On 14/02/06, Ow Mun Heng <[EMAIL PROTECTED]> wrote:

> Ah.. Mr. Millar. I have seen your name before. In those exact same BUgs
> I have see the patches and I am going to see if I can duplicate it. (I
> have downgraded the original server from a hardened sources to vanilla
> sources just because of this "feature"

Yes, it's apparently a problem with the kill/killall application.
Perhaps the fix would be best applied there in the longer term. But
the kernel-side patch in question definitely resolves the issue.

> ps : hardenend-sources config sample anyone?
>

Here's a simple ".config" from one of my boxes which is fairly typical
of the sort of configuration I'd use (remember not to select PAGEEXEC
as the default if you're using P4/Xeon though; SEGMEXEC is the better
option there). Note that this example has exec logging enabled which
can make a lot of noise. However, because sysctl funtionality is
enabled you can disable that at boot with sysctl.conf or in
/etc/conf.d/local.start. Here's an example snippet:

  # Uncomment when building gentoo in a chroot
  # kernel.grsecurity.chroot_caps = 0
  # kernel.grsecurity.chroot_deny_chmod = 0

  # Disable exec logging by default
  kernel.grsecurity.exec_logging = 0

  # Uncomment to prevent modules from being loaded/unloaded
  # kernel.grsecurity.disable_modules = 1

  # Uncomment this to lock down grsec options (advisable)
  # kernel.grsecurity.grsec_lock = 1

Incidentally, I'm currently looking at refining the default
syslog-ng.conf policy which is provided in the hardened case. It's
based on debian's logging policy with selinux/grsec/pax specific
logging hooks. However, it has a few flaws (ends up duplicating
messages between separate logs unnecessarily for example). I'll
probably file a bug on that once I'm satisfied with the revision.

Regards,

--Kerin

Attachment: dot-config_2.6.14-hardened-r6
Description: Binary data

Reply via email to