> Without hardened userland only in access controls. You can implement > for example one Trusted Path Execution with LIDS, RSBAC, GRSEC or > SELinux. They could try to stop crackers that gain unpriviledge access > to the host (with a remote exploit for example) to execute exploits to > scale priviledges. They could give you one least priviledge approach > (as PaX does) and other useful things, as isolation of daemons, > resources controls. And a lot of more. With TPE however, untrusted > scripts (exploits) could be launched without execution rights, and > even restricting the use of perl and python, you must grant your users > the access to bash.
Thank you for taking the time to explain, but I'm afraid I don't understand. I'm looking for things I can implement that don't require me to understand their inner workings. This is not ideal, but I only have so much time to devote to sysadmin duties since I'm not a real sysadmin. My server runs a hardened profile because it hasn't caused any problems, but running a hardened profile on my desktops has proven to be too difficult. All of my systems run a hardened kernel but the only hardened feature I've enabled in the kernel is Grsecurity set to medium or low depending on the system. Do the hardened profile and hardened kernels do me any good without further configuration? - Grant >>> In terms of userland, non hardened profile doesn't protect you at all >>> against buffer overflows, you are removing one important security >>> layer. SSP protects you against buffer overflows in terms that the >>> vulnerable application gets killed when the canary is modified before >>> the execution of the arbitrary code. PIE protects you against return >>> into libc attacks that doesn't need an executable stack. PaX is not >>> perfect and needs them as complementary solutions. For example I think >>> that RANDEXEC was removed from PaX time ago, one buffer overflow that >>> uses return into libc attack could be succesfully against one >>> non-hardened binary. Since skype is a network oriented software... >> >> In what situations is a hardened kernel useful? >> >> - Grant
