hardened-sources is a great kernel to use. With all the GRSecurity and PaX options enabled it's quite a step above stock.
RBAC (ACL) is a wonderful way to lock down the system, but takes a long time to get right. I would highly recommend mirroring your production environment with a dev environment to play with this feature.

With your company's policy of 0 downtime, they have a load-balanced/cluster environment, correct? If so, rebooting one server shouldn't be a huge deal. If they do not have a load-balanced/cluster environment, 0 downtime is going to be very difficult to maintain.

Just my 2 cents. ;)

On Wed, 2006-01-25 at 12:09 +0200, Jean Blignaut wrote:
> (Hi, I posted this before in the “portscanning worm?” thread but
> thought that people might not have seen it there cause I’ve not had
> any comments/replies?)
>
> I have often considered and even tried a couple of times to set up a
> hardened box, however I get confused between all the different options
> and all the different implications. What with SELinux, Grsecurity 1/2,
> RSBAC, PIE etc. etc.
>
> Also the kernel patching concerns me a bit, I would much rather not
> have to search around and battle to patch kernels myself if at all
> possible.
>
> I don't get to upgrade the kernel on my production servers very often
> since company policy is 0 downtime.
>
> Also, because these are production servers in use by 1000s of customers,
> I would have to find a hardened kernel (or whatever) that would have
> as small an impact on the current workings and config of the systems
> involved.
>
> I have all my partitions formatted (and kernels built) with support
> for security labels, but that's as far as I've gotten. Also the idea
> of splitting up root's permissions into roles is an interesting
> prospect but I've yet to find decent documentation on how to
> implement/use POSIX ROLES

--
[email protected] mailing list
