welcome: please sign in
Page Locked

ShellServerSecurityRestrictions

We use grsec on our shell servers, and have enabled the following features. There is a remote possibility that they may interfere with your applications; so we have documented which features we enable in order to avoid any surprises.

CONFIG_GRKERNSEC_IO=y
   - disables ioperm/iopl calls which could modify running kernel

CONFIG_GRKERNSEC_BRUTE=y
   - prevents rapid respawning of apache and ssh daemons (when someone's
     bruteforcing)

CONFIG_GRKERNSEC_EXECLOG=y
   - logs all execs

CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
   - logs execs in chroots

CONFIG_GRKERNSEC_AUDIT_MOUNT=y
   - logs *un)mounts

CONFIG_GRKERNSEC_SIGNAL=y
   - logs signals like sigsegv

CONFIG_GRKERNSEC_FORKFAIL=y
   - logs failed forks

CONFIG_GRKERNSEC_TIME=y
   - logs time changes

CONFIG_GRKERNSEC_PROC_IPADDR=y
   - saves each process owner's IP address in /proc/PID/ipaddr

CONFIG_GRKERNSEC_SHM=y
   - shared memory protections

CONFIG_GRKERNSEC_TPE=y
   - ability to restrict certain users to only running trusted executables
CONFIG_GRKERNSEC_RANDNET=y
   - larger entropy pool

CONFIG_GRKERNSEC_SOCKET=y
CONFIG_GRKERNSEC_SOCKET_ALL=y
CONFIG_GRKERNSEC_SOCKET_CLIENT=y
CONFIG_GRKERNSEC_SOCKET_SERVER=y
   - fine-grainer control who gets access to sockets

CONFIG_GRKERNSEC_SYSCTL=y
   - allow runtime tuning of all options through sysctl


CategoryOutdated

ShellServerSecurityRestrictions (last edited 2012-12-09 05:59:35 by ClintonEbadi)