Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
linux:grsec [2006/07/26 14:23] a |
linux:grsec [2008/09/26 20:23] a |
||
|---|---|---|---|
| Line 41: | Line 41: | ||
| ==== kernel 2.4.x tips ==== | ==== kernel 2.4.x tips ==== | ||
| + | |||
| ==== kernel 2.6.x tips ==== | ==== kernel 2.6.x tips ==== | ||
| + | |||
| + | |||
| + | === What to include in 2.6 with GRSecurity (Safeway) === | ||
| + | **taken from: [[http:// | ||
| + | ** | ||
| + | |||
| + | There are some problems with some applications with parts of the patch. For | ||
| + | example, turning on the non-executeable stack will break anything that uses | ||
| + | an executeable stack. ie: X, java, or wine, now you can use chpax and give | ||
| + | each of these a non executable stack. There are also some problems with the | ||
| + | way grsecurity gets a little to restrictive with things like restericting | ||
| + | filesystems ect. All of these can be overcome, however, you need to do some | ||
| + | magic to get some of these things to work, and frankly, some of it really | ||
| + | isnt worth it. | ||
| + | |||
| + | There are several options inside the grsecurity patch that you can choose. | ||
| + | |||
| + | What you can safely turn on in GRsecurity without breaking anything is: | ||
| + | * **'' | ||
| + | * **'' | ||
| + | * **'' | ||
| + | * **'' | ||
| + | * **'' | ||
| + | |||
| + | * **Filesystem Protections** | ||
| + | * // | ||
| + | |||
| + | * **'' | ||
| + | * // | ||
| + | |||
| + | * **'' | ||
| + | * // | ||
| + | |||
| + | * **'' | ||
| + | * // | ||
| + | |||
| + | * **'' | ||
| + | // | ||
| + | |||
| + | Compile everything staticly and you shold be fine. | ||
| + | |||
| + | I have tested this on production servers, and desktop boxes in mass and its | ||
| + | come out fine for x86 and sparc. I havent tried it on ppc but for the most | ||
| + | part it is safe, and it is also safe for production envoirnments. | ||
| ===== Configuration ===== | ===== Configuration ===== | ||
| Line 159: | Line 204: | ||
| gradm -D | gradm -D | ||
| + | |||
| ==== grsec iptables patch ==== | ==== grsec iptables patch ==== | ||
| FIXME TODO | FIXME TODO | ||
| + | |||
| + | ===== Tips / troubleshooting ===== | ||
| + | |||
| + | ==== complaints of grsecurity-kernel about RLIMIT_CORE being 0 ==== | ||
| + | |||
| + | If, while running program x, a segmentation fault occurs in program x and syslog outputs the following string: | ||
| + | Apr 17 11:55:06 yyy kernel: grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by (x:z) UID(y) EUID(y), parent (y:y) UID(y) EUID(y) | ||
| + | then kernel tried to write a core-file for the program x to disk, BUT the max size of the core file is set to 0. | ||
| + | Growing the maximum size of a core file: | ||
| + | |||
| + | # ulimit -S -c 8192 | ||
| + | |||
| + | |||
