core revision

1 files changed, 500 insertions, 38 deletions

diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf
index b419628..b60d3e6 100644
--- a/core/conf/sysctl.conf
+++ b/core/conf/sysctl.conf
@@ -3,20 +3,420 @@
 #
 
 kernel.printk = 15 1 1 4
+kernel.randomize_va_space = 1
+kernel.shmmax = 500000000
+# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
+kernel.pid_max = 65536
+
+#
+# Memory Protections
+#
+
+#  If you say Y here, all ioperm and iopl calls will return an error.
+#  Ioperm and iopl can be used to modify the running kernel.
+#  Unfortunately, some programs need this access to operate properly,
+#  the most notable of which are XFree86 and hwclock.  hwclock can be
+#  remedied by having RTC support in the kernel, so real-time 
+#  clock support is enabled if this option is enabled, to ensure 
+#  that hwclock operates correctly.
+#  
+#  If you're using XFree86 or a version of Xorg from 2012 or earlier,
+#  you may not be able to boot into a graphical environment with this
+#  option enabled.  In this case, you should use the RBAC system instead.
+#kernel.grsecurity.disable_priv_io = 1
+kernel.grsecurity.disable_priv_io = 0
+
+#  If you say Y here, attempts to bruteforce exploits against forking
+#  daemons such as apache or sshd, as well as against suid/sgid binaries
+#  will be deterred.  When a child of a forking daemon is killed by PaX
+#  or crashes due to an illegal instruction or other suspicious signal,
+#  the parent process will be delayed 30 seconds upon every subsequent
+#  fork until the administrator is able to assess the situation and
+#  restart the daemon.
+#  In the suid/sgid case, the attempt is logged, the user has all their
+#  existing instances of the suid/sgid binary terminated and will
+#  be unable to execute any suid/sgid binaries for 15 minutes.
+#  
+#  It is recommended that you also enable signal logging in the auditing
+#  section so that logs are generated when a process triggers a suspicious
+#  signal.
+#  If the sysctl option is enabled, a sysctl option with name
+#  "deter_bruteforce" is created.
+#kernel.grsecurity.deter_bruteforce = 1
+
+#
+# Filesystem Protections
+#
+
+# Optimization for port usefor LBs
+# Increase system file descriptor limit
+fs.file-max = 65535
+
+#  If you say Y here, /tmp race exploits will be prevented, since users
+#  will no longer be able to follow symlinks owned by other users in
+#  world-writable +t directories (e.g. /tmp), unless the owner of the
+#  symlink is the owner of the directory. users will also not be
+#  able to hardlink to files they do not own.  If the sysctl option is
+#  enabled, a sysctl option with name "linking_restrictions" is created.
+kernel.grsecurity.linking_restrictions = 1
+
+
+#  Apache's SymlinksIfOwnerMatch option has an inherent race condition
+#  that prevents it from being used as a security feature.  As Apache
+#  verifies the symlink by performing a stat() against the target of
+#  the symlink before it is followed, an attacker can setup a symlink
+#  to point to a same-owned file, then replace the symlink with one
+#  that targets another user's file just after Apache "validates" the
+#  symlink -- a classic TOCTOU race.  If you say Y here, a complete,
+#  race-free replacement for Apache's "SymlinksIfOwnerMatch" option
+#  will be in place for the group you specify. If the sysctl option
+#  is enabled, a sysctl option with name "enforce_symlinksifowner" is
+#  created.
+#kernel.grsecurity.enforce_symlinksifowner = 1
+#kernel.grsecurity.symlinkown_gid = 33
+
+#  if you say Y here, users will not be able to write to FIFOs they don't
+#  own in world-writable +t directories (e.g. /tmp), unless the owner of
+#  the FIFO is the same owner of the directory it's held in.  If the sysctl
+#  option is enabled, a sysctl option with name "fifo_restrictions" is
+#  created.
+#kernel.grsecurity.fifo_restrictions = 1
+
+#  If you say Y here, a sysctl option with name "romount_protect" will
+#  be created.  By setting this option to 1 at runtime, filesystems
+#  will be protected in the following ways:
+#  * No new writable mounts will be allowed
+#  * Existing read-only mounts won't be able to be remounted read/write
+#  * Write operations will be denied on all block devices
+#  This option acts independently of grsec_lock: once it is set to 1,
+#  it cannot be turned off.  Therefore, please be mindful of the resulting
+#  behavior if this option is enabled in an init script on a read-only
+#  filesystem.
+#  Also be aware that as with other root-focused features, GRKERNSEC_KMEM
+#  and GRKERNSEC_IO should be enabled and module loading disabled via
+#  config or at runtime.
+#  This feature is mainly intended for secure embedded systems.
+#kernel.grsecurity.romount_protect = 0
+
+#  if you say Y here, the capabilities on all processes within a
+#  chroot jail will be lowered to stop module insertion, raw i/o,
+#  system and net admin tasks, rebooting the system, modifying immutable
+#  files, modifying IPC owned by another, and changing the system time.
+#  This is left an option because it can break some apps.  Disable this
+#  if your chrooted apps are having problems performing those kinds of
+#  tasks.  If the sysctl option is enabled, a sysctl option with
+#  name "chroot_caps" is created.
+kernel.grsecurity.chroot_caps = 1
+
+#kernel.grsecurity.chroot_deny_bad_rename = 1
+
+#  If you say Y here, processes inside a chroot will not be able to chmod
+#  or fchmod files to make them have suid or sgid bits.  This protects
+#  against another published method of breaking a chroot.  If the sysctl
+#  option is enabled, a sysctl option with name "chroot_deny_chmod" is
+#  created.
+kernel.grsecurity.chroot_deny_chmod     = 1
+
+#  If you say Y here, processes inside a chroot will not be able to chroot
+#  again outside the chroot.  This is a widely used method of breaking
+#  out of a chroot jail and should not be allowed.  If the sysctl 
+#  option is enabled, a sysctl option with name 
+#  "chroot_deny_chroot" is created.
+kernel.grsecurity.chroot_deny_chroot    = 1
+
+#  If you say Y here, a well-known method of breaking chroots by fchdir'ing
+#  to a file descriptor of the chrooting process that points to a directory
+#  outside the filesystem will be stopped.  If the sysctl option
+#  is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
+kernel.grsecurity.chroot_deny_fchdir = 1
+
+#  If you say Y here, processes inside a chroot will not be allowed to
+#  mknod.  The problem with using mknod inside a chroot is that it
+#  would allow an attacker to create a device entry that is the same
+#  as one on the physical root of your system, which could range from
+#  anything from the console device to a device for your harddrive (which
+#  they could then use to wipe the drive or steal data).  It is recommended
+#  that you say Y here, unless you run into software incompatibilities.
+#  If the sysctl option is enabled, a sysctl option with name
+#  "chroot_deny_mknod" is created.
+kernel.grsecurity.chroot_deny_mknod = 1
+
+#  If you say Y here, processes inside a chroot will not be able to
+#  mount or remount filesystems.  If the sysctl option is enabled, a
+#  sysctl option with name "chroot_deny_mount" is created.
+kernel.grsecurity.chroot_deny_mount = 1
+
+#  If you say Y here, processes inside a chroot will not be able to use
+#  a function called pivot_root() that was introduced in Linux 2.3.41.  It
+#  works similar to chroot in that it changes the root filesystem.  This
+#  function could be misused in a chrooted process to attempt to break out
+#  of the chroot, and therefore should not be allowed.  If the sysctl
+#  option is enabled, a sysctl option with name "chroot_deny_pivot" is
+#  created.
+kernel.grsecurity.chroot_deny_pivot     = 1
+
+#  If you say Y here, processes inside a chroot will not be able to attach
+#  to shared memory segments that were created outside of the chroot jail.
+#  It is recommended that you say Y here.  If the sysctl option is enabled,
+#  a sysctl option with name "chroot_deny_shmat" is created.
+kernel.grsecurity.chroot_deny_shmat = 1
+
+#  If you say Y here, an attacker in a chroot will not be able to
+#  write to sysctl entries, either by sysctl(2) or through a /proc
+#  interface.  It is strongly recommended that you say Y here. If the
+#  sysctl option is enabled, a sysctl option with name
+#  "chroot_deny_sysctl" is created.
+kernel.grsecurity.chroot_deny_sysctl = 1
+
+#  If you say Y here, processes inside a chroot will not be able to
+#  connect to abstract (meaning not belonging to a filesystem) Unix
+#  domain sockets that were bound outside of a chroot.  It is recommended
+#  that you say Y here.  If the sysctl option is enabled, a sysctl option
+#  with name "chroot_deny_unix" is created.
+kernel.grsecurity.chroot_deny_unix = 1
+
+#  If you say Y here, the current working directory of all newly-chrooted
+#  applications will be set to the the root directory of the chroot.
+#  The man page on chroot(2) states:
+#  Note that usually chhroot does not change  the  current  working
+#  directory,  so  that `.' can be outside the tree rooted at
+#  `/'.  In particular, the  super-user  can  escape  from  a
+#  `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
+#  
+#  It is recommended that you say Y here, since it's not known to break
+#  any software.  If the sysctl option is enabled, a sysctl option with
+#  name "chroot_enforce_chdir" is created.
+kernel.grsecurity.chroot_enforce_chdir  = 1
+
+#  If you say Y here, processes inside a chroot will not be able to
