# sysctl.conf shipped with the linux-libre-grsec package
# (libre/linux-libre-grsec/sysctl.conf). One `key = value` per line, applied by
# sysctl(8) at boot. A line that starts with '#' is a comment, so a
# commented-out key simply leaves that option at the kernel's built-in default.
#
# All features in the kernel.grsecurity namespace are disabled by default.
#
# Several options below are group based: the kernel compares a process's GID
# against the numeric *_gid value, so every GID here must match the named group
# on the target system (presumably created by the package's install scripts --
# confirm). A wrong GID silently applies the restriction to the wrong users, or
# to nobody.
#
# Order matters for the last entry (grsec_lock): once it is set to 1 no further
# kernel.grsecurity.* change is accepted until reboot, so it has to stay last.

#
# Disable PaX enforcement by default, due to lacking integration with packages.
#
# In softmode PaX only enforces its protections on binaries that carry explicit
# PaX markings; everything else runs without PaX protection.
#
# This is considered a major flaw in this package and will be corrected in the
# future. Many binaries need to be flagged as requiring an exception from the
# PaX rules.
#

kernel.pax.softmode = 1

#
# Memory protections
#
# disable_priv_io:  deny the ioperm/iopl port-I/O syscalls (left at the kernel
#                   default here).
# deter_bruteforce: slow down repeated exploit attempts -- forks of a parent
#                   whose child was killed by PaX are delayed, and a setuid
#                   binary that keeps crashing is temporarily barred from
#                   being executed again.
#

#kernel.grsecurity.disable_priv_io = 1
kernel.grsecurity.deter_bruteforce = 1

#
# Race free SymLinksIfOwnerMatch for web servers
#
# For processes in symlinkown_gid a symlink is followed only when the link's
# owner matches the owner of its target. The check is done in the kernel, so it
# cannot be raced the way the equivalent userspace (Apache) option can.
#
# symlinkown_gid: http group
#

kernel.grsecurity.enforce_symlinksifowner = 1
kernel.grsecurity.symlinkown_gid = 33

#
# FIFO restrictions
#
# Prevent writing to a FIFO in a world-writable sticky directory (e.g. /tmp),
# unless the owner of the FIFO is the same as the owner of the directory it's
# held in.
#

kernel.grsecurity.fifo_restrictions = 1

#
# Deny any further rw mounts
#
# Once set, no new read-write mounts (and no read-only -> read-write remounts)
# are allowed until reboot. Left at the kernel default (off) here.
#

#kernel.grsecurity.romount_protect = 1

#
# chroot restrictions (these will break containers)
#
# All left at the kernel default (off). Enable selectively only on hosts that
# do not rely on chroot-based containers.
#

#kernel.grsecurity.chroot_caps = 1
#kernel.grsecurity.chroot_deny_chmod = 1
#kernel.grsecurity.chroot_deny_chroot = 1
#kernel.grsecurity.chroot_deny_fchdir = 1
#kernel.grsecurity.chroot_deny_mknod = 1
#kernel.grsecurity.chroot_deny_mount = 1
#kernel.grsecurity.chroot_deny_pivot = 1
#kernel.grsecurity.chroot_deny_shmat = 1
#kernel.grsecurity.chroot_deny_sysctl = 1
#kernel.grsecurity.chroot_deny_unix = 1
#kernel.grsecurity.chroot_enforce_chdir = 1
#kernel.grsecurity.chroot_findtask = 1
#kernel.grsecurity.chroot_restrict_nice = 1

#
# Kernel auditing
#
# audit_group: Restrict exec/chdir logging to a group.
# audit_gid:   audit group
#
# audit_gid is set below but audit_group is left off, so the GID has no effect
# until audit_group (and the individual *_logging options) are enabled. The
# logging options are off by default because they are noisy on a desktop.
#

#kernel.grsecurity.audit_group = 1
kernel.grsecurity.audit_gid = 201
#kernel.grsecurity.exec_logging = 1
#kernel.grsecurity.resource_logging = 1
#kernel.grsecurity.chroot_execlog = 1
#kernel.grsecurity.audit_ptrace = 1
#kernel.grsecurity.audit_chdir = 1
#kernel.grsecurity.audit_mount = 1
#kernel.grsecurity.signal_logging = 1
#kernel.grsecurity.forkfail_logging = 1
#kernel.grsecurity.timechange_logging = 1
#kernel.grsecurity.rwxmap_logging = 1

#
# Executable protections
#
# harden_ptrace:    unprivileged processes may only ptrace their own
#                   descendants (CAP_SYS_PTRACE is needed otherwise).
# ptrace_readexec:  a process executing a binary the tracer cannot read may
#                   not be ptraced.
# consistent_setxid: a failed setuid/setgid in a multithreaded process kills
#                   the whole process instead of leaving threads with mixed
#                   privileges.
# harden_ipc:       deny non-owner access to overly permissive (world-writable)
#                   IPC objects.
#

kernel.grsecurity.harden_ptrace = 1
kernel.grsecurity.ptrace_readexec = 1
kernel.grsecurity.consistent_setxid = 1
kernel.grsecurity.harden_ipc = 1

#
# Trusted Path Execution
#
# tpe_gid: tpe group
#
# tpe_gid is set below but TPE itself is left off, so the GID has no effect
# until tpe = 1 is enabled.
#

#kernel.grsecurity.tpe = 1
kernel.grsecurity.tpe_gid = 200
#kernel.grsecurity.tpe_invert = 1
#kernel.grsecurity.tpe_restrict_all = 1

#
# Network protections
#
# ip_blackhole:      drop (rather than reject) packets to closed ports; left at
#                    the kernel default (off).
# lastack_retries:   retransmit count for TCP sockets in LAST_ACK, kept low to
#                    limit how long half-closed connections hold resources.
# socket_all_gid:    socket-deny-all group    (members get no sockets at all)
# socket_client_gid: socket-deny-client group (members cannot connect out)
# socket_server_gid: socket-deny-server group (members cannot bind/listen)
#
# The three socket_* switches are on; the restriction reaches only processes
# whose GID matches the corresponding *_gid below.
#

#kernel.grsecurity.ip_blackhole = 1
kernel.grsecurity.lastack_retries = 4
kernel.grsecurity.socket_all = 1
kernel.grsecurity.socket_all_gid = 202
kernel.grsecurity.socket_client = 1
kernel.grsecurity.socket_client_gid = 203
kernel.grsecurity.socket_server = 1
kernel.grsecurity.socket_server_gid = 204

#
# Prevent any new USB devices from being recognized by the OS.
#
# Left at the kernel default (off); intended for hosts that are physically
# exposed once booted.
#

#kernel.grsecurity.deny_new_usb = 1

#
# Restrict grsec sysctl changes after this was set
#
# 0 keeps every kernel.grsecurity.* option writable at runtime by root, so the
# settings above can still be relaxed by anyone who gains root. Setting 1
# makes them read-only until reboot. This must remain the last line in the
# file, because nothing after it would be applied once the lock is engaged.
#

kernel.grsecurity.grsec_lock = 0