[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Grsecurity patches on Debian



hi,

I use Grsecurity with High level for over 2 years now on 2.4.X without
any problems running debian woody. These daemons works fine:
ssh
postfix
courier-imap (with and without ssl)
courier-pop (with and without ssl)
apache
apache-ssl
mysql
snort
and a view other ...

The best way would be for you to test this configuration offline on a
system with the same packages and then install it on the production
system.

For further question and special question you can contact the grsecurity
mailing list. It is a very low traffic list and brad sprengler help you
with every question or the pax team.

Greetz

Konstantin




On Tue, 8 Feb 2005 02:32:03 +0100
Xavier Sudre <xavier@sudre.fr> wrote:

> On Monday 07 February 2005 at 16:17, Andras Got wrote:
> > Hi,
> > 
> > That's it, the chpax. I tried these things almost a year ago with
JSP 
> > thingy. I googled and the like, but chpax didn't help.
> > 
> > I meant that I selected high settings, then selected custom, then
did some 
> > changes. :)
> > 
> > A.
> > 
> > 
> > Thomas Sjögren írta:
> > 
> > >On Mon, Feb 07, 2005 at 02:10:07PM +0100, Andras Got wrote:
> > >
> > >>You should start with grsec low and proc restricions set customly.

> > >>Hardening your kernel is always a option. 
> > >
> > >
> > >Running grsec isn't a problem, I use on both clients and servers.
> > >Dont start with grsec low but with the custom option,
> > >CONFIG_GRKERNSEC_CUSTOM and read the help sections.
> > >
> > >
> > >>The grsec default high settings, 
> > >
> > >
> > >IIRC it defaults to custom.
> > >
> > >
> > >>and PaX break Jetty (java server container) in two, so it simply
won't 
> > >>start, gradm won't help as I know. 
> > >
> > >
> > >changing PaX-settings is done by chpax or paxctl. gradm is for the
acl. if 
> > >something breaks
> > >chpax -peMRXs usually works, after that its about fine tuning.
> > >
> 
> Using grsecurity with level set to High enables Pax features.
> This works well on most daemons delivered as packages in Debian Woody
> and hopefuly testing. At least this is the case for Apache, Postfix
and Cyrus.
> 
> When ever there is a problem with a binary there will be a log trace
in
> the syslog specifying the binary that was terminated. You can correct
> the problem by using chpax.
> 
> Xavier.
> 
> -- 
> Xavier Sudre
> Homepage: http://xavier.sudre.fr/
> Email:    xavier@sudre.fr
> GPG key:  http://xavier.sudre.fr/gpg/xavier.asc
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
> 


---------------------------- 
Building an operation system without source code,
is like buying a  self assemble space shuttle without
instructions.

Attachment: pgpGk6XdR_LWG.pgp
Description: PGP signature


Reply to: