about summary refs log tree commit diff stats
path: root/core/linux.html
diff options
context:
space:
mode:
authorSilvino Silva <silvino@bk.ru>2017-02-20 09:06:21 +0000
committerSilvino Silva <silvino@bk.ru>2017-02-20 09:06:21 +0000
commit0e7880313b3a3e016c0d2e287802cc6ddff9edd1 (patch)
tree4ab03821ada4e4817dd58d161ae46041e24575b0 /core/linux.html
parentfd15c7a1ea378eaea467a741253483b2f5b31ea9 (diff)
downloaddoc-0e7880313b3a3e016c0d2e287802cc6ddff9edd1.tar.gz
core revision
Diffstat (limited to 'core/linux.html')
-rw-r--r--core/linux.html676


1 files changed, 625 insertions, 51 deletions
diff --git a/core/linux.html b/core/linux.html
index 53fc304..0304884 100644
--- a/core/linux.html
+++ b/core/linux.html
@@ -2,12 +2,12 @@
 <html dir="ltr" lang="en">
     <head>
         <meta charset='utf-8'>
-        <title>2.3. Kernel Linux</title>
+        <title>2.1. Kernel Linux</title>
     </head>
     <body>
 
         <a href="index.html">Core OS Index</a>
-        <h1 id="kernel">2.3. Kernel Linux</h1>
+        <h1 id="kernel">2.1. Kernel Linux</h1>
 
         <p>Linux is a monolith kernel, a big one ! Visit
         <a href="http://www.fsfla.org/ikiwiki/selibre/linux-libre/">Linux Libre</a>
@@ -15,58 +15,41 @@
         <a href="https://www.kernel.org/">Linux Non-Libre</a> pages for more links
         and information.</p>
 
-        <h2 id="#linuxlibre">2.3.1. Port Linux Libre</h2>
+        <h2 id="#linuxlibre">2.1.1. Port Linux Libre</h2>
 
-        <p>Collection c9-ports have linux-libre port with default crux
-        configuration, this port depends on dracut and grub but is not
-        required to install them. To build and install this port using
-        prt-get;</p>
+        <p>Default crux configuration can be obtained from iso, this port depends
+        on dracut and grub but is not required to install them. To build and install
+        this port using prt-get;</p>
 
         <pre>
         $ prt-get depinst linux-libre
         </pre>
 
-        <h2 id="kinstall">2.3.2. Manual Install</h2>
+        <h2 id="kinstall">2.1.2. Manual Install</h2>
 
         <p>Download Linux Source from
         <a href="http://linux-libre.fsfla.org/pub/linux-libre/releases/">linux libre</a>,
         or using the port system;</p>
 
-        <pre>
-        $ cd /usr/ports/c9-ports/linux-libre
-        $ sudo -u pkgmk pkgmk -do
-        </pre>
-
-        <p>Crux iso comes with config that is used in this port, is
-        a good starting point to personalize according to your needs;</p>
+        <p>Crux iso comes with config that is more generic than used on linux-libre
+        port, crux default is a good starting point to personalize according to your
+        needs (build default, detect modules needed);</p>
 
         <pre>
         $ mkdir ~/kernel
         $ cd ~/kernel
-        $ cp /usr/ports/c9-ports/linux-libre/linux-4.1.32.defconfig .
-        $ cp /usr/ports/distfiles/linux-libre-4.1.32-gnu.tar.xz .
-        $ tar xf linux-libre-4.1.32-gnu.tar.xz
-        $ cp linux-4.1.32.defconfig linux-4.1.32/.config
+        $ cp /usr/ports/distfiles/linux-libre-4.9.11-gnu.tar.xz .
+        $ tar xf linux-libre-4.9.11-gnu.tar.xz
+        $ cd linux-4.9.11/
         </pre>
 
