public inbox for gentoo-security@lists.gentoo.org
* [gentoo-security] hardened-sources-2.6.x results.
@ 2004-03-16  1:20 Ned Ludd
From: Ned Ludd @ 2004-03-16  1:20 UTC
  To: gentoo-hardened; +Cc: gentoo-security

hardened-dev-sources-2.6 is available for "testing"

Here is what you can get for the rock bottom 
bargain price of zero dollars and zero cents.

* linux-2.6.4
  (the kernel of course)

* grsec-core-2.0
  (vanilla snapshot from last night)

* grsec extras
  (the ability to audit text relocations)

* pax-status
  (displays runtime pax flags in /proc/#pid/status)

* selinux-hooks 
  (these allow selinux to hook directly into pax for policy enforcement)

* selinux-ipaddr 
  (this allows selinux to track ip address via policy or something)

* netdev-rand-core
  (framework that allows net devices to seed to the entropy pool)

* netdev-rand-drivers
 (drivers that actually do the entropy seeding)

I'd like to thank cluckj from irc.freenode.net/#gentoo-hardened for
testing almost every iteration of this while I was putting it together
last night. (thanks bud). I'd also like to thank albeiro as well for 
porting the netdev-rand stuff and accepting to become the maintainer of
those patches. Oh and of course I'd like to thank the usual list of
suspects..

Other than that happy bug hunting. If something does not work join the
hardened channel and pick a random nick and blame them cuz I'll plead
the 5th :)

Oh wait one more thing.. If you really care about security you probably
should stick with 2.4.x

-peace

-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux Developer

* [gentoo-security] Re: [gentoo-hardened] hardened-sources-2.6.x results.
@ 2004-03-17 18:08   ` Ned Ludd
From: Ned Ludd @ 2004-03-17 18:08 UTC
  To: Michael Atighetchi; +Cc: gentoo-hardened, gentoo-security

On Wed, 2004-03-17 at 12:46, Michael Atighetchi wrote:
> On Mon, Mar 15, 2004 at 08:20:31PM -0500, Ned Ludd wrote:
> > hardened-dev-sources-2.6 is available for "testing"
> > 
> 
> <snip>
> 
> > Oh wait one more thing.. If you really care about security you probably
> > should stick with 2.4.x
> > 
> 
> Could you explain more why you think 2.6 is "less" secure than 2.4 ?

I'm not saying that 2.6.x is less secure in any way. 2.6.x has been out
all of what a few months? And the security patches even less time. So
without proper security regression tests done for 2.6.x yet I'll stick 
with recommending that it not be used for production environments yet.
2.4.x on the other hand has been audited by many sets of eyes where
2.6.x has probably been reviewed by a few.

Auditing and regression testing is welcome.

-peace

> 
> Michael
> 
> 
> > -peace
> > 
-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux Developer

* [gentoo-security] Re: [gentoo-hardened] hardened-sources-2.6.x results.
@ 2004-03-17 19:05       ` Ned Ludd
From: Ned Ludd @ 2004-03-17 19:05 UTC
  To: Michael Atighetchi; +Cc: gentoo-hardened, gentoo-security

On Wed, 2004-03-17 at 13:44, Michael Atighetchi wrote:
> On Wed, Mar 17, 2004 at 01:08:56PM -0500, Ned Ludd wrote:
> > On Wed, 2004-03-17 at 12:46, Michael Atighetchi wrote:
> > > On Mon, Mar 15, 2004 at 08:20:31PM -0500, Ned Ludd wrote:
> > > > hardened-dev-sources-2.6 is available for "testing"
> > > > 
> > > 
> > > <snip>
> > > 
> > > > Oh wait one more thing.. If you really care about security you probably
> > > > should stick with 2.4.x
> > > > 
> > > 
> > > Could you explain more why you think 2.6 is "less" secure than 2.4 ?
> > 
> > I'm not saying that 2.6.x is less secure in any way. 2.6.x has been out
> > all of what a few months? And the security patches even less time. So
> > without proper security regression tests done for 2.6.x yet I'll stick 
> > with recommending that it not be used for production environments yet.
> > 2.4.x on the other hand has been audited by many sets of eyes where
> > 2.6.x has probably been reviewed by a few.
> > 
> > Auditing and regression testing is welcome.
> > 
> I see. We started using a 2.4 gentoo linux distribution a couple of
> months ago, and had good luck with it. However, we ran into install
> difficulties with the 2.6 live cd, which were painful but we worked
> around them. 
> 
> However, we currently face an issue with stdout redirection. We start
> our java processes via a .sh script and redirect stdout/stderr to a file via
>  > file.txt 2>&1 . By changing from 2.4 to 2.6 we noticed that
>  file.txt gets created when the .sh script starts up, but it does not
>  get any content for a while (about 6 minutes and about 100k of
>  log), after which the whole file shows up. It looks like a buffering
>  problem of sorts.
> 
>  We are using 
>  Linux dcaf 2.6.4-rc2-mm1 #2 Mon Mar 15 17:33:02 EST 2004 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux
>  with the following fs
>  /dev/hda3 on / type ext3 (rw,noatime)
> 
>  Any clues ?

nope I sure don't.. 
Anybody else with a cluestick have an idea?

> 
> Michael
> 
> 
> > -peace
> > 
> > > 
> > > Michael
> > > 
> > > 
> > > > -peace
> > > > 
-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux Developer

* Re: [gentoo-security] Re: [gentoo-hardened] hardened-sources-2.6.x results.
@ 2004-03-20 20:01         ` GCS
From: GCS @ 2004-03-20 20:01 UTC
  To: Ned Ludd; +Cc: Michael Atighetchi, gentoo-hardened, gentoo-security

On Wed, Mar 17, 2004 at 02:05:10PM -0500, Ned Ludd <solar@gentoo.org> wrote:
> On Wed, 2004-03-17 at 13:44, Michael Atighetchi wrote:
> > On Wed, Mar 17, 2004 at 01:08:56PM -0500, Ned Ludd wrote:
> > I see. We started using a 2.4 gentoo linux distribution a couple of
> > months ago, and had good luck with it. However, we ran into install
> > difficulties with the 2.6 live cd, which were painful but we worked
> > around them. 
> > 
> > However, we currently face an issue with stdout redirection. We start
> > our java processes via a .sh script and redirect stdout/stderr to a file via
> >  > file.txt 2>&1 . By changing from 2.4 to 2.6 we noticed that
> >  file.txt gets created when the .sh script starts up, but it does not
> >  get any content for a while (about 6 minutes and about 100k of
> >  log), after which the whole file shows up. It looks like a buffering
> >  problem of sorts.
 Maybe some sort of 'sync' shows up content sooner?
Cheers,
Laszlo/GCS

* [gentoo-security] Re: [gentoo-hardened] hardened-sources-2.6.x results.
@ 2004-11-11 20:34       ` Jonathan Rogers
From: Jonathan Rogers @ 2004-11-11 20:34 UTC
  To: gentoo-hardened; +Cc: gentoo-security

On Wed, 2004-03-17 at 13:44, Michael Atighetchi wrote:
> I see. We started using a 2.4 gentoo linux distribution a couple of
> months ago, and had good luck with it. However, we ran into install
> difficulties with the 2.6 live cd, which were painful but we worked
> around them. 
> 
> However, we currently face an issue with stdout redirection. We start
> our java processes via a .sh script and redirect stdout/stderr to a file via
>  > file.txt 2>&1 . By changing from 2.4 to 2.6 we noticed that
>  file.txt gets created when the .sh script starts up, but it does not
>  get any content for a while (about 6 minutes and about 100k of
>  log), after which the whole file shows up. It looks like a buffering
>  problem of sorts.
> 
>  We are using 
>  Linux dcaf 2.6.4-rc2-mm1 #2 Mon Mar 15 17:33:02 EST 2004 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux
>  with the following fs
>  /dev/hda3 on / type ext3 (rw,noatime)
> 
>  Any clues ?

Was the kernel the only difference? It sounds more like a difference 
in the size of the userspace buffer, which is managed by Glibc, although 
a 100k default buffer is mighty big.

Jonathan Rogers

--
gentoo-security@gentoo.org mailing list
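
An added example, not part of the thread: a C probe for the userspace-buffer hypothesis raised in the last reply, showing how much of a log is visible to other processes before and after the stdio buffer is flushed. It assumes a C program writing through stdio (a JVM may buffer differently); `probe_buffering` and the /tmp path are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Size of the file as any other process (tail, cat, ls) sees it right now. */
static long visible_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/*
 * Write `lines` 14-byte log lines through a stdio stream using buffering
 * `mode` (_IOFBF or _IOLBF) and a `bufsize`-byte buffer, then record how many
 * bytes are visible in the file before and after fflush().
 * Returns 0 on success, -1 on error.
 */
int probe_buffering(const char *path, int mode, size_t bufsize, int lines,
                    long *before_flush, long *after_flush) {
    FILE *fp = fopen(path, "w");
    char *buf = malloc(bufsize);
    if (!fp || !buf || setvbuf(fp, buf, mode, bufsize) != 0) {
        if (fp) fclose(fp);
        free(buf);
        return -1;
    }
    for (int i = 0; i < lines; i++)
        fprintf(fp, "log line %04d\n", i);
    *before_flush = visible_size(path);  /* data may still sit in userspace */
    fflush(fp);                          /* write() to the kernel; no sync() needed */
    *after_flush = visible_size(path);
    fclose(fp);
    free(buf);
    return 0;
}

int main(void) {
    const char *path = "/tmp/stdio_probe.txt";  /* constructed sample path */
    long before, after;
    if (probe_buffering(path, _IOFBF, 128 * 1024, 100, &before, &after) == 0)
        printf("fully buffered: %ld bytes before flush, %ld after\n", before, after);
    if (probe_buffering(path, _IOLBF, 128 * 1024, 100, &before, &after) == 0)
        printf("line buffered:  %ld bytes before flush, %ld after\n", before, after);
    unlink(path);
    return 0;
}
```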


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2004-11-11 20:35 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-03-16  1:20 [gentoo-security] hardened-sources-2.6.x results Ned Ludd
     [not found] ` <20040317174659.GF3372@bbn.com>
2004-03-17 18:08   ` [gentoo-security] Re: [gentoo-hardened] " Ned Ludd
     [not found]     ` <20040317184443.GH3372@bbn.com>
2004-03-17 19:05       ` Ned Ludd
2004-03-20 20:01         ` GCS
2004-11-11 20:34       ` Jonathan Rogers

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox