.
Sendmail does not need root privileges to run, so why should we give Sendmail root privileges?

One key to more security is the 'principle of least privilege'. Modern Unix Operating Systems like Trusted Solaris show, that it is possible to implement fine-grained privilege control in Unix kernels.

Just securing a few dozens of applications (that's what the OpenBSD project calls OS security?) is not enough.
What if I need to run some other application?

An Operating System should be able to protect data even in the case, that an application gets hacked.

Our real problem is 'root' - it should never be used for any kind of server application (daemon), but only for system administration by an authorized user. There should not be any permanent processes running as root.

LIDS, the grsec patch, NSA's sample implementation of MAC and such things are steps into the right direction.

irony

[Pros_n_Cons]

A totally paranoid OS is rejected by paranoid people. ITs also funny how people say how nuts you are to run NSA linux while recommending installing LIDS (built by China).

People can be so entertaining at times :)

Re:Neat Security -- just stupid.. use a mac

Not EXTERNALLY. All the points about why no mac in HISTORY has been remotely exploited is because of those original points.... no way to get executable code into the machine.... at least historically.

Re:MacOS far more secure than LINUX, proof is BugT

If you want ,speed,and do not care about security run
Apache on a mac, because Apple demonstrated 20 months ago that the mac ran apache in a benchmark far faster than any other computer similar
in cost.

The Mac OS running Open Transport, based on open protocols, and bilevel protocol stack declaration order is amazing. It avoids lots of famous TCPIP hacks and it also allows end-to-end file transfer from ram to ram without copying a single data byte! (only pointers to buffers are passed end-to-end in the most ideal situations) There are also papers that discuss proper tuning of open-transactions vs queued transactions and how to get the most astounding hits per second from dynamic webstar content.

Re:Use a non-x86 architecture - HA! Mac Linux BAD

It does not raise the bar.. all intel stack exploits for LINUX can be trivially rewritten into PowerPC, and tutoraials have been written.

1> There is no command line shell to allow redirection. No shell, no shell exploits or redirection of scripting.

2> Everyhing is 'root' at all times so programmers do not get lazy and fantacize about the existance of a more secure root to help protect them. The Webstar server, and other servers, as most mac programs, is written knowing that security is is important and that the code is running at root. Truthfully, PowerPC apps run at user-level, and Gary Davidian's birthdate needs to be passed in a register to gain true supervisor level, but no normal benefit is gained on a mac from running in the microkernel space or debugger-nub space.

3> Macintoshes do not suffer from stack exploits based on buffer overruns of C style strings. The mac uses Pascal style strings, instead of slow null-terminated strings in most all aspects of the entire operating system and in most users code. ANSI-C libraries are traditionally shunned. Pascal style strings are not only faster, they prevent the vast majority of buffer overrun problems.

4> Macintoshes do not EVER exucute code from file that are simple data files, no matter how the file is named or no matter how the file suffix is generated or set. Macintoshes use dual fork files, and text files and data files traditionally cannot easily become executables, and firthemore would typically need to have their 4-byte FILE-TYPE set to a value to even begin to allow a hackers file to be blessed for execution. Webstar and other tools do not typically allow any hacker or rougue tool to set file types by accident or on purpose. On a wintel system a text file saved with a .exe extension can be executed!

5> Source to mac os (pre os X) is not typically available outside apple corp. This is not a valid argument for security, (obscurity) but the appologists for the copious amount of linux redhat exploits use this as one reason for the many bugtraq exploits coverred.

6> The Mac OS weservers running Webstar do not automatically allow errantly saved files from executing out of the CGI bin merely because they are stored there.

7> The Mac OS has other good multi-homing multi-domain tools that run on it for robust free email (SIMS), DNS (QuickDNS Pro), FTP (Rumpus) and all have nice user interfaces to configure them and though these commercial tools may not be technically as secure as Webstar itself is, or the MacOS, I prefer them over running any open source tools on FreeBSD,NetBSD,OpenBSD,Linux, etc. Free is only free if you value your tech support at 0 dollars an hour sometimes. Plus, these other non Webstar related tools seem to have mostlty unblemished histories, unlike BIND.

8> People on the mac tend to use scripting languages based on Applescript rather than perl for os level dynamic work and protecting against some minor perl problems, or unix scripting (no command line on a mac, thankfully). I cannot attest to java as being swell, but the fact is many mac people tend to do dynamic content in straight C. Happlily Webstar includes a rich variety of trusted dynamic content assist tools.

9> Stack return address positioned in safer location than intel. Buffer exploits take advantage of loser programmers lack of string length checking and clobber the return address to run thier exploit code instead. The Mac places return address infornt of where the buffer would overrun. Much safer.

In fact in the entire securityfocus (bugtraq) database history there has never been a Mac exploited over the internet remotely.

