[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-relays] Towards a Tor Node Best Best Practices Document
On Sun, Apr 29, 2012 at 1:59 PM, Mike Perry <mikeperry@xxxxxxxxxxxxxx> wrote:
>
[snipped]
>
> After reading a few mailinglist archives about kernel.modules_disabled,
> it looks like there is a contingent of kernel developers who are arguing
> for "layered security" over "perfect security", and they are working to
> enumerate and close holes that elevate root directly to ring0. Even if
> the LKML people occasionally refuse to take their patches for old
> unixbeard dogmatic reasons, it looks like they are still being picked up
> by RHEL/CentOS and Ubuntu.
>
> But, this reminds me that I might need to add a "Auditing
> Recommendations" section to the APT. Technically, the truly paranoid
> should also keep pristine copies of their initrd, kernel, modules, and
> init itself, and veryify/replace them in the event of sketchy activity.
> But the question of how to actually verify/replace these files while
> using an untrusted kernel is another matter.. A few ways come to mind,
> but if we specify just One True Way, obviously custom rootkits could
> still be written to cloak against it...
What do you feel about promoting grsec?
>
[snipped]
>
>
> --
> Mike Perry
>
> _______________________________________________
> tor-relays mailing list
> tor-relays@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
Thanks,
Kasimir
--
Kasimir Gabert
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays