openSUSE Security May 2007

security@lists.opensuse.org

39 participants
21 discussions

[opensuse-security] LUKS and its master key
by Jochen+opensuse-security＠Hayek.name 12 Dec '07

12 Dec '07

I found LUKS recently through SUSE Linux 10.3, and the other night a read an article in c't 2006/11. I can't seriously appreciate the technical internals, as I'm not too compentent there. Anyway: Kudos to Clemens Fruhwirth! But I am not really sure, whether I can trust, what I read in that article regarding the master key, spefically that the master key can be read from the LUKS volume by the sys admin without any difficulties. Does that really mean, that as soon as somebody gains control over my computer with a mounted LUKS encrypted (external) disc and he also manages to gain root priviliges, that he can retrieve the necessary information, to mount that disc himself with LUKS-means again?!? I mean without me passing the keys to him. If that is seriously so, I think I will have to find myself another disc encryption toolset, as I cannot tolerate, that intruders can deal with my personal data without my explicit permission and support. Whether those intruders have governmental permissions, I don't f...ing care. I appreciate your serious comments. J. --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

6 11

[opensuse-security] Need help with SuSE 9.3 and /var/log/auth.log
by Andreas 31 May '07

31 May '07

Hi, sorry for not using english in the other post. I've got an old SuSE 9.3 system that serves as a firewall/router/samba for a small office. I use ssh for maintenance. Recently I learned that on other systems there is a /var/log/auth.log that logs who is coming in. This files doesn't exist on my system and I couldn't find an entry in the 2 files in /etc/syslog-ng. Could someone give me a hint how to set this auth.log up? I have to admit that I'm not really hot with this setup stuff that goes beyond yast. --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

7 7

[opensuse-security] Security features of current openSUSE versions?
by Németh Tamás 30 May '07

30 May '07

Dear openSUSE developers or Experts! In these days I am mostly engaged in the task of choosing a free and secure Linux ditribution for our university. I prefer openSUSE but it's security is unclean for me in some aspects. As far as i know, opesSUSE has compile time and runtime userland protection agains memory related exploits (gcc / Fortify Source), runtime SSP (gcc / -fstack-protector), and LSM based MAC framework (AppArmor). But I wonder if you could tell me if: -openSUSE 10.3 or older versions have all packages compiled as PIE or PIC to utilize the ASLR capabilities of the 2.6.20 and newer Linux kernels? (Does openSUSE 10.3 have an ASLR capability comparable to that of PaX?) -openSUSE has W^X capabilities (similar to the capabilities provided by PaX or ExecShield patches)? On which architectures and how extensively? -openSUSE packages are linked with BIND_NOW option to make the -z relro linking option even more effective? -openSUSE systems have some extra chroot restrictions, /dev/mem, /dev/kmem, /dev/port, /proc/<PID>/stat, /proc/<PID>maps, Linux privileged I/O related or other security enhancements beyond to the security of the vanilla Linux kernel? Thank you for the invaluable information! Best regards: Nemeth, Tamas IT administrator University of West-Hungary, Sopron, Hungary --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

6 7

Re: [opensuse-security] Frage zu sshd
by Andreas 29 May '07

29 May '07

Hi Stefan, ich fand deine Mail zwischen immerhin schon 7 autoreplies wo wer verkündet, er wäre nicht da. Das mit /bin/false ist nur eine halbe Lösung. Ich habe es schon mal versucht, als ich wem einen DB-Port geben wollte und da brach nach der Passworteingabe die Verbindung zusammen. Wärend ich das grad schrieb, fällt mir auf, dass das doch eine Lösung in meinem Fall sein könnte. Gruß Andreas Stefan Nowy schrieb: > Hallo! > > Andreas wrote: > >> kann ich in der config zum sshd lokalen Usern externen Zugriff verwehren? >> Ich möchte jetzt noch verhindern, dass durch nachlässige Passworte >> meiner lokalen user jemand fremdes sich den Zugriff erraten kann. >> > > Vorschlag: in der /etc/passwords bei den bösen usern /bin/bash durch > /bin/false ersetzen? > > Stefan > > --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

3 2

[opensuse-security] Frage zu sshd
by Andreas 29 May '07

29 May '07

Hi, kann ich in der config zum sshd lokalen Usern externen Zugriff verwehren? Meine internen LAN User wollen nicht via ssh zugreifen. Den ssh-port nutze nur ich. Ich möchte jetzt noch verhindern, dass durch nachlässige Passworte meiner lokalen user jemand fremdes sich den Zugriff erraten kann. --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

1 0

[opensuse-security] Hilfe meine SuSE 9.3 hat keine /var/log/auth.log
by Andreas 29 May '07

29 May '07

Hi, meine altbewährte SuSE 9.3 hat keine /var/log/auth.log hab ich grad etwas irritiert festgestellt. Bis jetzt fiel mir das nie auf, weil ich nicht wusste, dass es die gibt. =8-} In /etc/syslog-ng sehe ich in den beiden config-Dateien auch keien Eintrag. Könnt mich bitte wer erleuchten, was zu tun ist, damit hier auch so ein auth.log geführt wird? --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

1 0

[opensuse-security] DoS Attacks
by "J. Schröder" 28 May '07

28 May '07

Hi there, someone does DoS attacks from my server to servers in the internet. How could I configure iptables to make DoS attacks impossible from my server and how do I have to configure iptables to log all errors and warnings to a external syslog server? I hope this is the right mailinglist for such questions. I already searched the net, but I couldn't find the needed answers. Thank you! Regards, Johnny --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

7 6

Re: [opensuse-security] Security features of current openSUSE versions?
by Németh Tamás 25 May '07

