Differences
This shows you the differences between two versions of the page.
linux:grsec [2006/02/19 20:04] 193.77.56.193 created document |
linux:grsec [2006/06/09 00:40] a gradm install |
Line 12: | Line 12: | ||
* Every security alert or audit contains the IP address of the person that caused the event | * Every security alert or audit contains the IP address of the person that caused the event | ||
- | taked from GrSecHomepage :) | + | taken from GrSecHomepage :) |
==== Links ==== | ==== Links ==== | ||
* [[http:// | * [[http:// | ||
+ | * [[http:// | ||
+ | * [[http:// | ||
===== Instalation ===== | ===== Instalation ===== | ||
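Review bot: the heading "===== Instalation =====" at the end of this hunk is misspelled on both sides; since the revision already corrects "taked" to "taken" a few lines above, "Installation" should be fixed in the same edit.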
Line 24: | Line 26: | ||
server@/ | server@/ | ||
+ | |||
+ | ==== gradm install from source ==== | ||
+ | |||
+ | # gradm-xxxx.tar.gz | ||
+ | # cd gradm | ||
+ | # ./configure | ||
+ | # make && make install | ||
+ | ... | ||
+ | Setting up grsecurity ACL password | ||
+ | Password: | ||
+ | Re-enter Password: | ||
+ | Password written to / | ||
+ | |||
==== kernel 2.4.x tips ==== | ==== kernel 2.4.x tips ==== | ||
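Review bot: the first line of the added "gradm install from source" listing, `# gradm-xxxx.tar.gz`, is a file name rather than a command, and the extraction step that produces the directory for the following `# cd gradm` is missing; add something like `# tar xzf gradm-xxxx.tar.gz` before it, keeping the version placeholder. Since the version is left as `xxxx`, it would also help to state that the gradm release has to correspond to the grsecurity version of the running kernel, otherwise the RBAC system will refuse to work with it.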
Line 29: | Line 44: | ||
===== Configuration ===== | ===== Configuration ===== | ||
+ | |||
+ | putting all Grsec sysctl options into sysctl.conf | ||
+ | |||
+ | sysctl -a |grep grsec >> / | ||
+ | |||
==== sysctl ==== | ==== sysctl ==== | ||
+ | |||
+ | kernel.grsecurity.destroy_unused_shm = 1 | ||
+ | kernel.grsecurity.chroot_findtask = 1 | ||
+ | kernel.grsecurity.dmesg = 0 | ||
+ | kernel.grsecurity.audit_ipc = 1 | ||
+ | kernel.grsecurity.audit_mount = 0 | ||
+ | kernel.grsecurity.audit_chdir = 0 | ||
+ | kernel.grsecurity.audit_gid = 33 | ||
+ | kernel.grsecurity.audit_group = 1 | ||
+ | kernel.grsecurity.rand_tcp_src_ports = 1 | ||
+ | kernel.grsecurity.rand_pids = 1 | ||
+ | kernel.grsecurity.tpe_restrict_all = 0 | ||
+ | kernel.grsecurity.tpe_gid = 0 | ||
+ | kernel.grsecurity.tpe = 0 | ||
+ | kernel.grsecurity.chroot_deny_sysctl = 1 | ||
+ | kernel.grsecurity.chroot_caps = 1 | ||
+ | kernel.grsecurity.chroot_execlog = 1 | ||
+ | kernel.grsecurity.chroot_restrict_nice = 1 | ||
+ | kernel.grsecurity.chroot_deny_mknod = 1 | ||
+ | kernel.grsecurity.chroot_deny_chmod = 1 | ||
+ | kernel.grsecurity.chroot_enforce_chdir = 1 | ||
+ | kernel.grsecurity.chroot_deny_pivot = 1 | ||
+ | kernel.grsecurity.chroot_deny_chroot = 1 | ||
+ | kernel.grsecurity.chroot_deny_fchdir = 1 | ||
+ | kernel.grsecurity.chroot_deny_mount = 1 | ||
+ | kernel.grsecurity.chroot_deny_unix = 1 | ||
+ | kernel.grsecurity.chroot_deny_shmat = 1 | ||
+ | kernel.grsecurity.timechange_logging = 1 | ||
+ | kernel.grsecurity.forkfail_logging = 1 | ||
+ | kernel.grsecurity.signal_logging = 1 | ||
+ | kernel.grsecurity.exec_logging = 0 | ||
+ | kernel.grsecurity.execve_limiting = 1 | ||
+ | kernel.grsecurity.fifo_restrictions = 1 | ||
+ | kernel.grsecurity.linking_restrictions = 1 | ||
+ | kernel.pax.softmode = 1 | ||
+ | kernel.grsecurity.grsec_lock = 0 | ||
+ | |||
+ | ==== PaX ==== | ||
+ | |||
+ | * [[http:// | ||
+ | |||
==== gdadm ==== | ==== gdadm ==== | ||
- | | + | |
+ | The **gradm** utility controls only grsecurity' | ||
+ | |||
+ | | ||
+ | |||
+ | Once you've set up a password, you can log into gradm as admin with the command: | ||
+ | |||
+ | gradm -a | ||
+ | |||
+ | An innovative way to set up RBAC is to use grsecurity' | ||
+ | |||
+ | gradm -F -L / | ||
+ | |||
+ | Let this mode run for a day or two to catch any time-sensitive processes. Avoid any administrative tasks during this time -- remember, the root account is no longer trusted. After grsecurity has had enough time to recognize normal system usage, shut down learning mode and log into gradm as admin. Shutting down learning mode is necessary because grsecurity hides its configuration files when RBAC is running, as it is during learning mode. This means that the system will display an error message about not being able to find learning.log. In fact, the directory /etc/grsec will not appear to exist, even to root. | ||
+ | |||
+ | To write the ACL to disk, run the command: | ||
+ | |||
+ | gradm -F -L / | ||
+ | |||
+ | To start RBAC with your new ACL, run: | ||
+ | |||
+ | gradm -E | ||
+ | |||
+ | You can now enjoy the security advantages of processes running with the least amount of privileges necessary. | ||
+ | |||
+ | If you encounter any problems, disable RBAC by first logging in with the admin password and then running: | ||
+ | |||
+ | gradm -D | ||
==== grsec iptables patch ==== | ==== grsec iptables patch ==== | ||
TODO | TODO |
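Review bot: two values in the added sysctl listing weaken the configuration and need a comment in the page: `kernel.pax.softmode = 1` puts PaX in soft mode, where its protections are off for every binary unless explicitly enabled per file, and `kernel.grsecurity.grsec_lock = 0` leaves all of the listed options changeable at runtime, so the `chroot_*`, `audit_*` and `*_logging` settings only hold until someone with root writes new values. If this is meant as a transitional setup, say so; otherwise document setting `grsec_lock` to 1 as the final step after the other values have been loaded. Two smaller points in the same hunk: `sysctl -a |grep grsec` will not capture the `kernel.pax.*` entries that the listing includes, and the heading `==== gdadm ====` should read `gradm`, which is the utility the section describes.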