core and tools revision

1 files changed, 33 insertions, 34 deletions

diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf
index d17c0c6..b0972e2 100644
--- a/core/conf/sysctl.conf
+++ b/core/conf/sysctl.conf
@@ -20,14 +20,14 @@ kernel.pid_max = 65536
 #  Ioperm and iopl can be used to modify the running kernel.
 #  Unfortunately, some programs need this access to operate properly,
 #  the most notable of which are XFree86 and hwclock.  hwclock can be
-#  remedied by having RTC support in the kernel, so real-time
-#  clock support is enabled if this option is enabled, to ensure
+#  remedied by having RTC support in the kernel, so real-time 
+#  clock support is enabled if this option is enabled, to ensure 
 #  that hwclock operates correctly.
-#
+#  
 #  If you're using XFree86 or a version of Xorg from 2012 or earlier,
 #  you may not be able to boot into a graphical environment with this
 #  option enabled.  In this case, you should use the RBAC system instead.
-kernel.grsecurity.disable_priv_io = 0
+kernel.grsecurity.disable_priv_io = 1
 
 #  If you say Y here, attempts to bruteforce exploits against forking
 #  daemons such as apache or sshd, as well as against suid/sgid binaries
@@ -39,7 +39,7 @@ kernel.grsecurity.disable_priv_io = 0
 #  In the suid/sgid case, the attempt is logged, the user has all their
 #  existing instances of the suid/sgid binary terminated and will
 #  be unable to execute any suid/sgid binaries for 15 minutes.
-#
+#  
 #  It is recommended that you also enable signal logging in the auditing
 #  section so that logs are generated when a process triggers a suspicious
 #  signal.
@@ -61,7 +61,7 @@ fs.file-max = 65535
 #  symlink is the owner of the directory. users will also not be
 #  able to hardlink to files they do not own.  If the sysctl option is
 #  enabled, a sysctl option with name "linking_restrictions" is created.
-kernel.grsecurity.linking_restrictions = 0
+kernel.grsecurity.linking_restrictions = 1
 
 
 #  Apache's SymlinksIfOwnerMatch option has an inherent race condition
@@ -75,15 +75,15 @@ kernel.grsecurity.linking_restrictions = 0
 #  will be in place for the group you specify. If the sysctl option
 #  is enabled, a sysctl option with name "enforce_symlinksifowner" is
 #  created.
-kernel.grsecurity.enforce_symlinksifowner = 0
-#kernel.grsecurity.symlinkown_gid = 33
+kernel.grsecurity.enforce_symlinksifowner = 1
+kernel.grsecurity.symlinkown_gid = 15
 
 #  if you say Y here, users will not be able to write to FIFOs they don't
 #  own in world-writable +t directories (e.g. /tmp), unless the owner of
 #  the FIFO is the same owner of the directory it's held in.  If the sysctl
 #  option is enabled, a sysctl option with name "fifo_restrictions" is
 #  created.
-kernel.grsecurity.fifo_restrictions = 0
+kernel.grsecurity.fifo_restrictions = 1
 
 #  If you say Y here, a sysctl option with name "romount_protect" will
 #  be created.  By setting this option to 1 at runtime, filesystems
@@ -99,7 +99,7 @@ kernel.grsecurity.fifo_restrictions = 0
 #  and GRKERNSEC_IO should be enabled and module loading disabled via
 #  config or at runtime.
 #  This feature is mainly intended for secure embedded systems.
-#kernel.grsecurity.romount_protect = 0
+#kernel.grsecurity.romount_protect = 1
 
 #  if you say Y here, the capabilities on all processes within a
 #  chroot jail will be lowered to stop module insertion, raw i/o,
@@ -122,8 +122,8 @@ kernel.grsecurity.chroot_deny_chmod = 1
 
 #  If you say Y here, processes inside a chroot will not be able to chroot
 #  again outside the chroot.  This is a widely used method of breaking
-#  out of a chroot jail and should not be allowed.  If the sysctl
-#  option is enabled, a sysctl option with name
+#  out of a chroot jail and should not be allowed.  If the sysctl 
+#  option is enabled, a sysctl option with name 
 #  "chroot_deny_chroot" is created.
 kernel.grsecurity.chroot_deny_chroot = 1
 
