Is PAX built into GrSecurity?
Posted: Thu Mar 16, 2006 8:29 am
Sorry for the maybe stupid question, but I don't understand PAX's role in GrSecurity.
I have a web server and I prepared 2 kernels for it, let's say NORMAL and SECURE, both without module support. NORMAL is to test if my server still works, and SECURE = NORMAL + GrSecurity is to use GrSecurity. Easy.
I would like to use the option CONFIG_GRKERNSEC_PROC_MEMMAP in "Address Space Protection --->" and others which talk about PAX features, but I don't know: should I use all the "PaX Control --->" suboptions? If I check them, should I download and compile/recompile other software?
At the moment I have kernel 2.4.32 + grsec 2.1.7 and in "PaX Control" I have only (none) MAC system integration.
In the PDF grsecurity QuickStart Guide, "Support soft mode" is OFF, "Use legacy ELF header marking" is ON, "Use ELF program header marking" is ON.
What should I do?
(Debian Linux 3.1r1 up-to-date with chrooted Apache 2.0.55 worker + PHP 4.2.2 on Intel PIII)
#
# Grsecurity
#
CONFIG_GRKERNSEC=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_SHA256=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MID is not set
# CONFIG_GRKERNSEC_HI is not set
CONFIG_GRKERNSEC_CUSTOM=y
#
# PaX Control
#
# CONFIG_GRKERNSEC_PAX_SOFTMODE is not set
# CONFIG_GRKERNSEC_PAX_EI_PAX is not set
# CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS is not set
CONFIG_GRKERNSEC_PAX_NO_ACL_FLAGS=y
# CONFIG_GRKERNSEC_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_GRKERNSEC_PAX_HOOK_ACL_FLAGS is not set
#
# Address Space Protection
#
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_RTC=y
# CONFIG_GRKERNSEC_PROC_MEMMAP is not set
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y
#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set
#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDSRC=y
# CONFIG_GRKERNSEC_SOCKET is not set
#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
#
# Logging options
#
CONFIG_GRKERNSEC_FLOODTIME=2
CONFIG_GRKERNSEC_FLOODBURST=4