Re: My own Firewall ??
> When you say you tried it, how did you test?
I probably made a premature comment. Nessus probings, for example, were
ok for me before trying this kernel. Maybe other friends with more
experience can say something. What specific tests are you referring to?
> Can you identify any specific, real world situation where it has helped?
> Has it caused problems with any software, or people, or whatever?
I just have a small personal debian server running a web and mail servers.
Most of the hacking attempts are directed to those. However, apache has
many security options (suphp, modsecurity, etc) and is chrooted. I don't
think the kernel had a lot to do with this. Apparently, it protects kernel
memory, stack overflows and /proc (see below for what is added to this
kernel). Other software programs installed appear to be OK. Of course,
this kernel-image disables any X servers and programs related to it.
There is a kernel source if you need to compile it. I cannot really say
it would or would not cause problems to some people. It did not cause any
for me. But again, I just run a small box.
> This isn't a question aimed at making problems for you, or insulting the
> people who are, no doubt, working very hard on the hardening project.
I think is great we have brothers and sisters interested on these things...
> I really want to know, because I don't have time (currently) to test it
> myself, but would happily deploy it to client sites if I could be sure
> it would actually achieve anything to improve matters.
Hardened Debian kernel sources information.
Maintainer: Lorenzo Hernández García-Hierro
- grSecurity 2.0.1
- CAN-2004-0109 fix.
- CAN-2004-0596 fix.
- TCP-stealth for 2.6.7.
- Net-dev-random for 2.6.7.
- Net-dev-random-drivers for 2.6.7.
- SELinux PaX hooks for 2.6.7.
- SELinux ipaddr patch.
- grSecurity doesn't depend on PaX at all and viceversa.
- SELinux updated headers.
- Added extra security options to SELinux.
- Openswan 2.3.0dr2 (improved IPSec stack).
- Fortuna CSRNG.
- BINFMT_ELF Loader Local Privilege Escalation Vulnerabilities.
> Also, I recall some months ago that some Debian hardening toolkit had
> made a miserable mess of the systems of a couple of people on the Debian
> lists, by going in and screwing around with various configuration files
> for them.
> IIRC, it was some sort of "education about security" package; is this
> the same project, or am I thinking of something else?
If you are referring to bastille, I think is a good program. Never had
any problems with it. Just a little thing here and there, like creating
some sort of directory it needed and the like. I believe some of the
options need to be carefully considered.
-JM. ?Estos días azules y este sol de la infancia ?(Antonio Machado-1939)