@@ -185,14 +185,14 @@ kernel.grsecurity.chroot_deny_unix = 1
 #  directory,  so  that `.' can be outside the tree rooted at
 #  `/'.  In particular, the  super-user  can  escape  from  a
 #  `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
-#
+#  
 #  It is recommended that you say Y here, since it's not known to break
 #  any software.  If the sysctl option is enabled, a sysctl option with
 #  name "chroot_enforce_chdir" is created.
 kernel.grsecurity.chroot_enforce_chdir  = 1
 
 #  If you say Y here, processes inside a chroot will not be able to
-#  kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
+#  kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, 
 #  getsid, or view any process outside of the chroot.  If the sysctl
 #  option is enabled, a sysctl option with name "chroot_findtask" is
 #  created.
@@ -215,14 +215,14 @@ kernel.grsecurity.chroot_restrict_nice = 1
 #  watch certain users instead of having a large amount of logs from the
 #  entire system.  If the sysctl option is enabled, a sysctl option with
 #  name "audit_group" is created.
-kernel.grsecurity.audit_group = 0
+kernel.grsecurity.audit_group = 1
 
 #  If you say Y here, the exec and chdir logging features will only operate
 #  on a group you specify.  This option is recommended if you only want to
 #  watch certain users instead of having a large amount of logs from the
 #  entire system.  If the sysctl option is enabled, a sysctl option with
 #  name "audit_group" is created.
-#kernel.grsecurity.audit_gid = 201
+kernel.grsecurity.audit_gid = 99
 
 #  If you say Y here, all execve() calls will be logged (since the
 #  other exec*() calls are frontends to execve(), all execution
@@ -231,7 +231,7 @@ kernel.grsecurity.audit_group = 0
 #  name "exec_logging" is created.
 #  WARNING: This option when enabled will produce a LOT of logs, especially
 #  on an active system.
-kernel.grsecurity.exec_logging = 0
+kernel.grsecurity.exec_logging = 0				
 
 #  If you say Y here, all attempts to overstep resource limits will
 #  be logged with the resource name, the requested size, and the current
@@ -245,12 +245,12 @@ kernel.grsecurity.resource_logging = 1
 #  applications (eg. djb's daemontools) are installed on the system, and
 #  is therefore left as an option.  If the sysctl option is enabled, a
 #  sysctl option with name "chroot_execlog" is created.
-kernel.grsecurity.chroot_execlog = 0
+kernel.grsecurity.chroot_execlog = 0	
 
 #  If you say Y here, all attempts to attach to a process via ptrace
 #  will be logged.  If the sysctl option is enabled, a sysctl option
 #  with name "audit_ptrace" is created.
-kernel.grsecurity.audit_ptrace = 1
+#kernel.grsecurity.audit_ptrace = 1
 
 #  If you say Y here, all attempts to attach to a process via ptrace
 #  will be logged.  If the sysctl option is enabled, a sysctl option
@@ -273,7 +273,6 @@ kernel.grsecurity.signal_logging = 1
 #  This could suggest a fork bomb, or someone attempting to overstep
 #  their process limit.  If the sysctl option is enabled, a sysctl option
 #  with name "forkfail_logging" is created.
-#kernel.grsecurity.forkfail_logging = 1
 kernel.grsecurity.forkfail_logging = 1
 
 #  If you say Y here, any changes of the system clock will be logged.
@@ -285,7 +284,7 @@ kernel.grsecurity.timechange_logging = 1
 #  usage of PROT_WRITE and PROT_EXEC together will be logged when
 #  denied by the PAX_MPROTECT feature.  This feature will also
 #  log other problematic scenarios that can occur when PAX_MPROTECT
-#  is enabled on a binary, like textrels and PT_GNU_STACK.  If the
+#  is enabled on a binary, like textrels and PT_GNU_STACK.  If the 
 #  sysctl option is enabled, a sysctl option with name "rwxmap_logging"
 #  is created.
 kernel.grsecurity.rwxmap_logging = 1
@@ -305,14 +304,14 @@ kernel.grsecurity.rwxmap_logging = 1
 kernel.grsecurity.dmesg = 1
 
