On Fri, 24 Oct 2003 10:50, Bernd Eckenfels wrote:
> In article <[EMAIL PROTECTED]> you wrote:
> > I discovered I could 'su -' to root in the excluded ttys. Do you think
> > this is normal behaviour or does my system need re-configuration ?
>
> This is the intended normal behaviour. Idea behind it
On Sat, 25 Oct 2003 02:40, Joe Moore wrote:
> >> So there was a bug in the PAM code so that it ignored an invalid
> >> /etc/passwd field. Why would the next bug not ignore some other
> >> /etc/passwd field (like the user's chosen shell)?
> >
> > You are correct, the next time a problem is discover
On Sat, 25 Oct 2003 02:46, Joe Moore wrote:
> > To create a file in /bin you need root access. Therefore to create
> > /bin/.rhosts you need more access than such a file will grant. There
> > is no point in such an attack. Why would someone create /bin/.rhosts
> > when they can create /root/.r
On Tue, 28 Oct 2003 18:12, Tom Goulet (UID0) wrote:
> I'm curious what a malicious user could do with access to the
> framebuffer device via the device file. Could a malicious
> user see anything other than what's on his or her virtual console or X
> session?
A malicious user who logs in via ssh
On Tue, 25 Nov 2003 19:51, Chema <[EMAIL PROTECTED]> wrote:
> Making /usr read-only is not for that kind of security. It will keep your
> data safe from corruption (soft one, anyway: a disk crash will take
> anything with it ;-). Besides, you can get a better performance formatting
> it with ext2,
On Wed, 26 Nov 2003 07:45, Chema <[EMAIL PROTECTED]> wrote:
> RC> Why would you get better performance? If you mount noatime then
> RC> there's no writes to a file system that is accessed in a read-only
> RC> fashion and there should not be any performance issue.
>
> Hum, ¿are you talking only abo
On Thu, 27 Nov 2003 04:51, Matt Zimmerman <[EMAIL PROTECTED]> wrote:
> Big money does not imply big security. Large corporations with lots of
> money to spend on security are compromised all the time. Obviously, they
> aren't as forthcoming about it as Debian due to monetary concerns, but even
>
On Wed, 26 Nov 2003 14:24, Bernd Eckenfels
<[EMAIL PROTECTED]> wrote:
> > I am talking about any file system. When only reading from a file system
> > there should not be any performance difference when comparing a RO mount
> > vs a NOATIME mount. If there is a difference then it's a bug in the
hat can
be found on http://www.coker.com.au/uml/ .
Feel free to ask me if you have any queries about how to do this properly.
Russell Coker
[EMAIL PROTECTED]
On Sat, 29 Nov 2003 05:10, "Martin G.H. Minkler" <[EMAIL PROTECTED]> wrote:
> A little OT, but http://www.adamantix.org 's distro provides everything
> and more SELinux has to offer while IMHO being a little easier to handle.
Adamantix is not Debian. The people subscribed to this list are here fo
On Sat, 29 Nov 2003 11:46, Forrest L Norvell <[EMAIL PROTECTED]> wrote:
> > > un libselinux-dev(no description
> > > available) ii libselinux1 1.2-1.1 SELinux
> > > shared libraries un libselinux1-dev (no
> > > description ava
On Sat, 29 Nov 2003 20:05, Martin Pitt <[EMAIL PROTECTED]> wrote:
> > Conflicts with almost every other kernel patch, including the patches in
> > the default kernel source. No-one has the skill and interest necessary
> > to make it work with a default Debian kernel.
