Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : grsecurity kernel

[gpl24]

Emphasize the point in the Wikipedia entry:

Quote:

Its typical application is in web servers and systems that accept remote connections from untrusted locations, such as systems offering shell access to its users.

My server is private, I don't resell it's space to people I do not know.

Do I need grsecurity or am I safe on a standard kernel?

[PCS-Chris]

Your fine with a standard kernel really.

[gpl24]

Thank you!
So it does not offer much other than what the wikipedia article explains?



One thing I did like about it was the segfault errors.. . it told me what program started & what program the error forced a kill on.
Does any other application offer more expletive info for errors is this manner? (other than grsecurity)

[zacharooni]

My policy is 'never trust anyone but yourself'. Put it on anyway, might make you feel safer, which is all that really matters anyway. Pretty simple to do

[atomicturtle]

Grsec is an extremely effective addition to your overall security policy. Youve got PaX, which more or less mitigates the risks of buffer overruns. Trusted Path Execution, which prevents untrusted users from executing commands not owned by root, client/server policies that dictate if a user id can create listeners, or connect outbound. Restricts access to /proc, has a learning mode, RBAC, etc. Its also far more practical than SElinux in a web hosting environment.

[gpl24]

I put it back on, now I am seeing these:
Jul 20 02:10:02 host kernel: grsec: denied resource overstep by requesting 92793384673280 for RLIMIT_STACK against limit 8388608 for /[grep:18782] uid/euid:0/0 gid/egid:0/0, parent /usr/local/sim/sim[sim:18780] uid/euid:0/0 gid/egid:0/0

Jul 20 02:40:01 host kernel: grsec: denied resource overstep by requesting 92758867386368 for RLIMIT_STACK against limit 8388608 for /[grep:22215] uid/euid:0/0 gid/egid:0/0, parent /usr/local/bfd/bfd[bfd:22213]uid/euid:0/0 gid/egid:0/0

Jul 20 04:20:01 host kernel: grsec: denied resource overstep by requesting 93307418767360 for RLIMIT_STACK against limit 8388608 for /[cut:25973] uid/euid:0/0 gid/egid:0/0, parent /etc/apf/ad/antidos[antidos:25954] uid/euid:0/0 gid/egid:0/0

Anybody know what this is all about?

[ifastsupport]

grsecurity offers among many other features:

* An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
* Change root (chroot) hardening
* /tmp race prevention
* Extensive auditing
* Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc)
* Prevention of arbitrary code execution in the kernel
* Randomization of the stack, library, and heap bases
* Kernel stack base randomization
* Protection against exploitable null-pointer dereference bugs in the kernel
* Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
* A restriction that allows a user to only view his/her processes
* Security alerts and audits that contain the IP address of the person causing the alert