Airtight system security with Grsecurity
Seal It!
Security-conscious people dig a deep moat with crocodiles around their homes, hide their furniture in back rooms, and only let visitors into the bathroom if they know the secret password. Grsecurity follows a similarly extreme principle.
A small Linux patch collection called Grsecurity (for Greater Security) transforms the Linux kernel into an extremely untrusting fellow. Grsecurity unleashes a whole package of actions that preemptively block out attackers. Each user is initially treated as a principal source of danger. For example, Grsecurity only allows certain users to call dmesg; it locks the /proc directory, and it prevents access to /dev/kmem, /dev/mem, and /dev/port. Grsecurity also moves applications to a random location in memory (address space layout randomization), and it hides all the kernel threads.
Role-Play
The core of Grsecurity is Role-Based Access Control (RBAC for short), which sits on top of existing rights management. Grsecurity initially deprives all users of their access
rights, even hiding parts of the filesystem from them, and thus allows only the bare necessities. The administrator can then allow specific actions for individual users. Users with similar tasks can be grouped as “roles,” and the admin can then grant additional rights to these roles. For example, the webmaster group needs to start the SSH daemon, but the database administrator group does not.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
US / Canada
UK / Australia
Direct Download
Read full article as PDF:
Price $2.95
Tag Cloud
News
-
Heartbleed Bleeds On
According to a report, many potential victims of the Heartbleed attack have patched their systems, but few have cleaned up the crime scene to protect themselves from the effects of a previous intrusion.
-
Drone Brain Goes Open Source
DARPA and NICTA release the code for the ultra-secure microkernel system used in aerial drones.
-
Password Management Services Vulnerable to Attack
Should you trust an online service to store your online passwords?
-
New Raspberry Pi Adds Two USB Ports
New B+ board lets you build cool things without the complication of a powered USB hub.
-
Microsoft Grabs No-IP.com Domains
Redmond rushes in to root out alleged malware haven.
-
Firefox Steps into 3D
New initiative will bring futuristic virtual reality effects to the web surfing experience.
-
New Trojan Targets Online Banking
Dyreza malware launches a man-in-the-middle attack that compromises SSL.
-
HP Rolls Out Massive Cloud Network
New cloud combines worldwide access with local attention to data security.
-
New Attack Targets Wireless Logins
A first cousin of the recent Heartbleed attack affects EAP-based wireless and peer-to-peer authentication.
-
Geeks Petition for Free Lenovo BIOS
FOSS community acts to protect freedom of choice for laptop devices.