Airtight system security with Grsecurity

Seal It!

Article from Issue 149/2013
Author(s):

Security-conscious people dig a deep moat with crocodiles around their homes, hide their furniture in back rooms, and only let visitors into the bathroom if they know the secret password. Grsecurity follows a similarly extreme principle.

A small Linux patch collection called Grsecurity (for Greater Security) transforms the Linux kernel into an extremely untrusting fellow. Grsecurity unleashes a whole package of actions that preemptively block out attackers. Each user is initially treated as a principal source of danger. For example, Grsecurity only allows certain users to call dmesg; it locks the /proc directory, and it prevents access to /dev/kmem, /dev/mem, and /dev/port. Grsecurity also moves applications to a random location in memory (address space layout randomization), and it hides all the kernel threads.

Role-Play

The core of Grsecurity is Role-Based Access Control (RBAC for short), which sits on top of existing rights management. Grsecurity initially deprives all users of their access
rights, even hiding parts of the filesystem from them, and thus allows only the bare necessities. The administrator can then allow specific actions for individual users. Users with similar tasks can be grouped as “roles,” and the admin can then grant additional rights to these roles. For example, the webmaster group needs to start the SSH daemon, but the database administrator group does not.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
Print Issues
Digital Issues
 
SUBSCRIPTIONS
Print Subs
Digisubs
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Brad Spengler Exposes Exploit in Linux Kernel 2.6.31

    The developer behind the grsecurity.net security portal, Brad Spengler, has released videos on the Web that demonstrate a security hole in the current Linux kernel.

    more »
  • Root Exploit Vulnerability in Kernel 2.6.30

    A recently discovered root exploit attacked the newest Linux versions and circumvented protection systems such as SELinux and AppArmor. A solution has been found.

    more »
  • Subgraph OS

    Kid-tested and Snowden approved – is Subgraph, the privacy-oriented OS, now ready for humans?

    more »
  • Security Lessons: Capabilities

    Granting root access, even temporarily, is rife with danger. Capabilities could help.

    more »
  • Whonix

    The curiosity of various players on the Internet is making anonymity increasingly important. The Debian derivative Whonix offers an easy-to-install, comprehensive solution with a complete virtual work environment to protect your privacy.

    more »
comments powered by Disqus

Visit Our Shop

Trial Subscription

Digital Subscription

Subscribe

Direct Download

Read full article as PDF:

Price $2.95

DevOps

News

Tag Cloud

Administration Community Events Hardware Linux Linux New Media Linux Pro Magazine Mobile Programming Software Ubuntu Web Development Windows free software open source