cgroups - pyllyukko/harden.yml GitHub Wiki
- Using libcgroup Tools
- Control Groups
- cgroups
- Introduction to Control Groups
- A Linux sysadmin's introduction to cgroups
- Slackware 15 probably doesn't properly support cgroup v2 as the tooling was introduced in v2.0 and Slackware 15 has 0.41
- Resource Management Guide
- Device Whitelist Controller
-
rc.cgconfigis responsible for loading/etc/cgconfig.conf -
rc.cgred(CGroups Rules Engine Daemon) (cgrulesengd) places processes into appropriate cgroups based in/etc/cgrules.confconfiguration
lssubsys -ammount|grep cgroup- Listing Controllers
lscgroup
Mount controllers:
for controller in cpuset cpu cpuacct blkio memory devices freezer net_cls perf_event net_prio pids misc; do mount -t cgroup -o ${controller} none /sys/fs/cgroup/${controller}; done
Some tests.
crw-rw-rw- 1 root tty 5, 2 Nov 14 20:41 /dev/ptmx
On the server:
# echo 'c 5:2 rwm' 1>/sys/fs/cgroup/devices/daemons/httpd/devices.deny
On Metasploit:
meterpreter > shell -t
[*] env TERM=xterm HISTFILE= /usr/bin/script -qc /bin/bash /dev/null
Process 29615 created.
Channel 5 created.
script: failed to create pseudo-terminal: Operation not permitted
meterpreter > shell
Process 13870 created.
Channel 9 created.
python -c 'import pty;pty.spawn("/bin/bash")'
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/usr/lib64/python2.7/pty.py", line 165, in spawn
pid, master_fd = fork()
File "/usr/lib64/python2.7/pty.py", line 107, in fork
master_fd, slave_fd = openpty()
File "/usr/lib64/python2.7/pty.py", line 29, in openpty
master_fd, slave_name = _open_terminal()
File "/usr/lib64/python2.7/pty.py", line 70, in _open_terminal
raise os.error, 'out of pty devices'
OSError: out of pty devices
/usr/sbin/cgconfigparser; error loading /etc/cgconfig.conf: Cgroup one of the needed subsystems is not mounted