Differences
This shows you the differences between two versions of the page.
|
linux:grsec [2006/04/17 16:12] a more |
linux:grsec [2009/05/25 00:35] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Linux / grsecurity kernel patch ====== | ||
| - | **Grsecurity** is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. It is licensed under the GPL. | ||
| - | It offers among many other features: | ||
| - | * An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration | ||
| - | * Change root (chroot) hardening | ||
| - | * /tmp race prevention | ||
| - | * Extensive auditing | ||
| - | * Prevention of entire classes of exploits related to address space bugs (from the PaX project) | ||
| - | * Additional randomness in the TCP/IP stack | ||
| - | * A restriction that allows a user to only view his/her processes | ||
| - | * Every security alert or audit contains the IP address of the person that caused the event | ||
| - | |||
| - | taken from GrSecHomepage :) | ||
| - | |||
| - | ==== Links ==== | ||
| - | * [[http:// | ||
| - | |||
| - | |||
| - | ===== Instalation ===== | ||
| - | |||
| - | dowload grsecurity patch for your kernel (2.6.x / 2.4.x) from the [[http:// | ||
| - | |||
| - | ==== Kernel patching ==== | ||
| - | |||
| - | server@/ | ||
| - | |||
| - | ==== kernel 2.4.x tips ==== | ||
| - | ==== kernel 2.6.x tips ==== | ||
| - | |||
| - | ===== Configuration ===== | ||
| - | |||
| - | putting all Grsec sysctl options into sysctl.conf | ||
| - | |||
| - | sysctl -a |grep grsec >> / | ||
| - | |||
| - | ==== sysctl ==== | ||
| - | |||
| - | kernel.grsecurity.destroy_unused_shm = 1 | ||
| - | kernel.grsecurity.chroot_findtask = 1 | ||
| - | kernel.grsecurity.dmesg = 0 | ||
| - | kernel.grsecurity.audit_ipc = 1 | ||
| - | kernel.grsecurity.audit_mount = 0 | ||
| - | kernel.grsecurity.audit_chdir = 0 | ||
| - | kernel.grsecurity.audit_gid = 33 | ||
| - | kernel.grsecurity.audit_group = 1 | ||
| - | kernel.grsecurity.rand_tcp_src_ports = 1 | ||
| - | kernel.grsecurity.rand_pids = 1 | ||
| - | kernel.grsecurity.tpe_restrict_all = 0 | ||
| - | kernel.grsecurity.tpe_gid = 0 | ||
| - | kernel.grsecurity.tpe = 0 | ||
| - | kernel.grsecurity.chroot_deny_sysctl = 1 | ||
| - | kernel.grsecurity.chroot_caps = 1 | ||
| - | kernel.grsecurity.chroot_execlog = 1 | ||
| - | kernel.grsecurity.chroot_restrict_nice = 1 | ||
| - | kernel.grsecurity.chroot_deny_mknod = 1 | ||
| - | kernel.grsecurity.chroot_deny_chmod = 1 | ||
| - | kernel.grsecurity.chroot_enforce_chdir = 1 | ||
| - | kernel.grsecurity.chroot_deny_pivot = 1 | ||
| - | kernel.grsecurity.chroot_deny_chroot = 1 | ||
| - | kernel.grsecurity.chroot_deny_fchdir = 1 | ||
| - | kernel.grsecurity.chroot_deny_mount = 1 | ||
| - | kernel.grsecurity.chroot_deny_unix = 1 | ||
| - | kernel.grsecurity.chroot_deny_shmat = 1 | ||
| - | kernel.grsecurity.timechange_logging = 1 | ||
| - | kernel.grsecurity.forkfail_logging = 1 | ||
| - | kernel.grsecurity.signal_logging = 1 | ||
| - | kernel.grsecurity.exec_logging = 0 | ||
| - | kernel.grsecurity.execve_limiting = 1 | ||
| - | kernel.grsecurity.fifo_restrictions = 1 | ||
| - | kernel.grsecurity.linking_restrictions = 1 | ||
| - | kernel.pax.softmode = 1 | ||
| - | kernel.grsecurity.grsec_lock = 0 | ||
| - | |||
| - | ==== PaX ==== | ||
| - | ==== gdadm ==== | ||
| - | TODO | ||
| - | |||
| - | ==== grsec iptables patch ==== | ||
| - | TODO | ||
