summaryrefslogtreecommitdiff
path: root/libre/linux-libre-grsec/sysctl.conf
diff options
context:
space:
mode:
Diffstat (limited to 'libre/linux-libre-grsec/sysctl.conf')
-rw-r--r--libre/linux-libre-grsec/sysctl.conf131
1 files changed, 0 insertions, 131 deletions
diff --git a/libre/linux-libre-grsec/sysctl.conf b/libre/linux-libre-grsec/sysctl.conf
deleted file mode 100644
index a5f6bf83e..000000000
--- a/libre/linux-libre-grsec/sysctl.conf
+++ /dev/null
@@ -1,131 +0,0 @@
-# All features in the kernel.grsecurity namespace are disabled by default in
-# the kernel and must be enabled here.
-
-#
-# Disable PaX enforcement by default.
-#
-# The `paxd` package sets softmode back to 0 in a configuration file loaded
-# after this one. It automatically handles setting exceptions from the PaX
-# exploit mitigations after Pacman operations. Altering the setting here rather
-# than using `paxd` is not recommended.
-#
-
-kernel.pax.softmode = 1
-
-#
-# Memory protections
-#
-
-#kernel.grsecurity.disable_priv_io = 1
-kernel.grsecurity.deter_bruteforce = 1
-
-#
-# Race free SymLinksIfOwnerMatch for web servers
-#
-# symlinkown_gid: http group
-#
-
-kernel.grsecurity.enforce_symlinksifowner = 1
-kernel.grsecurity.symlinkown_gid = 33
-
-#
-# FIFO restrictions
-#
-# Prevent writing to a FIFO in a world-writable sticky directory (e.g. /tmp),
-# unless the owner of the FIFO is the same owner of the directory it's held in.
-#
-
-kernel.grsecurity.fifo_restrictions = 1
-
-#
-# Deny any further rw mounts
-#
-
-#kernel.grsecurity.romount_protect = 1
-
-#
-# chroot restrictions (the commented options will break containers)
-#
-
-#kernel.grsecurity.chroot_caps = 1
-#kernel.grsecurity.chroot_deny_chmod = 1
-#kernel.grsecurity.chroot_deny_chroot = 1
-kernel.grsecurity.chroot_deny_fchdir = 1
-#kernel.grsecurity.chroot_deny_mknod = 1
-#kernel.grsecurity.chroot_deny_mount = 1
-#kernel.grsecurity.chroot_deny_pivot = 1
-kernel.grsecurity.chroot_deny_shmat = 1
-kernel.grsecurity.chroot_deny_sysctl = 1
-kernel.grsecurity.chroot_deny_unix = 1
-kernel.grsecurity.chroot_enforce_chdir = 1
-kernel.grsecurity.chroot_findtask = 1
-#kernel.grsecurity.chroot_restrict_nice = 1
-
-#
-# Kernel auditing
-#
-# audit_group: Restrict exec/chdir logging to a group.
-# audit_gid: audit group
-#
-
-#kernel.grsecurity.audit_group = 1
-kernel.grsecurity.audit_gid = 201
-#kernel.grsecurity.exec_logging = 1
-#kernel.grsecurity.resource_logging = 1
-#kernel.grsecurity.chroot_execlog = 1
-#kernel.grsecurity.audit_ptrace = 1
-#kernel.grsecurity.audit_chdir = 1
-#kernel.grsecurity.audit_mount = 1
-#kernel.grsecurity.signal_logging = 1
-#kernel.grsecurity.forkfail_logging = 1
-#kernel.grsecurity.timechange_logging = 1
-kernel.grsecurity.rwxmap_logging = 1
-
-#
-# Executable protections
-#
-
-kernel.grsecurity.harden_ptrace = 1
-kernel.grsecurity.ptrace_readexec = 1
-kernel.grsecurity.consistent_setxid = 1
-kernel.grsecurity.harden_ipc = 1
-
-#
-# Trusted Path Execution
-#
-# tpe_gid: tpe group
-#
-
-#kernel.grsecurity.tpe = 1
-kernel.grsecurity.tpe_gid = 200
-#kernel.grsecurity.tpe_invert = 1
-#kernel.grsecurity.tpe_restrict_all = 1
-
-#
-# Network protections
-#
-# socket_all_gid: socket-deny-all group
-# socket_client_gid: socket-deny-client group
-# socket_server_gid: socket-deny-server group
-#
-
-#kernel.grsecurity.ip_blackhole = 1
-kernel.grsecurity.lastack_retries = 4
-kernel.grsecurity.socket_all = 1
-kernel.grsecurity.socket_all_gid = 202
-kernel.grsecurity.socket_client = 1
-kernel.grsecurity.socket_client_gid = 203
-kernel.grsecurity.socket_server = 1
-kernel.grsecurity.socket_server_gid = 204
-
-#
-# Prevent any new USB devices from being recognized by the OS.
-#
-
-#kernel.grsecurity.deny_new_usb = 1
-
-#
-# Restrict grsec sysctl changes after this was set
-#
-
-kernel.grsecurity.grsec_lock = 0