1 files changed, 98 insertions, 0 deletions
diff --git a/src/tools/grsec.conf b/src/tools/grsec.conf
new file mode 100644
index 000000000..177e4d59b
--- /dev/null
+++ b/src/tools/grsec.conf
@@ -0,0 +1,98 @@
+## Address Space Protection
+# Disable privileged io: iopl(2) and ioperm(2)
+# Warning: Xorg without modesetting needs it to be 0
+kernel.grsecurity.disable_priv_io = 1
+kernel.grsecurity.deter_bruteforce = 1
+kernel.grsecurity.deny_new_usb = 0
+kernel.grsecurity.harden_ipc = 1
+## Filesystem Protections
+# Prevent symlinks/hardlinks exploits (don't follow symlink on world-writable +t
+# folders)
+kernel.grsecurity.linking_restrictions = 1
+# Prevent writing to fifo not owned in world-writable +t folders
+kernel.grsecurity.fifo_restrictions = 1
+# Chroot restrictions
+kernel.grsecurity.chroot_deny_bad_rename = 1
+kernel.grsecurity.chroot_deny_mount = 1
+kernel.grsecurity.chroot_deny_chroot = 1
+kernel.grsecurity.chroot_deny_pivot = 1
+kernel.grsecurity.chroot_enforce_chdir = 1
+kernel.grsecurity.chroot_deny_chmod = 1
+kernel.grsecurity.chroot_deny_fchdir = 1
+kernel.grsecurity.chroot_deny_mknod = 1
+kernel.grsecurity.chroot_deny_shmat = 1
+kernel.grsecurity.chroot_deny_unix = 1
+kernel.grsecurity.chroot_findtask = 1
+kernel.grsecurity.chroot_restrict_nice = 1
+kernel.grsecurity.chroot_deny_sysctl = 1
+kernel.grsecurity.chroot_caps = 1
+## Kernel Auditing
+kernel.grsecurity.exec_logging = 1
+kernel.grsecurity.audit_chdir = 1
+# By default exec_logging and audit_chdir only target members of audit_gid, you
+# can change that by setting audit_group to 0
+kernel.grsecurity.audit_group = 1
+# You can also override audit_gid to use another group
+kernel.grsecurity.audit_gid = 0
+kernel.grsecurity.resource_logging = 1
+kernel.grsecurity.chroot_execlog = 1
+kernel.grsecurity.audit_ptrace = 1
+kernel.grsecurity.audit_mount = 1
+kernel.grsecurity.signal_logging = 1
+kernel.grsecurity.forkfail_logging = 1
+kernel.grsecurity.timechange_logging = 1
+kernel.grsecurity.rwxmap_logging = 1
+## Executable Protections
+kernel.grsecurity.dmesg = 1
+kernel.grsecurity.consistent_setxid = 1
+# Trusted execution
+# Add users to the 64040 (grsec-tpe) group to enable them to execute binaries
+# from untrusted directories
+kernel.grsecurity.tpe = 1
+kernel.grsecurity.tpe_invert = 1
+kernel.grsecurity.tpe_restrict_all = 1
+kernel.grsecurity.tpe_gid = 64040
+## Kernel-enforce SymlinkIfOwnerMatch
+kernel.grsecurity.enforce_symlinksifowner = 1
+kernel.grsecurity.symlinkown_gid = 33
+## Network Protections
+kernel.grsecurity.ip_blackhole = 1
+kernel.grsecurity.lastack_retries = 4
+# Socket restrictions
+# If the setting is enabled and an user is added to relevant group, she won't
+# be able to open this kind of socket
+kernel.grsecurity.socket_all = 1
+kernel.grsecurity.socket_all_gid = 64041
+kernel.grsecurity.socket_client = 1
+kernel.grsecurity.socket_client_gid = 64042
+kernel.grsecurity.socket_server = 1
+kernel.grsecurity.socket_server_gid = 64043
+# Ptrace
+kernel.grsecurity.harden_ptrace = 1
+kernel.grsecurity.ptrace_readexec = 1
+# Protect mounts
+# don't try to set it to 0, it'll fail, just let it commented
+# kernel.grsecurity.romount_protect = 1
+# PAX
+kernel.pax.softmode = 0
+# Disable module loading
+# This is not a grsecurity anymore, but you might still want to disable module
+# loading so no code is inserted into the kernel
+# kernel.modules_disabled=1
+# Once you're satisfied with settings, set grsec_lock to 1 so noone can change
+# grsec sysctl on a running system
+kernel.grsecurity.grsec_lock = 1
+# vim: filetype=conf:

diff --git a/src/tools/grsec.conf b/src/tools/grsec.conf new file mode 100644 index 000000000..177e4d59b --- /dev/null +++ b/src/tools/grsec.conf
