[huskerlug] Re: CERT Advisory
- From: "Jeff Ives" <jives2@xxxxxxx>
- To: <huskerlug@xxxxxxxxxxxxx>
- Date: Fri, 15 Aug 2003 00:26:34 -0500
Layered security is the only way. First cut off physical access, then =
cut
off remote interaction such as shells sessions anything where code can =
be
executed in a non controlled way...then tie up the ends with firewalls, =
file
system security, etc. And have a plan for when each and all fail.
-----Original Message-----
From: huskerlug-bounce@xxxxxxxxxxxxx =
[mailto:huskerlug-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve
Sent: Thursday, August 14, 2003 7:12 PM
To: huskerlug@xxxxxxxxxxxxx
Subject: [huskerlug] Re: CERT Advisory
> I know that cracking WinXX boxes is no trick at all - 7th =
graders=3D20=20
> have done it using scripts. But, do you think a "script-kiddy" =
has=3D20=20
> enough knowledge and ability to crack into a Linux distro, even =
with=3D20
> 'linux scripts'? =20
That's the thing with "script kiddies", most of them don't have a lot of =
knowledge. If someone writes an exploit for xyz os, anyone can run it. =
It=20
takes very little if any knowledge to execute the exploit. This is true =
whether it's an attack against windoze, linux, openbsd, etc.
One thing to note about the GNU compromise was that they offered shell
access=20
to many. It is a lot more difficult to secure a system from local =
attack=20
than remote attacks. Typically, kernel bugs tend to only be exploitable =
locally. In this case, it was the ptrace bug that led to the =
compromise.
Unfortunately, almost all OSes have proved to be quite "breakable" once =
an=20
intruder achieves local access. That is why it's important to limit =
access=20
to setuid/setgid root programs. Better yet, reduce the need for them =
all=20
together by using the built-in file system protections provided by *nix. =
=20
OpenBSD is doing an good job of this right now, and Owl GNU/*/Linux has =
a=20
shadow password implementation that requires no setuid root binaries to
allow=20
users to change their passwords, finger info, etc. =20
There are a lot of other precautions that can be taken as I'm sure most =
of
you=20
know (e.g. device permissions, /proc restrictions, remove lkm support, =
file=20
system restrictions, disable ptrace & rawio globally, statically compile =
privileged binaries, HIDS, etc). After all that is done, there are =
several=20
kernel hardening patches that can be considered.
--=20
Steve Bremer
RHCE,CCNA
--
Real Men don't make backups. They upload it via ftp and let the world=20
mirror it. -- Linus Torvalds
--
GnuPG Key fingerprint =3D 7F06 4D73 7963 BE96 5189 953A E285 CB2C BA03 =
2746
Available on key servers.
=20
----
Husker Linux Users Group mailing list
To unsubscribe, send a message to huskerlug-request@xxxxxxxxxxxxx with a
subject of UNSUBSCRIBE
----
Husker Linux Users Group mailing list
To unsubscribe, send a message to huskerlug-request@xxxxxxxxxxxxx
with a subject of UNSUBSCRIBE
- Follow-Ups:
- [huskerlug] Re: CERT Advisory
- From: Steve
- References:
- [huskerlug] Re: CERT Advisory
- From: Steve
Other related posts:
- » [huskerlug] CERT Advisory
- » [huskerlug] Re: CERT Advisory
- » [huskerlug] Re: CERT Advisory
- » [huskerlug] Re: CERT Advisory
- » [huskerlug] Re: CERT Advisory
- » [huskerlug] Re: CERT Advisory
- » [huskerlug] Re: CERT Advisory
- » [huskerlug] Re: CERT Advisory
- » [huskerlug] Re: CERT Advisory
- » [huskerlug] Re: CERT Advisory
- » [huskerlug] Re: CERT Advisory
- » [huskerlug] Re: CERT Advisory
- » [huskerlug] Re: CERT Advisory
- » [huskerlug] Re: CERT Advisory
- » [huskerlug] Re: CERT Advisory
- » [huskerlug] Re: CERT Advisory
- » [huskerlug] Re: CERT Advisory
- » [huskerlug] Re: CERT Advisory
- » [huskerlug] Re: CERT Advisory
- » [huskerlug] Re: CERT Advisory
- » [huskerlug] Re: CERT Advisory
- » [huskerlug] Re: CERT Advisory
- » [huskerlug] Re: CERT Advisory
- » [huskerlug] Re: CERT Advisory
- » [huskerlug] Re: CERT Advisory
- [huskerlug] Re: CERT Advisory
- From: Steve
- [huskerlug] Re: CERT Advisory
- From: Steve