-        <p>If you like <a href="https://github.com/graysky2/kernel_gcc_patch/">graysky2</a> kernel_gcc_patch (<a href="https://github.com/graysky2/kernel_gcc_patch/archive/master.zip">download master</a>) that adds more cpu options (FLAGS native)</p>
-
-        <pre>
-        $ cp /usr/ports/distfiles/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch cpu_optimizations.patch
-        </pre>
-
-        <pre>
-        $ cd ~/linux-4.1.32/
-        $ patch -p1 &lt; ../cpu_optimizations.patch
-        patching file arch/x86/include/asm/module.h
-        patching file arch/x86/Kconfig.cpu
-        patching file arch/x86/Makefile
-        Hunk #1 succeeded at 85 with fuzz 1 (offset -9 lines).
-        patching file arch/x86/Makefile_32.cpu
-        $
-        </pre>
-
-        <p>Read <a href="https://en.wikibooks.org/wiki/Grsecurity/Configuring_and_Installing_grsecurity#Patching_Your_Kernel_with_grsecurity">Gresecurity</a>.</p>
+        <p><a href="grsecurity.net">Grsecurity</a> patch for
+        <a href="https://grsecurity.net/test/grsecurity-3.1-4.9.9-201702122044.patch">4.9.11</a>.
+        Gcc <a href="https://github.com/graysky2/kernel_gcc_patch/">graysky2</a> kernel_gcc_patch (<a href="https://github.com/graysky2/kernel_gcc_patch/archive/master.zip">master.zip</a>)
+        that adds more cpu options (FLAGS native).
+        Check <a href="ports/linux-libre/Pkgfile">Pkgfile</a> for instructions and
+        more patches used on linux-libre port. Read patching your kernel with
+        <a href="https://en.wikibooks.org/wiki/Grsecurity/Configuring_and_Installing_grsecurity#Patching_Your_Kernel_with_grsecurity">gresecurity</a>.</p>
 
         <p>Configure kernel according to your current kernel
         hardware support;</p>
@@ -77,11 +60,10 @@
 
         <p>This will disable all unloaded modules,
         you can use localyesconfig mark all loaded
-        to be built in the kernel.</p>
-
-        <p>To get information about your hardware,
-        for example information about which graphic
-        module (driver) is in use as root run;</p>
+        to be built in the kernel. To get information
+        about your hardware, for example information
+        about which graphic module (driver) is in use
+        as root run;</p>
 
         <pre>
         # lspci -nnk | grep -i vga -A3 | grep 'in use'
@@ -95,16 +77,16 @@
         </pre>
 
         <pre>
-        $ make -j $(nproc) all
+        $ make -j $(nproc) bzImage modules
         $ sudo make modules_install
-        $ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.1.32-gnu_crux
-        $ sudo cp System.map /boot/System.map-4.1.32-gnu_crux
+        $ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.9.11-gnu
+        $ sudo cp System.map /boot/System.map-4.9.11-gnu
         </pre>
 
         <p>Create dracut initramfs;</p>
 
         <pre>
-        $sudo dracut --fstab /boot/initramfs-4.1.32-gnu_crux.img 4.1.32-gnu_crux
+        $sudo dracut --fstab /boot/initramfs-4.9.11-gnu.img 4.9.11-gnu
         </pre>
 
         <p>Update grub;</p>
@@ -113,17 +95,609 @@
         # grub-mkconfig -o /boot/grub/grub.cfg
         </pre>
 
-        <h2 id="kuninstall">2.3.3. Manual Remove</h2>
+        <h2 id="kuninstall">2.1.3. Manual Remove</h2>
 
         <pre>
-        $ sudo rm -r /lib/modules/4.1.12-gnu_crux
-        $ sudo rm /boot/vmlinuz-4.1.12-gnu_crux
-        $ sudo rm /boot/System.map-4.1.12-gnu_crux
+        $ sudo rm -r /lib/modules/4.9.11-gnu
+        $ sudo rm /boot/vmlinuz-4.9.11-gnu
+        $ sudo rm /boot/System.map-4.9.11-gnu
         </pre>
 
