What limitations have been imposed in terms of things that need to talk to hardware?
If X is disabled by grsec, does this also mean that I'll have problems with CAPI?
The problem is that I need to harden a server running Plesk and Asterisk (a software-based PBX -- www.asterisk.org
). And in order to talk to the outside world without using VoIP, I have a couple of ISDN cards which Asterisk talks to via CAPI.
I'm wondering if the grsec patch will stop this from working in the same way as it stopped X from working?
Admittedly this server won't be accessible to the public over anything except http, https, 5060 and some RTP on ports above 1000, but a weakness in any php script I might write, or a flaw in Asterisk itself (which currently runs as root!) would make it very vulnerable.
I'm working to get Asterisk to run as another (unprived) user, and I'll be a lot happier once I do so. But I'd still like a grsec kernel running on this beast.
p.s. any chance of a gradm HOWTO/INTRO please? I'm ashamed to admit that I'm not really sure what I should be doing with it.