unSpawn | 06-13-2004 05:45 PM
Before you're going to do this ask yourself why you want it, and why you choose that route. You should probably first start basic hardening of the box, make sure only services and processes you authorise are runnable and accessible by authorised users. Ditching any compilers and unnecessary packages, restricting access to interpreters to a select group, mounting /home (where *all* your unprivileged users' homes are, right) with noexec,nodev,nosuid, using GRSecurity's proc restrictions, auditing, TPE, making sure users' $TMP lies within their home, else mount /tmp and /var/tmp with nosuid,noexec too (might break some, like mc's executing scripts, but that's only a nuisance) is a start. Update everything till current and top that part off with running Bastille-Linux and Tiger to catch stuff you've overlooked (authentication, passwd aging, "bad" services, setuid/setgid root binaries, cron, at, tcp wrapper access lists etc etc).

While both deal with limits, with GRSec's ACLs you focus on per-process restrictions while PAM_limits focuses on users and groups (and users' own processes). For (unprivileged) user limiting I'd say you best start using PAM_limits. Once enabled GRSec will notice any errors in processes too and log 'em. Then you've got some leads on which regular processes to ACL (else just enable ACLs in learning mode). For background processes there's daemons. Search Freshmeat. Being careless (when renicing/killing processes as root user) based on the process name can lead to interesting things if users get the chance to rename their process to something legitimate, or something other users use.
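The mount-option part of the hardening list above (noexec,nodev,nosuid on /home; nosuid,noexec on /tmp and /var/tmp) is something you will want to re-check after every reboot or fstab change. The script below is an added example written for this page, not unSpawn's code or part of GRSecurity, Bastille or Tiger: it reads a mount table in /proc/mounts format and reports which of the required options each of those mount points lacks. The mount points and required options are taken from the post; the sample mount table embedded at the bottom is constructed for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added example: audit mount options recommended in the post above.

# check_mount_opts TABLE MOUNTPOINT REQUIRED
#   TABLE      file in /proc/mounts format (use /proc/mounts on a live host)
#   MOUNTPOINT e.g. /home
#   REQUIRED   comma-separated options, e.g. noexec,nodev,nosuid
# Prints each missing option on its own line.
# Returns 0 if nothing is missing, 1 if some option is missing,
# 2 if MOUNTPOINT is not a separate mount at all.
check_mount_opts() {
    table=$1; mp=$2; required=$3
    # Last matching entry wins, as with overmounts in /proc/mounts.
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$table" | tail -n 1)
    [ -n "$opts" ] || return 2
    rc=0
    for want in $(printf '%s\n' "$required" | tr ',' ' '); do
        case ",$opts," in
            *",$want,"*) ;;                      # option present
            *) printf '%s\n' "$want"; rc=1 ;;    # option missing
        esac
    done
    return $rc
}

# audit_hardening TABLE
# Runs the checks from the post and prints one line per mount point.
# Return value is the number of mount points with a finding.
audit_hardening() {
    table=$1
    findings=0
    for spec in "/home:noexec,nodev,nosuid" "/tmp:nosuid,noexec" "/var/tmp:nosuid,noexec"; do
        mp=${spec%%:*}; req=${spec#*:}
        missing=$(check_mount_opts "$table" "$mp" "$req")
        case $? in
            0) printf 'OK        %s has %s\n' "$mp" "$req" ;;
            1) printf 'MISSING   %s lacks: %s\n' "$mp" "$(printf '%s' "$missing" | tr '\n' ' ')"
               findings=$((findings + 1)) ;;
            2) printf 'NOTMOUNT  %s is not a separate mount point\n' "$mp"
               findings=$((findings + 1)) ;;
        esac
    done
    return $findings
}

# Constructed sample mount table (not captured from a real host):
# /home is fully hardened, /tmp lacks noexec, /var/tmp is not mounted separately.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /home ext3 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,relatime 0 0
EOF

# Run against the sample when invoked directly; pass /proc/mounts for a live check.
audit_hardening "${1:-$SAMPLE_MOUNTS}" || :
```

On a live box run it as `sh audit_mounts.sh /proc/mounts`; the third case (NOTMOUNT) is the usual reason the /tmp and /var/tmp options silently fail to apply, because the directory just lives on the root filesystem.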