[grsec] info still visible in /proc
Carlos Carvalho
carlos at fisica.ufpr.br
Thu Jan 24 10:13:34 EST 2008
Ariel Garcia (garcia at iwr.fzk.de) wrote on 24 January 2008 09:10:
>Hi,
>
>> I configured grsec to limit /proc access to group 0 only:
>>
>> CONFIG_GRKERNSEC_PROC=y
>> # CONFIG_GRKERNSEC_PROC_USER is not set
>> CONFIG_GRKERNSEC_PROC_USERGROUP=y
>> CONFIG_GRKERNSEC_PROC_GID=0
>> CONFIG_GRKERNSEC_PROC_ADD=y
>>
>> However some things that [I think] should be hidden are not:
>
>
>did you check if grsec is being enforced?
>
>CONFIG_GRKERNSEC_SYSCTL (provides de/activation of grsec over /sys)
>CONFIG_GRKERNSEC_SYSCTL_ON (Turn on features by default )
Everything visible in /proc/sys/kernel/grsecurity is activated, except
the chroot options. There's no sysctl entry for /proc restrictions.
Further, /proc restrictions are active because users cannot see others'
processes, except for what I described.
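As an added example (not code from the thread), the following script reads the GRKERNSEC_PROC options out of a kernel .config and states the resulting /proc policy, so the configured intent can be confirmed before chasing what is still visible at runtime. The sample config is constructed from the options quoted in the post; the /proc/config.gz hint assumes the running kernel was built with CONFIG_IKCONFIG_PROC.

```shell
#!/bin/sh
# Added example, not from the thread: report the grsecurity /proc
# restriction policy a kernel .config encodes.

# Echo "yes" if CONFIG_$1=y appears in config file $2, otherwise "no".
cfg_set() {
    if grep -q "^CONFIG_$1=y\$" "$2"; then echo yes; else echo no; fi
}

# Summarise who may read other users' /proc entries according to $1.
grsec_proc_mode() {
    cfg="$1"
    if [ "$(cfg_set GRKERNSEC_PROC "$cfg")" != yes ]; then
        echo "GRKERNSEC_PROC off: /proc unrestricted"
        return 0
    fi
    if [ "$(cfg_set GRKERNSEC_PROC_USER "$cfg")" = yes ]; then
        who="root only"
    elif [ "$(cfg_set GRKERNSEC_PROC_USERGROUP "$cfg")" = yes ]; then
        gid=$(sed -n 's/^CONFIG_GRKERNSEC_PROC_GID=//p' "$cfg")
        who="root and gid ${gid:-unset}"
    else
        who="unspecified"
    fi
    if [ "$(cfg_set GRKERNSEC_PROC_ADD "$cfg")" = yes ]; then
        add="additional restrictions (PROC_ADD) on"
    else
        add="additional restrictions (PROC_ADD) off"
    fi
    echo "/proc readable by $who; $add"
}

# Constructed sample: the options quoted in the original post.
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=0
CONFIG_GRKERNSEC_PROC_ADD=y
EOF

grsec_proc_mode "$SAMPLE_CFG"
# On a live host, run the same check against the running kernel's config
# (assumption: the kernel exposes it via CONFIG_IKCONFIG_PROC):
#   zcat /proc/config.gz > /tmp/running.cfg && grsec_proc_mode /tmp/running.cfg
```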