Linux Advanced Hardening With the Capability Bounding Set
Posted on: 02/22/2011 11:33 AM

nixCraft shows you how to harden your Linux installation with the Capability Bounding Set.


The last time I wrote about basic "Linux Server Hardening Security" tips. In this post I will write about the /proc/sys/kernel/cap-bound file, which acts as a powerful Linux hardening tool. This file holds the value of the kernel capability bounding set (expressed as a signed decimal number). This set is ANDed against the capabilities permitted to a process during exec. You can make changes to this file (bit value of cap-bound) and you can restrict many capabilities of a process and put restrictions on root-related processes too. Using capabilities you can enable or disable Linux kernel module loading, firewall, routing, raw sockets, locking of memory segments, restrictions on changing file ownership, restrictions on read and search of files and directories, sending signals to processes owned by others, modification of immutable and append-only file attributes, use of chroot(), rebooting the system, common sys admin tasks such as mount, quotas, swapping and much more.
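
How the signed decimal in cap-bound maps to capability bits, as an added example that is not part of the nixCraft post. It assumes the 32 capability bit numbers from `<linux/capability.h>` and a kernel older than 2.6.25, where this file exists; the function names are made up for this sketch.

```sh
#!/bin/sh
# Capability names in bit order 0..31, as numbered in <linux/capability.h>.
CAP_NAMES="CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID
CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE
CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK
CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE
CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE CAP_SYS_RESOURCE
CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE CAP_AUDIT_WRITE
CAP_AUDIT_CONTROL CAP_SETFCAP"

# cap_bit NAME: print the bit number of a capability; fail if unknown.
cap_bit() {
    i=0
    for n in $CAP_NAMES; do
        if [ "$n" = "$1" ]; then echo "$i"; return 0; fi
        i=$((i + 1))
    done
    return 1
}

# to_signed32 VALUE: fold a mask into the signed 32-bit decimal the file uses.
to_signed32() {
    v=$(( $1 & 4294967295 ))
    if [ "$v" -ge 2147483648 ]; then v=$((v - 4294967296)); fi
    echo "$v"
}

# cap_drop CURRENT NAME...: value to write so the named capabilities are masked.
cap_drop() {
    cur=$1; shift
    for name in "$@"; do
        bit=$(cap_bit "$name") || { echo "unknown capability: $name" >&2; return 1; }
        cur=$(( cur & ~(1 << bit) ))
    done
    to_signed32 "$cur"
}

# cap_missing VALUE: list the capabilities a given cap-bound value masks out.
cap_missing() {
    v=$(( $1 & 4294967295 )); i=0; out=""
    for n in $CAP_NAMES; do
        if [ $(( (v >> i) & 1 )) -eq 0 ]; then out="$out $n"; fi
        i=$((i + 1))
    done
    echo "${out# }"
}

# Constructed sample: -257 has every bit set except CAP_SETPCAP (bit 8).
new=$(cap_drop -257 CAP_SYS_MODULE)
echo "write $new to mask: $(cap_missing "$new")"
```

On a live system the starting value is read from /proc/sys/kernel/cap-bound and the result is written back to the same file. Root can only clear bits there, so a capability dropped this way stays unavailable until the next reboot.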



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/linux_advanced_hardening_with_the_capability_bounding_set.html)