[[linux:grsec]]
Trace: grsec
Show pagesource
AdminRecent ChangesSitemap

This is an old revision of the document!

Linux / grsecurity kernel patch

Grsecurity is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. It is licensed under the GPL. It offers among many other features:

  • An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
  • Change root (chroot) hardening
  • /tmp race prevention
  • Extensive auditing
  • Prevention of entire classes of exploits related to address space bugs (from the PaX project)
  • Additional randomness in the TCP/IP stack
  • A restriction that allows a user to only view his/her processes
  • Every security alert or audit contains the IP address of the person that caused the event

taken from GrSecHomepage :)

Instalation

dowload grsecurity patch for your kernel (2.6.x / 2.4.x) from the site. You might need to wait a bit for a grsecurity patch for latest kernel.

Kernel patching

server@/usr/src/linux# zcat ../grsecurity-2.XXX.patch.gz |patch -p1

kernel 2.4.x tips

kernel 2.6.x tips

Configuration

sysctl

kernel.grsecurity.destroy_unused_shm = 1
kernel.grsecurity.chroot_findtask = 1
kernel.grsecurity.dmesg = 0
kernel.grsecurity.audit_ipc = 1
kernel.grsecurity.audit_mount = 0
kernel.grsecurity.audit_chdir = 0
kernel.grsecurity.audit_gid = 33
kernel.grsecurity.audit_group = 1
kernel.grsecurity.rand_tcp_src_ports = 1
kernel.grsecurity.rand_pids = 1
kernel.grsecurity.tpe_restrict_all = 0
kernel.grsecurity.tpe_gid = 0
kernel.grsecurity.tpe = 0
kernel.grsecurity.chroot_deny_sysctl = 1
kernel.grsecurity.chroot_caps = 1
kernel.grsecurity.chroot_execlog = 1
kernel.grsecurity.chroot_restrict_nice = 1
kernel.grsecurity.chroot_deny_mknod = 1
kernel.grsecurity.chroot_deny_chmod = 1
kernel.grsecurity.chroot_enforce_chdir = 1
kernel.grsecurity.chroot_deny_pivot = 1
kernel.grsecurity.chroot_deny_chroot = 1
kernel.grsecurity.chroot_deny_fchdir = 1
kernel.grsecurity.chroot_deny_mount = 1
kernel.grsecurity.chroot_deny_unix = 1
kernel.grsecurity.chroot_deny_shmat = 1
kernel.grsecurity.timechange_logging = 1
kernel.grsecurity.forkfail_logging = 1
kernel.grsecurity.signal_logging = 1
kernel.grsecurity.exec_logging = 0
kernel.grsecurity.execve_limiting = 1
kernel.grsecurity.fifo_restrictions = 1
kernel.grsecurity.linking_restrictions = 1
kernel.pax.softmode = 1
kernel.grsecurity.grsec_lock = 0

PaX

gdadm

TODO

grsec iptables patch

TODO
linux/grsec.1141555342.txt.gz · Last modified: 2009/05/25 00:34 (external edit)
Show pagesourceOld revisions
Media ManagerBack to top
CC Attribution-Share Alike 4.0 International
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0 ipv6 ready