taking feature requests

Discuss and suggest new grsecurity features

taking feature requests

Postby spender » Wed Mar 20, 2002 5:06 pm

what features would you like to see in new versions of grsecurity? post them here. Here's some things we have already planned:

native encrypted swap support (just like openbsd)
per-binary passwords for the authentication system
auto-generated acls

i'm also thinking of writing some kind of web-based admin tool focusing more on keeping watch and taking control over your users
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Stuff also being worked on

Postby michaeld » Wed Mar 20, 2002 10:32 pm

I'm working on time support for acls like in LIDS, as well as improved documentation(anyone interested in writing docs please contact me), and inheritance levels.
michaeld
 
Posts: 37
Joined: Mon Feb 25, 2002 12:32 am

Re: taking feature requests

Postby lazy » Tue Mar 26, 2002 10:32 am

spender wrote:what features would you like to see in new versions of grsecurity? post them here. Here's some things we have already planned:

i would like to see sth like BIND_ONCE to allow a daemon to bind
to the port only once

AFAIK there is sth similar in in LIDS
lazy
 
Posts: 1
Joined: Tue Mar 26, 2002 10:24 am

OpenBSD

Postby ktr » Tue Apr 02, 2002 7:19 am

This might be a little bit far off, but I'm wondering if you have any plans porting grsecurity to other platforms. OpenBSD for instance. :roll:
ktr
 
Posts: 4
Joined: Tue Apr 02, 2002 7:16 am

Actually...

Postby michaeld » Tue Apr 02, 2002 10:50 am

I had considered porting the ACL system at one time. Its a little far off, but yeah its probably doable. It'd be a nasty job, but there's nothing specifically tieing us to linux.
michaeld
 
Posts: 37
Joined: Mon Feb 25, 2002 12:32 am

openbsd?

Postby RG » Tue Apr 02, 2002 4:18 pm

does it really need such a thing to improve system security?
which parts of grsec aren't present in OpenBSD, and which aren't present in TrustedBSD?? :roll:
RG
 
Posts: 5
Joined: Mon Mar 04, 2002 5:05 pm

many

Postby spender » Tue Apr 02, 2002 4:44 pm

there's many things that aren't present in openbsd. Really the only things that are present in bsd are some of the chroot stuff (via its jail interface) and the randomized options. There's still plenty more features of grsecurity to port.
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

TrustedBSD

Postby michaeld » Wed Apr 03, 2002 1:28 am

TrustedBSD uses POSIX .1e ACLS, which are limited, fs-specific ACLs, as well as Biba/MLS acl models. Our acl system is more robust than Biba/MLS, which are more suited
to certain military situations (hmm..DARPA funding for
TrustedBSD and military situation-friendly ACLs..surprise:).
If requested we can support the classification of files
by "integrity" like Biba does with relative ease, as well
as possessing our file / program acl checks and capability
management. We also have a fs-independant ACL system,
unlike POSIX .1e ACLs, so our portability is superior. FreeBSD
has LOMAC committed, something by the TrustedBSD guy that
divides the system into trusted and untrusted files. I don't
think I need to compare that to grsecurity's acl system,
although I will concede that it is most likely easier to
configure due to its simpler nature. Hope this helped

Michael
michaeld
 
Posts: 37
Joined: Mon Feb 25, 2002 12:32 am

Same old

Postby ktr » Tue Apr 23, 2002 8:15 am

It would be great to have the various log features ported to OpenBSD. The CONFIG_GRKERNSEC_EXECLOG - for instance - would be great to have on servers with shell users present.

You're doing a great job!
ktr
 
Posts: 4
Joined: Tue Apr 02, 2002 7:16 am

resources

Postby ryan » Wed May 29, 2002 3:49 am

one of the biggest problems i encounter with my web hosting service - is problems with fork bombs or other attacks targeted to consume resources.

PAM Resource limiting is good but it lacks some features (e.g: logging). To that effect i also encounter users trying to run scripts via apache (php, perl and other types of scripts) that attempt to consume resources. This is not something that occurs all the time but when it does it is offten a a painfull task in tracking offending users (lack of logging ?) and more so preventing such attacks.

So i think it would be very nice if grsecurity provided some type of resource limiting of some type or something similar. Perhaps there is already such features in the works and i just dont know :P
ryan
 
Posts: 13
Joined: Tue Mar 26, 2002 6:48 am

Postby Technion » Thu May 30, 2002 7:33 am

grsecurity already provides fork bomb protection. Have a look through the "features" page.
Technion
 
Posts: 15
Joined: Thu Apr 25, 2002 12:23 am

core dumps

Postby Technion » Thu May 30, 2002 7:35 am

One suggestion a friend of mine was interested in was getting killed processes (by PaX/Openwall) to, instead of just logging the EIP and the data there, drop a core dump, so if someone was so inclined they could see _exactly_ what the user was trying to do at the time.
Technion
 
Posts: 15
Joined: Thu Apr 25, 2002 12:23 am

ick

Postby spender » Thu May 30, 2002 2:06 pm

something like that would get too yucky. There's reasons why sometimes you don't want to coredump. One of them is that you don't want files left around that contain sensitive information. fork bomb protection is removed in 1.9.5, as there's many other ways to raise huge loads on a server, and you can handle limiting the number of processes in PAM in a more fine-grained way.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

fork bomb

Postby ryan » Thu May 30, 2002 5:22 pm

you mean a fork bomb feature... yes i know its their and have used it - it doesnt do me much good. If a user writes a perl script to exectue itself 10,000 times and runs it via apache - the fork bomb features of grsecurity prove uselss (of cource).

What im saying is grsecurity needs more features surounding restrictions on resources - i dont know if this is somthing to be considered for the ACL system or the core grsec path.
ryan
 
Posts: 13
Joined: Tue Mar 26, 2002 6:48 am

MD5 check on binaries?

Postby blueberry » Fri Jun 14, 2002 5:43 am

Could we get MD5 sums on selected sensitive binaries (suid/sgid f.ex.)
that were checked against a central db before execution?

That way we could get rid of trojans and rootkits alike... Seen it done
in a couple of firewalls on Win.

-blue
blueberry
 
Posts: 5
Joined: Sat Jun 08, 2002 4:22 pm

Next

Return to grsecurity development

cron