>
> It may be the hardest thin
On Sun, 30 Nov 2003 14:53, Colin Walters <[EMAIL PROTECTED]> wrote:
> On Sat, 2003-11-29 at 22:47, David Spreen wrote:
> > of their programs. the system could use a db of installed-package
> > resources. Therefore we would need to create a common language that
> > could be translated to any acl-for
On Sun, 30 Nov 2003 15:32, Colin Walters <[EMAIL PROTECTED]> wrote:
> However, this is not such a bad idea, if you don't try to be too formal
> about it. If maintainers shipped English descriptions (say,
> README.Security) of what the security implications of their programs
> were, it could be ver
On Sun, 30 Nov 2003 22:33, Martin Pitt <[EMAIL PROTECTED]> wrote:
> On 2003-11-29 21:08 +1100, Russell Coker wrote:
> > It's not a question of how difficult it is to get the grsec patch to
> > apply and work correctly on a Debian kernel. It's a question of whether
On Mon, 1 Dec 2003 04:27, Andreas Barth <[EMAIL PROTECTED]> wrote:
> Is it possible for me as a package maintainer to specify the needed
> rights for "my" programs in a way that as many systems as possible
> can use these without the need for a sysadmin to change anything? Or
> would each LSM-bas
On Mon, 1 Dec 2003 05:10, "Milan P. Stanic" <[EMAIL PROTECTED]> wrote:
> On Sun, Nov 30, 2003 at 11:24:43PM +1100, Russell Coker wrote:
> > It's a pity that the developers of other security systems didn't get
> > involved, it would be good to have a choice
On Mon, 1 Dec 2003 07:43, Andreas Barth <[EMAIL PROTECTED]> wrote:
> > There will be support in RPM for packages that contain SE Linux policy.
> > For Debian such support will come later (if at all) as the plan is to
> > centrally manage all policy for free software, and it's not difficult to
> >
On Mon, 1 Dec 2003 07:46, Andreas Barth <[EMAIL PROTECTED]> wrote:
> * Russell Coker ([EMAIL PROTECTED]) [031130 21:40]:
> > On Mon, 1 Dec 2003 05:10, "Milan P. Stanic" <[EMAIL PROTECTED]> wrote:
> > > On Sun, Nov 30, 2003 at 11:24:43PM +1100, Russell C
On Tue, 2 Dec 2003 08:48, Andreas Barth <[EMAIL PROTECTED]> wrote:
> * Russell Coker ([EMAIL PROTECTED]) [031201 05:10]:
> > On Mon, 1 Dec 2003 07:43, Andreas Barth <[EMAIL PROTECTED]> wrote:
> > > What about the gettys? I'm asking this because I wrote the init
On Tue, 2 Dec 2003 18:32, Peter Palfrader <[EMAIL PROTECTED]> wrote:
> > There is currently no uucp policy (it seems that no SE Linux users are
> > using it).
>
> I have one, but it does only allow what I need for uucp, which is
> certainly just a small subset of possible uucp uses.
I've attached
On Wed, 3 Dec 2003 00:56, Peter Palfrader <[EMAIL PROTECTED]> wrote:
> > I've attached a modified version, please check it out. I've changed some
> > of the things to do it in the recommended manner (eg the
> > system_crond_entry() macro), and removed some things.
> >
> > The part for running ssh
On Mon, 8 Dec 2003 19:16, "Domonkos Czinke" <[EMAIL PROTECTED]>
wrote:
> I recommend using the chattr program. You should set them immutable
> chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow. Man chattr.
In a stock Linux kernel the permissions required to "chattr -i" a file are
exactly
On Fri, 19 Dec 2003 08:02, martin f krafft <[EMAIL PROTECTED]> wrote:
> I would be very interested, Russell, to hear your opinion about the
> claim that the LSM hooks are dangerous in terms of root kit
> exploits. Do you agree? If not, then please tell us what LSM
> precautions take care to prevent
On Fri, 19 Dec 2003 20:18, Henrique de Moraes Holschuh <[EMAIL PROTECTED]> wrote:
> On Fri, 19 Dec 2003, Russell Coker wrote:
> > In terms of LSM protection against this, if you use SE Linux then all
> > aspects of file access and module loading are controlled by the polic
On Mon, 22 Dec 2003 19:45, Marcel Weber <[EMAIL PROTECTED]> wrote:
> s. keeling wrote:
> > gpg: Signature made Sun Dec 21 17:14:28 2003 MST using DSA key ID
> > 946886AE gpg: Good signature from "Trey Sizemore <[EMAIL PROTECTED]>"
> > gpg: WARNING: This key is not certified with a trusted signature
On Mon, 22 Dec 2003 20:02, Marcel Weber <[EMAIL PROTECTED]> wrote:
> Russell Coker wrote:
> > Signing a key you don't know is not a good idea, it's easy to
> > accidentally upload a key...