 # Hide symbol addresses in /proc/kallsyms
-#kernel.kptr_restrict = 2
+kernel.kptr_restrict = 2
 
 #  If you say Y here, TTY sniffers and other malicious monitoring
 #  programs implemented through ptrace will be defeated.  If you
 #  have been using the RBAC system, this option has already been
 #  enabled for several years for all users, with the ability to make
 #  fine-grained exceptions.
-#
+#  
 #  This option only affects the ability of non-root users to ptrace
 #  processes that are not a descendent of the ptracing process.
 #  This means that strace ./binary and gdb ./binary will still work,
@@ -327,7 +326,7 @@ kernel.grsecurity.harden_ptrace = 1
 #  prevent infoleaking of their contents.  This option adds
 #  consistency to the use of that file mode, as the binary could normally
 #  be read out when run without privileges while ptracing.
-#
+#  
 #  If the sysctl option is enabled, a sysctl option with name "ptrace_readexec"
 #  is created.
 kernel.grsecurity.ptrace_readexec = 1
@@ -341,7 +340,7 @@ kernel.grsecurity.ptrace_readexec = 1
 #  same way, allowing the other threads of the process to continue
 #  running with root privileges.  If the sysctl option is enabled,
 #  a sysctl option with name "consistent_setxid" is created.
-kernel.grsecurity.consistent_setxid = 0
+kernel.grsecurity.consistent_setxid = 1
 
 #  If you say Y here, access to overly-permissive IPC objects (shared
 #  memory, message queues, and semaphores) will be denied for processes
@@ -359,7 +358,7 @@ kernel.grsecurity.consistent_setxid = 0
 #  CAP_IPC_OWNER are still permitted to access these IPC objects.
 #  If the sysctl option is enabled, a sysctl option with name
 #  "harden_ipc" is created.
-kernel.grsecurity.harden_ipc = 0
+kernel.grsecurity.harden_ipc = 1
 
 #  If you say Y here, you will be able to choose a gid to add to the
 #  supplementary groups of users you want to mark as "untrusted."
@@ -367,7 +366,7 @@ kernel.grsecurity.harden_ipc = 0
 #  root-owned directories writable only by root.  If the sysctl option
 #  is enabled, a sysctl option with name "tpe" is created.
 kernel.grsecurity.tpe = 1
-kernel.grsecurity.tpe_gid = 4
+kernel.grsecurity.tpe_gid = 100
 
 #  If you say Y here, the group you specify in the TPE configuration will
 #  decide what group TPE restrictions will be *disabled* for.  This
@@ -499,11 +498,11 @@ net.ipv4.tcp_synack_retries = 3
 #  If you say Y here, neither TCP resets nor ICMP
 #  destination-unreachable packets will be sent in response to packets
 #  sent to ports for which no associated listening process exists.
-#  This feature supports both IPV4 and IPV6 and exempts the
-#  loopback interface from blackholing.  Enabling this feature
+#  This feature supports both IPV4 and IPV6 and exempts the 
+#  loopback interface from blackholing.  Enabling this feature 
 #  makes a host more resilient to DoS attacks and reduces network
 #  visibility against scanners.
-#
+#  
 #  The blackhole feature as-implemented is equivalent to the FreeBSD
 #  blackhole feature, as it prevents RST responses to all packets, not
 #  just SYNs.  Under most application behavior this causes no
@@ -516,7 +515,7 @@ net.ipv4.tcp_synack_retries = 3
 #  can spend in LAST_ACK state.  If you're using haproxy and not
 #  all servers it connects to have this option enabled, consider
 #  disabling this feature on the haproxy host.
-#
+#  
 #  If the sysctl option is enabled, two sysctl options with names
 #  "ip_blackhole" and "lastack_retries" will be created.
 #  While "ip_blackhole" takes the standard zero/non-zero on/off
@@ -531,13 +530,13 @@ kernel.grsecurity.lastack_retries = 4
 #  be unable to connect to other hosts from your machine or run server
 #  applications from your machine.  If the sysctl option is enabled, a
 #  sysctl option with name "socket_all" is created.
-kernel.grsecurity.socket_all = 0
+kernel.grsecurity.socket_all = 1
 
 #  Here you can choose the GID to disable socket access for. Remember to
 #  add the users you want socket access disabled for to the GID
 #  specified here.  If the sysctl option is enabled, a sysctl option
 #  with name "socket_all_gid" is created.
-#kernel.grsecurity.socket_all_gid = 202
+kernel.grsecurity.socket_all_gid = 200
 
 #  If you say Y here, you will be able to choose a GID of whose users will
 #  be unable to connect to other hosts from your machine, but will be
@@ -577,7 +576,7 @@ kernel.grsecurity.socket_server_gid = 99
 #  device insertion will be logged.  This option is intended to be
 #  used against custom USB devices designed to exploit vulnerabilities
 #  in various USB device drivers.
-#
+#  
 #  For greatest effectiveness, this sysctl should be set after any
 #  relevant init scripts.  This option is safe to enable in distros
 #  as each user can choose whether or not to toggle the sysctl.