On Wed, November 26, 2008 03:02, 7v5w7go9ub0o wrote:
> I run the "old" hardened toolchain, grsecurity-enhanced hardened kernel,
> rbac control, and jails for anything that accesses the LAN/WAN.(heh... I
> even chroot and kill dhcpcd after 5 seconds). Avira has hundreds of
> Linux rootkit signatures
Hi!
On Tue, Nov 25, 2008 at 09:02:58PM -0500, 7v5w7go9ub0o wrote:
> I run the "old" hardened toolchain, grsecurity-enhanced hardened kernel,
> rbac control, and jails for anything that accesses the LAN/WAN.(heh... I
> even chroot and kill dhcpcd after 5 seconds). Avira has hundreds of Linux
> roo
Jan Klod wrote:
Suppose, I want to take some extra precautions and set up PaX&co and MAC on a
workstation with Xorg and other nice KDE apps (only some of which should be
granted access to files in folder X). I would like to read others opinion, if
I can get considerable security improvements or
Why are the bit root-suid applications a risk in the point of view of security?
The X server is a root-setuid binary that can't be assured from the
point of view of posix capabilities for example, the reason is clear
one process that has only CAP_SYS_RAWIO capability could make raw
writing in /dev/
On Tue, Nov 25, 2008 at 14:58, Jan Klod <[EMAIL PROTECTED]> wrote:
> Actually, that sounds like there is practically no way to keep networked
> workstation really secure.
That's kind of outside the realm of this discussion. The difference
between the attack surface of a network interface versus th
Dear Jan,
On Tue, November 25, 2008 22:58, Jan Klod wrote:
> As a conclusion of what I have read this far I can state: hardened OS is
> useless for non-server. Would that be too much? Well, I think, in a "black
IMHO: not useless. Perfect security is non-existent. But there can be some
systems tha
On Tuesday 25 November 2008 19:58:42 RB wrote:
> KDE (and to a lesser extent X) pretty much nullifies most application
> isolation efforts you're going to make.
Actually, that sounds like there is practically no way to keep networked
workstation really secure. Sure, it is not trivial to gain root acc
On Tue, Nov 25, 2008 at 14:12, Jan Klod <[EMAIL PROTECTED]> wrote:
> On Tuesday 25 November 2008 19:58:42 RB wrote:
>> KDE (and to a lesser extent X) pretty much nullifies most application
>> isolation efforts you're going to make.
>
> Well, then I would like to ask your opinion about other availab
On Tuesday 25 November 2008 20:36:22 Javier Martínez wrote:
> to make a
> keylogger in x-window is easy if there is possibility to connect
> untrusted clients to it.
Please, I would like to see some more explanation about it! What do you mean
by it?
On Tuesday 25 November 2008 19:58:42 RB wrote:
> KDE (and to a lesser extent X) pretty much nullifies most application
> isolation efforts you're going to make.
Well, then I would like to ask your opinion about other available window
managers. Any better solutions in a direction "stupid and safe"
Hi!
On Tue, Nov 25, 2008 at 09:51:09PM +0100, Javier Martínez wrote:
> Benchmarks are very relative, one RSBAC system logging all
> READ/READ_OPEN requests made (granted or not) is something like a
> turtle. They depend how did you configure your system.
Yeah, that's true, I forget about RSBAC-li
Benchmarks are very relative, one RSBAC system logging all
READ/READ_OPEN requests made (granted or not) is something like a
turtle. They depend how did you configure your system.
> Also there is another question: has anyone made some benchmarks to see how
> much raw computing power (CPU+RAM acces
RSBAC permits network access control. Maybe you could do what you are
looking for with the RC model
2008/11/25 <[EMAIL PROTECTED]>:
> On Tue, Nov 25, 2008 at 05:13:03PM +0200, Jan Klod wrote:
>> Is there some known good way to make an effective whitelist of applications,
>> which are granted netw
Hi!
On Tue, Nov 25, 2008 at 06:39:26PM +0200, Jan Klod wrote:
> Could you post a list of apps, that need PaX lifted?
Most of this already done by portage when emerging apps, so you rarely
need to do this manually. Few examples come in my mind is operawrapper for
running complex Flash/Flex applica
He always could keep running X-window and his window manager (both) in
a chrooted environment, he just protect extremely /dev/mem. Maybe he
would not need /proc filesystem. If security is important why don't
keep running the Xserver isolated (in a virtualbox for example and
hardened with rsbac) and
On Tue, Nov 25, 2008 at 08:00, Jan Klod <[EMAIL PROTECTED]> wrote:
> Suppose, I want to take some extra precautions and set up PaX&co and MAC on a
> workstation with Xorg and other nice KDE apps (only some of which should be
> granted access to files in folder X). I would like to read others opinio
On Tuesday 25 November 2008 17:56:41 Alex Efros wrote:
> Hi!
>
> On Tue, Nov 25, 2008 at 05:00:45PM +0200, Jan Klod wrote:
> > Suppose, I want to take some extra precautions and set up PaX&co and MAC
> > on a workstation with Xorg and other nice KDE apps (only some of which
> > should be granted ac
On Tue, Nov 25, 2008 at 05:13:03PM +0200, Jan Klod wrote:
> Is there some known good way to make an effective whitelist of applications,
> which are granted network access?
More or less; both grsecurity's RBAC and SElinux support this, but on a per-user
basis, not per-application. Novell's AppAr
Is there some known good way to make an effective whitelist of applications,
which are granted network access?
By the way, there is another related question: I remember, I once started
googleearth as user1 and had firefox running as user2; really, googleearth
opened link into user2's firefox! S
Hi!
On Tue, Nov 25, 2008 at 05:00:45PM +0200, Jan Klod wrote:
> Suppose, I want to take some extra precautions and set up PaX&co and MAC on a
> workstation with Xorg and other nice KDE apps (only some of which should be
> granted access to files in folder X). I would like to read others opinion,
Suppose, I want to take some extra precautions and set up PaX&co and MAC on a
workstation with Xorg and other nice KDE apps (only some of which should be
granted access to files in folder X). I would like to read others opinion, if
I can get considerable security improvements or I will have to m