general hints

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Moderators: spender, PaX Team

general hints

Postby elv » Wed Mar 06, 2002 2:20 pm

hi, what about the patch compressed in bz2 and gz format ?
elv
 
Posts: 4
Joined: Wed Mar 06, 2002 2:18 pm
Location: memphis

re:

Postby spender » Wed Mar 06, 2002 3:09 pm

yea, i'll start doing that for 1.9.5. i've got mod_gzip on my server so if you're using a http/1.1 browser, it should gzip it on its way to you.
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

A bit more info?

Postby rizza » Fri Mar 08, 2002 7:28 am

Hiya,

I saw you have created RPM's with kernel and applied patch, this is verry nice ofcource but it said "low, medium or high security" also these options are verry nice, but it would help to know what kinda security is low ? and what kinda security is high ? what have you got enabled in the rpm's. I tried to search but i coulnd find anything about it.

It could be just silly me :D

best regards,
rizza
rizza
 
Posts: 1
Joined: Fri Mar 08, 2002 7:25 am

here

Postby spender » Fri Mar 08, 2002 8:32 am

here's your answer, straight from the features page:

Low additional security
-----------------------------------------------------------------------
If you choose this option, several of the grsecurity options will
be enabled that will give you greater protection against a number
of attacks, while assuring that none of your software will have any
conflicts with the additional security measures. If you run a lot of
unusual software, or you are having problems with the higher security
levels, you should say Y here. With this option, the following features
are enabled:

linking restrictions
fifo restrictions
secure fds
random pids
enforcing nproc on execve()
restricted dmesg
random ip ids
enforced chdir("/") on chroot
secure keymap loading

Medium additional security
-----------------------------------------------------------------------
If you say Y here, several features in addition to those included in the
low additional security level will be enabled. These features provide
even more security to your system, though in rare cases they may
be incompatible with very old or poorly written software. If you
enable this option, make sure that your auth service (identd) is
running as gid 10 (usually group wheel). With this option the following
features (in addition to those provided in the low additional security
level) will be enabled:

random tcp source ports
altered ping ids
failed fork logging
time change logging
signal logging
deny mounts in chroot
deny double chrooting
deny mknod in chroot
/proc restrictions with special gid set to 10 (usually wheel)
pax's random mmap

High additional security
----------------------------------------------------------------------
If you say Y here, many of the features of grsecurity will be enabled,
that will protect you against virtually all kinds of attacks against
your system. The much hightened security comes at a cost of an
increased chance of incompatabilities with rare software on your
machine. It is highly recommended that you view
and read about each option. Since
this security level enabled PaX, you should also view
and read about the PaX project. While
you are there, download chpax.c and run chpax -p on binaries that cause
problems with PaX. Also remember that since the /proc restrictions are
enabled, you must run your identd as group wheel (gid 10). The
grsecurity ACL system is also enabled in this level. To learn how to
correctly configure it, view the ACL documentation on
. This security level enables the following
features in addition to those listed in the low and medium security
levels:

grsecurity ACL system
additional /proc restrictions
signal restrictions in chroot
chmod restrictions in chroot
no ptrace in chroot
priority restrictions in chroot
PaX - random mmap, noexec on all memory pages, restricted mprotect
fixed mmap restrictions
mount/unmount/remount logging
restricted ptrace (only root and users in group wheel (gid 10) are
allowed to ptrace)
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA


Return to grsecurity support