Secure your Kernel
Good evening, dear journal,
Tonight I finished setting up my firewall, migrating from ipchains to iptables.
The new functions available with this packet management tool are really interesting.
I also discovered a patch for the kernel (KERNEL) that makes it possible to do many things I have been looking for
for a long time: http://grsecurity.net.
Here is a short list:
ACL system features
# Process-based Mandatory Access Control
# Secure policy enforcement
# Supports read, write, append, execute, view, and read-only ptrace object permissions
# Supports hide, protect, and override subject flags
# Supports the PaX flags
# Shared memory protection feature
# Integrated local attack response on all alerts
# Subject flag that ensures a process can never execute trojaned code
# Intelligent learning mode that produces least-privilege ACLs with no configuration
# Full-featured fine-grained auditing
# Resource ACLs
# Socket ACLs
# File/process ACLs
# Capabilities
# Protection against exploit bruteforcing
# /proc/pid filedescriptor/memory protection
# ACLs can be placed on non-existent files/processes
# ACL regeneration on subjects and objects
# Administrative mode to use for regular sysadmin tasks
# ACL system is resealed upon admin logout
# Globbing support on ACL objects
# Configurable log suppression
# Configurable process accounting
# Human-readable configuration
# Not filesystem dependent
# Not architecture dependent
# Scales well: supports as many ACLs as memory can handle
# No runtime memory allocation
# SMP safe
# O(1) time efficiency for most operations
# Include directive for specifying additional ACLs
# Enable, disable, reload capabilities
# Userspace option to test permissions on an ACL
# Option to hide kernel processes
Chroot restrictions
# No attaching shared memory outside of chroot
# No kill outside of chroot
# No ptrace outside of chroot (architecture independent)
# No capget outside of chroot
# No setpgid outside of chroot
# No getpgid outside of chroot
# No getsid outside of chroot
# No sending of signals by fcntl outside of chroot
# No viewing of any process outside of chroot, even if /proc is mounted
# No mounting or remounting
# No pivot_root
# No double chroot
# No fchdir out of chroot
# Enforced chdir("/") upon chroot
# No (f)chmod +s
# No mknod
# No sysctl writes
# No raising of scheduler priority
# No connecting to abstract unix domain sockets outside of chroot
# Removal of harmful privileges via capabilities
# Exec logging within chroot
Address space modification protection
# PaX: Page-based implementation of non-executable pages for i386, sparc, sparc64, alpha, and parisc
# PaX: Segmentation-based implementation of non-executable pages for i386 with negligible performance hit
# PaX: Mprotect restrictions prevent new code from entering a task
# PaX: Randomization of stack and mmap base for i386, sparc, sparc64, alpha, and parisc
# PaX: Randomization of executable base for i386, sparc, sparc64, alpha, and parisc
# PaX: Randomization of kernel stack
# PaX: Automatically emulate sigreturn trampolines (for libc5, glibc 2.0, uClibc, Modula-3 compatibility)
# PaX: No ELF .text relocations
# PaX: Trampoline emulation (GCC and linux sigreturn)
# PaX: PLT emulation for non-i386 archs
# No kernel modification via /dev/mem, /dev/kmem, or /dev/port
# Option to disable use of raw I/O
# Removal of addresses from /proc/
Auditing features
# Option to specify single group to audit
# Exec logging with arguments
# Denied resource logging
# Chdir logging
# Mount and unmount logging
# IPC creation/removal logging
# Signal logging
# Failed fork logging
# Time change logging
Randomization features
# Larger entropy pools
# Randomized TCP Initial Sequence Numbers
# Randomized PIDs
# Randomized IP IDs
# Randomized TCP source ports
# Randomized RPC XIDs
Other features
# /proc restrictions that don't leak information about process owners
# Symlink/hardlink restrictions to prevent /tmp races
# FIFO restrictions
# Dmesg(8) restriction
# Altered ICMP echo IDs
# Enhanced implementation of Trusted Path Execution
# GID-based socket restrictions
# Nearly all options are sysctl-tunable, with a locking mechanism
# All alerts and audits support a feature that logs the IP of the attacker with the log
# Stream connections across unix domain sockets carry the attacker's IP with them
# Detection of local connections: copies attacker's IP to the other task
# Low, Medium, High, and Custom security levels
# Tunable flood-time and burst for logging
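As an added example (not code from the original post or from the grsecurity project), the following POSIX sh fragment turns some of the chroot and information-leak options listed above into a sysctl file and applies the grsecurity lock as the very last setting. It assumes a grsecurity-patched kernel with the sysctl interface enabled; the kernel.grsecurity.* names are the ones grsecurity documents for these features and should be checked against /proc/sys/kernel/grsecurity on the running kernel.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a grsecurity kernel
# exposing kernel.grsecurity.* via sysctl; verify the names under
# /proc/sys/kernel/grsecurity before use. The lock must come LAST:
# once grsec_lock=1 is set, no further kernel.grsecurity.* change is
# accepted until the next reboot, so anything after it is silently lost.

GRSEC_OPTS="
kernel.grsecurity.chroot_deny_chroot=1
kernel.grsecurity.chroot_deny_mount=1
kernel.grsecurity.chroot_deny_pivot=1
kernel.grsecurity.chroot_deny_mknod=1
kernel.grsecurity.chroot_deny_chmod=1
kernel.grsecurity.chroot_deny_sysctl=1
kernel.grsecurity.chroot_deny_fchdir=1
kernel.grsecurity.chroot_enforce_chdir=1
kernel.grsecurity.chroot_restrict_nice=1
kernel.grsecurity.chroot_findtask=1
kernel.grsecurity.linking_restrictions=1
kernel.grsecurity.fifo_restrictions=1
kernel.grsecurity.dmesg=1
"

# write_grsec_conf FILE: emit the tunables, then the lock as the final line
write_grsec_conf() {
    out="$1"
    printf '%s\n' "$GRSEC_OPTS" | grep -v '^$' > "$out"
    echo "kernel.grsecurity.grsec_lock=1" >> "$out"
}

# check_lock_last FILE: succeed only if grsec_lock=1 is the single, last
# non-blank setting, so a mis-ordered fragment is caught before loading
check_lock_last() {
    last=$(grep -v '^[[:space:]]*$' "$1" | tail -n 1)
    [ "$last" = "kernel.grsecurity.grsec_lock=1" ] &&
    [ "$(grep -c 'grsec_lock' "$1")" -eq 1 ]
}

# apply_grsec_conf FILE: load the fragment with sysctl(8) after the check
apply_grsec_conf() {
    check_lock_last "$1" || { echo "refusing: grsec_lock is not last" >&2; return 1; }
    sysctl -p "$1"
}
```

Running write_grsec_conf /etc/sysctl.d/grsec.conf followed by apply_grsec_conf on that file enables the listed restrictions and then seals them.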
Happy reading
Firewall Script
Good evening,
Tonight, nothing really interesting on the programme apart from the fact that I am working
my way through netfilter and iptables. My script should be available to everyone very soon.
Programming weekend … And yes, I have to finish my website.
The discovery of the day: the Musée de l'Informatique