Re: [fw-wiz] Web server security?
From: Mason (hr824_at_sunwave.net)
Date: 06/22/04
- Previous message: Nathan Casey: "[fw-wiz] Access to internal resources"
- In reply to: Paul D. Robertson: "Re: [fw-wiz] Web server security?"
- Next in thread: Crispin Cowan: "Re: [fw-wiz] Web server security?"
To: "Paul D. Robertson" <paul@compuwar.net>
Date: Tue, 22 Jun 2004 07:35:05 -0700
On June 22, 2004 05:01 am, you wrote:
> FC2 is only interesting to me in that it contains Exec Shield, which
> should take away stack and heap overflows, leaving us perhaps with just
> return-into-libc exploits and software bugs... I've got a kernel module
> that needs dusting off that doesn't allow daemons to execve, which makes
> things a little better for that last vector...
>
Paul, may I suggest you check out grsecurity with vserver as opposed to rsbac
with UML? Vserver is more lightweight and was designed to isolate a single
service rather than providing a whole new kernel, binaries, etc. as UML does.
Grsecurity allows you to implement RBAC and MAC and has an application
learning mode to help you generate least privilege policies. Grsecurity uses
PaX (which I'm guessing you are familiar with) for its buffer/heap overflow
protection, it hardens chroots, etc, etc. If you haven't read about them
before, here are some links.
Grsecurity
http://grsecurity.net/index.php
http://grsecurity.net/features.php
PaX
http://pax.grsecurity.net/docs/index.html
Vserver
http://www.solucorp.qc.ca/miscprj/s_context.hc?s1=2&s2=2&s3=0&s4=0&full=0&prjstate=1&nodoc=0
I think I have mentioned this combination on the list before... I'm not at
all affiliated with any of these projects, their approaches just appeal to
me.
--
Mason Schmitt
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards