Global + application specific policy
Posted: Mon Dec 08, 2014 10:47 am
Hi All,
I'm working on a project/distribution with a high focus on security. I know that grsec policies should be as specific as possible, but I'm looking for the ability to provide a pre-defined set of policies for roles of the server (e.g. webserver, db server, vpn gateway, mail server, dns server, ...). Roles are managed by the distribution control script, so I would know which applications will be installed and what their configuration will be.
So users would have a chance to generate their own global policy, but could also add a pre-defined specific policy based on the role of their server.
What are the possibilities in this case?
Main questions on my mind:
- is there a chance to have an application-specific policy, while the rest of the system would stay unprotected?
- is there a chance to have multiple policy files (global, webserver specific, DNS server specific, ...) which are all evaluated by grsec, with countermeasures applied accordingly?
- is there a chance that rules in an application-specific policy will overwrite those in the global policy when there is a conflict (import ordering)?
Thank you