On 14/02/06, Ow Mun Heng <[EMAIL PROTECTED]> wrote: > Ah.. Mr. Millar. I have seen your name before. In those exact same BUgs > I have see the patches and I am going to see if I can duplicate it. (I > have downgraded the original server from a hardened sources to vanilla > sources just because of this "feature"
Yes, it's apparently a problem with the kill/killall application. Perhaps the fix would be best applied there in the longer term. But the kernel-side patch in question definitely resolves the issue. > ps : hardenend-sources config sample anyone? > Here's a simple ".config" from one of my boxes which is fairly typical of the sort of configuration I'd use (remember not to select PAGEEXEC as the default if you're using P4/Xeon though; SEGMEXEC is the better option there). Note that this example has exec logging enabled which can make a lot of noise. However, because sysctl funtionality is enabled you can disable that at boot with sysctl.conf or in /etc/conf.d/local.start. Here's an example snippet: # Uncomment when building gentoo in a chroot # kernel.grsecurity.chroot_caps = 0 # kernel.grsecurity.chroot_deny_chmod = 0 # Disable exec logging by default kernel.grsecurity.exec_logging = 0 # Uncomment to prevent modules from being loaded/unloaded # kernel.grsecurity.disable_modules = 1 # Uncomment this to lock down grsec options (advisable) # kernel.grsecurity.grsec_lock = 1 Incidentally, I'm currently looking at refining the default syslog-ng.conf policy which is provided in the hardened case. It's based on debian's logging policy with selinux/grsec/pax specific logging hooks. However, it has a few flaws (ends up duplicating messages between separate logs unnecessarily for example). I'll probably file a bug on that once I'm satisfied with the revision. Regards, --Kerin
dot-config_2.6.14-hardened-r6
Description: Binary data
