Differences
This shows you the differences between two versions of the page.
linux:grsec [2008/09/26 20:23] a
linux:grsec [2009/05/25 00:35] (current)
Line 41: | Line 41: | ||
==== kernel 2.4.x tips ==== | ==== kernel 2.4.x tips ==== | ||
+ | |||
==== kernel 2.6.x tips ==== | ==== kernel 2.6.x tips ==== | ||
Line 87: | Line 88: | ||
come out fine for x86 and sparc. I havent tried it on ppc but for the most | come out fine for x86 and sparc. I havent tried it on ppc but for the most | ||
part it is safe, and it is also safe for production envoirnments. | part it is safe, and it is also safe for production envoirnments. | ||
+ | |||
+ | === Using Pax and Grsecurity features === | ||
+ | |||
+ | First get a grsecurity patch kernel ready go in your **'' | ||
+ | |||
+ | < | ||
+ | Enable various PaX features | ||
+ | |||
+ | [*] Support soft mode | ||
+ | [*] Use legacy ELF header marking | ||
+ | [*] Use ELF program header marking | ||
+ | MAC system integration (direct) | ||
+ | |||
+ | Non-executable pages | ||
+ | |||
+ | [*] Enforce non-executable pages | ||
+ | [*] | ||
+ | [*] | ||
+ | [*] Emulate trampolines | ||
+ | [*] Restrict mprotect() | ||
+ | [ ] | ||
+ | [*] Enforce non-executable kernel pages | ||
+ | |||
+ | [*] Address Space Layout Randomization | ||
+ | [*] | ||
+ | [*] | ||
+ | [*] | ||
+ | </ | ||
+ | And for Miscellaneous hardening features I advise not to select any. | ||
+ | |||
+ | <note important> | ||
===== Configuration ===== | ===== Configuration ===== | ||
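Review bot: with "[*] Support soft mode" selected in this menuconfig excerpt and the Configuration section below still setting kernel.pax.softmode = 1, PaX runs in soft mode, where its features are not enforced on binaries that carry no explicit PaX marking; that means the non-executable page, mprotect() and ASLR options listed in this hunk are not actually active for unmarked programs, so the section should say soft mode is for the initial testing pass and tell the reader to set kernel.pax.softmode = 0 (or deselect the option) before treating the machine as hardened. The closing advice "for Miscellaneous hardening features I advise not to select any" gives no reason; state which of those options cause problems and under which workloads so a reader can judge whether the advice applies to them.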
Line 131: | Line 163: | ||
kernel.pax.softmode = 1 | kernel.pax.softmode = 1 | ||
kernel.grsecurity.grsec_lock = 0 | kernel.grsecurity.grsec_lock = 0 | ||
+ | |||
==== PaX ==== | ==== PaX ==== | ||
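Review bot: kernel.grsecurity.grsec_lock = 0 in this sysctl block leaves every grsecurity tunable writable at runtime, so anything with the right privileges can turn the settings back off; the text should tell the reader to set kernel.grsecurity.grsec_lock = 1 as the last step once the other values are final, and note that after that the grsecurity sysctls cannot be changed again until the next reboot.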
Line 174: | Line 207: | ||
Executable shared library data : Vulnerable | Executable shared library data : Vulnerable | ||
Writable text segments | Writable text segments | ||
+ | |||
+ | ==== Hardening Webservers ==== | ||
+ | |||
+ | For example | ||
+ | |||
+ | | ||
+ | |||
+ | | ||
+ | |||
+ | You can even use wildcards like'' | ||
+ | |||
+ | Also make sure you do the** '' | ||
==== gdadm ==== | ==== gdadm ==== |
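Review bot: the "For example" line in the new Hardening Webservers section is followed only by empty lines, and the sentences about wildcards ("You can even use wildcards like") and the final "Also make sure you do the" step stop before saying what to do, so the section gives no usable instruction; supply the example, finish both sentences, and say which webserver binaries or paths the wildcard is meant to match so readers can apply it to their own installation.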