25 May '07

I spent this day by reading some documentations and examining openSUSE 10.2, and there is something, I don't understand: Why are there PIE compileg packages in openSUSE, if the kernel doesn't do ASLR on the program codes? Or does it do? (Am I correct if I say that PIE programs are the ones recognized as "ET_DYN" by scanelf?) Sorry but I forgot to send a copy of my previous mail to the list (I thought it should happen automatically.) 2007. május 24. 17.22 dátummal ezt írta: > On Thu, May 24, 2007 at 05:18:36PM +0200, Németh Tamás wrote: > > Thank you for the quick answer! > > > > 2007. május 24. 16.39 dátummal ezt írta: > > > > -openSUSE 10.3 or older versions have all packages compiled as PIE or > > > > PIC to utilize the ASLR capabilities of the 2.6.20 and newer Linux > > > > kernels? (Does openSUSE 10.3 have an ASLR capability comparable to > > > > that of PaX?) > > > > > > We have a selected set of packages (but not all) compiled as PIE since > > > 10.1. > > > > Can I benefit from this by replacing your kernel by some PaX patched one? > > If PAX allows it, yes. > > > > The kernel has various parts of ASLR: > > > > > > - MMAP and Stack location: is in the kernel since 10.1 > > > > > > - PIE binaries location: is not in the mainline kernel yet, so we do > > > not have it. > > > > > > We are however working on bringing binary location randomization into > > > the mainline kernel. > > > > Oh. Wikipedia > > (http://en.wikipedia.org/wiki/Address_space_layout_randomization) states > > that: "ASLR is enabled by default in the linux kernel since 2.6.20". > > ASLR has multiple parts ... since there are multiple parts of the address > space. Binary, Heap, MMAP area, Stack, VDSO ... > Only some of them are randomized (Stack, Heap with 2.6.13?16? and VDSO with > 2.6.20). > > > But in the file > > http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20 one can read > > that: > > > > "commit 90cb28e8f76e57751ffe14abd09c2d53a6aea7c8 > > Author: Linus Torvalds <torvalds(a)woody.osdl.org> > > Date: Sat Jan 6 13:28:21 2007 -0800 > > > > Revert "[PATCH] binfmt_elf: randomize PIE binaries (2nd try)" > > > > This reverts commit 59287c0913cc9a6c75712a775f6c1c1ef418ef3b." > > > > (Your patch was refused? Was it a patch for binaries location?) > > This was a very simple patch I tried to get in for the Binary > randomization. Unfortunately it cannot be done that easily. > > > A czech developer is currently trying to get in a better one, and it > already lives in the -mm tree. > > > > All AMD64 systems, all x86 systems with the "bigsmp" kernel if the > > > hardware supports it, not sure about the other architectures (PPC, > > > S390, IA64...). > > > > Do Intel EM64T processors running 64 bit openSUSE fall into this > > category? > > Yes. > > > > http://en.opensuse.org/Security_Features has a summary. > > > > I've read that but I was hoping for some fundamental security > > enhancements in openSUSE 10.3 which are undocumented yet. > > So far not, but until release there is still some time. We have however > nothing planned. > > Ciao, Marcus --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

2 1

RE: [opensuse-security] Security features of current openSUSE versions?
by Maitreya Maziarz 24 May '07

24 May '07

Heresy!!! Actually, I've never tried Red Hat myself. No doubt it's nice. I guess I'm a kinda old-fashioned "one distro man" ;) I'll be a SuSE man 'til the day I die (or the day *they* die). Of course, we appreciated the irony when, a day after we celebrated shutting down our last Novell file server, the Novell SuSE acquisition was announced! Ha! Cheers, --Maitreya -----Original Message----- From: Keith Roberts [mailto:keith@karsites.net] Sent: Thursday, May 24, 2007 10:57 AM To: opensuse-security(a)opensuse.org Subject: Re: [opensuse-security] Security features of current openSUSE versions? You may like to try Fedora Core, sponsored by Red Hat: http://fedoraproject.org/wiki/Overview It has an option called SELinux which you might like. http://fedoraproject.org/wiki/SELinux Regards Keith --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

1 0

Re: [opensuse-security] EAL 3 and 4 rated versions.
by Crispin Cowan 21 May '07

21 May '07

SLES9 ships with a script that puts the system into the certified configuration. I don't know whether we have such a script for SLES10SP1, but it is currently in evaluation, so such a script could not be final right now anyway. Crispin Raekism wrote: > This there a whitepaper on locking down a "certified" Suse configuration? > > Thanks, > Rae > > > On 5/21/07, *Crispin Cowan* <crispin(a)novell.com > <mailto:crispin@novell.com>> wrote: > > Emily Ratliff wrote: > > Crispin Cowan wrote: > > > To be considered certified, it would have to be in the certified > > configuration. > > > Installing a new application with an open network port > violates that > > certification. > > > > This is only true if it opens a port < 1024 or runs as root. If > it is > > started as a non-root user, then a port can be opened. That's why > > running a webserver on port 8080 does not violate the certified > > configuration. > > > > I'm not arguing against your main point, but it is not quite as > bad as > > you state here. > Thanks for clarifying. Its good to know that the certified > configuration's restrictions make it less useless than I thought :-) > > Crispin > > -- > Crispin Cowan, Ph.D. > http://crispincowan.com/~crispin/ > <http://crispincowan.com/%7Ecrispin/> > Director of Software Engineering http://novell.com > > --------------------------------------------------------------------- > To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org > <mailto:opensuse-security+unsubscribe@opensuse.org> > For additional commands, e-mail: > opensuse-security+help(a)opensuse.org > <mailto:opensuse-security+help@opensuse.org> > > > > > -- > Be who you are and say what you feel, because those who mind don't > matter and those who matter don't mind. > - Dr. Seuss -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering http://novell.com --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

1 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

openSUSE Security May 2007