Am 21.03.2017 um 06:45 schrieb Marcus Meissner:

On Tue, Mar 21, 2017 at 04:31:36AM +0100, Malte Gell wrote:

...

Just out of curiousity, do SUSE kernel have security specific patches / features, the vanilla kernel does not have?

Not specifically, no.

Note that the mainline kernel especially in the last years is getting quite some new security features every release.

Yes. I just learned about the kernel self protection project. The kernel can be made much more secure just by using appropriate wise config setup. By the way, does SUSE have user supplied statistics, maybe for enterprise products about hacked servers? That would be interesting to see, what security holes real life hackers mostly use to break into systems. Well, as far as customers are willing to give such data back to the distributor.... regards Malte -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-security+owner@opensuse.org

Hello, Am Samstag, 25. März 2017, 11:40:22 CEST schrieb Marcus Meissner:

On Sat, Mar 25, 2017 at 11:00:18AM +0100, Malte Gell wrote:

...

Am 21.03.2017 um 06:45 schrieb Marcus Meissner:

...

On Tue, Mar 21, 2017 at 04:31:36AM +0100, Malte Gell wrote:

...

Just out of curiousity, do SUSE kernel have security specific patches / features, the vanilla kernel does not have?

Not specifically, no.

Well, actually there is a little detail - network rules in AppArmor ;-) This patch is included in the (open)SUSE kernel since years for historical reasons (and also in the Ubuntu kernel because most upstream developers work for Canonical). The Ubuntu kernel has some more AppArmor features (dbus, ptrace, signal, mount rules) which will go upstream in one of the next kernel releases. (I don't know in which version exactly.)

...

By the way, does SUSE have user supplied statistics, maybe for enterprise products about hacked servers? That would be interesting to see, what security holes real life hackers mostly use to break into systems. Well, as far as customers are willing to give such data back to the distributor....

None of our customers do report this back to us as far as I am aware.

If you ask me to guess, most intrusions come from unsafe third party apps, exploits of unpatched systems or trivial passwords. :/

My experience from maintaining some web and mail servers shows exactly two typical reasons: - outdated CMS with known security issues because customers don't want to update for various reasons [1]. Also known as ETOLDYOUSO ;-) On the positive side, I now have some nice PHP shells ;-) - unfortunately not trustworthy because of where the code comes from. Funnily, most attackers have those shells password-protected to make sure nobody else can use them ("hey, _I_ hacked this website!") - stolen mail passwords abused to send spam (I doubt this is caused by cracked trivial passwords - my guess is that windows trojans send the mail password to their master together with the addressbook) IIRC I never had successful attacks on something installed from the distribution (kernel, apache, PHP etc.) even after a release went EOL (again, see [1]). I'm not really surprised about that - why should someone waste time on a kernel hack if the CMS has the front door wide open? ;-) Please don't misread this as "you never need to patch the OS" - I'm just saying that other attacks are more common IMHO. Oh, and make sure to enforce key-only SSH logins. The number of login attemps with guessed passwords and usernames is insane. Regards, Christian Boltz PS: If stolen mail passwords get abused, I have a nice cure - I change the password of that account instantly (of course) and replace it with a more secure password, for example nN2Z59EA/sbE2Cp+cRpt196J/3Iq1pwq/3KGDCWk [2] People *love* to hear their new password on the phone *eg* [1] time, money, customer-specific code that is incompatible with the new version etc. - or a wild mix of these reasons [2] having a little script to generate secure random passwords helps a lot, and no, I didn't use the above example password anywhere ;-) -- If it isn't broken dont fix it. [Winston Graeme in opensuse] -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-security+owner@opensuse.org