I found LUKS recently through SUSE Linux 10.3,
and the other night I read an article in c't 2006/11.
I can't seriously appreciate the technical internals,
as I'm not too competent there.
Anyway: Kudos to Clemens Fruhwirth!
But I am not really sure whether I can trust what I read in that article regarding the master key,
specifically that the master key can be read from the LUKS volume by the sys admin without any difficulties.
Does that really mean that as soon as somebody gains control over my computer with a mounted LUKS encrypted (external) disc
and he also manages to gain root privileges,
that he can retrieve the necessary information
to mount that disc himself with LUKS means again?!?
I mean without me passing the keys to him.
If that is seriously so,
I think I will have to find myself another disc encryption toolset,
as I cannot tolerate that intruders can deal with my personal data without my explicit permission and support.
Whether those intruders have governmental permissions, I don't f...ing care.
I appreciate your serious comments.
J.
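As an added illustration (not from J.'s mail nor from cryptsetup), the following Python parses a LUKS1 header to show what is actually stored on the volume: the cipher spec, a digest of the master key and per-slot key material that is itself encrypted under each passphrase, but never the master key in clear. The header bytes it parses are constructed inline for the example, not read from any real device.

```python
import struct

# LUKS1 on-disk header: 208-byte phdr followed by 8 key slots of 48 bytes (592 total).
LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"   # magic, version, cipher, mode, hash, payload
SLOT_FMT = ">II32sII"                     # offset, key bytes, mk digest, salt, iter, uuid
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD   # the only valid slot states

def _cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii")

def parse_luks1_header(data):
    """Parse a LUKS1 header into a dict; raises ValueError on anything malformed."""
    if len(data) < 592 or data[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS1 header")
    (_magic, version, cipher, mode, hashspec, payload_off, key_bytes,
     _mk_digest, _mk_salt, mk_iter, uuid) = struct.unpack_from(PHDR_FMT, data, 0)
    if version != 1:
        raise ValueError("unsupported LUKS version %d" % version)
    slots = []
    for i in range(8):
        active, iters, _salt, _km_off, stripes = struct.unpack_from(SLOT_FMT, data, 208 + 48 * i)
        if active == SLOT_ENABLED:
            slots.append({"slot": i, "iterations": iters, "stripes": stripes})
        elif active != SLOT_DISABLED:
            raise ValueError("slot %d has invalid state 0x%08x" % (i, active))
    # Note what is absent: only the digest of the master key and the encrypted
    # (anti-forensic split) key material per slot live on disk, never the key itself.
    return {"cipher": _cstr(cipher), "mode": _cstr(mode), "hash": _cstr(hashspec),
            "key_bits": key_bytes * 8, "payload_offset_sectors": payload_off,
            "mk_digest_iterations": mk_iter, "uuid": _cstr(uuid), "enabled_slots": slots}

def build_sample_header():
    """Constructed sample header (aes-cbc-essiv:sha256, 256-bit key, only slot 0 enabled)."""
    phdr = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1",
                       2056, 32, b"\x11" * 20, b"\x22" * 32, 10000,
                       b"0f1e2d3c-0000-4000-8000-000000000000")
    slots = struct.pack(SLOT_FMT, SLOT_ENABLED, 150000, b"\x33" * 32, 8, 4000)
    slots += struct.pack(SLOT_FMT, SLOT_DISABLED, 0, b"\0" * 32, 0, 0) * 7
    return phdr + slots
```

On a real system the same parser can be pointed at the first 592 bytes of a LUKS1 device to audit which key slots are enabled and how many iterations protect each one.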
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-security+help(a)opensuse.org
Hi,
sorry for not using English in the other post.
I've got an old SuSE 9.3 system that serves as a firewall/router/samba
for a small office.
I use ssh for maintenance.
Recently I learned that on other systems there is a /var/log/auth.log
that logs who is coming in.
This file doesn't exist on my system and I couldn't find an entry in
the 2 files in /etc/syslog-ng.
Could someone give me a hint how to set this auth.log up?
I have to admit that I'm not really hot with this setup stuff that goes
beyond yast.
---------------------------------------------------------------------
Dear openSUSE developers or Experts!
In these days I am mostly engaged in the task of choosing a free and secure
Linux distribution for our university. I prefer openSUSE but its security is
unclear for me in some aspects. As far as I know, openSUSE has compile time
and runtime userland protection against memory related exploits (gcc / Fortify
Source), runtime SSP (gcc / -fstack-protector), and LSM based MAC framework
(AppArmor). But I wonder if you could tell me if:
- openSUSE 10.3 or older versions have all packages compiled as PIE or PIC to
utilize the ASLR capabilities of the 2.6.20 and newer Linux kernels? (Does
openSUSE 10.3 have an ASLR capability comparable to that of PaX?)
- openSUSE has W^X capabilities (similar to the capabilities provided by PaX or
ExecShield patches)? On which architectures and how extensively?
- openSUSE packages are linked with BIND_NOW option to make the -z relro
linking option even more effective?
- openSUSE systems have some extra chroot
restrictions, /dev/mem, /dev/kmem, /dev/port, /proc/<PID>/stat, /proc/<PID>/maps,
Linux privileged I/O related or other security enhancements beyond the
security of the vanilla Linux kernel?
Thank you for the invaluable information!
Best regards:
Nemeth, Tamas
IT administrator
University of West-Hungary, Sopron, Hungary
---------------------------------------------------------------------
Hi Stefan,
I found your mail among no fewer than 7 autoreplies from people
announcing that they are away.
The /bin/false thing is only half a solution.
I tried it once when I wanted to give someone a DB port,
and the connection dropped right after the password was entered.
While writing this, it occurs to me that this could actually be a
solution in my case.
Regards
Andreas
Stefan Nowy wrote:
> Hello!
>
> Andreas wrote:
>
>> Can I deny local users external access in the sshd config?
>> I now also want to prevent an outsider from guessing their way in
>> through the careless passwords of my local users.
>>
>
> Suggestion: in /etc/passwords, replace /bin/bash with /bin/false for
> the bad users?
>
> Stefan
>
>
---------------------------------------------------------------------
Hi,
Can I deny local users external access in the sshd config?
My internal LAN users don't want to access via ssh. Only I use the
ssh port.
I now also want to prevent an outsider from guessing their way in
through the careless passwords of my local users.
---------------------------------------------------------------------
Hi,
I've just noticed, somewhat irritated, that my trusty old SuSE 9.3 has
no /var/log/auth.log.
Until now I never noticed, because I didn't know it existed. =8-}
In /etc/syslog-ng I don't see any entry in the two config files either.
Could someone please enlighten me as to what needs to be done so that
an auth.log is kept here too?
---------------------------------------------------------------------
Hi there,
someone does DoS attacks from my server to servers in the internet. How
could I configure iptables to make DoS attacks impossible from my server,
and how do I have to configure iptables to log all errors and warnings
to an external syslog server? I hope this is the right mailing list for
such questions. I already searched the net, but I couldn't find the
needed answers. Thank you!
Regards, Johnny
---------------------------------------------------------------------
I spent this day reading some documentation and examining openSUSE 10.2,
and there is something I don't understand:
Why are there PIE compiled packages in openSUSE, if the kernel doesn't do ASLR
on the program code? Or does it? (Am I correct if I say that PIE programs
are the ones recognized as "ET_DYN" by scanelf?)
Sorry, but I forgot to send a copy of my previous mail to the list (I thought
it would happen automatically.)
On 24 May 2007 at 17:22, the following was written:
> On Thu, May 24, 2007 at 05:18:36PM +0200, Németh Tamás wrote:
> > Thank you for the quick answer!
> >
> > On 24 May 2007 at 16:39, the following was written:
> > > > -openSUSE 10.3 or older versions have all packages compiled as PIE or
> > > > PIC to utilize the ASLR capabilities of the 2.6.20 and newer Linux
> > > > kernels? (Does openSUSE 10.3 have an ASLR capability comparable to
> > > > that of PaX?)
> > >
> > > We have a selected set of packages (but not all) compiled as PIE since
> > > 10.1.
> >
> > Can I benefit from this by replacing your kernel by some PaX patched one?
>
> If PAX allows it, yes.
>
> > > The kernel has various parts of ASLR:
> > >
> > > - MMAP and Stack location: is in the kernel since 10.1
> > >
> > > - PIE binaries location: is not in the mainline kernel yet, so we do
> > > not have it.
> > >
> > > We are however working on bringing binary location randomization into
> > > the mainline kernel.
> >
> > Oh. Wikipedia
> > (http://en.wikipedia.org/wiki/Address_space_layout_randomization) states
> > that: "ASLR is enabled by default in the linux kernel since 2.6.20".
>
> ASLR has multiple parts ... since there are multiple parts of the address
> space. Binary, Heap, MMAP area, Stack, VDSO ...
> Only some of them are randomized (Stack, Heap with 2.6.13?16? and VDSO with
> 2.6.20).
>
> > But in the file
> > http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20 one can read
> > that:
> >
> > "commit 90cb28e8f76e57751ffe14abd09c2d53a6aea7c8
> > Author: Linus Torvalds <torvalds(a)woody.osdl.org>
> > Date: Sat Jan 6 13:28:21 2007 -0800
> >
> > Revert "[PATCH] binfmt_elf: randomize PIE binaries (2nd try)"
> >
> > This reverts commit 59287c0913cc9a6c75712a775f6c1c1ef418ef3b."
> >
> > (Your patch was refused? Was it a patch for binaries location?)
>
> This was a very simple patch I tried to get in for the Binary
> randomization. Unfortunately it cannot be done that easily.
>
>
> A Czech developer is currently trying to get in a better one, and it
> already lives in the -mm tree.
>
> > > All AMD64 systems, all x86 systems with the "bigsmp" kernel if the
> > > hardware supports it, not sure about the other architectures (PPC,
> > > S390, IA64...).
> >
> > Do Intel EM64T processors running 64 bit openSUSE fall into this
> > category?
>
> Yes.
>
> > > http://en.opensuse.org/Security_Features has a summary.
> >
> > I've read that but I was hoping for some fundamental security
> > enhancements in openSUSE 10.3 which are undocumented yet.
>
> So far not, but until release there is still some time. We have however
> nothing planned.
>
> Ciao, Marcus
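Németh's question above is whether the PIE programs are the ones scanelf reports as ET_DYN. As an added example (not from the thread or from scanelf), the following Python reads the ELF header and program headers and classifies a file as ET_EXEC, or as ET_DYN with a PT_INTERP entry (a PIE executable) versus ET_DYN without one (a shared object). The PT_INTERP test is a heuristic rather than an ELF rule (glibc's libc.so carries one, for instance), and the sample ELF bytes are constructed in the block, not taken from any real binary.

```python
import struct

ET_EXEC, ET_DYN = 2, 3   # e_type values: fixed-address executable vs. position-independent
PT_INTERP = 3            # program header naming the dynamic loader; PIE executables have one

def classify_elf(data):
    """Return 'ET_EXEC', 'ET_DYN (PIE executable)' or 'ET_DYN (shared object)'."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]          # 1/2 = ELF32/ELF64, 1/2 = LE/BE
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("bad ELF class or data encoding")
    end = "<" if ei_data == 1 else ">"
    e_type, = struct.unpack_from(end + "H", data, 16)
    if ei_class == 2:                                # ELF64 header layout
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:                                            # ELF32 header layout
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    if e_type == ET_EXEC:
        return "ET_EXEC"
    if e_type != ET_DYN:
        raise ValueError("not an executable or shared object (e_type=%d)" % e_type)
    has_interp = False
    for i in range(e_phnum):                         # p_type is the first u32 of every phdr
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            raise ValueError("program header table truncated")
        p_type, = struct.unpack_from(end + "I", data, off)
        has_interp = has_interp or p_type == PT_INTERP
    return "ET_DYN (PIE executable)" if has_interp else "ET_DYN (shared object)"

def build_sample_elf64(e_type, with_interp):
    """Constructed minimal little-endian x86-64 ELF: 64-byte header plus one program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x1000, 64, 0, 0,
                               64, 56, 1, 64, 0, 0)
    p_type = PT_INTERP if with_interp else 1         # PT_LOAD otherwise
    phdr = struct.pack("<IIQQQQQQ", p_type, 4, 0, 0, 0, 0, 0, 1)
    return ehdr + phdr

# On a real system: classify_elf(open("/bin/ls", "rb").read())
```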
---------------------------------------------------------------------
Heresy!!!
Actually, I've never tried Red Hat myself. No doubt it's nice. I guess I'm a kinda old-fashioned "one distro man" ;)
I'll be a SuSE man 'til the day I die (or the day *they* die). Of course, we appreciated the irony when, a day after we celebrated shutting down our last Novell file server, the Novell SuSE acquisition was announced! Ha!
Cheers,
--Maitreya
-----Original Message-----
From: Keith Roberts [mailto:keith@karsites.net]
Sent: Thursday, May 24, 2007 10:57 AM
To: opensuse-security(a)opensuse.org
Subject: Re: [opensuse-security] Security features of current openSUSE versions?
You may like to try Fedora Core, sponsored by Red Hat:
http://fedoraproject.org/wiki/Overview
It has an option called SELinux which you might like.
http://fedoraproject.org/wiki/SELinux
Regards
Keith
---------------------------------------------------------------------
SLES9 ships with a script that puts the system into the certified
configuration.
I don't know whether we have such a script for SLES10SP1, but it is
currently in evaluation, so such a script could not be final right now
anyway.
Crispin
Raekism wrote:
> Is there a whitepaper on locking down a "certified" Suse configuration?
>
> Thanks,
> Rae
>
>
> On 5/21/07, *Crispin Cowan* <crispin(a)novell.com> wrote:
>
> Emily Ratliff wrote:
> > Crispin Cowan wrote:
> > > To be considered certified, it would have to be in the certified
> > configuration.
> > > Installing a new application with an open network port
> violates that
> > certification.
> >
> > This is only true if it opens a port < 1024 or runs as root. If
> it is
> > started as a non-root user, then a port can be opened. That's why
> > running a webserver on port 8080 does not violate the certified
> > configuration.
> >
> > I'm not arguing against your main point, but it is not quite as
> bad as
> > you state here.
> Thanks for clarifying. It's good to know that the certified
> configuration's restrictions make it less useless than I thought :-)
>
> Crispin
>
> --
> Crispin Cowan, Ph.D.
> http://crispincowan.com/~crispin/
> Director of Software Engineering http://novell.com
>
>
> --
> Be who you are and say what you feel, because those who mind don't
> matter and those who matter don't mind.
> - Dr. Seuss
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering http://novell.com
---------------------------------------------------------------------