| 1 |
I have often considered and even tried a couple of times to setup a |
| 2 |
hardened box however I get confused between all the different options |
| 3 |
and all the different implications. What with Selinux Grsecurity 1/2 |
| 4 |
RSBAC PIE etc. etc. |
| 5 |
|
| 6 |
Also the kernel patching concerns me a bit, I would much rather not have |
| 7 |
to search around an battle to patch kernels my self if at all possible. |
| 8 |
I don't get to upgrade the kernel on my production servers very often |
| 9 |
since company policy is 0 downtime. |
| 10 |
|
| 11 |
Also Because these are production servers in use by 1000s of customers I |
| 12 |
would have to find a hardened kernel (or what ever) that would have as |
| 13 |
small an impact on the current workings and config of the systems |
| 14 |
involved. |
| 15 |
|
| 16 |
I have all my partitions formatted (and kernels built) with support for |
| 17 |
security labels, but that's as far as I've gotten. Also the idea of |
| 18 |
splitting up roots permissions into roles is an interesting prospect but |
| 19 |
I've yet to find decent documentation on how to implement/use POSIX |
| 20 |
ROLES |
| 21 |
|
| 22 |
-----Original Message----- |
| 23 |
From: Michael Liesenfelt [mailto:mliesenf@×××××××××.edu] |
| 24 |
Sent: Friday, January 20, 2006 9:46 PM |
| 25 |
To: gentoo-server@l.g.o |
| 26 |
Subject: Re: [gentoo-server] portscanning worm? / GRSecurity |
| 27 |
|
| 28 |
I definitely agree. |
| 29 |
|
| 30 |
xyon wrote: |
| 31 |
|
| 32 |
>down more tightly. I'd also recommend disabling loadable module support |
| 33 |
in |
| 34 |
>your kernel ;) |
| 35 |
> |
| 36 |
>Also, didn't that paper on the idle scan mention that more random IPIDs |
| 37 |
>would help prevent idle scans? GrSecurity has just the feature to take |
| 38 |
>care of this. You might want to check into using some of the GRSecurity |
| 39 |
>features in the kernel. :) |
| 40 |
> |
| 41 |
>HTH! |
| 42 |
> |
| 43 |
I decided to make all of my servers on hardened gentoo kernels without |
| 44 |
loadable module support. GRSecurity has a number of great features |
| 45 |
including /proc restrictions, memory randomization, trusted execution, |
| 46 |
and denial of server sockets to users. The trusted execution is a very |
| 47 |
powerful feature. "Untrusted users will not be able to execute any files |
| 48 |
|
| 49 |
that are not in root-owned directories writable only by root." |
| 50 |
|
| 51 |
Also, I think the Gentoo Infrastructure servers are all hardened boxes. |
| 52 |
|
| 53 |
-- |
| 54 |
Michael Liesenfelt |
| 55 |
University of Florida |
| 56 |
Innovative Nuclear Space Power and Propulsion Institute |
| 57 |
|
| 58 |
|
| 59 |
-- |
| 60 |
gentoo-server@g.o mailing list |
Archives