On Mon, 2016-02-01 at 15:08 +0100, HacKurx wrote:
> I just saw the changes in your recent release. I still have a few remarks:
> 
> 1] Recommendation for compatibility with Ubuntu systems: rename
> grsec.conf to 10-grsec.conf or 30-grsec.conf; see /etc/sysctl.d/README
> (Ubuntu procps).

Can you provide it? I'm not against it but as it's a config file it needs to
be handled properly so honestly I'm all in favor of doing nothing :)

> 2] chmod 600 if possible! If an attacker gets access to the system (a system
> without RBAC), this file indicates the grsecurity options which are
> deactivated... Practical when trying to become root.

Yeah, I guess so.

> 3] Consider adding in postinst "usermod -aG grsec-tpe root ||true" to
> avoid many problems (systemd).

That doesn't look like a good idea at first sight. First, I'm unsure if TPE
restrictions apply to uid 0 (and if adding it to grsec-tpe will change
anything). Second, if it's actually useful, that's something which should be
done on a per-system basis, I think.

Regards,
-- 
Yves-Alexis
