[grsec] info still visible in /proc
brant williams
brant at tnarb.net
Thu Jan 24 14:38:58 EST 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
The grsec restrictions for /proc will generally only allow non-priviledged
users to view their own process information (e.g. when using "/bin/ps" or
"/usr/bin/top". If you want to restrict access further, you can use the
RBAC system to close things off at the directory level (but really, what
information are you trying to protect?).
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Thu, 24 Jan 2008, Ariel Garcia wrote:
> Date: Thu, 24 Jan 2008 09:10:43 +0100
> From: Ariel Garcia <garcia at iwr.fzk.de>
> To: grsecurity at grsecurity.net
> Subject: Re: [grsec] info still visible in /proc
>
> Hi,
>
>> I configured grsec to limit /proc access to group 0 only:
>>
>> CONFIG_GRKERNSEC_PROC=y
>> # CONFIG_GRKERNSEC_PROC_USER is not set
>> CONFIG_GRKERNSEC_PROC_USERGROUP=y
>> CONFIG_GRKERNSEC_PROC_GID=0
>> CONFIG_GRKERNSEC_PROC_ADD=y
>>
>> However some things that [I think] should be hidden are not:
>
>
> did you check if gresec is being enforced?
>
> CONFIG_GRKERNSEC_SYSCTL (provides de/activation of grsec over /sys)
> CONFIG_GRKERNSEC_SYSCTL_ON (Turn on features by default )
>
> Hope it helps
> Cheers, Ariel
> _______________________________________________
> grsecurity mailing list
> grsecurity at grsecurity.net
> http://grsecurity.net/cgi-bin/mailman/listinfo/grsecurity
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)
iD8DBQFHmOlXdCBnhE3rYAIRCCU1AJ969nJp46MZ0UgkTpDJfj+DgLrEHwCgl/aS
iJCOMhaVXyS5jedy+XBdHvA=
=EF1B
-----END PGP SIGNATURE-----
More information about the grsecurity
mailing list