Grsecurity & Ubuntu Feisty Server: Yay it’s working!

zsh in action

Grsecurity is a set of patches to the Linux 2.4 and 2.6 kernels that implements various security-oriented features such as stack randomization and permissions clamping to prevent common attacks against Linux systems from succeeding. I won’t go into an argument here about its effectiveness or its competitors, but I personally believe it’s a great defense barrier for public multiuser type systems.

Currently you must patch and compile the kernel manually, but that’s not the big roadblock… The bigger one is that turning the hardening up too far can leave the system unable to boot.

For Ubuntu, you need to disable CONFIG_COMPAT_VDSO in the kernel config and possibly pass "vdso=0" to the kernel at bootup via the grub config. Otherwise, you’ll get the dreaded everything-segfaults-and-dies phenomenon. It looks something like this:

Segmentation Fault
Segmentation Fault
Segmentation Fault
Segmentation Fault
Segmentation Fault
Segmentation Fault
Segmentation Fault
Segmentation Fault
Segmentation Fault
Segmentation Fault

You get the point….

Once that’s done, I have been able to bump the grsecurity security level to HIGH with no problems whatsoever. It also helps to turn off kernel debugging in general, to avoid ridiculously large 208MB kernel packages!
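To make the two settings above concrete, here is a small shell check (an added example, not part of the original post) that inspects a kernel .config for CONFIG_COMPAT_VDSO and a boot command line for the vdso=0 parameter, and reports whether both are in the state the post describes. The config file names and their contents are constructed for the example; on a real box you would point it at /boot/config-$(uname -r) and the contents of /proc/cmdline.

```shell
#!/bin/sh
# Added example (not from the original post): verify the two Ubuntu Feisty +
# grsecurity prerequisites described above, CONFIG_COMPAT_VDSO disabled in the
# kernel config and vdso=0 passed on the kernel command line.

# vdso_config_ok CONFIG_FILE
#   Returns 0 if CONFIG_COMPAT_VDSO is not enabled in the given kernel config
#   (absent, or present as "# CONFIG_COMPAT_VDSO is not set"), 1 if it is =y.
vdso_config_ok() {
    if grep -q '^CONFIG_COMPAT_VDSO=y' "$1"; then
        return 1
    fi
    return 0
}

# vdso_cmdline_ok "CMDLINE"
#   Returns 0 if the kernel command line carries vdso=0 as a whole word.
vdso_cmdline_ok() {
    case " $1 " in
        *" vdso=0 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_grsec_vdso CONFIG_FILE "CMDLINE"
#   Runs both checks, prints one line per finding, returns 0 only if both pass.
check_grsec_vdso() {
    rc=0
    if vdso_config_ok "$1"; then
        echo "ok:   CONFIG_COMPAT_VDSO is not enabled in $1"
    else
        echo "FAIL: CONFIG_COMPAT_VDSO=y in $1 (disable it before building)"
        rc=1
    fi
    if vdso_cmdline_ok "$2"; then
        echo "ok:   vdso=0 present on the kernel command line"
    else
        echo "WARN: vdso=0 missing from the kernel command line (add it in grub)"
        rc=1
    fi
    return $rc
}

# Constructed sample inputs, not captured from a real system.
tmpdir=$(mktemp -d)
cat > "$tmpdir/config-bad" <<'EOF'
CONFIG_COMPAT_VDSO=y
CONFIG_GRKERNSEC=y
EOF
cat > "$tmpdir/config-good" <<'EOF'
# CONFIG_COMPAT_VDSO is not set
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_HIGH=y
EOF

check_grsec_vdso "$tmpdir/config-bad" "root=/dev/sda1 ro quiet" \
    || echo "-> fix required before booting this kernel"
check_grsec_vdso "$tmpdir/config-good" "root=/dev/sda1 ro quiet vdso=0" \
    && echo "-> both prerequisites satisfied"
rm -rf "$tmpdir"
```

The cmdline check matches vdso=0 as a whole word so that a stray "vdso=00" or "novdso=0" does not count as a pass.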

1 Comment »

  1. Brano said

    Hi,
    I am quite a newbie in the Linux world.
    Several days ago I installed the Cache InterSystems database on my Ubuntu Feisty machine. This software isn’t directly supported for Ubuntu, just for SuSE and Red Hat.
    When I try to log in to its db session, sometimes it works and sometimes it prints the “Shared memory segment does not exists” message.
    I found out the same problem happens on Red Hat when the feature called “exec-shield” is enabled.
    After much googling I got the feeling that this article is somehow related to my problem. I tried the procedure written in this article, but without success.
    Please, if you have some idea, I will appreciate it very much.
    Thanks for any help, Branislav Kalas.
