From 31fb7797293dd3244a48503ff579e8a755c25e87 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 9 Mar 2017 11:01:47 -0300 Subject: Manage /etc/sysctl.d/grsec.conf at nodo::subsystem::grsec --- files/etc/sysctl.d/grsec.conf | 99 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100644 files/etc/sysctl.d/grsec.conf (limited to 'files') diff --git a/files/etc/sysctl.d/grsec.conf b/files/etc/sysctl.d/grsec.conf new file mode 100644 index 0000000..aa169f0 --- /dev/null +++ b/files/etc/sysctl.d/grsec.conf @@ -0,0 +1,99 @@ +## Address Space Protection +# Disable privileged io: iopl(2) and ioperm(2) +# Warning: Xorg without modesetting needs it to be 0 +kernel.grsecurity.disable_priv_io = 1 +kernel.grsecurity.deter_bruteforce = 1 + +kernel.grsecurity.deny_new_usb = 0 +kernel.grsecurity.harden_ipc = 1 + +## Filesystem Protections +# Prevent symlinks/hardlinks exploits (don't follow symlink on world-writable +t +# folders) +kernel.grsecurity.linking_restrictions = 1 +# Prevent writing to fifo not owned in world-writable +t folders +kernel.grsecurity.fifo_restrictions = 1 + +# Chroot restrictions +kernel.grsecurity.chroot_deny_bad_rename = 1 +kernel.grsecurity.chroot_deny_mount = 1 +kernel.grsecurity.chroot_deny_chroot = 1 +kernel.grsecurity.chroot_deny_pivot = 1 +kernel.grsecurity.chroot_enforce_chdir = 1 +kernel.grsecurity.chroot_deny_chmod = 1 +kernel.grsecurity.chroot_deny_fchdir = 1 +kernel.grsecurity.chroot_deny_mknod = 1 +kernel.grsecurity.chroot_deny_shmat = 1 +kernel.grsecurity.chroot_deny_unix = 1 +kernel.grsecurity.chroot_findtask = 1 +kernel.grsecurity.chroot_restrict_nice = 1 +kernel.grsecurity.chroot_deny_sysctl = 1 +kernel.grsecurity.chroot_caps = 1 + +## Kernel Auditing +kernel.grsecurity.exec_logging = 1 +kernel.grsecurity.audit_chdir = 1 +# By default exec_logging and audit_chdir only target members of audit_gid, you +# can change that by setting audit_group to 0 +kernel.grsecurity.audit_group = 1 +# You can also override audit_gid to use another group +kernel.grsecurity.audit_gid = 0 +kernel.grsecurity.resource_logging = 1 +kernel.grsecurity.chroot_execlog = 1 +kernel.grsecurity.audit_ptrace = 1 +kernel.grsecurity.audit_mount = 1 +kernel.grsecurity.signal_logging = 1 +kernel.grsecurity.forkfail_logging = 1 +kernel.grsecurity.timechange_logging = 1 +kernel.grsecurity.rwxmap_logging = 1 + +## Executable Protections +kernel.grsecurity.dmesg = 1 +kernel.grsecurity.consistent_setxid = 1 +# Trusted execution +# Add users to the 64040 (grsec-tpe) group to enable them to execute binaries +# from untrusted directories +kernel.grsecurity.tpe = 1 +kernel.grsecurity.tpe_invert = 1 +kernel.grsecurity.tpe_restrict_all = 1 +kernel.grsecurity.tpe_gid = 64040 + +## Kernel-enforce SymlinkIfOwnerMatch +kernel.grsecurity.enforce_symlinksifowner = 1 +kernel.grsecurity.symlinkown_gid = 33 + +## Network Protections +kernel.grsecurity.ip_blackhole = 1 +kernel.grsecurity.lastack_retries = 4 +# Socket restrictions +# If the setting is enabled and an user is added to relevant group, she won't +# be able to open this kind of socket +kernel.grsecurity.socket_all = 1 +kernel.grsecurity.socket_all_gid = 64041 +kernel.grsecurity.socket_client = 1 +kernel.grsecurity.socket_client_gid = 64042 +kernel.grsecurity.socket_server = 1 +kernel.grsecurity.socket_server_gid = 64043 + +# Ptrace +kernel.grsecurity.harden_ptrace = 1 +kernel.grsecurity.ptrace_readexec = 1 + +# Protect mounts +# don't try to set it to 0, it'll fail, just let it commented +# kernel.grsecurity.romount_protect = 1 + +# PAX +kernel.pax.softmode = 0 + +# Disable module loading +# This is not a grsecurity anymore, but you might still want to disable module +# loading so no code is inserted into the kernel +# kernel.modules_disabled=1 + +# Once you're satisfied with settings, set grsec_lock to 1 so noone can change +# grsec sysctl on a running system +# This done at /etc/sysctl.d/99-kernel.grsecurity.grsec_lock.conf +#kernel.grsecurity.grsec_lock = 1 + +# vim: filetype=conf: -- cgit v1.2.3