
Re: Grsecurity patches on Debian



hi,

I have used Grsecurity at the High level for over 2 years now on 2.4.X without
any problems, running Debian woody. These daemons work fine:
ssh
postfix
courier-imap (with and without ssl)
courier-pop (with and without ssl)
apache
apache-ssl
mysql
snort
and a few others ...

The best way would be for you to test this configuration offline on a
system with the same packages and then install it on the production
system.

For further and special questions you can contact the grsecurity
mailing list. It is a very low-traffic list, and Brad Spengler or the
PaX team will help you with every question.

Greetz

Konstantin




On Tue, 8 Feb 2005 02:32:03 +0100
Xavier Sudre <xavier@sudre.fr> wrote:

> On Monday 07 February 2005 at 16:17, Andras Got wrote:
> > Hi,
> > 
> > That's it, the chpax. I tried these things almost a year ago with JSP
> > thingy. I googled and the like, but chpax didn't help.
> > 
> > I meant that I selected high settings, then selected custom, then did some
> > changes. :)
> > 
> > A.
> > 
> > 
> > Thomas Sjögren wrote:
> > 
> > >On Mon, Feb 07, 2005 at 02:10:07PM +0100, Andras Got wrote:
> > >
> > >>You should start with grsec low and proc restrictions set customly.
> > >>Hardening your kernel is always an option.
> > >
> > >
> > >Running grsec isn't a problem, I use it on both clients and servers.
> > >Don't start with grsec low but with the custom option,
> > >CONFIG_GRKERNSEC_CUSTOM and read the help sections.
> > >
> > >
> > >>The grsec default high settings, 
> > >
> > >
> > >IIRC it defaults to custom.
> > >
> > >
> > >>and PaX break Jetty (java server container) in two, so it simply won't
> > >>start, gradm won't help as I know.
> > >
> > >
> > >Changing PaX settings is done by chpax or paxctl. gradm is for the ACL. If
> > >something breaks,
> > >chpax -peMRXs usually works; after that it's about fine tuning.
> > >
> 
> Using grsecurity with level set to High enables PaX features.
> This works well on most daemons delivered as packages in Debian Woody
> and hopefully testing. At least this is the case for Apache, Postfix and Cyrus.
> 
> Whenever there is a problem with a binary there will be a log trace in
> the syslog specifying the binary that was terminated. You can correct
> the problem by using chpax.
> 
> Xavier.
> 
> -- 
> Xavier Sudre
> Homepage: http://xavier.sudre.fr/
> Email:    xavier@sudre.fr
> GPG key:  http://xavier.sudre.fr/gpg/xavier.asc
> 


---------------------------- 
Building an operating system without source code
is like buying a self-assembly space shuttle without
instructions.
