Hardening linux [howto?]
dugan at passwall.com
Thu Jun 13 13:59:02 PDT 2002
As for disk quotas, there are plenty of how-tos on that subject "out
there" so I wont cover that part.
I do not think there is a kernel based process control for CPU throttling
as "good" as what we have for disk space and disk/file quotas. (Though it
would be nice to have.)
Disclaimer - What I mean here: though some process control exists, it is
not as controlled as the disk based quota support in Linux is at present.
Some options in this realm:
in bash: ulimit
elsewhere/(per app): getrlimit setrlimit and then getrusage
The kind of granular process control found in *BSD is not so readily
available in Linux land, but welcome others to prove me wrong as it is
something I have wanted for many years now.
Of course disk quotas work very well for users and groups. :-)
TrafficShaper is available for bandwidth throttling too in the 2.4./x
kernels too... but this is not process control and I am off topic...
Process control and restrictions has been something asked for before, and
some clever people made some patches to the 2.2 series kernel (I seem to
recall) but I dont know what ever happened to it. I do not think it made
it into the main kernel tree, and if forked may not be maintained
anymore... searches would be best best for this.
As for wtmp and user listsing, I have not looked into that as a feature as
I have not needed it yet. There may be some tools out there for custom
"whois" and "users" or you could just make these user-checking-tools
unavailable for execution by their ID. As for limiting process listing for
users other than root...
Check out Solar Designers Linux Security enhancements
I can state the 2.2 series patches work very well, and I am testing the
2.4 series patches on non-production machines (test desktop machine that
has no critical data) It will be a while before our servers migrate to the
2.4 kernels and the associated patches.
One of the extra option in his secuirty patches is for "restricted /proc"
which limits users' ability to see processes exepc their own. I dont use
this, but have used it in 2.2. There are other features in his patches
that are very useful such as the non-executable stack patch for targeting
buffer over-run that exploit code to write binary executable data to the
stack segment and then jmp to it. Also has support for forked process
limits tied in with the original request. I *strongly* encourage you to
check those out. Some things have not worked in the past with it ("at" for
example, but cron was fine).
Afraid, the restricted /proc is all (but root) or nothing. (Kind of binary
in that respect... heh heh)
There are other options to check. When you apply then to the kernel, you
will have a new menu (when you use make menuconfig) "Security
Options" where you can read about them as you choose to enable them with
the same "?" as other kernel options.
Hope this helps. BTW, I did not keep the original announcement of your
arrival. Where are you from, and how did you hear about this LUG? Your
questions have been good ones! The earliest message I found from
this address was did not jog my memory into matching a face name and
e-mail address, sorry about that :-( Feel free to respond in private
for these Q's. :-) Sorry for not paying attention like I should have been.
-----BEGIN GEEK CODE BLOCK-----
GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-----) C++$(++++) U++++$(+$) P+$>+++
L+++$(++) E W+++$(+) N+ o K w+$>++>+++ O-@ M+$ V-$>- !PS !PE Y+ !PGP
t at -(++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+>++>++++ h(++)>+ r*>? z?
------END GEEK CODE BLOCK------
decode: http://www.ebb.org/ungeek/ about: http://www.geekcode.com/geek.html
On 13 Jun 2002, error wrote:
> I am looking to do process, disk and memory quotas on a per user basis.
> I have searched around and I can find nothing on process and memory
> Do any of you have any idea how one could go about setting up process
> and/or memory quotas?
> Also, how would one go about locking down the wtmp file? I would like it
> so the user can only see them self logged in (ie all other processes are
> hidden to them, even root)
> I know this can be done in freebsd, but I have yet to see it done in
> The flavor I am using for this box is redhat 7.2
More information about the talk