Slashdot Mirror


Additional Security in the Linux Kernel?

nyx asks: "Recently, I was looking for some way to improve security on my Linux boxes. I found a few Linux patches like grsecurity, LIDS (now also as a Linux Security Module), Medusa DS9. I'm testing grsecurity (and its ACLs) now and I'm quite satisfied with it, but I wonder, what are the pros and cons of other solutions. Anybody tried them and can share his experience with us?"

6 of 300 comments

  1. St. Jude Kernel IDS by ActMatrix · Score: 3, Interesting

    You might want to check out Saint Jude - a kernel intrusion detection and response system which detects and blocks 'anomalous' behavior (such as root exploits). The developer first presented it at Defcon 8 and it looked pretty cool. It's been in development for over a year - see its SourceForge page for more.

  2. Neat Security Trick by CONTROL_ALT_F4 · Score: 5, Interesting

    I had a friend who ran all of his INET services through a VMWARE instance on his Linux box. He would get hit by a script kiddie, and then use the ROLLBACK feature to undo the damage. He would patch the hole on the virtual machine and start up the site as if nothing happened.

  3. Re:ACLs by WetCat · Score: 5, Interesting

    BTW, it's theoretically proven that security provided by Discretionary Access Control systems (to which ACLs and Unix protection schemes belong) is algorithmically unprovable - you cannot deduce that a system is secure based on the system and DAC rules.
    That proof is possible if you are using mandatory access control or maybe other security means.
    So DAC is not only a pain in the ... - it's also a non-reliable means of security.

  4. ACLs in Red Hat Limbo beta by Laven · Score: 5, Interesting

    ACL support was added to the kernel in Red Hat Limbo beta, which will likely become Red Hat 8.0. They also include the command line tools to manipulate the ACLs.

    Read about it in the RELEASE-NOTES
    ftp://videl.ics.hawaii.edu/mirrors/redhat/linux/beta/limbo/en/os/i386/RELEASE-NOTES

  5. Systrace for *BSD by numatrix · Score: 3, Interesting

    I'm surprised no one has pointed out systrace yet. Granted, it's not for Linux, only OpenBSD and NetBSD at this point, but it seems to be a very promising move in the ACL world. As one other poster commented, the most difficult challenge with any heavily ACLed environment is configuring the ACLs and making sure you didn't miss something. It's an extremely tedious process that requires a lot of reloads until it's done right.

    Systrace eliminates much (but not all) of that initial trial period with a method of analyzing processes and watching what permissions for what resources they need and generating ACLs based on 'normal' use. This interactive mode ~greatly~ simplifies the otherwise lengthy process of configuring the kind of security modules being discussed.
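    The learning-mode idea in the comment above, as an added example that is not part of the original thread and not systrace's own code: an allow-list policy is derived from a trace of a program's "normal" system calls, rendered as per-program rules with a default deny, and a later trace is checked against it. The trace lines and the rule syntax are constructed simplifications modelled on the approach, not systrace's real formats.

```python
"""Added example: learn an allow-list policy from observed behaviour, then
enforce it.  Modelled on the learning-mode approach the poster describes;
the trace format and the policy syntax below are constructed for this
illustration and are not systrace's own."""
from collections import defaultdict

# Constructed sample: one line per system call observed while exercising the
# program under normal use.  Format: <program> <syscall> <argument>
LEARNING_TRACE = """\
/usr/sbin/httpd open /etc/httpd/httpd.conf
/usr/sbin/httpd open /var/www/html/index.html
/usr/sbin/httpd connect 127.0.0.1:3306
/usr/sbin/httpd open /var/www/html/index.html
"""

# Constructed sample: a later run that strays from the learned profile
# (reads a file outside the configured paths and spawns a shell).
SUSPECT_TRACE = """\
/usr/sbin/httpd open /var/www/html/index.html
/usr/sbin/httpd open /etc/shadow
/usr/sbin/httpd execve /bin/sh
"""


def parse_trace(text):
    """Yield (program, syscall, argument) tuples from a trace dump."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prog, call, arg = line.split(None, 2)
        yield prog, call, arg


def learn_policy(trace_text):
    """Build a per-program allow-list: {program: {syscall: set(arguments)}}.
    Anything not seen during the learning run is implicitly denied."""
    policy = defaultdict(lambda: defaultdict(set))
    for prog, call, arg in parse_trace(trace_text):
        policy[prog][call].add(arg)
    return {p: {c: set(a) for c, a in calls.items()} for p, calls in policy.items()}


def format_policy(policy):
    """Render the learned rules as text: one 'permit' rule per observed
    (syscall, argument) pair, then a trailing default deny."""
    lines = []
    for prog in sorted(policy):
        lines.append(f"Policy: {prog}")
        for call in sorted(policy[prog]):
            for arg in sorted(policy[prog][call]):
                lines.append(f'    {call}: arg eq "{arg}" then permit')
        lines.append("    default: deny")
    return "\n".join(lines)


def enforce(policy, trace_text):
    """Check a trace against the policy and return the violations as
    (program, syscall, argument) tuples.  Unknown programs are denied too."""
    violations = []
    for prog, call, arg in parse_trace(trace_text):
        allowed = policy.get(prog, {}).get(call, set())
        if arg not in allowed:
            violations.append((prog, call, arg))
    return violations


if __name__ == "__main__":
    pol = learn_policy(LEARNING_TRACE)
    print(format_policy(pol))
    for v in enforce(pol, SUSPECT_TRACE):
        print("DENY", *v)
```

    The "much (but not all)" in the comment shows up directly here: any code path the program did not exercise during the learning run is absent from the allow-list and will be denied later, so the generated policy still has to be reviewed and refined by hand.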

  6. LOMAC - Perl tainting for Linux by Animats · Score: 3, Interesting
    LOMAC has some promise. They have a good idea: there are two integrity levels, high and low. Everything that comes in from the net is at low level, and can't affect anything that is at high level. Level is carried around with files, processes, etc. This severely limits what can be done from the outside.

    This has real potential for locked-down servers, kiosk systems, etc. It's a bit stringent for most desktops. But it's not too hard to use.
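    The two-level integrity model described in the comment above, as an added example that is not part of the original thread and not LOMAC's code: a toy low-water-mark policy in which every process and object carries a level, a HIGH process that reads LOW data (such as network input) is demoted, and a LOW process is refused when it tries to write a HIGH object. The process and object names in the scenario are constructed.

```python
"""Added example: a toy model of the two-level low-water-mark integrity
policy the poster describes (two levels, network input is LOW, LOW cannot
affect HIGH, the level travels with files and processes).  The classes and
rules here are an illustration written for this thread, not LOMAC's code."""
HIGH, LOW = 2, 1


class Obj:
    """A file, socket, or other passive object carrying an integrity level."""

    def __init__(self, name, level):
        self.name, self.level = name, level


class Proc:
    """A subject whose level drops when it reads lower-integrity data."""

    def __init__(self, name, level=HIGH):
        self.name, self.level = name, level
        self.log = []

    def read(self, obj):
        # Reads are always allowed, but a HIGH process that consumes LOW data
        # sinks to LOW (the low-water-mark) and stays there.
        if obj.level < self.level:
            self.log.append(f"{self.name}: demoted to LOW after reading {obj.name}")
            self.level = obj.level
        return True

    def write(self, obj):
        # "No write up": a LOW subject may not modify a HIGH object.
        if self.level < obj.level:
            self.log.append(f"{self.name}: DENIED write to {obj.name}")
            return False
        self.log.append(f"{self.name}: wrote {obj.name}")
        return True


def demo():
    """Constructed scenario: a daemon starts HIGH, reads from the network
    (LOW) and is then refused when it tries to alter a HIGH system binary,
    while a LOW scratch file stays writable.  Returns the three write
    outcomes, the daemon's final level and the event log."""
    net = Obj("tcp:80 request", LOW)
    ls_bin = Obj("/bin/ls", HIGH)
    tmp = Obj("/tmp/upload", LOW)
    d = Proc("httpd")
    before = d.write(ls_bin)   # HIGH -> HIGH: allowed
    d.read(net)                # demotes httpd to LOW
    after = d.write(ls_bin)    # LOW -> HIGH: denied
    scratch = d.write(tmp)     # LOW -> LOW: allowed
    return before, after, scratch, d.level, d.log


if __name__ == "__main__":
    for line in demo()[4]:
        print(line)
```

    The demotion in `read` is what makes the model "a bit stringent": once a process has touched anything from the outside it loses the ability to change HIGH objects for the rest of its life, which is exactly the property that limits what can be done from the network, and also what makes it awkward on a desktop where most processes eventually read network data.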