Internet Productivity Suite: Open Source Security - Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design. Click to find out more!
Detecting Physical Security Compromises
The first thing to always note is when your machine was rebooted. Since Linux is a robust and stable OS, the only times your machine should reboot is when you take it down for OS upgrades, hardware swapping, or the like. If your machine has rebooted without you doing it, that may be a sign that an intruder has compromised it. Many of the ways that your machine can be compromised require the intruder to reboot or power off your machine.
Check for signs of tampering on the case and computer area. Although many intruders clean traces of their presence out of logs, it's a good idea to check through them all and note any discrepancy.
It is also a good idea to store log data at a secure location, such as a dedicated log server within your well-protected network. Once a machine has been compromised, log data becomes of little use as it most likely has also been modified by the intruder.
The syslog daemon can be configured to automatically send log data to a central syslog server, but this is typically sent unencrypted, allowing an intruder to view data as it is being transferred. This may reveal information about your network that is not intended to be public. There are syslog daemons available that encrypt the data as it is being sent.
Also be aware that faking syslog messages is easy -- with an exploit program having been published. Syslog even accepts net log entries claiming to come from the local host without indicating their true origin.
Excerpt from LinuxSecurity HowTO:
/howtos
By: Dave Wreski (
LinuxSecurity.com Feature Extras:
Vincenzo Ciaglia Speaks Security 2004 - Vincenzo Ciaglia of Linux Netwosix talks about this year of Linux Security. A full immersion in the world of Linux Security from many sides and points of view.
Mass deploying Osiris - Osiris is a centralized file-integrity program that uses a client/server architecture to check for changes on a system. A central server maintains the file-integrity database and configuration for a client and at a specified time, sends the configuration file over to the client, runs a scan and sends the results back to the server to compare any changes. Those changes are then sent via email, if configured, to a system admin or group of people. The communication is all done over an encrypted communication channel.
AIDE and CHKROOTKIT -Network security is continuing to be a big problem for companies and home users. The problem can be resolved with an accurate security analysis. In this article I show how to approach security using aide and chkrootkit.
Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital’s multi-faceted security applications. More then just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network. Click to find out more!
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to
Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.
| Debian | ||
| Debian: zgv arbitrary code execution fix | ||
| 14th, December, 2004
Several vulnerabilities have been discovered in zgv, an SVGAlib graphics viewer for the i386 architecture. advisories/debian/debian-zgv-arbitrary-code-execution-fix |
||
| Debian: atari800 local root exploit fix | ||
| 14th, December, 2004
Adam Zabrocki discovered multiple buffer overflows in atari800, an Atari emulator. In order to directly access graphics hardware, one of the affected programs is installed setuid root. A local attacker could exploit this vulnerability to gain root privileges. advisories/debian/debian-atari800-local-root-exploit-fix |
||
| Fedora | ||
| Fedora: MyODBC-2.50.39-18.2 update | ||
| 10th, December, 2004
This update fixes a problem that occurs when the user's locale setting selects a decimal point other than ".". advisories/fedora/fedora-myodbc-25039-182-update-00-00-00-117469 |
||
| Fedora: MyODBC-2.50.39-19.1 update | ||
| 10th, December, 2004
This update fixes a problem that occurs when the user's locale setting selects a decimal point other than ".". advisories/fedora/fedora-myodbc-25039-191-update-00-00-00-117470 |
||
| Fedora: mikmod-3.1.6-30.2 update | ||
| 13th, December, 2004
