
Re: Grsecurity patches on Debian



On Monday 07 February 2005 at 16:17, Andras Got wrote:
> Hi,
> 
> That's it, the chpax. I tried these things almost a year ago with JSP 
> thingy. I googled and the like, but chpax didn't help.
> 
> I meant that I selected high settings, then selected custom, then did some 
> changes. :)
> 
> A.
> 
> 
> Thomas Sjögren wrote:
> 
> >On Mon, Feb 07, 2005 at 02:10:07PM +0100, Andras Got wrote:
> >
> >>You should start with grsec low and proc restrictions set customly. 
> >>Hardening your kernel is always an option. 
> >
> >
> >Running grsec isn't a problem, I use it on both clients and servers.
> >Don't start with grsec low but with the custom option,
> >CONFIG_GRKERNSEC_CUSTOM and read the help sections.
> >
> >
> >>The grsec default high settings, 
> >
> >
> >IIRC it defaults to custom.
> >
> >
> >>and PaX break Jetty (java server container) in two, so it simply won't 
> >>start, gradm won't help as I know. 
> >
> >
> >changing PaX-settings is done by chpax or paxctl. gradm is for the acl. if 
> >something breaks
> >chpax -peMRXs usually works, after that it's about fine tuning.
> >

Using grsecurity with level set to High enables PaX features.
This works well on most daemons delivered as packages in Debian Woody
and hopefully testing. At least this is the case for Apache, Postfix and Cyrus.

Whenever there is a problem with a binary there will be a log trace in
the syslog specifying the binary that was terminated. You can correct
the problem by using chpax.

Xavier.

-- 
Xavier Sudre
Homepage: http://xavier.sudre.fr/
Email:    xavier@sudre.fr
GPG key:  http://xavier.sudre.fr/gpg/xavier.asc
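
The syslog check described in the message above, as an added example that is not part of the original thread: it counts PaX terminations per binary so each one can be reviewed before its flags are changed with chpax. The `PAX: terminating task: /path(comm):pid, ...` line layout is an assumption about the kernel message format, and the sample lines, host name and paths are constructed.

```shell
#!/bin/sh
# Summarise which binaries PaX terminated, from syslog-style input.
# Assumed kernel line layout (check it against your own logs):
#   ... kernel: PAX: terminating task: /path/to/bin(comm):PID, uid/euid: U/E, ...

# Reads the files given as arguments (or stdin if none) and prints
# "<count> <binary path>" per terminated binary, most frequent first.
# Limitation: a path that itself contains "(" is cut at that character.
pax_terminated_binaries() {
    awk '
        /PAX: terminating task: \// {
            s = $0
            sub(/.*PAX: terminating task: /, "", s)  # drop timestamp and prefix
            sub(/\(.*/, "", s)                       # drop "(comm):pid, ..." tail
            n[s]++
        }
        END { for (p in n) print n[p], p }
    ' "$@" | sort -rn
}

# Constructed sample input (not real log data), so the example runs offline.
sample_log() {
    cat <<'EOF'
Feb  7 16:20:01 host kernel: PAX: terminating task: /opt/example/bin/java(java):2211, uid/euid: 1000/1000, PC: 4a3b2c10, SP: 5fffe8a0
Feb  7 16:20:09 host sshd[801]: Accepted publickey for admin from 192.0.2.10
Feb  7 16:21:40 host kernel: PAX: terminating task: /opt/example/bin/java(java):2230, uid/euid: 1000/1000, PC: 4a3b2c10, SP: 5fffe8a0
Feb  7 16:25:12 host kernel: PAX: terminating task: /usr/sbin/exampled(exampled):310, uid/euid: 0/0, PC: 0804f1c0, SP: 5ffff000
EOF
}

# Demo on the constructed sample; on a real host pass the log file instead,
# e.g.  pax_terminated_binaries /var/log/syslog
sample_log | pax_terminated_binaries
```
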


