a few questions before i install

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby TheOneAndOnlySM » Sat Aug 21, 2004 2:27 pm

i am going to compile my 2.6.7 kernel with the latest grsecurity; i have patched my tree successfully

if someone could clarify these for me, it would be appreciated:
1.) will compiling in grsecurity (let's say at medium level) and pax slow down my kernel and system? even in the most insignificant slowdown, i just want to know
2.) is there an option for randomized PID's? (and is it enabled in medium security?)
3.) after compiling in grsecurity (and with sysctl enabled) and pax, are all the settings enabled once the kernel loads, or do i have to echo or use a program to enable the security?
4.) what is the iptables stealth module patch? what do i patch that against, and how do i use it? (will it let me stealth my port 80 even while i run an apache server there?)
5.) what log files does grsecurity and pax log to?
6.) i run a single machine with a bunch of servers (nfs, apache, sendmail, mysql, etc) on my daily-computer-use machine mostly just for fun and security isn't an enormous issue, but i'd like to avoid getting hacked without sacrificing my daily programs (which is why i'm settling for medium security without proc restrictions) - will grsecurity or pax hinder the usage of any of these servers?
TheOneAndOnlySM
 
Posts: 4
Joined: Sat Aug 21, 2004 2:13 pm

Postby TheOneAndOnlySM » Fri Sep 03, 2004 8:20 pm

anyone? can no one answer a single question?

i've gone ahead and compiled in some grsecurity options, but running paxtest says that i am vulnerable to all tests; i have pax options set, so how do i enable them?
TheOneAndOnlySM
 
Posts: 4
Joined: Sat Aug 21, 2004 2:13 pm

Postby fonya » Thu Sep 09, 2004 4:50 am

Hi!

1: Try it! Maybe it will be slower than before.
2: If You see Configure.help, You can find Your answer easily... Yes, the pids will be randomised /if You choose low security it will be randomized too./
3: If You select the CONFIG_GRKERNSEC_SYSCTL, You must echo, or something, to enable some special features, or change behavior.
4: See Configure.help:

Enabling this option will drop all syn packets coming to unserved tcp
ports as well as all packets coming to unserved udp ports. If you
are using your system to route any type of packets (ie. via NAT)
you should put this module at the end of your ruleset, since it will
drop packets that aren't going to ports that are listening on your
machine itself, it doesn't take into account that the packet might be
destined for someone on your internal network if you're using NAT for
instance.

5: In my system grsec.log :) It uses the kernel ring buffer.
6: Maybe. Try it, and configure the pax, and grsec right.

And see the docs, if You don't know what You do, the security will be weak.
fonya
 
Posts: 36
Joined: Thu Mar 28, 2002 11:22 am

Postby TheOneAndOnlySM » Fri Sep 10, 2004 9:25 pm

thanks for replying!

do you know what i need to echo and where i echo these to? (i assume somewhere in proc)
TheOneAndOnlySM
 
Posts: 4
Joined: Sat Aug 21, 2004 2:13 pm

Postby fonya » Sat Sep 11, 2004 1:55 pm

In the /proc/sys/kernel/grsecurity, and /proc/sys/kernel/pax I think, but I don't use the sysctl code, I compile it in the kernel.

For example:
echo 1 > /proc/sys/kernel/grsec/something
or,
sysctl -w kernel.grsec.something=1

BTW, if You don't know this, why do You want to use it? This is the basic knowledge for the kernel runtime configuration. Please read some docs, before
You start this. (All grsec related docs in the Configure.help, all docs in the grsec site, and http://www.grsecurity.net/~spender/doc/ http://www.grsecurity.net/~spender/quickstart.doc and in the linux source Documentation/sysctl/*)
fonya
 
Posts: 36
Joined: Thu Mar 28, 2002 11:22 am
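The echo/sysctl mechanism fonya describes has one ordering caveat worth seeing in code: grsecurity's sysctl tree carries a lock toggle, and once it is set the remaining toggles cannot be changed until reboot, so every feature must be enabled before the lock. The script below is an added example, not code from the thread or from grsecurity itself; it assumes the tree lives at /proc/sys/kernel/grsecurity, assumes the toggle names rand_pids, exec_logging and grsec_lock, and by default operates on a constructed stand-in directory so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): enable grsecurity sysctl toggles in
# the safe order, every feature first and grsec_lock last, then report.
# Toggle names are assumptions; on a real system set
# GRSEC_ROOT=/proc/sys/kernel/grsecurity. The default is a constructed
# temporary tree so the example can run offline without grsecurity.
GRSEC_ROOT="${GRSEC_ROOT:-$(mktemp -d)}"

# Build the constructed tree: three toggles, all off, like a fresh boot.
make_fake_tree() {
    for t in rand_pids exec_logging grsec_lock; do
        echo 0 > "$GRSEC_ROOT/$t"
    done
}

# Write one toggle. The kernel rejects writes once grsec_lock is 1; we check
# first so the failure is explicit instead of a silent leftover setting.
set_toggle() {
    name="$1"; value="$2"
    if [ "$(cat "$GRSEC_ROOT/grsec_lock")" = "1" ]; then
        echo "refusing: grsec_lock already set, $name cannot change" >&2
        return 1
    fi
    echo "$value" > "$GRSEC_ROOT/$name"
}

# Enable the wanted features, then lock. Order matters: the lock goes last.
grsec_apply() {
    for t in rand_pids exec_logging; do
        set_toggle "$t" 1 || return 1
    done
    set_toggle grsec_lock 1
}

# Count feature toggles still at 0 (the lock itself is not a feature).
grsec_disabled_count() {
    n=0
    for f in "$GRSEC_ROOT"/*; do
        [ "$(basename "$f")" = grsec_lock ] && continue
        [ "$(cat "$f")" = "0" ] && n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone demo on the constructed tree only; never touches a real /proc.
case "$GRSEC_ROOT" in
    /proc/*) ;;
    *) make_fake_tree; grsec_apply; echo "disabled toggles: $(grsec_disabled_count)" ;;
esac
```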

Postby TheOneAndOnlySM » Sat Sep 11, 2004 5:11 pm

well, i want to learn, so i have to find some resources, and the best resources are humans themselves; that is why i like forums

i know about sysctl, i just didn't know where the sysctl options were located; thanks for the information, grsecurity is working, but....

PaX still doesn't seem to be doing anything; running paxtest still shows everything with vulnerabilities, even when i have the randomisation options set and elf header marking, etc - i have tried with softmode enabled and disabled, but i cannot see anything in proc related to PaX

kernel 2.6.7 with latest grsec path... any ideas?
TheOneAndOnlySM
 
Posts: 4
Joined: Sat Aug 21, 2004 2:13 pm

Postby PaX Team » Sun Sep 12, 2004 4:49 am

TheOneAndOnlySM wrote:
well, i want to learn, so i have to find some resources, and the best resources are humans themselves; that is why i like forums

then feel free to use this one as well ;-), there's a search button somewhere at the top, look for EI_PAX and read those threads, hopefully they will help.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