> >
> > There is a gpg option "lsign" which can be us
This discussion has some minor relevance to debian-isp, but nothing to do with
debian-security. Let's move the discussion to debian-isp.
On Wed, 24 Dec 2003 00:25, Dale Amon <[EMAIL PROTECTED]> wrote:
> I've been noticing loads of mails like this lately:
>
> emery atrocious larval drippy elate
On Sun, 4 Jan 2004 07:53, martin f krafft <[EMAIL PROTECTED]> wrote:
> also sprach Russell Coker <[EMAIL PROTECTED]> [2003.12.19.0229 +0100]:
> > In terms of LSM protection against this, if you use SE Linux then
> > all aspects of file access and module loading are contr
On Wed, 21 Jan 2004 11:28, Markus Schabel <[EMAIL PROTECTED]> wrote:
> hello folks!
>
> can you tell me what the following means in an apache error.log and
> where it comes from? I've searched through all other apache log files
> but didn't find something that could generate this.
> (sure, the serv
On Sun, 25 Jan 2004 20:49, "Raffaele D'Elia" <[EMAIL PROTECTED]>
wrote:
> checks for new mail in a mailbox via pop3;
If you use IMAP it should be possible for you to ask the server to notify you
when new mail is received. This should give you a faster response if the
server correctly implements
On Sun, 15 Feb 2004 05:31, Wade Richards <[EMAIL PROTECTED]> wrote:
> Every once in a while I get a bunch of errors because some process tried
> to access my CDROM, triggering automount when there's no disk in the
> drive.
SE Linux can audit all interesting actions, exec, read, write, create,
sig
On Wed, 18 Feb 2004 23:30, Kristopher Matthews <[EMAIL PROTECTED]> wrote:
> > This is a security nightmare. I would *not* recommend doing any such
> > thing in a user filesystem.
>
> You're making the assumption that he LIKES his users. :)
It's not a matter of whether the admin likes his users, it
On Wed, 18 Feb 2004 23:59, Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>
wrote:
> On Wed, Feb 18, 2004 at 11:05:30AM +0100, Richard Atterer wrote:
> > Waah, SCARY!
> >
> > Users can create hard links to arbitrary files in that directory, e.g.
> > links to other users' private files or to
On Thu, 19 Feb 2004 00:23, Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>
wrote:
> On Wed, Feb 18, 2004 at 11:50:27PM +1100, Russell Coker wrote:
> > If you are going to change such things then you need to use the -uid or
> > -gid options to find (depending on whether you
On Thu, 19 Feb 2004 09:12, Michael Stone <[EMAIL PROTECTED]> wrote:
> On Wed, Feb 18, 2004 at 11:50:27PM +1100, Russell Coker wrote:
> >The other way of doing it properly is to write a program that opens each
> >file, calls fstat() to check the UID/GID, then uses fchow
On Wed, 10 Mar 2004 08:58, "Milan P. Stanic" <[EMAIL PROTECTED]> wrote:
> [ Sorry, I'm not sure if this list is right place to ask this, but
> I can't remember better one ]
The NSA mailing list is another option, but this one is OK.
> I'm trying to backport SELinux tools and libraries from unst
On Wed, 10 Mar 2004 21:26, "Milan P. Stanic" <[EMAIL PROTECTED]> wrote:
> > There have been some changes to the way libxattr works. From memory I
> > think that you needed an extra -l option on the link command line when
> > compiling with old libc6. I can't remember whether it was linking the
>
On Thu, 11 Mar 2004 08:22, "Milan P. Stanic" <[EMAIL PROTECTED]> wrote:
> On Wed, Mar 10, 2004 at 01:29:16PM +0100, Milan P. Stanic wrote:
> > That is. I just rebuilt policycoreutils and pam with libselinux1
> > which is linked with libattr and it was smooth.
