Diffstat (limited to 'src/tools/grsec.conf')
-rw-r--r-- | src/tools/grsec.conf | 98 |
1 files changed, 0 insertions, 98 deletions
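--- a/src/tools/grsec.conf
+++ /dev/null
@@ -1,98 +0,0 @@
-## Address Space Protection
-# Disable privileged io: iopl(2) and ioperm(2)
-# Warning: Xorg without modesetting needs it to be 0
-kernel.grsecurity.disable_priv_io = 1
-kernel.grsecurity.deter_bruteforce = 1
-
-kernel.grsecurity.deny_new_usb = 0
-kernel.grsecurity.harden_ipc = 1
-
-## Filesystem Protections
-# Prevent symlinks/hardlinks exploits (don't follow symlink on world-writable +t
-# folders)
-kernel.grsecurity.linking_restrictions = 1
-# Prevent writing to fifo not owned in world-writable +t folders
-kernel.grsecurity.fifo_restrictions = 1
-
-# Chroot restrictions
-kernel.grsecurity.chroot_deny_bad_rename = 1
-kernel.grsecurity.chroot_deny_mount = 1
-kernel.grsecurity.chroot_deny_chroot = 1
-kernel.grsecurity.chroot_deny_pivot = 1
-kernel.grsecurity.chroot_enforce_chdir = 1
-kernel.grsecurity.chroot_deny_chmod = 1
-kernel.grsecurity.chroot_deny_fchdir = 1
-kernel.grsecurity.chroot_deny_mknod = 1
-kernel.grsecurity.chroot_deny_shmat = 1
-kernel.grsecurity.chroot_deny_unix = 1
-kernel.grsecurity.chroot_findtask = 1
-kernel.grsecurity.chroot_restrict_nice = 1
-kernel.grsecurity.chroot_deny_sysctl = 1
-kernel.grsecurity.chroot_caps = 1
-
-## Kernel Auditing
-kernel.grsecurity.exec_logging = 1
-kernel.grsecurity.audit_chdir = 1
-# By default exec_logging and audit_chdir only target members of audit_gid, you
-# can change that by setting audit_group to 0
-kernel.grsecurity.audit_group = 1
-# You can also override audit_gid to use another group
-kernel.grsecurity.audit_gid = 0
-kernel.grsecurity.resource_logging = 1
-kernel.grsecurity.chroot_execlog = 1
-kernel.grsecurity.audit_ptrace = 1
-kernel.grsecurity.audit_mount = 1
-kernel.grsecurity.signal_logging = 1
-kernel.grsecurity.forkfail_logging = 1
-kernel.grsecurity.timechange_logging = 1
-kernel.grsecurity.rwxmap_logging = 1
-
-## Executable Protections
-kernel.grsecurity.dmesg = 1
-kernel.grsecurity.consistent_setxid = 1
-# Trusted execution
-# Add users to the 64040 (grsec-tpe) group to enable them to execute binaries
-# from untrusted directories
-kernel.grsecurity.tpe = 1
-kernel.grsecurity.tpe_invert = 1
-kernel.grsecurity.tpe_restrict_all = 1
-kernel.grsecurity.tpe_gid = 64040
-
-## Kernel-enforce SymlinkIfOwnerMatch
-kernel.grsecurity.enforce_symlinksifowner = 1
-kernel.grsecurity.symlinkown_gid = 33
-
-## Network Protections
-kernel.grsecurity.ip_blackhole = 1
-kernel.grsecurity.lastack_retries = 4
-# Socket restrictions
-# If the setting is enabled and an user is added to relevant group, she won't
-# be able to open this kind of socket
-kernel.grsecurity.socket_all = 1
-kernel.grsecurity.socket_all_gid = 64041
-kernel.grsecurity.socket_client = 1
-kernel.grsecurity.socket_client_gid = 64042
-kernel.grsecurity.socket_server = 1
-kernel.grsecurity.socket_server_gid = 64043
-
-# Ptrace
-kernel.grsecurity.harden_ptrace = 1
-kernel.grsecurity.ptrace_readexec = 1
-
-# Protect mounts
-# don't try to set it to 0, it'll fail, just let it commented
-# kernel.grsecurity.romount_protect = 1
-
-# PAX
-kernel.pax.softmode = 0
-
-# Disable module loading
-# This is not a grsecurity anymore, but you might still want to disable module
-# loading so no code is inserted into the kernel
-# kernel.modules_disabled=1
-
-# Once you're satisfied with settings, set grsec_lock to 1 so noone can change
-# grsec sysctl on a running system
-kernel.grsecurity.grsec_lock = 1
-
-# vim: filetype=conf: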