Atomicorp ASL installed in VZ-container reports various Kernel Vulnerabilities

Stephan J.

New Member
Apr 24, 2012
Hello,

I have a VZ container running CentOS 6 with Plesk 10. I also installed ASL 3 from atomicorp.com for added security.

Now I get reports of various kernel vulnerabilities:

Code:
  Trusted Path Execution(TPE): not available               [CRITICAL]
  Disable Privileged I/O: not available                    [CRITICAL]

  Runtime module loading: enabled                          [HIGH]
  Executable anonymous mapping (mprotect): yes             [HIGH]
  Executable bss  (mprotect): yes                          [HIGH]
  Executable data  (mprotect): yes                         [HIGH]
  Executable heap  (mprotect): yes                         [HIGH]
  Executable shared library bss (mprotect): yes            [HIGH]
  Executable shared library data (mprotect): yes           [HIGH]
  Executable stack (mprotect): yes                         [HIGH]
  Shared library randomisation test: yes                   [HIGH]
  Writable text segments: yes                              [HIGH]
  Restrict chroot() capabilities: not available            [HIGH]

  Chroot restrictions, deny chmod(): not available         [MODERATE]
  Chroot restrictions, deny chroot(): not available        [MODERATE]
  Chroot restrictions, deny fchdir(): not available        [MODERATE]
  Chroot restrictions, deny mknod(): not available         [MODERATE]
  Chroot restrictions, deny mount(): not available         [MODERATE]
  Chroot restrictions, deny pivot(): not available         [MODERATE]
  Chroot restrictions, deny external shmem access: not avai[MODERATE]
  Chroot restrictions, deny sysctl: not available          [MODERATE]
  Chroot restrictions, deny unix domain sockets: not availa[MODERATE]
  Chroot restrictions, set cwd to chroot dir: not available[MODERATE]
  Chroot restrictions, process controls: not available     [MODERATE]
  Restrict dmesg: not available                            [LOW]
  Enhanced FIFO restrictions: not available                [LOW]
  Fork() failure logging: not available                    [LOW]
  Harden ptrace(): not available                           [MODERATE]
  Network Stack, IP Blackhole policy: not available        [LOW]
  Linking Restrictions: not available                      [LOW]
Are these something to worry about or can they be fixed?

Atomicorp provides its own kernel which has these covered, and on their wiki pages they recommend installing it on the hardware node in a VPS environment (e.g. http://www.atomicorp.com/wiki/index.php/Vuln_kernel_mprotbss), but I'm not sure that's such a good idea.

kind regards -Stephan
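The items in the report above are grsecurity/PaX features that ASL's kernel check looks for, and the "mprotect" lines are live probes, not a version lookup: the checker maps memory, asks the kernel to make it executable (or to make code writable), and reports "yes" if the kernel allows it. The following C program is an added example, not code from the original post, from ASL or from Atomicorp; it reproduces two of those probes and reads the stock kernel.modules_disabled sysctl, so the meaning of a "yes" line can be verified on the node or container at hand. On a stock (non-PaX) kernel both mprotect probes succeed, which is exactly what the report flags; a PaX MPROTECT kernel refuses the transition with EACCES or EPERM. The enum names and function names are this example's own.

```c
/* Added example (not from the original post, ASL or Atomicorp): probe two of the
 * report's checks directly against the running kernel. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Example's own result codes: ALLOWED is what the report prints as "yes". */
enum probe_result { PROBE_DENIED = 0, PROBE_ALLOWED = 1, PROBE_ERROR = 2 };

/* Classify an mprotect() outcome: 0 means the kernel permitted the change,
 * -1 with EACCES/EPERM means a hardening policy refused it, anything else is
 * a probe failure that must not be reported as either. */
enum probe_result classify_mprotect(int rc, int err)
{
    if (rc == 0)
        return PROBE_ALLOWED;
    if (err == EACCES || err == EPERM)
        return PROBE_DENIED;
    return PROBE_ERROR;
}

/* "Executable anonymous mapping (mprotect)": map a page read/write, then ask
 * for read/execute. PaX MPROTECT denies a mapping that has been writable from
 * ever becoming executable; a stock kernel allows it. */
enum probe_result probe_anon_exec(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return PROBE_ERROR;
    int rc = mprotect(p, (size_t)pagesz, PROT_READ | PROT_EXEC);
    int err = errno;
    munmap(p, (size_t)pagesz);
    return classify_mprotect(rc, err);
}

/* "Writable text segments": try to make the page that holds this very
 * function writable as well as executable, then restore it. */
enum probe_result probe_writable_text(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    uintptr_t page = (uintptr_t)&probe_writable_text & ~(uintptr_t)(pagesz - 1);
    int rc = mprotect((void *)page, (size_t)pagesz, PROT_READ | PROT_WRITE | PROT_EXEC);
    int err = errno;
    if (rc == 0)
        mprotect((void *)page, (size_t)pagesz, PROT_READ | PROT_EXEC); /* restore */
    return classify_mprotect(rc, err);
}

/* "Runtime module loading": the stock sysctl kernel.modules_disabled is 1 once
 * loading has been switched off until reboot. Inside a container the file may
 * be missing; return -1 for unknown rather than guessing. */
int modules_disabled_sysctl(void)
{
    FILE *f = fopen("/proc/sys/kernel/modules_disabled", "r");
    if (!f)
        return -1;
    int v = -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

static const char *word(enum probe_result r)
{
    return r == PROBE_ALLOWED ? "yes" : r == PROBE_DENIED ? "no" : "error";
}

int main(void)
{
    printf("Executable anonymous mapping (mprotect): %s\n", word(probe_anon_exec()));
    printf("Writable text segments: %s\n", word(probe_writable_text()));
    int md = modules_disabled_sysctl();
    printf("Runtime module loading: %s\n",
           md == 1 ? "disabled" : md == 0 ? "enabled" : "unknown (sysctl not visible)");
    return 0;
}
```

Run it as an unprivileged user inside the container: a "yes" on either mprotect line means the kernel the container runs on (in an OpenVZ setup, the hardware node's kernel, not anything inside the container) lacks PaX MPROTECT, which is why the report can only be changed by what the node runs.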

My Plesk 10 does not work with ptrace. I learned about it from Google. How can I disable ptrace for a specific LXC CT? PVE4