Grsecurity patches on Debian

2005-02-07 Thread Marcus Williams
Hi -
Has anyone any advice on using grsecurity on a server running Debian 
(testing) - I'm thinking about patching my new kernel with the 
grsecurity stuff and starting to use it but I'm unsure of what I can 
expect. Are the defaults going to break (or stop from functioning) 
anything obvious (namely sshd/apache etc)? This is a remote box so I 
want to avoid losing network access etc.

Initially I'm going to set it up as in the Quick Start docs on the 
grsecurity site. Has anyone advice where to start after that?

Cheers
Marcus
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]


Re: Grsecurity patches on Debian

2005-02-07 Thread Andras Got
Hi,
You should start with grsec low and proc restrictions set customly. Hardening your kernel is always an 
option. The grsec default high settings, and PaX break Jetty (java server container) in two, so it 
simply won't start, gradm won't help as far as I know. After the grsec default low settings you should read 
about the functions grsec has, and consider which one is good for you or worth using. I have grsec 
default high (+ the new extras set) kernels on gateways and one prod webserver. It works very well 
so far. Grsec+PaX itself won't break any program that doesn't do anything weird or unusual and 
suspicious. When you use chroot (postfix uses it by default), grsec can harden your chroot 
systems very well.

Regards,
Andrej

Re: Grsecurity patches on Debian

2005-02-07 Thread Jan Lühr
Greetings,..

On Monday, 7 February 2005 14:10, Andras Got wrote:
> Hi,
>
> You should start with grsec low and proc restrictions set customly.
> Hardening your kernel is always an option. The grsec default high settings,
> and PaX break Jetty (java server container) in two, so it simply won't
> start, gradm won't help as far as I know. After the grsec default low settings you
> should read about the functions grsec has, and consider which one is good
> for you or worth using. I have grsec default high (+ the new extras set)
> kernels on gateways and one prod webserver. It works very well so far.
> Grsec+PaX itself won't break any program that doesn't do anything weird or
> unusual and suspicious. When you use chroot (postfix uses it by default),
> grsec can harden your chroot systems very well.

Well, once I had some trouble using wine on an openwall patched terminal 
server.
I don't know whether these issues still apply.

Keep smiling
yanosz


Re: Grsecurity patches on Debian

2005-02-07 Thread Thomas Sjögren
On Mon, Feb 07, 2005 at 02:10:07PM +0100, Andras Got wrote:
> You should start with grsec low and proc restrictions set customly.
> Hardening your kernel is always an option.

Running grsec isn't a problem, I use it on both clients and servers.
Don't start with grsec low but with the custom option,
CONFIG_GRKERNSEC_CUSTOM, and read the help sections.

> The grsec default high settings,

IIRC it defaults to custom.

> and PaX break Jetty (java server container) in two, so it simply won't
> start, gradm won't help as far as I know.

Changing PaX settings is done by chpax or paxctl. gradm is for the ACL. If 
something breaks,
chpax -peMRXs usually works; after that it's about fine tuning.

/Thomas

Re: Grsecurity patches on Debian

2005-02-07 Thread Andras Got
Hi,
That's it, the chpax. I tried these things almost a year ago with JSP thingy. I googled and the 
like, but chpax didn't help.

I meant that I selected high settings, then selected custom, then did some 
changes. :)
A.


Re: Grsecurity patches on Debian

2005-02-07 Thread Xavier Sudre
Using grsecurity with level set to High enables PaX features.
This works well on most daemons delivered as packages in Debian Woody
and hopefully testing. At least this is the case for Apache, Postfix and Cyrus.

Whenever there is a problem with a binary there will be a log trace in
the syslog specifying the binary that was terminated. You can correct
the problem by using chpax.

Xavier.

-- 
Xavier Sudre
Homepage: http://xavier.sudre.fr/
Email:[EMAIL PROTECTED]
GPG key:  http://xavier.sudre.fr/gpg/xavier.asc
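
The syslog check described in the message above, as an added example that is not part of the original thread: it lists which binaries PaX terminated and how often, so per-binary flags can be reviewed one at a time. The `PAX: terminating task:` line layout, the host name and the paths in the sample are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample syslog lines (assumed PaX log layout, hypothetical host and paths).
sample_log() {
cat <<'EOF'
Feb  7 14:02:11 web1 kernel: PAX: terminating task: /usr/bin/java(java):2231, uid/euid: 1001/1001, PC: 4a3f1000, SP: bfffe5c0
Feb  7 14:05:40 web1 sshd[811]: Accepted publickey for admin from 192.0.2.10 port 40022 ssh2
Feb  7 14:09:02 web1 kernel: PAX: terminating task: /usr/bin/java(java):2260, uid/euid: 1001/1001, PC: 4a3f1000, SP: bfffe5c0
Feb  7 15:30:19 web1 kernel: PAX: terminating task: /opt/app/bin/server(server):3120, uid/euid: 1000/1000, PC: 08049f00, SP: bffff1a0
EOF
}

# Read syslog text on stdin and print "<count> <path>" for every binary
# that PaX terminated, most frequently killed first.
pax_killed_binaries() {
    # Keep only the termination lines and reduce each to the binary path,
    # i.e. the text between "terminating task: " and the "(comm)" suffix.
    sed -n 's/.*PAX: terminating task: \(\/[^(]*\)(.*/\1/p' |
        sort | uniq -c | sort -k1,1nr -k2 |
        # Normalise the padded output of uniq -c; keeps paths containing spaces.
        awk '{ c = $1; sub(/^ *[0-9]+ /, ""); print c, $0 }'
}

# With file arguments (for example a kernel log), analyse those files;
# without arguments, run on the constructed sample.
if [ "$#" -gt 0 ]; then
    cat -- "$@" | pax_killed_binaries
else
    sample_log | pax_killed_binaries
fi
```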





Re: Grsecurity patches on Debian

2005-02-07 Thread Konstantin Filtschew
hi,

I have used Grsecurity with High level for over 2 years now on 2.4.X without
any problems running Debian woody. These daemons work fine:
ssh
postfix
courier-imap (with and without ssl)
courier-pop (with and without ssl)
apache
apache-ssl
mysql
snort
and a few others ...

The best way would be for you to test this configuration offline on a
system with the same packages and then install it on the production
system.

For further questions and special questions you can contact the grsecurity
mailing list. It is a very low traffic list and Brad Spengler helps you
with every question, or the PaX team.

Greetz

Konstantin




Building an operation system without source code,
is like buying a  self assemble space shuttle without
instructions.