+        <h2 id="sysctl">2.1.4. Sysctl</h2>
+
+        <p>Sysctl references
+        <a href="https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening">Arch TCP/IP stack hardening</a>,
+        <a href="http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html">Cyberciti Nginx Hardning</a>,
+        <a href="http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/">Cyberciti Security Hardening</a>,
+        <a href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">Grsecurity and PaX Configuration</a>.</p>
+
+        <p>Since kernels on c9-ports have <a href="pax.grsecurity.net">PaX</a>
+        and <a href="http://grsecurity.net/announce.php">grsecurity</a>,
+        <a href="conf/sysctl.conf">/etc/sysctl.conf</a> can have follow
+        values;</p>
+
+        <pre>
+        #
+        # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
+        #
+
+        kernel.printk = 15 1 1 4
+        kernel.randomize_va_space = 1
+        kernel.shmmax = 500000000
+        # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
+        kernel.pid_max = 65536
+
+        #
+        # Memory Protections
+        #
+
+        #  If you say Y here, all ioperm and iopl calls will return an error.
+        #  Ioperm and iopl can be used to modify the running kernel.
+        #  Unfortunately, some programs need this access to operate properly,
+        #  the most notable of which are XFree86 and hwclock.  hwclock can be
+        #  remedied by having RTC support in the kernel, so real-time
+        #  clock support is enabled if this option is enabled, to ensure
+        #  that hwclock operates correctly.
+        #
+        #  If you're using XFree86 or a version of Xorg from 2012 or earlier,
+        #  you may not be able to boot into a graphical environment with this
+        #  option enabled.  In this case, you should use the RBAC system instead.
+        #kernel.grsecurity.disable_priv_io = 1
+        kernel.grsecurity.disable_priv_io = 0
+
+        #  If you say Y here, attempts to bruteforce exploits against forking
+        #  daemons such as apache or sshd, as well as against suid/sgid binaries
+        #  will be deterred.  When a child of a forking daemon is killed by PaX
+        #  or crashes due to an illegal instruction or other suspicious signal,
+        #  the parent process will be delayed 30 seconds upon every subsequent
+        #  fork until the administrator is able to assess the situation and
+        #  restart the daemon.
+        #  In the suid/sgid case, the attempt is logged, the user has all their
+        #  existing instances of the suid/sgid binary terminated and will
+        #  be unable to execute any suid/sgid binaries for 15 minutes.
+        #
+        #  It is recommended that you also enable signal logging in the auditing
+        #  section so that logs are generated when a process triggers a suspicious
+        #  signal.
+        #  If the sysctl option is enabled, a sysctl option with name
+        #  "deter_bruteforce" is created.
+        #kernel.grsecurity.deter_bruteforce = 1
+
+        #
+        # Filesystem Protections
+        #
+
+        # Optimization for port usefor LBs
+        # Increase system file descriptor limit
+        fs.file-max = 65535
+
+        #  If you say Y here, /tmp race exploits will be prevented, since users
+        #  will no longer be able to follow symlinks owned by other users in
+        #  world-writable +t directories (e.g. /tmp), unless the owner of the
+        #  symlink is the owner of the directory. users will also not be
+        #  able to hardlink to files they do not own.  If the sysctl option is
+        #  enabled, a sysctl option with name "linking_restrictions" is created.
+        kernel.grsecurity.linking_restrictions = 1
+
+
+        #  Apache's SymlinksIfOwnerMatch option has an inherent race condition
+        #  that prevents it from being used as a security feature.  As Apache
+        #  verifies the symlink by performing a stat() against the target of
+        #  the symlink before it is followed, an attacker can setup a symlink
+        #  to point to a same-owned file, then replace the symlink with one
+        #  that targets another user's file just after Apache "validates" the
+        #  symlink -- a classic TOCTOU race.  If you say Y here, a complete,
+        #  race-free replacement for Apache's "SymlinksIfOwnerMatch" option
+        #  will be in place for the group you specify. If the sysctl option
+        #  is enabled, a sysctl option with name "enforce_symlinksifowner" is
+        #  created.
+        #kernel.grsecurity.enforce_symlinksifowner = 1
+        #kernel.grsecurity.symlinkown_gid = 33
+
+        #  if you say Y here, users will not be able to write to FIFOs they don't
+        #  own in world-writable +t directories (e.g. /tmp), unless the owner of
+        #  the FIFO is the same owner of the directory it's held in.  If the sysctl
