On 10/20/01 2:10 PM Markus Gaugusch wrote: [...]
> PS: once more openwall patches made my life easier :) The ptrace bug can't be exploited with available exploits, because pidof can't find the pid of suid binaries that are hidden by the procps patch.
And this again brings me to a question that I already wanted to post to the list several times before: Why doesn't SuSE offer an already patched kernel / patched sources in the distribution, e.g. with the OpenWall or the GR-Security patch? This would make life easier for a lot of people, I think. I always use the kernel sources from .../people/mantel/next and the SuSE default configuration as a starting point for my own kernels, but patching always went wrong because some parts of the code are already patched by SuSE. So one would have to use the original sources, but then the nice SuSE enhancements are gone ;)

Cheers
Bjoern
> And this again brings me to a question that I already wanted to post to the list several times before: Why doesn't SuSE offer an already patched kernel / patched sources in the distribution, e.g. with the OpenWall or the GR-Security patch? This would make life easier for a lot of people, I think. I always use the kernel sources from .../people/mantel/next and the SuSE default configuration as a starting point for my own kernels, but patching always went wrong because some parts of the code are already patched by SuSE. So one would have to use the original sources, but then the nice SuSE enhancements are gone ;)
... and why not ship SuSE with NSA's Security-Enhanced Linux as an add-on? it's a very good piece of work IMHO.

anyway, i can't speak for the SuSE people, but the problem with patches (and programs) is that new versions tend to pop up every second day; the more serious problem is that secholes tend to pop up every day. you simply can't keep a distro up to date, especially if it's delivered in a box, so to speak.

up-to-date manual patching is always the best way.

/Thomas

--
thomas@northernsecurity.net | www.northernsecurity.net
PGP: 4315 81B3 9E7F DC00 63DC F1D8 1326 651B AADE 91FC
(sourceCode == freeSpeech)
> ... and why not ship SuSE with NSA's Security-Enhanced Linux as an add-on? it's a very good piece of work IMHO.
The first thing that comes to my mind is: do you even know what NSA SELinux is? If you did, you wouldn't be asking SuSE to make it standard. It's very complex. Configuring the security templates/etc/etc is extremely non-trivial.
> anyway, i can't speak for the SuSE people, but the problem with patches (and programs) is that new versions tend to pop up every second day; the more serious problem is that secholes tend to pop up every day. you simply can't keep a distro up to date, especially if it's delivered in a box, so to speak.
Uhhh? The actual number of exploitable security holes in the Linux kernel itself is quite low. There are more problems in various applications such as Sendmail, but realistically it's not too bad.
> up-to-date manual patching is always the best way.
Yup. On all 1,000 machines. Better not make any mistakes. Manual is definitely the way to go (note: this is how apache.org got hacked into). Especially when it's a long weekend and you're not at work. Thankfully you do not have to do much regression testing with SuSE patches (unlike, say, Microsoft) and mostly automated install will be fine.
> /Thomas
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
On Sun, 21 Oct 2001, someone wrote:
> And this again brings me to a question that I already wanted to post to the list several times before: Why doesn't SuSE offer an already patched kernel / patched sources in the distribution, e.g. with the OpenWall or the GR-Security patch? This would make life easier for a lot of people, I think. I always use the kernel sources from .../people/mantel/next and the SuSE default configuration as a starting point for my own kernels, but patching always went wrong because some parts of the code are already patched by SuSE. So one would have to use the original sources, but then the nice SuSE enhancements are gone ;)
on my dvd is a directory /unsorted/patches. what are these patches: the ones applied by SuSE or some unsorted, unrelated ones?