> > Now I have to backport coreutils an
On Thu, 11 Mar 2004 20:40, "Milan P. Stanic" <[EMAIL PROTECTED]> wrote:
> On Thu, Mar 11, 2004 at 09:02:50AM +1100, Russell Coker wrote:
> > > If someone needs them I can put it on the net or post somewhere, or
> > > maybe help if the help is needed.
On Thu, 11 Mar 2004 22:14, "Milan P. Stanic" <[EMAIL PROTECTED]> wrote:
> On Thu, Mar 11, 2004 at 09:42:52PM +1100, Russell Coker wrote:
> > If you copy all files related to a package intact then you don't have to
> > make such changes.
> >
> > I
On Fri, 12 Mar 2004 06:25, Norbert Tretkowski <[EMAIL PROTECTED]> wrote:
> * Milan P. Stanic wrote:
> > Can I put in version something like libselinux1_1.6-0.1-bp.mps_i386.deb
> > instead of libselinux1_1.6-0.1_i386.deb?
>
> Well, if 1.6-0.1 will be in our next stable release, your backport
> will
On Sat, 20 Mar 2004 05:14, Phillip Hofmeister <[EMAIL PROTECTED]> wrote:
> On another note, The GRSecurity/SELinux patches mitigate a lot of kernel
> vulnerabilities and userland vulnerabilities. If you are running your
> own kernel you may wish to look at them.
Nothing protects you against kerne
On Tue, 23 Mar 2004 08:19, Florian Weimer <[EMAIL PROTECTED]> wrote:
> No, it's another example for a package which heavily deviates from
> upstream (AFAIK, upstream is defunct) and is now developed by the
> GNU/Linux distributions (and each variant has slightly different
> features). Despite th
On Wed, 24 Mar 2004 22:22, Michael Stone <[EMAIL PROTECTED]> wrote:
> The best you could do would be to attach different certificates to
> different ports, but that would be extremely cumbersome and probably
> would lead to confusion.
What if you had http://www.company1.com/ redirect to
https://w
On Thu, 1 Apr 2004 17:59, [EMAIL PROTECTED] (Michael Becker) wrote:
> If you just want a kernel, with almost everything in there belonging
> to security, have a look at WOLK (Working OverLoaded Kernel)
> at http://sourceforge.net/projects/wolk
It appears that WOLK is not in Debian. I would guess
On Sat, 10 Apr 2004 04:22, [EMAIL PROTECTED] wrote:
> Is there anything ordinary that can cause passwords to be changed? I tried
> to log in last night and sshd wouldn't accept either my user's password or
> my root password. When I got physical access this morning, I couldn't log
> into the consol
On Mon, 12 Apr 2004 10:00, Joe Bouchard <[EMAIL PROTECTED]> wrote:
> In a meeting at work (I'm part of the IT group at a large corporation)
> someone mentioned a particular kind of network hardware which would stop
> working correctly after a while.
Here are some ways that network issues can slow
On Thu, 15 Apr 2004 02:01, Jeff Coppock <[EMAIL PROTECTED]> wrote:
> I'm having trouble with getting entries here to work. I have the
> following /var/log/auth.log messages that I want to filter out of
> logcheck (version 1.2.16, sarge):
>
> CRON[15302]: (pam_unix) session opened for user root by
On Tue, 20 Apr 2004 07:50, Jan Minar <[EMAIL PROTECTED]> wrote:
> It seems like they should be 660, not 600, as I suggested (wall(1) and
> talkd(1) would break otherwise, probably).
What prevents wall from sending those escape sequences?
