Airtight system security with Grsecurity
Security-conscious people dig a deep moat with crocodiles around their homes, hide their furniture in back rooms, and only let visitors into the bathroom if they know the secret password. Grsecurity follows a similarly extreme principle.
A small Linux patch collection called Grsecurity (for Greater Security) transforms the Linux kernel into an extremely untrusting fellow. Grsecurity unleashes a whole package of actions that preemptively block out attackers. Each user is initially treated as a principal source of danger. For example, Grsecurity only allows certain users to call dmesg; it locks the /proc directory, and it prevents access to /dev/kmem, /dev/mem, and /dev/port. Grsecurity also moves applications to a random location in memory (address space layout randomization), and it hides all the kernel threads.
The core of Grsecurity is Role-Based Access Control (RBAC for short), which sits on top of existing rights management. Grsecurity initially deprives all users of their access
rights, even hiding parts of the filesystem from them, and thus allows only the bare necessities. The administrator can then allow specific actions for individual users. Users with similar tasks can be grouped as “roles,” and the admin can then grant additional rights to these roles. For example, the webmaster group needs to start the SSH daemon, but the database administrator group does not.
Buy this article as PDF
New partnership will bring more and better CS training to US schools
Criminals offer online help over Tor network
Sophisticated malware is still present on Joomla and WordPress sites around the world.
Future versions of Ubuntu's code service will support the popular Git version control system used with Linux and other open source projects.
New release marks the arrival of AMD’s unified driver strategy.
A new study by IDC charts big changes in the big hardware market.
Azure CTO says Redmond has already considered the unthinkable.
Lead developer quells rumors that the Debian version is slated for center stage.
MSBuild is now just another GitHub project as Redmond continues its path to the light.
Malware could pass data and commands between disconnected computers without leaving a trace on the network.