+        #  option is enabled, a sysctl option with name "fifo_restrictions" is
+        #  created.
+        #kernel.grsecurity.fifo_restrictions = 1
+
+        #  If you say Y here, a sysctl option with name "romount_protect" will
+        #  be created.  By setting this option to 1 at runtime, filesystems
+        #  will be protected in the following ways:
+        #  * No new writable mounts will be allowed
+        #  * Existing read-only mounts won't be able to be remounted read/write
+        #  * Write operations will be denied on all block devices
+        #  This option acts independently of grsec_lock: once it is set to 1,
+        #  it cannot be turned off.  Therefore, please be mindful of the resulting
+        #  behavior if this option is enabled in an init script on a read-only
+        #  filesystem.
+        #  Also be aware that as with other root-focused features, GRKERNSEC_KMEM
+        #  and GRKERNSEC_IO should be enabled and module loading disabled via
+        #  config or at runtime.
+        #  This feature is mainly intended for secure embedded systems.
+        #kernel.grsecurity.romount_protect = 0
+
+        #  if you say Y here, the capabilities on all processes within a
+        #  chroot jail will be lowered to stop module insertion, raw i/o,
+        #  system and net admin tasks, rebooting the system, modifying immutable
+        #  files, modifying IPC owned by another, and changing the system time.
+        #  This is left an option because it can break some apps.  Disable this
+        #  if your chrooted apps are having problems performing those kinds of
+        #  tasks.  If the sysctl option is enabled, a sysctl option with
+        #  name "chroot_caps" is created.
+        kernel.grsecurity.chroot_caps = 1
+
+        #kernel.grsecurity.chroot_deny_bad_rename = 1
+
+        #  If you say Y here, processes inside a chroot will not be able to chmod
+        #  or fchmod files to make them have suid or sgid bits.  This protects
+        #  against another published method of breaking a chroot.  If the sysctl
+        #  option is enabled, a sysctl option with name "chroot_deny_chmod" is
+        #  created.
+        kernel.grsecurity.chroot_deny_chmod     = 1
+
+        #  If you say Y here, processes inside a chroot will not be able to chroot
+        #  again outside the chroot.  This is a widely used method of breaking
+        #  out of a chroot jail and should not be allowed.  If the sysctl
+        #  option is enabled, a sysctl option with name
+        #  "chroot_deny_chroot" is created.
+        kernel.grsecurity.chroot_deny_chroot    = 1
+
+        #  If you say Y here, a well-known method of breaking chroots by fchdir'ing
+        #  to a file descriptor of the chrooting process that points to a directory
+        #  outside the filesystem will be stopped.  If the sysctl option
+        #  is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
+        kernel.grsecurity.chroot_deny_fchdir = 1
+
+        #  If you say Y here, processes inside a chroot will not be allowed to
+        #  mknod.  The problem with using mknod inside a chroot is that it
+        #  would allow an attacker to create a device entry that is the same
+        #  as one on the physical root of your system, which could range from
+        #  anything from the console device to a device for your harddrive (which
+        #  they could then use to wipe the drive or steal data).  It is recommended
+        #  that you say Y here, unless you run into software incompatibilities.
+        #  If the sysctl option is enabled, a sysctl option with name
+        #  "chroot_deny_mknod" is created.
+        kernel.grsecurity.chroot_deny_mknod = 1
+
+        #  If you say Y here, processes inside a chroot will not be able to
+        #  mount or remount filesystems.  If the sysctl option is enabled, a
+        #  sysctl option with name "chroot_deny_mount" is created.
+        kernel.grsecurity.chroot_deny_mount = 1
+
+        #  If you say Y here, processes inside a chroot will not be able to use
+        #  a function called pivot_root() that was introduced in Linux 2.3.41.  It
+        #  works similar to chroot in that it changes the root filesystem.  This
+        #  function could be misused in a chrooted process to attempt to break out
+        #  of the chroot, and therefore should not be allowed.  If the sysctl
+        #  option is enabled, a sysctl option with name "chroot_deny_pivot" is
+        #  created.
+        kernel.grsecurity.chroot_deny_pivot     = 1
+
+        #  If you say Y here, processes inside a chroot will not be able to attach
+        #  to shared memory segments that were created outside of the chroot jail.
+        #  It is recommended that you say Y here.  If the sysctl option is enabled,
+        #  a sysctl option with name "chroot_deny_shmat" is created.
+        kernel.grsecurity.chroot_deny_shmat = 1
+
+        #  If you say Y here, an attacker in a chroot will not be able to
+        #  write to sysctl entries, either by sysctl(2) or through a /proc
+        #  interface.  It is strongly recommended that you say Y here. If the
+        #  sysctl option is enabled, a sysctl option with name
+        #  "chroot_deny_sysctl" is created.
+        kernel.grsecurity.chroot_deny_sysctl = 1
+
+        #  If you say Y here, processes inside a chroot will not be able to
+        #  connect to abstract (meaning not belonging to a filesystem) Unix
+        #  domain sockets that were bound outside of a chroot.  It is recommended
+        #  that you say Y here.  If the sysctl option is enabled, a sysctl option
+        #  with name "chroot_deny_unix" is created.
+        kernel.grsecurity.chroot_deny_unix = 1
+
+        #  If you say Y here, the current working directory of all newly-chrooted
+        #  applications will be set to the the root directory of the chroot.
+        #  The man page on chroot(2) states:
+        #  Note that usually chhroot does not change  the  current  working
+        #  directory,  so  that `.' can be outside the tree rooted at
+        #  `/'.  In particular, the  super-user  can  escape  from  a
+        #  `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
+        #
+        #  It is recommended that you say Y here, since it's not known to break
+        #  any software.  If the sysctl option is enabled, a sysctl option with
+        #  name "chroot_enforce_chdir" is created.
+        kernel.grsecurity.chroot_enforce_chdir  = 1
+
+        #  If you say Y here, processes inside a chroot will not be able to
+        #  kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
+        #  getsid, or view any process outside of the chroot.  If the sysctl
+        #  option is enabled, a sysctl option with name "chroot_findtask" is
+        #  created.
+        kernel.grsecurity.chroot_findtask = 1
+
+        #  If you say Y here, processes inside a chroot will not be able to raise
+        #  the priority of processes in the chroot, or alter the priority of
+        #  processes outside the chroot.  This provides more security than simply
+        #  removing CAP_SYS_NICE from the process' capability set.  If the
+        #  sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
+        #  is created.
+        kernel.grsecurity.chroot_restrict_nice = 1
+
+        #
+        # Kernel Auditing
+        #
+
+        #  If you say Y here, the exec and chdir logging features will only operate
+        #  on a group you specify.  This option is recommended if you only want to
+        #  watch certain users instead of having a large amount of logs from the
+        #  entire system.  If the sysctl option is enabled, a sysctl option with
+        #  name "audit_group" is created.
+        kernel.grsecurity.audit_group = 0
+
+        #  If you say Y here, the exec and chdir logging features will only operate
+        #  on a group you specify.  This option is recommended if you only want to
+        #  watch certain users instead of having a large amount of logs from the
+        #  entire system.  If the sysctl option is enabled, a sysctl option with
+        #  name "audit_group" is created.
+        #kernel.grsecurity.audit_gid = 201
+
+        #  If you say Y here, all execve() calls will be logged (since the
+        #  other exec*() calls are frontends to execve(), all execution
+        #  will be logged).  Useful for shell-servers that like to keep track
+        #  of their users.  If the sysctl option is enabled, a sysctl option with
+        #  name "exec_logging" is created.
+        #  WARNING: This option when enabled will produce a LOT of logs, especially
+        #  on an active system.
+        kernel.grsecurity.exec_logging = 0
+
+        #  If you say Y here, all attempts to overstep resource limits will
+        #  be logged with the resource name, the requested size, and the current
+        #  limit.  It is highly recommended that you say Y here.  If the sysctl
+        #  option is enabled, a sysctl option with name "resource_logging" is
+        #  created.  If the RBAC system is enabled, the sysctl value is ignored.
+        #kernel.grsecurity.resource_logging = 1
+        kernel.grsecurity.resource_logging = 0
+
+        #  If you say Y here, all executions inside a chroot jail will be logged
+        #  to syslog.  This can cause a large amount of logs if certain
+        #  applications (eg. djb's daemontools) are installed on the system, and
+        #  is therefore left as an option.  If the sysctl option is enabled, a
+        #  sysctl option with name "chroot_execlog" is created.
+        kernel.grsecurity.chroot_execlog = 0
+
+        #  If you say Y here, all attempts to attach to a process via ptrace
+        #  will be logged.  If the sysctl option is enabled, a sysctl option
+        #  wi






