
(usagi-users 02974) Re: vulnerability management of USAGI stable kernel ?
Thank you very much. Your answers clarify many issues for me :)

As you suggested, I tried Fedora. Since I need kernel 2.4.x, I use Fedora Core 1. The USAGI patch cannot be applied correctly on Fedora's kernel (2.4.22); there are a number of rejects. I think Fedora's kernel has backported some things from the 2.6.x kernel.

I might have to get the mainline kernel + USAGI patch instead of using the Fedora kernel.

Best regards,
Patcharee

Valdis.Kletnieks@xxxxxx wrote:

On Thu, 24 Jun 2004 19:20:51 +0900, Patcharee Basu <yoo@xxxxxxxxx> said:

1. Does USAGI do all the security patches of Linux kernel 2.4.21 (before today)? I found the last modified date of USAGI stable is January 2004.

Well... USAGI is basically a networking-only patch on top of a specific kernel release. As such, if the kernel that's being patched wasn't already also patched against the security issue, the USAGI patch won't fix it.

So for instance, if a security issue was fixed in 2.4.25, then any USAGI patch
based on a pre-2.4.25 would still have problems, while any USAGI based on
2.4.25 or later will be covered.

2. If there is a vulnerability of kernel 2.4.x found in the future, would USAGI deal with that?

Again, USAGI is networking support only.

If you're looking for actual *security* patches, you probably want to be
looking at the Linux Security Module (LSM) stuff and SELinux.  Note the
following:

a) SELinux isn't a trivial install - currently the best starting point is
Fedora Core 2 and some hand-tweaking.  You *really* want to be on a 2.6.7
kernel for this...

b) There is really *nothing*, repeat *nothing*, that can be done to prevent or
protect against security issues in the kernel caused by bugs, other than
writing bug-free code.  And there's no good way to deal with a known bug other
than applying an appropriate patch.

Please advise, since I am a newbie in both USAGI and security.

(Putting on my security guru hat for the moment...)

Currently, I'd call the kernel that's in the Fedora Core development tree as
the most secure Linux kernel installable by mere mortals, due to the fact that
it contains both the SELinux stuff and RedHat's Exec-Shield stuff (yes, you can
harden it even more - but I don't consider the PaX/grsecurity stuff to be
something that mere mortals can do..)

However, *equally* important (if not even more so) is userspace security and
administrative security.  You can have the most secure kernel, but the vast
majority of security issues are in programs, not in the kernel (and in fact,
SELinux addresses the enforcement of userspace security rather than securing
the kernel itself, for that reason).

The proper order of doing things to harden a Linux box:

1) *install the vendor patches*.  You don't do this, you're screwed.

2) Harden the userspace.  The Center for Internet Security has a fairly good
baseline Linux benchmark and guide (http://www.cisecurity.org).  No, not
everything in that guide will apply to your system, and it doesn't include
everything you can do - but it's a good start for a newbie. Important note: Do
*NOT* expect a usable system to score a 10.0 - of all the CIS members, I've
heard of *ONE* production server that scored a 10.0 (done by a co-worker even
more paranoid than I am).  A score of 8.5 to 9.0 on the Linux benchmark is
already well into "tweaked until it hurts"...  (Disclaimer: I'm biased, as I
was a major contributor to the Linux and Solaris benchmarks).

If everybody did those 2 things, my life would be a lot simpler and the
hackers would have a lot more trouble.

If you get all that done and still want more to do, feel free to buzz me off-list, or
check the following resources:

SELinux - http://www.nsa.gov/selinux/

Multiple security mailing lists at SecurityFocus:  http://www.securityfocus.com
Bugtraq is one of the premier lists, some of their others (forensics, incidents,
vuln-dev) may interest you too..

SANS - http://www.sans.org - security training, and lots of good stuff in
their Reading Room.