+#  kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, 
+#  getsid, or view any process outside of the chroot.  If the sysctl
+#  option is enabled, a sysctl option with name "chroot_findtask" is
+#  created.
+kernel.grsecurity.chroot_findtask = 1
+
+#  If you say Y here, processes inside a chroot will not be able to raise
+#  the priority of processes in the chroot, or alter the priority of
+#  processes outside the chroot.  This provides more security than simply
+#  removing CAP_SYS_NICE from the process' capability set.  If the
+#  sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
+#  is created.
+kernel.grsecurity.chroot_restrict_nice = 1
+
+#
+# Kernel Auditing
+#
+
+#  If you say Y here, the exec and chdir logging features will only operate
+#  on a group you specify.  This option is recommended if you only want to
+#  watch certain users instead of having a large amount of logs from the
+#  entire system.  If the sysctl option is enabled, a sysctl option with
+#  name "audit_group" is created.
+kernel.grsecurity.audit_group = 0		
+
+#  If you say Y here, the exec and chdir logging features will only operate
+#  on a group you specify.  This option is recommended if you only want to
+#  watch certain users instead of having a large amount of logs from the
+#  entire system.  If the sysctl option is enabled, a sysctl option with
+#  name "audit_group" is created.
+#kernel.grsecurity.audit_gid = 201
+
+#  If you say Y here, all execve() calls will be logged (since the
+#  other exec*() calls are frontends to execve(), all execution
+#  will be logged).  Useful for shell-servers that like to keep track
+#  of their users.  If the sysctl option is enabled, a sysctl option with
+#  name "exec_logging" is created.
+#  WARNING: This option when enabled will produce a LOT of logs, especially
+#  on an active system.
+kernel.grsecurity.exec_logging = 0				
+
+#  If you say Y here, all attempts to overstep resource limits will
+#  be logged with the resource name, the requested size, and the current
+#  limit.  It is highly recommended that you say Y here.  If the sysctl
+#  option is enabled, a sysctl option with name "resource_logging" is
+#  created.  If the RBAC system is enabled, the sysctl value is ignored.
+#kernel.grsecurity.resource_logging = 1
+kernel.grsecurity.resource_logging = 0
+
+#  If you say Y here, all executions inside a chroot jail will be logged
+#  to syslog.  This can cause a large amount of logs if certain
+#  applications (eg. djb's daemontools) are installed on the system, and
+#  is therefore left as an option.  If the sysctl option is enabled, a
+#  sysctl option with name "chroot_execlog" is created.
+kernel.grsecurity.chroot_execlog = 0	
+
+#  If you say Y here, all attempts to attach to a process via ptrace
+#  will be logged.  If the sysctl option is enabled, a sysctl option
+#  with name "audit_ptrace" is created.
+#kernel.grsecurity.audit_ptrace = 1
+kernel.grsecurity.audit_ptrace = 0
+
+#  If you say Y here, all attempts to attach to a process via ptrace
+#  will be logged.  If the sysctl option is enabled, a sysctl option
+#  with name "audit_ptrace" is created.
+kernel.grsecurity.audit_chdir = 0				
+
+#  If you say Y here, all mounts and unmounts will be logged.  If the
+#  sysctl option is enabled, a sysctl option with name "audit_mount" is
+#  created.
+#kernel.grsecurity.audit_mount = 1
+kernel.grsecurity.audit_mount = 0
+
+#  If you say Y here, certain important signals will be logged, such as
+#  SIGSEGV, which will as a result inform you of when a error in a program
+#  occurred, which in some cases could mean a possible exploit attempt.
+#  If the sysctl option is enabled, a sysctl option with name
+#  "signal_logging" is created.
+kernel.grsecurity.signal_logging = 0
+
+#  If you say Y here, all failed fork() attempts will be logged.
+#  This could suggest a fork bomb, or someone attempting to overstep
+#  their process limit.  If the sysctl option is enabled, a sysctl option
+#  with name "forkfail_logging" is created.
+#kernel.grsecurity.forkfail_logging = 1
+kernel.grsecurity.forkfail_logging = 0
+
+#  If you say Y here, any changes of the system clock will be logged.
+#  If the sysctl option is enabled, a sysctl option with name
+#  "timechange_logging" is created.
+#kernel.grsecurity.timechange_logging = 1
+
+#  if you say Y here, calls to mmap() and mprotect() with explicit
+#  usage of PROT_WRITE and PROT_EXEC together will be logged when
+#  denied by the PAX_MPROTECT feature.  This feature will also
+#  log other problematic scenarios that can occur when PAX_MPROTECT
+#  is enabled on a binary, like textrels and PT_GNU_STACK.  If the 
+#  sysctl option is enabled, a sysctl option with name "rwxmap_logging"
+#  is created.
+#kernel.grsecurity.rwxmap_logging = 1
+
+#
+# Executable Protections
+#
+
 