 

generated by cgit-pink 1.4.1-2-gfad0 (git 2.36.2.497.gbbea4dcf42) at 2025-04-06 23:36:35 +0000


 


'add'>+        #  will be logged.  If the sysctl option is enabled, a sysctl option
+        #  with name "audit_ptrace" is created.
+        kernel.grsecurity.audit_chdir = 0
+
+        #  If you say Y here, all mounts and unmounts will be logged.  If the
+        #  sysctl option is enabled, a sysctl option with name "audit_mount" is
+        #  created.
+        #kernel.grsecurity.audit_mount = 1
+        kernel.grsecurity.audit_mount = 0
+
+        #  If you say Y here, certain important signals will be logged, such as
+        #  SIGSEGV, which will as a result inform you of when a error in a program
+        #  occurred, which in some cases could mean a possible exploit attempt.
+        #  If the sysctl option is enabled, a sysctl option with name
+        #  "signal_logging" is created.
+        kernel.grsecurity.signal_logging = 0
+
+        #  If you say Y here, all failed fork() attempts will be logged.
+        #  This could suggest a fork bomb, or someone attempting to overstep
+        #  their process limit.  If the sysctl option is enabled, a sysctl option
+        #  with name "forkfail_logging" is created.
+        #kernel.grsecurity.forkfail_logging = 1
+        kernel.grsecurity.forkfail_logging = 0
+
+        #  If you say Y here, any changes of the system clock will be logged.
+        #  If the sysctl option is enabled, a sysctl option with name
+        #  "timechange_logging" is created.
+        #kernel.grsecurity.timechange_logging = 1
+
+        #  if you say Y here, calls to mmap() and mprotect() with explicit
+        #  usage of PROT_WRITE and PROT_EXEC together will be logged when
+        #  denied by the PAX_MPROTECT feature.  This feature will also
+        #  log other problematic scenarios that can occur when PAX_MPROTECT
+        #  is enabled on a binary, like textrels and PT_GNU_STACK.  If the
+        #  sysctl option is enabled, a sysctl option with name "rwxmap_logging"
+        #  is created.
+        #kernel.grsecurity.rwxmap_logging = 1
+
+        #
+        # Executable Protections
+        #
+
+
+        #  if you say Y here, non-root users will not be able to use dmesg(8)
+        #  to view the contents of the kernel's circular log buffer.
+        #  The kernel's log buffer often contains kernel addresses and other
+        #  identifying information useful to an attacker in fingerprinting a
+        #  system for a targeted exploit.
+        #  If the sysctl option is enabled, a sysctl option with name "dmesg" is
+        #  created.
+        kernel.grsecurity.dmesg = 1
+
+        # Hide symbol addresses in /proc/kallsyms
+        kernel.kptr_restrict = 1
+
+        #  If you say Y here, TTY sniffers and other malicious monitoring
+        #  programs implemented through ptrace will be defeated.  If you
+        #  have been using the RBAC system, this option has already been
+        #  enabled for several years for all users, with the ability to make
+        #  fine-grained exceptions.
+        #
+        #  This option only affects the ability of non-root users to ptrace
+        #  processes that are not a descendent of the ptracing process.
+        #  This means that strace ./binary and gdb ./binary will still work,
+        #  but attaching to arbitrary processes will not.  If the sysctl
+        #  option is enabled, a sysctl option with name "harden_ptrace" is
+        #  created.
+        kernel.grsecurity.harden_ptrace = 1
+
+        #  If you say Y here, unprivileged users will not be able to ptrace unreadable
+        #  binaries.  This option is useful in environments that
+        #  remove the read bits (e.g. file mode 4711) from suid binaries to
+        #  prevent infoleaking of their contents.  This option adds
+        #  consistency to the use of that file mode, as the binary could normally
+        #  be read out when run without privileges while ptracing.
+        #
+        #  If the sysctl option is enabled, a sysctl option with name "ptrace_readexec"
+        #  is created.
+        kernel.grsecurity.ptrace_readexec = 1
+
+        #  If you say Y here, a change from a root uid to a non-root uid
+        #  in a multithreaded application will cause the resulting uids,
+        #  gids, supplementary groups, and capabilities in that thread
+        #  to be propagated to the other threads of the process.  In most
+        #  cases this is unnecessary, as glibc will emulate this behavior
+        #  on behalf of the application.  Other libcs do not act in the
+        #  same way, allowing the other threads of the process to continue
+        #  running with root privileges.  If the sysctl option is enabled,
+        #  a sysctl option with name "consistent_setxid" is created.
+        #kernel.grsecurity.consistent_setxid = 1
+
+        #  If you say Y here, access to overly-permissive IPC objects (shared
+        #  memory, message queues, and semaphores) will be denied for processes
+        #  given the following criteria beyond normal permission checks:
+        #  1) If the IPC object is world-accessible and the euid doesn't match
+        #     that of the creator or current uid for the IPC object
+        #  2) If the IPC object is group-accessible and the egid doesn't
+        #     match that of the creator or current gid for the IPC object
