news   papers   download   features   compare   mirrors mailinglist   forum   cvs   donations   contact

	ACL system features Process-based Mandatory Access Control Secure policy enforcement Supports read, write, append, execute, view, and read-only ptrace object permissions Supports hide, protect, and override subject flags Supports the PaX flags Shared memory protection feature Integrated local attack response on all alerts Subject flag that ensures a process can never execute trojaned code Intelligent learning mode that produces least-privilege ACLs with no configuration Full-featured fine-grained auditing Resource ACLs Socket ACLs File/process ACLs Capabilities Protection against exploit bruteforcing /proc/pid filedescriptor/memory protection ACLs can be placed on non-existent files/processes ACL regeneration on subjects and objects Administrative mode to use for regular sysadmin tasks ACL system is resealed up admin logout Globbing support on ACL objects Configurable log suppression Configurable process accounting Human-readable configuration Not filesystem dependent Not architecture dependent Scales well: supports as many ACLs as memory can handle No runtime memory allocation SMP safe O(1) time efficiency for most operations Include directive for specifying additional ACLs Enable, disable, reload capabilities Userspace option to test permissions on an ACL Option to hide kernel processes

	Chroot restrictions No attaching shared memory outside of chroot No kill outside of chroot No ptrace outside of chroot (architecture independent) No capget outside of chroot No setpgid outside of chroot No getpgid outside of chroot No getsid outside of chroot No sending of signals by fcntl outside of chroot No viewing of any process outside of chroot, even if /proc is mounted No mounting or remounting No pivot_root No double chroot No fchdir out of chroot Enforced chdir("/") upon chroot No (f)chmod +s No mknod No sysctl writes No raising of scheduler priority No connecting to abstract unix domain sockets outside of chroot Removal of harmful privileges via capabilities Exec logging within chroot

	Address space modification protection PaX: Page-based implementation of non-executable pages for i386, sparc, sparc64, alpha, and parisc PaX: Segmentation-based implementation of non-executable pages for i386 with negligible performance hit PaX: Mprotect restrictions prevent new code from entering a task PaX: Randomization of stack and mmap base for i386, sparc, sparc64, alpha, and parisc PaX: Randomization of executable base for i386, sparc, sparc64, alpha, and parisc PaX: Randomization of kernel stack PaX: Automatically emulate sigreturn trampolines (for libc5, glibc 2.0, uClibc, Modula-3 compatibility) PaX: No ELF .text relocations PaX: Trampoline emulation (GCC and linux sigreturn) PaX: PLT emulation for non-i386 archs No kernel modification via /dev/mem, /dev/kmem, or /dev/port Option to disable use of raw I/O Removal of addresses from /proc/<pid>/maps

	Auditing features Option to specify single group to audit Exec logging with arguments Denied resource logging Chdir logging Mount and unmount logging IPC creation/removal logging Signal logging Failed fork logging Time change logging

	Randomization features Larger entropy pools Randomized TCP Initial Sequence Numbers Randomized PIDs Randomized IP IDs Randomized TCP source ports Randomized RPC XIDs

	Other features /proc restrictions that don't leak information about process owners Symlink/hardlink restrictions to prevent /tmp races FIFO restrictions Dmesg(8) restriction Altered ICMP echo IDs Enhanced implementation of Trusted Path Execution GID-based socket restrictions Nearly all options are sysctl-tunable, with a locking mechanism All alerts and audits support a feature that logs the IP of the attacker with the log Stream connections across unix domain sockets carry the attacker's IP with them Detection of local connections: copies attacker's IP to the other task Low, Medium, High, and Custom security levels Tunable flood-time and burst for logging