Compiling a grsec kernel on a
laptop/workstation is a good way to add protection against wide classes
of attacks. However, while the options may be easy to choose on a
server, this may be difficult because a typical desktop needs more
privileges. Here are a few points:
Xorg (wants privileged I/O, unless you use KMS) conflicts with
PAX_NOEXEC and GRKERNSEC_IO
power management: applets to display the battery level want
(non-root) read permission on /sys, this will conflict with
GRKERNSEC_SYSFS_RESTRICT. You can enable SYSFS_DEPRECATED as a workaround.
power management: ACPI is required for a laptop (if you want to be
able to use suspend/resume, control fan speed, etc.)
power management: suspend/restore conflicts with some options
(PAX_MEMORY_UDEREF and PAX_KERNEXEC)
virtualization: PAX_KERNEXEC conflicts with kvm/vmx
If you have other points to add/corrections, just send them to me !
Now, another problem I have is that I must use the proprietary kernel.
Not that I really want to, but it is the only driver with proper support
for my graphics card (GT555M), since the nouveau driver has some
problems here: breaks suspend to ram/disk, sucks battery (I have 2h30 of
autonomy with nouveau, and about 5 with Nvidia …
To work, Suricata needs some rules. The package
"snort-rules-default" provides some rules for Snort, but since
Suricata is compatible these rules will work.
However, these rules have some problems: they are outdated (and updated
only very rarely), and they are not written for Suricata (and cannot use
the specific keywords). Emerging
Threats provides some
rules (both open source and Pro). We will now configure Oinkmaster and
Suricata to be able to automatically update the signatures.
a tool to help you manage your signatures. While it is primarily
designed for Snort, it also works for Suricata.
If you have installed Suricata using the default configuration, then
Oinkmaster should be installed (it is recommended by the package). If
The Digital Forensics Framework (DFF) is both a digital investigation
tool and a development platform.The framework is used by system
administrators, law enforcement examinors, digital
forensicsresearchers and > students, and security professionals
world-wide. Written in Python and C++,it exclusively uses Open Source technologies.
DFF combines an intuitive user interface with a modular and
DFF is a nice tool, combining Python and C++ (and PyQt) to provide
performances, be easy to extend and provide a nice GUI. It is GPLv2,
thanks to ArxSys.
If you like it, don’t hesitate to contact them on the IRC channel
(#digital-forensic on Freenode).
I have started to work on a Live CD for Open Source tools like Prelude
SIEM, and software like Suricata, Snort, OpenVAS to send alerts. The
goal is to easily test these tools, register new agents, get some alerts
and be able to correlate them etc. I also want to add some visualization
tools, so this CD could maybe become a reference for security alert
detection and report.
First, a few points on applications used:
Debian Live for
building the CD. It’s very easy, it’s based on Debian, and it allows
me to re-use some work I’ve done
is the key point: suricata, snort, syslog etc. will send alerts to
Prelude, which has a database, a correlator, a web interface
Standard useful tools: nmap, scapy, wireshark, p0f, etc.
This first version is based on Debian Lenny and arch x86. Everything is
based on packages (.debs) to make it easier to maintain, upgrade
versions or add patches: most of the time, I just have to rebuild
packages from squeeze or sid.
is a is a project developped by Jan Engelhardt to replace the old
patch-o-matic repository for the Linux kernel and iptables. Instead of
patching the kernel source, extensions are built as modules and thus
allow extending kernels without recompilation.
I have created a Debian
in two parts: xtables-addons-source (the sources of the kernel modules),
and xtables-addons-common (common files: shared libraries, man pages, binaries).
To install xtables-addons on Debian (sid only, but the package works on
Lenny after a rebuild), run the following commands:
It will automatically install the headers for your kernel, build the
modules, create a local package, and install it. What’s interesting is
that, unlike before (using p-o-m or kernel patches), there is no need
It adds new targets for iptables:
CHAOS: randomly use REJECT, DELUDE or TARPIT targets. This will fool
network scanners by returning random results
DELUDE: always reply to a SYN by a SYN-ACK. This will fool TCP
DHCPADDR: replace a MAC address from and to a VMware host
Prelude is a general-purpose hybrid intrusion detection system.
This package provides the Prelude Correlator, which is a powerful
correlation engine using Lua to write correlation rules.
The features currently include:
* Rapid identification of important security events, enabling the analyst to
assign task priorities
* Alert correlation originally from heterogeneous sensors deployed on the
* Real-time analysis of events received by the Prelude Manager
You can contribute ! If you use the correlation engine, please share
your correlation rules.
The idea behind FORTIFY_SOURCE is relatively simple: there are cases
where the compiler can know the size of a buffer (if it’s a fixed sized
buffer on the stack, as in the example, or if the buffer just came from
a malloc() function call). With a known buffer size, functions that
operate on the buffer can make sure the buffer will not overflow.
Ask gcc to make additional checks on format strings, to prevent attacks.
The following code, for ex:
will result in a warning:
[home ~/harden] DEB_BUILD_HARDENING=1 make
gcc bad.c -o bad
bad.c: In function ‘main’:
bad.c:10: warning: format not a string literal and no format arguments
Why is this code vulnerable ? Because the buffer (buf) could contain
format characters like %s, and the printf function will interpret these
characters to pop arguments from the stack, and can result in the
execution of arbitrary code.