1 |
(Hi I posted this before in the "portscanning worm?" thread but thought |
2 |
that people might not have seen it there cause I've not had any |
3 |
comments/replys?) |
4 |
|
5 |
|
6 |
|
7 |
I have often considered and even tried a couple of times to setup a |
8 |
hardened box however I get confused between all the different options |
9 |
and all the different implications. What with Selinux Grsecurity 1/2 |
10 |
RSBAC PIE etc. etc. |
11 |
|
12 |
|
13 |
|
14 |
Also the kernel patching concerns me a bit, I would much rather not have |
15 |
to search around an battle to patch kernels my self if at all possible. |
16 |
|
17 |
I don't get to upgrade the kernel on my production servers very often |
18 |
since company policy is 0 downtime. |
19 |
|
20 |
|
21 |
|
22 |
Also Because these are production servers in use by 1000s of customers I |
23 |
would have to find a hardened kernel (or what ever) that would have as |
24 |
small an impact on the current workings and config of the systems |
25 |
involved. |
26 |
|
27 |
|
28 |
|
29 |
I have all my partitions formatted (and kernels built) with support for |
30 |
security labels, but that's as far as I've gotten. Also the idea of |
31 |
splitting up roots permissions into roles is an interesting prospect but |
32 |
I've yet to find decent documentation on how to implement/use POSIX |
33 |
ROLES |