--
http://www.coker.com.au/selinux/ My NSA Security Enha
On Sat, 5 Jun 2004 08:52, Michael Stone <[EMAIL PROTECTED]> wrote:
> >So, adding handling for SPF RRs in one's MTA yields significant
> >advantages today, despite the technology being new, because _all_ of the
> >forgemail claiming to be from aol.com, msn.com, hotmail.com, pobox.com,
> >etc. can be
On Thu, 10 Jun 2004 18:21, Jaroslaw Tabor <[EMAIL PROTECTED]> wrote:
> We are allowing all emails from whitelist.
Who is "we" in this context? Individual users or mailing list administrators?
> For unknown sender, automated confirmation request is sent. If
For mailing lists this can be achieved
On Fri, 11 Jun 2004 06:03, Alain Tesio <[EMAIL PROTECTED]> wrote:
> On Thu, 10 Jun 2004 18:58:33 +1000
>
> Russell Coker <[EMAIL PROTECTED]> wrote:
> > For mailing lists this can be achieved by making the list
> > subscriber-only. For individual accounts such beh
On Fri, 11 Jun 2004 19:29, Dale Amon <[EMAIL PROTECTED]> wrote:
> On Fri, Jun 11, 2004 at 10:45:44AM +1000, Russell Coker wrote:
> > It is anti-social for every idiot on the net to think that they are
> > important enough to require a subscription from everyone who wants t
On Fri, 11 Jun 2004 21:38, Dale Amon <[EMAIL PROTECTED]> wrote:
> That said, those who can afford it will hire human
> operators to act as email gatekeepers; those who can't
> will use whatever a salesman can convince them is
> affordable and works. Whether we like it or not will
> not figure into
On Fri, 11 Jun 2004 22:34, Patrick Maheral <[EMAIL PROTECTED]> wrote:
> It seems that most people here don't like CR systems, and I'd have to
> agree with that consensus.
>
> I'm just wondering what is the general feeling about using hashcash and
> other header signatures systems.
Currently you ca
On Fri, 11 Jun 2004 23:43, [EMAIL PROTECTED] (Rens Houben) wrote:
> In other news for Fri, Jun 11, 2004 at 11:24:05PM +1000, Russell Coker has been seen typing:
> > Besides, with an army of Windows Zombies you could generate those
> > signatures anyway...
>
> Why both
On Sat, 12 Jun 2004 04:22, "s. keeling" <[EMAIL PROTECTED]> wrote:
> Incoming from Rick Moen:
> > Quoting Russell Coker ([EMAIL PROTECTED]):
> > > Some of the anti-spam people are very enthusiastic about their work. I
> > > wouldn't be surprised
On Mon, 14 Jun 2004 16:39, Adrian 'Dagurashibanipal' von Bidder
<[EMAIL PROTECTED]> wrote:
> Also you may want to look at the rfc-ignorant.org ones, but reading
> nanae I got the impression that they are more trouble than they're
> worth.
This thread inspired me to fiddle with my anti-spam settin
On Tue, 15 Jun 2004 04:56, andrew lattis <[EMAIL PROTECTED]> wrote:
> currently i've got an ever growing password list in a plain text file
> stored on an encrypted loopback fs, this is getting cumbersome...
>
> figaro's password manager (package fpm) looks nice and uses blowfish to
> encrypt data
On Tue, 15 Jun 2004 17:24, Rudy Gevaert <[EMAIL PROTECTED]> wrote:
> Would it be possible to run that program through e.g. perl/php/... ?
>
> A user could ftp the executable and write a php script that executes it.
Does PHP allow executing arbitrary binaries?
If the user can install CGI-BIN scripts t
On Tue, 15 Jun 2004 18:46, Alberto Gonzalez Iniesta <[EMAIL PROTECTED]> wrote:
> Some of the applications I run use kwallet, that seems similar to what
> Russell Coker described for OS X.
No. kwallet can be ptraced, this allows a hostile program to get access to
all its data with ease.
Of cou
On Sat, 3 Jul 2004 10:28, LOGAN Jim <[EMAIL PROTECTED]> wrote:
> WHO R U FUCKIN' BASTARD ?
