Medusa DS9 Security System

Medusa 1.0 Kernel patch for Linux 2.4.26 (Tue Apr 20 10:28:34 CEST 2004)
  • Vaclav Lorenc has contributed a kernel patch for Linux 2.4.26, which is available for download here. You also need The Constable from the CVS tree. Instructions for getting it:
    cvs login
    cvs co constable
  • Instructions for compiling the Constable:
    cd constable/libmcompiler
    cd ../constable
  • You need to have libefence installed. It can be found on or here. Or you may edit constable's Makefile and remove -lefence from LDFLAGS.

Medusa 1.0 Kernel patch for Linux 2.4.23 (Mon Dec 22 15:45:00 CET 2003)
  • Complete kernel patch for Linux 2.4.23 is available here. You also need The Constable from the CVS tree.

Medusa on CVS (Fri Apr 4 15:57:12 CEST 2003)
  • Here are instructions for getting the current Medusa DS9 from the CVS tree.

Medusa 1.0.0pre1 (Fri May 31 18:46:12 CEST 2002)
  • In the Download/New/ section you can get a working pre-release of the newest Medusa, which runs on uniprocessor Linux. The new version is a complete rewrite and contains a huge number of new features. The documentation, NetBSD port and SMP support will come soon. Oh, and the license has changed from GPL to dual GPL/BSD - choose whichever you like more. Stay tuned.
  • Brief installation instructions: download all 3 files; apply linux-kernelfix-2.4.18.diff.gz and medusads9-1.0.0_linux-2.4.18.diff.gz to a clean Linux 2.4.18 kernel; configure and compile the kernel and Constable; run it. There are some example configurations in the constable package for you to begin with. Ask questions on the mailing list.

Open Weekend announcement (Mon May 6 18:25:12 CEST 2002)
  • Open Weekend will be held on June 1 and 2 in Prague, Czech Republic, with Amon Ott / RSBAC, Philippe Biondi / LIDS, and us, discussing our respective security systems.

Version 0.9.2 released (Tue Apr 16 13:12:04 CEST 2002)
  • contains patch for 2.4.18 kernel (which probably works on 2.4.19pre* too)
  • kernel patch split into (1) general kernel fixes, (2) Medusa DS9
  • modified support for Linux capabilities to make them actually WORK
  • enable kernel to send signals regardless of security model (fixes ^C on some occasions)
  • disallowed sending SIGSTOP and SIGTSTP to constable (suggested by Libor Kratochvil)
  • fix of filesystem code for 2.4, to correct walking through mount-points
  • minor code cleanup
  • discontinued support for 2.2.x kernels. If you are willing to maintain the patch for 2.2, you're welcome.

Patch for 2.4.16 is out, CVS started (Thu Nov 29 04:39:40 CET 2001)
  • We upgraded the patch for the newest 2.4 series kernel. Note that the current release of Medusa is still valid; we release the patch separately. Check the download area.
  • The future sources of Medusa, as well as the new Constable and the documentation, are available on CVS from now on.

Pre-release of the new Constable (Thu Nov 22 19:28:25 CET 2001)
  • The brand-new Constable, featuring new configuration file syntax, better expression evaluation, self-configuration from the running kernel, backward compatibility with the current Medusa kernel patches, RBAC module and many other improvements, is ready for the first tests at our download area. The documentation is only in Slovak at this time.
  • We are seeking volunteers to translate our current documentation and drafts from Slovak to English and from English to any other languages. Contact us, please.

Version 0.9.0 released (Thu Nov 22 17:05:31 CET 2001)
  • changed the behaviour of FORK event, added START event
  • improved startup behaviour (by setting defaults to all processes on each restart of Constable)
  • prepared the source code for the new Constable
  • patches upgraded to Linux 2.2.20 and 2.4.14 (warning: due to changes in 2.4.x kernels we no longer support overriding of the ptrace using OK in syscall tracing handler)
  • fixed vfsmount problem (kernel crashed without constable) and dual exec event problems.

Version 0.8.2 released (Tue Sep 18 20:12:52 CEST 2001)
  • fixed the bugs found in previous release

Version 0.8.1 stable released (Fri Aug 10 13:59:08 CEST 2001)
  • fixed the bugs found in alpha release
  • This version contains: Constable version 0.8, and VS monitor (kernel patch) for Linux 2.2.19 and 2.4.7.
  • You can download it as medusa-0.8.1.tar.gz (gpg signature) or medusa-0.8.1.tar.bz2 (gpg signature).

We are alive! (Fri Aug 3 18:13:59 CEST 2001)
  • As you may notice from the new release of Medusa, we are really alive. You can read more in the new areas of the project web page, History and concepts, and Progress and plans.

Version 0.8.1-alpha released (Fri Aug 3 18:13:59 CEST 2001)
  • improved code that handles privilege elevation during execve()
  • added several missing permission checks to System V IPC code
  • fixed some missing dputs() in VFS code
  • added support for Linux 2.4.x kernels. This code is not tested and should be considered ALPHA quality.

Version 0.7.12 released (Fri Aug 18 08:49:20 CEST 2000)
  • Fixed compilation problem when syscall tracing is disabled
  • added filesystem capabilities support in Constable
  • kernel patches are in more unified format
  • added new sample configuration file
  • improved mini libc (Mlibc) Makefile
  • appropriate documentation changes

Version 0.7.11 released (Thu Aug 10 22:26:07 CEST 2000)
  • file hiding is now a config option, not a separate patch
  • cleaned up System V IPC hooks
  • rewritten Linux capabilities support - read ChangeLog
  • fixed - MED_YES at 'for exec' does not skip noexec mount flag and 'x' permission checks
  • removed passing of filename, argc and argv to security daemon before exec
  • improved i386 entry.S offset generator (the kernel should now compile properly regardless of /usr/include/(linux|asm) symlinks)
  • init wrapper has been replaced by support in both kernel and constable: constable can be started instead of init; in this case it initializes itself and starts init. Patch in kernel enables you to use this feature without need to pass option "init=..." to the kernel at boot time.
  • finally we got rid of that nasty autoconf/automake.