summaryrefslogtreecommitdiff
path: root/libre/linux-libre-grsec/sysctl.conf
blob: bef8e350d662fd14ad36db5c3baf54e079ac09b4 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
# All features in the kernel.grsecurity namespace are disabled by default in
# the kernel and must be enabled here.

#
# Disable PaX enforcement by default.
#
# The `paxd` package sets softmode back to 0 in a configuration file loaded
# after this one. It automatically handles setting exceptions from the PaX
# exploit mitigations after Pacman operations. Altering the setting here rather
# than using `paxd` is not recommended.
#

kernel.pax.softmode = 1

#
# Memory protections
#

#kernel.grsecurity.disable_priv_io = 1
kernel.grsecurity.deter_bruteforce = 1

#
# Race free SymLinksIfOwnerMatch for web servers
#
# symlinkown_gid: http group
#

kernel.grsecurity.enforce_symlinksifowner = 1
kernel.grsecurity.symlinkown_gid = 33

#
# FIFO restrictions
#
# Prevent writing to a FIFO in a world-writable sticky directory (e.g. /tmp),
# unless the owner of the FIFO is the same owner of the directory it's held in.
#

kernel.grsecurity.fifo_restrictions = 1

#
# Deny any further rw mounts
#

#kernel.grsecurity.romount_protect = 1

#
# chroot restrictions (these will break containers)
#

#kernel.grsecurity.chroot_caps = 1
#kernel.grsecurity.chroot_deny_chmod = 1
#kernel.grsecurity.chroot_deny_chroot = 1
#kernel.grsecurity.chroot_deny_fchdir = 1
#kernel.grsecurity.chroot_deny_mknod = 1
#kernel.grsecurity.chroot_deny_mount = 1
#kernel.grsecurity.chroot_deny_pivot = 1
#kernel.grsecurity.chroot_deny_shmat = 1
#kernel.grsecurity.chroot_deny_sysctl = 1
#kernel.grsecurity.chroot_deny_unix = 1
#kernel.grsecurity.chroot_enforce_chdir = 1
#kernel.grsecurity.chroot_findtask = 1
#kernel.grsecurity.chroot_restrict_nice = 1

#
# Kernel auditing
#
# audit_group: Restrict exec/chdir logging to a group.
# audit_gid: audit group
#

#kernel.grsecurity.audit_group = 1
kernel.grsecurity.audit_gid = 201
#kernel.grsecurity.exec_logging = 1
#kernel.grsecurity.resource_logging = 1
#kernel.grsecurity.chroot_execlog = 1
#kernel.grsecurity.audit_ptrace = 1
#kernel.grsecurity.audit_chdir = 1
#kernel.grsecurity.audit_mount = 1
#kernel.grsecurity.signal_logging = 1
#kernel.grsecurity.forkfail_logging = 1
#kernel.grsecurity.timechange_logging = 1
kernel.grsecurity.rwxmap_logging = 1

#
# Executable protections
#

kernel.grsecurity.harden_ptrace = 1
kernel.grsecurity.ptrace_readexec = 1
kernel.grsecurity.consistent_setxid = 1
kernel.grsecurity.harden_ipc = 1

#
# Trusted Path Execution
#
# tpe_gid: tpe group
#

#kernel.grsecurity.tpe = 1
kernel.grsecurity.tpe_gid = 200
#kernel.grsecurity.tpe_invert = 1
#kernel.grsecurity.tpe_restrict_all = 1

#
# Network protections
#
# socket_all_gid:    socket-deny-all group
# socket_client_gid: socket-deny-client group
# socket_server_gid: socket-deny-server group
#

#kernel.grsecurity.ip_blackhole = 1
kernel.grsecurity.lastack_retries = 4
kernel.grsecurity.socket_all = 1
kernel.grsecurity.socket_all_gid = 202
kernel.grsecurity.socket_client = 1
kernel.grsecurity.socket_client_gid = 203
kernel.grsecurity.socket_server = 1
kernel.grsecurity.socket_server_gid = 204

#
# Prevent any new USB devices from being recognized by the OS.
#

#kernel.grsecurity.deny_new_usb = 1

#
# Restrict grsec sysctl changes after this was set
#

kernel.grsecurity.grsec_lock = 0