From owner-securedistros@nl.linux.org Mon Mar 12 23:45:21 2001
Received: by humbolt.nl.linux.org id <S92183AbRCLWoH>;
	Mon, 12 Mar 2001 23:44:07 +0100
Received: from metis1.microunity.com ([192.86.6.23]:44042 "EHLO
        metis.microunity.com") by humbolt.nl.linux.org with ESMTP
	id <S92172AbRCLWno>; Mon, 12 Mar 2001 23:43:44 +0100
Received: from gaea.microunity.com (gaea.microunity.com [192.86.7.134])
	by metis.microunity.com (8.8.8/8.8.8) with ESMTP id OAA13187
	for <securedistros@nl.linux.org>; Mon, 12 Mar 2001 14:43:41 -0800 (PST)
Received: from arwin.microunity.com (arwin.microunity.com [192.86.7.81])
	by gaea.microunity.com (8.8.8/8.8.8) with ESMTP id OAA22429
	for <securedistros@nl.linux.org>; Mon, 12 Mar 2001 14:43:39 -0800 (PST)
Received: from localhost (vancleef@localhost)
	by arwin.microunity.com (8.11.2/8.9.1) with ESMTP id f2CMheG17018
	for <securedistros@nl.linux.org>; Mon, 12 Mar 2001 14:43:40 -0800
X-Authentication-Warning: arwin.microunity.com: vancleef owned process doing -bs
Date:   Mon, 12 Mar 2001 14:43:40 -0800 (PST)
From:   Bob Van Cleef <vancleef@microunity.com>
To:     <securedistros@nl.linux.org>
Subject: Is this mail list dead?
In-Reply-To: <200102090321.WAA00051@tisch.mail.mindspring.net>
Message-ID: <Pine.LNX.4.32.0103121443130.16938-100000@arwin.microunity.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list



Can someone tell me the status of this list?  Other than a new
book announcement in February, I have not seen any messages since
last August.

Checking the on-line archives at:
        http://mail.nl.linux.org/securedistros/
shows that nothing is flowing.  Has the traffic moved to another
mail list?

Bob
-- 
><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>
Bob Van Cleef, Member of Technical Staff         (408) 734-8100
MicroUnity Systems Engineering, Inc.         FAX (408) 734-8136
376 Martin Ave., Santa Clara, CA 95050  vancleef@microunity.com



-
Securedistros: A common list for all secured Linux distributions
Archive:       http://humbolt.nl.linux.org/lists/

From owner-securedistros@nl.linux.org Tue Mar 13 00:20:14 2001
Received: by humbolt.nl.linux.org id <S92202AbRCLXS6>;
	Tue, 13 Mar 2001 00:18:58 +0100
Received: from wirex.com ([208.161.110.91]:3847 "EHLO mail.wirex.com")
	by humbolt.nl.linux.org with ESMTP id <S92197AbRCLXS3>;
	Tue, 13 Mar 2001 00:18:29 +0100
Received: from wirex.com (mithra.wirex.com [208.161.110.91])
	by mail.wirex.com (Postfix) with ESMTP id 89AEC3EC1A
	for <securedistros@nl.linux.org>; Mon, 12 Mar 2001 15:17:58 -0800 (PST)
Message-ID: <3AAD5908.73A44E4C@wirex.com>
Date:   Mon, 12 Mar 2001 15:17:28 -0800
From:   Crispin Cowan <crispin@wirex.com>
Organization: WireX Communications, Inc.
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.18-1_imnx_5_crispin i686)
X-Accept-Language: en
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
References: <Pine.LNX.4.32.0103121443130.16938-100000@arwin.microunity.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Bob Van Cleef wrote:

> Can someone tell me the status of this list?  Other than a new
> book announcement in February, I have not seen any messages since
> last August.

It still seems to function, but the participants no longer seem
interested in the charter.  It was supposed to be for cross-distro
discussion of issues pertinent to security-oriented Linux distributions.
Since the list was founded, some of those distros have died, and the new
ones to come along (e.g. SELinux) don't seem to have joined.

And for the record, I'm not so impressed with a Linux Security book that
manages not to mention StackGuard :-)

Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution:                    http://immunix.org




From owner-securedistros@nl.linux.org Tue Mar 13 00:41:51 2001
Received: by humbolt.nl.linux.org id <S92201AbRCLXkp>;
	Tue, 13 Mar 2001 00:40:45 +0100
Received: from dsl081-032-181-lax1.dsl-isp.net ([64.81.32.181]:45324 "HELO
        ultraviolet.org") by humbolt.nl.linux.org with SMTP
	id <S92189AbRCLXkX>; Tue, 13 Mar 2001 00:40:23 +0100
Received: (qmail 24148 invoked by uid 500); 12 Mar 2001 23:40:25 -0000
Date:   Mon, 12 Mar 2001 15:40:24 -0800
From:   Tracy R Reed <treed@ultraviolet.org>
To:     securedistros@nl.linux.org
Cc:     selinux@tycho.nsa.gov
Subject: Re: Is this mail list dead?
Message-ID: <20010312154024.J13139@ultraviolet.org>
References: <Pine.LNX.4.32.0103121443130.16938-100000@arwin.microunity.com> <3AAD5908.73A44E4C@wirex.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3AAD5908.73A44E4C@wirex.com>; from crispin@wirex.com on Mon, Mar 12, 2001 at 03:17:28PM -0800
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Mon, Mar 12, 2001 at 03:17:28PM -0800, Crispin Cowan wrote:
> It still seems to function, but the participants no longer seem
> interested in the charter.  It was supposed to be for cross-distro
> discussion of issues pertinent to security-oriented Linux distributions.
> Since the list was founded, some of those distros have died, and the new
> ones to come along (e.g. SELinux) don't seem to have joined.

Unfortunately, not many distros seem interested in security in general.
It's giving Linux a bad name.

I've cc'd the selinux guys on this as an invite for some of them to join
the list.

-- 
Tracy Reed      http://www.ultraviolet.org

From owner-securedistros@nl.linux.org Tue Mar 13 04:19:23 2001
Received: by humbolt.nl.linux.org id <S92181AbRCMDQp>;
	Tue, 13 Mar 2001 04:16:45 +0100
Received: from brutus.conectiva.com.br ([200.250.58.146]:37628 "HELO
        burns.conectiva") by humbolt.nl.linux.org with SMTP
	id <S92178AbRCMDQJ>; Tue, 13 Mar 2001 04:16:09 +0100
Received: (qmail 26244 invoked by uid 0); 13 Mar 2001 03:15:17 -0000
Received: from dial10.ras.conectiva (HELO imladris.rielhome.conectiva) (root@10.0.8.10)
  by burns.conectiva with SMTP; 13 Mar 2001 03:15:17 -0000
Received: from localhost (IDENT:riel@localhost [127.0.0.1])
	by imladris.rielhome.conectiva (8.11.1/8.11.1) with ESMTP id f2D33i416846;
	Tue, 13 Mar 2001 00:03:44 -0300
Date:   Tue, 13 Mar 2001 00:03:44 -0300 (BRST)
From:   Rik van Riel <riel@conectiva.com.br>
X-Sender: riel@imladris.rielhome.conectiva
To:     securedistros@nl.linux.org
cc:     selinux@tycho.nsa.gov, andreas@conectiva.com.br
Subject: Re: Is this mail list dead?
In-Reply-To: <20010312154024.J13139@ultraviolet.org>
Message-ID: <Pine.LNX.4.21.0103122350260.2102-100000@imladris.rielhome.conectiva>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Mon, 12 Mar 2001, Tracy R Reed wrote:

> Unfortunately, not many distros seem interested in security in
> general. It's giving Linux a bad name.

Unfortunately, indeed.  I'll have to thank Andreas
Hasenack for being stubborn and not allowing unneeded
insecurities into our distro ... ;)

- no services (except identd) in inetd.conf by default,
  inetd not running
- OpenSSL / OpenSSH installed by default
- apache's httpd.conf has ssl configured
- FreeS/WAN in the kernel
- apt-get w/ GPG signed packages (for easy and secure
  upgrading when a security hole is found)

I hope other mainstream distro's will copy some of these
things from Conectiva (though I guess the crypto stuff may
be difficult for US companies) and make Linux as a whole
more secure...

Is there anything I've forgotten to mention, or are there
other things needed to make Linux distro's more secure without
impacting functionality or ease-of-use ?

regards,

Rik
--
Virtual memory is like a game you can't win;
However, without VM there's truly nothing to lose...

		http://www.surriel.com/
http://www.conectiva.com/	http://distro.conectiva.com.br/


From owner-securedistros@nl.linux.org Tue Mar 13 05:14:51 2001
Received: by humbolt.nl.linux.org id <S92189AbRCMENp>;
	Tue, 13 Mar 2001 05:13:45 +0100
Received: from dsl081-032-181-lax1.dsl-isp.net ([64.81.32.181]:1543 "HELO
        ultraviolet.org") by humbolt.nl.linux.org with SMTP
	id <S92196AbRCMEN0>; Tue, 13 Mar 2001 05:13:26 +0100
Received: (qmail 31231 invoked by uid 500); 13 Mar 2001 04:13:51 -0000
Date:   Mon, 12 Mar 2001 20:13:51 -0800
From:   Tracy R Reed <treed@ultraviolet.org>
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
Message-ID: <20010312201351.A30218@ultraviolet.org>
References: <20010312154024.J13139@ultraviolet.org> <Pine.LNX.4.21.0103122350260.2102-100000@imladris.rielhome.conectiva>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <Pine.LNX.4.21.0103122350260.2102-100000@imladris.rielhome.conectiva>; from riel@conectiva.com.br on Tue, Mar 13, 2001 at 12:03:44AM -0300
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Tue, Mar 13, 2001 at 12:03:44AM -0300, Rik van Riel wrote:
> Is there anything I've forgotten to mention, or are there
> other things needed to make Linux distro's more secure without
> impacting functionality or ease-of-use ?

Is there really any reason to require programs to be run as root to bind
to ports <1024 anymore? I was just discussing this with some friends after
the regular LUG meeting at Denny's the other day. That's where the best
LUG conversation happens. :) There used to be a good reason for it but
nowadays it seems like an unnecessary liability. Fixing this is probably a
very simple little patch. 

-- 
Tracy Reed      http://www.ultraviolet.org

From owner-securedistros@nl.linux.org Tue Mar 13 05:18:52 2001
Received: by humbolt.nl.linux.org id <S92200AbRCMERr>;
	Tue, 13 Mar 2001 05:17:47 +0100
Received: from tisch.mail.mindspring.net ([207.69.200.157]:60715 "EHLO
        tisch.mail.mindspring.net") by humbolt.nl.linux.org with ESMTP
	id <S92185AbRCMERc>; Tue, 13 Mar 2001 05:17:32 +0100
Received: from mindspring.com (pool-63.53.191.150.snfr.grid.net [63.53.191.150])
	by tisch.mail.mindspring.net (8.9.3/8.8.5) with ESMTP id XAA18799;
	Mon, 12 Mar 2001 23:17:14 -0500 (EST)
Message-ID: <3AADA219.2C4BC605@mindspring.com>
Date:   Mon, 12 Mar 2001 20:29:13 -0800
From:   Chris <smithchr@mindspring.com>
X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.2.14-15mdkfb i586)
X-Accept-Language: en
MIME-Version: 1.0
CC:     securedistros@nl.linux.org, selinux@tycho.nsa.gov
Subject: Re: Is this mail list dead?
References: <Pine.LNX.4.32.0103121443130.16938-100000@arwin.microunity.com> <3AAD5908.73A44E4C@wirex.com> <20010312154024.J13139@ultraviolet.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To:     unlisted-recipients:; (no To-header on input)
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Tracy R Reed wrote:
> 
> On Mon, Mar 12, 2001 at 03:17:28PM -0800, Crispin Cowan wrote:
> > It still seems to function, but the participants no longer seem
> > interested in the charter.  It was supposed to be for cross-distro
> > discussion of issues pertinent to security-oriented Linux distributions.
> > Since the list was founded, some of those distros have died, and the new
> > ones to come along (e.g. SELinux) don't seem to have joined.
> 
> Unfortunately, not many distros seem interested in security in general.
> It's giving Linux a bad name.
> 
> I've cc'd the selinux guys on this as an invite for some of them to join
> the list.
> 
> --
> Tracy Reed      http://www.ultraviolet.org

There are still some people reading and monitoring.  I am
just one who is interested in learning and have not had
anything to add.

kegwasher

From owner-securedistros@nl.linux.org Tue Mar 13 05:40:56 2001
Received: by humbolt.nl.linux.org id <S92223AbRCMEjw>;
	Tue, 13 Mar 2001 05:39:52 +0100
Received: from [65.161.144.20] ([65.161.144.20]:37026 "EHLO zifnab.scheol.hm")
	by humbolt.nl.linux.org with ESMTP id <S92221AbRCMEjg>;
	Tue, 13 Mar 2001 05:39:36 +0100
Received: by zifnab.scheol.hm (Postfix, from userid 1000)
	id C47159382; Mon, 12 Mar 2001 21:37:16 -0700 (MST)
Received: from localhost (localhost [127.0.0.1])
	by zifnab.scheol.hm (Postfix) with ESMTP id 4DA3714
	for <securedistros@nl.linux.org>; Mon, 12 Mar 2001 21:37:16 -0700 (MST)
Date:   Mon, 12 Mar 2001 21:37:15 -0700 (MST)
From:   Coltrey Mather <securedistros@cowsgomoo.org>
X-Sender: strad@zifnab.scheol.hm
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
In-Reply-To: <20010312201351.A30218@ultraviolet.org>
Message-ID: <Pine.GSO.4.21.0103122126290.23825-100000@zifnab.scheol.hm>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Mon, 12 Mar 2001, Tracy R Reed wrote:

> Is there really any reason to require programs to be run as root to bind
> to ports <1024 anymore? I was just discussing this with some friends after
> the regular LUG meeting at Denny's the other day. That's where the best
> LUG conversation happens. :) There used to be a good reason for it but
> nowadays it seems like an unnecessary liability. Fixing this is probably a
> very simple little patch. 

I think it would be better if there were an option to allow non-root
access to certain ports (controlled by some file in /proc/sys/ perhaps?).

I wouldn't want a malicious shell user on my system (I only use ssh for 
logins) to run a fake telnet server on port 23 to confuse other users and
collect passwords.  The potential for a malicious user to abuse trust that
people have in standard system services is something to take into
consideration for something like this.

Perhaps in addition to just filtering by user, there should be a method to
filter by application.  e.g.: only a certain piece of software could bind
to a port...'though I'm not sure if/how that could be implemented. (maybe
have the kernel check the commandline of the process against a list of
allowed commands in /proc/ somewhere.)  One could also combine some sort
of signature verification with this so the kernel can determine if the
application has been modified.

--
Coltrey Mather
Ubergeek (use your imagination for the umlaut)


From owner-securedistros@nl.linux.org Tue Mar 13 06:09:51 2001
Received: by humbolt.nl.linux.org id <S92196AbRCMFId>;
	Tue, 13 Mar 2001 06:08:33 +0100
Received: from wirex.com ([208.161.110.91]:44814 "EHLO mail.wirex.com")
	by humbolt.nl.linux.org with ESMTP id <S92185AbRCMFIN>;
	Tue, 13 Mar 2001 06:08:13 +0100
Received: from wirex.com (mithra.wirex.com [208.161.110.91])
	by mail.wirex.com (Postfix) with ESMTP id E30FD3EC1A
	for <securedistros@nl.linux.org>; Mon, 12 Mar 2001 21:08:10 -0800 (PST)
Message-ID: <3AADAB1C.3D45AAC3@wirex.com>
Date:   Mon, 12 Mar 2001 21:07:41 -0800
From:   Crispin Cowan <crispin@wirex.com>
Organization: WireX Communications, Inc.
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.18-1_imnx_5_crispin i686)
X-Accept-Language: en
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
References: <20010312154024.J13139@ultraviolet.org> <Pine.LNX.4.21.0103122350260.2102-100000@imladris.rielhome.conectiva> <20010312201351.A30218@ultraviolet.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Tracy R Reed wrote:

> Is there really any reason to require programs to be run as root to bind
> to ports <1024 anymore? I was just discussing this with some friends after
> the regular LUG meeting at Denny's the other day. That's where the best
> LUG conversation happens. :) There used to be a good reason for it but
> nowadays it seems like an unnecessary liability. Fixing this is probably a
> very simple little patch.

How else would you (say) enforce that only the Duly Authorized Mailserver is
the one listening to example.com:25 ?  If anyone can bind to port 25, then
anyone can kick the authorized mail server over (go find some DoS) and start
your own mail server.  Repeat as necessary for various other important
services that bind to well-known ports <1024.

Did your Denny's study group :-) have a solution to this problem?  NT doesn't
enforce this restriction, but NT sucks anyway :-)

Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution:                    http://immunix.org




From owner-securedistros@nl.linux.org Tue Mar 13 06:14:29 2001
Received: by humbolt.nl.linux.org id <S92214AbRCMFN3>;
	Tue, 13 Mar 2001 06:13:29 +0100
Received: from gw.lowendale.com.au ([203.26.242.120]:18252 "EHLO
        marina.lowendale.com.au") by humbolt.nl.linux.org with ESMTP
	id <S92212AbRCMFNK>; Tue, 13 Mar 2001 06:13:10 +0100
Received: from localhost (neale@localhost)
	by marina.lowendale.com.au (8.9.3/8.9.3/Debian/GNU) with ESMTP id QAA13993;
	Tue, 13 Mar 2001 16:18:43 +1100
Date:   Tue, 13 Mar 2001 16:18:42 +1100 (EST)
From:   Neale Banks <neale@lowendale.com.au>
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
In-Reply-To: <Pine.GSO.4.21.0103122126290.23825-100000@zifnab.scheol.hm>
Message-ID: <Pine.LNX.4.05.10103131609350.13730-100000@marina.lowendale.com.au>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Mon, 12 Mar 2001, Coltrey Mather wrote:

> On Mon, 12 Mar 2001, Tracy R Reed wrote:
> 
> > Is there really any reason to require programs to be run as root to bind
> > to ports <1024 anymore? I was just discussing this with some friends after
> > the regular LUG meeting at Denny's the other day. That's where the best
> > LUG conversation happens. :) There used to be a good reason for it but
> > nowadays it seems like an unnecessary liability. Fixing this is probably a
> > very simple little patch. 
> 
> I think it would be better if there were an option to allow non-root
> access to certain ports (controlled by some file in /proc/sys/ perhaps?).

So long as:

1) existing behaviour remains default

2) only root can make this adjustment ;-)

> I wouldn't want a malicious shell user on my system (I only use ssh for 
> logins) to run a fake telnet server on port 23 to confuse other users and
> collect passwords.  The potential for a malicious user to abuse trust that
> people have in standard system services is something to take into
> consideration for something like this.

Good point.  But it doesn't necessarily follow that root-user privs are
required to enforce this.

> Perhaps in addition to just filtering by user, there should be a method to
> filter by application.  e.g.: only a certain piece of software could bind
> to a port...'though I'm not sure if/how that could be implemented. (maybe
> have the kernel check the commandline of the process against a list of
> allowed commands in /proc/ somewhere.)  One could also combine some sort
> of signature verification with this so the kernel can determine if the
> application has been modified.

"filter by application" could indeed be a bit tricky - and security is
often (always?) easier to maintain in "simple" systems.

How about starting with "group" permissions?  There's a few ways this
could be implemented, starting with something really simple like
membership of group 0 (or 1?) being sufficient for binding to a port.

More elaborate schemes might do something like representing the TCP and
UDP port-space in a virtual file system and allowing the nodes therein to
have their permissions changed.

On a more down-to-earth level, how many distro's can run out-of-the box
without inetd?  Or at least without portmapper?

Regards,
Neale.


From owner-securedistros@nl.linux.org Tue Mar 13 06:42:00 2001
Received: by humbolt.nl.linux.org id <S92185AbRCMFkt>;
	Tue, 13 Mar 2001 06:40:49 +0100
Received: from alcove.wittsend.com ([130.205.0.20]:37524 "EHLO
        alcove.wittsend.com") by humbolt.nl.linux.org with ESMTP
	id <S92181AbRCMFkO>; Tue, 13 Mar 2001 06:40:14 +0100
Received: (from mhw@localhost)
	by alcove.wittsend.com (8.9.3/8.9.3) id AAA11208
	for securedistros@nl.linux.org; Tue, 13 Mar 2001 00:39:53 -0500
Date:   Tue, 13 Mar 2001 00:39:51 -0500
From:   "Michael H. Warfield" <mhw@wittsend.com>
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
Message-ID: <20010313003951.A24053@alcove.wittsend.com>
References: <20010312154024.J13139@ultraviolet.org> <Pine.LNX.4.21.0103122350260.2102-100000@imladris.rielhome.conectiva> <20010312201351.A30218@ultraviolet.org> <3AADAB1C.3D45AAC3@wirex.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.2i
In-Reply-To: <3AADAB1C.3D45AAC3@wirex.com>; from crispin@wirex.com on Mon, Mar 12, 2001 at 09:07:41PM -0800
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Mon, Mar 12, 2001 at 09:07:41PM -0800, Crispin Cowan wrote:
> Tracy R Reed wrote:
> 
> > Is there really any reason to require programs to be run as root to bind
> > to ports <1024 anymore? I was just discussing this with some friends after
> > the regular LUG meeting at Denny's the other day. That's where the best
> > LUG conversation happens. :) There used to be a good reason for it but
> > nowadays it seems like an unnecessary liability. Fixing this is probably a
> > very simple little patch.

> How else would you (say) enforce that only the Duly Authorized Mailserver is
> the one listening to example.com:25 ?  If anyone can bind to port 25, then
> anyone can kick the authorized mail server over (go find some DoS) and start
> your own mail server.  Repeat as necessary for various other important
> services that bind to well-known ports <1024.

	Capabilities specifically enabling an application to bind to
a specific port?

> Did your Denny's study group :-) have a solution to this problem?  NT doesn't
> enforce this restriction, but NT sucks anyway :-)

> Crispin

> --
> Crispin Cowan, Ph.D.
> Chief Research Scientist, WireX Communications, Inc. http://wirex.com
> Free Hardened Linux Distribution:                    http://immunix.org

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!


From owner-securedistros@nl.linux.org Tue Mar 13 06:50:38 2001
Received: by humbolt.nl.linux.org id <S92225AbRCMFtY>;
	Tue, 13 Mar 2001 06:49:24 +0100
Received: from brutus.conectiva.com.br ([200.250.58.146]:53491 "HELO
        burns.conectiva") by humbolt.nl.linux.org with SMTP
	id <S92216AbRCMFtI>; Tue, 13 Mar 2001 06:49:08 +0100
Received: (qmail 8518 invoked by uid 0); 13 Mar 2001 05:48:23 -0000
Received: from dial10.ras.conectiva (HELO imladris.rielhome.conectiva) (root@10.0.8.10)
  by burns.conectiva with SMTP; 13 Mar 2001 05:48:23 -0000
Received: from localhost (IDENT:riel@localhost [127.0.0.1])
	by imladris.rielhome.conectiva (8.11.1/8.11.1) with ESMTP id f2D5n3417334;
	Tue, 13 Mar 2001 02:49:03 -0300
Date:   Tue, 13 Mar 2001 02:49:03 -0300 (BRST)
From:   Rik van Riel <riel@conectiva.com.br>
X-Sender: riel@imladris.rielhome.conectiva
To:     securedistros@nl.linux.org
cc:     andreas@conectiva.com.br
Subject: Re: Is this mail list dead?
In-Reply-To: <20010312201351.A30218@ultraviolet.org>
Message-ID: <Pine.LNX.4.21.0103130246570.2102-100000@imladris.rielhome.conectiva>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Mon, 12 Mar 2001, Tracy R Reed wrote:
> On Tue, Mar 13, 2001 at 12:03:44AM -0300, Rik van Riel wrote:
> > Is there anything I've forgotten to mention, or are there
> > other things needed to make Linux distro's more secure without
> > impacting functionality or ease-of-use ?
> 
> Is there really any reason to require programs to be run as root to
> bind to ports <1024 anymore?

No. I remember somebody mentioning a wrapper program to be able
to load eg. named with just CAP_NET_BIND_SERVICE set and no root
rights.

This keeps the SUID part down to just this (small) wrapper
program. Can anybody remember the name ??

Andreas, could we have this thing in Conectiva when we dig it
up ? ;)

regards,

Rik
--
Virtual memory is like a game you can't win;
However, without VM there's truly nothing to lose...

		http://www.surriel.com/
http://www.conectiva.com/	http://distro.conectiva.com.br/


From owner-securedistros@nl.linux.org Tue Mar 13 07:01:13 2001
Received: by humbolt.nl.linux.org id <S92232AbRCMF77>;
	Tue, 13 Mar 2001 06:59:59 +0100
Received: from wirex.com ([208.161.110.91]:47375 "EHLO mail.wirex.com")
	by humbolt.nl.linux.org with ESMTP id <S92231AbRCMF7i>;
	Tue, 13 Mar 2001 06:59:38 +0100
Received: from wirex.com (mithra.wirex.com [208.161.110.91])
	by mail.wirex.com (Postfix) with ESMTP id ECA853EC1A
	for <securedistros@nl.linux.org>; Mon, 12 Mar 2001 21:59:36 -0800 (PST)
Message-ID: <3AADB72A.AFA5A548@wirex.com>
Date:   Mon, 12 Mar 2001 21:59:07 -0800
From:   Crispin Cowan <crispin@wirex.com>
Organization: WireX Communications, Inc.
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.18-1_imnx_5_crispin i686)
X-Accept-Language: en
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
References: <20010312154024.J13139@ultraviolet.org> <Pine.LNX.4.21.0103122350260.2102-100000@imladris.rielhome.conectiva> <20010312201351.A30218@ultraviolet.org> <3AADAB1C.3D45AAC3@wirex.com> <20010313003951.A24053@alcove.wittsend.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

"Michael H. Warfield" wrote:

> On Mon, Mar 12, 2001 at 09:07:41PM -0800, Crispin Cowan wrote:
> > Tracy R Reed wrote:
> > > Is there really any reason to require programs to be run as root to bind
> > > to ports <1024 anymore? I was just discussing this with some friends after
> > > the regular LUG meeting at Denny's the other day. That's where the best
> > > LUG conversation happens. :) There used to be a good reason for it but
> > > nowadays it seems like an unnecessary liability. Fixing this is probably a
> > > very simple little patch.
> > How else would you (say) enforce that only the Duly Authorized Mailserver is
> > the one listening to example.com:25 ?  If anyone can bind to port 25, then
> > anyone can kick the authorized mail server over (go find some DoS) and start
> > your own mail server.  Repeat as necessary for various other important
> > services that bind to well-known ports <1024.
>
>         Capabilities specifically enabling an application to bind to
> a specific port?

Until you have a file system that supports extended attributes so as to store
capability bits (i.e. "SUID privileged port bit" instead of "SUID root") then you
need to require root to allow the application to set its own capabilities.  This
is an improvement over requiring root to bind to ports, but you still are
depending on the program to correctly drop privs.

Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution:                    http://immunix.org
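
The wrapper idea raised earlier in this thread and the privilege drop the message above says one still depends on, sketched as an added example (not code from any poster or project in this thread): start as root, switch to an unprivileged uid/gid while keeping only CAP_NET_BIND_SERVICE, then verify the drop before binding. The uid/gid 65534, loopback port 80 and all function names are assumptions of this sketch; it is Linux-only and assumes a single-threaded process.

```c
/* Added example: shed root but keep CAP_NET_BIND_SERVICE (Linux only). */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <grp.h>
#include <linux/capability.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#define BIND_BIT (1u << CAP_NET_BIND_SERVICE)  /* capability 10, held in word 0 */

/* Fill a capset() payload holding CAP_NET_BIND_SERVICE and nothing else. */
void build_bind_only(struct __user_cap_data_struct d[2])
{
    memset(d, 0, 2 * sizeof d[0]);
    d[0].permitted = BIND_BIT;
    d[0].effective = BIND_BIT;
}

/* 1 if the sets are exactly {CAP_NET_BIND_SERVICE} with nothing inheritable. */
int is_bind_only(const struct __user_cap_data_struct d[2])
{
    return d[0].permitted == BIND_BIT && d[0].effective == BIND_BIT &&
           d[0].inheritable == 0 && d[1].permitted == 0 &&
           d[1].effective == 0 && d[1].inheritable == 0;
}

/* Read this process's capability sets back from the kernel. */
int read_caps(struct __user_cap_data_struct d[2])
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(SYS_capget, &h, d);
}

/* Become uid/gid, keeping only the right to bind ports <1024.
 * Returns 0 only if the drop was applied AND verified; on -1 the
 * caller must exit rather than continue with unknown privileges. */
int drop_to_bind_only(uid_t uid, gid_t gid)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct want[2], got[2];

    if (uid == 0 || gid == 0) return -1;            /* refuse a no-op "drop" */
    /* Without KEEPCAPS, setuid() away from root clears every capability. */
    if (prctl(PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L) != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;         /* shed root's extra groups */
    if (setgid(gid) != 0) return -1;                /* gid before uid */
    if (setuid(uid) != 0) return -1;
    build_bind_only(want);
    if (syscall(SYS_capset, &h, want) != 0) return -1;
    if (prctl(PR_SET_KEEPCAPS, 0L, 0L, 0L, 0L) != 0) return -1;

    /* Verify instead of trusting the calls above. */
    if (setuid(0) == 0 || seteuid(0) == 0) return -1;   /* root must be gone */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (read_caps(got) != 0 || !is_bind_only(got)) return -1;
    return 0;
}

/* Bind a TCP socket on 127.0.0.1:port; returns the fd or -1. */
int bind_loopback(unsigned short port)
{
    struct sockaddr_in a;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_port = htons(port);
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&a, sizeof a) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    /* 65534 is "nobody" on many systems; assumed here for the demo. */
    if (drop_to_bind_only(65534, 65534) != 0) {
        fprintf(stderr, "privilege drop failed (must start as root)\n");
        return 1;
    }
    int fd = bind_loopback(80);   /* demo port, chosen for this sketch */
    printf("uid=%d, bind to 127.0.0.1:80 %s\n", (int)getuid(),
           fd >= 0 ? "ok" : "failed");
    return fd >= 0 ? 0 : 1;
}
```

The capabilities kept this way do not survive an exec() of another program, so the sketch covers a daemon dropping its own privileges rather than a wrapper launching an unmodified one.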


From owner-securedistros@nl.linux.org Tue Mar 13 07:12:54 2001
Received: by humbolt.nl.linux.org id <S92233AbRCMGLo>;
	Tue, 13 Mar 2001 07:11:44 +0100
Received: from [203.94.251.28] ([203.94.251.28]:54020 "EHLO
        mail.linux-delhi.org") by humbolt.nl.linux.org with ESMTP
	id <S92178AbRCMGLV>; Tue, 13 Mar 2001 07:11:21 +0100
Received: (from raju@localhost)
	by mail.linux-delhi.org (8.9.3/8.9.3) id LAA02915;
	Tue, 13 Mar 2001 11:39:18 +0530
From:   Raju Mathur <raju@linux-delhi.org>
Message-ID: <15021.47502.109676.172690@localhost.localdomain>
Date:   Tue, 13 Mar 2001 11:39:18 +0530 (IST)
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
In-Reply-To: <Pine.LNX.4.05.10103131609350.13730-100000@marina.lowendale.com.au>
References: <Pine.GSO.4.21.0103122126290.23825-100000@zifnab.scheol.hm>
	<Pine.LNX.4.05.10103131609350.13730-100000@marina.lowendale.com.au>
X-Mailer: VM 6.72 under 21.1 (patch 10) "Capitol Reef" XEmacs Lucid
Mime-Version: 1.0 (generated by tm-edit 1.5)
Content-Type: text/plain; charset=US-ASCII
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Hi,

Why would any non-system process /need/ to bind to a port below 1024?
Or has this question already been answered?

On a related note, IRIX (SGI) permits fine-grained access levels by
giving specific low-level permissions to processes (through the CAP_*
feature).  One of the permissions is that of being able to bind to a
port below 1024.  This is possibly true of other Unixen too.  Linux
also seems to support this feature, though I don't see much discussion
of its usage except for a few isolated posts and writeups at Bugtraq.
Isn't this what should be used to grant capabilities to processes
which need to run mainly with user privileges except for a few
system-level access requirements?  Sendmail comes to mind :-)

More information in /usr/include/linux/capability.h, man setcap.

Regards,

-- Raju

>>>>> "Neale" == Neale Banks <neale@lowendale.com.au> writes:

    Neale> On Mon, 12 Mar 2001, Coltrey Mather wrote:
    >> On Mon, 12 Mar 2001, Tracy R Reed wrote:
    >> 
    >> > Is there really any reason to require programs to be run as
    >> > root to bind to ports <1024 anymore? I was just discussing
    >> > this with some friends after the regular LUG meeting at
    >> > Denny's the other day. That's where the best LUG conversation
    >> > happens. :) There used to be a good reason for it but
    >> > nowadays it seems like an unnecessary liability. Fixing this is
    >> > probably a very simple little patch.
    >> 
    >> I think it would be better if there were an option to allow
    >> non-root access to certain ports (controlled by some file in
    >> /proc/sys/ perhaps?).

    Neale> So long as:

    Neale> 1) existing behaviour remains default

    Neale> 2) only root can make this adjustment ;-)

    >> I wouldn't want a malicious shell user on my system (I only use
    >> ssh for logins) to run a fake telnet server on port 23 to
    >> confuse other users and collect passwords.  The potential for a
    >> malicious user to abuse trust that people have in standard
    >> system services is something to take into consideration for
    >> something like this.

    Neale> Good point.  But it doesn't necessarily follow that
    Neale> root-user privs are required to enforce this.

    >> Perhaps in addition to just filtering by user, there should be
    >> a method to filter by application.  e.g.: only a certain piece
    >> of software could bind to a port...'though I'm not sure if/how
    >> that could be implemented. (maybe have the kernel check the
    >> commandline of the process against a list of allowed commands
    >> in /proc/ somewhere.)  One could also combine some sort of
    >> signature verification with this so the kernel can determine if
    >> the application has been modified.

    Neale> "filter by application" could indeed be a bit tricky - and
    Neale> security is often (always?) easier to maintain in "simple"
    Neale> systems.

    Neale> How about starting with "group" permissions?  There's a few
    Neale> ways this could be implemented, starting with something
    Neale> really simple like membership of group 0 (or 1?) being
    Neale> sufficient for binding to a port.

    Neale> More elaborate schemes might do something like representing
    Neale> the TCP and UDP port-space in a virtual file system and
    Neale> allowing the nodes therein to have their permissions
    Neale> changed.

    Neale> On a more down-to-earth level, how many distros can run
    Neale> out-of-the box without inetd?  Or at least without
    Neale> portmapper?

    Neale> Regards, Neale.

-- 
Raju Mathur          raju@kandalaya.org           http://kandalaya.org/

From owner-securedistros@nl.linux.org Tue Mar 13 07:38:04 2001
Received: by humbolt.nl.linux.org id <S92221AbRCMGgt>;
	Tue, 13 Mar 2001 07:36:49 +0100
Received: from dsl081-032-181-lax1.dsl-isp.net ([64.81.32.181]:15368 "HELO
        ultraviolet.org") by humbolt.nl.linux.org with SMTP
	id <S92178AbRCMGgU>; Tue, 13 Mar 2001 07:36:20 +0100
Received: (qmail 861 invoked by uid 500); 13 Mar 2001 06:36:47 -0000
Date:   Mon, 12 Mar 2001 22:36:47 -0800
From:   Tracy R Reed <treed@ultraviolet.org>
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
Message-ID: <20010312223647.B30218@ultraviolet.org>
References: <20010312154024.J13139@ultraviolet.org> <Pine.LNX.4.21.0103122350260.2102-100000@imladris.rielhome.conectiva> <20010312201351.A30218@ultraviolet.org> <3AADAB1C.3D45AAC3@wirex.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3AADAB1C.3D45AAC3@wirex.com>; from crispin@wirex.com on Mon, Mar 12, 2001 at 09:07:41PM -0800
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Mon, Mar 12, 2001 at 09:07:41PM -0800, Crispin Cowan wrote:
> How else would you (say) enforce that only the Duly Authorized Mailserver is
> the one listening to example.com:25 ?  If anyone can bind to port 25, then
> anyone can kick the authorized mail server over (go find some DoS) and start
> your own mail server.  Repeat as necessary for various other important
> services that bind to well-known ports <1024.

How do we prevent people from binding to the web proxy port? Or the MySQL
port? Or any number of other services above 1024? We don't, but this has
never posed a problem. It has long been the custom to run telnet on port
23 but the side effect of root-owned processes has cost us an awful lot.
I think it is time we changed that custom. The longer we wait the worse it
will be. I suspect far more will be lost through root exploits than will
be lost through rogue daemons. 

There are two answers:

1. Firewall off incoming traffic to unneeded ports.

2. Use public key crypto to verify that the host you are talking to really
is the correct host. This is the *right* solution IMHO. We don't make
nearly enough use of public key crypto for verifying identities. This is
the very reason it exists: to prove that the service you are talking to is
the correct one. If someone fired up their own ssh daemon on my port 22
incoming users would get a nastygram from their local ssh client when they
connected. Of course telnet and rlogin don't implement this but nobody
should be using those insecure protocols anyhow. :)

-- 
Tracy Reed      http://www.ultraviolet.org

From owner-securedistros@nl.linux.org Tue Mar 13 07:40:35 2001
Received: by humbolt.nl.linux.org id <S92216AbRCMGj2>;
	Tue, 13 Mar 2001 07:39:28 +0100
Received: from dsl081-032-181-lax1.dsl-isp.net ([64.81.32.181]:16136 "HELO
        ultraviolet.org") by humbolt.nl.linux.org with SMTP
	id <S92181AbRCMGjR>; Tue, 13 Mar 2001 07:39:17 +0100
Received: (qmail 894 invoked by uid 500); 13 Mar 2001 06:39:44 -0000
Date:   Mon, 12 Mar 2001 22:39:44 -0800
From:   Tracy R Reed <treed@ultraviolet.org>
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
Message-ID: <20010312223944.C30218@ultraviolet.org>
References: <Pine.GSO.4.21.0103122126290.23825-100000@zifnab.scheol.hm> <Pine.LNX.4.05.10103131609350.13730-100000@marina.lowendale.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <Pine.LNX.4.05.10103131609350.13730-100000@marina.lowendale.com.au>; from neale@lowendale.com.au on Tue, Mar 13, 2001 at 04:18:42PM +1100
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Tue, Mar 13, 2001 at 04:18:42PM +1100, Neale Banks wrote:
> "filter by application" could indeed be a bit tricky - and security is
> often (always?) easier to maintain in "simple" systems.

I really like LIDS (www.lids.org) because it allows you to give certain
applications the ability to bind to a port. You could allow the duly
authorized system daemons CAP_BIND (running as a normal user) but nothing
else could bind to any port anywhere.

> On a more down-to-earth level, how many distros can run out-of-the box
> without inetd?  Or at least without portmapper?

The vast majority *can* (and should) but none, to my knowledge, do. I had
a few go-arounds via email with the folks at RedHat a month or so ago when
that incredibly embarrassing (and entirely RedHat's fault) worm came about
a while back. They assured me that their next distribution would be
running few daemons out of the box.

-- 
Tracy Reed      http://www.ultraviolet.org

From owner-securedistros@nl.linux.org Tue Mar 13 07:43:37 2001
Received: by humbolt.nl.linux.org id <S92231AbRCMGma>;
	Tue, 13 Mar 2001 07:42:30 +0100
Received: from dsl081-032-181-lax1.dsl-isp.net ([64.81.32.181]:4875 "HELO
        ultraviolet.org") by humbolt.nl.linux.org with SMTP
	id <S92229AbRCMGmI>; Tue, 13 Mar 2001 07:42:08 +0100
Received: (qmail 1687 invoked by uid 500); 13 Mar 2001 06:42:22 -0000
Date:   Mon, 12 Mar 2001 22:42:22 -0800
From:   Tracy R Reed <treed@ultraviolet.org>
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
Message-ID: <20010312224222.D30218@ultraviolet.org>
References: <20010312154024.J13139@ultraviolet.org> <Pine.LNX.4.21.0103122350260.2102-100000@imladris.rielhome.conectiva> <20010312201351.A30218@ultraviolet.org> <3AADAB1C.3D45AAC3@wirex.com> <20010313003951.A24053@alcove.wittsend.com> <3AADB72A.AFA5A548@wirex.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3AADB72A.AFA5A548@wirex.com>; from crispin@wirex.com on Mon, Mar 12, 2001 at 09:59:07PM -0800
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Mon, Mar 12, 2001 at 09:59:07PM -0800, Crispin Cowan wrote:
> Until you have a file system that supports extended attributes so as to store
> capability bits (i.e. "SUID privileged port bit" instead of "SUID root") then you
> need to require root to allow the application to set its own capabilities.  This
> is an improvement over requiring root to bind to ports, but you still are
> depending on the program to correctly drop privs.

I've been playing with LIDS and I believe it does this perfectly and
without filesystem support.

-- 
Tracy Reed      http://www.ultraviolet.org

From owner-securedistros@nl.linux.org Tue Mar 13 07:44:46 2001
Received: by humbolt.nl.linux.org id <S92235AbRCMGn3>;
	Tue, 13 Mar 2001 07:43:29 +0100
Received: from dsl081-032-181-lax1.dsl-isp.net ([64.81.32.181]:9227 "HELO
        ultraviolet.org") by humbolt.nl.linux.org with SMTP
	id <S92229AbRCMGm6>; Tue, 13 Mar 2001 07:42:58 +0100
Received: (qmail 1920 invoked by uid 500); 13 Mar 2001 06:43:25 -0000
Date:   Mon, 12 Mar 2001 22:43:25 -0800
From:   Tracy R Reed <treed@ultraviolet.org>
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
Message-ID: <20010312224325.E30218@ultraviolet.org>
References: <Pine.GSO.4.21.0103122126290.23825-100000@zifnab.scheol.hm> <Pine.LNX.4.05.10103131609350.13730-100000@marina.lowendale.com.au> <15021.47502.109676.172690@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <15021.47502.109676.172690@localhost.localdomain>; from raju@linux-delhi.org on Tue, Mar 13, 2001 at 11:39:18AM +0530
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Tue, Mar 13, 2001 at 11:39:18AM +0530, Raju Mathur wrote:
> Why would any non-system process /need/ to bind to a port below 1024?
> Or has this question already been answered?

Just because it is a system process doesn't mean it has to run as root.
That's why.

> Isn't this what should be used to grant capabilities to processes
> which need to run mainly with user privileges except for a few
> system-level access requirements?  Sendmail comes to mind :-)

Yes.

-- 
Tracy Reed      http://www.ultraviolet.org

From owner-securedistros@nl.linux.org Tue Mar 13 07:59:47 2001
Received: by humbolt.nl.linux.org id <S92264AbRCMG6c>;
	Tue, 13 Mar 2001 07:58:32 +0100
Received: from gw.lowendale.com.au ([203.26.242.120]:18509 "EHLO
        marina.lowendale.com.au") by humbolt.nl.linux.org with ESMTP
	id <S92251AbRCMG6L>; Tue, 13 Mar 2001 07:58:11 +0100
Received: from localhost (neale@localhost)
	by marina.lowendale.com.au (8.9.3/8.9.3/Debian/GNU) with ESMTP id SAA14127;
	Tue, 13 Mar 2001 18:03:47 +1100
Date:   Tue, 13 Mar 2001 18:03:45 +1100 (EST)
From:   Neale Banks <neale@lowendale.com.au>
To:     securedistros@nl.linux.org
Subject: OT: www.lids.org (was:Re: Is this mail list dead?)
In-Reply-To: <20010312223944.C30218@ultraviolet.org>
Message-ID: <Pine.LNX.4.05.10103131800300.13730-100000@marina.lowendale.com.au>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Mon, 12 Mar 2001, Tracy R Reed wrote:

> I really like LIDS (www.lids.org)  [snip]

And the irony-of-the-week is that this site currently returns "Forbidden
You don't have permission to access / on this server."

Regards,
Neale (who found this an amusing end to a dreary work-day).


From owner-securedistros@nl.linux.org Tue Mar 13 08:08:50 2001
Received: by humbolt.nl.linux.org id <S92254AbRCMHHc>;
	Tue, 13 Mar 2001 08:07:32 +0100
Received: from dsl081-032-181-lax1.dsl-isp.net ([64.81.32.181]:46859 "HELO
        ultraviolet.org") by humbolt.nl.linux.org with SMTP
	id <S92244AbRCMHHK>; Tue, 13 Mar 2001 08:07:10 +0100
Received: (qmail 2293 invoked by uid 500); 13 Mar 2001 07:07:36 -0000
Date:   Mon, 12 Mar 2001 23:07:36 -0800
From:   Tracy R Reed <treed@ultraviolet.org>
To:     securedistros@nl.linux.org
Subject: Re: OT: www.lids.org (was:Re: Is this mail list dead?)
Message-ID: <20010312230736.G30218@ultraviolet.org>
References: <20010312223944.C30218@ultraviolet.org> <Pine.LNX.4.05.10103131800300.13730-100000@marina.lowendale.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <Pine.LNX.4.05.10103131800300.13730-100000@marina.lowendale.com.au>; from neale@lowendale.com.au on Tue, Mar 13, 2001 at 06:03:45PM +1100
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Tue, Mar 13, 2001 at 06:03:45PM +1100, Neale Banks wrote:
> And the irony-of-the-week is that this site currently returns "Forbidden
> You don't have permission to access / on this server."

That's how secure it is! ;)

-- 
Tracy Reed      http://www.ultraviolet.org

From owner-securedistros@nl.linux.org Tue Mar 13 08:10:31 2001
Received: by humbolt.nl.linux.org id <S92261AbRCMHJZ>;
	Tue, 13 Mar 2001 08:09:25 +0100
Received: from brutus.conectiva.com.br ([200.250.58.146]:62711 "HELO
        burns.conectiva") by humbolt.nl.linux.org with SMTP
	id <S92259AbRCMHJD>; Tue, 13 Mar 2001 08:09:03 +0100
Received: (qmail 16135 invoked by uid 0); 13 Mar 2001 07:07:58 -0000
Received: from dial10.ras.conectiva (HELO imladris.rielhome.conectiva) (root@10.0.8.10)
  by burns.conectiva with SMTP; 13 Mar 2001 07:07:58 -0000
Received: from localhost (IDENT:riel@localhost [127.0.0.1])
	by imladris.rielhome.conectiva (8.11.1/8.11.1) with ESMTP id f2D6Q5417492
	for <securedistros@nl.linux.org>; Tue, 13 Mar 2001 03:26:05 -0300
Date:   Tue, 13 Mar 2001 03:26:05 -0300 (BRST)
From:   Rik van Riel <riel@conectiva.com.br>
X-Sender: riel@imladris.rielhome.conectiva
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
In-Reply-To: <3AADB72A.AFA5A548@wirex.com>
Message-ID: <Pine.LNX.4.21.0103130324110.2102-100000@imladris.rielhome.conectiva>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Mon, 12 Mar 2001, Crispin Cowan wrote:

> Until you have a file system that supports extended attributes
> so as to store capability bits

I wonder if there's any development going on on this front ...

AFAIK extended attributes _are_ planned for Linux 2.5, so it
would be nice if there was code to store capabilities in them.

(then again, even if the extended attributes won't work out, we
should still use the capabilities, if even through a wrapper
script or a layering filesystem)

regards,

Rik
--
Virtual memory is like a game you can't win;
However, without VM there's truly nothing to lose...

		http://www.surriel.com/
http://www.conectiva.com/	http://distro.conectiva.com.br/


From owner-securedistros@nl.linux.org Tue Mar 13 08:15:07 2001
Received: by humbolt.nl.linux.org id <S92262AbRCMHNq>;
	Tue, 13 Mar 2001 08:13:46 +0100
Received: from wirex.com ([208.161.110.91]:15121 "EHLO mail.wirex.com")
	by humbolt.nl.linux.org with ESMTP id <S92273AbRCMHNJ>;
	Tue, 13 Mar 2001 08:13:09 +0100
Received: from wirex.com (mithra.wirex.com [208.161.110.91])
	by mail.wirex.com (Postfix) with ESMTP id B2E183EC1A
	for <securedistros@nl.linux.org>; Mon, 12 Mar 2001 23:13:06 -0800 (PST)
Message-ID: <3AADC864.604A7FF6@wirex.com>
Date:   Mon, 12 Mar 2001 23:12:36 -0800
From:   Crispin Cowan <crispin@wirex.com>
Organization: WireX Communications, Inc.
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.18-1_imnx_5_crispin i686)
X-Accept-Language: en
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: OT: www.lids.org (was:Re: Is this mail list dead?)
References: <Pine.LNX.4.05.10103131800300.13730-100000@marina.lowendale.com.au>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Neale Banks wrote:

> On Mon, 12 Mar 2001, Tracy R Reed wrote:
>
> > I really like LIDS (www.lids.org)  [snip]
>
> And the irony-of-the-week is that this site currently returns "Forbidden
> You don't have permission to access / on this server."

Furthering the irony, near as I can tell LIDS took its application-oriented
model from SubDomain  http://immunix.org/subdomain.html

Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution:                    http://immunix.org


From owner-securedistros@nl.linux.org Tue Mar 13 08:59:34 2001
Received: by humbolt.nl.linux.org id <S92258AbRCMH6M>;
	Tue, 13 Mar 2001 08:58:12 +0100
Received: from colombina.comedia.it ([213.246.1.10]:8021 "EHLO
        colombina.comedia.it") by humbolt.nl.linux.org with ESMTP
	id <S92260AbRCMH57>; Tue, 13 Mar 2001 08:57:59 +0100
Received: by colombina.comedia.it (Postfix, from userid 506)
	id 26B7F508D; Tue, 13 Mar 2001 07:57:57 +0000 ()
Date:   Tue, 13 Mar 2001 08:57:57 +0100
From:   Luca Berra <bluca@comedia.it>
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
Message-ID: <20010313085757.C28227@colombina.comedia.it>
Mail-Followup-To: securedistros@nl.linux.org
References: <20010312201351.A30218@ultraviolet.org> <Pine.LNX.4.21.0103130246570.2102-100000@imladris.rielhome.conectiva>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <Pine.LNX.4.21.0103130246570.2102-100000@imladris.rielhome.conectiva>; from riel@conectiva.com.br on Tue, Mar 13, 2001 at 02:49:03AM -0300
X-Operating-System: Linux colombina.comedia.it 2.0.36 i586
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Tue, Mar 13, 2001 at 02:49:03AM -0300, Rik van Riel wrote:
> On Mon, 12 Mar 2001, Tracy R Reed wrote:
> > On Tue, Mar 13, 2001 at 12:03:44AM -0300, Rik van Riel wrote:
> > > Is there anything I've forgotten to mention, or are there
> > > other things needed to make Linux distros more secure without
> > > impacting functionality or ease-of-use ?
> > 
> > Is there really any reason to require programs to be run as root to
> > bind to ports <1024 anymore?
> 
> No. I remember somebody mentioning a wrapper program to be able
> to load eg. named with just CAP_NET_BIND_SERVICE set and no root
> rights.
> 
> This keeps the SUID part down to just this (small) wrapper
> program. Can anybody remember the name ??
Compartment
http://www.suse.de/~marc/SuSE.html

-- 
Luca Berra -- bluca@comedia.it
        Communication Media & Services S.r.l.
 /"\
 \ /     ASCII RIBBON CAMPAIGN
  X        AGAINST HTML MAIL
 / \
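
The wrapper idea quoted above (root only long enough to hand a daemon CAP_NET_BIND_SERVICE), together with the concern raised elsewhere in the thread that the program must drop privileges correctly, as an added example that is not code from the thread or from the Compartment tool. The function names, the raw capset() call in place of libcap, and uid/gid 65534 are assumptions of this sketch; the /proc status text is constructed sample data.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <ctype.h>
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <linux/capability.h>

#define BIND_BIT (1ULL << CAP_NET_BIND_SERVICE)   /* capability 10 -> 0x400 */

/* Set permitted and effective to exactly `mask`; inheritable stays empty. */
static int set_caps(unsigned long long mask)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    data[0].effective = data[0].permitted = (__u32)(mask & 0xffffffffu);
    data[1].effective = data[1].permitted = (__u32)(mask >> 32);
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Called as root: switch to uid/gid but keep only the low-port bind right.
 * Returns 0 on success, -1 at the first step that fails. */
int drop_root_keep_bind(uid_t uid, gid_t gid)
{
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1; /* keep permitted set across setuid */
    if (setgroups(0, NULL) != 0) return -1;                 /* shed supplementary groups first */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;                        /* clears the effective set */
    if (set_caps(BIND_BIT) != 0) return -1;                 /* re-raise one capability, discard the rest */
    if (setuid(0) == 0) { errno = EPERM; return -1; }       /* verify root cannot be regained */
    return 0;
}

/* Bind a loopback TCP listener, then give up the bind capability too. */
int bind_then_drop_all(unsigned short port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 ||
        listen(fd, 16) != 0 || set_caps(0) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Audit side: pull the CapEff mask out of /proc/<pid>/status text. */
int parse_capeff(const char *status, unsigned long long *mask)
{
    const char *p = strstr(status, "CapEff:");
    if (p == NULL) return -1;
    p += strlen("CapEff:");
    while (*p == ' ' || *p == '\t') p++;
    if (!isxdigit((unsigned char)*p)) return -1;   /* empty field: do not read the next line */
    *mask = strtoull(p, NULL, 16);
    return 0;
}

/* 0: cannot bind below 1024; 1: holds only the bind right;
 * 2: holds the bind right plus other capabilities (e.g. still root). */
int classify_caps(unsigned long long eff)
{
    if (!(eff & BIND_BIT)) return 0;
    return (eff == BIND_BIT) ? 1 : 2;
}

int main(void)
{
    /* Constructed samples in /proc/<pid>/status format. */
    const char *wrapped = "Name:\tnamed\nUid:\t25\t25\t25\t25\nCapEff:\t0000000000000400\n";
    const char *as_root = "Name:\tnamed\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n";
    unsigned long long m;
    if (parse_capeff(wrapped, &m) == 0) printf("wrapped: class %d\n", classify_caps(m));
    if (parse_capeff(as_root, &m) == 0) printf("as root: class %d\n", classify_caps(m));
    if (geteuid() == 0) {   /* live run, root only; 65534 is an assumed unprivileged id */
        if (drop_root_keep_bind(65534, 65534) != 0) { perror("drop"); return 1; }
        int fd = bind_then_drop_all(80);
        printf("uid %d bound port 80: %s\n", (int)getuid(), fd >= 0 ? "yes" : "no");
    }
    return 0;
}
```

The audit half runs unprivileged; pointing parse_capeff() at the contents of /proc/<pid>/status for a live daemon shows whether it ended up in class 1 or is still carrying the full root set.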

From owner-securedistros@nl.linux.org Tue Mar 13 09:03:23 2001
Received: by humbolt.nl.linux.org id <S92249AbRCMIBm>;
	Tue, 13 Mar 2001 09:01:42 +0100
Received: from colombina.comedia.it ([213.246.1.10]:9045 "EHLO
        colombina.comedia.it") by humbolt.nl.linux.org with ESMTP
	id <S92178AbRCMIBP>; Tue, 13 Mar 2001 09:01:15 +0100
Received: by colombina.comedia.it (Postfix, from userid 506)
	id A73BC508D; Tue, 13 Mar 2001 08:01:13 +0000 ()
Date:   Tue, 13 Mar 2001 09:01:13 +0100
From:   Luca Berra <bluca@comedia.it>
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
Message-ID: <20010313090113.D28227@colombina.comedia.it>
Mail-Followup-To: securedistros@nl.linux.org
References: <20010312154024.J13139@ultraviolet.org> <Pine.LNX.4.21.0103122350260.2102-100000@imladris.rielhome.conectiva> <20010312201351.A30218@ultraviolet.org> <3AADAB1C.3D45AAC3@wirex.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3AADAB1C.3D45AAC3@wirex.com>; from crispin@wirex.com on Mon, Mar 12, 2001 at 09:07:41PM -0800
X-Operating-System: Linux colombina.comedia.it 2.0.36 i586
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Mon, Mar 12, 2001 at 09:07:41PM -0800, Crispin Cowan wrote:
> How else would you (say) enforce that only the Duly Authorized Mailserver is
> the one listening to example.com:25 ?  If anyone can bind to port 25, then
> anyone can kick the authorized mail server over (go find some DoS) and start
> your own mail server.  Repeat as necessary for various other important
> services that bind to well-known ports <1024.
bah, there are a lot of services that start from port>1024 nowadays
i believe the < 1024 thing was for the benefit of things like
rlogin/rsh

L.
-- 
Luca Berra -- bluca@comedia.it
        Communication Media & Services S.r.l.
 /"\
 \ /     ASCII RIBBON CAMPAIGN
  X        AGAINST HTML MAIL
 / \

From owner-securedistros@nl.linux.org Tue Mar 13 09:09:03 2001
Received: by humbolt.nl.linux.org id <S92319AbRCMIHu>;
	Tue, 13 Mar 2001 09:07:50 +0100
Received: from [205.238.41.26] ([205.238.41.26]:43261 "EHLO
        rheingold.nakedape.cc") by humbolt.nl.linux.org with ESMTP
	id <S92312AbRCMIHb>; Tue, 13 Mar 2001 09:07:31 +0100
Received: by rheingold.nakedape.cc (Postfix, from userid 500)
	id D32ED8DD; Tue, 13 Mar 2001 00:07:00 -0800 (PST)
Date:   Tue, 13 Mar 2001 00:07:00 -0800
From:   Wil Cooley <wcooley@nakedape.cc>
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
Message-ID: <20010313000700.J25068@rheingold.nakedape.priv>
Mail-Followup-To: Wil Cooley <wcooley@nakedape.cc>,
	securedistros@nl.linux.org
References: <20010312201351.A30218@ultraviolet.org> <Pine.GSO.4.21.0103122126290.23825-100000@zifnab.scheol.hm>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="9Q2l3mYpK16UQ/iv"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <Pine.GSO.4.21.0103122126290.23825-100000@zifnab.scheol.hm>; from securedistros@cowsgomoo.org on Mon, Mar 12, 2001 at 09:37:15PM -0700
X-Operating-System: Linux rheingold 2.4.2
X-Secret-Message: If you can't read the body of this message, you're using a broken mailer.
X-WebTV-Stationery: Standard; BGColor=black; TextColor=black
X-URL:  http://nakedape.cc/~wcooley
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list


--9Q2l3mYpK16UQ/iv
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Thus spake Coltrey Mather:

> I think it would be better if there were an option to allow non-root
> access to certain ports (controlled by some file in /proc/sys/
> perhaps?).

Didn't BSD have something like this, a net-devfs that allowed you to
access INET sockets as regular files?  Or am I perhaps just thinking
of some GNU awk extensions?  This seems like it would be a simpler
interface--with files you can just set their perms-- 'chown www
/dev/inet/eth0/port/80' (and you need something like devfsd to record
such changes so they're not lost between boots).

Wil
-- 
W. Reilly Cooley                         wcooley@nakedape.cc
Naked Ape Consulting                      http://nakedape.cc
LNXS: Linux/GNU for servers, networks, and   http://lnxs.org
people who take care of them.  *Now with integrated crypto!*
irc.openprojects.net                                   #lnxs

The public demands certainties;  it must be told definitely and a bit
raucously that this is true and that is false.  But there are no certainties.
		-- H.L. Mencken, "Prejudice"

--9Q2l3mYpK16UQ/iv
Content-Type: application/pgp-signature
Content-Disposition: inline


--9Q2l3mYpK16UQ/iv--

From owner-securedistros@nl.linux.org Tue Mar 13 11:11:28 2001
Received: by humbolt.nl.linux.org id <S92306AbRCMKKB>;
	Tue, 13 Mar 2001 11:10:01 +0100
Received: from wirex.com ([208.161.110.91]:12037 "EHLO mail.wirex.com")
	by humbolt.nl.linux.org with ESMTP id <S92290AbRCMKJo>;
	Tue, 13 Mar 2001 11:09:44 +0100
Received: from wirex.com (mithra.wirex.com [208.161.110.91])
	by mail.wirex.com (Postfix) with ESMTP id D291A3EC1A
	for <securedistros@nl.linux.org>; Tue, 13 Mar 2001 02:09:41 -0800 (PST)
Message-ID: <3AADF1C6.D5223178@wirex.com>
Date:   Tue, 13 Mar 2001 02:09:10 -0800
From:   Crispin Cowan <crispin@wirex.com>
Organization: WireX Communications, Inc.
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.18-1_imnx_5_crispin i686)
X-Accept-Language: en
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
References: <20010312154024.J13139@ultraviolet.org> <Pine.LNX.4.21.0103122350260.2102-100000@imladris.rielhome.conectiva> <20010312201351.A30218@ultraviolet.org> <3AADAB1C.3D45AAC3@wirex.com> <20010313090113.D28227@colombina.comedia.it>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Luca Berra wrote:

> On Mon, Mar 12, 2001 at 09:07:41PM -0800, Crispin Cowan wrote:
> > How else would you (say) enforce that only the Duly Authorized Mailserver is
> > the one listening to example.com:25 ?  If anyone can bind to port 25, then
> > anyone can kick the authorized mail server over (go find some DoS) and start
> > your own mail server.  Repeat as necessary for various other important
> > services that bind to well-known ports <1024.
> bah, there are a lot of services that start from port>1024 nowadays

No there aren't.  There are a lot of *servants* (peer-to-peer server/client
applications) that use high ports.  True *services* use well-defined ports below
1024, precisely so that they can be authoritative for that host.  If there are
true services using high ports, then they had *better* be using strong crypto
authentication (as was earlier suggested).  For reference, here's the port number
assignments  http://www.isi.edu/in-notes/iana/assignments/port-numbers


> i believe the < 1024 thing was for the benefit of things like
> rlogin/rsh

Where "things like" means "services", then yes :-)

Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution:                    http://immunix.org


From owner-securedistros@nl.linux.org Tue Mar 13 13:01:07 2001
Received: by humbolt.nl.linux.org id <S92324AbRCML7m>;
	Tue, 13 Mar 2001 12:59:42 +0100
Received: from [203.94.254.119] ([203.94.254.119]:23300 "EHLO
        mail.linux-delhi.org") by humbolt.nl.linux.org with ESMTP
	id <S92322AbRCML7Y>; Tue, 13 Mar 2001 12:59:24 +0100
Received: (from raju@localhost)
	by mail.linux-delhi.org (8.9.3/8.9.3) id RAA01845;
	Tue, 13 Mar 2001 17:28:44 +0530
From:   Raju Mathur <raju@linux-delhi.org>
Message-ID: <15022.2931.811500.729172@localhost.localdomain>
Date:   Tue, 13 Mar 2001 17:28:43 +0530 (IST)
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
In-Reply-To: <20010312224325.E30218@ultraviolet.org>
References: <Pine.GSO.4.21.0103122126290.23825-100000@zifnab.scheol.hm>
	<Pine.LNX.4.05.10103131609350.13730-100000@marina.lowendale.com.au>
	<15021.47502.109676.172690@localhost.localdomain>
	<20010312224325.E30218@ultraviolet.org>
X-Mailer: VM 6.72 under 21.1 (patch 10) "Capitol Reef" XEmacs Lucid
Mime-Version: 1.0 (generated by tm-edit 1.5)
Content-Type: text/plain; charset=US-ASCII
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Nono, you got the question wrong!  What I meant was, why should an
arbitrary user process need to bind to ports under 1024?  I can
understand processes providing WKS's needing to bind to
53/110/25/whatever, but why should a user-written daemon ever need to
do that?  If I write the next Gnutella or IRCd, I'll make sure that it
runs on port > 1024, wouldn't I?

Apart from that, I figured that the Linux CAP system seems at the
moment to only provide system-level capabilities, not at process level
as I first understood it to... I'd be glad to be told I'm wrong :)

Regards,

-- Raju

>>>>> "Tracy" == Tracy R Reed <treed@ultraviolet.org> writes:

    Tracy> On Tue, Mar 13, 2001 at 11:39:18AM +0530, Raju Mathur
    Tracy> wrote:
    >> Why would any non-system process /need/ to bind to a port below
    >> 1024?  Or has this question already been answered?

    Tracy> Just because it is a system process doesn't mean it has to
    Tracy> run as root.  That's why.

    >> Isn't this what should be used to grant capabilities to
    >> processes which need to run mainly with user privileges except
    >> for a few system-level access requirements?  Sendmail comes to
    >> mind :-)

    Tracy> Yes.

    Tracy> -- Tracy Reed http://www.ultraviolet.org

-- 
Raju Mathur          raju@kandalaya.org           http://kandalaya.org/
-
Securedistros: A common list for all secured Linux distributions
Archive:       http://humbolt.nl.linux.org/lists/

From owner-securedistros@nl.linux.org Tue Mar 13 13:15:25 2001
Received: by humbolt.nl.linux.org id <S92312AbRCMMOJ>;
	Tue, 13 Mar 2001 13:14:09 +0100
Received: from ecstasy.ksu.ru ([193.232.252.41]:56797 "EHLO ecstasy.ksu.ru")
	by humbolt.nl.linux.org with ESMTP id <S92215AbRCMMNs>;
	Tue, 13 Mar 2001 13:13:48 +0100
X-Pass-Through: Kazan State University network
Received: from ksu.ru (ic29.soros.ksu.ru [194.85.244.129])
	by ecstasy.ksu.ru (8.9.3/8.9.3) with ESMTP id PAA16940;
	Tue, 13 Mar 2001 15:03:01 +0300 (MSK)
Message-ID: <3AAE0C68.1030404@ksu.ru>
Date:   Tue, 13 Mar 2001 15:02:48 +0300
From:   Pedro Rosa <Pedro.Rosa@ksu.ru>
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-9mdksmp i686; en-US; 0.8) Gecko/20010216
X-Accept-Language: en, ru
MIME-Version: 1.0
To:     Chris <smithchr@mindspring.com>
CC:     securedistros@nl.linux.org, selinux@tycho.nsa.gov
Subject: Re: Is this mail list dead?
References: <Pine.LNX.4.32.0103121443130.16938-100000@arwin.microunity.com> <3AAD5908.73A44E4C@wirex.com> <20010312154024.J13139@ultraviolet.org> <3AADA219.2C4BC605@mindspring.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Chris wrote:

> Tracy R Reed wrote:
> 
>> On Mon, Mar 12, 2001 at 03:17:28PM -0800, Crispin Cowan wrote:
>> 
>>> It still seems to function, but the participants no longer seem
>>> interested in the charter.  It was supposed to be for cross-distro
>>> discussion of issues pertinent to security-oriented Linux distributions.
>>> Since the list was founded, some of those distros have died, and the new
>>> ones to come along (e.g. SELinux) don't seem to have joined.
>> 
>> Unfortunately, not many distros seem interested in security in general.
>> It's giving Linux a bad name.
> 
Frankly I consider that this is not a problem of Linux by itself.  
Distros are mostly a concept and a philosophy of use. And they try to be 
as broad as they can. However security is a specific and very particular 
task. One may try a few general ideas and produce a "secure" distro. But 
that cannot go far from a pilot test and no matter the way you cover the 
security problems you must consider it as a private and particular matter...

I would say that securing Linux in a distro structure would be the same 
as forcing C2 to every Windows install.... Yeah try to use such an 
install...

>> 
>> 
>> I've cc'd the selinux guys on this as an invite for some of them to join
>> the list.
>> 
>> --
>> Tracy Reed      http://www.ultraviolet.org
> 
> 
> There are still some people reading and monitoring.  I am
> just one who is interested in learning and have not had
> anything to add.

Yeap... But maybe people are waiting from the wrong side. Maybe the 
discussion should start in other way. Not about the distro but about 
such things as sfs, LIDS, SSH and similar. Not about creating a secure
distro but speaking about security methods and approaches. Then it is 
probable that these lists get alive... Really I have seen lots of talks 
about this BS carrying the name of "secure linux". There cannot be such 
a thing in Nature, no matter the dreams of millions to see Linux 
overcome Redmond's MazDie (well,  I also do have dreams about it). One 
thing that made me subscribe to selinux was the fact that NSA seems to 
approach the matter in the correct view. As they say (please correct me 
if not so) is the fact that selinux is just a pilot system. NOT a secure 
Linux distro. You may find approaches that may help you to secure your 
boxes or systems. But in the whole this system will barely be useful.

> 
> kegwasher

From owner-securedistros@nl.linux.org Tue Mar 13 13:30:10 2001
Received: by humbolt.nl.linux.org id <S92340AbRCMM3G>;
	Tue, 13 Mar 2001 13:29:06 +0100
Received: from perninha.conectiva.com.br ([200.250.58.156]:39946 "EHLO
        postfix.conectiva.com.br") by humbolt.nl.linux.org with ESMTP
	id <S92368AbRCMM2s>; Tue, 13 Mar 2001 13:28:48 +0100
Received: from pandora.distro.conectiva (pandora.distro.conectiva [10.0.17.30])
	by postfix.conectiva.com.br (Postfix) with ESMTP
	id C454D16B11; Tue, 13 Mar 2001 09:28:42 -0300 (EST)
Received: (from andreas@localhost)
	by pandora.distro.conectiva (8.11.2/8.9.3) id f2DCQXF25348;
	Tue, 13 Mar 2001 09:26:33 -0300
Date:   Tue, 13 Mar 2001 09:26:33 -0300
From:   Andreas Hasenack <andreas@conectiva.com.br>
To:     Rik van Riel <riel@conectiva.com.br>
Cc:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
Message-ID: <20010313092633.E24848@conectiva.com.br>
References: <20010312201351.A30218@ultraviolet.org> <Pine.LNX.4.21.0103130246570.2102-100000@imladris.rielhome.conectiva>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <Pine.LNX.4.21.0103130246570.2102-100000@imladris.rielhome.conectiva>; from riel@conectiva.com.br on Tue, Mar 13, 2001 at 02:49:03AM -0300
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Tue, Mar 13, 2001 at 02:49:03AM -0300, Rik van Riel wrote:
> On Mon, 12 Mar 2001, Tracy R Reed wrote:
> > On Tue, Mar 13, 2001 at 12:03:44AM -0300, Rik van Riel wrote:
> > > Is there anything I've forgotten to mention, or are there
> > > other things needed to make Linux distro's more secure without
> > > impacting functionality or ease-of-use ?
> > 
> > Is there really any reason to require programs to be run as root to
> > bind to ports <1024 anymore?
> 
> No. I remember somebody mentioning a wrapper program to be able
> to load eg. named with just CAP_NET_BIND_SERVICE set and no root
> rights.

Currently programs that do that have to rely on themselves to do it
right, that is, bind to the port and drop root privileges.
I think capabilities are really being forgotten. I can only remember
one program that uses them for security purposes, xntp, and from
a specific distro. It only has the CAP_SYS_TIME capability or something
like that so that it only has privileges to change the system clock.
I'll use it now, of course, for CL7.0.

> This keeps the SUID part down to just this (small) wrapper
> program. Can anybody remember the name ??

I don't, I'm sorry.

> 
> Andreas, could we have this thing in Conectiva when we dig it
> up ? ;)

Sure. But I would rather prefer to have more programs using capabilities,
even if only to find bugs in the capability feature... :)

libcap is already in the distro, let's start linking stuff to it! :)
-
Securedistros: A common list for all secured Linux distributions
Archive:       http://humbolt.nl.linux.org/lists/
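
The approach Rik and Andreas discuss above, as an added example (not code from the thread or from any program named in it): a daemon started as root switches to an unprivileged uid, keeps only CAP_NET_BIND_SERVICE, and then binds a port below 1024. It uses the raw capget/capset syscalls rather than libcap so that it builds on its own; uid/gid 65534 and port 1023 are assumed values.

```c
/* Added example: drop root, keep one capability, then bind a port < 1024. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <arpa/inet.h>
#include <grp.h>
#include <linux/capability.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Mask bit for capability number `cap` (CAP_NET_BIND_SERVICE is 10). */
static uint64_t cap_bit(int cap) { return (uint64_t)1 << cap; }

/* Read the calling process's effective capability set. */
static int get_effective(uint64_t *eff)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];

    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    *eff = ((uint64_t)data[1].effective << 32) | data[0].effective;
    return 0;
}

/* Set permitted = effective = mask and clear the inheritable set. */
static int set_caps(uint64_t mask)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];

    memset(data, 0, sizeof data);
    data[0].effective = data[0].permitted = (uint32_t)mask;
    data[1].effective = data[1].permitted = (uint32_t)(mask >> 32);
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

/* Become uid/gid for good, holding only CAP_NET_BIND_SERVICE afterwards.
 * Returns 0 on success, -1 if any step fails (the caller must then exit). */
static int drop_root_keep_bind(uid_t uid, gid_t gid)
{
    uint64_t keep = cap_bit(CAP_NET_BIND_SERVICE), eff = 0;

    /* Without KEEPCAPS, setuid() away from 0 clears every capability. */
    if (prctl(PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L) != 0)
        return -1;
    /* Groups first: setgroups/setgid need privileges that setuid removes. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* setuid cleared the effective set; shrink permitted, re-raise one bit. */
    if (set_caps(keep) != 0)
        return -1;
    prctl(PR_SET_KEEPCAPS, 0L, 0L, 0L, 0L);
    /* Verify instead of trusting: root must be unreachable, caps exact. */
    if (setuid(0) == 0 || get_effective(&eff) != 0 || eff != keep)
        return -1;
    return 0;
}

/* Bind a TCP listener on 127.0.0.1:port; returns the fd or -1. */
static int bind_loopback(uint16_t port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Assumed values: 65534 ("nobody" on many systems) and port 1023. */
    if (geteuid() != 0) {
        fprintf(stderr, "start as root; privileges are dropped before any work\n");
        return 1;
    }
    if (drop_root_keep_bind(65534, 65534) != 0) {
        perror("drop_root_keep_bind");
        return 1;
    }
    int fd = bind_loopback(1023);   /* privileged port, unprivileged uid */
    if (fd < 0) { perror("bind"); return 1; }
    printf("uid=%d listening on 127.0.0.1:1023\n", (int)getuid());
    close(fd);
    return 0;
}
```

Because the bind happens after the uid switch, a parsing or startup bug before the socket is opened runs with one capability instead of full root.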

From owner-securedistros@nl.linux.org Tue Mar 13 14:23:02 2001
Received: by humbolt.nl.linux.org id <S92335AbRCMNVm>;
	Tue, 13 Mar 2001 14:21:42 +0100
Received: from limousin.fr.clara.net ([212.43.194.10]:64524 "EHLO
        mail.fr.clara.net") by humbolt.nl.linux.org with ESMTP
	id <S92301AbRCMNVH>; Tue, 13 Mar 2001 14:21:07 +0100
Received: by mail.fr.clara.net (Postfix, from userid 5000)
	id 65542DA82; Tue, 13 Mar 2001 14:20:31 +0100 (CET)
References: <20010312201351.A30218@ultraviolet.org>
            <Pine.LNX.4.21.0103130246570.2102-100000@imladris.rielhome.conectiva>
            <20010313092633.E24848@conectiva.com.br>
In-Reply-To: <20010313092633.E24848@conectiva.com.br>
From:   jedi@claranet.fr
To:     securedistros@nl.linux.org
Cc:     Rik van Riel <riel@conectiva.com.br>
Subject: Re: Is this mail list dead?
Date:   Tue, 13 Mar 2001 13:20:31 GMT
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
X-Sender: jedi@claranet.fr
Message-Id: <20010313132031.65542DA82@mail.fr.clara.net>
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list


Andreas Hasenack wrote:

> Sure. But I would rather prefer to have more programs using capabilities,
> even if only to find bugs in the capability feature... :)

  PureFTPd ( http://www.pureftpd.org ) and ProFTPd ( http://www.proftpd.org
) also use capabilities.

--
	     -=- Frank DENIS aka Jedi/Sector One <j@c9x.org> -=-
      "If Bill Gates had a dime for every time a Windows box crashed...
		  ... Oh, wait a minute, he already does."


From owner-securedistros@nl.linux.org Tue Mar 13 15:47:50 2001
Received: by humbolt.nl.linux.org id <S92224AbRCMOp4>;
	Tue, 13 Mar 2001 15:45:56 +0100
Received: from colombina.comedia.it ([213.246.1.10]:6745 "EHLO
        colombina.comedia.it") by humbolt.nl.linux.org with ESMTP
	id <S92215AbRCMOpU>; Tue, 13 Mar 2001 15:45:20 +0100
Received: by colombina.comedia.it (Postfix, from userid 506)
	id 21FAF508D; Tue, 13 Mar 2001 14:45:13 +0000 ()
Date:   Tue, 13 Mar 2001 15:45:13 +0100
From:   Luca Berra <bluca@comedia.it>
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
Message-ID: <20010313154513.A30545@colombina.comedia.it>
Mail-Followup-To: securedistros@nl.linux.org
References: <20010312154024.J13139@ultraviolet.org> <Pine.LNX.4.21.0103122350260.2102-100000@imladris.rielhome.conectiva> <20010312201351.A30218@ultraviolet.org> <3AADAB1C.3D45AAC3@wirex.com> <20010313090113.D28227@colombina.comedia.it> <3AADF1C6.D5223178@wirex.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3AADF1C6.D5223178@wirex.com>; from crispin@wirex.com on Tue, Mar 13, 2001 at 02:09:10AM -0800
X-Operating-System: Linux colombina.comedia.it 2.0.36 i586
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Tue, Mar 13, 2001 at 02:09:10AM -0800, Crispin Cowan wrote:
> > bah, there are a lot of services that start from port>1024 nowadays
> 
> No there aren't.  There are a lot of *servants* (peer-to-peer server/client
> applications) that use high ports.  True *services* use well-defined ports below
> 1024, precisely so that they can be authoritative for that host.  If there are
> true services using high ports, then they had *better* be using strong crypto
> authentication (as was earlier suggested).  For reference, here's the port number
> assignments  http://www.isi.edu/in-notes/iana/assignments/port-numbers
i was thinking of radius, all databases, all backup software..
but maybe they are servants.
> 
> > i believe the < 1024 thing was for the benefit of things like
> > rlogin/rsh
> 
> Where "things like" means "services", then yes :-)
i mean that the client to these services may be trusted if it comes from
a port < 1024 from a "known" host.

i don't believe this security model has any chance nowadays.

L.

-- 
Luca Berra -- bluca@comedia.it
        Communication Media & Services S.r.l.
 /"\
 \ /     ASCII RIBBON CAMPAIGN
  X        AGAINST HTML MAIL
 / \

From owner-securedistros@nl.linux.org Tue Mar 13 17:39:24 2001
Received: by humbolt.nl.linux.org id <S92378AbRCMQiK>;
	Tue, 13 Mar 2001 17:38:10 +0100
Received: from neon-gw.transmeta.com ([209.10.217.66]:19727 "EHLO
        neon-gw.transmeta.com") by humbolt.nl.linux.org with ESMTP
	id <S92375AbRCMQhW>; Tue, 13 Mar 2001 17:37:22 +0100
Received: (from root@localhost)
	by neon-gw.transmeta.com (8.9.3/8.9.3) id IAA06018
	for <securedistros@nl.linux.org>; Tue, 13 Mar 2001 08:37:10 -0800
Received: from mailhost.transmeta.com(10.1.1.15) by neon-gw.transmeta.com via smap (V2.1)
	id xma006007; Tue, 13 Mar 01 08:36:46 -0800
Received: from transmeta.com (morgan-home.transmeta.com [10.8.21.6])
	by deepthought.transmeta.com (8.9.3/8.9.3) with ESMTP id IAA04812
	for <securedistros@nl.linux.org>; Tue, 13 Mar 2001 08:36:54 -0800 (PST)
Message-ID: <3AAE4CA6.734223F8@transmeta.com>
Date:   Tue, 13 Mar 2001 08:36:54 -0800
From:   Andrew Morgan <morgan@transmeta.com>
Organization: Transmeta Corp.
X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.16-3 i586)
X-Accept-Language: en
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
References: <Pine.LNX.4.21.0103130324110.2102-100000@imladris.rielhome.conectiva>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Rik van Riel wrote:
> 
> On Mon, 12 Mar 2001, Crispin Cowan wrote:
> 
> > Until you have a file system that supports extended attributes
> > so as to store capability bits
> 
> I wonder if there's any development going on on this front ...
> 
> AFAIK extended attributes _are_ planned for Linux 2.5, so it
> would be nice if there was code to store capabilities in them.

http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2-fcap/

Cheers

Andrew

> 
> (then again, even if the extended attributes won't work out, we
> should still use the capabilities, if even through a wrapper
> script or a layering filesystem)
> 
> regards,
> 
> Rik
> --
> Virtual memory is like a game you can't win;
> However, without VM there's truly nothing to lose...
> 
>                 http://www.surriel.com/
> http://www.conectiva.com/       http://distro.conectiva.com.br/

From owner-securedistros@nl.linux.org Tue Mar 13 20:59:47 2001
Received: by humbolt.nl.linux.org id <S92259AbRCMT6b>;
	Tue, 13 Mar 2001 20:58:31 +0100
Received: from deliverator.sgi.com ([204.94.214.10]:39983 "EHLO
        deliverator.sgi.com") by humbolt.nl.linux.org with ESMTP
	id <S92251AbRCMT6F>; Tue, 13 Mar 2001 20:58:05 +0100
Received: from cthulhu.engr.sgi.com (gate3-relay.engr.sgi.com [130.62.1.234]) by deliverator.sgi.com (980309.SGI.8.8.8-aspam-6.2/980310.SGI-aspam) via ESMTP id LAA02740; Tue, 13 Mar 2001 11:56:49 -0800 (PST)
	mail_from (casey@sgi.com)
Received: from sgi.com (sgigate.sgi.com [198.29.75.75])
	by cthulhu.engr.sgi.com (SGI-8.9.3/8.9.3) with ESMTP id LAA39694;
	Tue, 13 Mar 2001 11:57:58 -0800 (PST)
Message-ID: <3AAE7BC5.50DA0CB@sgi.com>
Date:   Tue, 13 Mar 2001 11:57:57 -0800
From:   Casey Schaufler <casey@sgi.com>
Organization: Silicon Graphics
X-Mailer: Mozilla 4.76C-SGI [en] (X11; I; IRIX 6.5-casey-root-4DMH IP32)
X-Accept-Language: en
MIME-Version: 1.0
To:     Pedro Rosa <Pedro.Rosa@ksu.ru>
CC:     Chris <smithchr@mindspring.com>, securedistros@nl.linux.org,
        selinux@tycho.nsa.gov
Subject: Re: Is this mail list dead?
References: <Pine.LNX.4.32.0103121443130.16938-100000@arwin.microunity.com> <3AAD5908.73A44E4C@wirex.com> <20010312154024.J13139@ultraviolet.org> <3AADA219.2C4BC605@mindspring.com> <3AAE0C68.1030404@ksu.ru>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Pedro Rosa wrote:

> I would say that securing Linux in a distro structure would be the same
> as forcing C2 to every Windows install.... Yeah try to use such an
> install...

Every commercial OS today has a C2 option. The lack
of a C2 version of Linux has been a serious inhibitor
to adoption in the marketplace. I would guess you're
referring to the first NT evaluation, which supported
no networking and no removable media. Building a C2
(CAPP in Common Criteria jargon) Linux distribution
is easier than getting corporate marketing types to
see the value. Say, I bet I know what You do!
 
-- 

Casey Schaufler				Manager, Trust Technology, SGI
casey@sgi.com				voice: 650.933.1634
casey_p@pager.sgi.com			Pager: 888.220.0607

From owner-securedistros@nl.linux.org Wed Mar 14 12:49:49 2001
Received: by humbolt.nl.linux.org id <S92355AbRCNLsj>;
	Wed, 14 Mar 2001 12:48:39 +0100
Received: from ecstasy.ksu.ru ([193.232.252.41]:668 "EHLO ecstasy.ksu.ru")
	by humbolt.nl.linux.org with ESMTP id <S92438AbRCNLsR>;
	Wed, 14 Mar 2001 12:48:17 +0100
X-Pass-Through: Kazan State University network
Received: from ksu.ru (ic29.soros.ksu.ru [194.85.244.129])
	by ecstasy.ksu.ru (8.9.3/8.9.3) with ESMTP id OAA08754;
	Wed, 14 Mar 2001 14:36:02 +0300 (MSK)
Message-ID: <3AAF579E.8070306@ksu.ru>
Date:   Wed, 14 Mar 2001 14:35:58 +0300
From:   Pedro Rosa <Pedro.Rosa@ksu.ru>
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-9mdksmp i686; en-US; 0.8) Gecko/20010216
X-Accept-Language: en, ru
MIME-Version: 1.0
CC:     Chris <smithchr@mindspring.com>, securedistros@nl.linux.org,
        selinux <selinux@tycho.nsa.gov>
Subject: Re: Is this mail list dead?
References: <Pine.LNX.4.32.0103121443130.16938-100000@arwin.microunity.com> <3AAD5908.73A44E4C@wirex.com> <20010312154024.J13139@ultraviolet.org> <3AADA219.2C4BC605@mindspring.com> <3AAE0C68.1030404@ksu.ru> <3AAE7BC5.50DA0CB@sgi.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
To:     unlisted-recipients:; (no To-header on input)
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Casey Schaufler wrote:

> Pedro Rosa wrote:
> 
>> I would say that securing Linux in a distro structure would be the same
>> as forcing C2 to every Windows install.... Yeah try to use such an
>> install...
> 
> 
> Every commercial OS today has a C2 option. The lack
> of a C2 version of Linux has been a serious inhibitor
> to adoption in the marketplace. I would guess you're
> referring to the first NT evaluation, which supported
> no networking and no removable media. Building a C2
> (CAPP in Common Criteria jargon) Linux distribution
> is easier than getting corporate marketing types to
> see the value. Say, I bet I know what You do!
>  


Well, first you may know that NT does not have C2 implemented from 
start. However its implementation is not an easy thing and it enters in 
conflict with many third-party programs. Even such things like Internet 
Explorer or MS Office cannot live under a C2 environment. However you 
may try a good effort to implement a middle solution, depending on your 
user's requirements and an evaluation of all security issues that come 
from easing the rules of the game.

You are right about the fact that Linux does not have a C2 
implementation. However is this thing needed? Frankly I had a moment 
where I needed a hard secured NT with C2 enforced to the maximum 
possible. Due to stability issues and a few serious security holes in 
the system, I had to drop out the project. Later, I  took Linux for a 
try in the same task. By taking the same requirements, I managed to 
produce a box quite near to the one I tried with NT. I should say I 
didn't follow C2 in this case, I just went for what was required to be 
secured and created a solution to manage it. Interesting to note that 
for nearly 1,5 year there was no break  in. This is not fully a virtue 
of the security implemented in the system (well the thing is quite 
weaker than C2) but it does not allow a break in in the first try.  

The lack of C2 on Linux sounds like a serious drawback. But how many 
commercial organisations do implement this thing? I wonder that even 
those who do really need it, barely realise that they have to seriously 
configure Windows for such task...

Anyway, I would defend the existence of C2. And I do think that things 
similar to C2 should be implemented on Linux (yes, it will be very hard 
to do this). But not as to give Linux a slogan "It's C2 certified!" but 
to answer particular requirements of users that do really need such 
stuff. Not everyone needs such certifications. and note that their 
implementation carries costs. Costs may be on performance (very high 
ones), flexibility and even stability. This last one may even turn a C2 
implementation into 0 as it was my case... A few system files broke 
after a crash, and the whole thing was completely accessible to anyone
who just pressed "Enter" in the login.

Ektanoor


From owner-securedistros@nl.linux.org Thu Mar 15 05:28:27 2001
Received: by humbolt.nl.linux.org id <S92193AbRCOE1J>;
	Thu, 15 Mar 2001 05:27:09 +0100
Received: from femail12.sdc1.sfba.home.com ([24.0.95.108]:3712 "EHLO
        femail12.sdc1.sfba.home.com") by humbolt.nl.linux.org with ESMTP
	id <S92184AbRCOE0z>; Thu, 15 Mar 2001 05:26:55 +0100
Received: from estephan1 ([24.7.124.245]) by femail12.sdc1.sfba.home.com
          (InterMail vM.4.01.03.00 201-229-121) with SMTP
          id <20010315042652.QXXI2254.femail12.sdc1.sfba.home.com@estephan1>
          for <securedistros@mail.nl.linux.org>;
          Wed, 14 Mar 2001 20:26:52 -0800
From:   "Edgar Stephan" <edstephan@home.com>
To:     <securedistros@nl.linux.org>
Subject: auth 8ed82802 subscribe securedistros edstephan@home.com
Date:   Wed, 14 Mar 2001 23:27:23 -0500
Message-ID: <FFEJLBIMBFBENKBEAHOJKEIGCNAA.edstephan@home.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Disposition-Notification-To: "Edgar Stephan" <edstephan@home.com>
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

auth 8ed82802 subscribe securedistros edstephan@home.com



From owner-securedistros@nl.linux.org Thu Mar 15 23:20:14 2001
Received: by humbolt.nl.linux.org id <S92180AbRCOWST>;
	Thu, 15 Mar 2001 23:18:19 +0100
Received: from perninha.conectiva.com.br ([200.250.58.156]:40208 "EHLO
        postfix.conectiva.com.br") by humbolt.nl.linux.org with ESMTP
	id <S92178AbRCOWRx>; Thu, 15 Mar 2001 23:17:53 +0100
Received: from pandora.distro.conectiva (pandora.distro.conectiva [10.0.17.30])
	by postfix.conectiva.com.br (Postfix) with ESMTP id 0BEA116B1F
	for <securedistros@nl.linux.org>; Thu, 15 Mar 2001 19:12:38 -0300 (EST)
Received: (from andreas@localhost)
	by pandora.distro.conectiva (8.11.2/8.9.3) id f2ECksp03123
	for securedistros@nl.linux.org; Wed, 14 Mar 2001 09:46:54 -0300
Date:   Wed, 14 Mar 2001 09:46:54 -0300
From:   Andreas Hasenack <andreas@conectiva.com.br>
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
Message-ID: <20010314094654.C2696@conectiva.com.br>
References: <Pine.LNX.4.32.0103121443130.16938-100000@arwin.microunity.com> <3AAD5908.73A44E4C@wirex.com> <20010312154024.J13139@ultraviolet.org> <3AADA219.2C4BC605@mindspring.com> <3AAE0C68.1030404@ksu.ru> <3AAE7BC5.50DA0CB@sgi.com> <3AAF579E.8070306@ksu.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.14i
In-Reply-To: <3AAF579E.8070306@ksu.ru>; from Pedro.Rosa@ksu.ru on Wed, Mar 14, 2001 at 02:35:58PM +0300
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Wed, Mar 14, 2001 at 02:35:58PM +0300, Pedro Rosa wrote:
> The lack of C2 on Linux sounds like a serious drawback. But how many 

I'm just curious.
What would it cost to have linux "tested" against C2? I mean, supposing
everything is in place and it's just a bureaucratic-thing that is missing,
what would it cost to have this compliance tested?

> to do this). But not as to give Linux a slogan "It's C2 certified!" but 
> to answer particular requirements of users that do really need such 
> stuff. Not everyone needs such certifications. and note that their 

That's how linux evolved. User's needs.


From owner-securedistros@nl.linux.org Fri Mar 16 00:17:44 2001
Received: by humbolt.nl.linux.org id <S92392AbRCOXQc>;
	Fri, 16 Mar 2001 00:16:32 +0100
Received: from sgi.SGI.COM ([192.48.153.1]:31337 "EHLO sgi.com")
	by humbolt.nl.linux.org with ESMTP id <S92319AbRCOXQC>;
	Fri, 16 Mar 2001 00:16:02 +0100
Received: from cthulhu.engr.sgi.com (cthulhu.engr.sgi.com [192.26.80.2]) 
	by sgi.com (980327.SGI.8.8.8-aspam/980304.SGI-aspam:
       SGI does not authorize the use of its proprietary
       systems or networks for unsolicited or bulk email
       from the Internet.) 
	via ESMTP id PAA00240
	for <securedistros@nl.linux.org>; Thu, 15 Mar 2001 15:15:51 -0800 (PST)
	mail_from (casey@sgi.com)
Received: from sgi.com (sgigate.sgi.com [198.29.75.75])
	by cthulhu.engr.sgi.com (SGI-8.9.3/8.9.3) with ESMTP id PAA83125
	for <securedistros@nl.linux.org>; Thu, 15 Mar 2001 15:15:45 -0800 (PST)
Message-ID: <3AB14D20.35589C7F@sgi.com>
Date:   Thu, 15 Mar 2001 15:15:44 -0800
From:   Casey Schaufler <casey@sgi.com>
Organization: Silicon Graphics
X-Mailer: Mozilla 4.76C-SGI [en] (X11; I; IRIX 6.5-casey-root-4DMH IP32)
X-Accept-Language: en
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
References: <Pine.LNX.4.32.0103121443130.16938-100000@arwin.microunity.com> <3AAD5908.73A44E4C@wirex.com> <20010312154024.J13139@ultraviolet.org> <3AADA219.2C4BC605@mindspring.com> <3AAE0C68.1030404@ksu.ru> <3AAE7BC5.50DA0CB@sgi.com> <3AAF579E.8070306@ksu.ru> <20010314094654.C2696@conectiva.com.br>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Andreas Hasenack wrote:

> I'm just curious.
> What would it cost to have linux "tested" against C2?

US$350,000 if the evaluation documents are already written,
US$800,000 additional if not. Give or take US$300,000
depending on the laboratory used.

> I mean, supposing
> everything is in place and it's just a bureaucratic-thing that is missing,
> what would it cost to have this compliance tested?

Not everything's in place yet. On the other hand, it's not
too far off.

-- 

Casey Schaufler				Manager, Trust Technology, SGI
casey@sgi.com				voice: 650.933.1634
casey_p@pager.sgi.com			Pager: 888.220.0607

From owner-securedistros@nl.linux.org Fri Mar 16 00:20:34 2001
Received: by humbolt.nl.linux.org id <S92183AbRCOXTb>;
	Fri, 16 Mar 2001 00:19:31 +0100
Received: from code.and.org ([63.113.167.33]:15577 "EHLO mail.and.org")
	by humbolt.nl.linux.org with ESMTP id <S92178AbRCOXTJ>;
	Fri, 16 Mar 2001 00:19:09 +0100
Received: from james by mail.and.org with local (Exim 3.12 #1)
	id 14dh1E-0008HF-00
	for securedistros@nl.linux.org; Thu, 15 Mar 2001 18:18:56 -0500
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
References: <20010312154024.J13139@ultraviolet.org>
	<Pine.LNX.4.21.0103122350260.2102-100000@imladris.rielhome.conectiva>
	<20010312201351.A30218@ultraviolet.org> <3AADAB1C.3D45AAC3@wirex.com>
	<20010313090113.D28227@colombina.comedia.it>
	<3AADF1C6.D5223178@wirex.com>
From:   James Antill <james@and.org>
Content-Type: text/plain; charset=US-ASCII
Date:   15 Mar 2001 18:18:55 -0500
In-Reply-To: Crispin Cowan's message of "Tue, 13 Mar 2001 02:09:10 -0800"
Message-ID: <nn1yryhb8g.fsf@code.and.org>
Lines:  36
User-Agent: Gnus/5.0807 (Gnus v5.8.7) XEmacs/21.1 (Capitol Reef)
MIME-Version: 1.0
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Crispin Cowan <crispin@wirex.com> writes:

> No there aren't.  There are a lot of *servants* (peer-to-peer server/client
> applications) that use high ports.  True *services* use well-defined ports below
> 1024, precisely so that they can be authoritative for that host.  If there are
> true services using high ports, then they had *better* be using strong crypto
> authentication (as was earlier suggested).  For reference, here's the port number
> assignments  http://www.isi.edu/in-notes/iana/assignments/port-numbers

 Lookup MySQL, oracle has one at 66 but a whole bunch over
1024. Postgres is listed as 5432 on my machine, but isn't listed above.

 More than a few proxies are on "webcache" (list as in both debian and
RH-7.0, but listed as "http-alt" at the above site) aka. 8080.

> > i believe the < 1024 thing was for the benefit of things like
> > rlogin/rsh

 It was a nice idea, for a bunch of things ... but it didn't scale.
 Pity portmapper was such a buggy POS really (and a little too late).

> Where "things like" means "services", then yes :-)

 Let's take an example that I'm pretty familiar with...
 If you have a MUD hosting box, then all the muds are going to be on
different user accounts ... and all going to be above 1024. Each of
these are services, and shouldn't interfere with each other.
 This problem is usually just hacked around by buying more equipment and
having each daemon on a separate machine, which is a major MS solution
to the problem.

-- 
# James Antill -- james@and.org
:0:
* ^From: .*james@and\.org
/dev/null

From owner-securedistros@nl.linux.org Fri Mar 16 13:35:29 2001
Received: by humbolt.nl.linux.org id <S92178AbRCPMd5>;
	Fri, 16 Mar 2001 13:33:57 +0100
Received: from perninha.conectiva.com.br ([200.250.58.156]:23827 "EHLO
        postfix.conectiva.com.br") by humbolt.nl.linux.org with ESMTP
	id <S92179AbRCPMdY>; Fri, 16 Mar 2001 13:33:24 +0100
Received: from burns.conectiva (burns.conectiva [10.0.0.4])
	by postfix.conectiva.com.br (Postfix) with SMTP id 8D43A16B4D
	for <securedistros@nl.linux.org>; Fri, 16 Mar 2001 09:33:20 -0300 (EST)
Received: (qmail 31093 invoked by uid 0); 16 Mar 2001 12:32:39 -0000
Received: from dial16.ras.conectiva (HELO imladris.rielhome.conectiva) (root@10.0.8.16)
  by burns.conectiva with SMTP; 16 Mar 2001 12:32:39 -0000
Received: from localhost (IDENT:riel@localhost [127.0.0.1])
	by imladris.rielhome.conectiva (8.11.1/8.11.1) with ESMTP id f2GCUc608809
	for <securedistros@nl.linux.org>; Fri, 16 Mar 2001 09:30:38 -0300
Date:   Fri, 16 Mar 2001 09:30:38 -0300 (BRST)
From:   Rik van Riel <riel@conectiva.com.br>
X-Sender: riel@imladris.rielhome.conectiva
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
In-Reply-To: <3AB14D20.35589C7F@sgi.com>
Message-ID: <Pine.LNX.4.21.0103160929460.5790-100000@imladris.rielhome.conectiva>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Thu, 15 Mar 2001, Casey Schaufler wrote:

> > I mean, supposing
> > everything is in place and it's just a bureaucratic-thing that is missing,
> > what would it cost to have this compliance tested?
> 
> Not everything's in place yet. On the other hand, it's not
> too far off.

If the C2 stuff isn't too intrusive, maybe we could even
try to convince Linus to get the (few?) kernel parts of it
into the kernel...

Rik
--
Virtual memory is like a game you can't win;
However, without VM there's truly nothing to lose...

		http://www.surriel.com/
http://www.conectiva.com/	http://distro.conectiva.com.br/


From owner-securedistros@nl.linux.org Fri Mar 16 15:51:58 2001
Received: by humbolt.nl.linux.org id <S92192AbRCPOup>;
	Fri, 16 Mar 2001 15:50:45 +0100
Received: from ecstasy.ksu.ru ([193.232.252.41]:60344 "EHLO ecstasy.ksu.ru")
	by humbolt.nl.linux.org with ESMTP id <S92185AbRCPOu1>;
	Fri, 16 Mar 2001 15:50:27 +0100
X-Pass-Through: Kazan State University network
Received: from ksu.ru (ic29.soros.ksu.ru [194.85.244.129])
	by ecstasy.ksu.ru (8.9.3/8.9.3) with ESMTP id RAA07321
	for <securedistros@nl.linux.org>; Fri, 16 Mar 2001 17:42:11 +0300 (MSK)
Message-ID: <3AB22644.9090202@ksu.ru>
Date:   Fri, 16 Mar 2001 17:42:12 +0300
From:   Pedro Rosa <Pedro.Rosa@ksu.ru>
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-9mdksmp i686; en-US; 0.8) Gecko/20010216
X-Accept-Language: en, ru
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
References: <Pine.LNX.4.21.0103160929460.5790-100000@imladris.rielhome.conectiva>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Rik van Riel wrote:

> 
> If the C2 stuff isn't too intrusive, maybe we could even
> try to convince Linus to get the (few?) kernel parts of it
> into the kernel...

I believe this is the point of what we SHOULDN'T do. Enforcing such
things like C2 into the kernel from start, can give a huge cost in
performance and may hinder other security schemes. C2 is one and only
one of the possible security schemes one may consider for his tasks.
And, by itself, C2 is quite costly to be implemented (time, performance,
stability and money are the factors). Frankly, I would apply C2 only and
exclusively in a very few cases.

A C2 implementation should be something like how we see LIDS, FreeSWAN
and other systems now - a patch. And give sysadmins/users the right to
choose what they need.  Don't think that such thing becomes only
valuable once Linus implements it as a main kernel feature. I do prefer
its relative "marginalisation" as this will force people to concentrate
their efforts in the specificities of the task. It is preferable to
fight incompatibilities rather than security breaches. When a security
tool becomes too broad for use and development, it will have a bigger
chance to be attacked, broken or bugged.  Setting C2 at the level of the
main kernel development will surely give ground to such danger. And then
don't be admired that someone suddenly says "it's not a bug but a
feature"...

> 
> 
> Rik
> --
> 
> 
Ektanoor


From owner-securedistros@nl.linux.org Fri Mar 16 16:30:14 2001
Received: by humbolt.nl.linux.org id <S92169AbRCPP3B>;
	Fri, 16 Mar 2001 16:29:01 +0100
Received: from beach.sctc.com ([192.55.214.50]:59627 "EHLO beach.sctc.com")
	by humbolt.nl.linux.org with ESMTP id <S92179AbRCPP2I>;
	Fri, 16 Mar 2001 16:28:08 +0100
Received: from beach.sctc.com (root@localhost)
	by beach.sctc.com with ESMTP id f2GFSuL03409
	for <securedistros@nl.linux.org>; Fri, 16 Mar 2001 09:28:56 -0600 (CST)
Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3])
	by beach.sctc.com with ESMTP id f2GFSuH03405
	for <securedistros@nl.linux.org>; Fri, 16 Mar 2001 09:28:56 -0600 (CST)
Received: from stpntmx03.sctc.com (stpntmx03.sctc.com [172.17.65.203]) by sphinx.sctc.com (8.8.8+Sun/8.7.3) with ESMTP id JAA27554 for <securedistros@nl.linux.org>; Fri, 16 Mar 2001 09:29:46 -0600 (CST)
Received: by stpntmx03.sctc.com with Internet Mail Service (5.5.2653.19)
	id <FNAYJ482>; Fri, 16 Mar 2001 09:29:48 -0600
Message-ID: <A77BEC1A2E6ED4118DD7006008C18DB873890A@stpntmx03.sctc.com>
From:   "Dowd, Alan" <alan_dowd@securecomputing.com>
To:     "'securedistros@nl.linux.org'" <securedistros@nl.linux.org>
Subject: C2 vs Common Criteria [was: RE: Is this mail list dead?]
Date:   Fri, 16 Mar 2001 09:29:39 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: multipart/alternative;
	boundary="----_=_NextPart_001_01C0AE2D.EA130410"
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list


------_=_NextPart_001_01C0AE2D.EA130410
Content-Type: text/plain;
	charset="iso-8859-1"

Folks,

Let's get one thing clear -- C2 is dead! This was a designation for a
combination of security features and development assurance processes that
were put forth in the Orange Book (DOD 5200.28-STD) in 1983. It is history!

The current international standard for security functionality and
development assurance is the Common Criteria v 2.1. This is a much different
beast and a much different certification process. The basic documentation
for the security specifications, assurance measures, and certification
methodology runs to 1000+ pages. There are vendors who provide courses just
to teach novices how to READ the specs. For comparison, the entire
specification of C2 (Controlled access protection) runs to 3 pages in the
December 1985 edition of the Orange Book. 

By its very nature, the open Linux we all know cannot be certified under the
Common Criteria -- the CC requires just too much formalized product
management. At best, a distribution vendor such as Mandrake could produce a
relatively frozen distribution that could be certified. But this would
require that the end user not modify the evaluated code base if s/he wanted
to preserve the evaluated rating.

For more information about the Common Criteria, point your browser at the
web site(s) for the U.S. Scheme (oversight agency) at:

	http://niap.nist.gov/ (NIAP)
	http://csrc.nist.gov/cc/ (NIST)
	http://www.radium.ncsc.mil/tpep/ (NSA)

For information about U.S. sponsored Protection Profiles, point your browser
at:

	http://www.iatf.net/protection_profiles/profiles.cfm

Please excuse the US-centric nature of the links; this is where I work and
these are the links I use. And, yes, I have performed development and
evaluation of products using both the Rainbow Series (Orange Book, C2) and
Common Criteria.

Regards,
	Al Dowd (who still has his complete set of the Rainbow Series)

> -----Original Message-----
> From: Rik van Riel [mailto:riel@conectiva.com.br]
> Sent: Friday, March 16, 2001 6:31 AM
> To: securedistros@nl.linux.org
> Subject: Re: Is this mail list dead?
> 
> 
> On Thu, 15 Mar 2001, Casey Schaufler wrote:
> 
> > > I mean, supposing
> > > > everything is in place and it's just a bureaucratic-thing that is missing,
> > > what would it cost to have this compliance tested?
> > 
> > Not everything's in place yet. On the other hand, it's not
> > too far off.
> 
> If the C2 stuff isn't too intrusive, maybe we could even
> try to convince Linus to get the (few?) kernel parts of it
> into the kernel...
> 
> Rik
> --

------_=_NextPart_001_01C0AE2D.EA130410--

From owner-securedistros@nl.linux.org Fri Mar 16 17:33:26 2001
Received: by humbolt.nl.linux.org id <S92231AbRCPQcI>;
	Fri, 16 Mar 2001 17:32:08 +0100
Received: from deliverator.sgi.com ([204.94.214.10]:17926 "EHLO
        deliverator.sgi.com") by humbolt.nl.linux.org with ESMTP
	id <S92179AbRCPQbg>; Fri, 16 Mar 2001 17:31:36 +0100
Received: from cthulhu.engr.sgi.com (gate3-relay.engr.sgi.com [130.62.1.234]) by deliverator.sgi.com (980309.SGI.8.8.8-aspam-6.2/980310.SGI-aspam) via ESMTP id IAA04028
	for <securedistros@nl.linux.org>; Fri, 16 Mar 2001 08:30:10 -0800 (PST)
	mail_from (casey@sgi.com)
Received: from sgi.com (sgigate.sgi.com [198.29.75.75])
	by cthulhu.engr.sgi.com (SGI-8.9.3/8.9.3) with ESMTP id IAA48368
	for <securedistros@nl.linux.org>; Fri, 16 Mar 2001 08:31:05 -0800 (PST)
Message-ID: <3AB23FC6.5A3CC01F@sgi.com>
Date:   Fri, 16 Mar 2001 08:31:02 -0800
From:   Casey Schaufler <casey@sgi.com>
Organization: Silicon Graphics
X-Mailer: Mozilla 4.76C-SGI [en] (X11; I; IRIX 6.5-casey-root-4DMH IP32)
X-Accept-Language: en
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
References: <Pine.LNX.4.21.0103160929460.5790-100000@imladris.rielhome.conectiva>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Rik van Riel wrote:

> If the C2 stuff isn't too intrusive, maybe we could even
> try to convince Linus to get the (few?) kernel parts of it
> into the kernel...

All part of Casey's Evil Plan For World Domination(tm).

-- 

Casey Schaufler				Manager, Trust Technology, SGI
casey@sgi.com				voice: 650.933.1634
casey_p@pager.sgi.com			Pager: 888.220.0607

From owner-securedistros@nl.linux.org Fri Mar 16 18:11:03 2001
Received: by humbolt.nl.linux.org id <S92275AbRCPRAg>;
	Fri, 16 Mar 2001 18:00:36 +0100
Received: from imladris.infradead.org ([194.205.184.45]:8715 "EHLO
        infradead.org") by humbolt.nl.linux.org with ESMTP
	id <S92249AbRCPQws>; Fri, 16 Mar 2001 17:52:48 +0100
Received: from pneumatic-tube.sgi.com ([204.94.214.22])
	by infradead.org with esmtp (Exim 3.20 #2)
	id 14dxQa-0007jS-00
	for securedistros@nl.linux.org; Fri, 16 Mar 2001 16:50:12 +0000
Received: from cthulhu.engr.sgi.com (gate3-relay.engr.sgi.com [130.62.1.234]) by pneumatic-tube.sgi.com (980327.SGI.8.8.8-aspam/980310.SGI-aspam) via ESMTP id IAA03482
	for <securedistros@nl.linux.org>; Fri, 16 Mar 2001 08:55:02 -0800 (PST)
	mail_from (casey@sgi.com)
Received: from sgi.com (sgigate.sgi.com [198.29.75.75])
	by cthulhu.engr.sgi.com (SGI-8.9.3/8.9.3) with ESMTP id IAA87213
	for <securedistros@nl.linux.org>; Fri, 16 Mar 2001 08:45:08 -0800 (PST)
Message-ID: <3AB24312.3F873E74@sgi.com>
Date:   Fri, 16 Mar 2001 08:45:06 -0800
From:   Casey Schaufler <casey@sgi.com>
Organization: Silicon Graphics
X-Mailer: Mozilla 4.76C-SGI [en] (X11; I; IRIX 6.5-casey-root-4DMH IP32)
X-Accept-Language: en
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
References: <Pine.LNX.4.21.0103160929460.5790-100000@imladris.rielhome.conectiva> <3AB22644.9090202@ksu.ru>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Pedro Rosa wrote:

> Enforcing such
> things like C2 into the kernel from start, can give a huge cost in
> performance and may hinder other security schemes.

What makes you think that meeting the C2 (CAPP in CCese)
requirements is going to have a "huge cost" in performance?
What makes you think it will hinder other security schemes?
I've been building C2 and B1 systems since the 80's and
although I've seen bad implementations have performance
impact, I've also seen good ones that do not.

> C2 is one and only
> one of the possible security schemes one may consider for his tasks.

True.

> And, by itself, C2 is quite costly to be implemented (time, performance,
> stability and money are the factors).

The kernel bit (security audit trail) is not so bad.
What are your stability issues?

> Frankly, I would apply C2 only and
> exclusively in a very few cases.

C2 provides basic system functionality. UserIDs, Discretionary
Access Control (e.g. mode bits) are things U2X users don't
even think about.

> A C2 implementation should be something like how we see LIDS, FreeSWAN
> and other systems now - a patch. And give sysadmins/users the right to
> choose what they need.  Don't think that such thing becomes only
> valuable once Linus implements it as a main kernel feature.

In Irix audit is a module you can choose at installation time.
On Linux, we expect to make it available as a loadable module.
Or, if you prefer, you can compile any trace of it out.

Any pervasive kernel facility, and audit will be, no
question about that, that you try to maintain on the side
gets broken every time someone changes anything. I have years
of experience on this, and can show you the scars.

> I do prefer
> its relative "marginalisation" as this will force people to concentrate
> their efforts in the specificities of the task. It is preferable to
> fight incompatibilities rather than security breaches. When a security
> tool becomes too broad for use and development, it will have a bigger
> chance to be attacked, broken or bugged.  Setting C2 at the level of the
> main kernel development will surely give ground to such danger.

I do not find this argument at all compelling.

-- 

Casey Schaufler				Manager, Trust Technology, SGI
casey@sgi.com				voice: 650.933.1634
casey_p@pager.sgi.com			Pager: 888.220.0607

From owner-securedistros@nl.linux.org Fri Mar 16 18:14:25 2001
Received: by humbolt.nl.linux.org id <S92235AbRCPRDb>;
	Fri, 16 Mar 2001 18:03:31 +0100
Received: from sgi.SGI.COM ([192.48.153.1]:43557 "EHLO sgi.com")
	by humbolt.nl.linux.org with ESMTP id <S92266AbRCPQ6l>;
	Fri, 16 Mar 2001 17:58:41 +0100
Received: from cthulhu.engr.sgi.com (cthulhu.engr.sgi.com [192.26.80.2]) 
	by sgi.com (980327.SGI.8.8.8-aspam/980304.SGI-aspam:
       SGI does not authorize the use of its proprietary
       systems or networks for unsolicited or bulk email
       from the Internet.) 
	via ESMTP id IAA00942
	for <securedistros@nl.linux.org>; Fri, 16 Mar 2001 08:57:56 -0800 (PST)
	mail_from (casey@sgi.com)
Received: from sgi.com (sgigate.sgi.com [198.29.75.75])
	by cthulhu.engr.sgi.com (SGI-8.9.3/8.9.3) with ESMTP id IAA76629
	for <securedistros@nl.linux.org>; Fri, 16 Mar 2001 08:57:52 -0800 (PST)
Message-ID: <3AB2460D.962AA90B@sgi.com>
Date:   Fri, 16 Mar 2001 08:57:49 -0800
From:   Casey Schaufler <casey@sgi.com>
Organization: Silicon Graphics
X-Mailer: Mozilla 4.76C-SGI [en] (X11; I; IRIX 6.5-casey-root-4DMH IP32)
X-Accept-Language: en
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: C2 vs Common Criteria [was: RE: Is this mail list dead?]
References: <A77BEC1A2E6ED4118DD7006008C18DB873890A@stpntmx03.sctc.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

> "Dowd, Alan" wrote:

> Let's get one thing clear -- C2 is dead!

Yes, but it lives on in the hearts of those of us
who have given of ourselves to make its short life
meaningful.

The NSA has produced a Common Criteria Protection Profile,
the Controlled Access Protection Profile (CAPP) which
replaces C2. All US requirements for C2 have been replaced
by CAPP.

I'm old, and use C2 when I mean CAPP sometimes.

> By its very nature, the open Linux we all know cannot be certified
> under the Common Criteria -- the CC requires just too much formalized
> product management. At best, a distribution vendor such as Mandrake
> could produce a relatively frozen distribution that could be
> certified. But this would require that the end user not modify the
> evaluated code base if s/he wanted to preserve the evaluated rating.

Goodness gracious, that's an old whine. They said the
exact same thing about U2X in the early eighties. Sun
is still trying to convince people that "It's too hard!".
If God had meant us to compute securely, He'd have given
us more prime numbers!

> For more information about the Common Criteria, point your browser at
> the web site(s) for the U.S. Scheme (oversight agency) at:
> 
>         http://niap.nist.gov/ (NIAP)
>         http://csrc.nist.gov/cc/ (NIST)
>         http://www.radium.ncsc.mil/tpep/ (NSA)
> 
> For information about U.S. sponsored Protection Profiles, point your
> browser at:
> 
>         http://www.iatf.net/protection_profiles/profiles.cfm

I recommend all these links. Lots of fun, and good bedtime reading.

-- 

Casey Schaufler				Manager, Trust Technology, SGI
casey@sgi.com				voice: 650.933.1634
casey_p@pager.sgi.com			Pager: 888.220.0607

From owner-securedistros@nl.linux.org Fri Mar 16 22:12:07 2001
Received: by humbolt.nl.linux.org id <S92252AbRCPVKl>;
	Fri, 16 Mar 2001 22:10:41 +0100
Received: from hilbert.umkc.edu ([134.193.4.60]:21519 "HELO tesla.umkc.edu")
	by humbolt.nl.linux.org with SMTP id <S92232AbRCPVKO>;
	Fri, 16 Mar 2001 22:10:14 +0100
Received: (qmail 53065 invoked from network); 16 Mar 2001 21:09:02 -0000
Received: from nicol1.umkc.edu (HELO kasey.umkc.edu) (david@134.193.4.62)
  by hilbert.umkc.edu with SMTP; 16 Mar 2001 21:09:02 -0000
Message-ID: <3AB280EF.370B7959@kasey.umkc.edu>
Date:   Fri, 16 Mar 2001 15:09:03 -0600
From:   "David L. Nicol" <david@kasey.umkc.edu>
Organization: University of Missouri - Kansas City   supercomputing infrastructure
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.4.0 i586)
X-Accept-Language: en
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
References: <Pine.LNX.4.21.0103160929460.5790-100000@imladris.rielhome.conectiva> <3AB22644.9090202@ksu.ru> <3AB24312.3F873E74@sgi.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Casey Schaufler wrote:

> Any pervasive kernel facility, and audit will be, no
> question about that, that you try to maintain on the side
> gets broken every time someone changes anything. I have years
> of experience on this, and can show you the scars.


Adding a standard framework for providing audit data seems like
it would be a small patch and might be accepted into Standard Kernel.

Has L.T. said specifically that he is against including a framework
for making audit info available?  "BSD Process Accounting" has been
there quite a while; what more, if you don't mind repeating what
can surely be found with an hour of RTFMing, would be required, that
BSD-PA does not provide, to have a C2-compliant audit trail?


From owner-securedistros@nl.linux.org Fri Mar 16 23:03:31 2001
Received: by humbolt.nl.linux.org id <S92225AbRCPWB0>;
	Fri, 16 Mar 2001 23:01:26 +0100
Received: from ecstasy.ksu.ru ([193.232.252.41]:56774 "EHLO ecstasy.ksu.ru")
	by humbolt.nl.linux.org with ESMTP id <S92217AbRCPWAr>;
	Fri, 16 Mar 2001 23:00:47 +0100
X-Pass-Through: Kazan State University network
Received: from ksu.ru (ic29.soros.ksu.ru [194.85.244.129])
	by ecstasy.ksu.ru (8.9.3/8.9.3) with ESMTP id AAA20287
	for <securedistros@nl.linux.org>; Sat, 17 Mar 2001 00:55:15 +0300 (MSK)
Message-ID: <3AB28BB6.1040303@ksu.ru>
Date:   Sat, 17 Mar 2001 00:55:02 +0300
From:   Pedro Rosa <Pedro.Rosa@ksu.ru>
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-9mdksmp i686; en-US; 0.8) Gecko/20010216
X-Accept-Language: en, ru
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
References: <Pine.LNX.4.21.0103160929460.5790-100000@imladris.rielhome.conectiva> <3AB22644.9090202@ksu.ru> <3AB24312.3F873E74@sgi.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Casey Schaufler wrote:

> Pedro Rosa wrote:
> 
>> Enforcing such
>> things like C2 into the kernel from start, can give a huge cost in
>> performance and may hinder other security schemes.
> 
> 
> What makes you think that meeting the C2 (CAPP in CCese)
> requirements is going to have a "huge cost" in performance?
> What makes you think it will hinder other security schemes?
> I've been building C2 and B1 systems since the 80's and
> although I've seen bad implementations have performance
> impact, I've also seen good ones that do not.

Note that Linux is not an OS with a very limited set of purposes. Don't
tell me that attempts to enforce a security scheme at core bottom will 
not hinder such sections like real-time or clusters. So I think it is 
too risky to put two things in one boat.

Yes, the position of C2 out of the core-bottom may hinder Linux, for the 
fact that it will never have a 99,99% secured architecture. However, I'm 
pretty convinced that 99,99% of its users wouldn't need such 
requirement. For such ultra-security there should be other OSes (OpenBSD 
for example).

On what concerns hindering other security systems, I consider the 
psychological point of view. I cannot consider C2 as a scheme "for all
cases". As an example among many. Well some people prefer to use "crack 
traps" rather than thinking about applying C2 to every user's brain... 
In fact this point is still the biggest security breach of all. And no 
matter how many threats and rays you spend on users, 99% of security 
breaches are caused by them...

Now why I am talking about this? Well, I saw a near C2 implementation.
The level of security was extrapolated to the impossible because there
was a series of rules and possibilities that were inter-exclusive. The
system was a monster and people felt like working in something worse
than the Gulag (and, oh damn, Democracy is now working here... So people
were talking the Hell about it) So the concept was completely changed.
Now people can do nearly all they may want from the system. With a very
small set of restrictions. To observe that people don't pass the limits
a few monitors and "traps" were set. They are mostly set to check for
attempts on setting trojans, viruses or break-ins.

Why this thing had started from C2? Because someone read about C2, about
the C2 implementations, about one thing that is "C2 compatible"... So
let's go on C2! Why? Because it is there from start and everyone speaks
about it... Why to break the head with other schemes, protocols,
methods? But it is amazing how this highly American protocol can turn a
whole network into a fascist concentration camp (it only lacked the
admins in Waffen SS uniforms). Well, the fault is not exactly on the
protocol itself...

> 
>> And, by itself, C2 is quite costly to be implemented (time, performance,
>> stability and money are the factors).
> 
> 
> The kernel bit (security audit trail) is not so bad.
> What are your stability issues?

Well in theory none. In practice, I'm pretty sure that it will take not
less than a year for an implementation to work out. That's pretty well 
seen on kernel development timelines.

> 
>> Frankly, I would apply C2 only and
>> exclusively in a very few cases.
> 
> 
> C2 provides basic system functionality. UserIDs, Discretionary
> Access Control (e.g. mode bits) are things U2X users don't
> even think about.

Correct. But there are many cases when these basic things are not even
needed. For example in my own machine... Why do I need C2 on my own 
machine?

> 
>> A C2 implementation should be something like how we see LIDS, FreeSWAN
>> and other systems now - a patch. And give sysadmins/users the right to
>> choose what they need.  Don't think that such thing becomes only
>> valuable once Linus implements it as a main kernel feature.
> 
> 
> In Irix audit is a module you can choose at installation time.
> On Linux, we expect to make it available as a loadable module.
> Or, if you prefer, you can compile any trace of it out.

Even a module gives a load on other pieces of the kernel. And note that 
we are speaking not about a device but about a concept that affects 
several sections of the kernel (file systems for example). You cannot 
implement such a protocol just by adding a module.

> 
> 
> Any pervasive kernel facility, and audit will be, no
> question about that, that you try to maintain on the side
> gets broken every time someone changes anything. I have years
> of experience on this, and can show you the scars.

Correct. And I think I see your scars. But I believe that the case of
good security demands a case of speciality. Adding something about
security to the main developer trend is nothing more than prestige.
Security should remain private and "specialized" to be security with a
big "S". And sincerely, I prefer the way Linus has dealt with this
lately. Some people consider that ACLs should be "NT-like" or
"Novell-like". Sincerely I think the problem does not end here but surely
I would use "Novell-like" ACLs among these two. They are more primitive,
basic, but much more flexible for use.  And answer for
99,999999999999999999% of my requirements. Really, some things should be
kept simple...

> 
>> I do prefer
>> its relative "marginalisation" as this will force people to concentrate
>> their efforts in the specificities of the task. It is preferable to
>> fight incompatibilities rather than security breaches. When a security
>> tool becomes too broad for use and development, it will have a bigger
>> chance to be attacked, broken or bugged.  Setting C2 at the level of the
>> main kernel development will surely give ground to such danger.
> 
> 
> I do not find this argument at all compelling
> 
You see, I am not talking that C2 does not rule, it's bad or needs Dirol 
to have good looking. What I am trying to tell is that, making it a 
"main trend", may hinder security tasks for which the protocol was never 
supposed to solve, but which people think it may work... And sorry, I 
can't see security as a Coca-Cola can. I surely shoot the first that 
shows me such a thing... That was one of the reasons why I sent nearly 3 
years of professional experience with one little program into the 
recycle bin (and completely wiped the recycle-bin with all its 
infrastructure)...

Ektanoor

-
Securedistros: A common list for all secured Linux distributions
Archive:       http://humbolt.nl.linux.org/lists/

From owner-securedistros@nl.linux.org Fri Mar 16 23:24:46 2001
Received: by humbolt.nl.linux.org id <S92274AbRCPWXl>;
	Fri, 16 Mar 2001 23:23:41 +0100
Received: from dsl081-032-181.lax1.dsl.speakeasy.net ([64.81.32.181]:16651
        "HELO ultraviolet.org") by humbolt.nl.linux.org with SMTP
	id <S92248AbRCPWX1>; Fri, 16 Mar 2001 23:23:27 +0100
Received: (qmail 29644 invoked by uid 500); 16 Mar 2001 22:23:48 -0000
Date:   Fri, 16 Mar 2001 14:23:48 -0800
From:   Tracy R Reed <treed@ultraviolet.org>
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
Message-ID: <20010316142348.B27137@ultraviolet.org>
References: <Pine.LNX.4.21.0103160929460.5790-100000@imladris.rielhome.conectiva> <3AB22644.9090202@ksu.ru> <3AB24312.3F873E74@sgi.com> <3AB28BB6.1040303@ksu.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3AB28BB6.1040303@ksu.ru>; from Pedro.Rosa@ksu.ru on Sat, Mar 17, 2001 at 12:55:02AM +0300
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Sat, Mar 17, 2001 at 12:55:02AM +0300, Pedro Rosa wrote:
> Note that Linux is not a OS with a very limited set of purposes. Don't 
> tell me that attempts to enforce a security scheme at core bottom will 
> not hinder such sections like real-time or clusters. So I think it is 
> too risky to put two things in one boat.

If it can be made a compile time option what have we got to lose? A LOT
more people will consider using these new features if they are part of the
kernel and visible in the make config. Linux is getting a horrible
reputation for security which can affect its adoption rate. We should be
doing everything possible to change that.

-- 
Tracy Reed      http://www.ultraviolet.org

From owner-securedistros@nl.linux.org Fri Mar 16 23:41:43 2001
Received: by humbolt.nl.linux.org id <S92259AbRCPWkj>;
	Fri, 16 Mar 2001 23:40:39 +0100
Received: from ecstasy.ksu.ru ([193.232.252.41]:56263 "EHLO ecstasy.ksu.ru")
	by humbolt.nl.linux.org with ESMTP id <S92258AbRCPWkI>;
	Fri, 16 Mar 2001 23:40:08 +0100
X-Pass-Through: Kazan State University network
Received: from ksu.ru (ic29.soros.ksu.ru [194.85.244.129])
	by ecstasy.ksu.ru (8.9.3/8.9.3) with ESMTP id BAA21334
	for <securedistros@nl.linux.org>; Sat, 17 Mar 2001 01:38:37 +0300 (MSK)
Message-ID: <3AB295EB.9000209@ksu.ru>
Date:   Sat, 17 Mar 2001 01:38:35 +0300
From:   Pedro Rosa <Pedro.Rosa@ksu.ru>
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-9mdksmp i686; en-US; 0.8) Gecko/20010216
X-Accept-Language: en, ru
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: C2 vs Common Criteria [was: RE: Is this mail list dead?]
References: <A77BEC1A2E6ED4118DD7006008C18DB873890A@stpntmx03.sctc.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Dowd, Alan wrote:

> By its very nature, the open Linux we all know cannot be certified 
> under the Common Criteria -- the CC requires just too much formalized 
> product management. At best, a distribution vendor such as Mandrake 
> could produce a relatively frozen distribution that could be 
> certified. But this would require that the end user not modify the 
> evaluated code base if s/he wanted to preserve the evaluated rating.
> 
A typical Mandrake distribution would barely be accepted for such thing 
as it is broad-user centered. Mandrake has lots of conceptual features 
that even go against some good traditionalisms of linux in this sphere. 
Besides, in my experience, I noted that Mandrake is quite hard to be 
controlled.

Anyway, I think that the Mandrake team has some chances to be nearer to 
produce a security-tight distro than others. But this can be done only 
if some mechanisms that ease user's life would be sacrificed for the 
sake of security. This mainly concerns the mess of the script structure 
that boots Mandrake. There are cases when you may jump to the shell by 
breaking the work of these scripts. Besides there are a few flaws on how 
linux loads on the typical RedHat's architecture (which Mandrake 
copies). Frankly the load process seriously needs a supervision if you 
have a critical task and you don't trust your neighbor. You need to 
check out Lilo (or Grub) to set a few restrictions. "init 1", depending 
on the distros produced lately, frequently loads without requiring 
passwd, so you have to check out this. There is a conceptual failure on 
how bash works, specially if you don't want user to interrupt the login 
process. On "init 5" it is good to have "reboot" right on the login 
window if you trust the user. But there are cases we don't trust even 
the power button to them... Returning to the booting process I would 
note that it is frequent to see the box killed by some "insignificant" 
daemon that doesn't load. 

Yes, Mandrake can be able to produce a secure linux for users. But they 
will need to produce a conception of security and only after this to 
start such distro. But only for a segment of the market. Really I don't 
need a super-secure-fortified Mandrake for my common everyday tasks.


Ektanoor
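
[Added example, not part of the original message: a defender-side check for two of the boot-time points raised above, the boot loader restrictions and single-user mode ("init 1") starting without a password. It assumes LILO's password= and restricted keywords and a sysvinit /etc/inittab with an sulogin entry; the function names and all file contents are constructed for illustration.]

```shell
#!/bin/sh
# Audit two boot-time settings on a LILO + sysvinit system.
# All sample files below are constructed; nothing is read from the real /etc.

# True when FILE has an active (uncommented) LILO "password=" line.
lilo_has_password() {
    grep -Eq '^[[:space:]]*password[[:space:]]*=' "$1"
}

# True when FILE has the "restricted" keyword (password is asked only
# when extra arguments are typed at the boot prompt).
lilo_is_restricted() {
    grep -Eq '^[[:space:]]*restricted[[:space:]]*$' "$1"
}

# True when FILE is readable by group or other (lilo.conf stores the
# boot password in plaintext, so it should be mode 600).
readable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \))" ]
}

# True when FILE has an inittab entry (id:runlevels:action:process)
# that runs sulogin for runlevel S, i.e. single-user mode asks for
# the root password before handing out a shell.
inittab_has_sulogin() {
    awk -F: '!/^[ \t]*#/ && $2 ~ /[Ss]/ && $4 ~ /sulogin/ { found = 1 }
             END { exit !found }' "$1"
}

# Print findings for a lilo.conf / inittab pair; return their count.
audit_boot() {
    lilo=$1; inittab=$2; findings=0
    if ! lilo_has_password "$lilo"; then
        echo "FINDING: $lilo: no password= line, boot prompt arguments are unchallenged"
        findings=$((findings + 1))
    else
        if readable_by_others "$lilo"; then
            echo "FINDING: $lilo: plaintext boot password readable by non-root users"
            findings=$((findings + 1))
        fi
        lilo_is_restricted "$lilo" ||
            echo "NOTE: $lilo: no 'restricted', so every boot needs the password"
    fi
    if ! inittab_has_sulogin "$inittab"; then
        echo "FINDING: $inittab: no sulogin entry, single-user mode gives a shell without a password"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Write constructed sample configurations into directory $1.
write_samples() {
    cat > "$1/lilo.weak" <<'EOF'
boot=/dev/hda
prompt
timeout=50
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
EOF
    cat > "$1/lilo.hard" <<'EOF'
boot=/dev/hda
prompt
timeout=50
password=CONSTRUCTED-PLACEHOLDER
restricted
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
EOF
    cat > "$1/inittab.weak" <<'EOF'
id:5:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l1:1:wait:/etc/rc.d/rc 1
# ~~:S:wait:/sbin/sulogin
EOF
    cat > "$1/inittab.hard" <<'EOF'
id:5:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
~~:S:wait:/sbin/sulogin
l1:1:wait:/etc/rc.d/rc 1
EOF
    cp "$1/lilo.hard" "$1/lilo.leaky"
    chmod 644 "$1/lilo.weak" "$1/lilo.leaky"
    chmod 600 "$1/lilo.hard"
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
audit_boot "$SAMPLES/lilo.weak" "$SAMPLES/inittab.weak" || echo "weak set: $? finding(s)"
audit_boot "$SAMPLES/lilo.hard" "$SAMPLES/inittab.hard" && echo "hardened set: clean"
```
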


From owner-securedistros@nl.linux.org Sat Mar 17 00:11:37 2001
Received: by humbolt.nl.linux.org id <S92233AbRCPXKa>;
	Sat, 17 Mar 2001 00:10:30 +0100
Received: from ecstasy.ksu.ru ([193.232.252.41]:32712 "EHLO ecstasy.ksu.ru")
	by humbolt.nl.linux.org with ESMTP id <S92232AbRCPXKG>;
	Sat, 17 Mar 2001 00:10:06 +0100
X-Pass-Through: Kazan State University network
Received: from ksu.ru (ic29.soros.ksu.ru [194.85.244.129])
	by ecstasy.ksu.ru (8.9.3/8.9.3) with ESMTP id CAA21956
	for <securedistros@nl.linux.org>; Sat, 17 Mar 2001 02:08:48 +0300 (MSK)
Message-ID: <3AB29CFF.4010805@ksu.ru>
Date:   Sat, 17 Mar 2001 02:08:47 +0300
From:   Pedro Rosa <Pedro.Rosa@ksu.ru>
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-9mdksmp i686; en-US; 0.8) Gecko/20010216
X-Accept-Language: en, ru
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
References: <Pine.LNX.4.21.0103160929460.5790-100000@imladris.rielhome.conectiva> <3AB22644.9090202@ksu.ru> <3AB24312.3F873E74@sgi.com> <3AB280EF.370B7959@kasey.umkc.edu>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

David L. Nicol wrote:

> 
> Adding a standard framework for providing audit data seems like
> it would be a small patch and might be accepted into Standard Kernel
> 
> Has L.T. said specifically that he is against including a framework
> for making audit info available?  "BSD Process Accounting" has been
> there quite a while; what more, if you  don't mind repeating what
> can surely be found with an hour of RTFMing, would be required, that
> BSD-PA does not provide, to have a C2-compliant audit trail?

Well, BSD-PA is far from being a desirable and stable system. One of the 
problems is that it does not report everything that happened on the 
machine. When a linux is heavily loaded by some process, BSD-PA starts 
getting amnesic. Besides, as any account system, it gives some overload 
on the machine and in some cases this gets quite undesirable for the 
user. And there are a few cases of serious crashes that surely can be 
blamed on the behaviour of BSD-PA, specially if a heavy cascade of 
processes is formed in short-time. The postmortem study of the logs and 
the state of the disks point to the fact that BSD sometimes gets in a 
run condition and freezes everything.

This was observed in 2.2 kernels. How's the state of affairs on 2.4 I 
can't say yet.

> 
Ektanoor


From owner-securedistros@nl.linux.org Sat Mar 17 00:42:00 2001
Received: by humbolt.nl.linux.org id <S92279AbRCPXkr>;
	Sat, 17 Mar 2001 00:40:47 +0100
Received: from ecstasy.ksu.ru ([193.232.252.41]:18377 "EHLO ecstasy.ksu.ru")
	by humbolt.nl.linux.org with ESMTP id <S92258AbRCPXkR>;
	Sat, 17 Mar 2001 00:40:17 +0100
X-Pass-Through: Kazan State University network
Received: from ksu.ru (ic29.soros.ksu.ru [194.85.244.129])
	by ecstasy.ksu.ru (8.9.3/8.9.3) with ESMTP id CAA22534
	for <securedistros@nl.linux.org>; Sat, 17 Mar 2001 02:33:55 +0300 (MSK)
Message-ID: <3AB2A2E2.8020606@ksu.ru>
Date:   Sat, 17 Mar 2001 02:33:54 +0300
From:   Pedro Rosa <Pedro.Rosa@ksu.ru>
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-9mdksmp i686; en-US; 0.8) Gecko/20010216
X-Accept-Language: en, ru
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
References: <Pine.LNX.4.21.0103160929460.5790-100000@imladris.rielhome.conectiva> <3AB22644.9090202@ksu.ru> <3AB24312.3F873E74@sgi.com> <3AB28BB6.1040303@ksu.ru> <20010316142348.B27137@ultraviolet.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Tracy R Reed wrote:

> On Sat, Mar 17, 2001 at 12:55:02AM +0300, Pedro Rosa wrote:
> 
>> Note that Linux is not a OS with a very limited set of purposes. Don't 
>> tell me that attempts to enforce a security scheme at core bottom will 
>> not hinder such sections like real-time or clusters. So I think it is 
>> too risky to put two things in one boat.
> 
> 
> If it can be made a compile time option what have we got to lose? A LOT
> more people will consider using these new features if they are part of the
> kernel and visible in the make config. Linux is getting a horrible
> reputation for security which can affect its adoption rate. We should be
> doing everything possible to change that.
> 
Cool. I AGREE Linux is getting a horrible reputation. But I would prefer 
a solution a-la OpenBSD rather than seeing a dubious security scheme 
being implemented as a major feature all over the kernel and getting 
into all distros. Note: I have NOTHING against C2 or its successor. What 
I consider erroneous is to implement C2 inside the main trend. That will 
surely give birth to distros and builds on which security is WRONG from 
the very start. Because people will concentrate their ideas and efforts 
in one single conception. And their requirements may be quite far from 
what C2 really offers them. And if this happens we may forget about any 
possible "reputations". There will be one only...

I am speaking about this because I did see a completely stupid C2 
implementation. And one of the actors of the comedy is me... In fact I 
even directed the second act... That was a lesson: NEVER use a common 
security conception just because it's right on your desk... Or someone 
likes it...

Anyway, I think that, with the present way things are added to the 
kernel, we will not get anything good. I believe security should keep 
out of the main kernel makings (only a very small "supporting" set 
should be in it). But the traditional "patching" methods are getting too 
square and too straight to produce a good "secured" kernel version. I 
believe this is where the real security conceptions should start to see 
the kernel...

Ektanoor


From owner-securedistros@nl.linux.org Sat Mar 17 00:46:44 2001
Received: by humbolt.nl.linux.org id <S92285AbRCPXpe>;
	Sat, 17 Mar 2001 00:45:34 +0100
Received: from pneumatic-tube.sgi.com ([204.94.214.22]:9333 "EHLO
        pneumatic-tube.sgi.com") by humbolt.nl.linux.org with ESMTP
	id <S92281AbRCPXpG>; Sat, 17 Mar 2001 00:45:06 +0100
Received: from cthulhu.engr.sgi.com (gate3-relay.engr.sgi.com [130.62.1.234]) by pneumatic-tube.sgi.com (980327.SGI.8.8.8-aspam/980310.SGI-aspam) via ESMTP id PAA08058
	for <securedistros@nl.linux.org>; Fri, 16 Mar 2001 15:54:58 -0800 (PST)
	mail_from (casey@sgi.com)
Received: from sgi.com (sgigate.sgi.com [198.29.75.75])
	by cthulhu.engr.sgi.com (SGI-8.9.3/8.9.3) with ESMTP id PAA96777
	for <securedistros@nl.linux.org>; Fri, 16 Mar 2001 15:45:04 -0800 (PST)
Message-ID: <3AB2A57C.A9385B39@sgi.com>
Date:   Fri, 16 Mar 2001 15:45:00 -0800
From:   Casey Schaufler <casey@sgi.com>
Organization: Silicon Graphics
X-Mailer: Mozilla 4.76C-SGI [en] (X11; I; IRIX 6.5-casey-root-4DMH IP32)
X-Accept-Language: en
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Linux at C2 - was Re: Is this mail list dead?
References: <Pine.LNX.4.21.0103160929460.5790-100000@imladris.rielhome.conectiva> <3AB22644.9090202@ksu.ru> <3AB24312.3F873E74@sgi.com> <3AB28BB6.1040303@ksu.ru>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Pedro Rosa wrote:

> Note that Linux is not a OS with a very limited set of purposes. Don't
> tell me that attempts to enforce a security scheme at core bottom will
> not hinder such sections like real-time or clusters. So I think it is
> too risky to put two things in one boat.

Your concerns are unfounded. Even though you've asked me
not to, I'll point out that Irix does all you've mentioned.
 
> Yes, the position of C2 out of the core-bottom may hinder Linux, for the
> fact that it will never have a 99,99% secured architecture.

What do you mean by a "secured architecture"?

> However, I'm
> pretty convinced that 99,99% of its users wouldn't need such
> requirement. For such ultra-security there should be other OSes (OpenBSD
> for example).

Firstly, you're making up your statistics on the fly. Heck,
that's true of 80% of statistics.

Second, calling C2 ultra-security is like calling TGIFriday's
Fine Dining.

> On what concerns hindering other security systems, I consider the
> psychologic point of view. I cannot consider C2 as a scheme "for all
> cases".

OKay, you're right.

> As an example among many. Well some people prefer to use "crack
> traps" rather than thinking about applying C2 to every user's brain...

Yup. Many such people would be happy with no
access controls at all.

> In fact this point is still the biggest security breach of all. And no
> matter how many threats and rays you spend on users, 99% of security
> breaches are caused by them...

Those pesky users.

> Now why I am talking about this? Well, I saw a near C2 implementation.
> The level of security was extrapolated to the impossible because there
> was a series of rules and possibilities that were inter-exclusive. The
> system was a monster and people felt like working in something worse
> than the Gulag (and, oh damn, Democracy is now working here... So people
> were talking the  Hell about it) So the concept was completely changed.

Like the Gould C2 system back in '86. Feature and
criteria creep kill that one.


> > What are your stability issues?
> 
> Well in theory none. In practice, I'm pretty sure that it will take not
> less than a year for an implementation to work out. That's pretty well
> seen on kernel development timelines.

Yes, it's software.


> For example in my own machine... Why do I need C2 on my own
> machine?

You probably don't. 

> ... You cannot
> implement such a protocol just by adding a module.

Maybe You couldn't, but I've done it on three separate
occasions.

Fear not. We're only here to help!

-- 

Casey Schaufler				Manager, Trust Technology, SGI
casey@sgi.com				voice: 650.933.1634
casey_p@pager.sgi.com			Pager: 888.220.0607

From owner-securedistros@nl.linux.org Sat Mar 17 02:38:35 2001
Received: by humbolt.nl.linux.org id <S92248AbRCQBhV>;
	Sat, 17 Mar 2001 02:37:21 +0100
Received: from sgi.SGI.COM ([192.48.153.1]:6258 "EHLO sgi.com")
	by humbolt.nl.linux.org with ESMTP id <S92179AbRCQBgs>;
	Sat, 17 Mar 2001 02:36:48 +0100
Received: from cthulhu.engr.sgi.com (cthulhu.engr.sgi.com [192.26.80.2]) 
	by sgi.com (980327.SGI.8.8.8-aspam/980304.SGI-aspam:
       SGI does not authorize the use of its proprietary
       systems or networks for unsolicited or bulk email
       from the Internet.) 
	via ESMTP id RAA01389
	for <securedistros@nl.linux.org>; Fri, 16 Mar 2001 17:36:40 -0800 (PST)
	mail_from (law@sgi.com)
Received: from ishtar.corp.sgi.com (ishtar.corp.sgi.com [192.111.23.229])
	by cthulhu.engr.sgi.com (SGI-8.9.3/8.9.3) with ESMTP id RAA84853
	for <securedistros@nl.linux.org>; Fri, 16 Mar 2001 17:36:39 -0800 (PST)
Received: from sgi.com (xena.corp.sgi.com [192.111.23.234])
	by ishtar.corp.sgi.com (8.11.2/8.11.2/SuSE Linux 8.11.1-0.5) with ESMTP id f2H1YvW11814;
	Fri, 16 Mar 2001 17:34:58 -0800
Message-ID: <3AB2BF40.C56E1F39@sgi.com>
Date:   Fri, 16 Mar 2001 17:34:56 -0800
From:   LA Walsh <law@sgi.com>
Organization: Trust Technology, SGI
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.4.2 i686)
X-Accept-Language: en, fr
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: C2 vs Common Criteria [was: RE: Is this mail list dead?]
References: <A77BEC1A2E6ED4118DD7006008C18DB873890A@stpntmx03.sctc.com> <3AB295EB.9000209@ksu.ru>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Pedro Rosa wrote:
> Yes, Mandrake can be able to produce a secure linux for users. But they
> will need to produce a conception of security and only after this to
> start such distro. But only for a segment of the market. Really I don't
> need a super-secure-fortified Mandrake for my common everyday tasks.
---
	Being secure, and being certified as secure are very different
things.  The first involves assertions and reasons, the second involves
meeting various requirement, testing and 3rd party evaluation that the
requirements are met.  

	Take a look at the Common Criteria CAPP definition mentioned in
an earlier post.  On a CAPP-level trusted system, I think you can get
by with plaintext password storage in /etc/shadow (still only readable by
root).  

	Secure = I've made my system a complex enough puzzle put off most
people.  Trusted = evaluated assertions of levels of trust of a given
OS and need not involve any 'puzzles' -- which make trusted systems
'boring' for most people -- there is no puzzle to be solved or if there
is, it's been evaluated (3rd party verified) to be trusted for a given
environment.  CAPP, I believe, is specified to provide trust in a non-hostile
environment -- i.e. no outside ethernet connections.

	I don't remember, off hand, the environment LSPP is aimed for.
-l

-- 
L A Walsh                        | Trust Technology, Core Linux, SGI
law@sgi.com                      | Voice: (650) 933-5338

From owner-securedistros@nl.linux.org Sat Mar 17 03:32:42 2001
Received: by humbolt.nl.linux.org id <S92254AbRCQCbh>;
	Sat, 17 Mar 2001 03:31:37 +0100
Received: from wirex.com ([208.161.110.91]:8723 "EHLO mail.wirex.com")
	by humbolt.nl.linux.org with ESMTP id <S92249AbRCQCbW>;
	Sat, 17 Mar 2001 03:31:22 +0100
Received: from wirex.com (mithra.wirex.com [208.161.110.91])
	by mail.wirex.com (Postfix) with ESMTP id BAC283EC1F
	for <securedistros@nl.linux.org>; Fri, 16 Mar 2001 18:31:09 -0800 (PST)
Message-ID: <3AB2CC4A.511D4BE9@wirex.com>
Date:   Fri, 16 Mar 2001 18:30:35 -0800
From:   Crispin Cowan <crispin@wirex.com>
Organization: WireX Communications, Inc.
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.18-1_imnx_5_crispin i686)
X-Accept-Language: en
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: C2 vs Common Criteria [was: RE: Is this mail list dead?]
References: <A77BEC1A2E6ED4118DD7006008C18DB873890A@stpntmx03.sctc.com> <3AB295EB.9000209@ksu.ru> <3AB2BF40.C56E1F39@sgi.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

LA Walsh wrote:

>         Secure = I've made my system a complex enough puzzle put off most
> people.

I have a problem with that one.  The above spec. describes security through
obscurity.  Here's my take:

Secure:  system architected such that only proper presentation of authentication
and authorization credentials permits access, and forging said credentials
requires solving intractable problems (e.g. factoring 1000 bit primes).

Apparently Secure:  no method is *known* to allow an attacker to violate
security.  Obscurity makes it hard to find such means to violate security, so
obscurity enhances Apparent Security(tm:-)

Trusted:  no method is known to allow an attacker to violate security, and some
fairly qualified people have looked really hard, and documented the places they
looked.

"Trusted", as in, "some folks trust this thing because they checked it out real
good." :-)

Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:                http://immunix.org




From owner-securedistros@nl.linux.org Sat Mar 17 04:01:56 2001
Received: by humbolt.nl.linux.org id <S92231AbRCQDAM>;
	Sat, 17 Mar 2001 04:00:12 +0100
Received: from dsl081-032-181.lax1.dsl.speakeasy.net ([64.81.32.181]:10766
        "HELO ultraviolet.org") by humbolt.nl.linux.org with SMTP
	id <S92206AbRCQC7Z>; Sat, 17 Mar 2001 03:59:25 +0100
Received: (qmail 7554 invoked by uid 500); 17 Mar 2001 02:59:50 -0000
Date:   Fri, 16 Mar 2001 18:59:50 -0800
From:   Tracy R Reed <treed@ultraviolet.org>
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
Message-ID: <20010316185950.A6251@ultraviolet.org>
References: <Pine.LNX.4.21.0103160929460.5790-100000@imladris.rielhome.conectiva> <3AB22644.9090202@ksu.ru> <3AB24312.3F873E74@sgi.com> <3AB28BB6.1040303@ksu.ru> <20010316142348.B27137@ultraviolet.org> <3AB2A2E2.8020606@ksu.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3AB2A2E2.8020606@ksu.ru>; from Pedro.Rosa@ksu.ru on Sat, Mar 17, 2001 at 02:33:54AM +0300
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Sat, Mar 17, 2001 at 02:33:54AM +0300, Pedro Rosa wrote:
> Cool. I AGREE Linux is getting a horrible reputation. But I would prefer 
> a solution a-la OpenBSD rather than seeing a dubious security scheme 
> being implemented as a major feature all over the kernel and getting 
> into all distros. Note: I have NOTHING against C2 or its successor. What 

How is a solution a-la OpenBSD going to make Linux any more secure? We
can't just use OpenBSD in situations where we need security. EVERY
computer needs security. From computers at the Pentagon to computers in
your bedroom. Unless you meant that Linux should be audited as well as
OpenBSD. That's a great idea but it's a lot of work and Linux evolves way
too quickly. Software in general desperately needs a way to prevent
inevitable implementation bugs from becoming major security holes. As long
as new software is being written new bugs will continue to appear. We need
a system to help mitigate that risk. How is SE Linux (assuming it
continues to mature and becomes suitable to the task) a dubious security
scheme?

> I consider erroneous is to implement C2 inside the main trend. That will 
> surely give birth to distros and builds on which security is WRONG from 
> the very start. Because people will concentrate their ideas and efforts 

C2 security is wrong? How so?

> I am speaking about this because I did see a completely stupid C2 
> implementation. And one of the actors of the comedy is me... In fact I 
> even directed the second act... That was a lesson: NEVER use a common 
> security conception just because it's right on your desk... Or someone 
> likes it...

I don't understand. You implemented C2 stupidly? Why?

> Anyway, I think that, with the present way things are added to the 
> kernel, we will not get anything good. I believe security should keep 
> out of the main kernel makings (only a very small "supporting" set 
> should be in it). But the traditional "patching" methods are getting too 
> square and too straight to produce a good "secured" kernel version. I 
> believe this is where the real security conceptions should start to see 
> the kernel...

I strongly disagree. The kernel desperately needs security. People don't
have to use it or compile it in. But it must be there. I'd love to see
more support in hardware for security too but industry and the general
public don't seem to care much about security so I don't anticipate that
happening any time soon.

-- 
Tracy Reed      http://www.ultraviolet.org

From owner-securedistros@nl.linux.org Sat Mar 17 06:32:38 2001
Received: by humbolt.nl.linux.org id <S92206AbRCQFbE>;
	Sat, 17 Mar 2001 06:31:04 +0100
Received: from ecstasy.ksu.ru ([193.232.252.41]:13519 "EHLO ecstasy.ksu.ru")
	by humbolt.nl.linux.org with ESMTP id <S92193AbRCQFaF>;
	Sat, 17 Mar 2001 06:30:05 +0100
X-Pass-Through: Kazan State University network
Received: from ksu.ru (ic29.soros.ksu.ru [194.85.244.129])
	by ecstasy.ksu.ru (8.9.3/8.9.3) with ESMTP id IAA28818
	for <securedistros@nl.linux.org>; Sat, 17 Mar 2001 08:29:13 +0300 (MSK)
Message-ID: <3AB2F61E.6070603@ksu.ru>
Date:   Sat, 17 Mar 2001 08:29:02 +0300
From:   Pedro Rosa <Pedro.Rosa@ksu.ru>
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-9mdksmp i686; en-US; 0.8) Gecko/20010216
X-Accept-Language: en, ru
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Linux at C2 - was Re: Is this mail list dead?
References: <Pine.LNX.4.21.0103160929460.5790-100000@imladris.rielhome.conectiva> <3AB22644.9090202@ksu.ru> <3AB24312.3F873E74@sgi.com> <3AB28BB6.1040303@ksu.ru> <3AB2A57C.A9385B39@sgi.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Casey Schaufler wrote:

> Pedro Rosa wrote:
> 
>> Note that Linux is not a OS with a very limited set of purposes. Don't
>> tell me that attempts to enforce a security scheme at core bottom will
>> not hinder such sections like real-time or clusters. So I think it is
>> too risky to put two things in one boat.
> 
> 
> Your concerns are unfounded. Even though you've asked me
> not to, I'll point out that Irix does all you've mentioned.

Cool. Where is Irix? Am I seeing Irix? Have I heard about Irix? Well I 
have seen AIX. Solaris, a little bit of SCO, a little of Xenix, several 
BSDs and lots of Linuxes. Irix I haven't seen nearer 2 kilometers... I 
don't wanna say it's bad (in fact I have heard great things about it). 
But if you are talking about something similar to AIX then I would note 
this: It's great, it's fabulous, it's very good. But also it's 
monolithic, it's impossibly complex, it's inflexible, it's stuck in two 
PPC boxes and doesn't move outta that place because it's incompatible 
with everything else. And the worse is the support. It is easier to turn 
the two boxes to Linux rather than waiting the eternity to have the 
chance to upgrade the stuff. But this is more a legal problem on how IBM 
sells this stuff and how you may have chances to pay for the upgrade (we 
are a budget organisation).

> 
>  
> 
>> Yes, the position of C2 out of the core-bottom may hinder Linux, for the
>> fact that it will never have a 99,99% secured architecture.
> 
> 
> What do you mean by a "secured architecture"?

I mean that being out of the main development will give a conceptual 
weakness to Linux that probably will never be solved. So we will hardly 
expect that the inners of the kernel may answer to the C2 requirements.

> 
> 
>> However, I'm
>> pretty convinced that 99,99% of its users wouldn't need such
>> requirement. For such ultra-security there should be other OSes (OpenBSD
>> for example).
> 
> 
> Firstly, you're making up your statistics on the fly. Heck,
> that's true of 80% of statistics.

No I'm not saying things on the fly. If you talk about the corporate 
environment then you will probably be right. But don't forget the 
general user, the middle man, the small entrepreneur. And don't forget 
that the World does not start in New England and ends in Alaska. In 
other places around the world there are tons of people who less need 
such thing (well, there are also tons of those who BADLY need it). It 
is not 99,99%. But surely it is also not 80%. More than 90% is a sure 
level. Even those who are dead confidential, prefer to have things set 
apart, in a iron closed room, with guards and dogs around. And they 
rarely trust their dearest secrets to the dust box...

> 
> 
> Second, calling C2 ultra-security is like calling TGIFriday's
> Fine Dining.

It's ultra-security out of a corporate environment, with "keep-out" 
yellow signs, machine guns and velure gloves (ok I _exaggerated_). It's 
stupid ultra-security for the general user as he may get convinced that 
having "C2 compatibility" will save him from Earthquakes, Floods and 
Fires. And give him a safe heaven against Grey Governments, the Smoking 
Man and Maulder's corporation (cool I _exaggerated_ again).

But what if he has to break his head to configure the whole stuff? Or 
forgets to read the HOWTO/INFO/FAQ/RTFM?

> 
>> As an example among many. Well some people prefer to use "crack
>> traps" rather than thinking about applying C2 to every user's brain...
> 
> 
> Yup. Many such people would be happy with no
> access controls at all.

Correct. Some do seriously ask to kill even the traditional *NIX 
restrictions.

> 
> 
>> In fact this point is still the biggest security breach of all. And no
>> matter how many threats and rays you spend on users, 99% of security
>> breaches are caused by them...
> 
> 
> Those pesky users.

Pesky but real. Here we have a manythousandsofusersnetwork on Linux. 
99,9999999999999999999999999999999999999999999% of cases (the number is 
NO JOKE) were and are caused by some jerk "gifting" his/her password to 
the "best friend" or "neighbor". It's extraordinary that every other 
break in attempt starts exclusively from this point. First one gets 
other's login. Then he starts breaking in...

> 
> 
>> Now why I am talking about this? Well, I saw a near C2 implementation.
>> The level of security was extrapolated to the impossible because there
>> was a series of rules and possibilities that were inter-exclusive. The
>> system was a monster and people felt like working in something worse
>> than the Gulag (and, oh damn, Democracy is now working here... So people
>> were talking the  Hell about it) So the concept was completely changed.
> 
> 
> Like the Gould C2 system back in '86. Feature and
> criteria creep kill that one.

Why do we need to go that way back? There's a much more recent sad 
example of it. Well the thing cannot be 100% C2, but it tries hard to 
follow it. Till now I have nightmares on how it broke...

> 
>> ... You cannot
>> implement such a protocol just by adding a module.
> 
> 
> Maybe You couldn't, but I've done it on three separate
> occasions.
> 
> Fear not. We're only here to help!
> 
Well I would really like to see such an implementation in 
Real-Life(TM)... Fear not. We are only  here to KKND... For a better 
Future...


From owner-securedistros@nl.linux.org Sat Mar 17 07:12:02 2001
Received: by humbolt.nl.linux.org id <S92281AbRCQGKn>;
	Sat, 17 Mar 2001 07:10:43 +0100
Received: from ecstasy.ksu.ru ([193.232.252.41]:61903 "EHLO ecstasy.ksu.ru")
	by humbolt.nl.linux.org with ESMTP id <S92193AbRCQGKT>;
	Sat, 17 Mar 2001 07:10:19 +0100
X-Pass-Through: Kazan State University network
Received: from ksu.ru (ic29.soros.ksu.ru [194.85.244.129])
	by ecstasy.ksu.ru (8.9.3/8.9.3) with ESMTP id JAA29396
	for <securedistros@nl.linux.org>; Sat, 17 Mar 2001 09:01:23 +0300 (MSK)
Message-ID: <3AB2FDB2.5000905@ksu.ru>
Date:   Sat, 17 Mar 2001 09:01:22 +0300
From:   Pedro Rosa <Pedro.Rosa@ksu.ru>
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-9mdksmp i686; en-US; 0.8) Gecko/20010216
X-Accept-Language: en, ru
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
References: <Pine.LNX.4.21.0103160929460.5790-100000@imladris.rielhome.conectiva> <3AB22644.9090202@ksu.ru> <3AB24312.3F873E74@sgi.com> <3AB28BB6.1040303@ksu.ru> <20010316142348.B27137@ultraviolet.org> <3AB2A2E2.8020606@ksu.ru> <20010316185950.A6251@ultraviolet.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Tracy R Reed wrote:

> On Sat, Mar 17, 2001 at 02:33:54AM +0300, Pedro Rosa wrote:
> 
>> Cool. I AGREE Linux is getting an horrible reputation. But I would prefer 
>> a solution a-la OpenBSD rather than seeing a dubious security scheme 
>> being implemented as a major feature all over the kernel and getting 
>> into all distros. Note: I have NOTHING against C2 or its successor. What 
> 
> 
> How is a solution a-la OpenBSD going to make Linux any more secure? We
> can't just use OpenBSD in situations where we need security. EVERY
> computer needs security. From computers at the Pentagon to computers in
> your bedroom. Unless you meant that Linux should be audited as well as
> OpenBSD. That's a great idea but it's a lot of work and Linux evolves way
> too quickly. Software in general desperately needs a way to prevent
> inevitable implementation bugs from becoming major security holes. As long
> as new software is being written new bugs will continue to appear. We need
> a system to help mitigate that risk. How is SE Linux (assuming it
> continues to mature and becomes suitable to the task) a dubious security
> scheme?

Oooooooh God!.. Why are you putting the Pentagon and my bedroom in the 
same line? Yes Pentagon may need security. However, inside my bedroom my 
computer will not need any security. To get into my bedroom one first 
should pass through the door or the window. If he does that then it will 
be hardly possible that he will have time to see what my comp is made 
of... Believe me. He has a 99% chance of seeing a roaring Neanderthal 
for the very first time in his life (and probably the very last one)...

One what concerns OpenBSD. I don't mean a concrete realisation of 
OpenBSD structure in Linux but more a "security-oriented" distro.

> 
>> I consider erroneous is to implement C2 inside the main trend. That will 
>> surely give birth to distros and builds on which security is WRONG from 
>> the very start. Because people will concentrate their ideas and efforts 
> 
> 
> C2 security is wrong? How so?

I didn't say that... Make a difference between the concept and its 
possible uses. As i said before, I don't see anything wrong with C2 
ideas (well, when I worked closely with it I did see a few points I 
didn't like, but that's another story).

> 
> 
>> I am speaking about this because I did see a completely stupid C2 
>> implementation. And one of the actors of the comedy is me... In fact I 
>> even directed the second act... That was a lesson: NEVER use a common 
>> security conception just because it's right on your desk... Or someone 
>> likes it...
> 
> 
> I don't understand. You implemented C2 stupidly? Why?

Ok, maybe I'm damn dumb bad in English... I'll try to say in other 
words. One gets the prospect "It's C2 compatible!". He tries to use it 
and fails. He passes the job to me and says: "It's C2 compatible!" and 
shows you the prospect. And you try for a few weeks to do what the other 
guy already knows is not possible... He just wanted to be sure...

> 
>> Anyway, I think that, with the present way things are added to the 
>> kernel, we will not get anything good. I believe security should keep 
>> out of the main kernel makings (only a very small "supporting" set 
>> should be in it). But the traditional "patching" methods are getting too 
>> square and too straight to produce a good "secured" kernel version. I 
>> believe this is where the real security conceptions should start to see 
>> the kernel...
> 
> 
> I strongly disagree. The kernel desperately needs security. People don't
> have to use it or compile it in. But it must be there. I'd love to see
> more support in hardware for security too but industry and the general
> public don't seem to care much about se

The Kernel DOESN'T need security. It's people who need it. And the 
kernel should only give a few primitive anchors to allow the use of 
different ideas, protocols and implementations. According and strictly 
according  to users needs. And security brainstormers should keep in 
mind that they shouldn't work for the idea but for the people, the 
people and only the people. And if Linux doesn't answer the 
requirements, to choose an OS they may answer them (M$ MazDies outta da 
train!). Without remorses. Security is much more important than all 
feelings the cute li'll Tux may give you.




From owner-securedistros@nl.linux.org Sat Mar 17 10:35:38 2001
Received: by humbolt.nl.linux.org id <S92217AbRCQJec>;
	Sat, 17 Mar 2001 10:34:32 +0100
Received: from quechua.inka.de ([212.227.14.2]:28514 "EHLO mail.inka.de")
	by humbolt.nl.linux.org with ESMTP id <S92193AbRCQJeM>;
	Sat, 17 Mar 2001 10:34:12 +0100
Received: from dungeon.inka.de 
	by mail.inka.de with uucp (rmailwrap 0.4) 
	id 14eD6B-0001X2-00; Sat, 17 Mar 2001 10:34:11 +0100
Received: by dungeon.inka.de (Postfix, from userid 1000)
	id AD59EB7802; Sat, 17 Mar 2001 10:22:28 +0100 (CET)
Date:   Sat, 17 Mar 2001 10:22:28 +0100
To:     securedistros@nl.linux.org
Subject: nsa code ?
Message-ID: <20010317102228.B13887@dungeon.inka.de>
References: <A77BEC1A2E6ED4118DD7006008C18DB873890A@stpntmx03.sctc.com> <3AB295EB.9000209@ksu.ru> <3AB2BF40.C56E1F39@sgi.com> <3AB2CC4A.511D4BE9@wirex.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3AB2CC4A.511D4BE9@wirex.com>; from crispin@wirex.com on Fri, Mar 16, 2001 at 06:30:35PM -0800
From:   aj@dungeon.inka.de (Andreas Jellinghaus)
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

what do people here think about the nsa secure linux ?
is anyone integrating this into a linux distribution ?
why not ?

regards, andreas


From owner-securedistros@nl.linux.org Sat Mar 17 13:02:59 2001
Received: by humbolt.nl.linux.org id <S92193AbRCQMBw>;
	Sat, 17 Mar 2001 13:01:52 +0100
Received: from ecstasy.ksu.ru ([193.232.252.41]:59353 "EHLO ecstasy.ksu.ru")
	by humbolt.nl.linux.org with ESMTP id <S92257AbRCQMBG>;
	Sat, 17 Mar 2001 13:01:06 +0100
X-Pass-Through: Kazan State University network
Received: from ksu.ru (ic29.soros.ksu.ru [194.85.244.129])
	by ecstasy.ksu.ru (8.9.3/8.9.3) with ESMTP id OAA08397
	for <securedistros@nl.linux.org>; Sat, 17 Mar 2001 14:49:28 +0300 (MSK)
Message-ID: <3AB34F46.50805@ksu.ru>
Date:   Sat, 17 Mar 2001 14:49:26 +0300
From:   Pedro Rosa <Pedro.Rosa@ksu.ru>
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-9mdksmp i686; en-US; 0.8) Gecko/20010216
X-Accept-Language: en, ru
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: C2 vs Common Criteria [was: RE: Is this mail list dead?]
References: <A77BEC1A2E6ED4118DD7006008C18DB873890A@stpntmx03.sctc.com> <3AB295EB.9000209@ksu.ru> <3AB2BF40.C56E1F39@sgi.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

LA Walsh wrote:

> Pedro Rosa wrote:
> 
> 
> 	Take a look at the Common Criteria CAPP definition mentioned in
> an earlier post.  On a CAPP-level trusted system, I think you can get
> by with plaintext password storage in /etc/shadow (still only readable by
> root).  

Well I will surely study the CAPP but I believe the criteria you present 
as an example is flawed. The way you present this gives the system a 
status of being in the edge of Nothing. Note that many popular distros 
forget to give a proper and secured booting sequence. Some situations 
when you break this sequence may send you right into the shell with all 
privileges. That's very bad. But it will be horrible if such thing as 
shadow will be clear readable. The next boot, the cracker will not need 
anything more than just wipe his activities from the logs, which a 
professional will easily do.

Now talking about C2's, CAPP's and similars. Your example is _exactly_ 
what I'm afraid of. Ok, we set a few "silver" and "gold" security 
mechanisms into the kernel. We may also add a "platinum" service. 
However implementations remain on the level of such silly things like 
your example or mine. What should a user expect? To have another Windows 
marvel roaming around? "Oh it's there but it's still not there but it 
surely will be there"... "No, no, no, it's not a bug or a feature or 
anomaly. It's the weather."

Ok you may say that we the experts are here and exist to solve these 
problems. But what do you prefer? A clean road without rocks or 
thousands of angry users that feel someone played a very bad joke on 
them? Giving an illusion of security will give birth to the second case. 
For sure. And even the implementation of a primitive and simple C2 will 
surely give ground to such a thing. There is already a clear and very 
sad example of such illusion and its consequences. Well I think everyone 
knows who I'm referring about.  I will only denote that my ideas don't 
come from IT magazines and coffee mug talks but from a few serious 
incidents with "C2 compatibilities". And one such case had me trying to 
do the dirty job of implementing C2 rules into one machine. This failed 
miserably because the architecture of the system was completely flawed.

> 
> 
> 	Secure = I've made my system a complex enough puzzle put off most
> people.  Trusted = evaluated assertions of levels of trust of a given

As another poster referred, this is "security through obscurity". Which 
is not security at all. In fact such approach needs only a non-standard 
and original mind to break in. Are they hard to find? No. Any guy with a 
"Holmes" intuition about the inners of the OS and the machine will be 
able to do it in minutes. I once saw how such minds break physical keys 
in tens of seconds just as they know "see" Assembler as we see this text 
(there was one case on which the break took less than 15 seconds, I give 
all guarantees that the cracker saw that program for the very first 
time). And these cases were exactly due to the fact that the original 
programmers approached the security problem through the point of 
"security through obscurity". 

Security should be established in straightforward protocols. One should 
pass through different steps to get the authorization to use the 
resources. And here, these steps should be more than just puzzles. One 
cannot allow systems calls or other things to be processed during login, 
one should encage different functions inside buffer limits that cannot 
be overpassed. Well it is a whole complex system. C2 is exactly one of 
the answers to this. But I cannot consider its implementation without 
looking at the building in the whole. I cannot speak about the 
implementation before I see what the user needs. I cannot see C2 in the 
kernel while many other things will only give it a status of "security 
through obscurity". This is a highly complex question to be just 
discussed in a "to be or not to be" mood...

Frankly I would first look at other side of the question. I would study 
first users needs. Get a picture of the damn dirty world we live in. I 
would systematize this worldwide swamp. Then I would start discussing 
approaches and maybe choose solutions. Maybe some of them would be too 
good so they could be implemented in the kernel. Maybe. But there is a 
concept I believe that tells me to avoid broad approaches - "Security 
should be private". 

Ok we have a few glimpses of what users may need or not. The 
broad/family-scale user will surely need a minimalistic and simple 
security scheme. Enough to avoid some types of intrusions like trojans 
or worms. Some of these users may even cry for the removal of 
traditional security mechanisms (should we consider them, I think we 
should even if it is to consider they are lamers).

Now we have middle-level users that may require a term between 
traditional *NIX and such things like C2. In any case they will highly 
require that the simplistic mechanisms will be secure enough to the 
level they are supposed to answer. In the mean time some may consider 
such security is not enough and require something stronger. Here I would 
not put "protocols" or "standards" in first place. These users are 
sometimes quite complex in their requirements. They may require that you 
build a stronghold in one section of the system and leave everything 
else untouched or even weakened. Yes, some experts may say "heresy!". 
But these cases are frequently met not inside one computer but all over 
one office, with rooms, doors, air conducts and people of different 
kinds. While some requirements are based on stupid lamerism, others are 
the complete mirror image of these. One may note that there are two 
kinds of companies that are hard to deal with: those where economists 
rule and those where engineers rule. Economists are the lamb herd. 
Stubborn, straight-minded and thinking they know the world (well not all 
of them). Engineers are the wolfpack. They know who you are, they know 
what you do, they may even be from the same jungle you came from, and 
they have a good general knowledge about what a computer is or can be. 
The lambs may put very hard tasks to solve from the theoretical point of 
view (frequently they play the Mission Impossible). Wolves on the 
contrary would like to have that, that, that and that but stop on 
setting that. With the first group one should think not only on how to 
secure things from outside attacks but also how to avoid the inside 
lamers. With the second group general tasks will be easier but sometimes 
requirements are so damn specific that you take in one single task much 
more time than usual.  

Now we have the corporate users. But here they will need C2 and there 
are a lot of corporate fans here. But do they need it? Well, for some, I 
DON'T THINK SO... But let's think why...



> 
> 
PS: Ok people I'm just trying to see if this "Is this mail list dead" 
question gets well dead...


From owner-securedistros@nl.linux.org Sat Mar 17 21:05:54 2001
Received: by humbolt.nl.linux.org id <S92276AbRCQUE0>;
	Sat, 17 Mar 2001 21:04:26 +0100
Received: from smtp2.vol.cz ([195.250.128.42]:43273 "EHLO smtp2.vol.cz")
	by humbolt.nl.linux.org with ESMTP id <S92271AbRCQUEG>;
	Sat, 17 Mar 2001 21:04:06 +0100
Received: from bobanek (jihlavaa-9.dialup.vol.cz [212.20.123.10])
	by smtp2.vol.cz (8.11.1/8.11.1) with ESMTP id f2HK45s90194
	for <securedistros@nl.linux.org>; Sat, 17 Mar 2001 21:04:05 +0100 (CET)
Received: (qmail 470 invoked by uid 500); 17 Mar 2001 19:53:51 -0000
From:   "Pavel Kankovsky" <peak@argo.troja.mff.cuni.cz>
Date:   Sat, 17 Mar 2001 20:53:51 +0100 (MET)
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
In-Reply-To: <20010314094654.C2696@conectiva.com.br>
Message-ID: <20010317204001.101.0@bobanek.nowhere.cz>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Wed, 14 Mar 2001, Andreas Hasenack wrote:

> What would it cost to have linux "tested" against C2? I mean, supposing
> everything is in place and it's just a bureaucratic-thing that is missing,
> what would it cost to have this compliance tested?

It would cost a lot of money (you have already seen some figures) and a
lot of time: 1/2 year for the bare-bones system is a pretty optimistic
estimate (unless they have made the process much faster recently)--and
I assume most of the paperwork has already been done.

And of course, most modifications to a certified system (can I hear 
anyone saying "service pack"?) would make the certificate void.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."


From owner-securedistros@nl.linux.org Sat Mar 17 21:11:50 2001
Received: by humbolt.nl.linux.org id <S92271AbRCQUKF>;
	Sat, 17 Mar 2001 21:10:05 +0100
Received: from perninha.conectiva.com.br ([200.250.58.156]:8459 "EHLO
        postfix.conectiva.com.br") by humbolt.nl.linux.org with ESMTP
	id <S92257AbRCQUJ3>; Sat, 17 Mar 2001 21:09:29 +0100
Received: from burns.conectiva (burns.conectiva [10.0.0.4])
	by postfix.conectiva.com.br (Postfix) with SMTP id 4416416B0E
	for <securedistros@nl.linux.org>; Sat, 17 Mar 2001 17:09:26 -0300 (EST)
Received: (qmail 20330 invoked by uid 0); 17 Mar 2001 20:08:44 -0000
Received: from dial15.ras.conectiva (HELO imladris.rielhome.conectiva) (root@10.0.8.15)
  by burns.conectiva with SMTP; 17 Mar 2001 20:08:44 -0000
Received: from localhost (IDENT:riel@localhost [127.0.0.1])
	by imladris.rielhome.conectiva (8.11.1/8.11.1) with ESMTP id f2HHtf613347
	for <securedistros@nl.linux.org>; Sat, 17 Mar 2001 14:55:41 -0300
Date:   Sat, 17 Mar 2001 14:55:41 -0300 (BRST)
From:   Rik van Riel <riel@conectiva.com.br>
X-Sender: riel@imladris.rielhome.conectiva
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
In-Reply-To: <3AB28BB6.1040303@ksu.ru>
Message-ID: <Pine.LNX.4.21.0103171451490.13050-100000@imladris.rielhome.conectiva>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Sat, 17 Mar 2001, Pedro Rosa wrote:

> Note that Linux is not a OS with a very limited set of purposes. Don't
> tell me that attempts to enforce a security scheme at core bottom will
> not hinder such sections like real-time or clusters. So I think it is
> too risky to put two things in one boat.

Better remove BSD accounting and filesystem quota support
from the kernel, then.

I don't see anybody except you talking about huge, unwieldy,
everything-but-the-second-kitchen-sink security schemes.

Now if you have _technical_ arguments for why adding things
like audit trails (which can be easily compiled out) would
make Linux a worse OS, please tell them.

Don't forget the roman rule ... the one who says it cannot
be done should never interrupt the one doing it.

regards,

Rik
--
Virtual memory is like a game you can't win;
However, without VM there's truly nothing to lose...

		http://www.surriel.com/
http://www.conectiva.com/	http://distro.conectiva.com.br/


From owner-securedistros@nl.linux.org Sat Mar 17 22:34:06 2001
Received: by humbolt.nl.linux.org id <S92257AbRCQVct>;
	Sat, 17 Mar 2001 22:32:49 +0100
Received: from wirex.com ([208.161.110.91]:58634 "EHLO mail.wirex.com")
	by humbolt.nl.linux.org with ESMTP id <S92256AbRCQVcT>;
	Sat, 17 Mar 2001 22:32:19 +0100
Received: from wirex.com (mithra.wirex.com [208.161.110.91])
	by mail.wirex.com (Postfix) with ESMTP id 299F13EC1F
	for <securedistros@nl.linux.org>; Sat, 17 Mar 2001 13:32:17 -0800 (PST)
Message-ID: <3AB3D7BB.5BCB9E1D@wirex.com>
Date:   Sat, 17 Mar 2001 13:31:40 -0800
From:   Crispin Cowan <crispin@wirex.com>
Organization: WireX Communications, Inc.
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.18-1_imnx_5_crispin i686)
X-Accept-Language: en
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
References: <Pine.LNX.4.21.0103171451490.13050-100000@imladris.rielhome.conectiva>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Rik van Riel wrote:

> Don't forget the roman rule ... the one who says it cannot
> be done should never interrupt the one doing it.

Well, kind of.  Security is a negative proposition:  "using this system,
bad things cannot happen."  So when one "doing it" proposes a design, a
critic can validly point out failures in the design that can make it
ineffective.

My main concern with C2 for Linux is that it's simultaneously too
restrictive to be useful, and too slack to provide effective security.
Casy's claims notwithstanding, it is my perception that the market has
spoken loud and clear:  C2 is *not* wanted by very many customers.  There's
a long trail of wreckage of companies who built orange book style secure
systems, and then discovered to their regret that there was no market for
such systems.

The one who is "doing it" might be well advised to see whether anyone else
cares :-)

We know how to build systems that are useful, and we know how to build
systems that are secure.  The main challenge is to build systems that are
both useful and secure.

Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:                http://immunix.org




From owner-securedistros@nl.linux.org Sun Mar 18 00:45:30 2001
Received: by humbolt.nl.linux.org id <S92305AbRCQXoU>;
	Sun, 18 Mar 2001 00:44:20 +0100
Received: from wirex.com ([208.161.110.91]:47885 "EHLO mail.wirex.com")
	by humbolt.nl.linux.org with ESMTP id <S92298AbRCQXoD>;
	Sun, 18 Mar 2001 00:44:03 +0100
Received: from wirex.com (mithra.wirex.com [208.161.110.91])
	by mail.wirex.com (Postfix) with ESMTP
	id 908A53EC1F; Sat, 17 Mar 2001 15:42:58 -0800 (PST)
Message-ID: <3AB3F65D.547DB037@wirex.com>
Date:   Sat, 17 Mar 2001 15:42:22 -0800
From:   Crispin Cowan <crispin@wirex.com>
Organization: WireX Communications, Inc.
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.18-1_imnx_5_crispin i686)
X-Accept-Language: en
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Cc:     immunix-users@immunix.org
Subject: Re: nsa code ?
References: <A77BEC1A2E6ED4118DD7006008C18DB873890A@stpntmx03.sctc.com> <3AB295EB.9000209@ksu.ru> <3AB2BF40.C56E1F39@sgi.com> <3AB2CC4A.511D4BE9@wirex.com> <20010317102228.B13887@dungeon.inka.de>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Andreas Jellinghaus wrote:

> what do people here think about the nsa secure linux ?
> is anyone integrating this into a linux distribution ?
> why not ?

SELinux uses Type Enforcement, a form of Mandatory Access Control
(MAC) that is more flexible than the hierarchical access control
concepts suggested by the Orange Book.  Type Enforcement employs a 2-way
"domains & types" approach of (roughly) mapping subjects to Domains and
objects to Types and then specifying which Domains can access which
Types.  This powerful abstraction allows the administrator a lot of
expressiveness in specifying what users may do to each other's files.

Immunix is not going to adopt SELinux.  It's not that we don't like the
work (it's fine) it's that it is redundant with respect to our SubDomain
technology http://immunix.org/subdomain.html

In particular, SubDomain is a simplification of Type Enforcement,
intended to facilitate hardening of server appliances.  SubDomain
dispenses with one of those levels of indirection, and associates a
Domain of access (list of files & mode bits) directly with programs.
So, e.g. the BIND program can only read DNS files, and can only execute
the libraries it needs to run.

This makes SubDomain unsuitable for protecting users from one another on
a time share system.  On the other hand, it makes SubDomain efficient at
configuring and securing server appliances, which have a fixed set of
purposes, and "security" means "no unexpected functionality" :-)

While Type Enforcement is generally more powerful & expressive than
SubDomain, there is one possible exception.  SubDomain includes a
facility to contain a sub-process element, e.g. a script executed by an
Apache module.  I don't know if TE, DTE, or SELinux have this
capability.  The only other sub-process security confinement
implementation that I am aware of is JDK 2, but there quite possibly may
be more.  Go back far enough, and the notion of "process" starts to get
muddy.

SubDomain is (we think) more efficient.  We've used it to wrap a large
number of programs, most without any changes at all to the applications
themselves. For performance testing, we wrapped a CGI/Perl script,
executed it with mod_perl (a pathologically bad case for SubDomain) and
measured it with Webstone.  The observed overhead was between 1% and 2%.

SubDomain was first published at the December USENIX LISA conference
http://www.usenix.org/events/lisa2000/ and you can read the paper here
http://immunix.org/subdomain.pdf

Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:                http://immunix.org


From owner-securedistros@nl.linux.org Sun Mar 18 01:25:49 2001
Received: by humbolt.nl.linux.org id <S92298AbRCRAYg>;
	Sun, 18 Mar 2001 01:24:36 +0100
Received: from fep4-orange.clear.net.nz ([203.97.32.4]:27382 "EHLO
        fep4-orange.clear.net.nz") by humbolt.nl.linux.org with ESMTP
	id <S92256AbRCRAYO>; Sun, 18 Mar 2001 01:24:14 +0100
Received: from xander.localdomain (b002-m011-p011.acld.clear.net.nz [203.167.200.139]) by fep4-orange.clear.net.nz (1.5/1.7) with SMTP id MAA06781; Sun, 18 Mar 2001 12:24:09 +1200 (NZST)
Content-Type: text/plain;
  charset="iso-8859-1"
From:   Muggins the Mad <mugginsm@conformidel.com>
To:     securedistros@nl.linux.org
Subject: Re: nsa code ?
Date:   Sun, 18 Mar 2001 12:24:29 +1200
X-Mailer: KMail [version 1.2]
References: <A77BEC1A2E6ED4118DD7006008C18DB873890A@stpntmx03.sctc.com> <3AB2CC4A.511D4BE9@wirex.com> <20010317102228.B13887@dungeon.inka.de>
In-Reply-To: <20010317102228.B13887@dungeon.inka.de>
MIME-Version: 1.0
Message-Id: <01031812242900.05618@xander.localdomain>
Content-Transfer-Encoding: 8bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 17 March 2001 22:22, you wrote:
> what do people here think about the nsa secure linux ?

I downloaded it last night and spent a few hours looking at it.

If the implementation works as well as the design, then I think
this is one of the most useful security additions I've seen. 

Having individual processes with their own permissions system
is something I've been looking out for for a long time. The idea
that you can configure netscape to only be able to read/write
$HOME/.netscape and $HOME/downloads, for example, 
suddenly makes an attack using netscape bugs a whole lot
harder to do. (I use netscape as an example only, securing
sendmail, ftpd, and similar servives is equally good).

> is anyone integrating this into a linux distribution ?
> why not?

Not that I'm aware of, although give it time. A decent security
system (SE Linux, LIDS, and the like) will require quite a lot
of changes to some of the "standard" UNIX tools. That
much of a change requires not only a lot of programmer-hours 
to do, but a terrific amount of time testing and just figuring
out how to put things together. 

There is also the fear of trusting something coming from the NSA. 
However, I think that if they *really* wanted to infiltrate
Linux they'd just have a pet "freelance" developer working 
their way into some critical high-priority application. Me, I'd
probably pick some binary-only application that large numbers
of people use and "accidentally" leave a subtle bug that is 
exploitable.   Netscape? Star Office? Nvidia video drivers anyone?


- - Muggins
- --
mugginsm@conformidel.com.
GnuPG/PGP public key avaliable on request.
Also seen at ICQ 8108509
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6tABCEuXPAaSIr2ARAqpWAJ4vWIOOTWwS5LGHXg/hEbr2GMXVUgCfUmh9
SFBCbpeN+Qh4TzsDZ54NzC0=
=E1h5
-----END PGP SIGNATURE-----
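
The two confinement models Crispin Cowan contrasts in his "nsa code ?" reply (Type Enforcement's domains and types versus SubDomain's per-program file lists) and the per-program confinement Muggins describes (netscape limited to $HOME/.netscape and $HOME/downloads), as an added example that is not part of any post in this thread. It is a conceptual model, neither SELinux policy syntax nor SubDomain profile syntax; every path, domain name and type name is constructed, and deciding on path strings is a simplification made for the sketch.

```python
"""Conceptual model of Type Enforcement vs. a SubDomain-style profile.
All program paths, file paths, domain names and type names are constructed."""
import posixpath
from fnmatch import fnmatchcase

# --- Type Enforcement: subject -> Domain, object -> Type, Domain x Type -> perms
DOMAIN_OF = {                       # program -> domain
    "/usr/sbin/named": "named_d",
    "/usr/bin/netscape": "browser_d",
}
TYPE_OF = [                         # path prefix -> type; longest prefix wins
    ("/var/named", "dns_zone_t"),
    ("/lib", "shlib_t"),
    ("/home/alice/.netscape", "browser_cfg_t"),
    ("/home/alice/downloads", "download_t"),
    ("/home/alice", "user_home_t"),
    ("/etc/shadow", "shadow_t"),
]
TE_ALLOW = {                        # (domain, type) -> permitted operations
    ("named_d", "dns_zone_t"): {"r"},
    ("named_d", "shlib_t"): {"r", "x"},
    ("browser_d", "shlib_t"): {"r", "x"},
    ("browser_d", "browser_cfg_t"): {"r", "w"},
    ("browser_d", "download_t"): {"r", "w"},
}

def _under(path, prefix):
    """True if path is prefix itself or lies below it (component-wise)."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def type_of(path):
    """Label an object; '..' is resolved first so traversal cannot pick the label."""
    path = posixpath.normpath(path)
    best = None
    for prefix, label in TYPE_OF:
        if _under(path, prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, label)
    return best[1] if best else "unlabeled_t"

def te_allowed(program, path, perm):
    """Two levels of indirection: program -> domain, path -> type, then the rule."""
    domain = DOMAIN_OF.get(program)
    if domain is None:
        return False                # unknown subject: default deny
    return perm in TE_ALLOW.get((domain, type_of(path)), set())

# --- SubDomain style: the file list and mode bits hang directly off the program
PROFILES = {
    "/usr/sbin/named": [("/var/named/*", "r"), ("/lib/*", "rx")],
    "/usr/bin/netscape": [
        ("/home/alice/.netscape/*", "rw"),
        ("/home/alice/downloads/*", "rw"),
        ("/lib/*", "rx"),
    ],
}

def subdomain_allowed(program, path, perm):
    """One lookup: does any (pattern, modes) entry of this program cover the access?"""
    path = posixpath.normpath(path)  # without this, '/var/named/../..' matches '/var/named/*'
    for pattern, modes in PROFILES.get(program, []):
        if fnmatchcase(path, pattern) and perm in modes:
            return True
    return False                    # no profile or no matching entry: default deny

SAMPLE_REQUESTS = [                 # constructed accesses: (program, path, operation)
    ("/usr/sbin/named", "/var/named/example.zone", "r"),
    ("/usr/sbin/named", "/var/named/example.zone", "w"),
    ("/usr/sbin/named", "/var/named/../../etc/shadow", "r"),
    ("/usr/bin/netscape", "/home/alice/.netscape/prefs.js", "w"),
    ("/usr/bin/netscape", "/home/alice/.netscape-old/prefs.js", "w"),
    ("/usr/bin/netscape", "/home/alice/.ssh/id_rsa", "r"),
    ("/bin/sh", "/lib/libc.so.6", "x"),
]

def compare(requests=SAMPLE_REQUESTS):
    """Return (program, path, perm, te_decision, subdomain_decision) per request."""
    return [(p, f, op, te_allowed(p, f, op), subdomain_allowed(p, f, op))
            for p, f, op in requests]

if __name__ == "__main__":
    for prog, path, op, te, sd in compare():
        print(f"{prog:18} {op} {path:38} TE={te!s:5} SubDomain={sd}")
```

In the TE half, changing which type a path carries changes the answer for every domain at once; in the SubDomain half, each program's list has to be edited separately, which is the trade-off between expressiveness and simplicity the reply describes.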

From owner-securedistros@nl.linux.org Sun Mar 18 11:18:35 2001
Received: by humbolt.nl.linux.org id <S92269AbRCRKRN>;
	Sun, 18 Mar 2001 11:17:13 +0100
Received: from elektron.elka.pw.edu.pl ([194.29.160.2]:51887 "EHLO
        elektron.elka.pw.edu.pl") by humbolt.nl.linux.org with ESMTP
	id <S92259AbRCRKQx>; Sun, 18 Mar 2001 11:16:53 +0100
Received: from elektron.elka.pw.edu.pl ([194.29.160.2]:44974 "EHLO
        elektron.elka.pw.edu.pl") by elektron.elka.pw.edu.pl with ESMTP
	id <S224236AbRCRKQ3>; Sun, 18 Mar 2001 11:16:29 +0100
Date:   Sun, 18 Mar 2001 11:16:19 +0100 (MET)
From:   Karol Konrad Kisielewski <K.Kisielewski@elka.pw.edu.pl>
To:     <securedistros@nl.linux.org>
Subject: how to unsubscribe from this list
Message-ID: <Pine.SOL.4.30.0103181115270.7872-100000@elektron.elka.pw.edu.pl>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list




From owner-securedistros@nl.linux.org Sun Mar 18 19:23:04 2001
Received: by humbolt.nl.linux.org id <S92208AbRCRSUf>;
	Sun, 18 Mar 2001 19:20:35 +0100
Received: from ecstasy.ksu.ru ([193.232.252.41]:24061 "EHLO ecstasy.ksu.ru")
	by humbolt.nl.linux.org with ESMTP id <S92243AbRCRSUO>;
	Sun, 18 Mar 2001 19:20:14 +0100
X-Pass-Through: Kazan State University network
Received: from ksu.ru (ic29.soros.ksu.ru [194.85.244.129])
	by ecstasy.ksu.ru (8.9.3/8.9.3) with ESMTP id VAA14785
	for <securedistros@nl.linux.org>; Sun, 18 Mar 2001 21:12:52 +0300 (MSK)
X-Mozilla-Status: 0801
Message-ID: <3AB4F89B.2080104@ksu.ru>
Date:   Sun, 18 Mar 2001 21:04:11 +0300
From:   Pedro Rosa <Pedro.Rosa@ksu.ru>
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-9mdksmp i686; en-US; 0.8) Gecko/20010216
X-Accept-Language: en, ru
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
References: <Pine.LNX.4.21.0103171451490.13050-100000@imladris.rielhome.conectiva>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Rik van Riel wrote:

> On Sat, 17 Mar 2001, Pedro Rosa wrote:
> 
>> Note that Linux is not an OS with a very limited set of purposes. Don't
>> tell me that attempts to enforce a security scheme at core bottom will
>> not hinder such sections like real-time or clusters. So I think it is
>> too risky to put two things in one boat.
> 
> 
> Better remove BSD accounting and filesystem quota support
> from the kernel, then.

Maybe it would be a good move. In fact this thing works badly...

> 
> 
> I don't see anybody except you talking about huge, unwieldy,
> everything-but-the-second-kitchen-sink security schemes.

Ok Mr. van Riel better to care about your own kitchen and leave mine 
alone ok? I'm not speaking about any schemes or defending or supporting. 
And see if the sink is well cleaned before answering this.

> 
> 
> Now if you have _technical_ arguments for why adding things
> like audit trails (which can be easily compiled out) would
> make Linux a worse OS, please tell them.

Where am I saying that such things make Linux worse. Ok Mr. van Riel get 
the damn sink clean, get back, read all my posts and take the place 
where I'm saying such!

What I'm against is to add high security schemes into the main 
development structure. That's WRONG! You first are creating an illusion 
of security to people and second you may be destroying the flexibility 
of development. Now Mr. Smart Technician tell me that this will not 
happen. You cannot build a perfect security profile from start. If you 
say you can then your level of speciality is the same as the sink you 
talk about. And if you even don't get this then get another job. Your
knowledge is worse than a bodyguard..

> 
> 
> Don't forget the roman rule ... the one who says it cannot
> be done should never interrupt the one doing it.

Ooooooooh. I'm soooo bad. I'm sooooooo pesty. Am I stopping you from 
doing anything? Am I kicking you from your job, calling anonymously your 
wife or walking behind your kid??? What the Hell are you? How the damn 
Hell are you to talk to me in this way? What kind of security expert you 
are? Look at your own writing. It sounds like a threat letter in cheap 
vocabulary and without one single correct argument. 

> 
> 
> regards,

Hope you have a good time with your sink soon...

> 
> 
> Rik
> --
> Virtual memory is like a game you can't win;
> However, without VM there's truly nothing to lose...
> 
> 		http://www.surriel.com/
> http://www.conectiva.com/	http://distro.conectiva.com.br/
> 
> -
> Securedistros: A common list for all secured Linux distributions
> Archive:       http://humbolt.nl.linux.org/lists/
> 
> 
Ektanoor



From owner-securedistros@nl.linux.org Sun Mar 18 19:23:56 2001
Received: by humbolt.nl.linux.org id <S92259AbRCRSVD>;
	Sun, 18 Mar 2001 19:21:03 +0100
Received: from ecstasy.ksu.ru ([193.232.252.41]:24061 "EHLO ecstasy.ksu.ru")
	by humbolt.nl.linux.org with ESMTP id <S92249AbRCRSUT>;
	Sun, 18 Mar 2001 19:20:19 +0100
X-Pass-Through: Kazan State University network
Received: from ksu.ru (ic29.soros.ksu.ru [194.85.244.129])
	by ecstasy.ksu.ru (8.9.3/8.9.3) with ESMTP id VAA14789;
	Sun, 18 Mar 2001 21:12:59 +0300 (MSK)
X-Mozilla-Status: 0801
Message-ID: <3AAF5743.4080405@ksu.ru>
Date:   Wed, 14 Mar 2001 14:34:27 +0300
From:   Pedro Rosa <Pedro.Rosa@ksu.ru>
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-9mdksmp i686; en-US; 0.8) Gecko/20010216
X-Accept-Language: en, ru
MIME-Version: 1.0
CC:     Chris <smithchr@mindspring.com>, securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
References: <Pine.LNX.4.32.0103121443130.16938-100000@arwin.microunity.com> <3AAD5908.73A44E4C@wirex.com> <20010312154024.J13139@ultraviolet.org> <3AADA219.2C4BC605@mindspring.com> <3AAE0C68.1030404@ksu.ru> <3AAE7BC5.50DA0CB@sgi.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
To:     unlisted-recipients:; (no To-header on input)
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Casey Schaufler wrote:

> Pedro Rosa wrote:
> 
>> I would say that securing Linux in a distro structure would be the same
>> as forcing C2 to every Windows install.... Yeah try to use such an
>> install...
> 
> 
> Every commercial OS today has a C2 option. The lack
> of a C2 version of Linux has been a serious inhibitor
> to adoption in the marketplace. I would guess you're
> referring to the first NT evaluation, which supported
> no networking and no removable media. Building a C2
> (CAPP in Common Criteria jargon) Linux distribution
> is easier than getting corporate marketing types to
> see the value. Say, I bet I know what You do!
>  

Well, first you may know that NT does not have C2 implemented from 
start. However its implementation is not an easy thing and it enters in 
conflict with many third-party programs. Even such things like Internet 
Explorer or MS Office cannot live under a C2 environment. However you 
may try a good effort to implement a middle solution, depending on your 
user's requirements and an evaluation of all security issues that come 
from easing the rules of the game.

You are right about the fact that Linux does not have a C2 
implementation. However is this thing needed? Frankly I had a moment 
where I needed a hard secured NT with C2 enforced to the maximum 
possible. Due to stability issues and a few serious security holes in
the system, I had to drop out the project. Later, I took Linux for a
try in the same task. By taking the same requirements, I managed to 
produce a box quite near to the one I tried with NT. I should say I 
didn't follow C2 in this case, I just went for what was required to be 
secured and created a solution to manage it. Interesting to note that 
for nearly 1,5 year there was no break in. This is not fully a virtue
of the security implemented in the system (well the thing is quite 
weaker than C2) but it does not allow a break in in the first try.  

The lack of C2 on Linux sounds like a serious drawback. But how many 
commercial organisations do implement this thing? I wonder that even 
those who do really need it, barely realise that they have to seriously 
configure Windows for such task...

Anyway, I would defend the existence of C2. And I do think that things 
similar to C2 should be implemented on Linux (yes, it will be very hard 
to do this). But not as to give Linux a slogan "It's C2 certified!" but 
to answer particular requirements of users that do really need such 
stuff. Not everyone needs such certifications. And note that their
implementation carries costs. Costs may be on performance (very high 
ones), flexibility and even stability. This last one may even turn a C2 
implementation into 0 as it was my case... A few system files broke 
after a crash, and the whole thing was completely accessible to anyone
who just pressed "Enter" in the login.

Ektanoor



From owner-securedistros@nl.linux.org Sun Mar 18 20:22:02 2001
Received: by humbolt.nl.linux.org id <S92300AbRCRTUr>;
	Sun, 18 Mar 2001 20:20:47 +0100
Received: from ecstasy.ksu.ru ([193.232.252.41]:36094 "EHLO ecstasy.ksu.ru")
	by humbolt.nl.linux.org with ESMTP id <S92243AbRCRTUH>;
	Sun, 18 Mar 2001 20:20:07 +0100
X-Pass-Through: Kazan State University network
Received: from ksu.ru (ic29.soros.ksu.ru [194.85.244.129])
	by ecstasy.ksu.ru (8.9.3/8.9.3) with ESMTP id WAA16087
	for <securedistros@nl.linux.org>; Sun, 18 Mar 2001 22:15:34 +0300 (MSK)
Message-ID: <3AB50956.7050109@ksu.ru>
Date:   Sun, 18 Mar 2001 22:15:34 +0300
From:   Pedro Rosa <Pedro.Rosa@ksu.ru>
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-9mdksmp i686; en-US; 0.8) Gecko/20010216
X-Accept-Language: en, ru
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: nsa code ?
References: <A77BEC1A2E6ED4118DD7006008C18DB873890A@stpntmx03.sctc.com> <3AB2CC4A.511D4BE9@wirex.com> <20010317102228.B13887@dungeon.inka.de> <01031812242900.05618@xander.localdomain>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Muggins the Mad wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Saturday 17 March 2001 22:22, you wrote:
> 
>> what do people here think about the nsa secure linux ?
> 
> 
> I downloaded it last night and spent a few hours looking at it.
> 
> If the implementation works as well as the design, then I think
> this is one of the most useful security additions I've seen. 
> 
> Having individual processes with their own permissions system
> is something I've been looking out for for a long time. The idea
> that you can configure netscape to only be able to read/write
> $HOME/.netscape and $HOME/downloads, for example, 
> suddenly makes an attack using netscape bugs a whole lot
> harder to do. (I use netscape as an example only, securing
> sendmail, ftpd, and similar services is equally good).

That's an interesting example. Netscape is probably the most bug-plagued
program in wide use. And one of the points is its reaction to such thing 
as permissions and UIDs. Frankly the selinux idea is great but what will 
happen with it if we get products at netscape's level? I saw this 
program eating the whole CPU because it can't write a file (either it 
was read-only or it belonged to someone else), reading several times 
/etc/passwd when, at start it had verified that the user is located in 
NIS/NIS+. The most killing is that netscape could fall in such conflicts 
but peacefully use a cache set on a third person (with read/write
permissions) while getting mad on writing into a file owned by a third 
party (with read-write permissions).

These are some of the plagues that occurred to Netscape. And even the
last 4.76 version is seriously broken in the mail system (it does not 
allow NIS+ authenticated users to use it). Now, how can we enforce 
security rules into such a system? Enforcing them may turn a relatively 
unstable program into a administrative Hell. Saying "force the developer 
to implement" is not exactly a solution. Well, Netscape, the company, is 
exactly the example of this. I know that a great amount of users wrote 
to Netscape, pointing to some serious problems, some of them that were 
seen on 3rd version. They are still there! So we may well wait for the 
day the sun rises from the West...

I see two scenarios in future. One, to play the "force the developer" 
and use PAM-style mechanisms that allow the use of such things like MAC 
(the developer will only be forced to implement a few anchors). The 
other is to bring a security "bubble" to programs that will allow them 
to work the way they like but  controlling the program's "environment" 
from certain security risks. The first can be made on linux, the second 
I doubt. However, the first and easier one, as shown above, can be 
beaten by a popular but stubborn developer.

One last note: I say PAM-style but I don't claim PAM should be used for
this. I mean that MAC should be inserted much in the way PAM is. Some of 
you may already have noted that the phrase "great but we have our own 
protocol.." already sounded. Cool, very good. Now we need that everyone 
just doesn't start to step on each other. That's why I speak for a 
PAM-style...


> 
> 
>> is anyone integrating this into a linux distribution ?
>> why not?
> 
> 
> Not that I'm aware of, although give it time. A decent security
> system (SE Linux, LIDS, and the like) will require quite a lot
> of changes to some of the "standard" UNIX tools. That
> much of a change requires not only a lot of programmer-hours 
> to do, but a terrific amount of time testing and just figuring
> out how to put things together. 
> 
> There is also the fear of trusting something coming from the NSA. 

Do you trust Linus Torvalds? Maybe he is an agent of Antarctica 
Federation, the only alien nation on Earth. Me joking? So why the 
penguins live in a land we cannot  make any use of?  Why they are so 
cute but you can't get one home? Why an OS with their cute picture is 
given instead of them?

> 
> However, I think that if they *really* wanted to infiltrate
> Linux they'd just have a pet "freelance" developer working 
> their way into some critical high-priority application. Me, I'd
> probably pick some binary-only application that large numbers
> of people use and "accidentally" leave a subtle bug that is 
> exploitable.   Netscape? Star Office? Nvidia video drivers anyone?

Well it is healthy to doubt that NSA has something in the sleeve... But 
don't forget that such organisations do have a double mission for the 
state and the people they defend - "to sniff and avoid being sniffed".  
I believe NSA went for the Linux trend because now it is well seen that 
the world is seriously changing winds. Security on Linux is a more 
pertinent question than with Windows as things here are growing much 
more complex than in M$ world. The basic structure of *NIX security is 
great but not enough and it has given always problems when permission 
demands get more complex. In fact we should recognize that, in Windows 
NT, security failed because some people made a whorehouse out of a great 
security scheme. I think that someone inside NSA thought that enough is 
enough and that the *NIX should get a little more mature with the system 
of permissions.

> 
> 
> 
> - - Muggins
> - --
> mugginsm@conformidel.com.
> GnuPG/PGP public key available on request.
> Also seen at ICQ 8108509
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.4 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
> 
> iD8DBQE6tABCEuXPAaSIr2ARAqpWAJ4vWIOOTWwS5LGHXg/hEbr2GMXVUgCfUmh9
> SFBCbpeN+Qh4TzsDZ54NzC0=
> =E1h5
> -----END PGP SIGNATURE-----
> -
> Securedistros: A common list for all secured Linux distributions
> Archive:       http://humbolt.nl.linux.org/lists/
> 
> 



From owner-securedistros@nl.linux.org Sun Mar 18 22:35:46 2001
Received: by humbolt.nl.linux.org id <S92315AbRCRVea>;
	Sun, 18 Mar 2001 22:34:30 +0100
Received: from [216.161.55.93] ([216.161.55.93]:20988 "EHLO blue.int.wirex.com")
	by humbolt.nl.linux.org with ESMTP id <S92313AbRCRVeO>;
	Sun, 18 Mar 2001 22:34:14 +0100
Received: (from greg@localhost)
	by blue.int.wirex.com (8.9.3/8.9.3) id NAA14176;
	Sun, 18 Mar 2001 13:38:43 -0800
Date:   Sun, 18 Mar 2001 13:38:43 -0800
From:   Greg KH <greg@wirex.com>
To:     securedistros@nl.linux.org, immunix-users@immunix.org
Subject: Re: nsa code ?
Message-ID: <20010318133843.A6459@wirex.com>
References: <A77BEC1A2E6ED4118DD7006008C18DB873890A@stpntmx03.sctc.com> <3AB295EB.9000209@ksu.ru> <3AB2BF40.C56E1F39@sgi.com> <3AB2CC4A.511D4BE9@wirex.com> <20010317102228.B13887@dungeon.inka.de> <3AB3F65D.547DB037@wirex.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3AB3F65D.547DB037@wirex.com>; from crispin@wirex.com on Sat, Mar 17, 2001 at 03:42:22PM -0800
X-Operating-System: Linux 2.4.2-immunix (i686)
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Sat, Mar 17, 2001 at 03:42:22PM -0800, Crispin Cowan wrote:
> Andreas Jellinghaus wrote:
> 
> > what do people here think about the nsa secure linux ?
> > is anyone integrating this into a linux distribution ?
> > why not ?
> 
> SELinux uses Type Enforcement, a form of Mandatory Access Control
> (MAC) that is more flexible than the hierarchical access control
> concepts suggested by the Orange Book.  Type Enforcement employ a 2-way
> "domains & types" approach of (roughly) mapping subjects to Domains and
> objects to Types and then specifying which Domains can access which
> Types.  This powerful abstraction allows the administrator a lot of
> expressiveness in specifying what users may do to each other's files.

If you haven't read it yet, there is a very good article explaining in
detail how SELinux's type enforcement works at:
	http://www-106.ibm.com/developerworks/security/library/s-selinux/index.html?dwzone=security


greg k-h

-- 
greg@(kroah|wirex).com
http://immunix.org/~greg
-
Securedistros: A common list for all secured Linux distributions
Archive:       http://humbolt.nl.linux.org/lists/
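
The per-process confinement Muggins describes (netscape limited to $HOME/.netscape and $HOME/downloads) and the "domains & types" mapping quoted from Crispin Cowan above, as an added example that is not part of any list message and is not SELinux code or policy syntax. It is a toy Python model; the domain and type names, the sample paths, the uid and the path-based labelling are all assumptions made for the illustration.

```python
"""Toy Type Enforcement model: subjects get a domain, objects get a type,
and access is default-deny. A simplified illustration, not SELinux code."""
import posixpath
from dataclasses import dataclass

HOME = "/home/alice"  # constructed sample home directory

# Path prefix -> object type. All type names here are hypothetical.
# Assumption: types are derived from paths to keep the model self-contained.
FILE_CONTEXTS = {
    "/": "default_t",
    HOME: "user_home_t",
    HOME + "/.netscape": "netscape_home_t",
    HOME + "/downloads": "netscape_download_t",
    HOME + "/.ssh": "ssh_home_t",
}

# (domain, type) -> operations allowed. A pair that is not listed gets nothing.
ALLOW = {
    ("netscape_t", "netscape_home_t"): {"read", "write"},
    ("netscape_t", "netscape_download_t"): {"read", "write"},
    ("user_t", "user_home_t"): {"read", "write"},
    ("user_t", "netscape_download_t"): {"read", "write"},
    ("user_t", "ssh_home_t"): {"read", "write"},
}

# Constructed sample files: path -> (owner uid, mode bits).
FILES = {
    HOME + "/.netscape/cookies": (1000, 0o600),
    HOME + "/downloads/patch.tar.gz": (1000, 0o644),
    HOME + "/.ssh/id_rsa": (1000, 0o600),
    HOME + "/notes.txt": (1000, 0o644),
}


@dataclass(frozen=True)
class Process:
    name: str
    uid: int
    domain: str


def label_of(path):
    """Return the type of the longest matching prefix, on whole path components."""
    path = posixpath.normpath(path)  # collapse "..", so traversal cannot relabel
    best = "/"
    for prefix in FILE_CONTEXTS:
        on_boundary = path == prefix or path.startswith(prefix.rstrip("/") + "/")
        if on_boundary and len(prefix) > len(best):
            best = prefix
    return FILE_CONTEXTS[best]


def dac_allows(proc, path, op):
    """Classic UNIX check, reduced to the owner and other permission bits."""
    owner, mode = FILES[posixpath.normpath(path)]
    bit = {"read": 0o4, "write": 0o2}[op]
    shift = 6 if proc.uid == owner else 0
    return bool((mode >> shift) & bit)


def te_allows(proc, path, op):
    """Type Enforcement check: the domain must hold `op` on the object's type."""
    return op in ALLOW.get((proc.domain, label_of(path)), set())


def access(proc, path, op):
    """Both layers must agree; TE can only take away what DAC would grant."""
    return dac_allows(proc, path, op) and te_allows(proc, path, op)


def decisions(proc):
    """(path, dac, te) for a read by `proc` on every sample file."""
    return [(p, dac_allows(proc, p, "read"), te_allows(proc, p, "read"))
            for p in sorted(FILES)]


if __name__ == "__main__":
    browser = Process("netscape", 1000, "netscape_t")  # same uid as the user
    for path, dac, te in decisions(browser):
        print(f"{path:35} DAC={'allow' if dac else 'deny':5} "
              f"TE={'allow' if te else 'deny'}")
```

Run as a script, it prints one line per sample file: the uid check alone lets the browser read every file its user owns, while the domain check denies everything outside the two browser directories.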

From owner-securedistros@nl.linux.org Mon Mar 19 00:55:17 2001
Received: by humbolt.nl.linux.org id <S92303AbRCRXyK>;
	Mon, 19 Mar 2001 00:54:10 +0100
Received: from perninha.conectiva.com.br ([200.250.58.156]:25098 "EHLO
        postfix.conectiva.com.br") by humbolt.nl.linux.org with ESMTP
	id <S92297AbRCRXxw>; Mon, 19 Mar 2001 00:53:52 +0100
Received: from burns.conectiva (burns.conectiva [10.0.0.4])
	by postfix.conectiva.com.br (Postfix) with SMTP id F27A716B11
	for <securedistros@nl.linux.org>; Sun, 18 Mar 2001 20:53:46 -0300 (EST)
Received: (qmail 28343 invoked by uid 0); 18 Mar 2001 23:53:06 -0000
Received: from dial11.ras.conectiva (HELO imladris.rielhome.conectiva) (root@10.0.8.11)
  by burns.conectiva with SMTP; 18 Mar 2001 23:53:07 -0000
Received: from localhost (riel@localhost)
	by imladris.rielhome.conectiva (8.11.2/8.11.2) with ESMTP id f2INqRv15220
	for <securedistros@nl.linux.org>; Sun, 18 Mar 2001 20:52:27 -0300
X-Authentication-Warning: imladris.rielhome.conectiva: riel owned process doing -bs
Date:   Sun, 18 Mar 2001 20:52:27 -0300 (BRST)
From:   Rik van Riel <riel@conectiva.com.br>
X-Sender: riel@imladris.rielhome.conectiva
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
In-Reply-To: <3AB4F89B.2080104@ksu.ru>
Message-ID: <Pine.LNX.4.21.0103182051020.13050-100000@imladris.rielhome.conectiva>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Sun, 18 Mar 2001, Pedro Rosa wrote:

> > Now if you have _technical_ arguments for why adding things
> > like audit trails (which can be easily compiled out) would
> > make Linux a worse OS, please tell them.
> 
> Where am I saying that such things make Linux worse. Ok Mr. van Riel
> get the damn sink clean, get back, read all my posts and take the
> place where I'm saying such!

I've read you saying this over and over again.
What I miss is you telling us any reason WHY this
would be the case...

regards,

Rik
--
Virtual memory is like a game you can't win;
However, without VM there's truly nothing to lose...

		http://www.surriel.com/
http://www.conectiva.com/	http://distro.conectiva.com.br/


From owner-securedistros@nl.linux.org Mon Mar 19 11:44:47 2001
Received: by humbolt.nl.linux.org id <S92268AbRCSKne>;
	Mon, 19 Mar 2001 11:43:34 +0100
Received: from ecstasy.ksu.ru ([193.232.252.41]:42653 "EHLO ecstasy.ksu.ru")
	by humbolt.nl.linux.org with ESMTP id <S92243AbRCSKm4>;
	Mon, 19 Mar 2001 11:42:56 +0100
X-Pass-Through: Kazan State University network
Received: from ksu.ru (ic29.soros.ksu.ru [194.85.244.129])
	by ecstasy.ksu.ru (8.9.3/8.9.3) with ESMTP id NAA12867
	for <securedistros@nl.linux.org>; Mon, 19 Mar 2001 13:25:16 +0300 (MSK)
Message-ID: <3AB5DE71.2080601@ksu.ru>
Date:   Mon, 19 Mar 2001 13:24:49 +0300
From:   Pedro Rosa <Pedro.Rosa@ksu.ru>
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-9mdksmp i686; en-US; 0.8) Gecko/20010216
X-Accept-Language: en, ru
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
References: <Pine.LNX.4.21.0103182051020.13050-100000@imladris.rielhome.conectiva>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Rik van Riel wrote:

> On Sun, 18 Mar 2001, Pedro Rosa wrote:
> 
>>> Now if you have _technical_ arguments for why adding things
>>> like audit trails (which can be easily compiled out) would
>>> make Linux a worse OS, please tell them.
>> 
>> Where am I saying that such things make Linux worse. Ok Mr. van Riel
>> get the damn sink clean, get back, read all my posts and take the
>> place where I'm saying such!
> 
> 
> I've read you saying this over and over again.
> What I miss is you telling us any reason WHY this
> would be the case...

First don't play verbality games with me. This is the first time I
make such a statement. That's good for politicians but too bad for those
who had to deal with such scum.
But you have a point, you DO miss the WHY. If you don't see it then it's
not my problem. But to explain it there is no need to write A+B=C-D and
present a super-complex scheme with a chart of Linux looking like a
Black Hole... If you consider that defending your position by calling
for such things gives you any good, then you are a loser. The A
problem, the one we meet on user's first encounter with Linux is the way 
they "see" it. That's psychology and has nothing to do with technicities.

Offering a set of security tools gives the user a few "guarantees" of 
security. However we should note two moments. The average user will not 
be ready to use most of these tools. Second, the average user always 
expects that someone will fill this gap for him...

The fact that, for now Linux possesses a very primitive set of tools is,
for experts, a serious gap in security. Correct. But if anyone has 
worked with average users in Linux, then he will note that even the rwx 
permission bits are a Hell to be understood. I have lots of users that 
either open to the whole world their directories or mess with 
restricting permissions, that programs crash on reading the 
"super-secured" files.

Some people may think that this is a problem with Linux. No it's not yet 
a problem. It's a serious problem with users as

They refuse to understand a new/different system
They are unprepared to use the OS
They think everyone or everything is done for them

Note the last one. That's not M$, it's the world and the media. Many 
people expect that the system will stop them, or advise, or correct 
something before getting wrong. Even long-year users suffer of some of 
these diseases. Besides, Hollywood and cheap articles on computing help to
cultivate this.

Now what shall we do? Arise Linux security. One point is trying to get 
into the main development trend and convince Linus, Alan and others that 
it is time to seriously think about this. Let's think they agree. So we 
get a few security tools and enforce this stuff into the kernel. Now the 
kernel goes to the distros, the real Linux working horses. What we get 
there? Ads, whoopla, and heap. "It's secure, it's compatible, it's 
certified or near it..." And that M$ suxxx (well it stinks anyway).

But we know how security IS implemented on distros. We know that even 
elementary security rules are deliberately ignored for the sake of 
flexibility. We know that the distros are well filled with holes and the 
kernel barely has anything to do with this. We know that many developers 
need Linux to run, fly and boost and their users barely will need UID 
rules and permissions.

Besides users will run for it, but not for the experts. They will 
install the program and believe that Flask will do everything for you. 
They will be convinced no one will sniff them. Until the first break-in...

And it then occurs that one needs to configure the security stuff, that 
one may need consultation. And one looks at the config files and falls 
in horror - "This is worse than hieroglyphs!" For an expert it may sound 
too harsh. For a simple average user that's what will happen. So he 
NEEDS to call the expert.

However the expert will not find an easy task. "Please I need those 
files... no I'm afraid I can't work, even temporarily, without that
share... No I like, love, adore this N program and don't wanna use Z, 
please make your security compatible with N".

Well I still didn't have such a case on Linux. But I have half-ton of 
such cases from MazDie's times... And I believe that soon things will 
not get too different here. Yes we are smarter but the crowd is already 
getting inside...

Now let's see the corporate world. There is another problem with 
implementing a strong security system on the main trend of the kernel: 
bosses (not funny, try to deal with such race in rage). A boss worries 
about his company. So he doesn't put Linux as he fears its lack of 
security. But when it comes the "secure linux" he changes ideas. He gets 
burned and asks WHO IS THE DAMN (I)RESPONSIBLE FOR THIS PIECE OF 
TRASH???? If he even gets the right to be heard on the community, we 
will see that everyone will be throwing hats to each other. And that's 
natural because this thing is made by hundreds of thousands of 
developers. And a few such cases will be enough to get Linux status from 
"horrible" to "lower than dog's food". Don't forget the media will be 
point shot ready for this...

So what we get? Nothing but ashes...

So I think that security issues should be treated apart from the main 
development trend. The technical machine is in fact quite gigantic even 
for some advanced users. And we shall note, that even some of the 
present security features in Linux work very badly. You presented in the 
previous letter two examples: BSD accounting and quota. I use them and 
know how horrible they are. BSD accounting is only used for statistics 
as it frequently "forgets" to register every task launched. Quota, in a 
network of 7000 users, gets 30-40 of them with broken data. In cases 
when you have disk space on the edge, such errors nullify quota's use.

So, sincerely, I would take even that out of the main kernel development.
And give it to a team or organised group of teams who would care only 
and exclusively for Linux security. These teams should care about 
developing a serious, congruent, and solid security architecture. But 
not only. They should also care for the fact that their security schemes 
will be accurately implemented. And besides these teams should be a 
message to users that things are not so simple and one cannot go just 
with a touch of the mouse.

Yes, there is the problem on how to fit the work of these teams with 
Linus commandos. Well, first I think Linus will only hear people who 
show solid determination and organisation. Second I think they would not 
be too worried about security but they would seriously discuss any 
problems of compatibility and modify a few details in the kernel for 
easier implementation.

That's how I see the problem. And I don't speak that this is a great
scheme, that I'm good or that smart. I'm telling my opinion and it is an
opinion and not a "get rich today scheme". And it is an opinion that
comes from working with nearly 7000 DUMB linux users. And it is an 
opinion based on experience with security in a whole series of MazDies 
and *NIXes of different flavours. And it is an opinion that comes out of 
six years on using Linux for very serious purposes and fighting its 
security bugs for nearly 5 years. And there is nothing technical here 
because the problem is not in this area but in the psychology one. We 
may invent a super-upper-security scheme for Linux but if users don't 
know a damn to use it then it will be useless like my car.

And one more thing. I don't know a Hell about sinks. I only know a few 
tools and most of them come from advertising and how "easy" is to clean
the ##### out of the sink. Yesterday, I tried EVERYTHING I could. 
However all these "super-upper" cleaning tools and instruments were 
useless. So I'm forced to call the expert after losing a good deal of
money and having my apartment inundated.... 

And you know what makes me mad? I go to work to get a fresh mind... Open 
the mail... AND THE FIRST THING I SEE IS SOME JERK TELLING ME I'M 
SPEAKING ABOUT SINKS???????????????????????????


> 
> 
> regards,
> 
> Rik
> 
> 



From owner-securedistros@nl.linux.org Mon Mar 19 13:20:27 2001
Received: by humbolt.nl.linux.org id <S92250AbRCSMSs>;
	Mon, 19 Mar 2001 13:18:48 +0100
Received: from cs21635-a.mtpi1.on.wave.home.com ([24.68.119.30]:4284 "EHLO
        pain.home.com") by humbolt.nl.linux.org with ESMTP
	id <S92249AbRCSMSV>; Mon, 19 Mar 2001 13:18:21 +0100
Received: (from jmurray@localhost)
	by pain.home.com (8.10.1/8.10.1) id f2JCI7x13039
	for securedistros@nl.linux.org; Mon, 19 Mar 2001 07:18:07 -0500 (EST)
X-Authentication-Warning: pain.home.com: jmurray set sender to j.j.murray@home.com using -f
Date:   Mon, 19 Mar 2001 07:18:06 -0500
From:   Jason Murray <j.j.murray@home.com>
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
Message-ID: <20010319071805.A9373@pain.mtpi1.on.wave.home.com>
References: <Pine.LNX.4.21.0103182051020.13050-100000@imladris.rielhome.conectiva> <3AB5DE71.2080601@ksu.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3AB5DE71.2080601@ksu.ru>; from Pedro.Rosa@ksu.ru on Mon, Mar 19, 2001 at 01:24:49PM +0300
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Why don't you two take this off line if you want to continue. 

On Mon, Mar 19, 2001 at 01:24:49PM +0300, Pedro Rosa wrote:
> Rik van Riel wrote:
> 
> > On Sun, 18 Mar 2001, Pedro Rosa wrote:
<snip lots and lots of poor english> > 

From owner-securedistros@nl.linux.org Mon Mar 19 14:02:52 2001
Received: by humbolt.nl.linux.org id <S92278AbRCSNBi>;
	Mon, 19 Mar 2001 14:01:38 +0100
Received: from ecstasy.ksu.ru ([193.232.252.41]:60804 "EHLO ecstasy.ksu.ru")
	by humbolt.nl.linux.org with ESMTP id <S92271AbRCSNBP>;
	Mon, 19 Mar 2001 14:01:15 +0100
X-Pass-Through: Kazan State University network
Received: from ksu.ru (ic29.soros.ksu.ru [194.85.244.129])
	by ecstasy.ksu.ru (8.9.3/8.9.3) with ESMTP id PAA03819
	for <securedistros@nl.linux.org>; Mon, 19 Mar 2001 15:57:27 +0300 (MSK)
Message-ID: <3AB60225.6010701@ksu.ru>
Date:   Mon, 19 Mar 2001 15:57:09 +0300
From:   Pedro Rosa <Pedro.Rosa@ksu.ru>
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-9mdksmp i686; en-US; 0.8) Gecko/20010319
X-Accept-Language: en, ru
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
References: <Pine.LNX.4.21.0103182051020.13050-100000@imladris.rielhome.conectiva> <3AB5DE71.2080601@ksu.ru> <20010319071805.A9373@pain.mtpi1.on.wave.home.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Jason Murray wrote:

> Why don't you two take this off line if you want to continue. 

Agree... The flame is getting quite off-topic anyway...

> 
> 
> On Mon, Mar 19, 2001 at 01:24:49PM +0300, Pedro Rosa wrote:
> 
>> Rik van Riel wrote:
>> 
>>> On Sun, 18 Mar 2001, Pedro Rosa wrote:
>> 
> <snip lots and lots of poor english> >

Yes, my writing is poor, stupid, lamer, chainik but it seems that the 
list is getting a little bit more of life. And it's no fault of mine that my 
parents didn't give birth to me in England...  But that doesn't stop me from 
answering some provocations with unfortunate coincidences... Well 
anyway I'm sorry that I got too hot. But after cleaning up tens of 
liters of water out of my apartment, that letter was too much... Lucky he 
wasn't nearby...

>  
> 

Ektanoor


From owner-securedistros@nl.linux.org Mon Mar 19 16:26:31 2001
Received: by humbolt.nl.linux.org id <S92249AbRCSPY5>;
	Mon, 19 Mar 2001 16:24:57 +0100
Received: from beach.sctc.com ([192.55.214.50]:40061 "EHLO beach.sctc.com")
	by humbolt.nl.linux.org with ESMTP id <S92246AbRCSPYj>;
	Mon, 19 Mar 2001 16:24:39 +0100
Received: from beach.sctc.com (root@localhost)
	by beach.sctc.com with ESMTP id f2JFPas00595
	for <securedistros@nl.linux.org>; Mon, 19 Mar 2001 09:25:36 -0600 (CST)
Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3])
	by beach.sctc.com with ESMTP id f2JFPVd00591
	for <securedistros@nl.linux.org>; Mon, 19 Mar 2001 09:25:36 -0600 (CST)
Received: from stp98lp2780.securecomputing.com (atddhcp-3.sctc.com [172.17.68.3]) by sphinx.sctc.com (8.8.8+Sun/8.7.3) with ESMTP id JAA18813 for <securedistros@nl.linux.org>; Mon, 19 Mar 2001 09:26:33 -0600 (CST)
Message-Id: <4.3.2.7.0.20010319090330.00b3aec0@posey.sctc.com>
X-Sender: smith@posey.sctc.com
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date:   Mon, 19 Mar 2001 09:26:50 -0600
To:     securedistros@nl.linux.org
From:   Rick Smith at Secure Computing <rick_smith@securecomputing.com>
Subject: Re: C2 vs Common Criteria [was: RE: Is this mail list dead?]
In-Reply-To: <3AB2CC4A.511D4BE9@wirex.com>
References: <A77BEC1A2E6ED4118DD7006008C18DB873890A@stpntmx03.sctc.com>
 <3AB295EB.9000209@ksu.ru>
 <3AB2BF40.C56E1F39@sgi.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

At 08:30 PM 3/16/01, Crispin Cowan wrote:

>Secure:  system architected such that only proper presentation of
>authentication and authorization credentials permits access, and forging
>said credentials requires solving intractable problems (e.g. factoring
>1000 bit primes).

I love this definition, but I'm skeptical about its usefulness. I think at 
most it permits the construction of toy systems. Once an OS exceeds a 
certain bulk, it becomes impossible to reliably assert that access depends 
solely on solving intractable problems.

>Apparently Secure:  no method is *known* to allow an attacker to violate
>security.  Obscurity makes it hard to find such means to violate security, so
>obscurity enhances Apparent Security(tm:-)

I believe this is the best security we see in large scale systems. A really 
good system combines hard-to-crack technologies in a compelling 
architecture, and the actual implementation manages to stand up to a lot of 
hard use.

>Trusted:  no method is known to allow an attacker to violate security, and
>some fairly qualified people have looked really hard, and documented the
>places they looked.
>"Trusted", as in, "some folks trust this thing because they checked it out
>real good." :-)

Hopefully they not only looked, but also took sharp knives and slashed at 
it a lot.

And don't forget this one:

Evaluated: the vendor jumped through an expensive, government endorsed 
series of hoops. It usually indicates that someone has poked it real hard 
with a stick, and occasionally indicates even more. Of course it doesn't 
guarantee a lack of security flaws.

Personally, I'm of two minds regarding security evaluations:

On the one hand, I like the idea of having third party standards that 
systems must comply with in order to demonstrate fitness for a tough job.

On the other hand, evaluations don't seem cost effective for their typical 
use, which is to provide a standardized, concise, and well understood input 
to security accreditation decisions.  The accreditation process involves a 
bunch of security re-testing anyway, since the "real system" uses the 
evaluated device as a mere component. I think the real value isn't in the 
"EAL 4" stamp, but in the evaluation evidence, which describes what the 
thing is really up to. But maybe the value is that the evaluation process 
at least ensures that the assurance data is collected in a somewhat 
accessible format.

Rick.
smith@securecomputing.com


From owner-securedistros@nl.linux.org Mon Mar 19 20:12:13 2001
Received: by humbolt.nl.linux.org id <S92240AbRCSTKx>;
	Mon, 19 Mar 2001 20:10:53 +0100
Received: from ecstasy.ksu.ru ([193.232.252.41]:31389 "EHLO ecstasy.ksu.ru")
	by humbolt.nl.linux.org with ESMTP id <S92275AbRCSTK3>;
	Mon, 19 Mar 2001 20:10:29 +0100
X-Pass-Through: Kazan State University network
Received: from ksu.ru (ic29.soros.ksu.ru [194.85.244.129])
	by ecstasy.ksu.ru (8.9.3/8.9.3) with ESMTP id WAA21705
	for <securedistros@nl.linux.org>; Mon, 19 Mar 2001 22:02:49 +0300 (MSK)
Message-ID: <3AB657D5.8030309@ksu.ru>
Date:   Mon, 19 Mar 2001 22:02:45 +0300
From:   Pedro Rosa <Pedro.Rosa@ksu.ru>
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-9mdksmp i686; en-US; 0.8) Gecko/20010319
X-Accept-Language: en, ru
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: C2 vs Common Criteria [was: RE: Is this mail list dead?]
References: <A77BEC1A2E6ED4118DD7006008C18DB873890A@stpntmx03.sctc.com> <3AB295EB.9000209@ksu.ru> <3AB2BF40.C56E1F39@sgi.com> <4.3.2.7.0.20010319090330.00b3aec0@posey.sctc.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Rick Smith at Secure Computing wrote:

> At 08:30 PM 3/16/01, Crispin Cowan wrote:
> 
>> Secure:  system architected such that only proper presentation of
>> authentication and authorization credentials permits access, and
>> forging said credentials requires solving intractable problems
>> (e.g. factoring 1000 bit primes).
> 
> 
> I love this definition, but I'm skeptical about its usefulness. I 
> think at most it permits the construction of toy systems. Once an OS 
> exceeds a certain bulk, it becomes impossible to reliably assert that 
> access depends solely on solving intractable problems. 

Hmmm. Several such "toys" of today were once a decisive tool to win 
wars, diplomatic gambles or political fights. In fact a "puzzle" 
system can be quite powerful if it's complex enough for the present 
technology. At least there is one point where a puzzle system may be 
quite useful - when you have a chance to observe the attempts to solve 
it. Not only is the attempt a significant piece of information, but 
also the level of effort to solve the puzzle may inform what level of 
interest someone may set in the break-in attempt.

> Hopefully they not only looked, but also took sharp knives and slashed 
> at  it a lot.
> 
> And don't forget this one:
> 
> Evaluated: the vendor jumped through an expensive, government endorsed 
> series of hoops. It usually indicates that someone has poked it real 
> hard with a stick, and occasionally indicates even more. Of course it 
> doesn't guarantee a lack of security flaws. 

IF a government is interested in such a thing...  Let's note that many 
countries really don't care too much about computer security. So the 
"evaluated" level can be seriously questionable. The case of a foreign 
government certification can be significant but we should also note 
that many companies create national and international versions of their 
products.

In fact, even inside one country, one may fall into this case. One 
product is evaluated and certified but it is "handicapped" for mass 
consumption. However ads still claim "military grade" security or similar.

> 
> 
> Personally, I'm of two minds regarding security evaluations:
> 
> On the one hand, I like the idea of having third party standards that 
> systems must comply with in order to demonstrate fitness for a tough job.
> 
> On the other hand, evaluations don't seem cost effective for their 
> typical use, which is to provide a standardized, concise, and well 
> understood input to security accreditation decisions.  The 
> accreditation process involves a bunch of security re-testing anyway, 
> since the "real system" uses the evaluated device as a mere component. 
> I think the real value isn't in the "EAL 4" stamp, but in the 
> evaluation evidence, which describes what the thing is really up to. 
> But maybe the value is that the evaluation process at least ensures 
> that the assurance data is collected in a somewhat accessible format.

Well, in this case, I think one should consider avoiding taking popular 
mass-consumption distros onto a security bandwagon and concentrate on 
specific organisations/companies with a very good specialization in 
security. That would give a more solid status to the real product. In 
fact such groups could concentrate evaluations on their own distros 
which, I think, would give a better approach to what their "real 
thingies" offer.

> 
> Rick.
> smith@securecomputing.com

Ektanoor

> 



From owner-securedistros@nl.linux.org Mon Mar 19 20:41:31 2001
Received: by humbolt.nl.linux.org id <S92235AbRCSTkZ>;
	Mon, 19 Mar 2001 20:40:25 +0100
Received: from ecstasy.ksu.ru ([193.232.252.41]:16030 "EHLO ecstasy.ksu.ru")
	by humbolt.nl.linux.org with ESMTP id <S92224AbRCSTkF>;
	Mon, 19 Mar 2001 20:40:05 +0100
X-Pass-Through: Kazan State University network
Received: from ksu.ru (ic29.soros.ksu.ru [194.85.244.129])
	by ecstasy.ksu.ru (8.9.3/8.9.3) with ESMTP id WAA22530
	for <securedistros@nl.linux.org>; Mon, 19 Mar 2001 22:34:09 +0300 (MSK)
Message-ID: <3AB65F2E.601@ksu.ru>
Date:   Mon, 19 Mar 2001 22:34:06 +0300
From:   Pedro Rosa <Pedro.Rosa@ksu.ru>
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-9mdksmp i686; en-US; 0.8) Gecko/20010319
X-Accept-Language: en, ru
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: [SecureDistros] Does anyone uses extended attributes? 
Content-Type: text/plain; charset=KOI8-R; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Just a curiosity. Is there any distro that uses the ext2 extended 
attributes? I mean one that has a system of policies showing their 
use (with at least a non-zero level of documentation explaining the why's).

And another question concerned with these attributes. The undelete 
functions (secure-delete & undelete) seem to have been forgotten for 
good. Well one may live 80% of time without needing them. But still, 
there are moments when such stuff is needed like air. The biggest 
trouble happens in all-day-run fileservers, when a user deletes his 
"need-more-than-life" file and the sysadmin can only ask "what flowers 
do you like?.."

Novell Netware has such a tool and it is highly helpful. Besides, its 
work does not seriously overload the system. Is there any chance to see 
such a thing in a Linux environment?

Ektanoor


From owner-securedistros@nl.linux.org Mon Mar 19 21:49:47 2001
Received: by humbolt.nl.linux.org id <S92301AbRCSUs1>;
	Mon, 19 Mar 2001 21:48:27 +0100
Received: from beach.sctc.com ([192.55.214.50]:7158 "EHLO beach.sctc.com")
	by humbolt.nl.linux.org with ESMTP id <S92286AbRCSUsJ>;
	Mon, 19 Mar 2001 21:48:09 +0100
Received: from beach.sctc.com (root@localhost)
	by beach.sctc.com with ESMTP id f2JKn7q13349
	for <securedistros@nl.linux.org>; Mon, 19 Mar 2001 14:49:07 -0600 (CST)
Received: from sphinx.sctc.com (sphinx.sctc.com [172.17.192.3])
	by beach.sctc.com with ESMTP id f2JKn7d13343
	for <securedistros@nl.linux.org>; Mon, 19 Mar 2001 14:49:07 -0600 (CST)
Received: from stp98lp2780.securecomputing.com (atddhcp-3.sctc.com [172.17.68.3]) by sphinx.sctc.com (8.8.8+Sun/8.7.3) with ESMTP id OAA29899 for <securedistros@nl.linux.org>; Mon, 19 Mar 2001 14:50:08 -0600 (CST)
Message-Id: <4.3.2.7.0.20010319141252.00b52b30@posey.sctc.com>
X-Sender: smith@posey.sctc.com
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date:   Mon, 19 Mar 2001 14:50:24 -0600
To:     securedistros@nl.linux.org
From:   Rick Smith at Secure Computing <rick_smith@securecomputing.com>
Subject: Re: C2 vs Common Criteria [was: RE: Is this mail list dead?]
In-Reply-To: <3AB657D5.8030309@ksu.ru>
References: <A77BEC1A2E6ED4118DD7006008C18DB873890A@stpntmx03.sctc.com>
 <3AB295EB.9000209@ksu.ru>
 <3AB2BF40.C56E1F39@sgi.com>
 <4.3.2.7.0.20010319090330.00b3aec0@posey.sctc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

I wrote:

>>I love this definition, but I'm skeptical about its usefulness. I think 
>>at most it permits the construction of toy systems. Once an OS exceeds a 
>>certain bulk, it becomes impossible to reliably assert that access 
>>depends solely on solving intractable problems.

At 01:02 PM 3/19/01, Pedro Rosa wrote:

>Hmmm. Several such "toys" of today were once a decisive tool to win wars, 
>diplomatic gambles or political fights. In fact a "puzzle" system can be 
>quite powerful if it's complex enough for the present technology. At least 
>there is one point where a puzzle system may be quite useful - when you 
>have a chance to observe the attempts to solve it. Not only is the attempt 
>a significant piece of information, but also the level of effort to solve 
>the puzzle may inform what level of interest someone may set in the 
>break-in attempt.

Back when William Crowell was still trying to argue Congress out of 
relaxing export controls, he said that the German WW II crypto technology 
was perfectly sufficient to develop uncrackable "puzzles" of the sort we're 
speaking of.

Yet they failed. The puzzles proved crackable in the real world even if 
their abstract design may have been uncrackable.

That's my point -- the strong mechanisms are only the first step, and you 
have numerous opportunities to render them worthless as the system evolves.

Regarding this comment:

>IF a government is interested in such a thing...  Let's note that many 
>countries really don't care too much about computer security. So the 
>"evaluated" level can be seriously questionable. The case of a foreign 
>government certification can be significant but we should also note that 
>many companies create national and international versions of their products.

Would you be willing to identify some countries that perform CC evaluations 
but "don't care too much about computer security?" Are you referring to 
those Common Criteria nations who are in the reciprocity agreement with the 
US? I doubt that they take security much less seriously than the US. Hey, 
some of those governments *really* *enforce* the requirement that their 
government purchase evaluated products. Unlike the US.

Last fall at NISSC, several folks involved in US evaluations conveyed to me 
the belief that U.S. evaluations were the only "serious" evaluations, and 
that overseas evaluators just didn't do as good of a job. I chalked this up 
to Not Invented Here, fear of lower cost foreign labor, and a residual NSA 
fever about losing control.

If overseas evaluations are indeed 'weaker' I think it's more a question of 
their evaluation community having a more realistic understanding of 
commercial vendors, and more experience with cost-effective commercial 
certification processes. At least, that's the impression I got when 
comparing US and overseas (British) evaluation houses. I wrote it up in my 
NISSC paper last year.

In any case, if an overseas EAL 4 is really inferior to a US one, then 
remember: bad money *always* drives out the good. It's essential that 
everyone trade coin of the same value. Otherwise people are getting 
cheated, both the vendors who overpaid for a cheaper stamp and the 
customers who were misled into expecting more than the value really 
conveyed. If EAL 4 costs $200,000 more in the US, then US vendors are being 
cheated, especially if that means they must meet more stringent 
requirements than those applied overseas.

>In fact, even inside one country, one may fall into this case. One product 
>is evaluated and certified but it is "handicapped" for mass consumption. 
>However ads still claim "military grade" security or similar.

Definitely true. If there exists a version of the product with the Security 
Stamp of Approval (whatever it is this week) then every version of that 
product gets a bit of tar from the same brush. It's like those car ads that 
show the sporty model with all the fixings, but quote the base price of the 
stripped down model. Read the fine print.

Rick.
smith@securecomputing.com


From owner-securedistros@nl.linux.org Tue Mar 20 00:20:56 2001
Received: by humbolt.nl.linux.org id <S92169AbRCSXTu>;
	Tue, 20 Mar 2001 00:19:50 +0100
Received: from hilbert.umkc.edu ([134.193.4.60]:58639 "HELO tesla.umkc.edu")
	by humbolt.nl.linux.org with SMTP id <S92166AbRCSXTZ>;
	Tue, 20 Mar 2001 00:19:25 +0100
Received: (qmail 93936 invoked from network); 19 Mar 2001 23:18:09 -0000
Received: from nicol1.umkc.edu (HELO kasey.umkc.edu) (david@134.193.4.62)
  by hilbert.umkc.edu with SMTP; 19 Mar 2001 23:18:09 -0000
Message-ID: <3AB693B4.5239B338@kasey.umkc.edu>
Date:   Mon, 19 Mar 2001 17:18:12 -0600
From:   "David L. Nicol" <david@kasey.umkc.edu>
Organization: University of Missouri - Kansas City   supercomputing infrastructure
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.4.0 i586)
X-Accept-Language: en
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
References: <Pine.LNX.4.21.0103182051020.13050-100000@imladris.rielhome.conectiva> <3AB5DE71.2080601@ksu.ru> <20010319071805.A9373@pain.mtpi1.on.wave.home.com> <3AB60225.6010701@ksu.ru>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Pedro Rosa wrote:

> anyway I'm sorry that I got too hot. But after cleaning up tens of
> liters of water out of my apartment, that letter was too much... Lucky he


I, for one, was amused.  Why does reply on securedistros go to list
instead of sender, anyway?


-- 
                      David Nicol 816.235.1187 dnicol@cstp.umkc.edu
  He who says it's impossible shouldn't interrupt the one doing it.


From owner-securedistros@nl.linux.org Tue Mar 20 00:26:26 2001
Received: by humbolt.nl.linux.org id <S92232AbRCSXZK>;
	Tue, 20 Mar 2001 00:25:10 +0100
Received: from sgi.SGI.COM ([192.48.153.1]:59141 "EHLO sgi.com")
	by humbolt.nl.linux.org with ESMTP id <S92200AbRCSXYi>;
	Tue, 20 Mar 2001 00:24:38 +0100
Received: from cthulhu.engr.sgi.com (cthulhu.engr.sgi.com [192.26.80.2]) 
	by sgi.com (980327.SGI.8.8.8-aspam/980304.SGI-aspam:
       SGI does not authorize the use of its proprietary
       systems or networks for unsolicited or bulk email
       from the Internet.) 
	via ESMTP id PAA04728
	for <securedistros@nl.linux.org>; Mon, 19 Mar 2001 15:23:13 -0800 (PST)
	mail_from (casey@sgi.com)
Received: from sgi.com (sgigate.sgi.com [198.29.75.75])
	by cthulhu.engr.sgi.com (SGI-8.9.3/8.9.3) with ESMTP id PAA10308
	for <securedistros@nl.linux.org>; Mon, 19 Mar 2001 15:23:09 -0800 (PST)
Message-ID: <3AB694DA.3942E786@sgi.com>
Date:   Mon, 19 Mar 2001 15:23:06 -0800
From:   Casey Schaufler <casey@sgi.com>
Organization: Silicon Graphics
X-Mailer: Mozilla 4.76C-SGI [en] (X11; I; IRIX 6.5-casey-root-4DMH IP32)
X-Accept-Language: en
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Linux at C2 - was Re: Is this mail list dead?
References: <Pine.LNX.4.21.0103160929460.5790-100000@imladris.rielhome.conectiva> <3AB22644.9090202@ksu.ru> <3AB24312.3F873E74@sgi.com> <3AB28BB6.1040303@ksu.ru> <3AB2A57C.A9385B39@sgi.com> <3AB2F61E.6070603@ksu.ru>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Pedro Rosa wrote:
> 
> Casey Schaufler wrote:
> 
> > Pedro Rosa wrote:
> >
> >> Note that Linux is not an OS with a very limited set of purposes. Don't
> >> tell me that attempts to enforce a security scheme at core bottom will
> >> not hinder such sections like real-time or clusters. So I think it is
> >> too risky to put two things in one boat.
> >
> >
> > Your concerns are unfounded. Even though you've asked me
> > not to, I'll point out that Irix does all you've mentioned.
> 
> Cool. Where is Irix? Am I seeing Irix? Have I heard about Irix? Well I
> have seen AIX. Solaris, a little bit of SCO, a little of Xenix,

All of which at least claim C2. Did you know a version of Xenix
was evaluated at B2?
 
> > What do you mean by a "secured architecture"?
> 
> I mean that being out of the main development will give a conceptual
> weakness to Linux that probably will never be solved. So we will hardly
> expect that the inners of the kernel may answer to the C2 requirements.

Right. That's why I don't want it on the outside.

> If you talk about the corporate
> environment then you will probably be right. But don't forget the
> general user, the middle man, the small entrepreneur.

I shan't. On the other hand, the corporate (or worse,
government) environment has more money to spend than you do.

> And don't forget
> that the World does not start in New England and end in Alaska.

The CAPP/C2/assurance market is bigger in the EU
than in the US. Check Swedish privacy law if you
want to start getting nervous.

> In
> other places around the world there are tons of people who have less need
> of such a thing (well, there are also tons of those who BADLY need it). It
> is not 99,99%. But surely it is also not 80%. More than 90% is a sure
> level. Even those who are dead confidential, prefer to have things set
> apart, in an iron closed room, with guards and dogs around. And they
> rarely trust their dearest secrets to the dust box...

These people have addressed their security concerns
using other than software means, just as the home
game player has addressed his via ISP selection.

> It's ultra-security out of a corporate environment, with "keep-out"
> yellow signs, machine guns and velure gloves (ok I _exaggerated_). It's
> stupid ultra-security for the general user as he may get convinced that
> having "C2 compatibility" will save him from Earthquakes, Floods and
> Fires. And give him a safe haven against Grey Governments, the Smoking
> Man and Mulder's corporation (cool I _exaggerated_ again).

Love the description!

> But what if he has to break his head to configure the whole stuff? Or
> forgets to read the HOWTO/INFO/FAQ/RTFM?

Then he'll be vulnerable. We always count on TFM.

> Here we have a manythousandsofusersnetwork on Linux.
> 99,9999999999999999999999999999999999999999999% of cases (the number is
> NO JOKE) were and are caused by some jerk "gifting" his/her password to
> the "best friend" or "neighbor". It's extraordinary that every other
> break in attempt starts exclusively from this point. First one gets
> other's login. Then he starts breaking in...

Yup.

> Why do we need to go that way back? There's a much more recent sad
> example of it. Well the thing cannot be 100% C2, but it tries hard to
> follow it. Till now I have nightmares on how it broke...

C'mon, tell us which one. I love razzing my peers!

> Well I would really like to see such an implementation in
> Real-Life(TM)... Fear not. We are only  here to KKND... For a better
> Future...

I give up. KKND?

-- 

Casey Schaufler				Manager, Trust Technology, SGI
casey@sgi.com				voice: 650.933.1634
casey_p@pager.sgi.com			Pager: 888.220.0607

From owner-securedistros@nl.linux.org Tue Mar 20 01:05:33 2001
Received: by humbolt.nl.linux.org id <S92233AbRCTAEL>;
	Tue, 20 Mar 2001 01:04:11 +0100
Received: from deliverator.sgi.com ([204.94.214.10]:24644 "EHLO
        deliverator.sgi.com") by humbolt.nl.linux.org with ESMTP
	id <S92185AbRCTADt>; Tue, 20 Mar 2001 01:03:49 +0100
Received: from cthulhu.engr.sgi.com (gate3-relay.engr.sgi.com [130.62.1.234]) by deliverator.sgi.com (980309.SGI.8.8.8-aspam-6.2/980310.SGI-aspam) via ESMTP id QAA19185
	for <securedistros@nl.linux.org>; Mon, 19 Mar 2001 16:02:35 -0800 (PST)
	mail_from (casey@sgi.com)
Received: from sgi.com (sgigate.sgi.com [198.29.75.75])
	by cthulhu.engr.sgi.com (SGI-8.9.3/8.9.3) with ESMTP id QAA19496
	for <securedistros@nl.linux.org>; Mon, 19 Mar 2001 16:03:47 -0800 (PST)
Message-ID: <3AB69E61.D0AC3C6D@sgi.com>
Date:   Mon, 19 Mar 2001 16:03:45 -0800
From:   Casey Schaufler <casey@sgi.com>
Organization: Silicon Graphics
X-Mailer: Mozilla 4.76C-SGI [en] (X11; I; IRIX 6.5-casey-root-4DMH IP32)
X-Accept-Language: en
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
References: <Pine.LNX.4.21.0103171451490.13050-100000@imladris.rielhome.conectiva> <3AB3D7BB.5BCB9E1D@wirex.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Crispin Cowan wrote:

> Casey's claims notwithstanding, it is my perception that the market has
> spoken loud and clear:  C2 is *not* wanted by very many customers.

It is called out often enough that every system vendor
supplies it.

> There's
> a long trail of wreckage of companies who built orange book style secure
> systems, and then discovered to their regret that there was no market for
> such systems.

Badly baked cookies don't sell, either!

> The one who is "doing it" might be well advised to see whether anyone else
> cares :-)

Security(*) on a computer is like anchovies on a pizza.
Most people don't want 'em, but the pizzeria that does
not have them finds its sales down much further than
the fishes account for themselves.

[*] My kind of security. The evil kind. Assurance. Bwah hah hah.

> We know how to build systems that are useful, and we know how to build
> systems that are secure.  The main challenge is to build systems that are
> both useful and secure.

And cheap!

-- 

Casey Schaufler				Manager, Trust Technology, SGI
casey@sgi.com				voice: 650.933.1634
casey_p@pager.sgi.com			Pager: 888.220.0607

From owner-securedistros@nl.linux.org Tue Mar 20 02:40:48 2001
Received: by humbolt.nl.linux.org id <S92282AbRCTBjn>;
	Tue, 20 Mar 2001 02:39:43 +0100
Received: from wirex.com ([208.161.110.91]:24592 "EHLO mail.wirex.com")
	by humbolt.nl.linux.org with ESMTP id <S92277AbRCTBjC>;
	Tue, 20 Mar 2001 02:39:02 +0100
Received: from wirex.com (mithra.wirex.com [208.161.110.91])
	by mail.wirex.com (Postfix) with ESMTP id 9BC133EC1B
	for <securedistros@nl.linux.org>; Mon, 19 Mar 2001 17:38:33 -0800 (PST)
Message-ID: <3AB6B471.EE79616E@wirex.com>
Date:   Mon, 19 Mar 2001 17:37:54 -0800
From:   Crispin Cowan <crispin@wirex.com>
Organization: WireX Communications, Inc.
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.18-1_imnx_5_crispin i686)
X-Accept-Language: en
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: C2 vs Common Criteria [was: RE: Is this mail list dead?]
References: <A77BEC1A2E6ED4118DD7006008C18DB873890A@stpntmx03.sctc.com>
	 <3AB295EB.9000209@ksu.ru>
	 <3AB2BF40.C56E1F39@sgi.com> <4.3.2.7.0.20010319090330.00b3aec0@posey.sctc.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Rick Smith at Secure Computing wrote:

> At 08:30 PM 3/16/01, Crispin Cowan wrote:
>
> >Secure:  system architected such that only proper presentation of
> >authentication and authorization credentials permits access, and forging
> >said credentials requires solving intractable problems (e.g. factoring
> >1000 bit primes).
>
> I love this definition, but I'm skeptical about its usefulness. I think at
> most it permits the construction of toy systems. Once an OS exceeds a
> certain bulk, it becomes impossible to reliably assert that access depends
> solely on solving intractable problems.

Thanks!  I agree that it is improbable to achieve "Secure" under this definition
for non-toy systems.  The usefulness of the definition is primarily to illustrate
the difference between "Secure" and "Apparently Secure", so that all participants
can appreciate that we're really arguing about probabilities of flaws in
Apparently Secure systems.

Hopefully this will cut down on the wanking flamage about "my system is secure",
"no it isn't", "so's your momma" :-)


> >Apparently Secure:  no method is *known* to allow an attacker to violate
> >security.  Obscurity makes it hard to find such means to violate security, so
> >obscurity enhances Apparent Security(tm:-)
>
> I believe this is the best security we see in large scale systems. A really
> good system combines hard-to-crack technologies in a compelling
> architecture, and the actual implementation manages to stand up to a lot of
> hard use.

Agreed.  I think that most of the useful discussion comparing the relative
merits of various security systems is really comparing Apparently Secure systems
with respect to the likelihood of flaws being discovered, the criticality of such
flaws, etc.  By clearly understanding that we're really talking about Apparent
Security, we can focus on the issue that matters:  how the method or technology
mitigates potential vulnerabilities.

For instance, tight application of MAC results in a strong degree of fault
isolation through least privilege, so the amount of software that *can* manifest
a critical security vulnerability is drastically reduced.  Least privilege
management appears to be the approach taken by many of the better secure UNIX
systems, such as SELinux, Pitbull, and Immunix's SubDomain.  Even Bastille uses
it, by minimizing the services offered.

Immunix's Guardian tools (StackGuard, FormatGuard, and the soon to be released
RaceGuard) take a somewhat different approach.  These tools carve off a major
class of vulnerabilities that commonly occur in applications, and do something to
make those vulnerabilities non-exploitable.  This improves Apparent Security by
making a majority of the attack techniques ineffective.

Of course, Apparent Security is a crappy name:  no one will ever market a product
as having better Apparent Security :-)


> >Trusted:  no method is known to allow an attacker to violate security, and
> >some fairly qualified people have looked really hard, and documented the
> >places they looked.
> >"Trusted", as in, "some folks trust this thing because they checked it out
> >real good." :-)
>
> Hopefully they not only looked, but also took sharp knives and slashed at
> it a lot.
>
> And don't forget this one:
>
> Evaluated: the vendor jumped through an expensive, government endorsed
> series of hoops. It usually indicates that someone has poked it real hard
> with a stick, and occasionally indicates even more. Of course it doesn't
> guarantee a lack of security flaws.

Hmmm ... I view "Trusted" and "Evaluated" as the same thing.  Evaluation is the
basis for the Trust, but most systems that are called "Trusted" usually have an
evaluation certificate to back up the claim.  As usual in security, this leads to
a recursive meta question of "who trusts the trusters?" :-) E.g. I don't trust
ISCA evaluations, because they work hard to pass everything they evaluate.


> Personally, I'm of two minds regarding security evaluations:
>
> On the one hand, I like the idea of having third party standards that
> systems must comply with in order to demonstrate fitness for a tough job.
>
> On the other hand, evaluations don't seem cost effective for their typical
> use, which is to provide a standardized, concise, and well understood input
> to security accreditation decisions.

Clearly there's a need for a more cost effective evaluation method.  The trick is
to find one that is valid, i.e. corresponds well to Apparent Security.


>  The accreditation process involves a
> bunch of security re-testing anyway, since the "real system" uses the
> evaluated device as a mere component. I think the real value isn't in the
> "EAL 4" stamp, but in the evaluation evidence, which describes what the
> thing is really up to. But maybe the value is that the evaluation process
> at least ensures that the assurance data is collected in a somewhat
> accessible format.

I think the "value" in formal evaluation is that it's a means for people with
little or no clue to borrow some clues from people who do know something about
security.  IT boss wants a system that's secure, doesn't have the spare $2mil to
do his own evaluations, and starts looking around for valid criteria to judge the
products that are being pushed at her.  All of the products come with Breathless
Hype (tm :-) pre-installed, so reading the marketing lit. is of little use.

Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:                http://immunix.org


From owner-securedistros@nl.linux.org Tue Mar 20 05:31:15 2001
Received: by humbolt.nl.linux.org id <S92195AbRCTEaL>;
	Tue, 20 Mar 2001 05:30:11 +0100
Received: from [203.94.253.70] ([203.94.253.70]:22020 "EHLO
        mail.linux-delhi.org") by humbolt.nl.linux.org with ESMTP
	id <S92188AbRCTE36>; Tue, 20 Mar 2001 05:29:58 +0100
Received: (from raju@localhost)
	by mail.linux-delhi.org (8.9.3/8.9.3) id JAA02245;
	Tue, 20 Mar 2001 09:59:30 +0530
From:   Raju Mathur <raju@linux-delhi.org>
Message-ID: <15030.56490.663812.371137@mail.linux-delhi.org>
Date:   Tue, 20 Mar 2001 09:59:30 +0530 (IST)
To:     securedistros@nl.linux.org
Subject: Re: Linux at C2 - was Re: Is this mail list dead?
In-Reply-To: <3AB694DA.3942E786@sgi.com>
References: <Pine.LNX.4.21.0103160929460.5790-100000@imladris.rielhome.conectiva>
	<3AB22644.9090202@ksu.ru>
	<3AB24312.3F873E74@sgi.com>
	<3AB28BB6.1040303@ksu.ru>
	<3AB2A57C.A9385B39@sgi.com>
	<3AB2F61E.6070603@ksu.ru>
	<3AB694DA.3942E786@sgi.com>
X-Mailer: VM 6.72 under 21.1 (patch 10) "Capitol Reef" XEmacs Lucid
Mime-Version: 1.0 (generated by tm-edit 1.5)
Content-Type: text/plain; charset=US-ASCII
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

>>>>> "Casey" == Casey Schaufler <casey@sgi.com> writes:

    Casey> Pedro Rosa wrote:
    >>  [snip]
    >> Well I would really like to see such an implementation in
    >> Real-Life(TM)... Fear not. We are only here to KKND... For a
    >> better Future...

    Casey> I give up. KKND?

My son has a game called Krush, Kill 'N' Destroy.  Would that be it? :)

-- 
Raju Mathur          raju@kandalaya.org           http://kandalaya.org/

From owner-securedistros@nl.linux.org Tue Mar 20 10:38:33 2001
Received: by humbolt.nl.linux.org id <S92192AbRCTJhM>;
	Tue, 20 Mar 2001 10:37:12 +0100
Received: from ecstasy.ksu.ru ([193.232.252.41]:64448 "EHLO ecstasy.ksu.ru")
	by humbolt.nl.linux.org with ESMTP id <S92188AbRCTJgz>;
	Tue, 20 Mar 2001 10:36:55 +0100
X-Pass-Through: Kazan State University network
Received: from ksu.ru (ic29.soros.ksu.ru [194.85.244.129])
	by ecstasy.ksu.ru (8.9.3/8.9.3) with ESMTP id MAA19850
	for <securedistros@nl.linux.org>; Tue, 20 Mar 2001 12:20:20 +0300 (MSK)
Message-ID: <3AB720D3.6090403@ksu.ru>
Date:   Tue, 20 Mar 2001 12:20:19 +0300
From:   Pedro Rosa <Pedro.Rosa@ksu.ru>
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-9mdksmp i686; en-US; 0.8) Gecko/20010319
X-Accept-Language: en, ru
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Linux at C2 - was Re: Is this mail list dead?
References: <Pine.LNX.4.21.0103160929460.5790-100000@imladris.rielhome.conectiva> <3AB22644.9090202@ksu.ru> <3AB24312.3F873E74@sgi.com> <3AB28BB6.1040303@ksu.ru> <3AB2A57C.A9385B39@sgi.com> <3AB2F61E.6070603@ksu.ru> <3AB694DA.3942E786@sgi.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Casey Schaufler wrote:

> Pedro Rosa wrote:
> 
>>> 
>> Cool. Where is Irix? Am I seeing Irix? Have I heard about Irix? Well I
>> have seen AIX. Solaris, a little bit of SCO, a little of Xenix,
> 
> 
> All of which at least claim C2. Did you know a version of Xenix
> was evaluated at B2?

I always knew that Bill Gates was an agent from the Evil Empire on 
Earth... So how Microsoft could go from Xenix evaluated on B2 to Windows 
on aaa.... uuuu... eee... almost C2-"compatible"?.. 8=E
Yes, his job was to infiltrate inside the good community of freelancers 
and good programmers and turn everything into an answer-machine...

> 
>  
> 
> 
>> And don't forget
>> that the World does not start in New England and ends in Alaska.
> 
> 
> The CAPP/C2/assurance market is bigger in the EU
> than in the US. Check Swedish privacy law if you
> want to start getting nervous.

Good but no good... I don't live in Sweden or EU either... Things are 
quite different here. While there is a huge potential market for such 
things like CAPP, right now there is a huge crisis going on the sector. 
It's a crisis that touches every aspect of the industry here and looks 
like the advent of a weird Middle Age in the computer world. Most people 
don't really care about security even in those places where CAPP would 
be more than necessary. In some of these places you may see people 
nailing printouts of E-mail bombs warning about bogus viruses. Here 
hackers are already treated like witches, magicians, djinns and other 
mythical beings, for good and bad (skeptics should have a look at the 
local newspapers). And many experts don't see other solution than going 
outta here, choosing either another region of Russia or the West. A few 
islands remain and start looking as medieval castles in the middle of 
the chaos.

Under such an environment, a general distro with "security enhanced" 
will be just damaging. In fact it's enough to see what average users do 
with Linux. Even after I tell some users 10 times that they need an 
expert to install it on their disks, they do all on their own. The 
result is valuable data irrecoverable and people blaming me for that and 
crying foul of Linux! Just three days ago another such user came to me. 
Luckily he just screwed the MBR.

Well, in fact there is a need to make a general highly secured 
"lamers-safe" distro. Or else users will start losing their houses, 
cars and pants as they more and more try to play Linux on disks, where 
they hold valuable info for their job or business.

> 
> 
>> Well I would really like to see such an implementation in
>> Real-Life(TM)... Fear not. We are only  here to KKND... For a better
>> Future...
> 
> 
> I give up. KKND?
> 
Krush, Kill aNd Destroy. From a game of that name. Some here use it as a 
call sign for heavy hack or testing work.  Or to deal with some type of 
users...


From owner-securedistros@nl.linux.org Tue Mar 20 10:57:29 2001
Received: by humbolt.nl.linux.org id <S92195AbRCTJz4>;
	Tue, 20 Mar 2001 10:55:56 +0100
Received: from ecstasy.ksu.ru ([193.232.252.41]:30915 "EHLO ecstasy.ksu.ru")
	by humbolt.nl.linux.org with ESMTP id <S92166AbRCTJz0>;
	Tue, 20 Mar 2001 10:55:26 +0100
X-Pass-Through: Kazan State University network
Received: from ksu.ru (ic29.soros.ksu.ru [194.85.244.129])
	by ecstasy.ksu.ru (8.9.3/8.9.3) with ESMTP id MAA21649
	for <securedistros@nl.linux.org>; Tue, 20 Mar 2001 12:44:34 +0300 (MSK)
Message-ID: <3AB7267D.5000605@ksu.ru>
Date:   Tue, 20 Mar 2001 12:44:29 +0300
From:   Pedro Rosa <Pedro.Rosa@ksu.ru>
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-9mdksmp i686; en-US; 0.8) Gecko/20010319
X-Accept-Language: en, ru
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
References: <Pine.LNX.4.21.0103171451490.13050-100000@imladris.rielhome.conectiva> <3AB3D7BB.5BCB9E1D@wirex.com> <3AB69E61.D0AC3C6D@sgi.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Casey Schaufler wrote:

> Crispin Cowan wrote:
> 
>> Casey's claims notwithstanding, it is my perception that the market has
>> spoken loud and clear:  C2 is *not* wanted by very many customers.
> 
> 
> It is called out often enough that every system vendor
> supplies it.

We all know THAT system vendor. Have you tried to enforce the rules and 
use that system? There are rumours that even NSA tried hard. Wonder if 
they were successful. Anyway I'm not NSA and so my ex kicked me out of 
home...

> 
> 
>> There's
>> a long trail of wreckage of companies who built orange book style secure
>> systems, and then discovered to their regret that there was no market for
>> such systems.
> 
> 
> Badly baked cookies don't sell, either!

I wouldn't say sooooooo. You see, software is still untasteful. Thanks 
God...

> 
> 
>> The one who is "doing it" might be well advised to see whether anyone else
>> cares :-)
> 
> 
> Security(*) on a computer is like anchovies on a pizza.
> Most people don't want 'em, but the pizzeria that does
> not have them finds its sales down much further than
> the fishes account for themselves.
> 
> [*] My kind of security. The evil kind. Assurance. Bwah hah hah.

No, your analogy is not quite correct. I would change those anchovies 
for that fish that love so much in Japan... That's more about how 
Security works...

> 
> 
>> We know how to build systems that are useful, and we know how to build
>> systems that are secure.  The main challenge is to build systems that are
>> both useful and secure.
> 
> 
> And cheap!
> 
Not exactly. In Security one should value the cost of Security measures 
against the range of possible losses they pretend to prevent. Such 
evaluations may go through the millions. No I don't think that this is 
Fantasy World and I do think Linux may be an answer to multi-million 
dollar tasks. In fact it is now a solution. Just near here the little 
Tux saved a project costing nearly US$1,25 million, by substituting NT 
on tens of machines. Btw security costs there were probably no less than 
US$20,000.


Ektanoor


From owner-securedistros@nl.linux.org Tue Mar 20 13:04:18 2001
Received: by humbolt.nl.linux.org id <S92166AbRCTMDC>;
	Tue, 20 Mar 2001 13:03:02 +0100
Received: from kerberos2.troja.mff.cuni.cz ([195.113.28.3]:18500 "HELO
        kerberos2.troja.mff.cuni.cz") by humbolt.nl.linux.org with SMTP
	id <S92167AbRCTMCh>; Tue, 20 Mar 2001 13:02:37 +0100
Received: (qmail 21165 invoked from network); 20 Mar 2001 12:02:35 -0000
Received: from argo.troja.mff.cuni.cz (195.113.28.11)
  by humbolt.nl.linux.org with SMTP; 20 Mar 2001 12:02:35 -0000
Received: (qmail 11700 invoked by uid 501); 20 Mar 2001 12:02:35 -0000
Date:   Tue, 20 Mar 2001 13:02:35 +0100 (MET)
From:   Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>
To:     securedistros@nl.linux.org
Subject: Re: Linux at C2 - was Re: Is this mail list dead?
In-Reply-To: <3AB720D3.6090403@ksu.ru>
Message-ID: <20010320114841.2A17.0@argo.troja.mff.cuni.cz>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Tue, 20 Mar 2001, Pedro Rosa wrote:

> Good but no good... I don't live in Sweden or EU either...Most people 
> don't really care about security even in those places where CAPP would 
> be more than necessary.

On the other hand, most computers are located in developed countries
where (some) people care...

> Under such an environment, a general distro with "security enhanced" 
> will be just damaging...Well, in fact there is a need to make a general
> highly secured "lamers-safe" distro.

Excuse me? Security enhancements are bad but high security is needed?
Or have the quotation marks in "security enhanced" any special meaning
(e.g. to denote an irony)?

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."


From owner-securedistros@nl.linux.org Tue Mar 20 18:24:55 2001
Received: by humbolt.nl.linux.org id <S92167AbRCTRXi>;
	Tue, 20 Mar 2001 18:23:38 +0100
Received: from sgi.SGI.COM ([192.48.153.1]:17940 "EHLO sgi.com")
	by humbolt.nl.linux.org with ESMTP id <S92193AbRCTRXG>;
	Tue, 20 Mar 2001 18:23:06 +0100
Received: from cthulhu.engr.sgi.com (cthulhu.engr.sgi.com [192.26.80.2]) 
	by sgi.com (980327.SGI.8.8.8-aspam/980304.SGI-aspam:
       SGI does not authorize the use of its proprietary
       systems or networks for unsolicited or bulk email
       from the Internet.) 
	via ESMTP id JAA09711
	for <securedistros@nl.linux.org>; Tue, 20 Mar 2001 09:22:47 -0800 (PST)
	mail_from (casey@sgi.com)
Received: from sgi.com (sgigate.sgi.com [198.29.75.75])
	by cthulhu.engr.sgi.com (SGI-8.9.3/8.9.3) with ESMTP id JAA18130
	for <securedistros@nl.linux.org>; Tue, 20 Mar 2001 09:22:45 -0800 (PST)
Message-ID: <3AB791E1.6527430C@sgi.com>
Date:   Tue, 20 Mar 2001 09:22:42 -0800
From:   Casey Schaufler <casey@sgi.com>
Organization: Silicon Graphics
X-Mailer: Mozilla 4.76C-SGI [en] (X11; I; IRIX 6.5-casey-root-4DMH IP32)
X-Accept-Language: en
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Linux at C2 - was Re: Is this mail list dead?
References: <Pine.LNX.4.21.0103160929460.5790-100000@imladris.rielhome.conectiva> <3AB22644.9090202@ksu.ru> <3AB24312.3F873E74@sgi.com> <3AB28BB6.1040303@ksu.ru> <3AB2A57C.A9385B39@sgi.com> <3AB2F61E.6070603@ksu.ru> <3AB694DA.3942E786@sgi.com> <3AB720D3.6090403@ksu.ru>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Pedro Rosa wrote:

> I always knew that Bill Gates was an agent from the Evil Empire on
> Earth... So how Microsoft could go from Xenix evaluated on B2 to Windows
> on aaa.... uuuu... eee... almost C2-"compatible"?.. 8=E
> Yes, his job was to infiltrate inside the good community of freelancers
> and good programmers and turn everything into an answer-machine...

Err, not to disappoint you, but the B2 Xenix work was initially
funded by IBM, who sold it to TIS (now part of Network Associates),
who finished up the evaluation work.

> > I give up. KKND?
> >
> Krush, Kill aNd Destroy. From a game of that name. Some here use it as a
> call sign for heavy hack or testing work.  Or to deal with some type of
> users...

Ah yes. I understand.

-- 

Casey Schaufler				Manager, Trust Technology, SGI
casey@sgi.com				voice: 650.933.1634
casey_p@pager.sgi.com			Pager: 888.220.0607

From owner-securedistros@nl.linux.org Tue Mar 20 18:28:08 2001
Received: by humbolt.nl.linux.org id <S92201AbRCTR0x>;
	Tue, 20 Mar 2001 18:26:53 +0100
Received: from sgi.SGI.COM ([192.48.153.1]:39957 "EHLO sgi.com")
	by humbolt.nl.linux.org with ESMTP id <S92188AbRCTR0d>;
	Tue, 20 Mar 2001 18:26:33 +0100
Received: from cthulhu.engr.sgi.com (cthulhu.engr.sgi.com [192.26.80.2]) 
	by sgi.com (980327.SGI.8.8.8-aspam/980304.SGI-aspam:
       SGI does not authorize the use of its proprietary
       systems or networks for unsolicited or bulk email
       from the Internet.) 
	via ESMTP id JAA06491
	for <securedistros@nl.linux.org>; Tue, 20 Mar 2001 09:26:26 -0800 (PST)
	mail_from (casey@sgi.com)
Received: from sgi.com (sgigate.sgi.com [198.29.75.75])
	by cthulhu.engr.sgi.com (SGI-8.9.3/8.9.3) with ESMTP id JAA56016
	for <securedistros@nl.linux.org>; Tue, 20 Mar 2001 09:26:24 -0800 (PST)
Message-ID: <3AB792C0.CEECA4B2@sgi.com>
Date:   Tue, 20 Mar 2001 09:26:24 -0800
From:   Casey Schaufler <casey@sgi.com>
Organization: Silicon Graphics
X-Mailer: Mozilla 4.76C-SGI [en] (X11; I; IRIX 6.5-casey-root-4DMH IP32)
X-Accept-Language: en
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
References: <Pine.LNX.4.21.0103171451490.13050-100000@imladris.rielhome.conectiva> <3AB3D7BB.5BCB9E1D@wirex.com> <3AB69E61.D0AC3C6D@sgi.com> <3AB7267D.5000605@ksu.ru>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Pedro Rosa wrote:

> > It is called out often enough that every system vendor
> > supplies it.
> 
> We all know THAT system vendor.

I really do mean every system vendor. Sun, Compaq, IBM, SGI, HP,
MicroSoft.


> > Badly baked cookies don't sell, either!
> 
> I wouldn't say sooooooo. You see, software is still untasteful. Thanks
> God...

Yes, I too have seen tasteless software.

> No, your analogy is not quite correct. I would change those anchovies
> for that fish that love so much in Japan... That's more about how
> Security works...

On a Pizza? Yuk!

-- 

Casey Schaufler				Manager, Trust Technology, SGI
casey@sgi.com				voice: 650.933.1634
casey_p@pager.sgi.com			Pager: 888.220.0607

From owner-securedistros@nl.linux.org Tue Mar 20 22:21:43 2001
Received: by humbolt.nl.linux.org id <S92207AbRCTVUZ>;
	Tue, 20 Mar 2001 22:20:25 +0100
Received: from ecstasy.ksu.ru ([193.232.252.41]:37629 "EHLO ecstasy.ksu.ru")
	by humbolt.nl.linux.org with ESMTP id <S92188AbRCTVUG>;
	Tue, 20 Mar 2001 22:20:06 +0100
X-Pass-Through: Kazan State University network
Received: from ksu.ru (ic29.soros.ksu.ru [194.85.244.129])
	by ecstasy.ksu.ru (8.9.3/8.9.3) with ESMTP id AAA01322
	for <securedistros@nl.linux.org>; Wed, 21 Mar 2001 00:13:14 +0300 (MSK)
Message-ID: <3AB7C7DF.1040801@ksu.ru>
Date:   Wed, 21 Mar 2001 00:13:03 +0300
From:   Pedro Rosa <Pedro.Rosa@ksu.ru>
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-9mdksmp i686; en-US; 0.8) Gecko/20010319
X-Accept-Language: en, ru
MIME-Version: 1.0
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
References: <Pine.LNX.4.21.0103171451490.13050-100000@imladris.rielhome.conectiva> <3AB3D7BB.5BCB9E1D@wirex.com> <3AB69E61.D0AC3C6D@sgi.com> <3AB7267D.5000605@ksu.ru> <3AB792C0.CEECA4B2@sgi.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

Casey Schaufler wrote:

> Pedro Rosa wrote:
> 
>> No, your analogy is not quite correct. I would change those anchovies
>> for that fish that love so much in Japan... That's more about how
>> Security works...
> 
> 
> On a Pizza? Yuk!
> 
You see? You are acting just in the line of the analogy you stated! :)
So we come to the conclusion that Security is like a pizza with fugu... ;)

Ektanoor


From owner-securedistros@nl.linux.org Wed Mar 21 00:11:47 2001
Received: by humbolt.nl.linux.org id <S92233AbRCTXKP>;
	Wed, 21 Mar 2001 00:10:15 +0100
Received: from perninha.conectiva.com.br ([200.250.58.156]:49936 "EHLO
        postfix.conectiva.com.br") by humbolt.nl.linux.org with ESMTP
	id <S92193AbRCTXJq>; Wed, 21 Mar 2001 00:09:46 +0100
Received: from burns.conectiva (burns.conectiva [10.0.0.4])
	by postfix.conectiva.com.br (Postfix) with SMTP id B05BF16DBB
	for <securedistros@nl.linux.org>; Tue, 20 Mar 2001 20:09:38 -0300 (EST)
Received: (qmail 28549 invoked by uid 0); 20 Mar 2001 23:09:00 -0000
Received: from dial10.ras.conectiva (HELO imladris.rielhome.conectiva) (root@10.0.8.10)
  by burns.conectiva with SMTP; 20 Mar 2001 23:09:00 -0000
Received: from localhost (IDENT:riel@localhost [127.0.0.1])
	by imladris.rielhome.conectiva (8.11.2/8.11.2) with ESMTP id f2KMihh05053
	for <securedistros@nl.linux.org>; Tue, 20 Mar 2001 19:44:43 -0300
Date:   Tue, 20 Mar 2001 19:44:42 -0300 (BRST)
From:   Rik van Riel <riel@conectiva.com.br>
X-Sender: riel@imladris.rielhome.conectiva
To:     securedistros@nl.linux.org
Subject: Re: Is this mail list dead?
In-Reply-To: <3AB7C7DF.1040801@ksu.ru>
Message-ID: <Pine.LNX.4.21.0103201943280.3750-100000@imladris.rielhome.conectiva>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

On Wed, 21 Mar 2001, Pedro Rosa wrote:

> You see? You are acting just in the line of the analogy you stated! :)
> So we come to the conclusion that Security is like a pizza with
> fugu... ;)

Where some people will want fugu while other people prefer
anchovies (or vegetarian).

It would be neat if the people who want anchovies on their
pizza can just toggle CONFIG_ANCHOVIS and compile it into
their pizza (kernel)...

regards,

Rik
--
Virtual memory is like a game you can't win;
However, without VM there's truly nothing to lose...

		http://www.surriel.com/
http://www.conectiva.com/	http://distro.conectiva.com.br/