+#  if you say Y here, non-root users will not be able to use dmesg(8)
+#  to view the contents of the kernel's circular log buffer.
+#  The kernel's log buffer often contains kernel addresses and other
+#  identifying information useful to an attacker in fingerprinting a
+#  system for a targeted exploit.
+#  If the sysctl option is enabled, a sysctl option with name "dmesg" is
+#  created.
+kernel.grsecurity.dmesg = 1
+
+# Hide symbol addresses in /proc/kallsyms
+kernel.kptr_restrict = 1
+
+#  If you say Y here, TTY sniffers and other malicious monitoring
+#  programs implemented through ptrace will be defeated.  If you
+#  have been using the RBAC system, this option has already been
+#  enabled for several years for all users, with the ability to make
+#  fine-grained exceptions.
+#  
+#  This option only affects the ability of non-root users to ptrace
+#  processes that are not a descendent of the ptracing process.
+#  This means that strace ./binary and gdb ./binary will still work,
+#  but attaching to arbitrary processes will not.  If the sysctl
+#  option is enabled, a sysctl option with name "harden_ptrace" is
+#  created.
+kernel.grsecurity.harden_ptrace = 1
+
+#  If you say Y here, unprivileged users will not be able to ptrace unreadable
+#  binaries.  This option is useful in environments that
+#  remove the read bits (e.g. file mode 4711) from suid binaries to
+#  prevent infoleaking of their contents.  This option adds
+#  consistency to the use of that file mode, as the binary could normally
+#  be read out when run without privileges while ptracing.
+#  
+#  If the sysctl option is enabled, a sysctl option with name "ptrace_readexec"
+#  is created.
+kernel.grsecurity.ptrace_readexec = 1
+
+#  If you say Y here, a change from a root uid to a non-root uid
+#  in a multithreaded application will cause the resulting uids,
+#  gids, supplementary groups, and capabilities in that thread
+#  to be propagated to the other threads of the process.  In most
+#  cases this is unnecessary, as glibc will emulate this behavior
+#  on behalf of the application.  Other libcs do not act in the
+#  same way, allowing the other threads of the process to continue
+#  running with root privileges.  If the sysctl option is enabled,
+#  a sysctl option with name "consistent_setxid" is created.
+#kernel.grsecurity.consistent_setxid = 1
+
+#  If you say Y here, access to overly-permissive IPC objects (shared
+#  memory, message queues, and semaphores) will be denied for processes
+#  given the following criteria beyond normal permission checks:
+#  1) If the IPC object is world-accessible and the euid doesn't match
+#     that of the creator or current uid for the IPC object
+#  2) If the IPC object is group-accessible and the egid doesn't
+#     match that of the creator or current gid for the IPC object
+#  It's a common error to grant too much permission to these objects,
+#  with impact ranging from denial of service and information leaking to
+#  privilege escalation.  This feature was developed in response to
+#  research by Tim Brown:
+#  http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
+#  who found hundreds of such insecure usages.  Processes with
+#  CAP_IPC_OWNER are still permitted to access these IPC objects.
+#  If the sysctl option is enabled, a sysctl option with name
+#  "harden_ipc" is created.
+kernel.grsecurity.harden_ipc = 1
+
+#  If you say Y here, you will be able to choose a gid to add to the
+#  supplementary groups of users you want to mark as "untrusted."
+#  These users will not be able to execute any files that are not in
+#  root-owned directories writable only by root.  If the sysctl option
+#  is enabled, a sysctl option with name "tpe" is created.
+kernel.grsecurity.tpe = 1
+kernel.grsecurity.tpe_gid = 101
+
+#  If you say Y here, the group you specify in the TPE configuration will
+#  decide what group TPE restrictions will be *disabled* for.  This
+#  option is useful if you want TPE restrictions to be applied to most
+#  users on the system.  If the sysctl option is enabled, a sysctl option
+#  with name "tpe_invert" is created.  Unlike other sysctl options, this
+#  entry will default to on for backward-compatibility.
+kernel.grsecurity.tpe_invert = 1
+
+#  If you say Y here, all non-root users will be covered under
+#  a weaker TPE restriction.  This is separate from, and in addition to,
+#  the main TPE options that you have selected elsewhere.  Thus, if a
+#  "trusted" GID is chosen, this restriction applies to even that GID.
+#  Under this restriction, all non-root users will only be allowed to
+#  execute files in directories they own that are not group or
+#  world-writable, or in directories owned by root and writable only by
+#  root.  If the sysctl option is enabled, a sysctl option with name
+#  "tpe_restrict_all" is created.
+kernel.grsecurity.tpe_restrict_all = 0
+
+
+#kernel.grsecurity.harden_tty = 1
+#
+# Network Protections
+#
+
+# Increase Linux auto tuning TCP buffer limits
+# min, default, and max number of bytes to use
+# set max to at least 4MB, or higher if you use very high BDP paths
+# Tcp Windows etc
+net.core.rmem_max = 8388608
+net.core.wmem_max = 8388608
+net.core.netdev_max_backlog = 5000
+net.ipv4.tcp_window_scaling = 1
+
+# Both ports linux-blob and linux-libre don't build with ipv6
 # Disable ipv6
 net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.default.disable_ipv6 = 1
 net.ipv6.conf.lo.disable_ipv6 = 1
 
