Re: Linux Distribution Recommendation

From: Peter Busser (peter_at_devbox.adamantix.org)
Date: 03/11/04

    Date: Thu, 11 Mar 2004 10:16:24 +0100
    To: security-basics@securityfocus.com
    
    

    Hi!

    > all distro uses the same sw
    > - same kernel or tweaked ( broken )
    > - same gcc/glibc
    > - same bash
    > - same sendmail
    > - same dns
    > - same apache
    > - same ipchains/iptables
    > - same mysql ....
    > - same blah-blah ..
    >
    > ---> one distro is NOT more secure than another

    That is definitely not true, not all distributions are created equal. There is
    a big difference in security between different distributions. Adamantix
    provides:

    - A kernel patch to make buffer exploits harder (PaX).
    - A C/C++ compiler patch which makes stack exploits harder (SSP aka ProPolice).
    - A kernel patch with improved access control (RSBAC).
    - Almost all binaries have been recompiled for ASLR (Address Space Layout
      Randomisation, where binaries, libraries, stack and heap are located at
      randomised addresses in the process memory).

    The combination of PaX and a proper RSBAC security policy can protect against
    ALL arbitrary code injection and execution. Most remote exploits depend on the
    ability to introduce and execute new code. There are ways around it, but they
    require more sophistication, more effort and have a lower chance of success.

    With a proper RSBAC security policy, even root cannot destroy the system
    anymore. In other words, root is no longer God on the system. A well designed
    policy could make the Linux kernel the weakest link.

    Your assumptions are wrong, therefore your conclusion is wrong too.

    > -- it solely depends on the user's ability to know
    > how to make it equally or better secure than the other
    >
    > and i'd still pick slackware ... if its my choice

    Well, sure, use whatever you like best.

    > > The vision behind Adamantix is to improve the overall security features of
    > sounds like what nsa linux and trustix used to claim ?? along with the
    > other secure linux ??

    I don't know what they used to claim. Trustix is now a closed for-pay only
    distribution it seems (correct me if wrong). And SELinux is just a kernel
    patch. Adamantix provides RSBAC, which does everything SELinux does but more.
    People who used both RSBAC and SELinux say that RSBAC is easier to use. But it
    lacks good documentation though.

    Groetjes,
    Peter Busser