--
--- Engelbert Gruber ----=~ SSG Fintl,Gruber,Lassnig
A6410 Telfs Untermarkt 9 Tel. ++43-5262-64727 ----=~
> The first thing that comes to my mind is: do you even know what NSA SELinux is? If you did, you wouldn't be asking SuSE to make it standard. It's very complex. Configuring the security templates/etc/etc is extremely non-trivial.
Yes i know what SELinux is and i'm using it on one of my machines. You're correct that it's non-trivial to configure, but as i said, supply it as an add-on, not as a default package. If someone thinks they will benefit from using SELinux, they'll install it and read the docs; if he/she thinks it sucks, they won't install it. it's a matter of choice.
> Uhhh? The actual number of exploitable security holes in the Linux kernel itself is quite low. There are more problems in various applications such as Sendmail, but realistically it's not too bad.
yes, but why not patch everything while you're at it?
> Yup. On all 1,000 machines. Better not make any mistakes. Manual is definitely the way to go (note: this is how apache.org got hacked into). Especially when it's a long weekend and you're not at work. Thankfully you do not have to do much regression testing with SuSE patches (unlike, say, Microsoft) and mostly automated install will be fine.
if you want to use automatic updating: great, that's your choice. i prefer manual updates since i'm a control freak. it takes longer than automatic updating, but at least i know when something doesn't work, which packages i've installed, and so on and so forth.

/Thomas

--
thomas@northernsecurity.net | www.northernsecurity.net
PGP: 4315 81B3 9E7F DC00 63DC F1D8 1326 651B AADE 91FC
(sourceCode == freeSpeech)
> Yes i know what SELinux is and i'm using it on one of my machines. You're correct that it's non-trivial to configure, but as i said, supply it as an add-on, not as a default package. If someone thinks they will benefit from using SELinux, they'll install it and read the docs; if he/she thinks it sucks, they won't install it. it's a matter of choice.
Kind of hard, they'd have to build twice as many kernels, test them, etc. You'd have to have a LOT of customers screaming for it before they do that. If people were serious about security they'd keep their systems up to date, let alone taking the time to learn SELinux.
> yes, but why not patch everything while you're at it?
? you can't use security patches until the problem is discovered, solved and tested. Or do you mean add-on security patches? Some guy ported Solar Designer's security patches to 2.4 and introduced a root hack. Ooops.
> if you want to use automatic updating: great, that's your choice. i prefer manual updates since i'm a control freak. it takes longer than automatic updating, but at least i know when something doesn't work, which packages i've installed, and so on and so forth.
Uh. you do with a good automated system as well.
> /Thomas
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
On Tuesday 23 October 2001 01:27, Kurt Seifried wrote:
> Kind of hard, they'd have to build twice as many kernels, test them, etc. You'd have to have a LOT of customers screaming for it before they do that. If people were serious about security they'd keep their systems up to date, let alone taking the time to learn SELinux.
since SELinux can be compiled on SuSE 7.2, they (SuSE) don't need to build twice as many kernels; the NSA and SELinux users are doing it for them, so to speak. check the SEL mailing list.

sure, there's a couple of compilation problems, but users have that problem with KDE2 as well.

i agree, it's a higher priority to keep your system up to date than using SEL in an everyday environment. but SEL is a good option to increase the system security level.

about the customer "problem": how many customers screamed for Kbear?
> Uh. you do with a good automated system as well.
like everything else, it's a matter of taste.

/Thomas

--
thomas@northernsecurity.net | www.northernsecurity.net
PGP: 4315 81B3 9E7F DC00 63DC F1D8 1326 651B AADE 91FC
(sourceCode == freeSpeech)
> since SELinux can be compiled on SuSE 7.2, they (SuSE) don't need to build twice as many kernels; the NSA and SELinux users are doing it for them, so to speak. check the SEL mailing list.
Kernels with and without. You can't force SELinux into SuSE without a shitload of testing (at least I hope this would be SuSE's reaction =).
> sure, there's a couple of compilation problems, but users have that problem with KDE2 as well.
difference between kde2 and kernel. kde2 a bit buggy, ok. kernel a bit buggy, not ok.
> i agree, it's a higher priority to keep your system up to date than using SEL in an everyday environment. but SEL is a good option to increase the system security level.
Assuming people can learn to use it correctly, which I highly doubt based on what I see happening and the feedback I get from people with respect to lasg.
> /Thomas
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
participants (4)
- Björn Engels
- engelbert.gruber@ssg.co.at
- Kurt Seifried
- Thomas Sjogren