Archives

Categories

SE Linux in Lenny Status

SE Linux is almost ready to use in Lenny. Currently I am waiting on the packages libsepol1 version 2.0.30-2, policycoreutils 2.0.49-3, and selinux-policy-default version 0.0.20080702-4 to make their way to testing. The first two should get there soon, the policy will take a little longer as I just made a new upload today (to make […]

July 29th, 2008 | Tags: , | Category: Security | 4 comments - (Comments are closed)

Biba and BLP for Network Services

Michael Janke has written an interesting article about data flows in networks [1], he describes how data from the Internet should be considered to have low integrity (he refers to it as “untrusted”) and that as you get closer to the more important parts of the system it needs to be of higher integrity.

It […]

July 28th, 2008 | Tags: | Category: Security | 4 comments - (Comments are closed)

SE Linux Policy Loading

One of the most significant tasks performed by a SE Linux system is loading the “policy“. The policy is the set of rules which determine what actions are permitted by each domain.

When I first started using SE Linux (in 2001) the kernel knew where to find the policy file and would just read the […]

July 24th, 2008 | Tags: , | Category: Security | Comments are closed

New SE Linux Policy for Lenny

I have just uploaded new SE Linux policy packages for Debian/Unstable which will go into Lenny (provided that the FTP masters approve the new packages in time).

The big change is that there are no longer separate packages for strict and targeted policies. There is now a package named selinux-policy-default which has the features of […]

July 13th, 2008 | Tags: , | Category: Security | 5 comments - (Comments are closed)

Is a GPG pass-phrase Useful?

Does a GPG pass-phrase provide a real benefit to the majority of users?

It seems that there will be the following categories of attack which result in stealing the secret-key data:

User-space compromise of account (EG exploiting a bug in a web browser or IRC client). System compromise (EG compromising a local account and exploiting […]

July 9th, 2008 | Tags: | Category: Security | 9 comments - (Comments are closed)

Kernel Security vs Uptime

For best system security you want to apply kernel security patches ASAP. For an attacker gaining root access to a machine is often a two step process, the first step is to exploit a weakness in a non-root daemon or take over a user account, the second step is to compromise the kernel to gain […]

June 27th, 2008 | Tags: | Category: Ha, Security | 12 comments - (Comments are closed)

SE Linux Support in GPG

In May 2002 I had an idea for securing access to GNUPG [1]. What I did was to write SE Linux policy to only permit the gpg program to access the secret key (and other files in ~/.gnupg). This meant that the most trivial ways of stealing the secret key would be prevented. However an […]

June 6th, 2008 | Tags: , , , | Category: Security | 10 comments - (Comments are closed)

IPSEC is Pain

I’ve been trying to get ipsec to work correctly as a basic VPN between two CentOS 5 systems. I set up the ipsec devices according to the IPSEC section of the RHEL4 security guide [1] (which is the latest documentation available and it seems that nothing has changed since). The documentation is quite good, but […]

May 24th, 2008 | Category: Security | 15 comments - (Comments are closed)

Security Flaws in Free Software

I just wrote about the system administration issues related to the recent Debian SSL/SSH security flaw [1]. The next thing we need to consider is how we can change things to reduce the incidence of such problems.

The problem we just had was due to the most important part of the entropy supply for the […]

May 21st, 2008 | Tags: , , | Category: Security | 5 comments - (Comments are closed)

Debian SSH Problems

It has recently been announced that Debian had a serious bug in the OpenSSL code [1], the most visible affect of this is compromising SSH keys – but it can also affect VPN and HTTPS keys. Erich Schubert was one of the first people to point out the true horror of the problem, only 2^15 […]

May 18th, 2008 | Tags: , , | Category: Security | 14 comments - (Comments are closed)
« Newer Entries  
  Older Entries »