LVS FullNAT deployment manual (4): related configuration
1. Kernel privilege escalation
The kernel currently used by FullNAT is 2.6.32-220.23.1.el6, and a local privilege-escalation vulnerability in the kernel was recently disclosed. Every CentOS 6 release except 6.5 is affected.
WooYun has already published the details: http://zone.wooyun.org/content/3733
The workaround is:
sysctl kernel.perf_event_paranoid=2
and to write the same setting into /etc/sysctl.conf so it survives a reboot. On the meaning of kernel.perf_event_paranoid:
kernel.perf_event_paranoid = 2: you can't take any measurements. The perf utility might still be useful to analyse existing records with perf ls, perf report, perf timechart or perf trace.
kernel.perf_event_paranoid = 1: you can trace a command with perf stat or perf record, and get kernel profiling data.
kernel.perf_event_paranoid = 0: you can trace a command with perf stat or perf record, and get CPU event data.
kernel.perf_event_paranoid = -1: you get raw access to kernel tracepoints (specifically, you can mmap the file created by perf_event_open, I don't know what the implications are).
If you would rather fix it in the kernel itself, edit kernel/events/core.c, find the line declaring int sysctl_perf_event_paranoid and change the value it is initialised to (at the end of that line) to 2. Then turn the change into a patch and build it into a kernel RPM package.
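The sysctl workaround above as a small check-and-persist script. This is an added example, not part of the original manual; the sysctl.conf path is passed as a parameter so the persist step can be tried against a scratch file before touching the real one.

```bash
#!/bin/sh
# Added example (not from the original manual): verify and persist
# kernel.perf_event_paranoid=2 on a CentOS 6 host.

# Current effective value from procfs (empty if the key does not exist).
perf_paranoid_current() {
    cat /proc/sys/kernel/perf_event_paranoid 2>/dev/null
}

# Return 0 when the running kernel already restricts perf to level 2 or higher.
perf_paranoid_ok() {
    v=$(perf_paranoid_current)
    [ -n "$v" ] && [ "$v" -ge 2 ]
}

# Idempotently set kernel.perf_event_paranoid = 2 in the given sysctl.conf:
# rewrite an existing line (whatever its old value), otherwise append one.
# Prints the resulting line so the caller can confirm it.
persist_perf_paranoid() {
    conf=$1
    [ -f "$conf" ] || : > "$conf"
    if grep -q '^[[:space:]]*kernel\.perf_event_paranoid[[:space:]]*=' "$conf"; then
        sed 's/^[[:space:]]*kernel\.perf_event_paranoid[[:space:]]*=.*/kernel.perf_event_paranoid = 2/' \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'kernel.perf_event_paranoid = 2\n' >> "$conf"
    fi
    grep '^kernel\.perf_event_paranoid' "$conf"
}

# Apply on the live host (needs root): set the value now, persist it,
# then re-check procfs.
harden_perf_paranoid() {
    sysctl -w kernel.perf_event_paranoid=2 >/dev/null || return 1
    persist_perf_paranoid /etc/sysctl.conf >/dev/null
    perf_paranoid_ok
}
```

Run harden_perf_paranoid as root on the director; perf_paranoid_ok alone is enough for a read-only audit of existing hosts.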
2. To be continued