Mike/Scott,
What limitations have been imposed in terms of things that need to talk to hardware?
If X is disabled by grsec, does this also mean that I'll have problems with CAPI?
The problem is that I need to harden a server running Plesk and Asterisk (a software-based PBX -- www.asterisk.org). And in order to talk to the outside world without using VoIP, I have a couple of ISDN cards which Asterisk talks to via CAPI.
I'm wondering if the grsec patch will stop this from working in the same way as it stopped X from working?
Admittedly this server won't be accessible to the public over anything except HTTP, HTTPS, 5060 and some RTP on ports above 1000, but a weakness in any PHP script I might write, or a flaw in Asterisk itself (which currently runs as root!), would make it very vulnerable.
I'm working to get Asterisk to run as another (unprivileged) user, and I'll be a lot happier once I do so. But I'd still like a grsec kernel running on this beast.
Faris.
P.S. Any chance of a gradm HOWTO/INTRO please? I'm ashamed to admit that I'm not really sure what I should be doing with it.