From: Pavel Labushev
Date: Wed, 16 Jun 2010 17:26:46 +0800
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Re: Giving a hand with docs
Message-ID: <4C1898D6.7030304@gmail.com>
References: <4C0D8FFE.4040502@gmail.com>

13.06.2010 17:15, klondike writes:
> Well for now I have written a 12 page doc praying the goodness of
> Gentoo Hardened.

Well done, thank you! That's what I'm gonna show my coworkers when they
ask me about what Hardened is.

> Also ask for excuses because maybe the document has a few imprecisions
> or white lies due to a bad understanding, feel free to outline them
> to.

I think GRKERNSEC_BRUTE deserves a bit more explanation, as long as in
some (most?) cases it seems to be the single little trick that prevents
preforked apps from eventually being owned with no regard to ASLR,
especially on x86.

Also, maybe a reader should be advised to develop a policy to autorestart
preforked apps when the relevant records appear in the grsec log? They are
"Segmentation fault" and "Illegal instruction". And maybe it deserves to be
mentioned that SIGSEGV does not trigger the fork() delay, so the autorestart
policy which takes frequent SIGSEGV log messages into account is the right
thing.

Btw, it's not "some delays" but the 30 seconds hardcoded in
grsecurity/grsec_sig.c.
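A restart policy of the kind suggested in the mail above, as an added example that is not part of the original thread: it parses constructed grsecurity crash records (the field layout is an assumption modelled on grsec's syslog output, not text from the mail) and flags parent processes whose children hit "Segmentation fault" or "Illegal instruction" repeatedly within a short window, which is where an operator would restart the preforked parent.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines in the shape of grsecurity crash records.
# The exact field layout is an assumption for this example.
SAMPLE_LOG = """\
Jun 16 10:00:01 web kernel: grsec: Segmentation fault occurred at 0000000000000000 in /usr/sbin/apache2[apache2:2301] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:2200] uid/euid:0/0 gid/egid:0/0
Jun 16 10:00:02 web kernel: grsec: Segmentation fault occurred at 00000000deadbeef in /usr/sbin/apache2[apache2:2302] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:2200] uid/euid:0/0 gid/egid:0/0
Jun 16 10:00:03 web kernel: grsec: Illegal instruction occurred at 00007f0000001234 in /usr/sbin/apache2[apache2:2303] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:2200] uid/euid:0/0 gid/egid:0/0
Jun 16 10:30:00 web kernel: grsec: Segmentation fault occurred at 0000000000000000 in /usr/bin/hello[hello:9001] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:9000] uid/euid:1000/1000 gid/egid:1000/1000
"""

CRASH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*grsec: "
    r"(?P<signal>Segmentation fault|Illegal instruction) occurred at \S+ "
    r"in (?P<binary>\S+)\[[^\]:]+:(?P<pid>\d+)\].*?"
    r"parent (?P<parent>\S+)\[[^\]:]+:(?P<ppid>\d+)\]"
)

def parse_crashes(text):
    """Return one dict per grsec crash record; unrelated lines are ignored."""
    crashes = []
    for line in text.splitlines():
        m = CRASH_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        # syslog timestamps carry no year; year 1900 is fine for window arithmetic
        d["time"] = datetime.strptime(d.pop("ts"), "%b %d %H:%M:%S")
        d["pid"], d["ppid"] = int(d["pid"]), int(d["ppid"])
        crashes.append(d)
    return crashes

def parents_to_restart(crashes, threshold=2, window=timedelta(minutes=5)):
    """Map ppid -> (binary, total crashes) for parents whose children crashed
    at least `threshold` times inside `window`. Children of a preforked
    server share the parent's address-space layout, so repeated child
    crashes are the signal to restart the parent rather than keep forking."""
    by_parent = defaultdict(list)
    for c in crashes:
        by_parent[(c["ppid"], c["parent"])].append(c["time"])
    flagged = {}
    for (ppid, binary), times in by_parent.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ppid] = (binary, len(times))
                break
    return flagged
```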