Grsecurity

Grsecurity

Infobox Software
name = grsecurity



caption =
developer = Brad Spengler (Spender)
frequently_updated = yes
operating system = Linux
genre = Security
license = GNU General Public License
website = http://grsecurity.net/

grsecurity is a set of patches for the Linux kernel with an emphasis on enhancing security. Its typical application is in web servers and systems that accept remote connections from untrusted locations, such as systems offering shell access to its users.

Released under the GNU General Public License, grsecurity is free software.

PaX

A major component bundled with grsecurity is PaX, which is a patch that, amongst other things, flags data memory, such as that on the stack, as non-executable, and program memory as non-writable. The aim is to prevent memory from being overwritten, which prevents many types of security vulnerabilities, such as buffer overflows. PaX also provides address space layout randomization (ASLR), which randomizes important memory addresses to hinder attacks that rely on such addresses being easily known. PaX is not itself developed by the grsecurity developers, and is also available independently from grsecurity [http://pax.grsecurity.net] .

Role-based access control

Another notable component of grsecurity is that it provides a full role-based access control (RBAC) system. RBAC is intended to restrict access to the system further than what is normally provided by Unix access control lists, with the aim of creating a fully least-privilege system, where users and processes have the absolute minimum privileges to work correctly and nothing more. This way, if the system is compromised, the ability by the attacker to damage or gain sensitive information on the system can be drastically reduced. RBAC works through a collection of "roles". Each role can have individual restrictions on what they can or cannot do, and these roles and restrictions form a "policy" which can be amended as needed.

Miscellaneous features

grsecurity also adds enhanced auditing to the Linux kernel. It can be configured to audit a specific group of users, audit mounts/unmounts of devices, changes to the system time and date, chdir logging, amongst other things.

Trusted path execution is another optional feature that can be used to prevent users from executing binaries that are not owned by the root user, or are world-writable. This is useful to prevent users from executing their own malicious binaries or accidentally executing system binaries that could have been modified by a malicious user (being world-writable).

grsecurity also hardens the way chroot "jails" work. A chroot jail can be used to isolate a particular process from the rest of the system, which can be used to minimise the potential for damage should the service be compromised. However, there are ways to "break out" of a chroot jail. grsecurity attempts to prevent this.

There are also other features that increase security and prevent users from gaining unnecessary knowledge about the system, such as restricting the dmesg and netstat commands to the root user [http://www.grsecurity.net/features.php] .

See also

*PaX
*Linux Security Modules
*Exec Shield
*Security-Enhanced Linux

External links

* [http://www.grsecurity.net/ Official website]
* [http://freshmeat.net/projects/grsecurity/ grsecurity on freshmeat]


Wikimedia Foundation. 2010.

Игры ⚽ Поможем решить контрольную работу

Look at other dictionaries:

  • GrSecurity — est un patch de sécurité pour le noyau Linux distribué sous la licence publique générale GNU. Il inclut différents éléments, dont PaX, un système de contrôle d accès à base de rôles et différents moyen de renforcer la sécurité générale du noyau.… …   Wikipédia en Français

  • Grsecurity — est un patch de sécurité pour le noyau Linux distribué sous la licence publique générale GNU. Il inclut différents éléments, dont PaX, un système de contrôle d accès à base de rôles et différents moyen de renforcer la sécurité générale du noyau.… …   Wikipédia en Français

  • Grsecurity — Grsecurity  это проект для Linux, который включает в себя некоторые улучшения связанные с безопасностью, включая принудительный контроль доступа, рандомизацию ключевых локальных и сетевых информативных данных, ограничения /proc и chroot()… …   Википедия

  • grsecurity — est un correctif (patch) de sécurité pour le noyau Linux distribué sous la licence publique générale GNU. Il inclut différents éléments, dont PaX, un système de contrôle d accès à base de rôles et différents moyen de renforcer la sécurité… …   Wikipédia en Français

  • GrSecurity — …   Википедия

  • Grsec — grsecurity grsecurity est un patch de sécurité pour le noyau Linux distribué sous la licence publique générale GNU. Il inclut différents éléments, dont PaX, un système de contrôle d accès à base de rôles et différents moyen de renforcer la… …   Wikipédia en Français

  • PaX — In computer security, PaX is a patch for the Linux kernel that implements least privilege protections for memory pages. The least privilege approach allows computer programs to do only what they have to do in order to be able to execute properly …   Wikipedia

  • Mandatory access control — In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target.… …   Wikipedia

  • Hardened Gentoo — is a project of Gentoo Linux that is enhancing the distribution with security addons. Current security enhancements to Gentoo Linux can be:*SELinux **A system of mandatory access controls. SELinux can enforce the security policy over all… …   Wikipedia

  • Linux Security Modules — (LSM) is a framework that allows the Linux kernel to support a variety of computer security models while avoiding favoritism toward any single security implementation. The framework is licensed under the terms of the GNU General Public License… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”