[LUG.ro] Security on Linux

Alberto Ferrer lugro@lugro.org.ar
Tue, 13 Jan 2004 16:23:48 -0300



It's an advanced security patch for the kernel, with these features:

grsecurity 2.0 RBAC features:
# Role-Based Access Control
# User, group, and special roles
# Role transition tables
# IP-based roles
# Non-root access to special roles
# Special roles that require no authentication
# Nested subjects
# Variable support in configuration
# And, or, and difference set operations on variables in configuration
# Object mode that controls the creation of setuid and setgid files
# Create and delete object modes
# /dev/grsec entry for kernel authentication and learning logs
# Next-generation code that produces least-privilege policies for the entire system with no configuration
# Full pathnames for offending process and parent process
# RBAC status function for gradm
# /proc/<pid>/ipaddr gives the remote address of the person who started a given process
# All other features of grsecurity 1.9.x MAC system

Chroot restrictions:
# No attaching shared memory outside of chroot
# No kill outside of chroot
# No ptrace outside of chroot (architecture independent)
# No capget outside of chroot
# No setpgid outside of chroot
# No getpgid outside of chroot
# No getsid outside of chroot
# No sending of signals by fcntl outside of chroot
# No viewing of any process outside of chroot, even if /proc is mounted
# No mounting or remounting
# No pivot_root
# No double chroot
# No fchdir out of chroot
# Enforced chdir("/") upon chroot
# No (f)chmod +s
# No mknod
# No sysctl writes
# No raising of scheduler priority
# No connecting to abstract unix domain sockets outside of chroot
# Removal of harmful privileges via capabilities
# Exec logging within chroot

And it has a LOT more. It's VERY good, but configure it and read carefully; the rest is here:

http://www.grsecurity.org/features.php

On Mon, 12 Jan 2004 12:58:35 -0300
ArinoO@bancobsf.com.ar wrote:

> Pardon my ignorance, but what the h... is GR-Security?
> 
> -----Original message-----
> From: Alberto Ferrer 
> 
> Compile yourself a kernel with GR-Security, and as long as it doesn't have
> any old or "exploitable" software, give him a little shell; get some
> protection against fork bombs, so
> they don't try to hang your PC. I think that's enough.
> 
> On Sun, 11 Jan 2004 22:40:48 +0000
> _______________________________________________
> Lugro mailing list
> Lugro@lugro.org.ar
> http://www.lugro.org.ar/mailman/listinfo/lugro
> 
> 


-- 
--------------------------
     Alberto Ferrer
  albertof@barrahome.org
 http://www.barrahome.org
JID: albertof@dattatec.com
--------------------------
SNMP = Security? Not My Problem!

