| 1 |
13.06.2010 17:15, klondike пишет: |
| 2 |
> Well for now I have written a 12 page doc praying the goodness of |
| 3 |
> Gentoo Hardened. |
| 4 |
|
| 5 |
Well done, thank you! That's what I'm gonna show my coworkers when they |
| 6 |
ask me about what Hardened is. |
| 7 |
|
| 8 |
> Also ask for excuses because maybe the document has a few imprecisions |
| 9 |
> or white lies due to a bad understanding, feel free to outline them |
| 10 |
> to. |
| 11 |
|
| 12 |
I think GRKERNSEC_BRUTE deserves a bit more explaination, as long as in |
| 13 |
some (most?) cases it seems to be the single little trick that prevents |
| 14 |
preforked apps to be eventually owned with no regard to ASLR, especially |
| 15 |
on x86. |
| 16 |
|
| 17 |
Also, maybe a reader should be advised to develop a policy to |
| 18 |
autorestart preforked apps when the relevant records appear in the grsec |
| 19 |
log? They are "Segmentation fault" and "Illegal instruction". And maybe |
| 20 |
it deserves to be mentioned that SIGSEGV does not trigger the fork() |
| 21 |
delay, so the autorestart policy which takes frequent SIGSEGV log |
| 22 |
messages into account is a right thing. |
| 23 |
|
| 24 |
Btw, it's not "some delays" but the 30 seconds hardcoded in |
| 25 |
grsecurity/grsec_sig.c. |
Archives