
Re: kernel+grsecurity



On Mon, May 19, 2003 at 08:38:56AM +0000, Andrés Roldán wrote:
> Hi list.
> 
> I am the CSO of a company and I am going to install several Debian woody 
> machines with a kernel patched with grsecurity. These servers will be
> critical production-ready machines. The question is, what should I have
> to be aware of by compiling this kernel and what should I do to ensure
> a stability in those servers?
> 

I believe there was a recent thread on grsecurity, although it may have
been over on Debian-isp instead. 

Anywho... 

Your asking the question of 'what should I have to be aware of by
compiling this kernel and....' leads me to ask 'Well, what exactly are
you doing with the servers and what do you need protection from?'

Some of the major questions that spring to my mind are:
- Will there be other 'users' on the systems? Or are they just servers
  to be used by 'trusted' employees?
- If $USERS=1, then what are the users allowed to do? Why are they on
  the system in the first place? Just to update web files? Compile
  programs? 
- If $USERS=0, then you have less to worry about, unless you're planning
  to run your daemons as restricted users. And if you will do that, you
  need to be aware that some of those daemon/users will not have access
  to some of the things they might WANT or NEED in order to run as they
  normally do. You may have to recompile those daemons from source in
  order to make them behave properly in this new environment. 
- Will the server be on the Internet? Behind a firewall? With ipchains?


You can go from the simple "only run what services/daemons are necessary
and keep up on security patches" all the way up to "EVERYONE IS OUT TO
GET ME AND HACK ME! AND THE PEOPLE ON THE MAILING LIST ARE DOING IT
NOW!" level of paranoia (sorry for the yelling, but it's needed for the
effect of insane raving). 

You really need to define your goals of what the servers will be used
for and who will be using the servers in order to decide how to best use
grsecurity. Just looking at the number of lines in my kernel config that
have "GRK" in them indicates that there are 47 options available for
grsecurity. Each one of those options needs to be examined and you'd
need to know what it does and decide whether you really need it, whether
you simply want it and mostly (on a multiuser server) whether those
adjustments would be received by your user base as acceptable to how
they do things. 

I hope that I've given some direction as to the questions I'd be asking
myself under similar circumstances and that my reply doesn't sound
simply as though it's a 'non-answer linux support answer' which we all
sometimes receive or send. 

I've been running grsecurity for a while now, previously having used it
when it was simply 'openwall' - or was it 'smoothwall', I get 'em
confused. I think openwall. Without taunting the server pixies, I've had
good luck with it and haven't had an outage due to kernel issues at all.
A wayward SCSI drive caused my last troubles and has resulted in the
number 140 as indicated below instead of something like 440.

$ uptime
 17:33:17 up 140 days, 18:32,  4 users,  load average: 0.87, 0.88, 0.96

Some other servers running similar bits of patched kernels for security,
mostly from multiuser systems that might have prying eyes:

  1:33pm  up 199 days, 18:19,  1 user,  load average: 0.28, 0.22, 0.18
 13:35:15 up 171 days,  4:19,  1 user,  load average: 0.01, 0.00, 0.00
  1:35pm  up 171 days,  4:22,  1 user,  load average: 0.08, 0.02, 0.01
 13:35:52 up 171 days,  4:25,  4 users,  load average: 0.08, 0.05, 0.01

Hope this helps...

-- 

==================================================
+ It's simply not       | John Keimel            +
+ RFC1149 compliant!    | john@keimel.com        +
+                       | http://www.keimel.com  +
==================================================


