Differences
This shows you the differences between two versions of the page.
linux:grsec [2006/04/17 16:12] a more |
linux:grsec [2009/05/25 00:35] |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Linux / grsecurity kernel patch ====== | ||
- | **Grsecurity** is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. It is licensed under the GPL. | ||
- | It offers among many other features: | ||
- | * An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration | ||
- | * Change root (chroot) hardening | ||
- | * /tmp race prevention | ||
- | * Extensive auditing | ||
- | * Prevention of entire classes of exploits related to address space bugs (from the PaX project) | ||
- | * Additional randomness in the TCP/IP stack | ||
- | * A restriction that allows a user to only view his/her processes | ||
- | * Every security alert or audit contains the IP address of the person that caused the event | ||
- | |||
- | taken from GrSecHomepage :) | ||
- | |||
- | ==== Links ==== | ||
- | * [[http:// | ||
- | |||
- | |||
- | ===== Instalation ===== | ||
- | |||
- | dowload grsecurity patch for your kernel (2.6.x / 2.4.x) from the [[http:// | ||
- | |||
- | ==== Kernel patching ==== | ||
- | |||
- | server@/ | ||
- | |||
- | ==== kernel 2.4.x tips ==== | ||
- | ==== kernel 2.6.x tips ==== | ||
- | |||
- | ===== Configuration ===== | ||
- | |||
- | putting all Grsec sysctl options into sysctl.conf | ||
- | |||
- | sysctl -a |grep grsec >> / | ||
- | |||
- | ==== sysctl ==== | ||
- | |||
- | kernel.grsecurity.destroy_unused_shm = 1 | ||
- | kernel.grsecurity.chroot_findtask = 1 | ||
- | kernel.grsecurity.dmesg = 0 | ||
- | kernel.grsecurity.audit_ipc = 1 | ||
- | kernel.grsecurity.audit_mount = 0 | ||
- | kernel.grsecurity.audit_chdir = 0 | ||
- | kernel.grsecurity.audit_gid = 33 | ||
- | kernel.grsecurity.audit_group = 1 | ||
- | kernel.grsecurity.rand_tcp_src_ports = 1 | ||
- | kernel.grsecurity.rand_pids = 1 | ||
- | kernel.grsecurity.tpe_restrict_all = 0 | ||
- | kernel.grsecurity.tpe_gid = 0 | ||
- | kernel.grsecurity.tpe = 0 | ||
- | kernel.grsecurity.chroot_deny_sysctl = 1 | ||
- | kernel.grsecurity.chroot_caps = 1 | ||
- | kernel.grsecurity.chroot_execlog = 1 | ||
- | kernel.grsecurity.chroot_restrict_nice = 1 | ||
- | kernel.grsecurity.chroot_deny_mknod = 1 | ||
- | kernel.grsecurity.chroot_deny_chmod = 1 | ||
- | kernel.grsecurity.chroot_enforce_chdir = 1 | ||
- | kernel.grsecurity.chroot_deny_pivot = 1 | ||
- | kernel.grsecurity.chroot_deny_chroot = 1 | ||
- | kernel.grsecurity.chroot_deny_fchdir = 1 | ||
- | kernel.grsecurity.chroot_deny_mount = 1 | ||
- | kernel.grsecurity.chroot_deny_unix = 1 | ||
- | kernel.grsecurity.chroot_deny_shmat = 1 | ||
- | kernel.grsecurity.timechange_logging = 1 | ||
- | kernel.grsecurity.forkfail_logging = 1 | ||
- | kernel.grsecurity.signal_logging = 1 | ||
- | kernel.grsecurity.exec_logging = 0 | ||
- | kernel.grsecurity.execve_limiting = 1 | ||
- | kernel.grsecurity.fifo_restrictions = 1 | ||
- | kernel.grsecurity.linking_restrictions = 1 | ||
- | kernel.pax.softmode = 1 | ||
- | kernel.grsecurity.grsec_lock = 0 | ||
- | |||
- | ==== PaX ==== | ||
- | ==== gdadm ==== | ||
- | TODO | ||
- | |||
- | ==== grsec iptables patch ==== | ||
- | TODO |