Like most everyone, I'm running around trying to prevent Stack Clash types of issues from happening in the future.
The most 'general purpose' way of doing this is to set the Address Space and Stack limits in pam_limits.
So, two questions:
1) What is a good, general purpose number to set these to? I figured that Red Hat would have a bunch of systems to sample....
2) Should these be included in the SSG?
3) Should the rest of these have nailed in defaults that make sense for most systems? This really should be something that people understand about their applications and/or can adjust to be larger on an as-needed basis.
Thanks,
Trevor
Well, that was about the least fun that I've had in a while.
The magic numbers that I came up with that allowed me to log in to GDM, but not run firefox, were:
    root - stack unlimited
    root - as unlimited
    dbus - stack unlimited
    dbus - as unlimited
    gdm - as unlimited
    gdm - stack unlimited
    * - stack 262144
    * - as 4194304
This doesn't appear to be a ratio and the system only had 4G RAM but anything but this pretty much tanked.
Any vendor driven advice would be great but I think it's going to be one of those "set to what your system needs" adventures.
Thanks,
Trevor
On Tue, Jun 20, 2017 at 11:16 AM, Trevor Vaughan tvaughan@onyxpoint.com wrote:
> Like most everyone, I'm running around trying to prevent Stack Clash types of issues from happening in the future.
> The most 'general purpose' way of doing this is to set the Address Space and Stack limits in pam_limits.
> So, two questions:
> 1) What is a good, general purpose number to set these to? I figured that Red Hat would have a bunch of systems to sample....
> 2) Should these be included in the SSG?
> 3) Should the rest of these have nailed in defaults that make sense for most systems? This really should be something that people understand about their applications and/or can adjust to be larger on an as-needed basis.
> Thanks,
> Trevor
-- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
scap-security-guide@lists.fedorahosted.org
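
Added example, not part of the original thread: a small Python resolver that reads the stack/as entries quoted above in limits.conf syntax and reports the limits a given login would receive, converted from KB to bytes. The function names and the user 'alice' are hypothetical; it assumes the documented pam_limits behaviour that stack and as values are in KB, that type "-" sets both soft and hard, and that an entry naming a user overrides the "*" default.

```python
# Constructed sample: the entries quoted in the post, one per line, in limits.conf syntax.
SAMPLE = """\
# <domain> <type> <item> <value>
root - stack unlimited
root - as unlimited
dbus - stack unlimited
dbus - as unlimited
gdm - as unlimited
gdm - stack unlimited
* - stack 262144
* - as 4194304
"""

KB_ITEMS = ("stack", "as")                    # pam_limits takes both values in KB
NO_LIMIT = ("unlimited", "infinity", "-1")    # spellings pam_limits accepts for "no limit"


def parse(text):
    """Yield (domain, type, item, limit) for stack/as entries; limit is bytes, None = unlimited."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if len(fields) != 4 or fields[2] not in KB_ITEMS:
            continue
        domain, ltype, item, value = fields
        yield domain, ltype, item, None if value in NO_LIMIT else int(value) * 1024


def effective(text, user):
    """Limits a login by `user` would get: an entry naming the user overrides the '*' default.
    Group (@name) and uid-range domains are outside this example's scope (assumption)."""
    result = {}
    for wanted in ("*", user):                 # defaults first, then the user's own entries
        for domain, ltype, item, limit in parse(text):
            if domain == wanted:
                for kind in ("soft", "hard") if ltype == "-" else (ltype,):
                    result[(item, kind)] = limit
    return result


def human(limit):
    """Render a byte count in MiB so a draft value can be sanity-checked at a glance."""
    return "unlimited" if limit is None else f"{limit // 2**20} MiB"


if __name__ == "__main__":
    for user in ("root", "gdm", "alice"):      # 'alice' is a hypothetical ordinary user
        limits = effective(SAMPLE, user)
        print(user, {f"{i}/{k}": human(v) for (i, k), v in sorted(limits.items())})
```

For the wildcard entries this resolves to a 256 MiB stack and a 4096 MiB address space per process, while root, dbus and gdm stay unlimited.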