Linux security patches
AppArmor
If we decided to use AppArmor, we could start with this configuration:
    #include
    /usr/sbin/hiawatha {
        #include
        capability dac_override,
        capability net_bind_service,
        capability sys_chroot,
        capability setgid,
        capability setuid,
        network inet tcp,
        /usr/sbin/hiawatha mr,
        /usr/sbin/cgi-wrapper mr,
        /etc/passwd r,
        /etc/group r,
        /etc/hiawatha/** r,
        /etc/nsswitch.conf r,
        /var/log/hiawatha/* rw,
        /var/run/hiawatha.pid w,
        /var/lib/hiawatha/* rw,
        /var/www/** rw,
        /home/*/public_html/** r,
    }
grsecurity
If we wanted to use grsecurity's RBAC system with Hiawatha, we could start with the following configuration file:
    subject /usr/sbin/hiawatha o
        / r
        /etc/hiawatha r
        /var/run/hiawatha.pid cw
        /var/log/hiawatha rwca
        /var/lib/hiawatha rwmcd
        /var/www rxwmcad
        /home
        /home/*/public_html rxwmcad
        /usr/sbin/cgi-wrapper x
        /lib rx
        /usr/lib rx
        /proc
        /proc/kcore h
        /proc/sys h
        /proc/*/fd rw
        /dev
        /dev/random r
        /dev/urandom r
        /dev/null rw
        /dev/pts rw
        /dev/std* rw
        +CAP_SETUID
        +CAP_SETGID
        +CAP_SYS_CHROOT
        +CAP_NET_BIND_SERVICE
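Both policies confine the same daemon, so their grants can be checked against each other. The Python sketch below is an added example, not part of the original howto or the Hiawatha project: it parses excerpts of the two policies above (capability rules and the rules under /var and /home only) and lists where they differ. The names parse and compare are hypothetical.

```python
import re
# Excerpts copied from the two policies on this page: capability rules and
# the rules under /var and /home only (includes, /dev, /proc left out).
APPARMOR = """
capability dac_override,
capability net_bind_service,
capability sys_chroot,
capability setgid,
capability setuid,
/var/log/hiawatha/* rw,
/var/run/hiawatha.pid w,
/var/lib/hiawatha/* rw,
/var/www/** rw,
/home/*/public_html/** r,
"""
GRSEC = """
/var/run/hiawatha.pid cw
/var/log/hiawatha rwca
/var/lib/hiawatha rwmcd
/var/www rxwmcad
/home/*/public_html rxwmcad
+CAP_SETUID
+CAP_SETGID
+CAP_SYS_CHROOT
+CAP_NET_BIND_SERVICE
"""

def parse(text, cap_re, write_flags):
    """Return (capability names, paths with any write-type permission)."""
    caps, writable = set(), set()
    for line in text.splitlines():
        rule = line.strip().rstrip(",")
        if m := re.fullmatch(cap_re, rule):
            caps.add(m.group(1).upper())
        elif (m := re.fullmatch(r"(/\S+)\s+(\w+)", rule)) and set(m.group(2)) & set(write_flags):
            # Drop a trailing /* or /** so AppArmor globs line up with grsecurity directory objects.
            writable.add(re.sub(r"/\*{1,2}$", "", m.group(1)))
    return caps, writable

def compare():
    aa_caps, aa_w = parse(APPARMOR, r"capability (\w+)", "wa")  # write, append
    gr_caps, gr_w = parse(GRSEC, r"\+CAP_(\w+)", "wacd")  # plus create, delete
    return {"caps_only_apparmor": sorted(aa_caps - gr_caps),
            "caps_only_grsec": sorted(gr_caps - aa_caps),
            "write_only_apparmor": sorted(aa_w - gr_w),
            "write_only_grsec": sorted(gr_w - aa_w)}

if __name__ == "__main__":
    print(compare())
```

On the rules as shown, only the AppArmor profile grants dac_override, and only the grsecurity subject allows writes under /home/*/public_html; each difference is worth a deliberate decision before either policy is enforced.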
Original page: https://www.hiawatha-webserver.org/howto/linux_security_patches
Last updated: 06-11-2016 01:43