
Re: wish list



On Mon, 7 Jun 1999, scooby sir wrote:

W>Well, 
W>     If I were to contribute suggestions for a secure distro of linux,
W>it would  be this:
W>             i)  Ship it with the international linux patch installed
W>                        www.kerneli.org
W>            ii)  Install the non-executable stack patch

This is not a real solution; this is a joke. There are many ways to
override this protection, and this makes me label it as
'security by obscurity'.

W>           iii)  ssh and tripwire are a must

W>The problem is that to have a truly secure machine(linux or non linux)
W>you must watch lists like bugtraq, and install patches as soon as
W>vulnerabilities are discovered.  You can develop an extremely secure
W>machine, but 6 months later if no updates were applied the machine
W>could be wide open.  The fact is you can't make sys admins update their
W>machines.
W>
W>                             Matt Olevano

This is not always true. We made some Linux kernel changes named Medusa
(http://fornax.elf.stuba.sk/medusa), which are designed to improve the security
of Linux without any knowledge about broken programs and new ways to
get privileged access. It consists of some kernel changes (as few of
them as possible) and a user-space daemon, which answers some questions from
the kernel (of course, the communication has been heavily optimised and we can
proudly say it doesn't waste much CPU). Every process and every file
has a bitmap of the 'virtual subsystems' to which it belongs. If a process doesn't
have write permission to some file, it will get -EPERM even when running as 'root'.

Medusa supports Linux capabilities of course and can trace (and disable)
any system call, all kinds of access to a filesystem, interprocess communication
(signals, ...) and can perform some actions on processes which are
'untrusted'.

The configuration file of the user-space daemon is a simple programming language,
based on C syntax, which is pre-compiled when the daemon is started. It can
perform any security policy you want - the nicest example we made is a
configuration file which does this:
	when the application runs locally, it has normal Unix permissions.
	when it tries to open an inet socket, it is marked as 'restricted'.
	restricted applications can see only part of the filesystem and other
	  restricted processes, and have write access to a few, really FEW
	  files in the system (/dev/tty for example). they have limited
	  'capabilities' and cannot reboot the system, change runlevel or kill
	  the security daemon.
	if you run '/bin/pshacker', which is a copy of the normal 'ps', then if
	  you are a local user, you will see all processes (local and "network").
	  if you are a remote user, it will run '/usr/games/trek' instead.
'local' and 'remote' don't mean anything more than the fact that the application
was created from a process which had something to do with inet sockets
at some time. So it doesn't depend on whether he used some known or unknown
exploit, or whether the connection was out or in.

There are many other usable security policies too. For example, we can run
sendmail in its private virtual subsystem, being able only to READ its
configuration and with READ/WRITE access ONLY to a selected set of directories
or files.
No one will be able to create a new account, shut down the system, insert a module or
re-format a partition using a security hole in sendmail. The worst thing
he can do is to wipe the mailboxes of the users.

There are two known bugs in this system: the first is somewhere in locking
and will be fixed within a few days. The second is an absence of English
documentation, which will be fixed in the future - when I find someone
who speaks English better than me. This is also the reason why Medusa wasn't
announced in the linux-kernel newsgroup.

bye,
	Milan Pikula

--
Milan Pikula, WWW. Finger me for Geek Code.
http://fornax.elf.stuba.sk/~www, www@fornax.elf.stuba.sk
.. give me a fixed line and I will move the globe ..


-
Securedistros: A common list for all secured Linux distributions
Archive:       http://humbolt.nl.linux.org/lists/
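
A toy Python model of the policy described in the message above, added here as an example; it is not Medusa's code or its configuration language. The bit names, the sample file table, and the rule that a check passes when the process and file bitmaps share a bit are assumptions made for illustration.

```python
import errno
from dataclasses import dataclass

EPERM, ENOENT = errno.EPERM, errno.ENOENT
VS_LOCAL, VS_NET = 0b01, 0b10   # virtual-subsystem bits (constructed)

@dataclass
class File:
    see: int     # bitmap of subsystems that may see the file
    write: int   # bitmap of subsystems that may write it

# Constructed sample table; a real policy would come from the daemon's config.
FILES = {
    "/dev/tty":    File(see=VS_LOCAL | VS_NET, write=VS_LOCAL | VS_NET),
    "/etc/passwd": File(see=VS_LOCAL | VS_NET, write=VS_LOCAL),
    "/etc/shadow": File(see=VS_LOCAL, write=VS_LOCAL),
}

@dataclass
class Process:
    name: str
    uid: int = 0
    vs: int = VS_LOCAL          # subsystems this process belongs to
    restricted: bool = False

    def open_inet_socket(self):
        # Touching an inet socket, inbound or outbound, marks the process.
        self.vs, self.restricted = VS_NET, True

    def fork(self, name):
        # Children inherit the bitmap and the mark; nothing clears them.
        return Process(name, self.uid, self.vs, self.restricted)

def access(proc, path, want_write=False):
    """Return 0 or a negative errno, as a system call would."""
    f = FILES[path]
    if not proc.vs & f.see:
        return -ENOENT          # assumption: hidden files look absent
    if want_write and not proc.vs & f.write:
        return -EPERM           # uid is never consulted, so root gets no bypass
    return 0                    # ordinary Unix permission checks would follow

def exec_path(proc, path):
    # The '/bin/pshacker' rule: restricted callers get a decoy instead.
    if path == "/bin/pshacker" and proc.restricted:
        return "/usr/games/trek"
    return path
```

Because the mark is set on socket use and inherited on fork, a root shell spawned from a network-facing process stays restricted however it was obtained.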