Some notes on security on a Linux system


Some of my security patches (not all have been published on my website) have been integrated into someone else's security patches.
For 2.2.x, see www.maganation.com/~kaladix
For 2.4.x, see www.getrewted.net


I've written a patch against linux-2.[2.18|4.1]/kernel/fork.c to have the linux-kernel generate random PIDs instead of the n+1 method as it's doing now.
Follow this link to get to the download-location: /Linux/kernel_patches.php
There is also a FAQ
21/02/2001: Beware: I did not dare to test it :o) USE AT YOUR OWN RISK! Please let me know if it worked or not.
26/02/2001: I took the time to compile it, and found that it doesn't even compile :o) The fix is rather simple and anyone with a little C experience can fix it. At the moment I'm enhancing the patch with code which prevents re-usage of a PID too soon.
??/03/2001: Fixed the patch. It is now available for 2.2.19. I've tested it on a DEC Alpha.
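As an added example (not the fork.c patch from this page), here is a userland C model of the two ideas in these notes: drawing PIDs at random from the kernel pool instead of n+1, and refusing to hand out a PID that was freed recently. PID_MIN, PID_MAX, WINDOW and MAX_TRIES are assumed demo values; a real in-kernel allocator would also need the task-list lock and the kernel's own reserved ranges.

```c
/* Userland model of random PID allocation that also refuses to reuse a PID
 * freed within the last WINDOW releases. Added example, not the kernel patch
 * from this page; PID_MIN/PID_MAX/WINDOW/MAX_TRIES are assumed demo values. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PID_MIN   300    /* assumed: low PIDs stay reserved for daemons */
#define PID_MAX   32768  /* assumed: the 2.2/2.4-era PID space */
#define WINDOW    64     /* assumed: freed PIDs blocked for this many frees */
#define MAX_TRIES 1000   /* give up (return -1) after this many collisions */

static uint8_t in_use[PID_MAX / 8 + 1]; /* bitmap of live PIDs */
static int recent[WINDOW];             /* ring of recently freed PIDs */
static int recent_pos;

static int  bit_get(int p) { return (in_use[p / 8] >> (p % 8)) & 1; }
static void bit_set(int p, int v) {
    if (v) in_use[p / 8] |= (uint8_t)(1u << (p % 8));
    else   in_use[p / 8] &= (uint8_t)~(1u << (p % 8));
}

/* 32 random bits from the kernel pool; the in-kernel patch would call
 * get_random_bytes() directly instead of reading /dev/urandom. */
static uint32_t random_u32(void) {
    static FILE *f;
    uint32_t v;
    if (!f) f = fopen("/dev/urandom", "rb");
    if (!f || fread(&v, sizeof v, 1, f) != 1) { perror("urandom"); exit(1); }
    return v;
}

static int recently_freed(int p) {
    for (int i = 0; i < WINDOW; i++) if (recent[i] == p) return 1;
    return 0; /* recent[] starts zeroed and 0 is never a candidate */
}

/* Uniform draw (modulo bias is ~1e-5 for this range), rejecting live PIDs
 * and PIDs still in the recently-freed ring. Returns -1 if the space is full. */
int alloc_pid(void) {
    for (int t = 0; t < MAX_TRIES; t++) {
        int p = PID_MIN + (int)(random_u32() % (PID_MAX - PID_MIN));
        if (!bit_get(p) && !recently_freed(p)) { bit_set(p, 1); return p; }
    }
    return -1;
}

/* Release a PID and remember it so it is not handed out again too soon. */
void free_pid(int p) {
    bit_set(p, 0);
    recent[recent_pos] = p;
    recent_pos = (recent_pos + 1) % WINDOW;
}
```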



audio-entropyd retrieves random values from a soundcard and adds them to the entropy-pool of the /dev/random-device.
video-entropyd retrieves random values from a video4linux device and adds them to the entropy-pool of the /dev/random-device.

The default size of the entropy-pool is about 4KB. By changing line 263 of /usr/src/linux/drivers/char/random.c from
#define POOLWORDS 128    /* Power of 2 - note that this is 32-bit words */
to
#define POOLWORDS 2048    /* Power of 2 - note that this is 32-bit words */
this entropy-pool is enlarged to about 64KB. This is a good thing.
Note: Linux kernel >= 2.4.x has /proc-entries for controlling the entropy-pool size.


Install the following:
In the file net/core/utils.c, replace the functions net_random() and net_srandom() with the following code:
unsigned long net_random(void)
{
	unsigned long dummy;

	/* fill 'dummy' from the kernel entropy pool (drivers/char/random.c) */
	get_random_bytes(&dummy, sizeof(dummy));

	return dummy;
}

void net_srandom(unsigned long entropy)
{
	/* feed the seed back into the pool instead of seeding a private generator */
	add_mouse_randomness((__u32)entropy);
}
and (at the top of net/core/utils.c) add the following:
#include <linux/random.h>
This replaces the stupid multiplication-routine with a more decent random-value generator. The randomness of the values returned by net_random() doesn't seem to be that important, but when your main target is absolute security, everything matters.
This code is also included in the random-PID patch mentioned at the top of this page.


Test the quality of your RNG once in a while. How? With the tools you can find
here (quality tester) and here (entropy tester).


Put the following script in the crontab-file of the user root, and the entropy-pool will get 2048 fresh bytes of almost random data!
#!/bin/sh

cd /root
# wget saves the reply under the query string as its filename
/bin/rm -f "Hotbits?nbytes=2048&fmt=bin"
/usr/bin/wget "http://www.fourmilab.ch/cgi-bin/uncgi/Hotbits?nbytes=2048&fmt=bin"
# writing to /dev/random mixes the bytes into the pool
/bin/dd if="Hotbits?nbytes=2048&fmt=bin" of=/dev/random
/bin/rm -f "Hotbits?nbytes=2048&fmt=bin"
At the moment, there seems to be a quota of 10KB/24h per IP-address. So you could run this script 5 times a day (or build a HotBits generator device yourself).

