Services to protect with grsecurity

Post by adk » Wed Mar 26, 2003 4:14 pm

Currently we are testing grsecurity on some of our machines, but are wondering what kind of services should be protected by grsecurity.

It seems clear to us that protecting system services like apache, ssh, etc. makes sense, but what about a firewall script?

Should we set up special rules for this purpose, or will disabling CAP_NET_ADMIN be enough?

Thanks for your help
adk
 
Posts: 6
Joined: Tue Mar 18, 2003 12:53 pm

Post by TGKx » Thu Mar 27, 2003 1:48 am

A strict default ACL for the system; any processes that will be run by root should have their own ACL, as should any processes that will need more access than the default restrictive ACL.

You can set your firewall script to be read-only so it can't be modified.

These should be a good start.
TGKx
 
Posts: 50
Joined: Wed Feb 19, 2003 4:39 am

Post by spender » Thu Mar 27, 2003 11:53 am

What I like to do is start the ACL system after all startup services have loaded. This saves you a lot of work, and allows you to set more restrictive ACLs on your daemons. Any kind of administrative tasks should not be given privileged ACLs, but rather should be done through administration mode.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