 # Tuen IPv6
-net.ipv6.conf.default.router_solicitations = 0
-net.ipv6.conf.default.accept_ra_rtr_pref = 0
-net.ipv6.conf.default.accept_ra_pinfo = 0
-net.ipv6.conf.default.accept_ra_defrtr = 0
-net.ipv6.conf.default.autoconf = 0
-net.ipv6.conf.default.dad_transmits = 0
-net.ipv6.conf.default.max_addresses = 0
+#net.ipv6.conf.default.router_solicitations = 0
+#net.ipv6.conf.default.accept_ra_rtr_pref = 0
+#net.ipv6.conf.default.accept_ra_pinfo = 0
+#net.ipv6.conf.default.accept_ra_defrtr = 0
+#net.ipv6.conf.default.autoconf = 0
+#net.ipv6.conf.default.dad_transmits = 0
+#net.ipv6.conf.default.max_addresses = 0
 
 # Avoid a smurf attack
 net.ipv4.icmp_echo_ignore_broadcasts = 1
@@ -56,8 +456,8 @@ net.ipv4.conf.default.accept_source_route = 0
 ## protects from attackers that are using ip spoofing methods to do harm
 net.ipv4.conf.all.rp_filter = 1
 net.ipv4.conf.default.rp_filter = 1
-net.ipv6.conf.default.rp_filter = 1
-net.ipv6.conf.all.rp_filter = 1
+#net.ipv6.conf.default.rp_filter = 1
+#net.ipv6.conf.all.rp_filter = 1
 
