Linux Users' Group of Davis (LUGOD)
The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] Linux file/module security proposal.

Quoting Bill Broadley (bill@cse.ucdavis.edu):

> Yup, /dev/kmem, /dev/mem and friends need protected, I think that's default 
> these days, might need a tweak or two, it's been implemented with selinux, 
> seclvl, er, I think grsecurity and a few others.

I've in the past had very good experience with grsecurity on 2.4 kernels.
There was a while when it was unclear what exactly would happen in the
2.6 series, but that's been resolved:  Now, you get a kernel patch with
the buffer-protecting PaX scheme (enforcement of non-executable pages,
protection of /dev/kmem / /dev/mem / /dev/port, etc.), improved /tmp
handling (anticipating race-condition attacks), control over who's
allowed what process information, a number of filesystem protections,
improved PID and TCP/IP source port randomisation, and an optional RBAC
framework.  I really think it should be routinely preferred for default
systems (although as usual RBAC complicates one's life and is best
approached with caution if at all).

Maybe I'm shiftless, but I've seldom more than kicked the tires of any
RBAC -- and, in that, I think I have a great deal of company.  Most
real-world RBAC on Linux amounts to "I installed {Fedora|RHEL|CentOS},
and it came with something called an 'SELinux targeted policy', which
I left alone until {a Web app|a CGI|syslog-ng|cacti|a proprietary video
driver} didn't work, and I couldn't figure out the required SELinux
policy tweak, so I turned it off."
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
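As an added illustration (not from the post, and not grsecurity's own tooling), the following shell audit checks whether the mainline-kernel counterparts of the protections named above are in effect: address-space randomisation, absence of /dev/kmem, the sticky-directory symlink/hardlink restrictions that defuse /tmp races, hidepid on /proc for process-information exposure, Yama ptrace scope and dmesg restriction. The ROOT variable is an assumption of this script so the checks can be pointed at another directory tree.

```shell
#!/bin/sh
# Added audit script (not from the post and not grsecurity's own tooling):
# checks whether mainline-kernel equivalents of the PaX/grsecurity
# protections listed in the post are in effect on this machine.
# ROOT is an assumed variable that points the checks at another tree.
ROOT="${ROOT:-}"

# file_is <path> <value>: succeeds if the file is readable and holds <value>
file_is() {
    [ -r "$ROOT$1" ] && [ "$(cat "$ROOT$1")" = "$2" ]
}

# file_ge <path> <min>: succeeds if the file holds an integer >= <min>
file_ge() {
    [ -r "$ROOT$1" ] && [ "$(cat "$ROOT$1")" -ge "$2" ] 2>/dev/null
}

# check <description> <command...>: runs one check, reports and counts a failure
check() {
    desc="$1"; shift
    if "$@" 2>/dev/null; then echo "ok:   $desc"; else echo "FAIL: $desc"; FAILS=$((FAILS + 1)); fi
}

# audit: runs every check, one line of output each; returns the failure count
audit() {
    FAILS=0
    # PaX-style address-space randomisation: 2 randomises stack, mmap and brk
    check "ASLR fully enabled" file_is /proc/sys/kernel/randomize_va_space 2
    # /dev/kmem only exists with CONFIG_DEVKMEM=y; absent is the wanted state
    check "/dev/kmem not present" test ! -e "$ROOT/dev/kmem"
    # /tmp race-condition defences: symlink/hardlink restrictions in sticky dirs
    check "protected_symlinks" file_is /proc/sys/fs/protected_symlinks 1
    check "protected_hardlinks" file_is /proc/sys/fs/protected_hardlinks 1
    # Who may see other users' process information: /proc mounted with hidepid
    check "/proc hidepid" grep -Eq '^proc /proc proc .*hidepid=(1|2|invisible|ptraceable)' "$ROOT/proc/mounts"
    # Who may ptrace whom: Yama scope 1 limits attaching to descendants
    check "ptrace_scope >= 1" file_ge /proc/sys/kernel/yama/ptrace_scope 1
    # Kernel log restricted to root, so kernel addresses are not leaked
    check "dmesg_restrict" file_is /proc/sys/kernel/dmesg_restrict 1
    return "$FAILS"
}

audit || echo "$FAILS check(s) failed" >&2
```

Each FAIL line names a sysctl or mount option that can be corrected in sysctl.conf or fstab; a non-zero exit status from audit makes the script usable from a configuration-management check.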