+        #  It's a common error to grant too much permission to these objects,
+        #  with impact ranging from denial of service and information leaking to
+        #  privilege escalation.  This feature was developed in response to
+        #  research by Tim Brown:
+        #  http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
+        #  who found hundreds of such insecure usages.  Processes with
+        #  CAP_IPC_OWNER are still permitted to access these IPC objects.
+        #  If the sysctl option is enabled, a sysctl option with name
+        #  "harden_ipc" is created.
+        kernel.grsecurity.harden_ipc = 1
+
+        #  If you say Y here, you will be able to choose a gid to add to the
+        #  supplementary groups of users you want to mark as "untrusted."
+        #  These users will not be able to execute any files that are not in
+        #  root-owned directories writable only by root.  If the sysctl option
+        #  is enabled, a sysctl option with name "tpe" is created.
+        kernel.grsecurity.tpe = 1
+        kernel.grsecurity.tpe_gid = 101
+
+        #  If you say Y here, the group you specify in the TPE configuration will
+        #  decide what group TPE restrictions will be *disabled* for.  This
+        #  option is useful if you want TPE restrictions to be applied to most
+        #  users on the system.  If the sysctl option is enabled, a sysctl option
+        #  with name "tpe_invert" is created.  Unlike other sysctl options, this
+        #  entry will default to on for backward-compatibility.
+        kernel.grsecurity.tpe_invert = 1
+
+        #  If you say Y here, all non-root users will be covered under
+        #  a weaker TPE restriction.  This is separate from, and in addition to,
+        #  the main TPE options that you have selected elsewhere.  Thus, if a
+        #  "trusted" GID is chosen, this restriction applies to even that GID.
+        #  Under this restriction, all non-root users will only be allowed to
+        #  execute files in directories they own that are not group or
+        #  world-writable, or in directories owned by root and writable only by
+        #  root.  If the sysctl option is enabled, a sysctl option with name
+        #  "tpe_restrict_all" is created.
+        kernel.grsecurity.tpe_restrict_all = 0
+
+
+        #kernel.grsecurity.harden_tty = 1
+        #
+        # Network Protections
+        #
+
+        # Increase Linux auto tuning TCP buffer limits
+        # min, default, and max number of bytes to use
+        # set max to at least 4MB, or higher if you use very high BDP paths
+        # Tcp Windows etc
+        net.core.rmem_max = 8388608
+        net.core.wmem_max = 8388608
+        net.core.netdev_max_backlog = 5000
+        net.ipv4.tcp_window_scaling = 1
+
+        # Both ports linux-blob and linux-libre don't build with ipv6
+        # Disable ipv6
+        net.ipv6.conf.all.disable_ipv6 = 1
+        net.ipv6.conf.default.disable_ipv6 = 1
+        net.ipv6.conf.lo.disable_ipv6 = 1
+
+        # Tuen IPv6
+        #net.ipv6.conf.default.router_solicitations = 0
+        #net.ipv6.conf.default.accept_ra_rtr_pref = 0
+        #net.ipv6.conf.default.accept_ra_pinfo = 0
+        #net.ipv6.conf.default.accept_ra_defrtr = 0
+        #net.ipv6.conf.default.autoconf = 0
+        #net.ipv6.conf.default.dad_transmits = 0
+        #net.ipv6.conf.default.max_addresses = 0
+
+        # Avoid a smurf attack
+        net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+        # Turn on protection for bad icmp error messages
+        net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+        # Turn on syncookies for SYN flood attack protection
+        net.ipv4.tcp_syncookies = 1
+
+        ## protect against tcp time-wait assassination hazards
+        ## drop RST packets for sockets in the time-wait state
+        ## (not widely supported outside of linux, but conforms to RFC)
+        net.ipv4.tcp_rfc1337 = 1
+
+        ## tcp timestamps
+        ## + protect against wrapping sequence numbers (at gigabit speeds)
+        ## + round trip time calculation implemented in TCP
+        ## - causes extra overhead and allows uptime detection by scanners like nmap
+        ## enable @ gigabit speeds
+        net.ipv4.tcp_timestamps = 0
+        #net.ipv4.tcp_timestamps = 1
+
+        # Turn on and log spoofed, source routed, and redirect packets
+        net.ipv4.conf.all.log_martians = 1
+        net.ipv4.conf.default.log_martians = 1
+
+        ## ignore echo broadcast requests to prevent being part of smurf attacks (default)
+        net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+        # No source routed packets here
+        net.ipv4.conf.all.accept_source_route = 0
+        net.ipv4.conf.default.accept_source_route = 0
+
+        ## sets the kernels reverse path filtering mechanism to value 1(on)
+        ## will do source validation of the packet's recieved from all the interfaces on the machine
+        ## protects from attackers that are using ip spoofing methods to do harm
+        net.ipv4.conf.all.rp_filter = 1
+        net.ipv4.conf.default.rp_filter = 1
+        #net.ipv6.conf.default.rp_filter = 1
+        #net.ipv6.conf.all.rp_filter = 1
+
+        # Make sure no one can alter the routing tables
+        net.ipv4.conf.all.accept_redirects = 0
+        net.ipv4.conf.default.accept_redirects = 0
