KBTAG: kben10000021
URL: http://www.securityportal.com/lskb/10000000/kben10000021.html
Date created: 17/04/2000
Date modified: 13/10/2000
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: Linux kernel patches that enhance security
Keywords: Kernel, Filesystem/ACLS, Filesystem/Auditing, Kernel/Auditing
Implementation information:
Difficulty: medium to hard
Requirements: Linux kernel source, compiler, reboot of machine
Time (approx.): minutes to hours
Comments: Use a test server
Related articles: kben10000073
There are a number of kernel patches for Linux that add capabilities allowing various security enhancements. For various reasons these patches have not been merged into the "official" kernel, so they must be downloaded and applied to the kernel source by hand, after which the kernel is rebuilt and the machine rebooted. There are also some utilities, like auditd, that use existing kernel facilities to log in a much more verbose fashion.
Secure Linux Kernel Patch
The Openwall Linux kernel patch is a collection of security "hardening" features for the Linux kernel. In addition to the new features, some versions of the patch contain various security fixes. The "hardening" features of the patch, while not a complete method of protection, provide an extra layer of security against the easier ways to exploit certain classes of vulnerabilities and/or reduce the impact of those vulnerabilities. The patch can also add a little more privacy to the system by restricting access to parts of /proc so that users cannot see what others are doing. You can get it from: http://www.openwall.com/linux/.
International kernel patch
This patch (over a megabyte in size!) adds a large amount of strong cryptography and related code. It includes several of the encryption algorithms that were AES candidates (including MARS from IBM). You can get it from: http://www.kerneli.org/.
Linux Intrusion Detection System (LIDS)
This patch adds a number of interesting capabilities, primarily aimed at detecting and containing attacks. You can "lock" file mounts, firewall rules and other kernel state so that they cannot be altered once the system is up, and a variety of other options are available. You can get it from: http://www.lids.org/.
auditd
auditd lets you use the kernel's logging facilities, which are a very powerful tool. You can log mail messages, system events and the normal items that syslog would cover, but in addition you can record events such as specific users opening files, the execution of programs (setuid programs included), and so on. If you need a solid audit trail then this is the tool for you. You can get it at: ftp://ftp.hert.org/pub/linux/auditd/.
Fork Bomb Defuser
A loadable kernel module that lets you limit the maximum number of processes per user and the maximum number of forks; very useful for shell servers with untrusted users. You can get it from: http://rexgrep.tripod.com/rexfbdmain.htm.
Medusa DS9
From the announcement:
Medusa DS9 is used to increase Linux's security. It consists of two major parts, Linux kernel changes and the user-space daemon. Kernel changes do the monitoring of syscalls, filesystem actions, and processes, and they implement the communication protocol. The security daemon communicates with the kernel using the character device to send and receive packets. It contains the whole logic and implements the concrete security policy. That means that Medusa can implement any model of data protection; it depends only on the configuration file, which is in fact a program in the internal programming language, somewhat similar to C.
http://medusa.fornax.sk/