Some notes on security on a Linux system

Some of my security patches (not all have been published on my website) have been integrated into someone else's security patches.
For 2.2.x, see
For 2.4.x, see

I've written a patch against linux-2.[2.18|4.1]/kernel/fork.c that makes the Linux kernel generate random PIDs instead of the sequential (n+1) allocation it uses now.
Follow this link to get to the download-location: /Linux/kernel_patches.php
There is also a FAQ.
21/02/2001: Beware: I did not dare to test it :o) USE AT YOUR OWN RISK! Please let me know if it worked or not.
26/02/2001: I took the time to compile it, and found that it doesn't even compile :o) The fix is rather simple and anyone with a little C experience can fix it. At the moment I'm enhancing the patch with code which prevents re-use of a PID too soon.
??/03/2001: Fixed the patch. It is now available for 2.2.19. I've tested it on a DEC Alpha.

audio-entropyd retrieves random values from a sound card and adds them to the entropy pool of the /dev/random device.
video-entropyd retrieves random values from a video4linux device and adds them to the entropy pool of the /dev/random device.

The default size of the entropy pool is about 4KB. By changing line 263 of /usr/src/linux/drivers/char/random.c from

#define POOLWORDS 128    /* Power of 2 - note that this is 32-bit words */

to

#define POOLWORDS 2048    /* Power of 2 - note that this is 32-bit words */

the entropy pool is enlarged to about 64KB. This is a good thing: a larger pool can hold more entropy between reads.
Note: Linux kernel >= 2.4.x has /proc entries for controlling the entropy pool size.

Install the following. In the file net/core/utils.c, replace the functions net_random() and net_srandom() with the following code:

unsigned long net_random(void)
{
	unsigned long dummy;

	/* draw the value from the kernel entropy pool instead of the LCG */
	get_random_bytes(&dummy, sizeof(dummy));

	return dummy;
}

void net_srandom(unsigned long entropy)
{
	/* nothing to do: get_random_bytes() needs no seed */
	(void)entropy;
}

and at the top of net/core/utils.c add the following:

#include <linux/random.h>
This replaces the stupid multiplication routine with a more decent random-value generator. The randomness of the values returned by net_random() doesn't seem to be that important, but when your main target is absolute security, everything matters.
This code is also included in the random-PID patch mentioned at the top of this page.

Test the quality of your RNG once in a while. How? With the tools you can find here (quality tester) and here (entropy tester).

Put the following script in the crontab of the user root, and the entropy pool will get 2048 fresh bytes of almost random data!

cd /root
/bin/rm -f "Hotbits?nbytes=2048&fmt=bin"
/usr/bin/wget ""
/bin/dd if="Hotbits?nbytes=2048&fmt=bin" of=/dev/random
/bin/rm -f "Hotbits?nbytes=2048&fmt=bin"
At the moment there seems to be a quota of 10KB/24h per IP address, so you could run this script 5 times a day (or build a HotBits generator device yourself).
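As an added example (not from this page), a small C tool that feeds the downloaded bytes to the pool through the RNDADDENTROPY ioctl: writing to /dev/random with dd, as the script does, only mixes the bytes into the pool and does not raise the kernel's entropy estimate, while the ioctl does both and needs root (CAP_SYS_ADMIN). The program name addentropy and the choice to credit only a quarter of the bits are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/random.h>

/* Build the rand_pool_info that RNDADDENTROPY expects: credit in bits, byte count,
 * then the bytes (buf is __u32[]). Credit is capped at 8 bits/byte. Caller frees. */
struct rand_pool_info *build_pool_info(const unsigned char *data, size_t len,
                                       int credit_bits)
{
    struct rand_pool_info *info = calloc(1, sizeof(*info) + ((len + 3) / 4) * 4);
    if (!info)
        return NULL;
    if (credit_bits > (int)(len * 8))
        credit_bits = (int)(len * 8);
    info->entropy_count = credit_bits;
    info->buf_size = (int)len;
    memcpy(info->buf, data, len);
    return info;
}

/* Mix data into the pool and credit credit_bits; 0 on success, -1 on error. */
int add_entropy(const unsigned char *data, size_t len, int credit_bits)
{
    struct rand_pool_info *info = build_pool_info(data, len, credit_bits);
    int fd = -1, rc = -1;
    if (info && (fd = open("/dev/random", O_WRONLY)) >= 0)
        rc = ioctl(fd, RNDADDENTROPY, info);
    if (fd >= 0)
        close(fd);
    free(info);
    return rc < 0 ? -1 : 0;
}

/* ./addentropy FILE (e.g. the HotBits file); credits 2 bits per byte (assumption). */
int main(int argc, char **argv)
{
    unsigned char buf[4096];
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;
    size_t n = f ? fread(buf, 1, sizeof buf, f) : 0;
    if (f) fclose(f);
    if (n == 0 || add_entropy(buf, n, (int)(n * 2)) < 0) {
        perror(n == 0 ? "read input" : "RNDADDENTROPY");
        return 1;
    }
    return 0;
}
```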