aboutsummaryrefslogtreecommitdiff
path: root/files
diff options
context:
space:
mode:
authorSilvio Rhatto <rhatto@riseup.net>2017-03-09 11:01:47 -0300
committerSilvio Rhatto <rhatto@riseup.net>2017-03-09 11:01:47 -0300
commit31fb7797293dd3244a48503ff579e8a755c25e87 (patch)
treea8ad99995989c6e1e4d5b30aa72c2b8ae409f80b /files
parent0ed40a837c25bf2c22eb04ec9ad1ae676c0d6e28 (diff)
downloadpuppet-nodo-31fb7797293dd3244a48503ff579e8a755c25e87.tar.gz
puppet-nodo-31fb7797293dd3244a48503ff579e8a755c25e87.tar.bz2
Manage /etc/sysctl.d/grsec.conf at nodo::subsystem::grsec
Diffstat (limited to 'files')
-rw-r--r--files/etc/sysctl.d/grsec.conf99
1 files changed, 99 insertions, 0 deletions
diff --git a/files/etc/sysctl.d/grsec.conf b/files/etc/sysctl.d/grsec.conf
new file mode 100644
index 0000000..aa169f0
--- /dev/null
+++ b/files/etc/sysctl.d/grsec.conf
@@ -0,0 +1,99 @@
+## Address Space Protection
+# Disable privileged io: iopl(2) and ioperm(2)
+# Warning: Xorg without modesetting needs it to be 0
+kernel.grsecurity.disable_priv_io = 1
+kernel.grsecurity.deter_bruteforce = 1
+
+kernel.grsecurity.deny_new_usb = 0
+kernel.grsecurity.harden_ipc = 1
+
+## Filesystem Protections
+# Prevent symlinks/hardlinks exploits (don't follow symlink on world-writable +t
+# folders)
+kernel.grsecurity.linking_restrictions = 1
+# Prevent writing to fifo not owned in world-writable +t folders
+kernel.grsecurity.fifo_restrictions = 1
+
+# Chroot restrictions
+kernel.grsecurity.chroot_deny_bad_rename = 1
+kernel.grsecurity.chroot_deny_mount = 1
+kernel.grsecurity.chroot_deny_chroot = 1
+kernel.grsecurity.chroot_deny_pivot = 1
+kernel.grsecurity.chroot_enforce_chdir = 1
+kernel.grsecurity.chroot_deny_chmod = 1
+kernel.grsecurity.chroot_deny_fchdir = 1
+kernel.grsecurity.chroot_deny_mknod = 1
+kernel.grsecurity.chroot_deny_shmat = 1
+kernel.grsecurity.chroot_deny_unix = 1
+kernel.grsecurity.chroot_findtask = 1
+kernel.grsecurity.chroot_restrict_nice = 1
+kernel.grsecurity.chroot_deny_sysctl = 1
+kernel.grsecurity.chroot_caps = 1
+
+## Kernel Auditing
+kernel.grsecurity.exec_logging = 1
+kernel.grsecurity.audit_chdir = 1
+# By default exec_logging and audit_chdir only target members of audit_gid, you
+# can change that by setting audit_group to 0
+kernel.grsecurity.audit_group = 1
+# You can also override audit_gid to use another group
+kernel.grsecurity.audit_gid = 0
+kernel.grsecurity.resource_logging = 1
+kernel.grsecurity.chroot_execlog = 1
+kernel.grsecurity.audit_ptrace = 1
+kernel.grsecurity.audit_mount = 1
+kernel.grsecurity.signal_logging = 1
+kernel.grsecurity.forkfail_logging = 1
+kernel.grsecurity.timechange_logging = 1
+kernel.grsecurity.rwxmap_logging = 1
+
+## Executable Protections
+kernel.grsecurity.dmesg = 1
+kernel.grsecurity.consistent_setxid = 1
+# Trusted execution
+# Add users to the 64040 (grsec-tpe) group to enable them to execute binaries
+# from untrusted directories
+kernel.grsecurity.tpe = 1
+kernel.grsecurity.tpe_invert = 1
+kernel.grsecurity.tpe_restrict_all = 1
+kernel.grsecurity.tpe_gid = 64040
+
+## Kernel-enforce SymlinkIfOwnerMatch
+kernel.grsecurity.enforce_symlinksifowner = 1
+kernel.grsecurity.symlinkown_gid = 33
+
+## Network Protections
+kernel.grsecurity.ip_blackhole = 1
+kernel.grsecurity.lastack_retries = 4
+# Socket restrictions
+# If the setting is enabled and an user is added to relevant group, she won't
+# be able to open this kind of socket
+kernel.grsecurity.socket_all = 1
+kernel.grsecurity.socket_all_gid = 64041
+kernel.grsecurity.socket_client = 1
+kernel.grsecurity.socket_client_gid = 64042
+kernel.grsecurity.socket_server = 1
+kernel.grsecurity.socket_server_gid = 64043
+
+# Ptrace
+kernel.grsecurity.harden_ptrace = 1
+kernel.grsecurity.ptrace_readexec = 1
+
+# Protect mounts
+# don't try to set it to 0, it'll fail, just let it commented
+# kernel.grsecurity.romount_protect = 1
+
+# PAX
+kernel.pax.softmode = 0
+
+# Disable module loading
+# This is not a grsecurity anymore, but you might still want to disable module
+# loading so no code is inserted into the kernel
+# kernel.modules_disabled=1
+
+# Once you're satisfied with settings, set grsec_lock to 1 so noone can change
+# grsec sysctl on a running system
+# This done at /etc/sysctl.d/99-kernel.grsecurity.grsec_lock.conf
+#kernel.grsecurity.grsec_lock = 1
+
+# vim: filetype=conf: