ShellServerSecurityRestrictions

We use grsec on our shell servers, and have enabled the following features. There is a remote possibility that they may interfere with your applications; so we have documented which features we enable in order to avoid any surprises.

CONFIG_GRKERNSEC_IO=y
   - disables ioperm/iopl calls, which could modify the running kernel

CONFIG_GRKERNSEC_BRUTE=y
   - prevents rapid respawning of apache and ssh daemons (when someone's
     bruteforcing)

CONFIG_GRKERNSEC_EXECLOG=y
   - logs all execs

CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
   - logs execs in chroots

CONFIG_GRKERNSEC_AUDIT_MOUNT=y
   - logs (un)mounts

CONFIG_GRKERNSEC_SIGNAL=y
   - logs signals like sigsegv

CONFIG_GRKERNSEC_FORKFAIL=y
   - logs failed forks

CONFIG_GRKERNSEC_TIME=y
   - logs time changes

CONFIG_GRKERNSEC_PROC_IPADDR=y
   - saves each process owner's IP address in /proc/PID/ipaddr

CONFIG_GRKERNSEC_SHM=y
   - shared memory protections

CONFIG_GRKERNSEC_TPE=y
   - ability to restrict certain users to only running trusted executables

CONFIG_GRKERNSEC_RANDNET=y
   - larger entropy pool

CONFIG_GRKERNSEC_SOCKET=y
CONFIG_GRKERNSEC_SOCKET_ALL=y
CONFIG_GRKERNSEC_SOCKET_CLIENT=y
CONFIG_GRKERNSEC_SOCKET_SERVER=y
   - finer-grained control over who gets access to sockets

CONFIG_GRKERNSEC_SYSCTL=y
   - allow runtime tuning of all options through sysctl
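
To check that a kernel build still matches the list above, the following added example (not part of the original page or of grsec itself) audits a kernel config file against the documented options. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a kernel config with the options documented on this page.
# Function names and the sample config below are constructed for illustration.
DOCUMENTED_OPTS="IO BRUTE EXECLOG CHROOT_EXECLOG AUDIT_MOUNT SIGNAL FORKFAIL TIME
PROC_IPADDR SHM TPE RANDNET SOCKET SOCKET_ALL SOCKET_CLIENT SOCKET_SERVER SYSCTL"

# audit_grsec_config FILE
# Prints one "STATE CONFIG_GRKERNSEC_<name>" line per documented option:
#   enabled  - "<name>=y" is present
#   disabled - "# <name> is not set" is present
#   absent   - the option is not mentioned at all
# Returns 0 only if every documented option is enabled.
audit_grsec_config() {
    cfg=$1
    rc=0
    for opt in $DOCUMENTED_OPTS; do
        name="CONFIG_GRKERNSEC_$opt"
        # Anchor both ends so SOCKET does not match SOCKET_ALL and
        # EXECLOG does not match CHROOT_EXECLOG.
        if grep -q "^${name}=y\$" "$cfg"; then
            echo "enabled $name"
        elif grep -q "^# ${name} is not set\$" "$cfg"; then
            echo "disabled $name"; rc=1
        else
            echo "absent $name"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: TPE is missing entirely and SOCKET_ALL is unset.
sample_config() {
    for opt in $DOCUMENTED_OPTS; do
        case $opt in
            TPE) ;;
            SOCKET_ALL) echo "# CONFIG_GRKERNSEC_SOCKET_ALL is not set" ;;
            *) echo "CONFIG_GRKERNSEC_$opt=y" ;;
        esac
    done
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_grsec_config "$tmp" || echo "config differs from the documented list"
rm -f "$tmp"
```

On a live host the input is usually `/boot/config-$(uname -r)`, or the output of `zcat /proc/config.gz` saved to a file where the kernel exposes it.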


CategoryOutdated

ShellServerSecurityRestrictions (last edited 2012-12-09 05:59:35 by ClintonEbadi)