> I HATE THE BLOODY MOTHER FUCKERS LIKE U !
> I DON' T LIKE YOUR DAMN' VIRUS , SON OF A BITCH ! ...I' LL GET
> YOUR BLOODY SKIN ! WOLVERINE
Does your mother know you talk like that?
The debi
On Sun, 25 Jul 2004 02:43, hanasaki <[EMAIL PROTECTED]> wrote:
> The idea is to run bind, http and other servers in a jail. I am just
> getting started and know little about it, for now. I was hoping that
> there were Debian packages that already provided the jail(s) to run
> these services in.
On Mon, 26 Jul 2004 02:57, John Richard Moser <[EMAIL PROTECTED]> wrote:
> I'm interested in discussing the viability of PaX on Debian. I'd like
> to discuss the changes to the base system that would be made, the costs
> in terms of overhead and compatibility, the gains in terms of security,
> and
On Mon, 26 Jul 2004 07:06, "Milan P. Stanic" <[EMAIL PROTECTED]> wrote:
> On Sun, Jul 25, 2004 at 11:02:54AM +1000, Russell Coker wrote:
> > On Sun, 25 Jul 2004 02:43, hanasaki <[EMAIL PROTECTED]> wrote:
> > > The idea is to run bind, http and other ser
On Mon, 26 Jul 2004 13:48, John Richard Moser <[EMAIL PROTECTED]> wrote:
> | Before we can even start thinking about PaX on Debian we need to find a
> | maintainer for the kernel patch who will package new versions of the
> | patch which apply to the Debian kernel source tree. We have had a few
>
The start scripts for some daemons do "su - user" or use
"start-stop-daemon -c" to launch the daemon, postgresql is one example.
During the time between the daemon launch and it closing its file handles and
calling setsid(2) (which some daemons don't do because they are buggy) any
other code ru
On Mon, 26 Jul 2004 22:43, "Milan P. Stanic" <[EMAIL PROTECTED]> wrote:
> > If so when will the patch be submitted to Linus?
>
> Who knows? These days patches don't get accepted so easily :-(
The SE Linux patches get accepted easily enough. Most of the 2.6.x kernels
have had SE Linux changes in
On Mon, 26 Jul 2004 22:54, [EMAIL PROTECTED] wrote:
> I have a machine that has been the unfortunate victim of SuckIT
> r00tkit. As this exploit relies on writing to /dev/kmem, I was thinking
> of making /dev/mem and /dev/kmem unwriteable. I have heard this breaks X
> and some gdb functions, but d
On Mon, 26 Jul 2004 23:38, [EMAIL PROTECTED] wrote:
> > > I have a machine that has been the unfortunate victim of SuckIT
> > > r00tkit. As this exploit relies on writing to /dev/kmem, I was thinking
> > > of making /dev/mem and /dev/kmem unwriteable. I have heard this breaks
> > > X and some gdb
On Tue, 27 Jul 2004 00:23, Michael Stone <[EMAIL PROTECTED]> wrote:
> On Mon, Jul 26, 2004 at 11:38:33PM +1000, [EMAIL PROTECTED] wrote:
> >/dev/kmem unusable. That, he says, will break lilo (I can't use GRUB as
> >it doesn't support booting off RAID devices properly)
>
> Hmm. Seems to work here.
On Tue, 27 Jul 2004 07:48, Andrew Pimlott <[EMAIL PROTECTED]> wrote:
> > During the time between the daemon launch and it closing its file
> > handles and calling setsid(2) (which some daemons don't do because they
> > are buggy) any other code running in the same UID could take over the
> > proce
On Mon, 23 Aug 2004 09:34, Geoff <[EMAIL PROTECTED]> wrote:
> There is an elaborate system to maintain quality in new Debian
> developers (which seems like a good idea to me). Why not have some sort
> of system for ensuring the quality in continuing DD?
