Enabling security features
Posted: Sun May 30, 2004 7:01 pmI enabled some og the grsecurity and PaX security features, but none of them seem to be enabled. I used paxtest v0.9.5 to test my system and all of them say I am vulnerable or there is no randomization. Do you need to enable the protections manually for them to take any effect?
I have these security options selected:
Enable different security modles
-Socket and Networking Security Hooks
-Default Linux Capabilities
-NSA SELinux Support
--NSA SELinux boot parameter
Grsecurity
-Address Space Protection
--Deny writting to /dev/kmem, /dev/mem, and dev/port
--Remove addresses from /proc/<pid>/[maps|stat]
--Hide kernel symbols
-Role Based Access Control Options
--Hide kernel processes
-Filesystem Protections
--Proc restrictions
--Additional restrictions
--Linking restrictions
--FIFO restriictions
-Executable Protections
--Enforce RLIMIT_NPROC on execs
--Dmesg(8) restriction
--Randomized PIDs
-Network Protections
--Larger entropy pools
--Truly random TCP ISN selection
--Randomized IP IDs
--Randomized TCP source ports
--Randomized RPC XIDs
-Sysctl support
--Sysctl support
Pax
-Enable various Pax Features
--Pax Control
---Support soft mode
---Use legacy ELF header marking
---Use ELF program header marking
--Non-executable pages
---Enforce non-executable pages
--Address Space Layout Randomization
---Randomize kernel stack base
---Randomize user stack base
---Randomize mmap() base
---Disable the vsyscall page
I have these security options selected:
Enable different security modles
-Socket and Networking Security Hooks
-Default Linux Capabilities
-NSA SELinux Support
--NSA SELinux boot parameter
Grsecurity
-Address Space Protection
--Deny writting to /dev/kmem, /dev/mem, and dev/port
--Remove addresses from /proc/<pid>/[maps|stat]
--Hide kernel symbols
-Role Based Access Control Options
--Hide kernel processes
-Filesystem Protections
--Proc restrictions
--Additional restrictions
--Linking restrictions
--FIFO restriictions
-Executable Protections
--Enforce RLIMIT_NPROC on execs
--Dmesg(8) restriction
--Randomized PIDs
-Network Protections
--Larger entropy pools
--Truly random TCP ISN selection
--Randomized IP IDs
--Randomized TCP source ports
--Randomized RPC XIDs
-Sysctl support
--Sysctl support
Pax
-Enable various Pax Features
--Pax Control
---Support soft mode
---Use legacy ELF header marking
---Use ELF program header marking
--Non-executable pages
---Enforce non-executable pages
--Address Space Layout Randomization
---Randomize kernel stack base
---Randomize user stack base
---Randomize mmap() base
---Disable the vsyscall page