@@ -0,0 +1,98 @@
	1	## Address Space Protection
	2	# Disable privileged io: iopl(2) and ioperm(2)
	3	# Warning: Xorg without modesetting needs it to be 0
	4	kernel.grsecurity.disable_priv_io = 1
	5	kernel.grsecurity.deter_bruteforce = 1
	6
	7	kernel.grsecurity.deny_new_usb = 0
	8	kernel.grsecurity.harden_ipc = 1
	9
	10	## Filesystem Protections
	11	# Prevent symlinks/hardlinks exploits (don't follow symlink on world-writable +t
	12	# folders)
	13	kernel.grsecurity.linking_restrictions = 1
	14	# Prevent writing to fifo not owned in world-writable +t folders
	15	kernel.grsecurity.fifo_restrictions = 1
	16
	17	# Chroot restrictions
	18	kernel.grsecurity.chroot_deny_bad_rename = 1
	19	kernel.grsecurity.chroot_deny_mount = 1
	20	kernel.grsecurity.chroot_deny_chroot = 1
	21	kernel.grsecurity.chroot_deny_pivot = 1
	22	kernel.grsecurity.chroot_enforce_chdir = 1
	23	kernel.grsecurity.chroot_deny_chmod = 1
	24	kernel.grsecurity.chroot_deny_fchdir = 1
	25	kernel.grsecurity.chroot_deny_mknod = 1
	26	kernel.grsecurity.chroot_deny_shmat = 1
	27	kernel.grsecurity.chroot_deny_unix = 1
	28	kernel.grsecurity.chroot_findtask = 1
	29	kernel.grsecurity.chroot_restrict_nice = 1
	30	kernel.grsecurity.chroot_deny_sysctl = 1
	31	kernel.grsecurity.chroot_caps = 1
	32
	33	## Kernel Auditing
	34	kernel.grsecurity.exec_logging = 1
	35	kernel.grsecurity.audit_chdir = 1
	36	# By default exec_logging and audit_chdir only target members of audit_gid, you
	37	# can change that by setting audit_group to 0
	38	kernel.grsecurity.audit_group = 1
	39	# You can also override audit_gid to use another group
	40	kernel.grsecurity.audit_gid = 0
	41	kernel.grsecurity.resource_logging = 1
	42	kernel.grsecurity.chroot_execlog = 1
	43	kernel.grsecurity.audit_ptrace = 1
	44	kernel.grsecurity.audit_mount = 1
	45	kernel.grsecurity.signal_logging = 1
	46	kernel.grsecurity.forkfail_logging = 1
	47	kernel.grsecurity.timechange_logging = 1
	48	kernel.grsecurity.rwxmap_logging = 1
	49
	50	## Executable Protections
	51	kernel.grsecurity.dmesg = 1
	52	kernel.grsecurity.consistent_setxid = 1
	53	# Trusted execution
	54	# Add users to the 64040 (grsec-tpe) group to enable them to execute binaries
	55	# from untrusted directories
	56	kernel.grsecurity.tpe = 1
	57	kernel.grsecurity.tpe_invert = 1
	58	kernel.grsecurity.tpe_restrict_all = 1
	59	kernel.grsecurity.tpe_gid = 64040
	60
	61	## Kernel-enforce SymlinkIfOwnerMatch
	62	kernel.grsecurity.enforce_symlinksifowner = 1
	63	kernel.grsecurity.symlinkown_gid = 33
	64
	65	## Network Protections
	66	kernel.grsecurity.ip_blackhole = 1
	67	kernel.grsecurity.lastack_retries = 4
	68	# Socket restrictions
	69	# If the setting is enabled and an user is added to relevant group, she won't
	70	# be able to open this kind of socket
	71	kernel.grsecurity.socket_all = 1
	72	kernel.grsecurity.socket_all_gid = 64041
	73	kernel.grsecurity.socket_client = 1
	74	kernel.grsecurity.socket_client_gid = 64042
	75	kernel.grsecurity.socket_server = 1
	76	kernel.grsecurity.socket_server_gid = 64043
	77
	78	# Ptrace
	79	kernel.grsecurity.harden_ptrace = 1
	80	kernel.grsecurity.ptrace_readexec = 1
	81
	82	# Protect mounts
	83	# don't try to set it to 0, it'll fail, just let it commented
	84	# kernel.grsecurity.romount_protect = 1
	85
	86	# PAX
	87	kernel.pax.softmode = 0
	88
	89	# Disable module loading
	90	# This is not a grsecurity anymore, but you might still want to disable module
	91	# loading so no code is inserted into the kernel
	92	# kernel.modules_disabled=1
	93
	94	# Once you're satisfied with settings, set grsec_lock to 1 so noone can change
	95	# grsec sysctl on a running system
	96	kernel.grsecurity.grsec_lock = 1
	97
	98	# vim: filetype=conf: