Use grsecurity on critical machines!

Posted Dec 12, 2003 14:58 UTC (Fri) by emk (subscriber, #1128)
Parent article: Lessons from the Debian compromise

The grsecurity patch to the Linux kernel does two highly useful things:

1) It breaks most exploits by heavily randomizing memory layouts, PIDs, and anything else it can find to randomize. It also makes quite a few things non-executable, even on Intel architectures.

2) It optionally allows you to set up advanced role-based ACLs, which allow you to ruthlessly strip privileges away from various processes on your server. In particular, you can drop unneeded capabilities from root processes, prevent fork/exec of all but a specified list of executables, and hide all but a tiny part of the filesystem.

If you use grsecurity in addition to your regular system hardening, you can make life very difficult for the crackers.



Use grsecurity on critical machines!

Posted Dec 13, 2003 7:58 UTC (Sat) by penguinroar (guest, #14460) [Link]

I agree with the parent poster, it's time to harden the kernel a bit to keep ahead of the crackers. I don't mean that bugs should be downplayed but to have both belt and straps is in my own opinion a good thing. There are several implementations of hardened kernels but I haven't seen any broad use of them yet.

Intrusion detection is a harder nut to crack since a too vicious one will cry wolf too much. Some kind of self check of the kernel against a hash only readable and written once at boot maybe?

hardening the kernel

Posted Dec 13, 2003 19:16 UTC (Sat) by giraffedata (subscriber, #1954) [Link]

"Some kind of self check of the kernel against a hash only readable and written once at boot maybe?"

Maybe, but that wouldn't be a lesson learned from this incident. The kernel wasn't modified. (The problem is that the cracker was able to read kernel memory).

