SUSE kernel security features vs vanilla


SUSE kernel security features vs vanilla

Malte Gell-3
Just out of curiosity,
do SUSE kernels have security-specific patches / features that the vanilla
kernel does not have?

regards
m
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: SUSE kernel security features vs vanilla

Marcus Meissner
On Tue, Mar 21, 2017 at 04:31:36AM +0100, Malte Gell wrote:
> Just out of curiosity,
> do SUSE kernels have security-specific patches / features that the vanilla
> kernel does not have?

Not specifically, no.

Note that the mainline kernel, especially in the last few years, is getting
quite a few new security features every release.

Ciao, Marcus


Re: SUSE kernel security features vs vanilla

Malte Gell-3
On 21.03.2017 at 06:45, Marcus Meissner wrote:
> On Tue, Mar 21, 2017 at 04:31:36AM +0100, Malte Gell wrote:
>> Just out of curiosity,
>> do SUSE kernels have security-specific patches / features that the vanilla
>> kernel does not have?
>
> Not specifically, no.
>
> Note that the mainline kernel, especially in the last few years, is getting
> quite a few new security features every release.

Yes. I just learned about the Kernel Self Protection Project.
The kernel can be made much more secure just by using an appropriate, wise
config setup.

By the way, does SUSE have user-supplied statistics, maybe for
enterprise products, about hacked servers? It would be interesting to
see what security holes real-life hackers mostly use to break into
systems. Well, as far as customers are willing to give such data back to
the distributor....

regards
Malte



Re: SUSE kernel security features vs vanilla

Marcus Meissner
On Sat, Mar 25, 2017 at 11:00:18AM +0100, Malte Gell wrote:

> On 21.03.2017 at 06:45, Marcus Meissner wrote:
> > On Tue, Mar 21, 2017 at 04:31:36AM +0100, Malte Gell wrote:
> >> Just out of curiosity,
> >> do SUSE kernels have security-specific patches / features that the vanilla
> >> kernel does not have?
> >
> > Not specifically, no.
> >
> > Note that the mainline kernel, especially in the last few years, is getting
> > quite a few new security features every release.
>
> Yes. I just learned about the Kernel Self Protection Project.
> The kernel can be made much more secure just by using an appropriate, wise
> config setup.

And as this is in the upstream kernel, we benefit from it :)

> By the way, does SUSE have user-supplied statistics, maybe for
> enterprise products, about hacked servers? It would be interesting to
> see what security holes real-life hackers mostly use to break into
> systems. Well, as far as customers are willing to give such data back to
> the distributor....

None of our customers report this back to us, as far as I am aware.

If you ask me to guess, most intrusions come from unsafe third-party apps,
exploits of unpatched systems, or trivial passwords. :/

Ciao, Marcus


Re: SUSE kernel security features vs vanilla

Christian Boltz-7
Hello,

On Saturday, 25 March 2017, 11:40:22 CEST, Marcus Meissner wrote:
> On Sat, Mar 25, 2017 at 11:00:18AM +0100, Malte Gell wrote:
> > On 21.03.2017 at 06:45, Marcus Meissner wrote:
> > > On Tue, Mar 21, 2017 at 04:31:36AM +0100, Malte Gell wrote:
> > >> Just out of curiosity,
> > >> do SUSE kernels have security-specific patches / features that the
> > >> vanilla
> > >> kernel does not have?
> > >
> > > Not specifically, no.

Well, actually there is a little detail: network rules in AppArmor ;-)
This patch has been included in the (open)SUSE kernel for years for
historical reasons (and also in the Ubuntu kernel, because most upstream
developers work for Canonical).

The Ubuntu kernel has some more AppArmor features (dbus, ptrace, signal,
mount rules) which will go upstream in one of the next kernel releases.
(I don't know in which version exactly.)

> > By the way, does SUSE have user-supplied statistics, maybe for
> > enterprise products, about hacked servers? It would be interesting
> > to see what security holes real-life hackers mostly use to break
> > into systems. Well, as far as customers are willing to give such
> > data back to the distributor....
>
> None of our customers report this back to us, as far as I am aware.
>
> If you ask me to guess, most intrusions come from unsafe third-party
> apps, exploits of unpatched systems, or trivial passwords. :/

My experience from maintaining some web and mail servers shows exactly
two typical reasons:
- outdated CMS with known security issues because customers don't want
  to update for various reasons [1]. Also known as ETOLDYOUSO ;-)
  On the positive side, I now have some nice PHP shells ;-) -
  unfortunately not trustworthy because of where the code comes from.
  Funnily enough, most attackers have those shells password-protected to
  make sure nobody else can use them ("hey, _I_ hacked this website!")
- stolen mail passwords abused to send spam (I doubt this is caused by
  cracked trivial passwords - my guess is that Windows trojans send the
  mail password to their master together with the address book)

IIRC I never had successful attacks on something installed from the
distribution (kernel, Apache, PHP etc.), even after a release went EOL
(again, see [1]). I'm not really surprised about that - why should
someone waste time on a kernel hack if the CMS has the front door wide
open? ;-)

Please don't misread this as "you never need to patch the OS" - I'm just
saying that other attacks are more common IMHO.

Oh, and make sure to enforce key-only SSH logins. The number of login
attempts with guessed passwords and usernames is insane.


Regards,

Christian Boltz

PS: If stolen mail passwords get abused, I have a nice cure - I change
    the password of that account instantly (of course) and replace it
    with a more secure password, for example
        nN2Z59EA/sbE2Cp+cRpt196J/3Iq1pwq/3KGDCWk   [2]
    People *love* to hear their new password on the phone *eg*

[1]  time, money, customer-specific code that is incompatible with the
    new version etc. - or a wild mix of these reasons

[2] having a little script to generate secure random passwords helps a
    lot, and no, I didn't use the above example password anywhere ;-)
--
If it isn't broken don't fix it.
[Winston Graeme in opensuse]

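Christian's advice to enforce key-only SSH logins is easy to get subtly wrong, because sshd takes the first value it finds for a keyword and ignores later duplicates. The following audit script is an added example, not from this thread or from any SUSE tooling; the two sshd_config samples it checks are constructed, and it only evaluates the global section (Match blocks are assumed to need separate per-connection review).

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for key-only logins.
# sshd applies the FIRST value it sees for a keyword and ignores later
# duplicates, so appending "PasswordAuthentication no" to a file that already
# says "yes" changes nothing. Match blocks are not evaluated here (assumption:
# they need per-connection review); only the global policy is checked.

# Effective value of keyword $2 in config $1: first match outside Match
# blocks, lowercased, or default $3 when the keyword never appears.
sshd_effective() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/  { next }                 # comment or blank
        tolower($1) == "match"    { in_match = 1; next }   # rest is Match-scoped
        in_match                  { next }
        tolower($1) == kw && !hit { print tolower($2); hit = 1 }
        END                       { if (!hit) print def }
    ' "$1"
}

# Succeeds (exit 0) only when no password-based path is left open:
# PasswordAuthentication and keyboard-interactive (PAM) must both be off.
sshd_key_only() {
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    cra=$(sshd_effective "$1" ChallengeResponseAuthentication yes)
    kbd=$(sshd_effective "$1" KbdInteractiveAuthentication "$cra")  # inherits CRA
    pub=$(sshd_effective "$1" PubkeyAuthentication yes)
    [ "$pw" = no ] && [ "$kbd" = no ] && [ "$pub" = yes ]
}

# Constructed sample configs, written to a temp dir so this runs offline.
SSHD_SAMPLES=$(mktemp -d)
trap 'rm -rf "$SSHD_SAMPLES"' EXIT
cat > "$SSHD_SAMPLES/weak" <<'EOF'
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
# appended later, but sshd keeps the first value above
PasswordAuthentication no
EOF
cat > "$SSHD_SAMPLES/hardened" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF

for f in weak hardened; do
    if sshd_key_only "$SSHD_SAMPLES/$f"; then
        echo "$f: key-only logins enforced"
    else
        echo "$f: password logins still accepted"
    fi
done
```

Run it against the live file with `sshd_key_only /etc/ssh/sshd_config`, and remember that `sshd -T` prints the fully resolved configuration if you want to cross-check the result.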