Mailinglist Archive: opensuse-security (22 mails)

Re: [opensuse-security] SUSE kernel security features vs vanilla

On Saturday, 25 March 2017, 11:40:22 CEST, Marcus Meissner wrote:
On Sat, Mar 25, 2017 at 11:00:18AM +0100, Malte Gell wrote:
On 21.03.2017 at 06:45, Marcus Meissner wrote:
On Tue, Mar 21, 2017 at 04:31:36AM +0100, Malte Gell wrote:
Just out of curiosity,
do SUSE kernels have security-specific patches / features that the
kernel does not have?

Not specifically, no.

Well, actually there is a little detail - network rules in AppArmor ;-)
This patch has been included in the (open)SUSE kernel for years for
historical reasons (and also in the Ubuntu kernel because most upstream
developers work for Canonical).

The Ubuntu kernel has some more AppArmor features (dbus, ptrace, signal,
mount rules) which will go upstream in one of the next kernel releases.
(I don't know in which version exactly.)

By the way, does SUSE have user-supplied statistics, maybe for
enterprise products, about hacked servers? It would be interesting
to see which security holes real-life hackers mostly use to break
into systems. Well, as far as customers are willing to give such
data back to the distributor....

None of our customers do report this back to us as far as I am aware.

If you ask me to guess, most intrusions come from unsafe third party
apps, exploits of unpatched systems or trivial passwords. :/

My experience from maintaining some web and mail servers shows exactly
two typical reasons:
- outdated CMS with known security issues because customers don't want
to update for various reasons [1]. Also known as ETOLDYOUSO ;-)
On the positive side, I now have some nice PHP shells ;-) -
unfortunately not trustworthy because of where the code comes from.
Funnily, most attackers have those shells password-protected to make
sure nobody else can use them ("hey, _I_ hacked this website!")
- stolen mail passwords abused to send spam (I doubt this is caused by
cracked trivial passwords - my guess is that windows trojans send the
mail password to their master together with the addressbook)

IIRC I never had successful attacks on something installed from the
distribution (kernel, apache, PHP etc.) even after a release went EOL
(again, see [1]). I'm not really surprised about that - why should
someone waste time on a kernel hack if the CMS has the front door wide
open? ;-)

Please don't misread this as "you never need to patch the OS" - I'm just
saying that other attacks are more common IMHO.

Oh, and make sure to enforce key-only SSH logins. The number of login
attempts with guessed passwords and usernames is insane.


Christian Boltz

PS: If stolen mail passwords get abused, I have a nice cure - I change
the password of that account instantly (of course) and replace it
with a more secure password, for example
nN2Z59EA/sbE2Cp+cRpt196J/3Iq1pwq/3KGDCWk [2]
People *love* to hear their new password on the phone *eg*

[1] time, money, customer-specific code that is incompatible with the
new version etc. - or a wild mix of these reasons

[2] having a little script to generate secure random passwords helps a
lot, and no, I didn't use the above example password anywhere ;-)
If it isn't broken, don't fix it.
[Winston Graeme in opensuse]