> If a DD didn't meet the criteria they would
On Mon, 23 Aug 2004 13:07, Thomas Bushnell BSG <[EMAIL PROTECTED]> wrote:
> Russell Coker <[EMAIL PROTECTED]> writes:
> > Removing developers who don't meet certain criteria (EG no package
> > uploads for 6 months) from active status makes a lot of sense.
On Mon, 23 Aug 2004 14:46, Bron Gondwana <[EMAIL PROTECTED]> wrote:
> > Removing developers who don't meet certain criteria (EG no package
> > uploads for 6 months) from active status makes a lot of sense. Anyone
> > care to propose a GR?
>
> This doesn't work. The problem is basically:
>
> a) wh
On Mon, 23 Aug 2004 13:30, Thomas Bushnell BSG <[EMAIL PROTECTED]> wrote:
> Russell Coker <[EMAIL PROTECTED]> writes:
> > Removing from active status seems appropriate to me.
>
> But that's a totally different subject. If you want to remove Debian
> developers f
On Mon, 20 Sep 2004 06:15, martin f krafft <[EMAIL PROTECTED]> wrote:
> I want to add another point to this discussion. While we cannot
> prevent malicious maintainers from installing to the archives or
> poisoning the buildds, requiring all binaries to be remade on the
> buildds would rule out the
On Sun, 26 Sep 2004 07:22, Lorenzo Hernandez Garcia-Hierro <[EMAIL PROTECTED]>
wrote:
> - openssh (i'm working on the patches that bring SecurID Token use
> features, and others from independent hackers)
Most of the features you list are things that are difficult to get into
Debian/main. But to
On Mon, 27 Sep 2004 00:39, Lorenzo Hernandez Garcia-Hierro <[EMAIL PROTECTED]>
wrote:
> > Most of the features you list are things that are difficult to get into
> > Debian/main.
>
> Not too really difficult, it depends on how it gets developed:
> http://www.debian-hardened.org/wiki/index.php/CVS_
On Mon, 18 Oct 2004 07:08, Rick Moen <[EMAIL PROTECTED]> wrote:
> Quoting Jason Lunz ([EMAIL PROTECTED]):
> > The entire neighbor cache was completely rewritten recently, and I
> > believe it was prompted by exactly this sort of situation.
>
> Just wanted to mention: That "neighbour table overflow"
On Sun, 24 Oct 2004 19:24, Jan Lühr <[EMAIL PROTECTED]> wrote:
> > Yes, and that is one of the core points in my suggestion that you look
> > at SELinux or a similar mandatory access control based security module.
>
> SELinux is overkill in some ways. A system administrator, not being able to
> hand
On Monday 24 January 2005 19:10, "Markus Schabel" <[EMAIL PROTECTED]>
wrote:
> I've set up a server with selinux enabled, using the packages from Russell
> Coker (http://www.coker.com.au/selinux/) but they are a bit outdated, at
> least there are more current packages in debian/testing available
> (
On Monday 07 February 2005 14:43, Alvin Oga <[EMAIL PROTECTED]>
wrote:
> > No, you make an image, reinstall, and if you have time (ie. you normally
> > dont) then you can start the forensics.
>
> yes about making an image ... i assume you mean
> - take the box down,
> - i hate taking the box d
On Sunday 16 January 2005 13:04, hanasaki <[EMAIL PROTECTED]> wrote:
> so what do you recommend for security?
>
> also what about rsbac? where does this fit in?
RSBAC is not based on the LSM interface so it won't go into the standard
kernel.org kernel tree. It's a patch that has to be applied t
On Sunday 16 January 2005 13:26, Alvin Oga <[EMAIL PROTECTED]>
wrote:
> suse ( sorry), seems to ship with SELinux enabled... and sometimes causes
> problems that i have to go in and turn it all off ( good again ? )
> - i haven't figured which SELinux options work and which don't
Best to join #se
On Wednesday 27 April 2005 21:16, Marcell Metzner <[EMAIL PROTECTED]>
wrote:
> I have seen this using SE Linux or RSBAC.
