CWP custom kernel with security level similar to SeLinux.

Since this protection is MAC at the kernel level meaning all not allowed by the policy by default is denied and that provides the highest security for your system.

Not supported systems: openVZ, cloudlinux
Supported: All servers having ability to run & install default centos kernel.

How does it work?
We need to define into policy each binary file which is executed and specify allow list of rules for it.
We can allow per application, user, program, service access to specif file, port, ip …
We can allow for example that test.php file of the user “john” located at /home/john/public_html/test.php can be executed only by john user and only from php-cgi program which needs to be run by the john user.

File Based restrictions (please note all not allowed, by default is denied)
file read
file write
file execute
file append
file truncate
file rename
file getattr
file create
file unlink
file symlink
file link
file chown
file chgrp
file chmod
file chroot
file mkdir
file rmdir
file mkfifo
file mksock
file mkblock
file mkchar
file ioctl
file mount
file unmount
file pivot_root
misc env

Network limits
This rules allows to perform network socket operations.
network inet

Network limits
This rules allows to perform unix socket operations.
network unix

This protection can limit connection on the ip and/or port,
deny read/write/execute…. access to the files if owner is not match….

At the moment we have defined more than 650 rules which works with cwp only.
List of possible limits is huge so we can’t add all info here.

Since this requires maintenance at the moment its available only for our clients having an active support service.

If you have an active support service with us and you need additional high security of your server you can contact us for installation of our tools.