Revision 4 as of 2012-12-09 05:59:35 (size 1409; revision comment: "this is not true for !mire")
Page category: CategoryOutdated
We use grsec on our shell servers and have enabled the following features. There is a remote possibility that they may interfere with your applications, so we have documented which features we enable in order to avoid any surprises.
CONFIG_GRKERNSEC_IO=y
- disables ioperm/iopl calls, which could otherwise modify the running kernel
CONFIG_GRKERNSEC_BRUTE=y
- prevents rapid respawning of the apache and ssh daemons (when someone is brute-forcing)
CONFIG_GRKERNSEC_EXECLOG=y
- logs all execs
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
- logs execs in chroots
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
- logs (un)mounts
CONFIG_GRKERNSEC_SIGNAL=y
- logs signals like sigsegv
CONFIG_GRKERNSEC_FORKFAIL=y
- logs failed forks
CONFIG_GRKERNSEC_TIME=y
- logs time changes
CONFIG_GRKERNSEC_PROC_IPADDR=y
- saves each process owner's IP address in /proc/PID/ipaddr
CONFIG_GRKERNSEC_SHM=y
- shared memory protections
CONFIG_GRKERNSEC_TPE=y
- ability to restrict certain users to only running trusted executables
CONFIG_GRKERNSEC_RANDNET=y
- larger entropy pool
CONFIG_GRKERNSEC_SOCKET=y
CONFIG_GRKERNSEC_SOCKET_ALL=y
CONFIG_GRKERNSEC_SOCKET_CLIENT=y
CONFIG_GRKERNSEC_SOCKET_SERVER=y
- finer-grained control over who gets access to sockets
CONFIG_GRKERNSEC_SYSCTL=y
- allow runtime tuning of all options through sysctl
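An added example (not code from the wiki page or from grsecurity) that audits a kernel .config against the option list above, so a rebuilt shell-server kernel can be checked before it is installed; the parser handles the standard .config syntax and the sample config fragment is constructed.

```python
# Added example (not from the wiki page): audit a kernel .config against the
# CONFIG_GRKERNSEC_* options listed above, so a rebuilt shell-server kernel can
# be checked before it is booted. Understands the standard .config syntax:
# "CONFIG_FOO=y", "CONFIG_FOO=m" and "# CONFIG_FOO is not set".
import re

# The options the page documents as enabled on the shell servers.
DOCUMENTED_OPTIONS = [
    "CONFIG_GRKERNSEC_IO", "CONFIG_GRKERNSEC_BRUTE", "CONFIG_GRKERNSEC_EXECLOG",
    "CONFIG_GRKERNSEC_CHROOT_EXECLOG", "CONFIG_GRKERNSEC_AUDIT_MOUNT",
    "CONFIG_GRKERNSEC_SIGNAL", "CONFIG_GRKERNSEC_FORKFAIL", "CONFIG_GRKERNSEC_TIME",
    "CONFIG_GRKERNSEC_PROC_IPADDR", "CONFIG_GRKERNSEC_SHM", "CONFIG_GRKERNSEC_TPE",
    "CONFIG_GRKERNSEC_RANDNET", "CONFIG_GRKERNSEC_SOCKET",
    "CONFIG_GRKERNSEC_SOCKET_ALL", "CONFIG_GRKERNSEC_SOCKET_CLIENT",
    "CONFIG_GRKERNSEC_SOCKET_SERVER", "CONFIG_GRKERNSEC_SYSCTL",
]

_SET_RE = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_kconfig(text):
    """Map option name -> 'y', 'm', 'n' (for 'is not set') or a literal value."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if m := _SET_RE.match(line):
            values[m.group(1)] = m.group(2).strip('"')
        elif m := _UNSET_RE.match(line):
            values[m.group(1)] = "n"
    return values

def audit(config_text, expected=DOCUMENTED_OPTIONS):
    """Sort the expected options into 'ok' (=y), 'disabled' (=m / not set) and 'absent'.

    'absent' (no line at all) usually means the tree was never patched with
    grsecurity or the option's dependency is off; both deserve a second look."""
    values = parse_kconfig(config_text)
    report = {"ok": [], "disabled": [], "absent": []}
    for opt in expected:
        state = values.get(opt)
        key = "absent" if state is None else ("ok" if state == "y" else "disabled")
        report[key].append(opt)
    return report

# Constructed sample fragment: one option switched off, most of the list missing.
SAMPLE_CONFIG = """CONFIG_GRKERNSEC_IO=y
# CONFIG_GRKERNSEC_BRUTE is not set
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_SYSCTL=y
"""
```

On a real host, pass `audit()` the contents of the running kernel's config (typically /proc/config.gz, gunzipped, or /boot/config-$(uname -r)) instead of the constructed sample.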