> These 2 are the best I have seen till now.
One limitation of SE Linux in this regard is due to the design of the LSM
interface.
The LSM interface does not get called until a
On Tuesday 25 November 2008 16:53, Rolf Kutz <[EMAIL PROTECTED]> wrote:
> >Whenever you are able to read a file, it has to exist in unencrypted
> >form. Let's say you have an editor or viewer that has built-in
> >decryption. It will read the encrypted file, and decrypt it. to be able
> >to work o
On Tuesday 25 November 2008 22:29, "Aneurin Price" <[EMAIL PROTECTED]>
wrote:
> Based on my experience, I would not personally recommend XFS to anyone who
> cannot guarantee that their system will absolutely never crash or suffer
> power failure. XFS's failure modes seem pretty disastrous. Then ag
On Monday 01 December 2008 22:45, "Chip Panarchy" <[EMAIL PROTECTED]>
wrote:
> My distribution has been specialised to suit the requirements of your
> everyday (and not so everyday!) pen-tester and white/grey hat hackers.
>
> My sobriquet for this distribution is: HackBuntu.
Why not just have a
On Sunday 07 December 2008 16:11, "Reed Young" <[EMAIL PROTECTED]> wrote:
> For any set of packages one finds so useful that they're like their own
> distribution, I think the labor would be better spent -- more useful to the
> community I mean, maybe not as fun for you -- in extending / improving
On Monday 08 December 2008 21:40, Tom Allison <[EMAIL PROTECTED]> wrote:
> Is there some means by which you can build a super set of packages as a
> package? I think there is, but I'm not sure how it works.
>
> The idea would be to select a "Package" which would then select a large
> list of packa
Every message that you send to supp...@mitacs.com will be resent to
debian-security. Every message you send to postmaster or abuse will be ignored.
Please everyone, configure your mail servers to block all mail from
85.125.218.18 and all mail with @mitacs.com in the From: field.
If you really
On Sat, 29 Jan 2011, Simon Brandmair wrote:
> I just started looking into SELinux. I am wondering if there is a way to
> have wildcards in avc rules like:
> auditallow source_t target_t : * * ;
> which audits all access from source_t to target_t.
>
> Or do I have to add all classes objects to the
On Wed, 16 Nov 2011, Ritesh Raj Sarraf wrote:
> On 11/16/2011 11:15 AM, Mike Christie wrote:
> > Hey Ritesh,
> >
> > Does Debian have some sort of security list? I asked some red hat people
> > and they thought removing the check for "root" and just checking for
> > UID=0 would be ok. They were n
On Fri, 30 Dec 2011, Taz wrote:
> Hello, we've got various debian servers, about 15, with different
> versions. All of them have been attacked today and granted root
> access.
> Can anybody help? We can give ssh access to attacked machine, it seems
> to be a serious ssh vulnerability.
http://blog.s
On Fri, 30 Dec 2011, Laurentiu Pancescu wrote:
> I would like to harden a web server setup using SELinux. How good is the
> support for SELinux on Squeeze? Are the instructions on the Debian Wiki
> [1] up to date for Squeeze? I tried this last time on Lenny, and DHCP
> couldn't work back then due
On Sat, 31 Dec 2011, Laurentiu Pancescu wrote:
> is there any difference between i386 and amd64 as to how much protection
> SELinux is able to provide? Earlier, stuff like NX was only available on
> 64-bit processors; are there still such differences?
There has never been any difference in SE Lin
On Fri, 30 Dec 2011, Taz wrote:
> of course, i've double changed all password and regenerated ssh keys.
Are the SSH and PAM settings doing what you think? I suggest carefully
examining the contents of /etc to see what has been changed from the default.
A new sshd vulnerability that allows remo
On Sat, 31 Dec 2011, Holger Levsen wrote:
> On Freitag, 30. Dezember 2011, Russell Coker wrote:
> > I can't imagine what the benefit would be in using "official" packages
> > that I created and uploaded to Debian over using "unofficial" packages
> >