Created
January 21, 2016 20:25
-
-
Save ageis/5875289fd85d7e2d30e1 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
## Address Space Protection | |
# Disable privileged io: iopl(2) and ioperm(2) | |
# Warning: Xorg without modesetting needs it to be 0 | |
kernel.grsecurity.disable_priv_io = 1 | |
kernel.grsecurity.deter_bruteforce = 1 | |
kernel.grsecurity.deny_new_usb = 0 | |
kernel.grsecurity.harden_ipc = 1 | |
## Filesystem Protections | |
# Prevent symlinks/hardlinks exploits (don't follow symlink on world-writable +t | |
# folders) | |
kernel.grsecurity.linking_restrictions = 1 | |
# Prevent writing to fifo not owned in world-writable +t folders | |
kernel.grsecurity.fifo_restrictions = 1 | |
# Chroot restrictions | |
kernel.grsecurity.chroot_deny_bad_rename = 1 | |
kernel.grsecurity.chroot_deny_mount = 1 | |
kernel.grsecurity.chroot_deny_chroot = 1 | |
kernel.grsecurity.chroot_deny_pivot = 1 | |
kernel.grsecurity.chroot_enforce_chdir = 1 | |
kernel.grsecurity.chroot_deny_chmod = 1 | |
kernel.grsecurity.chroot_deny_fchdir = 1 | |
kernel.grsecurity.chroot_deny_mknod = 1 | |
kernel.grsecurity.chroot_deny_shmat = 1 | |
kernel.grsecurity.chroot_deny_unix = 1 | |
kernel.grsecurity.chroot_findtask = 1 | |
kernel.grsecurity.chroot_restrict_nice = 1 | |
kernel.grsecurity.chroot_deny_sysctl = 1 | |
kernel.grsecurity.chroot_caps = 1 | |
## Kernel Auditing | |
kernel.grsecurity.exec_logging = 0 | |
kernel.grsecurity.audit_chdir = 0 | |
# By default exec_logging and audit_chdir only target members of audit_gid, you | |
# can change that by setting audit_group to 0 | |
kernel.grsecurity.audit_group = 1 | |
# You can also override audit_gid to use another group | |
kernel.grsecurity.audit_gid = 0 | |
kernel.grsecurity.resource_logging = 1 | |
kernel.grsecurity.chroot_execlog = 1 | |
kernel.grsecurity.audit_ptrace = 1 | |
kernel.grsecurity.audit_mount = 1 | |
kernel.grsecurity.signal_logging = 1 | |
kernel.grsecurity.forkfail_logging = 1 | |
kernel.grsecurity.timechange_logging = 1 | |
kernel.grsecurity.rwxmap_logging = 1 | |
## Executable Protections | |
kernel.grsecurity.dmesg = 1 | |
kernel.grsecurity.consistent_setxid = 1 | |
# Trusted execution | |
# Add users to the 64040 (grsec-tpe) group to enable them to execute binaries | |
# from untrusted directories | |
kernel.grsecurity.tpe = 1 | |
kernel.grsecurity.tpe_invert = 1 | |
kernel.grsecurity.tpe_restrict_all = 1 | |
kernel.grsecurity.tpe_gid = 64040 | |
## Kernel-enforce SymlinkIfOwnerMatch | |
kernel.grsecurity.enforce_symlinksifowner = 1 | |
kernel.grsecurity.symlinkown_gid = 33 | |
## Network Protections | |
kernel.grsecurity.ip_blackhole = 1 | |
kernel.grsecurity.lastack_retries = 4 | |
# Socket restrictions | |
# If the setting is enabled and an user is added to relevant group, she won't | |
# be able to open this kind of socket | |
kernel.grsecurity.socket_all = 1 | |
kernel.grsecurity.socket_all_gid = 64041 | |
kernel.grsecurity.socket_client = 1 | |
kernel.grsecurity.socket_client_gid = 64042 | |
kernel.grsecurity.socket_server = 1 | |
kernel.grsecurity.socket_server_gid = 64043 | |
# Ptrace | |
kernel.grsecurity.harden_ptrace = 1 | |
kernel.grsecurity.ptrace_readexec = 1 | |
# Protect mounts | |
# don't try to set it to 0, it'll fail, just let it commented | |
# kernel.grsecurity.romount_protect = 1 | |
# PAX | |
kernel.pax.softmode = 0 | |
# Disable module loading | |
# This is not a grsecurity anymore, but you might still want to disable module | |
# loading so no code is inserted into the kernel | |
# kernel.modules_disabled=1 | |
# Once you're satisfied with settings, set grsec_lock to 1 so noone can change | |
# grsec sysctl on a running system | |
kernel.grsecurity.grsec_lock = 0 | |
# vim: filetype=conf: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment