On Wed, Feb 08, 2006 at 02:55:03PM +0200, HG wrote:
> Hello!
> I could not really find good information about the security features of the next 10.1 version from the Wiki. I'm personally very interested in
> 1) Easy access control systems (I do not know what these could be... but could be easier than current)

That's a broad issue. We are using the traditional UNIX methods and replacing them ... well. What actually is the problem with the current one? Also AppArmor on top of the traditional UNIX way is possible.

> 2) Easy way of sandboxing servers, like limiting SFTP to some folder and its subfolders.

Here the answer is AppArmor ;)

> 3) File and folder access auditing - very much needed feature in corporations!! A must have.

In SLES8 and SLES9 we included LAuS, an EAL/CAPP compliant audit system. For 10.1 and SLES 10 we include the upstream lightweight auditing framework, which is not yet EAL/CAPP compliant. (It's in the "audit" package.) However, some auditing capabilities are available already in this system.

> 4) Scanning tools, like NMAP and Nessus (nmap is available from Guru YaST repository, but Nessus is not from anywhere AFAIK - except manually from nessus.org, I guess)

nmap is on 10.1. nessus should be there too, but isn't on the CDs (likely for space reasons).

> So, can somebody elaborate on these features and their future in (OSS) SUSE Linux?

Additionally we have some low-level security things:
- Continuing -D_FORTIFY_SOURCE=2 usage for all packages. glibc 2.4 protects more functions with this option.
- glibc itself brings more consistency checks in its heap management, and start of pointer mangling of structs kept on the stack.
- -fstack-protector use for critical libraries and binaries. (Personally I do not consider that too important, the number of stack overflows is fortunately diminishing.)
- Address space randomization enhancements. Unfortunately we have there only:
  - stack randomization (every platform, 10 bit)
  - mmap / shared library randomization on: i386 and amd64 in ia32 mode (with ulimit -s set), 10 bit; amd64 native (every time), 19 bit (I think)
  Missing:
  - PIE randomization
  - Heap randomization
  - VDSO randomization

Ciao, Marcus
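An added example, not part of the mail above, showing how an administrator can measure the randomization bits Marcus lists for stack, heap and shared-library mappings on their own box. It assumes a Linux system with /proc, awk, and a POSIX shell with 64-bit arithmetic; the function names are this example's own.

```shell
#!/bin/sh
# Added example: sample the base address of a mapping in freshly started
# processes and count how many address bits vary between samples, which
# approximates the randomization bits available for that region.
# Function names below are this example's own, not a SUSE-shipped tool.

# Count bit positions that differ across the given hex addresses: XOR each
# address against the first, OR the results together, then popcount.
aslr_varying_bits() {
    first=""
    acc=0
    for a in "$@"; do
        v=$(( 0x$a ))
        if [ -z "$first" ]; then
            first=$v
            continue
        fi
        acc=$(( acc | (v ^ first) ))
    done
    bits=0
    while [ "$acc" -ne 0 ]; do
        bits=$(( bits + (acc & 1) ))
        acc=$(( acc >> 1 ))
    done
    echo "$bits"
}

# Start $2 fresh processes (each awk reads its own /proc/self/maps) and print
# the start address of the first mapping whose line matches pattern $1.
sample_mapping_base() {
    pattern=$1
    n=${2:-20}
    i=0
    while [ "$i" -lt "$n" ]; do
        awk -v p="$pattern" '$0 ~ p { sub(/-.*/, "", $1); print $1; exit }' /proc/self/maps
        i=$(( i + 1 ))
    done
}

# Report varying bits for the stack, the heap and the shared-library area
# (libc taken as the representative mmap'd library).
aslr_report() {
    for p in stack heap libc; do
        printf '%-6s %s varying bits\n' "$p" "$(aslr_varying_bits $(sample_mapping_base "$p" 20))"
    done
}
```

A region that reports 0 varying bits across runs is not being randomized on that system; on 10.1 this is what you would expect for the heap, PIE and VDSO regions named as missing above.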