Differences

linux:grsec [2006/07/26 14:23]
a
linux:grsec [2008/09/26 20:23]
a
Line 41: Line 41:
  
 ==== kernel 2.4.x tips ==== ==== kernel 2.4.x tips ====
 +
 ==== kernel 2.6.x tips ==== ==== kernel 2.6.x tips ====
 +
 +
 +=== What to include in 2.6 with GRSecurity (Safeway) ===
 +**taken from: [[http://lists.grok.org.uk/pipermail/full-disclosure/2003-August/008236.htm|here]]
 +**
 +
 +There are some problems with some applications with parts of the patch. For 
 +example, turning on the non-executeable stack will break anything that uses 
 +an executeable stack. ie: X, java, or wine, now you can use chpax and give 
 +each of these a non executable stack. There are also some problems with the 
 +way grsecurity gets a little to restrictive with things like restericting 
 +filesystems ect. All of these can be overcome, however, you need to do some 
 +magic to get some of these things to work, and frankly, some of it really 
 +isnt worth it. 
 +
 +There are several options inside the grsecurity patch that you can choose.
 +
 +What you can safely turn on in GRsecurity without breaking anything is:
 +   * **''Address Space Protection''**
 +   * **''Address Space Layout Randomization''**
 +      * **''Randomize kernel stack base''**
 +      * **''Randomize user stack base''**
 +      * **''Randomize mmap() base''**
 +
 +   * **Filesystem Protections**
 +      * //Everything under this option is safe to include//
 +
 +   * **''Kernel Auditing''**
 +      * //Everything under this option is safe to include//
 +
 +   * **''Executable Protections''**
 +      * //Everything under this option is safe to __incude except__:// ''Partially restrict non-root users''
 +
 +  * **''Network Protections''**
 +     * //Everything under this option is safe to include//
 +
 +  * **''Sysctl support''** //This is usefull to enable, but not necesary
 +//
 +
 +Compile everything staticly and you shold be fine. 
 +
 +I have tested this on production servers, and desktop boxes in mass and its 
 +come out fine for x86 and sparc. I havent tried it on ppc but for the most 
 +part it is safe, and it is also safe for production envoirnments.
  
 ===== Configuration ===== ===== Configuration =====
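Review bot: the chpax sentence in the opening paragraph of this hunk contradicts itself. The text says the non-executable stack breaks anything that needs an executable stack (X, java, wine) and then says chpax lets you "give each of these a non executable stack"; the workaround is the opposite, marking those binaries so they keep an executable stack, so it should read "give each of these an executable stack". Two markup problems in the same hunk: the bold opener `**taken from: [[...|here]]` is closed by a lone `**` on the following line, which should be on the same line, and the top-level items of the "What you can safely turn on" list mix three-space indentation (`   * **''Address Space Protection''**`) with two-space indentation (`  * **''Network Protections''**`, `  * **''Sysctl support''**`), which DokuWiki may render at different nesting levels; use one indent for all top-level items. "Compile everything staticly and you shold be fine" does not say what "everything" is (a kernel without loadable modules, or the userland binaries); state it. Spelling in the hunk: executeable, restericting, ect, incude, usefull, necesary, staticly, shold, envoirnments, isnt, havent, "to restrictive".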
Line 159: Line 204:
  
    gradm -D     gradm -D 
 +
  
 ==== grsec iptables patch ==== ==== grsec iptables patch ====
 FIXME TODO FIXME TODO
 +
 +===== Tips / troubleshooting =====
 +
 +==== complaints of grsecurity-kernel about RLIMIT_CORE being 0 ====
 +
 +If, while running program x, a segmentation fault occurs in program x and syslog outputs the following string:
 +   Apr 17 11:55:06 yyy kernel: grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by (x:z) UID(y) EUID(y), parent (y:y) UID(y) EUID(y) 
 +then kernel tried to write a core-file for the program x to disk, BUT the max size of the core file is set to 0.
 +Growing the maximum size of a core file:
 +
 +  # ulimit -S -c 8192
 +
 +
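Review bot: `ulimit -S -c 8192` only raises the soft limit of the current shell and the processes it starts afterwards, and it cannot go above the hard limit (`ulimit -H -c`); if the hard limit is also 0 the command fails, so the section should say to check the hard limit first and where to set the limit persistently for the program in question (its startup environment or init script) rather than an interactive shell. It is also worth stating that the grsec line is an audit message, not a fault: keeping RLIMIT_CORE at 0 on a production machine is a deliberate choice (no core file written to disk), and the limit should be raised only where the dump is actually wanted for debugging. Wording: "then kernel tried" should read "then the kernel tried".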
linux/grsec.txt · Last modified: 2009/05/25 00:35 (external edit)
CC Attribution-Share Alike 4.0 International