 # Make sure no one can alter the routing tables
 net.ipv4.conf.all.accept_redirects = 0
@@ -70,18 +470,6 @@ net.ipv4.ip_forward = 1
 net.ipv4.conf.all.send_redirects = 1
 net.ipv4.conf.default.send_redirects = 1
 
-kernel.shmmax = 500000000
-# Turn on execshild
-kernel.exec-shield = 1
-kernel.randomize_va_space = 1
-
-# Optimization for port usefor LBs
-# Increase system file descriptor limit
-fs.file-max = 65535
-
-# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
-kernel.pid_max = 65536
-
 # Increase system IP port limits
 net.ipv4.ip_local_port_range = 2000 65000
 
@@ -89,25 +477,99 @@ net.ipv4.ip_local_port_range = 2000 65000
 net.ipv4.tcp_rmem = 4096 87380 8388608
 net.ipv4.tcp_wmem = 4096 87380 8388608
 
-# Increase Linux auto tuning TCP buffer limits
-# min, default, and max number of bytes to use
-# set max to at least 4MB, or higher if you use very high BDP paths
-# Tcp Windows etc
-net.core.rmem_max = 8388608
-net.core.wmem_max = 8388608
-net.core.netdev_max_backlog = 5000
-net.ipv4.tcp_window_scaling = 1
 
