|
|
Sponsored Content
Top Forums
UNIX for Advanced & Expert Users
"Signed Linux" - Only executing signed programs
Post 302498987 by disaster on Wednesday 23rd of February 2011 03:20:16 AM
02-23-2011
"Signed Linux" - Only executing signed programs
Hey folks,
not sure whether this or the security board is the right forum. If I failed, please move
So here's the problem:
I need to build a Linux environment in which only "signed" processes are allowed to run. When I say signed I don't mean a VeriSign signature like you know it from Windows, but I mean signed by myself. I.e. I choose the software allowed to run, sign it, and then want to deny any other processes to run.
If it is somehow possible I'd like to extend this even to scripts and the kernel (i.e. no unsigned modules can be loaded).
Does anyone have a good idea how to solve this problem?
The bad thing is: I'm pretty fine with coding stuff myself in C, but have absolutely 0 experience or knowledge in kernel (module)-programming.
Any tipps, links, literature, finished programs will be appreciated, thanks
A short idea I had and almost forgot: How difficult is it to change the routine of linux which starts a process in such a way that it will call for every process start a little programm of myself which will then check the program to be executed and - in case of a missing signature - will cancel it?
not sure whether this or the security board is the right forum. If I failed, please move
So here's the problem:
I need to build a Linux environment in which only "signed" processes are allowed to run. When I say signed I don't mean a VeriSign signature like you know it from Windows, but I mean signed by myself. I.e. I choose the software allowed to run, sign it, and then want to deny any other processes to run.
If it is somehow possible I'd like to extend this even to scripts and the kernel (i.e. no unsigned modules can be loaded).
Does anyone have a good idea how to solve this problem?
The bad thing is: I'm pretty fine with coding stuff myself in C, but have absolutely 0 experience or knowledge in kernel (module)-programming.
Any tipps, links, literature, finished programs will be appreciated, thanks
A short idea I had and almost forgot: How difficult is it to change the routine of linux which starts a process in such a way that it will call for every process start a little programm of myself which will then check the program to be executed and - in case of a missing signature - will cancel it?
|
|
We Also Found This Discussion For You
1. Shell Programming and Scripting
Hi All,
i am trying to ssh to a remote machine and execute certain command to remote machine through script.
i am able to ssh but after its getting hung at the promt and after pressing ctrl +d i am gettin the out put as
expect: spawn id exp5 not open
while executing
"expect "$" {... (3 Replies)
Discussion started by: Siddharth shivh
3 Replies
LEARN ABOUT HPUX
serialize
serialize(1) General Commands Manual serialize(1) NAME
serialize - force target process to run serially with other processes SYNOPSIS
command [command_args] pid] DESCRIPTION
The command is used to force the target process to run serially with other processes also marked by this command. The target process can be referred to by pid value, or it can be invoked directly on the command. Once a process has been marked by the process stays marked until process completion unless is reissued on the serialized process with the option. The option causes the pid specified with the option to return to normal timeshare scheduling algorithms. This call is used to improve process throughput, since process throughput usually increases for large processes when they are executed serially instead of allowing each program to run for only a short period of time. By running large processes one at a time, the system makes more efficient use of the CPU as well as system memory, since each process does not end up constantly faulting in its working set, to only have the pages stolen when another process starts running. As long as there is enough memory in the system, processes marked by behave no differently from other processes in the system. However, once memory becomes tight, processes marked by are run one at a time with the highest priority processes being run first. Each process will run for a finite interval of time before another serialized process is allowed to run. Options supports the following options: Indicates the process specified by pid should be returned to timeshare scheduling. Indicates the pid of the target process. If neither option is specified, is invoked on the command line passed in. RETURN VALUE
returns the following value: Successful completion. Invalid pid specification, nonnumeric entry, or pid specification is that of a special system process. Could not execute the specified command. No such process. Must be root or a member of a group having the privilege to execute ERRORS
fails under the following condition and sets (see errno(2)) to the following value: The pid passed in does not exist. EXAMPLES
Use to force a database application to run serially with other processes marked for serialization: Force a currently running process with a pid value of 215 to run serially with other processes marked for serialization: Return a process previously marked for serialization to normal timeshare scheduling. The pid of the target process for this example is WARNINGS
The user has no way of forcing an execution order on serialized processes. AUTHOR
was developed by HP. SEE ALSO
setprivgrp(1M), getprivgrp(2), serialize(2). serialize(1)