welcome: please sign in

Please enter your password of your account at the remote wiki below.
/!\ You should trust both wikis because the password could be read by the particular administrators.

Clear message
Edit

ShellServerSecurityRestrictions

We use grsec on our shell servers, and have enabled the following features. There is a remote possibility that they may interfere with your applications; so we have documented which features we enable in order to avoid any surprises.

CONFIG_GRKERNSEC_IO=y
   - disables ioperm/iopl calls which could modify running kernel

CONFIG_GRKERNSEC_BRUTE=y
   - prevents rapid respawning of apache and ssh daemons (when someone's
     bruteforcing)

CONFIG_GRKERNSEC_EXECLOG=y
   - logs all execs

CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
   - logs execs in chroots

CONFIG_GRKERNSEC_AUDIT_MOUNT=y
   - logs *un)mounts

CONFIG_GRKERNSEC_SIGNAL=y
   - logs signals like sigsegv

CONFIG_GRKERNSEC_FORKFAIL=y
   - logs failed forks

CONFIG_GRKERNSEC_TIME=y
   - logs time changes

CONFIG_GRKERNSEC_PROC_IPADDR=y
   - saves each process owner's IP address in /proc/PID/ipaddr

CONFIG_GRKERNSEC_SHM=y
   - shared memory protections

CONFIG_GRKERNSEC_TPE=y
   - ability to restrict certain users to only running trusted executables
CONFIG_GRKERNSEC_RANDNET=y
   - larger entropy pool

CONFIG_GRKERNSEC_SOCKET=y
CONFIG_GRKERNSEC_SOCKET_ALL=y
CONFIG_GRKERNSEC_SOCKET_CLIENT=y
CONFIG_GRKERNSEC_SOCKET_SERVER=y
   - fine-grainer control who gets access to sockets

CONFIG_GRKERNSEC_SYSCTL=y
   - allow runtime tuning of all options through sysctl


CategoryOutdated