Firewall Wizards mailing list archives

Re: Web server security?


From: Mason <hr824 () sunwave net>
Date: Tue, 22 Jun 2004 07:35:05 -0700

On June 22, 2004 05:01 am, you wrote:
> FC2 is only interesting to me in that it contains Exec Shield, which
> should take away stack and heap overflows, leaving us perhaps with just
> return-into-libc exploits and software bugs...  I've got a kernel module
> that needs dusting off that doesn't allow daemons to execve, which makes
> things a little better for that last vector...

Paul, may I suggest you check out grsecurity with vserver as opposed to rsbac 
with UML?  Vserver is more lightweight and was designed to isolate a single 
service rather than providing a whole new kernel, binaries, etc. as UML does.  
Grsecurity allows you to implement RBAC and MAC and has an application 
learning mode to help you generate least privilege policies.  Grsecurity uses 
PaX (which I'm guessing you are familiar with) for its buffer/heap overflow 
protection, it hardens chroots, etc, etc.  If you haven't read about them 
before, here are some links.

Grsecurity
http://grsecurity.net/index.php
http://grsecurity.net/features.php

PaX
http://pax.grsecurity.net/docs/index.html

Vserver
http://www.solucorp.qc.ca/miscprj/s_context.hc?s1=2&s2=2&s3=0&s4=0&full=0&prjstate=1&nodoc=0

I think I have mentioned this combination on the list before...  I'm not at 
all affiliated with any of these projects, their approaches just appeal to 
me.

--
Mason Schmitt