is grsec ready for productive systems?

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby msi » Tue May 13, 2003 3:55 pm

Hello,

do you think that grsecurity is ready to be used in productive systems, which are required to be as secure as possible?
I can't rate the actual status of development. Until now I have only tested it on my private boxes and I was very pleased with the results.

Markus
msi
 
Posts: 29
Joined: Fri Sep 13, 2002 2:37 pm

Re: is grsec ready for productive systems?

Postby hightower » Tue May 13, 2003 5:15 pm

Hi msi,

msi wrote:
Hello,

do you think that grsecurity is ready to be used in productive systems, which are required to be as secure as possible?
I can't rate the actual status of development. Until now I have only tested it on my private boxes and I was very pleased with the results.


well, grsecurity is _rock_ solid, at least for me. I use 1.99* on many production machines (my wolk4 tree) w/o any problems at all. The biggest machine is a server for ~3000 users acting as a file-, print-, VPN-, proxy-, shell-, firewall- and mailserver.

These are the config options for grsec I am using on those machines:

CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CUSTOM=y
CONFIG_GRKERNSEC_PAX_NOEXEC=y
CONFIG_GRKERNSEC_PAX_SEGMEXEC=y
CONFIG_GRKERNSEC_PAX_MPROTECT=y
CONFIG_GRKERNSEC_PAX_KERNEXEC=y
CONFIG_GRKERNSEC_PAX_ASLR=y
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=1001
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_AUDIT_GROUP=y
CONFIG_GRKERNSEC_AUDIT_GID=1007
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_GID=1005
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDISN=y
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
CONFIG_GRKERNSEC_RANDPING=y
CONFIG_GRKERNSEC_SOCKET=y
CONFIG_GRKERNSEC_SOCKET_ALL=y
CONFIG_GRKERNSEC_SOCKET_ALL_GID=1004
CONFIG_GRKERNSEC_SOCKET_CLIENT=y
CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=1003
CONFIG_GRKERNSEC_SOCKET_SERVER=y
CONFIG_GRKERNSEC_SOCKET_SERVER_GID=1002
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

ciao; Marc
hightower
 
Posts: 49
Joined: Wed Mar 06, 2002 11:36 am

Postby mutombo » Sat May 24, 2003 12:00 pm

I'm sorry to say,
but I have used grsecurity now for 2 months and I had to quit.
the system went down more than 20 times in this time. no logfiles give any information about a problem. sometimes the host didn't reboot on its own again. our provider already exchanged our complete server hardware. that's no good to work with this productive.

I'm now back on a plain 2.4.20 kernel, everything is fine!!
mutombo
 
Posts: 3
Joined: Fri Mar 07, 2003 2:24 pm

Postby PaX Team » Sun May 25, 2003 8:05 am

mutombo wrote:
the system goes down this time more than 20 times. no logfiles give any information about a problem.

since this is the first time you posted these problems here, a few standard questions (in hindsight, anyway): what grsecurity version(s) did you use? did you use any other patches along with grsecurity? what is (was) your .config? did you enable ACLs? if so, what do (did) your ACLs look like?

mutombo wrote:
sometimes the host didn't reboot by its own again. our provider already exchanged our complete serverhardware.

i have had one or two reports that indicate a problem with SEGMEXEC (dual GDT) and APM (note that 2.4.20 itself has a problem with APM on SMP). i have a patch for this (for UP only, not SMP), you could have tried it out as well.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
