william_at_elan.net
Date: Fri Feb 07 2003 - 15:08:30 CST

    Canary patch is too simple; just adding no canary to the compile flags I
    can do myself. I usually make a lot more changes to the kernel I compile than
    that, and in fact I compiled kernel 2.4 on an immunix system even 1.5 years ago
    and several times since. But that just creates a standard kernel, but on 2.2
    when I compile a new kernel (which I just did on Monday for 2.23, before
    that for 2.21 and 2.20) I would download it, apply the patch from
    subdomain-openwall-2.2.18.diff, deal with its rejects (there were 10
    files with rejects of various complexity, mostly from the fs subdirectory), apply
    additional patches (mostly to networking code, modifications to the tulip
    driver, some changes to the amount of buffer space and new vlan code) and
    change some parameters so that, for example, > 255 httpd processes could run.
    After all is done, I get completely compatible 2.2 code with lots of
    needed features, but it would run with all the immunix security extensions
    and with subdomain (immunix_md5 and subdomain are compiled separately).

    I wanted to get the same for the 2.4 kernel, and Crispin yesterday provided
    me with access to a non-public beta directory where I downloaded
    kernel-source-2.4.18-18_imnx_2.i386, which I was hoping would contain
    the above immunix patch already applied to it. But instead it looks like
    code from the standard linux-2.4 kernel tree but with unfortunately broken
    Makefiles (they removed the security directory which immunix used for its
    security configs but some makefiles remained the same). It took like an
    hour to get all the makefiles fixed, as from the start even "make
    depend" and "make menuconfig" resulted in errors. I'm still looking today
    to see if this was all worth it; so far I can not find immunix security
    changes in the kernel, so I'm puzzled why the wirex distribution had
    broken makefiles otherwise. If there are no security changes and it's just
    a standard 2.4 kernel more or less, then it would not be worth it for me.

    Now I can still try to apply the 2.2 subdomain-openwall patch to the 2.4 kernel. I
    tried it once before and, if I remember right, it produced rejects in
    assembler call handling parts, which I did not want to bother with. I can
    deal with many c-code rejects, but assembler requires too much time to
    really get into what is going on, and extra time for this code hacking is a
    problem for me. I might still try it though if wirex did not do it
    already...

    P.S. To nero - I do appreciate your email with instructions to the list.
    Obviously the help here is for somebody who has not been working with
    linux from 1997 and with sunos, ultrix, dec osf & other unices from 1990,
    but from your email I saw mention of grsecurity and I've not been aware of it.
    So I'm taking a look now to see if using that will indeed be good enough
    for me rather than trying to adapt the subdomain-openwall patch to 2.4.

    On Fri, 7 Feb 2003, nero one wrote:

    > i dunno .. maybe i'm waaay off .. but .. why not just use the canary patch? :)
    >
    > apply, recompile, voila.
    >
    > I've noticed that I can do mostly anything with immunix that I can using distros such as redhat.
    > Immunix is great because you get that added level of security due to the compiler security
    > optimizations (shameless plug). The immunix staff seems like they have tons of work to do and
    > sometimes can't support some of the freakier things you might want to do with your box, so you
    > might find yourself having to compile stuff yourself, etc.
    >
    > i'm using immunix, freeswan, netdev entropy and a few other custom kernel mods with 2.4 and
    > compile everything on many servers i've built from source.
    >
    > Immunix staff (or anyone), please correct me if i'm misleading William here ..
    >
    > anyhow, here's what i'd do:
    >
    > # Let's start off with a few variables to begin with.
    > # this is where all the directories will sit.
    >
    > BASE=/root/install
    > TARS=$BASE/tars
    > MAKE=$BASE/Makefiles
    > CONFS=$BASE/confs
    > CRON=$BASE/cron
    > PATCH=$BASE/patches
    > RPMS=$BASE/rpms
    > SCRPT=$BASE/scripts
    > SRC=$BASE/source
    > SYS=$BASE/sysconfig
    > INITD=$BASE/init.d
    > XINET=$BASE/xinetd.d
    > LOG=$BASE/logrotate.d
    > PAM=$BASE/pam.d
    > PREFIX=/usr
    >
    > # this is the version information for whatever we need to install.
    >
    > KERNEL_VER="2.4.18"
    >
    >
    > # kernel config
    > # are you -sure- you want to do this?
    >
    > if [ "$KERNEL" == "Y" ]; then
    >
    > # copy over the kernel and untar.
    >
    > cp -f $TARS/linux-$KERNEL_VER.tar.gz /usr/src;
    > cd /usr/src;
    > tar zxvf /usr/src/linux-$KERNEL_VER.tar.gz;
    > mv -f /usr/src/linux /usr/src/linux-$KERNEL_VER;
    > rm -r /usr/src/linux-$KERNEL_VER.tar.gz;
    > cd /usr/src/linux-$KERNEL_VER;
    >
    > # Mr. Proper, anyone?
    >
    > make mrproper;
    >
    > # copy over the canary patch (ESSENTIAL to get immunix working with 2.4)
    >
    > cp -f $PATCH/canary-2.4.1.patch /usr/src/linux-$KERNEL_VER;
    >
    > # got Firewall?(tm)
    >
    > if [ "$IPTABLES" == "Y" ]; then
    >
    > cd $TARS/;
    > tar zxvf $TARS/iptables-1.2.7.tar.gz;
    > cd $TARS/iptables-1.2.7;
    > cp -f $MAKE/Makefile-iptables $TARS/iptables-1.2.7/Makefile;
    > make KERNEL_DIR=/usr/src/linux-$KERNEL_VER;
    > make install KERNEL_DIR=/usr/src/linux-$KERNEL_VER;
    > cp -f $INITD/iptables /etc/init.d
    > chkconfig --add iptables;
    > chkconfig --level 35 iptables on;
    > cp -f $SYS/iptables /etc/sysconfig;
    > rm -rf $TARS/iptables-1.2.7;
    >
    > # copy over a firewall script to wherever. make sure to run this
    > # once you're all done compiling and so on.
    >
    > cp -f $SCRPT/rc.firewall.sh /etc/sysconfig/iptables;
    >
    > fi
    >
    > # ok, here's the canary patch that immunix needs so that you can get 2.4 going.
    > # it'll probably complain about one diff not being able to be applied in Makefile
    > # so just do it manually if this is the case.
    >
    > cd /usr/src/linux-$KERNEL_VER;
    > patch -p1 < canary-2.4.1.patch;
    >
    > # install GRSecurity.
    >
    > if [ "$GRSEC" == "Y" ]; then
    >
    > cp -f $PATCH/grsecurity-1.9.4-$KERNEL_VER.patch /usr/src/linux-$KERNEL_VER;
    > patch -p1 < grsecurity-1.9.4-$KERNEL_VER.patch;
    >
    > fi
    >
    > if [ "$WHATEVER" == "Y" ]; then
    >
    > echo "you get the idea ....";
    >
    > fi
    >
    > # only make oldconfig if you've copied over an existing .config file.
    >
    > make oldconfig && make dep && make bzImage;
    >
    > cp -f /usr/src/linux-$KERNEL_VER/arch/i386/boot/bzImage /boot/vmlinux-2.4.18-1_imnx;
    > cp -f /usr/src/linux-$KERNEL_VER/System.map /boot/System.map-2.4.18-1_imnx;
    > rm -f /boot/vmlinuz && rm -f /boot/System.map;
    > ln -s /boot/vmlinux-$KERNEL_VER-1_imnx /boot/vmlinuz;
    > ln -s /boot/System.map-$KERNEL_VER-1_imnx /boot/System.map;
    >
    > # copy over your desired lilo.conf file
    >
    > cp -f $CONFS/lilo.conf /etc/lilo.conf;
    > /sbin/lilo;
    > fi
    >
    > --- williamelan.net wrote:
    > > I'm wondering how support for 2.4 kernel is coming and if there is a
    > > "beta" patch available.
    > > This is really becoming an issue for me as my primary use for immunix is
    > > in firewall server through which passes over 100Mb of traffic and where
    > > security is of most importance. Now I'm starting to redesign firewall
    > > system with setup of vlans (instead of using individual ports and subnets
    > > and separation of traffic at L2 switch which as some know is no longer
    > > super safe considering some tools hackers have used). The problem is that
    > > latest vlan support is only available with 2.4 kernels (especially ISL)
    > > and while I found earlier patch for 2.18 kernel with 802.1Q VLANs that
    > > would mean changing vlan config on cisco from ISL to 802.1Q and ISL
    > > works better with all cisco network. Besides that 2.4 offers support for
    > > iptables and more secure approach to user-level monitoring programs and
    > > better support QoS, so I'd really really like to upgrade to 2.4 and would
    > > prefer not to do it with immunix rather than going with another distribution.
    > >
    > > ----
    > > William Leibzon
    > > Elan Communications
    > > williamelan.net
    > >
    > > _______________________________________________
    > > Immunix-users mailing list
    > > Immunix-usersmail.wirex.com
    > > http://mail.wirex.com/mailman/listinfo/immunix-users
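The quoted script runs `patch -p1` and carries on to `make` whether or not every hunk applied, and the reply describes resolving rejects by hand. The following shell gate is an added example, not code from either post: it dry-runs each patch and refuses to build while `*.rej` files remain. The function names and the constructed sample Makefile and patches are assumptions, and `--dry-run` assumes GNU patch.

```shell
#!/bin/sh
# Added example, not from the thread: stop before "make" unless every patch applied.

# apply_clean TREE PATCHFILE
# Dry-run first, so a patch that would leave rejects never touches the tree.
apply_clean() {
    if ! (cd "$1" && patch -p1 -f -s --dry-run) < "$2" >/dev/null 2>&1; then
        echo "REJECT: $2 does not apply cleanly to $1" >&2
        return 1
    fi
    (cd "$1" && patch -p1 -f -s) < "$2"
}

# count_rejects TREE: number of *.rej files left behind by earlier patch runs.
count_rejects() {
    find "$1" -type f -name '*.rej' | wc -l | tr -d ' '
}

# build_gate TREE: true only when the tree carries no unresolved rejects.
build_gate() {
    [ "$(count_rejects "$1")" -eq 0 ]
}

# make_sample DIR: constructed one-file tree plus one good and one stale patch.
make_sample() {
    mkdir -p "$1/tree"
    printf 'CFLAGS := -Wall -O2\n' > "$1/tree/Makefile"
    printf '%s\n' '--- a/Makefile' '+++ b/Makefile' '@@ -1 +1 @@' \
        '-CFLAGS := -Wall -O2' '+CFLAGS := -Wall -O2 -DSAMPLE_FLAG' > "$1/good.patch"
    printf '%s\n' '--- a/Makefile' '+++ b/Makefile' '@@ -1 +1 @@' \
        '-CFLAGS := -Wall -O3' '+CFLAGS := -Wall -O3 -DSAMPLE_FLAG' > "$1/stale.patch"
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && make_sample "$d"
    apply_clean "$d/tree" "$d/good.patch"  && echo "good.patch applied"
    apply_clean "$d/tree" "$d/stale.patch" || echo "stale.patch refused"
    build_gate "$d/tree" && echo "tree clean, safe to build"
    rm -rf "$d"
fi
```

In a build script, each `patch -p1 < file` becomes `apply_clean /usr/src/linux-$KERNEL_VER file || exit 1`, with `build_gate` run just before `make`, so a hardening patch that silently failed never ends up missing from the booted kernel.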