I have often considered and even tried a couple of times to set up a
hardened box; however, I get confused between all the different options
and all the different implications. What with SELinux, Grsecurity 1/2,
RSBAC, PIE, etc. etc.

Also, the kernel patching concerns me a bit. I would much rather not have
to search around and battle to patch kernels myself if at all possible.
I don't get to upgrade the kernel on my production servers very often
since company policy is 0 downtime.

Also, because these are production servers in use by 1000s of customers, I
would have to find a hardened kernel (or whatever) that would have as
small an impact on the current workings and config of the systems
involved.

I have all my partitions formatted (and kernels built) with support for
security labels, but that's as far as I've gotten. Also, the idea of
splitting up root's permissions into roles is an interesting prospect, but
I've yet to find decent documentation on how to implement/use POSIX
ROLES.

-----Original Message-----
From: Michael Liesenfelt [mailto:mliesenf@×××××××××.edu]
Sent: Friday, January 20, 2006 9:46 PM
To: gentoo-server@l.g.o
Subject: Re: [gentoo-server] portscanning worm? / GRSecurity

I definitely agree.

xyon wrote:

>down more tightly. I'd also recommend disabling loadable module support in
>your kernel ;)
>
>Also, didn't that paper on the idle scan mention that more random IPIDs
>would help prevent idle scans? GrSecurity has just the feature to take
>care of this. You might want to check into using some of the GRSecurity
>features in the kernel. :)
>
>HTH!
>
I decided to make all of my servers on hardened gentoo kernels without
loadable module support. GRSecurity has a number of great features
including /proc restrictions, memory randomization, trusted execution,
and denial of server sockets to users. The trusted execution is a very
powerful feature. "Untrusted users will not be able to execute any files
that are not in root-owned directories writable only by root."

Also, I think the Gentoo Infrastructure servers are all hardened boxes.

--
Michael Liesenfelt
University of Florida
Innovative Nuclear Space Power and Propulsion Institute

--
gentoo-server@g.o mailing list
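
The trusted execution rule quoted in the reply above can be checked against a running system before the feature is switched on, to see which executables untrusted users would lose. The following is an added example, not part of the thread and not grsecurity's own code; it models only the rule as quoted, and the default directory list is an assumption.

```python
import os
import stat
import sys

def tpe_verdict(dir_uid, dir_mode):
    """Apply the quoted rule to a directory's owner uid and permission bits."""
    if dir_uid != 0:
        return False, "directory not owned by root"
    if dir_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "directory writable by group or other"
    return True, "root-owned directory writable only by root"

def audit_executables(roots):
    """Return (path, reason) for each executable regular file whose
    containing directory fails the rule. Symlinked dirs are not followed."""
    findings = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            try:
                dst = os.stat(dirpath)
            except OSError:
                continue  # directory vanished or is unreadable
            allowed, reason = tpe_verdict(dst.st_uid, stat.S_IMODE(dst.st_mode))
            if allowed:
                continue
            for name in sorted(filenames):
                path = os.path.join(dirpath, name)
                try:
                    fst = os.lstat(path)
                except OSError:
                    continue
                # Only regular files with at least one execute bit matter here.
                if stat.S_ISREG(fst.st_mode) and fst.st_mode & 0o111:
                    findings.append((path, reason))
    return findings

if __name__ == "__main__":
    # Assumed default locations; pass the trees your services run from.
    roots = sys.argv[1:] or ["/opt", "/srv", "/usr/local", "/home"]
    for path, reason in audit_executables(roots):
        print(f"{path}: {reason}")
```

Every path it prints is a file an untrusted user could run today but not under the quoted rule, which gives a rough measure of the impact on an existing production configuration.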