-# Grsecurity stuff
+#  If you say Y here, neither TCP resets nor ICMP
+#  destination-unreachable packets will be sent in response to packets
+#  sent to ports for which no associated listening process exists.
+#  This feature supports both IPV4 and IPV6 and exempts the 
+#  loopback interface from blackholing.  Enabling this feature 
+#  makes a host more resilient to DoS attacks and reduces network
+#  visibility against scanners.
+#  
+#  The blackhole feature as-implemented is equivalent to the FreeBSD
+#  blackhole feature, as it prevents RST responses to all packets, not
+#  just SYNs.  Under most application behavior this causes no
+#  problems, but applications (like haproxy) may not close certain
+#  connections in a way that cleanly terminates them on the remote
+#  end, leaving the remote host in LAST_ACK state.  Because of this
+#  side-effect and to prevent intentional LAST_ACK DoSes, this
+#  feature also adds automatic mitigation against such attacks.
+#  The mitigation drastically reduces the amount of time a socket
+#  can spend in LAST_ACK state.  If you're using haproxy and not
+#  all servers it connects to have this option enabled, consider
+#  disabling this feature on the haproxy host.
+#  
+#  If the sysctl option is enabled, two sysctl options with names
+#  "ip_blackhole" and "lastack_retries" will be created.
+#  While "ip_blackhole" takes the standard zero/non-zero on/off
+#  toggle, "lastack_retries" uses the same kinds of values as
+#  "tcp_retries1" and "tcp_retries2".  The default value of 4
+#  prevents a socket from lasting more than 45 seconds in LAST_ACK
+#  state.
+#kernel.grsecurity.ip_blackhole = 1
+#kernel.grsecurity.lastack_retries = 4
+
+#  If you say Y here, you will be able to choose a GID of whose users will
+#  be unable to connect to other hosts from your machine or run server
+#  applications from your machine.  If the sysctl option is enabled, a
+#  sysctl option with name "socket_all" is created.
+#kernel.grsecurity.socket_all = 1
+
+#  Here you can choose the GID to disable socket access for. Remember to
+#  add the users you want socket access disabled for to the GID
+#  specified here.  If the sysctl option is enabled, a sysctl option
+#  with name "socket_all_gid" is created.
+#kernel.grsecurity.socket_all_gid = 202
+
+#  If you say Y here, you will be able to choose a GID of whose users will
+#  be unable to connect to other hosts from your machine, but will be
+#  able to run servers.  If this option is enabled, all users in the group
+#  you specify will have to use passive mode when initiating ftp transfers
+#  from the shell on your machine.  If the sysctl option is enabled, a
+#  sysctl option with name "socket_client" is created.
+#kernel.grsecurity.socket_client = 1
+
+#  Here you can choose the GID to disable client socket access for.
+#  Remember to add the users you want client socket access disabled for to
+#  the GID specified here.  If the sysctl option is enabled, a sysctl
+#  option with name "socket_client_gid" is created.
+#kernel.grsecurity.socket_client_gid = 203
+
+#  If you say Y here, you will be able to choose a GID of whose users will
+#  be unable to connect to other hosts from your machine, but will be
+#  able to run servers.  If this option is enabled, all users in the group
+#  you specify will have to use passive mode when initiating ftp transfers
+#  from the shell on your machine.  If the sysctl option is enabled, a
+#  sysctl option with name "socket_client" is created.
+#kernel.grsecurity.socket_server = 1
+
+#  Here you can choose the GID to disable server socket access for.
+#  Remember to add the users you want server socket access disabled for to
+#  the GID specified here.  If the sysctl option is enabled, a sysctl
+#  option with name "socket_server_gid" is created.
+#kernel.grsecurity.socket_server_gid = 204
+
+#
+# Physical Protections
+#
+
+#  If you say Y here, a new sysctl option with name "deny_new_usb"
+#  will be created.  Setting its value to 1 will prevent any new
+#  USB devices from being recognized by the OS.  Any attempted USB
+#  device insertion will be logged.  This option is intended to be
+#  used against custom USB devices designed to exploit vulnerabilities
+#  in various USB device drivers.
+#  
+#  For greatest effectiveness, this sysctl should be set after any
+#  relevant init scripts.  This option is safe to enable in distros
+#  as each user can choose whether or not to toggle the sysctl.
+#kernel.grsecurity.deny_new_usb = 0
+
+#
+# Restrict grsec sysctl changes after this was set
+#
+#kernel.grsecurity.grsec_lock = 1
 
-# cant chroot to outside chroot used to break chroot
-kernel.grsecurity.chroot_deny_chroot    = 1
-# function related to filesystems used to exploit
-kernel.grsecurity.chroot_deny_pivot     = 1
-# enforce current directory to chroot
-kernel.grsecurity.chroot_enforce_chdir  = 1
-# cant chmod inside chroot used to break chroot
-kernel.grsecurity.chroot_deny_chmod     = 0
 
 
 # End of file