| 1 |
(Hi I posted this before in the "portscanning worm?" thread but thought |
| 2 |
that people might not have seen it there cause I've not had any |
| 3 |
comments/replys?) |
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
I have often considered and even tried a couple of times to setup a |
| 8 |
hardened box however I get confused between all the different options |
| 9 |
and all the different implications. What with Selinux Grsecurity 1/2 |
| 10 |
RSBAC PIE etc. etc. |
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
Also the kernel patching concerns me a bit, I would much rather not have |
| 15 |
to search around an battle to patch kernels my self if at all possible. |
| 16 |
|
| 17 |
I don't get to upgrade the kernel on my production servers very often |
| 18 |
since company policy is 0 downtime. |
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
Also Because these are production servers in use by 1000s of customers I |
| 23 |
would have to find a hardened kernel (or what ever) that would have as |
| 24 |
small an impact on the current workings and config of the systems |
| 25 |
involved. |
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
I have all my partitions formatted (and kernels built) with support for |
| 30 |
security labels, but that's as far as I've gotten. Also the idea of |
| 31 |
splitting up roots permissions into roles is an interesting prospect but |
| 32 |
I've yet to find decent documentation on how to implement/use POSIX |
| 33 |
ROLES |
Archives