This moves 'mikmod' back to the main package. It was incorrectly in the mikmod-devel package. advisories/fedora/fedora-mikmod-316-302-update-00-00-00-117476 |
||
| Fedora: gstreamer-0.8.7-4.FC3.0 update | ||
| 14th, December, 2004
This update adds multilib support to GStreamer; this fixes several issues people had on multilib architectures such as x86_64. It's been fairly well tested but please do not hesitate to report any issues. advisories/fedora/fedora-gstreamer-087-4fc30-update-12-17-22-117494 |
||
| Fedora: grep-2.5.1-31.2 update | ||
| 14th, December, 2004
This update improves performance when processing UTF-8 input. advisories/fedora/fedora-grep-251-312-update-12-18-26-117495 |
||
| Fedora: flim-1.14.7-0.FC2 update | ||
| 15th, December, 2004
Update to 1.14.7 release, which also fixes CAN-2004-0422. advisories/fedora/fedora-flim-1147-0fc2-update-17-43-41-117518 |
||
| Fedora: kdelibs-3.2.2-10.FC2 update | ||
| 15th, December, 2004
apply the patch to fix Konqueror Window Injection Vulnerability #142510 CAN-2004-1158, Thanks to KDE security team advisories/fedora/fedora-kdelibs-322-10fc2-update-17-44-39-117519 |
||
| Fedora: kdebase-3.2.2-8.FC2 update | ||
| 15th, December, 2004
apply the patch to fix Konqueror Window Injection Vulnerability #142510 CAN-2004-1158, Thanks to KDE security team advisories/fedora/fedora-kdebase-322-8fc2-update-17-45-32-117520 |
||
| Fedora: kdelibs-3.3.1-2.4.FC3 update | ||
| 15th, December, 2004
apply the patch to fix Konqueror Window Injection Vulnerability #142510 CAN-2004-1158, Thanks to KDE security team advisories/fedora/fedora-kdelibs-331-24fc3-update-17-47-10-117521 |
||
| Fedora: kdebase-3.3.1-4.3.FC3 update | ||
| 15th, December, 2004
apply the patch to fix Konqueror Window Injection Vulnerability #142510 CAN-2004-1158, Thanks to KDE security team advisories/fedora/fedora-kdebase-331-43fc3-update-17-48-53-117522 |
||
| Fedora: selinux-policy-targeted-1.17.30-2.51 update | ||
| 16th, December, 2004
Fix problems with winbind, nscd, apache and others. advisories/fedora/fedora-selinux-policy-targeted-11730-251-update-09-27-25-117525 |
||
| Fedora: xcdroast-0.98a15-8 update | ||
| 16th, December, 2004
fixed frozen progress bars with patch from Didier Heyden (bug #134334) advisories/fedora/fedora-xcdroast-098a15-8-update-11-03-00-117529 |
||
| Fedora: udev-039-10.FC3.6 update | ||
| 16th, December, 2004
fixed a case where reading /proc/ide/hd?/media returns EIO (bug rh#142713) and added simple dvb rules advisories/fedora/fedora-udev-039-10fc36-update-11-04-25-117530 |
||
| Gentoo | ||
| Gentoo: PHProjekt setup.php vulnerability | ||
| 10th, December, 2004
PHProjekt contains a vulnerability in the setup procedure allowing remote users without admin rights to change the configuration. |
||
| Gentoo: nfs-utils Multiple remote vulnerabilities | ||
| 13th, December, 2004
Multiple vulnerabilities have been discovered in nfs-utils that could lead to a Denial of Service, or the execution of arbitrary code. |
||
| Gentoo | ||
| Gentoo: ncpfs Buffer overflow in ncplogin and ncpmap | ||
| 15th, December, 2004
ncpfs is vulnerable to a buffer overflow that could lead to local execution of arbitrary code with elevated privileges. |
||
| Gentoo: vim, gVim Vulnerable options in modelines | ||
| 15th, December, 2004
Several vulnerabilities related to the use of options in modelines have been found and fixed in Vim. They could potentially result in a local user escalating privileges. |
||
| Mandrake | ||
| Mandrake: evolution various bugs fix | ||
| 14th, December, 2004
This update provides Evolution 2.0.3 which fixes a number of bugs found in the previous version of Evolution, including the possibility to lose mail when Evolution sends an email message, that fails to send, but Evolution doesn't realize it has failed. |
||
| Mandrake: mdkonline provide new features | ||
| 14th, December, 2004
This is a major update of mandrakeonline which fixes several issues and adds more features such as a text wizard for servers without Xwindow capabilities, support for server products, corporate and MNF for instance, errors displaying and md5sum file checks. |
||
| Mandrake: iproute2 temporary file vulnerability | ||
| 14th, December, 2004
