From 2702acf6a54c50b53011754092d3cdaaaea0714c Mon Sep 17 00:00:00 2001
From: shackra
Date: Wed, 23 Apr 2014 16:03:40 -0600
Subject: Merge branch 'master' of ssh://projects.parabolagnulinux.org:1863/srv/git/abslibre
# Please enter a commit message to explain why this merge is necessary,
# especially if it merges an updated upstream into a topic branch.
#
# Lines starting with '#' will be ignored, and an empty message aborts
# the commit.
Signed-off-by: shackra
---
 libre/linux-libre-grsec/sysctl.conf | 129 ++++++++++++++++++++++++++++++++++++
 1 file changed, 129 insertions(+)
 create mode 100644 libre/linux-libre-grsec/sysctl.conf
(limited to 'libre/linux-libre-grsec/sysctl.conf')
diff --git a/libre/linux-libre-grsec/sysctl.conf b/libre/linux-libre-grsec/sysctl.conf
new file mode 100644
index 000000000..a1af2c48e
--- /dev/null
+++ b/libre/linux-libre-grsec/sysctl.conf
@@ -0,0 +1,129 @@
+# All features in the kernel.grsecurity namespace are disabled by default.
+
+#
+# Disable PaX enforcement by default, due to lacking integration with packages.
+#
+# This is considered a major flaw in this package and will be corrected in the
+# future. Many binaries need to be flagged as requiring an exception from the
+# PaX rules.
+#
+
+kernel.pax.softmode = 1
+
+#
+# Memory protections
+#
+
+#kernel.grsecurity.disable_priv_io = 1
+kernel.grsecurity.deter_bruteforce = 1
+
+#
+# Race free SymLinksIfOwnerMatch for web servers
+#
+# symlinkown_gid: http group
+#
+
+kernel.grsecurity.enforce_symlinksifowner = 1
+kernel.grsecurity.symlinkown_gid = 33
+
+#
+# FIFO restrictions
+#
+# Prevent writing to a FIFO in a world-writable sticky directory (e.g. /tmp),
+# unless the owner of the FIFO is the same owner of the directory it's held in.
+#
+
+kernel.grsecurity.fifo_restrictions = 1
+
+#
+# Deny any further rw mounts
+#
+
+#kernel.grsecurity.romount_protect = 1
+
+#
+# chroot restrictions (these will break containers)
+#
+
+#kernel.grsecurity.chroot_caps = 1
+#kernel.grsecurity.chroot_deny_chmod = 1
+#kernel.grsecurity.chroot_deny_chroot = 1
+#kernel.grsecurity.chroot_deny_fchdir = 1
+#kernel.grsecurity.chroot_deny_mknod = 1
+#kernel.grsecurity.chroot_deny_mount = 1
+#kernel.grsecurity.chroot_deny_pivot = 1
+#kernel.grsecurity.chroot_deny_shmat = 1
+#kernel.grsecurity.chroot_deny_sysctl = 1
+#kernel.grsecurity.chroot_deny_unix = 1
+#kernel.grsecurity.chroot_enforce_chdir = 1
+#kernel.grsecurity.chroot_findtask = 1
+#kernel.grsecurity.chroot_restrict_nice = 1
+
+#
+# Kernel auditing
+#
+# audit_group: Restrict exec/chdir logging to a group.
+# audit_gid: audit group
+#
+
+#kernel.grsecurity.audit_group = 1
+kernel.grsecurity.audit_gid = 201
+#kernel.grsecurity.exec_logging = 1
+#kernel.grsecurity.resource_logging = 1
+#kernel.grsecurity.chroot_execlog = 1
+#kernel.grsecurity.audit_ptrace = 1
+#kernel.grsecurity.audit_chdir = 1
+#kernel.grsecurity.audit_mount = 1
+#kernel.grsecurity.signal_logging = 1
+#kernel.grsecurity.forkfail_logging = 1
+#kernel.grsecurity.timechange_logging = 1
+#kernel.grsecurity.rwxmap_logging = 1
+
+#
+# Executable protections
+#
+
+kernel.grsecurity.harden_ptrace = 1
+kernel.grsecurity.ptrace_readexec = 1
+kernel.grsecurity.consistent_setxid = 1
+kernel.grsecurity.harden_ipc = 1
+
+#
+# Trusted Path Execution
+#
+# tpe_gid: tpe group
+#
+
+#kernel.grsecurity.tpe = 1
+kernel.grsecurity.tpe_gid = 200
+#kernel.grsecurity.tpe_invert = 1
+#kernel.grsecurity.tpe_restrict_all = 1
+
+#
+# Network protections
+#
+# socket_all_gid: socket-deny-all group
+# socket_client_gid: socket-deny-client group
+# socket_server_gid: socket-deny-server group
+#
+
+#kernel.grsecurity.ip_blackhole = 1
+kernel.grsecurity.lastack_retries = 4
+kernel.grsecurity.socket_all = 1
+kernel.grsecurity.socket_all_gid = 202
+kernel.grsecurity.socket_client = 1
+kernel.grsecurity.socket_client_gid = 203
+kernel.grsecurity.socket_server = 1
+kernel.grsecurity.socket_server_gid = 204
+
+#
+# Prevent any new USB devices from being recognized by the OS.
+#
+
+#kernel.grsecurity.deny_new_usb = 1
+
+#
+# Restrict grsec sysctl changes after this was set
+#
+
+kernel.grsecurity.grsec_lock = 0
-- cgit v1.2.3
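Review bot: The socket_all, socket_client and socket_server restrictions are switched on with hard-coded GIDs 202, 203 and 204 (and audit_gid 201, tpe_gid 200 and symlinkown_gid 33 likewise), but nothing in this file or the commit creates the groups the comments name, so on a host where GID 202 is unassigned the deny-all restriction presumably applies to nobody, and where an unrelated local group already holds that GID its members would be the ones denied sockets. Each gid line should state that dependency rather than just the group name, e.g. `# socket_all_gid: socket-deny-all group (must be created with exactly this GID by the package install)`, or the GIDs should be assigned where the groups are created rather than fixed here. The closing `kernel.grsecurity.grsec_lock = 0` also leaves every setting above changeable at runtime; if that is deliberate so that kernel.pax.softmode can be adjusted while the package integration described at the top is pending, say so in that comment, otherwise set it to 1 as the last line so the loaded configuration is fixed.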