| 1 |
On 14/02/06, Ow Mun Heng <Ow.Mun.Heng@×××.com> wrote: |
| 2 |
|
| 3 |
> Ah.. Mr. Millar. I have seen your name before. In those exact same BUgs |
| 4 |
> I have see the patches and I am going to see if I can duplicate it. (I |
| 5 |
> have downgraded the original server from a hardened sources to vanilla |
| 6 |
> sources just because of this "feature" |
| 7 |
|
| 8 |
Yes, it's apparently a problem with the kill/killall application. |
| 9 |
Perhaps the fix would be best applied there in the longer term. But |
| 10 |
the kernel-side patch in question definitely resolves the issue. |
| 11 |
|
| 12 |
> ps : hardenend-sources config sample anyone? |
| 13 |
> |
| 14 |
|
| 15 |
Here's a simple ".config" from one of my boxes which is fairly typical |
| 16 |
of the sort of configuration I'd use (remember not to select PAGEEXEC |
| 17 |
as the default if you're using P4/Xeon though; SEGMEXEC is the better |
| 18 |
option there). Note that this example has exec logging enabled which |
| 19 |
can make a lot of noise. However, because sysctl funtionality is |
| 20 |
enabled you can disable that at boot with sysctl.conf or in |
| 21 |
/etc/conf.d/local.start. Here's an example snippet: |
| 22 |
|
| 23 |
# Uncomment when building gentoo in a chroot |
| 24 |
# kernel.grsecurity.chroot_caps = 0 |
| 25 |
# kernel.grsecurity.chroot_deny_chmod = 0 |
| 26 |
|
| 27 |
# Disable exec logging by default |
| 28 |
kernel.grsecurity.exec_logging = 0 |
| 29 |
|
| 30 |
# Uncomment to prevent modules from being loaded/unloaded |
| 31 |
# kernel.grsecurity.disable_modules = 1 |
| 32 |
|
| 33 |
# Uncomment this to lock down grsec options (advisable) |
| 34 |
# kernel.grsecurity.grsec_lock = 1 |
| 35 |
|
| 36 |
Incidentally, I'm currently looking at refining the default |
| 37 |
syslog-ng.conf policy which is provided in the hardened case. It's |
| 38 |
based on debian's logging policy with selinux/grsec/pax specific |
| 39 |
logging hooks. However, it has a few flaws (ends up duplicating |
| 40 |
messages between separate logs unnecessarily for example). I'll |
| 41 |
probably file a bug on that once I'm satisfied with the revision. |
| 42 |
|
| 43 |
Regards, |
| 44 |
|
| 45 |
--Kerin |
Archives