Herbert Xu discovered that iproute can accept spoofed messages sent via the kernel netlink interface by other users on the local machine. This could lead to a local Denial of Service attack. |
||
| Mandrake: evolution various bugs fix | ||
| 14th, December, 2004
This update provides Evolution 2.0.3 which fixes a number of bugs found in the previous version of Evolution, including the possibility to lose mail when Evolution sends an email message, that fails to send, but Evolution doesn't realize it has failed. |
||
| Mandrake: libpng invalid zlib header problem fix | ||
| 14th, December, 2004
A problem in version 1.2.6 of the libpng library would cause libpng to write an invalid zlib header within the PNG datastream. This can cause some applications to display the images incorrectly. |
||
| Mandrake: postgresql temporary file vulnerability fix | ||
| 14th, December, 2004
The Trustix development team found insecure temporary file creation problems in a script included in the postgresql package. This could allow an attacker to trick a user into overwriting arbitrary files he has access to. |
||
| Mandrake: kde various bug fixes | ||
| 15th, December, 2004
A number of KDE-related packages are being released to address a number of bugs in these packages. Updated packages include kdenetwork (which fixes problems in kget, kopete, and krfb), kdepim (which fixes problems in kmail, knode, knotes, and kontact), kwallet (which fixes problems in kwalleditor and kcmlirc), and kdesdk (which fixes a problem in cervisia). |
||
| Mandrake: kdelibs & kdebase vulnerability fix | ||
| 15th, December, 2004
Daniel Fabian discovered a potential privacy issue in KDE. When creating a link to a remote file from various applications, including Konqueror, the resulting URL may contain the authentication credentials used to access that remote resource. This includes, but is not limited to, browsing SMB (Samba) shares. Upon further investigation, it was found that the SMB protocol handler also unnecessarily exposed authentication credentials (CAN-2004-1171). |
||
| OpenBSD: kernel heap overflow in IPsec | ||
| 14th, December, 2004
On systems running isakmpd(8) it is possible for a local user to cause kernel memory corruption and system panic by setting ipsec(4) credentials on a socket. Stopping isakmpd(8) does not prevent the memory corruption. |
||
| Red Hat: imlib security vulnerabilities fix | ||
| 10th, December, 2004
Updated imlib packages that fix several integer and buffer overflows are now available. advisories/red-hat/red-hat-imlib-security-vulnerabilities-fix-RHSA-2004-651-01 |
||
| Red Hat: ruby denial of service issue fix | ||
| 13th, December, 2004
An updated ruby package that fixes a denial of service issue for the CGI instance is now available. advisories/red-hat/red-hat-ruby-denial-of-service-issue-fix-RHSA-2004-635-01 |
||
| Red Hat | ||
| Red Hat: ncompress security issue and bug fix | ||
| 13th, December, 2004
An updated ncompress package that fixes a buffer overflow and problem in the handling of files larger than 2 GB is now available. advisories/red-hat/red-hat-ncompress-security-issue-and-bug-fix-RHSA-2004-536-01 |
||
| Red Hat: apache and mod_ssl security vulnerabilities fix | ||
| 13th, December, 2004
Updated apache and mod_ssl packages that fix various minor security issues and bugs in the Apache Web server are now available for Red Hat Enterprise Linux 2.1. advisories/red-hat/red-hat-apache-and-modssl-security-vulnerabilities-fix-RHSA-2004-600-01 |
||
| Red Hat: kernel security vulnerability fix | ||
| 13th, December, 2004
Updated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 2.1. This is the sixth regular update. advisories/red-hat/red-hat-kernel-security-vulnerability-fix-RHSA-2004-505-01 |
||
| Red Hat: Itanium security issues fix | ||
| 13th, December, 2004
Updated Itanium kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 2.1. This is the sixth regular update. advisories/red-hat/red-hat-itanium-security-issues-fix-RHSA-2004-504-01 |
||
| TurboLinux | ||
| TurboLinux: Security & Bugfix | ||
| 13th, December, 2004
Numerous issues in the Linux ELF binary loader. Issues relating to IDE DMA transfers which prevent installation on machines with SiS chipsets using the SiS 962/963 IDE controller. Null pointer dereferencing in the SG driver. |
||
