LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 01-16-2003, 03:35 AM   #1
hardigunawan
Member
 
Registered: Dec 2001
Posts: 35

Rep: Reputation: 15
grsecurity acl config


anyone has created the acl for redhat's services, such as apache, ftpd etc?

Care to share on how to do it? I've tried it, but rather confused. Let's say for apache, do I create an acl for /etc/rc.d/init.d/httpd or /usr/sbin/httpd?

Both of them require very different acl config, and I don't know which one is better
 
Old 01-16-2003, 08:31 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,469
Blog Entries: 54

Rep: Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900
No I'm still wrestling with the ACL part.
AFAIK /etc/rc.d/init.d/httpd is the script that starts /usr/sbin/httpd, s IMO you should make it for the /usr/sbin/httpd binary. Create an ACL for it and enable learning mode (see gracl.(swx|doc). I'll see if I can come up with one for Apache-SSL one of these days when I switch to grsecurity-1.9.8-2.4.20.
 
Old 01-16-2003, 08:01 PM   #3
hardigunawan
Member
 
Registered: Dec 2001
Posts: 35

Original Poster
Rep: Reputation: 15
When I created the learning mode for /usr/sbin/httpd, it didn't log the writing of /var/run/httpd.pid (in redhat). Further, /etc/rc.d/init.d/httpd called logging functions (initlog) that creates errors This should be due to improper ACL config on my part Hopefully I can configure the / subject more properly.

With the ACL not enabled, does it protect chrooted services? For example, does it protect chrooted apache so that it would not be able to do a 2nd chroot (breaking out of chroot)? Do I have to set anything at the /proc fs for that?

I'm learning grsec too and trying to create ACLs for my redhat services.
 
Old 01-17-2003, 03:43 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,469
Blog Entries: 54

Rep: Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900Reputation: 2900
Even w/o ACL's enabled the extra chroot supporting features can be enabled. Just check your /proc/sys/kernel/grsecurity/* settings if they are:
for i in $(\ls /proc/sys/kernel/grsecurity/*) | grep -ve "acl"; do
echo "kernel.grsecurity.$(basename ${i})= $(cat ${i})"; done
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
GRsecurity dbi Slackware 6 08-28-2006 11:50 PM
grsecurity and slackware james penguin Linux - Security 0 12-01-2005 04:25 PM
grsecurity and 2.6.11.7 houler Slackware 2 05-07-2005 02:21 AM
GRSecurity Obie Linux - Security 6 05-31-2004 08:27 PM
INFO: creating a special secured kernel (grsecurity kernel patch) w sysctl config markus1982 Linux - Security 0 05-25-2003 05:29 AM


All times are GMT -5. The time now is 01:38 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration