On Wed, Dec 05, 2001 at 08:43:01 +1000, [EMAIL PROTECTED] wrote:
> I am just a little confused now on the libsafe / openwall / dietlibc
> stuff. Is it recommended to do all 3?

don't install stuff if you don't understand what it does. go step by step and understand what these do. libsafe is a preloader lib and can be deactivated fast and painlessly, e.g. if something doesn't work. openwall is a kernel patch for proactive security in the kernel. dietlibc is a glibc replacement, not yet stable for production use.

> From what I can see, there doesn't seem to be an openwall patch yet
> for 2.4 kernels and dietlibc seems to be providing a cut-down libc to
> create smaller binaries by statically linking etc.

openwall isn't yet available for 2.4. last time i checked, the non-exec-stack patch was obviously not so easy to port to 2.4. on the lids homepage is a link for a LIDS, openwall, stealth and kerneli patch that's integrated into one. i use this one on 2.2. dietlibc turns insecure functions like gets() into something more secure (which is by design not so easy), but it could break things.

> I was just going to install libsafe and LIDS. Are you recommending
> more?

i could recommend you host based, network based intrusion detection systems, proactively deactivating security risks, hardening scripts, conceptual planning, automatic upgrading and on and on... there are a lot of scripts, patches and programs to make things more secure. the only thing i recommend is to read a lot of background stuff, stay up-to-date and test things out.

> When you mentioned that you were going to set up a computer with LIDS
> and hand-out root passwords to everybody for a challenge to try and
> crack it; What will you have installed on this computer? Will it be
> LIDS and libsafe for the protection or more?

LIDS will protect my kernel from root. libsafe does protect normal user daemons from root. from this point, i don't need libsafe. basically, it will be a minimum debian with full root access for everybody. i'll protect the basic things, but the system will run from an encrypted loopback image, so i can reset the whole machine in seconds.