After reviewing the forum and past mailing lists it seems there were two
approaches to the initialization of the operating system.
1) To start a restrictive firewall that kills all traffic -> Start needed
services -> Start Gradm -> Start normal firwall ruleset (mentioned by Brad
in this forum)
2) Start Gradm -> Start normal firewall ruleset -> Start needed services
(method used by sekko at http://people.roma2.infn.it/~claudio/en/grsec/)
Curious to what method others are using and any pros/cons for each?
Danny
Gradm initialization on boot
2 posts
• Page 1 of 1
Gradm initialization on boot
by derez » Sun Oct 10, 2004 11:47 am
- derez
- Posts: 2
- Joined: Sun Oct 10, 2004 11:43 am
by spender » Tue Oct 12, 2004 7:13 am
I prefer my method, of course, because it allows for stricter policies on services. Many apps do things at startup that they don't need to do while running. For instance, you don't need to give CAP_NET_BIND_SERVICE privileges to inetd, so an attacker can't gain that by exploiting it. As long as you keep your init scripts read-only to everyone but the admin role, there is no harm in doing this.
-Brad
-Brad
- spender
- Posts: 2185
- Joined: Wed Feb 20, 2002 8:00 pm
2 posts
• Page 1 of 1