Gradm initialization on boot

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Gradm initialization on boot

Postby derez » Sun Oct 10, 2004 11:47 am

After reviewing the forum and past mailing lists it seems there were two
approaches to the initialization of the operating system.

1) To start a restrictive firewall that kills all traffic -> Start needed
services -> Start Gradm -> Start normal firwall ruleset (mentioned by Brad
in this forum)
2) Start Gradm -> Start normal firewall ruleset -> Start needed services
(method used by sekko at http://people.roma2.infn.it/~claudio/en/grsec/)

Curious to what method others are using and any pros/cons for each?


Danny
derez
 
Posts: 2
Joined: Sun Oct 10, 2004 11:43 am

Postby spender » Tue Oct 12, 2004 7:13 am

I prefer my method, of course, because it allows for stricter policies on services. Many apps do things at startup that they don't need to do while running. For instance, you don't need to give CAP_NET_BIND_SERVICE privileges to inetd, so an attacker can't gain that by exploiting it. As long as you keep your init scripts read-only to everyone but the admin role, there is no harm in doing this.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm


Return to grsecurity support