Re: Is LIDS a good idea?
On Wed, Dec 05, 2001 at 08:43:01 +1000, mdevin@ozemail.com.au wrote:
> I am just a little confused now on the libsafe / openwall / dietlibc
> stuff. Is it recommended to do all 3?

don't install stuff you don't understand what it does. go step by step
and understand what these do.
libsafe is a preloader lib and can be deactivated fast and painless,
e.g. if something doesn't work.
openwall is a kernel patch for proactive security in the kernel.
dietlibc is a glibc replacement. not yet stable for production use.

> From what I can see, there doesn't seem to be an openwall patch yet
> for 2.4 kernels and dietlibc seems to be providing a cut-down libc to
> create smaller binaries by statically linking etc.

openwall isn't yet available for 2.4. last time i checked, the
non-exec-stack patch was obviously not so easy to port to 2.4.
on the lids homepage there is a link for a LIDS, openwall, stealth and kerneli
patch that's integrated into one. i use this one on 2.2.
dietlibc does securing of insecure functions like gets() into something more
secure (which is by design not so easy), but it could break things.

> I was just going to install libsafe and LIDS. Are you recommending
> more?

i could recommend you host based, network based intrusion detection
systems, proactively deactivating security risks, hardening scripts,
conceptual planning, automatic upgrading and on and on.....
there are a lot of scripts, patches and programs to make things more secure.
the only thing i recommend is to read a lot of background stuff, stay
up-to-date and test things out.

> When you mentioned that you were going to set up a computer with LIDS
> and hand-out root passwords to everybody for a challenge to try and
> crack it; What will you have installed on this computer? Will it be
> LIDS and libsafe for the protection or more?

LIDS will protect my kernel from root. libsafe does protect normal user
daemons from root. from this point, i don't need libsafe.
basically, it will be a minimum debian with full root access for
everybody. i'll protect the basic things, but the system will run from
an encrypted loopback image, so i can reset the whole machine in
seconds.