LISTSERV - SCIENTIFIC-LINUX-USERS Archives

SCIENTIFIC-LINUX-USERS Archives

August 2009

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-USERS Home
	SCIENTIFIC-LINUX-USERS August 2009

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: kernel security
From:	Martin Flemming <[log in to unmask]>
Reply To:	Martin Flemming <[log in to unmask]>
Date:	Sat, 15 Aug 2009 17:15:03 +0200
Content-Type:	TEXT/PLAIN
Parts/Attachments:	TEXT/PLAIN (145 lines)

hi, little correction ..

> - if i install the rpm,i've got 2 mails for each host, i think one is enough  ... ;-)
> ( maybe something with the %triggerin option)
>
> if i execute the script by hand, i've got only one ...

indeed it triggers twice,
because i've got different kernels (smp and none-smp-kernel) on the 
machine ;-)


cheers,
 	martin


On Sat, 15 Aug 2009, Martin Flemming wrote:

> Hi, Troy !
>
> three little comments ...
>
> - if i install the rpm,i've got 2 mails for each host, i think one is enough 
> ... ;-)
> ( maybe something with the %triggerin option)
>
> if i execute the script by hand, i've got only one ...
>
> - the rpm sends  mails although everything is ok, is that wanted ?
>
> - it's easier to have a overview, if the hostname is in the subject
>   and  only for host with problems
>
>
> cheers & thanks for all the work
>
> 	martin
>
> On Fri, 14 Aug 2009, Troy Dawson wrote:
>
>>  Hi Stephan,
>>  I took yours and changed a few times and made my own.  I haven't put it
>>  into testing yet, but here is what I have.
>> 
>> http:  //home.fnal.gov/~dawson/test/SL_fix_bad_km.sh
>> http:  //home.fnal.gov/~dawson/test/SL_fix_bad_km-1.0-1.noarch.rpm
>> http:  //home.fnal.gov/~dawson/test/SL_fix_bad_km-1.0-1.src.rpm
>>
>>  Basically it goes through a list of modules.
>>  If the module is already loaded,
>>  it first tries to stop the service if it knows how (such as bluetooth and
>>  irda)
>>    If the modules is still loaded, it tries "modprobe -r"
>>    If the module is still loaded it tried "rmmod"
>>
>>  It then uses your find script, finds all the offending kernel modules, and
>>  moves them to a safe directory.  We do this instead of just removing them.
>>
>>  We have all the output going to an log file, and send a nice email, saying
>>  what we did, to root.
>>
>>  I'm sorry it's taken me so long to get this out, but there was various
>>  testing and talking along the way.
>>  Troy
>>
>>  Stephan Wiesand wrote:
>> >   Here's a stab at an SL_rpm to help mitigate the issue for the time
>> >   being:
>> > 
>> >   http://www-zeuthen.desy.de/~wiesand/ww/
>> > 
>> >   It will remove(!) the suspicious modules for all kernels on the system,
>> >   even those installed later on. It then checks whether one of them is
>> >   loaded, and sends mail to root if it is.
>> > 
>> >   Use at your own risk! Any bugs in the script, and this could 
>> >   irreparably
>> >   damage your OS installation. Comments very welcome.
>> > 
>> >   - Stephan
>> > 
>> > 
>> >   On Fri, 2009-08-14 at 15:40 +0200, Matthias Schroeder wrote:
>> > >   Troy Dawson wrote:
>> > > >   Stephan Wiesand wrote:
>> > > > >   On Fri, 2009-08-14 at 11:59 +0100, Dr Andrew C Aitchison wrote:
>> > > > > >   On Fri, 14 Aug 2009, Urs Beyerle wrote:
>> > > > > > >   I guess SL is affected like most other Linux distributions.
>> > > > > > > 
>> > > > > > >   I'm not 100% sure, but setting vm.mmap_min_addr to a value 
>> > > > > > >   above 0
>> > > > > > >   should prevent an exploit.
>> > > > > > > 
>> > > > > > >   # sysctl vm.mmap_min_addr=4096
>> > > > > >   The default on my SL53 machines appears to be 65536
>> > > > > >   so there may be no need to do this.
>> > > > > > 
>> > > > > >   And Stephan Wiesand <[log in to unmask]> replied:
>> > > > > > >   I successfully rooted a 32bit SL5 system with SELinux enabled
>> > > > > > >   and vm.mmap_min_addr=64k with the public exploit :-(
>> > > > > >   Did this machine have kernel-2.6.18-128.4.1.el5 and hence the 
>> > > > > >   fix for CVE-2009-1895 which allows a user to bypass 
>> > > > > >   mmap_min_addr - see
>> > > > >   Yes.
>> > > > > 
>> > > > > >   https://rhn.redhat.com/errata/RHSA-2009-1193.html  ? Though I 
>> > > > > >   did see that there are other ways of bypassing
>> > > > > >   vm.mmap_min_addr :-(
>> > > > >   Yes, and they work fine :-/
>> > > > > 
>> > > >   Has anyone with a TAM with RedHat reported this to them yet?
>> > >   You mean
>> > >   https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2692, right?
>> > > 
>> > > 
>> > > >   I'm pretty sure someone has, I just want to verify and get a bug 
>> > > >   tracking number.
>> > >   There is also an IT, you should be able to see it.
>> > > 
>> > >   Matthias
>> > > 
>> > > >   Troy
>> 
>>
>>  --
>>  __________________________________________________
>>  Troy Dawson  [log in to unmask]  (630)840-6468
>>  Fermilab  ComputingDivision/LCSI/CSI LMSS Group
>>  __________________________________________________
>> 
>
>

Gruss

        Martin Flemming


______________________________________________________
Martin Flemming
DESY / IT          office : Building 2b / 008a
Notkestr. 85       phone  : 040 - 8998 - 4667
22603 Hamburg      mail   : [log in to unmask]
______________________________________________________

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV