I have often considered and even tried a couple of times to set up a hardened box, however I get confused between all the different options and all the different implications. What with SELinux, Grsecurity 1/2, RSBAC, PIE etc. etc.

Also the kernel patching concerns me a bit; I would much rather not have to search around and battle to patch kernels myself if at all possible. I don't get to upgrade the kernel on my production servers very often since company policy is 0 downtime. Also, because these are production servers in use by 1000s of customers, I would have to find a hardened kernel (or whatever) that would have as small an impact on the current workings and config of the systems involved. I have all my partitions formatted (and kernels built) with support for security labels, but that's as far as I've gotten.

Also the idea of splitting up root's permissions into roles is an interesting prospect, but I've yet to find decent documentation on how to implement/use POSIX ROLES.

-----Original Message-----
From: Michael Liesenfelt [mailto:[EMAIL PROTECTED]
Sent: Friday, January 20, 2006 9:46 PM
To: [email protected]
Subject: Re: [gentoo-server] portscanning worm? / GRSecurity

I definitely agree.

xyon wrote:
>down more tightly. I'd also recommend disabling loadable module support in
>your kernel ;)
>
>Also, didn't that paper on the idle scan mention that more random IPIDs
>would help prevent idle scans? GrSecurity has just the feature to take
>care of this. You might want to check into using some of the GRSecurity
>features in the kernel. :)
>
>HTH!
>

I decided to make all of my servers on hardened gentoo kernels without loadable module support. GRSecurity has a number of great features including /proc restrictions, memory randomization, trusted execution, and denial of server sockets to users. The trusted execution is a very powerful feature. "Untrusted users will not be able to execute any files that are not in root-owned directories writable only by root."

Also, I think the Gentoo Infrastructure servers are all hardened boxes.

--
Michael Liesenfelt
University of Florida
Innovative Nuclear Space Power and Propulsion Institute

--
[email protected] mailing list
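As an added example (not code from the thread or from GRSecurity), here is a user-space audit that applies the trusted-execution rule quoted above to a list of directories, so an admin can see before enabling TPE which PATH entries it would treat as untrusted and why. The names `classify`, `audit` and the injectable `stat_fn` are this example's own, and it models only the rule as the thread states it (root-owned, writable only by root), not every grsecurity TPE option.

```python
"""Audit directories against the GRSecurity Trusted Path Execution (TPE)
rule quoted in the thread: an untrusted user may execute a file only if
the file's directory is owned by root and writable by nobody else.
This is an added model of that rule in user space; it reports, it does
not enforce."""
import os
import stat
from typing import Callable, List, Optional, Tuple

ROOT_UID = 0  # TPE treats only root-owned directories as trusted


def classify(st_uid: int, st_mode: int) -> str:
    """Return 'trusted' or the reason a directory fails the TPE rule."""
    if st_uid != ROOT_UID:
        return "untrusted: not owned by root (uid %d)" % st_uid
    writers = [name for bit, name in ((stat.S_IWGRP, "group"),
                                      (stat.S_IWOTH, "other"))
               if st_mode & bit]
    if writers:
        return "untrusted: writable by " + ", ".join(writers)
    return "trusted"


def audit(dirs: List[str],
          stat_fn: Callable = os.stat) -> List[Tuple[str, str]]:
    """Classify each directory. stat_fn is injectable so the logic can be
    exercised against constructed stat results instead of the live system."""
    results = []
    for d in dirs:
        try:
            st = stat_fn(d)
        except OSError as exc:
            results.append((d, "missing: %s" % exc.strerror))
            continue
        results.append((d, classify(st.st_uid, st.st_mode)))
    return results


def audit_path_env(path_env: Optional[str] = None) -> List[Tuple[str, str]]:
    """Audit the directories of a PATH-style string (defaults to $PATH)."""
    if path_env is None:
        path_env = os.environ.get("PATH", "")
    return audit([d for d in path_env.split(os.pathsep) if d])


if __name__ == "__main__":
    # Each 'untrusted' entry is a directory whose binaries TPE would refuse
    # to run for untrusted users; fix ownership/mode or drop it from PATH.
    for d, status in audit_path_env():
        print("%-30s %s" % (d, status))
```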
