Services to protect with grsecurity

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Services to protect with grsecurity

Postby adk » Wed Mar 26, 2003 4:14 pm

Currently we are testing grsecurity on some of our machines, but are wondering what kind of services should be protected by grsecurity.

It seems clear to us that protecting system-services like apache, ssh etc makes sense, but what about a firewall-script ??

Should we set up special rules for this purpose or will disabling CAP_NET_ADMIN be enough??

Thanks for your help
adk
 
Posts: 6
Joined: Tue Mar 18, 2003 12:53 pm

Postby TGKx » Thu Mar 27, 2003 1:48 am

A strict default acl for the system, any processes that will be run by root should have their own acl, and any processes that will need more access than the default restrictive acl.

You can set your firewall script to be read only so it cant be modified.

These should be a good start.
TGKx
 
Posts: 50
Joined: Wed Feb 19, 2003 4:39 am

Postby spender » Thu Mar 27, 2003 11:53 am

What I like to do is start the ACL system after all startup services have loaded. This saves you a lot of work, and allows you to set more restrictive ACLs on your daemons. Any kind of administrative tasks should not be given privileged ACLs, but rather should be done through administration mode.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm


Return to grsecurity support

cron