
Gradm initialization on boot

Posted: Sun Oct 10, 2004 11:47 am
by derez
After reviewing the forum and past mailing lists it seems there were two
approaches to the initialization of the operating system.

1) Start a restrictive firewall that kills all traffic -> Start needed services -> Start Gradm -> Start normal firewall ruleset (mentioned by Brad in this forum)
2) Start Gradm -> Start normal firewall ruleset -> Start needed services (method used by sekko at http://people.roma2.infn.it/~claudio/en/grsec/)

Curious as to what method others are using, and any pros/cons for each?


Danny

Posted: Tue Oct 12, 2004 7:13 am
by spender
I prefer my method, of course, because it allows for stricter policies on services. Many apps do things at startup that they don't need to do while running. For instance, you don't need to give CAP_NET_BIND_SERVICE privileges to inetd, so an attacker can't gain that by exploiting it. As long as you keep your init scripts read-only to everyone but the admin role, there is no harm in doing this.

-Brad
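
The first ordering from the thread (lock down, start services, enable RBAC, then load the normal ruleset), written out as an added example that is not part of either post. The service list, the rules path and the `/etc/init.d` locations are assumptions; by default it only prints the plan, and `DRY_RUN=0` executes it.

```shell
#!/bin/sh
# Added example: "drop all -> services -> gradm -> normal rules" boot order.
# Assumed values (not from the thread): SERVICES, RULES, /etc/init.d paths.
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the plan, 0 = execute it
SERVICES="${SERVICES:-inetd sshd}"     # assumption: services to start
RULES="${RULES:-/etc/iptables.rules}"  # assumption: saved normal ruleset

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

boot_sequence() {
    # 1. Kill all traffic first: services start unconfined, so nothing
    #    may reach them until RBAC is enabled. Policy goes to DROP before
    #    the flush so there is no window with an empty ACCEPT chain.
    for chain in INPUT OUTPUT FORWARD; do
        run iptables -P "$chain" DROP || return 1
    done
    run iptables -F || return 1

    # 2. Start services while RBAC is off. Startup-only work (for inetd,
    #    binding its low ports) happens here, so the running policy does
    #    not have to grant CAP_NET_BIND_SERVICE.
    for svc in $SERVICES; do
        run "/etc/init.d/$svc" start || return 1
    done

    # 3. Enable the RBAC system. On failure, return with the DROP policy
    #    still in place instead of exposing unconfined services.
    run gradm -E || return 1

    # 4. Only now load the normal ruleset.
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables-restore < $RULES"
    else
        iptables-restore < "$RULES"
    fi
}

# Run the sequence only when explicitly asked to.
if [ "${1:-}" = "--boot" ]; then
    boot_sequence
fi
```

Every early return leaves the machine in the all-DROP state, so a failed `gradm -E` keeps the unconfined services unreachable.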