Some notes on security on a Linux system

Some of my security patches (not all have been published on my website) have been integrated in someone else's security patches. For 2.2.x, see www.maganation.com/~kaladix. For 2.4.x, see www.getrewted.net.

I've written a patch against linux-2.[2.18|4.1]/kernel/fork.c to have the Linux kernel generate random PIDs instead of the n+1 method it uses now. Follow this link to get to the download location: /Linux/kernel_patches.php. There is also a FAQ.

21/02/2001: Beware: I did not dare to test it :o) USE AT YOUR OWN RISK! Please let me know if it worked or not.

26/02/2001: I took the time to compile it, and found that it doesn't even compile :o) The fix is rather simple and anyone with a little C experience can fix it. At the moment I'm enhancing the patch with code which prevents re-usage of a PID too soon.

??/03/2001: Fixed the patch. It is now available for 2.2.19. I've tested it on a DEC Alpha.
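The two properties the random-PID patch above is after are (a) the next PID is not predictable from the previous one and (b) a PID that has just been freed is not handed out again right away. The following is an added user-space model of such an allocator, written for this page and not taken from the patch itself: it keeps a bitmap of live PIDs plus a per-PID "last freed at" counter, and refuses to reuse a PID for a fixed number of allocations. The kernel patch would draw its random numbers from the entropy pool; here get_random_bytes() is stood in for by a seeded xorshift generator (an assumption of this example) so the code runs deterministically outside the kernel. PID_MAX, PID_RESERVED and QUARANTINE are constants chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PID_MAX      32768   /* classic upper bound for PIDs on 2.2/2.4 */
#define PID_RESERVED 300     /* low PIDs kept for system daemons, as the kernel does */
#define QUARANTINE   64      /* a freed PID stays unusable for this many allocations */

/* Placeholder seed; in the kernel the bytes would come from the entropy pool. */
static uint32_t rng_state = 0x9E3779B9u;

/* xorshift32, standing in for get_random_bytes() in this example. */
static uint32_t model_random(void)
{
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

static uint8_t  in_use[PID_MAX / 8];   /* bitmap of live PIDs */
static uint32_t freed_at[PID_MAX];     /* allocation counter when the PID was last freed, 0 = never */
static uint32_t alloc_counter;         /* incremented on every allocation attempt */

static int  bit_get(const uint8_t *map, int i) { return (map[i >> 3] >> (i & 7)) & 1; }
static void bit_set(uint8_t *map, int i)       { map[i >> 3] |=  (uint8_t)(1u << (i & 7)); }
static void bit_clr(uint8_t *map, int i)       { map[i >> 3] &= (uint8_t)~(1u << (i & 7)); }

/* 1 if pid was freed fewer than QUARANTINE allocations ago. */
static int in_quarantine(int pid)
{
    return freed_at[pid] != 0 && alloc_counter - freed_at[pid] < QUARANTINE;
}

/* Pick a random unused, non-quarantined PID; -1 if none is available.
 * A bounded number of random probes is tried first; when the table is
 * nearly full, a linear scan from a random start guarantees termination. */
int alloc_random_pid(void)
{
    int tries, i, start;
    const int span = PID_MAX - PID_RESERVED;

    alloc_counter++;
    for (tries = 0; tries < 64; tries++) {
        int pid = PID_RESERVED + (int)(model_random() % (uint32_t)span);
        if (!bit_get(in_use, pid) && !in_quarantine(pid)) {
            bit_set(in_use, pid);
            return pid;
        }
    }
    start = (int)(model_random() % (uint32_t)span);
    for (i = 0; i < span; i++) {
        int pid = PID_RESERVED + (start + i) % span;
        if (!bit_get(in_use, pid) && !in_quarantine(pid)) {
            bit_set(in_use, pid);
            return pid;
        }
    }
    return -1;
}

/* Release a PID and record when it was freed so it is not reused too soon. */
void free_pid(int pid)
{
    bit_clr(in_use, pid);
    freed_at[pid] = alloc_counter ? alloc_counter : 1;
}

int main(void)
{
    int pids[5], k;
    for (k = 0; k < 5; k++)
        pids[k] = alloc_random_pid();
    printf("five allocations (not n+1):");
    for (k = 0; k < 5; k++)
        printf(" %d", pids[k]);
    printf("\n");
    free_pid(pids[0]);
    printf("pid %d quarantined after free: %s\n", pids[0],
           in_quarantine(pids[0]) ? "yes" : "no");
    return 0;
}
```

The quarantine is what the 26/02/2001 note calls "preventing re-usage of a PID too soon": without it, a randomly allocated PID can legitimately come back on the very next fork, which is exactly the race a PID-based check wants to avoid.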
audio-entropyd retrieves random values from a soundcard and adds them to the entropy pool of the /dev/random device. video-entropyd retrieves random values from a video4linux device and adds them to the entropy pool of the /dev/random device.

The default size of the entropy pool is about 4KB. By changing line 263 of /usr/src/linux/drivers/char/random.c from

#define POOLWORDS 128 /* Power of 2 - note that this is 32-bit words */

to

#define POOLWORDS 2048 /* Power of 2 - note that this is 32-bit words */

this entropy pool is enlarged to about 64KB. This is a good thing. Note: Linux kernel >= 2.4.x has /proc entries for controlling the entropy pool size.

Install the following:
In the file net/core/utils.c, replace the functions net_random() and net_srandom() with the following code:
unsigned long net_random(void)
{
	unsigned long dummy;

	/* Draw the value from the kernel entropy pool instead of the old
	 * multiplicative generator. */
	get_random_bytes(&dummy, sizeof(dummy));
	return dummy;
}

void net_srandom(unsigned long entropy)
{
	/* Mix the caller-supplied seed into the pool rather than using it
	 * as the state of a predictable generator. */
	add_mouse_randomness((__u32)entropy);
}

and at the top of net/core/utils.c add the following:

#include <linux/random.h>

This replaces the stupid multiplication routine with a more decent random-value generator. The randomness of the values returned by net_random() doesn't seem to be that important, but when your main target is absolute security, everything matters. This code is also included in the random-PID patch mentioned at the top of this page.

Test the quality of your RNG once in a while. How? With the tool you can find here (quality tester) and here (entropy tester).

Put the following script in the crontab file of the user root, and the entropy pool will get 2048 fresh bytes of almost random data!

#!/bin/sh
cd /root
/bin/rm -f "Hotbits?nbytes=2048&fmt=bin"
/usr/bin/wget "http://www.fourmilab.ch/cgi-bin/uncgi/Hotbits?nbytes=2048&fmt=bin"
/bin/dd if="Hotbits?nbytes=2048&fmt=bin" of=/dev/random
/bin/rm -f "Hotbits?nbytes=2048&fmt=bin"

At the moment, there seems to be a quota of 10KB/24h per IP address, so you could run this script 5 times a day (or build a HotBits generator device yourself).
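One caveat a practitioner will want alongside the cron script above: writing bytes to /dev/random (as dd does) mixes them into the pool but does not raise the kernel's entropy estimate, so /dev/random will keep blocking just as before. The RNDADDENTROPY ioctl both mixes and credits, and the credit claimed should be a conservative estimate rather than the byte count. The following added example, written for this page and not part of audio-entropyd, video-entropyd or the original script, estimates per-byte min-entropy from the most frequent byte value, halves it as a safety margin (both choices are assumptions of this example, not kernel rules), and feeds the bytes with that credit. It also shows the limit of such a per-byte estimate: a plain counter scores the full 8 bits per byte, which is why an entropy tester should never be the only check on a source.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/random.h>

/* Per-byte min-entropy estimate in whole bits: floor(-log2(p_max)), where
 * p_max is the frequency of the most common byte value. Integer-only so no
 * libm is needed. Returns 0 for an empty buffer. */
int min_entropy_bits_per_byte(const unsigned char *buf, size_t n)
{
    size_t counts[256] = {0}, max = 0, i;
    int bits = 0;

    if (n == 0)
        return 0;
    for (i = 0; i < n; i++)
        counts[buf[i]]++;
    for (i = 0; i < 256; i++)
        if (counts[i] > max)
            max = counts[i];
    /* largest b with max * 2^b <= n, i.e. floor(log2(n / max)), capped at 8 */
    while (bits < 8 && (max << (bits + 1)) <= n)
        bits++;
    return bits;
}

/* Bits of entropy to credit for n bytes: n * per-byte estimate, halved as a
 * safety margin. The halving is this example's choice. */
int credit_bits(const unsigned char *buf, size_t n)
{
    return (int)((n * (size_t)min_entropy_bits_per_byte(buf, n)) / 2);
}

/* Build the RNDADDENTROPY argument: entropy_count is in bits, buf_size in
 * bytes. Caller frees. NULL on allocation failure. */
struct rand_pool_info *build_pool_info(const unsigned char *buf, size_t n, int credit)
{
    struct rand_pool_info *rpi = malloc(sizeof(*rpi) + n);
    if (!rpi)
        return NULL;
    rpi->entropy_count = credit;
    rpi->buf_size = (int)n;
    memcpy(rpi->buf, buf, n);
    return rpi;
}

/* Mix buf into /dev/random and credit the estimated entropy. Requires
 * root (CAP_SYS_ADMIN). Returns 0 on success, -1 with errno set otherwise. */
int feed_entropy(const unsigned char *buf, size_t n)
{
    int fd, rc;
    struct rand_pool_info *rpi = build_pool_info(buf, n, credit_bits(buf, n));
    if (!rpi)
        return -1;
    fd = open("/dev/random", O_WRONLY);
    if (fd < 0) {
        free(rpi);
        return -1;
    }
    rc = ioctl(fd, RNDADDENTROPY, rpi);
    close(fd);
    free(rpi);
    return rc;
}

int main(void)
{
    /* Constructed samples: an all-zero block, an alternating "ABAB" block,
     * and a 256-byte counter. The counter is structured and useless as
     * entropy, yet the per-byte estimate cannot see that. */
    unsigned char zeros[64], ab[64], counter[256];
    int i;
    memset(zeros, 0, sizeof zeros);
    for (i = 0; i < 64; i++)
        ab[i] = (i & 1) ? 'B' : 'A';
    for (i = 0; i < 256; i++)
        counter[i] = (unsigned char)i;
    printf("zeros:   %d bits/byte, credit %d\n", min_entropy_bits_per_byte(zeros, 64), credit_bits(zeros, 64));
    printf("ABAB:    %d bits/byte, credit %d\n", min_entropy_bits_per_byte(ab, 64), credit_bits(ab, 64));
    printf("counter: %d bits/byte, credit %d (structure not detected!)\n",
           min_entropy_bits_per_byte(counter, 256), credit_bits(counter, 256));
    if (geteuid() == 0 && feed_entropy(ab, sizeof ab) == 0)
        printf("fed %zu bytes with credit %d\n", sizeof ab, credit_bits(ab, sizeof ab));
    return 0;
}
```

Substituting feed_entropy() for the dd line in the script (or, equivalently, having audio-entropyd or video-entropyd call RNDADDENTROPY) is what turns "mixing in some bytes" into "raising the pool's available entropy"; for a source like HotBits whose output is not under local control, claiming less than the byte count is the prudent choice.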