Airtight system security with Grsecurity
Seal It!
Security-conscious people dig a deep moat with crocodiles around their homes, hide their furniture in back rooms, and only let visitors into the bathroom if they know the secret password. Grsecurity follows a similarly extreme principle.
A small Linux patch collection called Grsecurity (for Greater Security) transforms the Linux kernel into an extremely untrusting fellow. Grsecurity unleashes a whole package of actions that preemptively block out attackers. Each user is initially treated as a principal source of danger. For example, Grsecurity only allows certain users to call dmesg; it locks the /proc directory, and it prevents access to /dev/kmem, /dev/mem, and /dev/port. Grsecurity also moves applications to a random location in memory (address space layout randomization), and it hides all the kernel threads.
Role-Play
The core of Grsecurity is Role-Based Access Control (RBAC for short), which sits on top of existing rights management. Grsecurity initially deprives all users of their access
rights, even hiding parts of the filesystem from them, and thus allows only the bare necessities. The administrator can then allow specific actions for individual users. Users with similar tasks can be grouped as “roles,” and the admin can then grant additional rights to these roles. For example, the webmaster group needs to start the SSH daemon, but the database administrator group does not.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
US / Canada
UK / Australia
Direct Download
Read full article as PDF:
Price $2.95
News
-
LibreOffice 5.4 Released
Comes with improved support for Microsoft Office file formats.
-
Red Hat to Drop Support for Btrfs
The company is building their own storage solution called Stratis.
-
Reinvent your network with DevOps tools and techniques:
Opportunities and Risks: Containers for DevOps
Automated Builds Using CentOS 7 and Kickstart
Elasticsearch, Logstash, and Kibana – The ELK stack
Are you ready for DevOps? Try your luck with the beta version of Linux Professional Institute's new DevOps exam.
-
Kolab Now Integrates Collabora Online
Kolab Now subscribers now have access to Collabora Online.
-
Endless OS, a Distribution Without Internet
A new version of Endless OS has been released.
-
GitHub Announces Open Source Friday Program
They encourage people to take time out and work on open source projects on Friday.
-
System76 Announces Their Own Distro, Pop!_OS
Pop!_OS is based on Ubuntu and uses the Gnome stack.
-
Linus Torvalds Talks About His Motivation
He never tires of working on the Linux kernel.
-
Debian 9 Stretches Its Wings
The new release of Debian has a very strong focus on security.
-
Trojan Turns Raspberry Pi into a Cryptocurrency Mining Device
Two trojans in the wild are targeting Linux machines.