
Re: Is LIDS a good idea?



On Wed, Dec 05, 2001 at 08:43:01 +1000, mdevin@ozemail.com.au wrote:
> I am just a little confused now on the libsafe / openwall / dietlibc
> stuff.  Is it recommended to do all 3?  

don't install stuff you don't understand what it does. go step by step
and understand what these do.

libsafe is a preloader lib and can be deactivated fast and painlessly,
e.g. if something doesn't work.

openwall is a kernel patch for proactive security in the kernel.

dietlibc is a glibc replacement. not yet stable for production use.

> From what I can see, there doesn't seem to be an openwall patch yet
> for 2.4 kernels and dietlibc seems to be providing a cut-down libc to
> create smaller binaries by statically linking etc.

openwall isn't yet available for 2.4. last time i checked, the
non-exec-stack patch was obviously not so easy to port to 2.4.

on the lids homepage is a link for a LIDS, openwall, stealth and kerneli
patch that's integrated into one. i use this one on 2.2.

dietlibc does securing of insecure functions like gets() into something more
secure (which is by design not so easy), but it could break things.

> I was just going to install libsafe and LIDS.  Are you recommending
> more?

i could recommend you host based, network based intrusion detection
systems, proactively deactivating security risks, hardening scripts,
conceptual planning, automatic upgrading and on and on.....

there are a lot of scripts, patches and programs to make things more secure.

the only thing i recommend is to read a lot of background stuff, stay
up-to-date and test things out.

> When you mentioned that you were going to set up a computer with LIDS
> and hand-out root passwords to everybody for a challenge to try and
> crack it;  What will you have installed on this computer?  Will it be
> LIDS and libsafe for the protection or more?

LIDS will protect my kernel from root. libsafe does protect normal user
daemons from root. from this point, i don't need libsafe.

basically, it will be a minimum debian with full root access for
everybody. i'll protect the basic things, but the system will run from
an encrypted loopback image, so i can reset the whole machine in
seconds. 


