13.06.2010 17:15, klondike wrote:
> Well for now I have written a 12 page doc praying the goodness of
> Gentoo Hardened.

Well done, thank you! That's what I'm gonna show my coworkers when they
ask me about what Hardened is.

> Also ask for excuses because maybe the document has a few imprecisions
> or white lies due to a bad understanding, feel free to outline them
> too.

I think GRKERNSEC_BRUTE deserves a bit more explanation, as long as in
some (most?) cases it seems to be the single little trick that prevents
preforked apps from eventually being owned with no regard to ASLR, especially
on x86.

Also, maybe a reader should be advised to develop a policy to
autorestart preforked apps when the relevant records appear in the grsec
log? They are "Segmentation fault" and "Illegal instruction". And maybe
it deserves to be mentioned that SIGSEGV does not trigger the fork()
delay, so the autorestart policy which takes frequent SIGSEGV log
messages into account is the right thing.

Btw, it's not "some delays" but the 30 seconds hardcoded in
grsecurity/grsec_sig.c.
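As an added example (not part of the thread, not grsecurity's own code), here is the kind of detection routine the autorestart policy described above would need: it scans log lines for the two record types named in the mail, groups crashes by the parent process (the pre-forking master) and flags a master whose children crash repeatedly within a short window, which is exactly the case the fork() delay does not cover for SIGSEGV. The log line layout, timestamps, addresses and process names are constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample log lines (not from the thread). The layout of a grsec
# crash record is an assumption; only the "Segmentation fault" and
# "Illegal instruction" wording comes from the mail above.
SAMPLE_LOG = [
    "Jun 13 17:10:01 host kernel: grsec: From 203.0.113.5: Segmentation fault occurred at 0000000041414141 in /usr/sbin/httpd[httpd:2201] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/httpd[httpd:2190] uid/euid:0/0 gid/egid:0/0",
    "Jun 13 17:10:03 host kernel: grsec: From 203.0.113.5: Segmentation fault occurred at 0000000041414141 in /usr/sbin/httpd[httpd:2202] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/httpd[httpd:2190] uid/euid:0/0 gid/egid:0/0",
    "Jun 13 17:10:04 host kernel: grsec: From 203.0.113.5: Illegal instruction occurred at 00000000deadbeef in /usr/sbin/httpd[httpd:2203] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/httpd[httpd:2190] uid/euid:0/0 gid/egid:0/0",
    "Jun 13 17:12:00 host kernel: grsec: denied chdir to /root by /usr/bin/something[something:3001] (unrelated record)",
    "Jun 13 17:13:00 host kernel: grsec: Segmentation fault occurred at 0000000000000000 in /usr/bin/gimp[gimp:4000] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3999] uid/euid:1000/1000 gid/egid:1000/1000",
]

CRASH_RE = re.compile(
    r"^\w{3} +\d+ (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) .*?grsec: (?:From \S+: )?"
    r"(?P<sig>Segmentation fault|Illegal instruction) occurred at \S+ "
    r"in (?P<exe>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
    r"(?:.*?parent (?P<pexe>\S+?)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\])?"
)

def parse_crash(line):
    """Return the fields of one crash record, or None for any other line."""
    m = CRASH_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Seconds since midnight; assumes all lines are from the same day.
    rec["t"] = int(rec["h"]) * 3600 + int(rec["m"]) * 60 + int(rec["s"])
    return rec

def restart_candidates(lines, threshold=3, window=60):
    """Flag each parent (pre-forking master) whose children crashed at least
    `threshold` times within `window` seconds. Returns {(exe, ppid): count}."""
    recent = defaultdict(deque)   # (parent exe, parent pid) -> crash times
    flagged = {}
    for line in lines:
        rec = parse_crash(line)
        if rec is None or rec["pexe"] is None:   # not a crash, or no parent field
            continue
        key = (rec["pexe"], int(rec["ppid"]))
        times = recent[key]
        times.append(rec["t"])
        while times and rec["t"] - times[0] > window:   # drop stale entries
            times.popleft()
        if len(times) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(times))
    return flagged
```

On the constructed sample, the httpd master (pid 2190) is flagged after three child crashes in four seconds, while the single gimp crash under a shell is not; a real deployment would feed the live kernel log and tie the flagged key to a service restart.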