A rare set of documentation tutorials and exercises on rewriting all buffer LINUX exploits from INTEL to PowerPC was published less than a year ago. The priceless hacker tutorials were by a linux fanatic : Christopher A Shepherd, 3036 Foxhill Circle #102, Apopka, FL 32703 and he wrote the tutorials in a context against BSD-Mach Mac OSX.
He was motivated by Phrack issue 49 (an intel article).

The Ruskies will still hack into your systems !

[Taco+Cowboy]

Believe it or not, I do lock the computer room door.

But the Ruskies still hack into my systems !

Looks like the do know some (undocumented ?!)BACKDOORS of Linux systems.

Where to find the info on those (undocumented ?!) backdoors in Linux ?

I am interested to know !

RSBAC

[cyrun]

Check out Ruleset Based Access Control: www.rsbac.org.

Citing from their page: Key features:

• Open Source (GPL) Linux kernel security extension
• Independent of governments and big companies
• Several well-known and new security models, e.g. MAC, ACL and RC
• Control over individual user and program network accesses
• Any combination of models possible
• Easily extensible: write your own model for runtime registration
• Support for current kernels
• Stable for production use

Will NSA stops the Ruskies ?

[Taco+Cowboy]

Will NSA's Security Enhanced Linux stops the Ruskies from hacking into my systems?

I'm tired of searching high and low for security tips, applying patches and such, and still having the Ruskies prying open my systems with no problem.

Methinks there's a list of "undocumented Linux vulnerabilities" out there, and the Ruskies (amongst the others) are using it to hack Linux systems.

If there's such a list, I'd like to take a look at them. I'd like to close all those holes.

Anyone has the list ?

May I borrow it, please ?

NFS (Re:ACLs)

[osolemirnix]

The ACL implementations of all the major Unix vendors (Sun, HP, SGI, IBM, DEC/Compaq etc.) are unfortunately completely incompatible with each other despite a POSIX draft (and I won't even mention Windows ACLs). In addition the commands/library calls to use/change ACLs all have different names and options.

So unless you have a completely homogenous network there is currently no way to my knowledge that you can use ACLs across machines via NFS.

As already mentioned, ACLs give users working in groups more flexibility to share file access, rather than having the admin create a new group for each new permutation. They don't really enhance security.

Re:NFS (Re:ACLs)

[g4dget]

You assumed, but I didn't say anything specifically either about NFS or about using POSIX APIs to implement ACLs on networked file systems.

Obviously, in order to be useful for a networked file system, the ACL APIs you need to support on the client are those required by the network file system used by the server. Those can be different from the ACL APIs either used by the local file system or by the server's file system. Take a look, for example, at what AFS does (I'm not endorsing it, merely pointing out what it does).

Mod down already ?

Oy vay, mod down oredi ?

Oy vay, mod down oredi ?

Oy vay, mod down oredi ?!

Not specific to FreeBSD

[chrysalis]

This is not specific to FreeBSD. Every BSD variant has this feature for ages AFAIK.

can check out Medusa

[phanki]

Medusa http://medusa.fornax.sk/English/project.shtml
is a set of patches that help you secure your Tux kernel. I donot have an indepth knowledge of the workings, but there was an article in LinukJournal http://www.linuxjournal.com/article.php?sid=3811
I think this might help

Re:MacOS far more secure than LINUX, proof is BugT

Incorrect -- There are fewer explots for MAC OS[anything] because frankly the security community couldn't care much less about how may ways you can exploit all of the three MACs connected to the internet :-)

SecMod

I have to mention there is a product called SecMod, a loadable kernel module for Linux. It requires no changes in the software or kernel. Just insmod secmod.o and you can start configuring rule chains, very much in ipchains/iptables style. It's available for 2.2.x and 2.4.x kernels.

For testing we have a Red Hat 6.0 based demo server running various services with known and unknown security holes: sshd 1.5, qpopper, wu-ftpd 2.6, Apache, BIND 8, and so on. These are original unpatched services, no firewalls, the only extra thing there is SecMod. The module has been configured to "sandbox" these services, and has done well enough to protect it for over two years from daily compromise attempts. We also offer free user accounts on the server for anyone who wishes to try local exploits too.

Creating the rule chains to configure the module is quite simple. The most common way is of course to define rules saying "this daemon program can't read any file except this and that, it can't execute anything but that, and can't do any syscalls except those, and can only write to this file. If it tries anything else, deny it and add an entry to syslog.". This has proven an effective protection against security vulnerabilities.

You can do many other things with these rules, for instance define ones saying "no-one is allowed to read these files (even root), except the file owner and users in group X", or "no-one can read this file with other program than 'pico'"... It's also possible to easily define chroot operations to be done in wanted circumstances, in other words "when user Z runs this program, create a chroot jail here".

For anyone interested there's more information available on www.secmod.com. The demo site address is demo1.secmod.com. --Jouko Pynnonen , Online Solutions Ltd, Finland

forgot to mention this...

[jelle]

for those actually following this as a guideline (if anybody): I forgot to mention: make a /etc/vservers/01.conf and you need IP aliasing support in the kernel (and of course a kernel with the vservers/ctx patch).