+        net.ipv4.conf.all.secure_redirects = 0
+        net.ipv4.conf.default.secure_redirects = 0
+
+        # Act as a router, necessary for Access Point
+        net.ipv4.ip_forward = 1
+        net.ipv4.conf.all.send_redirects = 1
+        net.ipv4.conf.default.send_redirects = 1
+
+        # Increase system IP port limits
+        net.ipv4.ip_local_port_range = 2000 65000
+
+        # Increase TCP max buffer size setable using setsockopt()
+        net.ipv4.tcp_rmem = 4096 87380 8388608
+        net.ipv4.tcp_wmem = 4096 87380 8388608
+
+
+        #  If you say Y here, neither TCP resets nor ICMP
+        #  destination-unreachable packets will be sent in response to packets
+        #  sent to ports for which no associated listening process exists.
+        #  This feature supports both IPV4 and IPV6 and exempts the
+        #  loopback interface from blackholing.  Enabling this feature
+        #  makes a host more resilient to DoS attacks and reduces network
+        #  visibility against scanners.
+        #
+        #  The blackhole feature as-implemented is equivalent to the FreeBSD
+        #  blackhole feature, as it prevents RST responses to all packets, not
+        #  just SYNs.  Under most application behavior this causes no
+        #  problems, but applications (like haproxy) may not close certain
+        #  connections in a way that cleanly terminates them on the remote
+        #  end, leaving the remote host in LAST_ACK state.  Because of this
+        #  side-effect and to prevent intentional LAST_ACK DoSes, this
+        #  feature also adds automatic mitigation against such attacks.
+        #  The mitigation drastically reduces the amount of time a socket
+        #  can spend in LAST_ACK state.  If you're using haproxy and not
+        #  all servers it connects to have this option enabled, consider
+        #  disabling this feature on the haproxy host.
+        #
+        #  If the sysctl option is enabled, two sysctl options with names
+        #  "ip_blackhole" and "lastack_retries" will be created.
+        #  While "ip_blackhole" takes the standard zero/non-zero on/off
+        #  toggle, "lastack_retries" uses the same kinds of values as
+        #  "tcp_retries1" and "tcp_retries2".  The default value of 4
+        #  prevents a socket from lasting more than 45 seconds in LAST_ACK
+        #  state.
+        #kernel.grsecurity.ip_blackhole = 1
+        #kernel.grsecurity.lastack_retries = 4
+
+        #  If you say Y here, you will be able to choose a GID of whose users will
+        #  be unable to connect to other hosts from your machine or run server
+        #  applications from your machine.  If the sysctl option is enabled, a
+        #  sysctl option with name "socket_all" is created.
+        #kernel.grsecurity.socket_all = 1
+
+        #  Here you can choose the GID to disable socket access for. Remember to
+        #  add the users you want socket access disabled for to the GID
+        #  specified here.  If the sysctl option is enabled, a sysctl option
+        #  with name "socket_all_gid" is created.
+        #kernel.grsecurity.socket_all_gid = 202
+
+        #  If you say Y here, you will be able to choose a GID of whose users will
+        #  be unable to connect to other hosts from your machine, but will be
+        #  able to run servers.  If this option is enabled, all users in the group
+        #  you specify will have to use passive mode when initiating ftp transfers
+        #  from the shell on your machine.  If the sysctl option is enabled, a
+        #  sysctl option with name "socket_client" is created.
+        #kernel.grsecurity.socket_client = 1
+
+        #  Here you can choose the GID to disable client socket access for.
+        #  Remember to add the users you want client socket access disabled for to
+        #  the GID specified here.  If the sysctl option is enabled, a sysctl
+        #  option with name "socket_client_gid" is created.
+        #kernel.grsecurity.socket_client_gid = 203
+
+        #  If you say Y here, you will be able to choose a GID of whose users will
+        #  be unable to connect to other hosts from your machine, but will be
+        #  able to run servers.  If this option is enabled, all users in the group
+        #  you specify will have to use passive mode when initiating ftp transfers
+        #  from the shell on your machine.  If the sysctl option is enabled, a
+        #  sysctl option with name "socket_client" is created.
+        #kernel.grsecurity.socket_server = 1
+
+        #  Here you can choose the GID to disable server socket access for.
+        #  Remember to add the users you want server socket access disabled for to
+        #  the GID specified here.  If the sysctl option is enabled, a sysctl
+        #  option with name "socket_server_gid" is created.
+        #kernel.grsecurity.socket_server_gid = 204
+
+        #
+        # Physical Protections
+        #
+
+        #  If you say Y here, a new sysctl option with name "deny_new_usb"
+        #  will be created.  Setting its value to 1 will prevent any new
+        #  USB devices from being recognized by the OS.  Any attempted USB
+        #  device insertion will be logged.  This option is intended to be
+        #  used against custom USB devices designed to exploit vulnerabilities
+        #  in various USB device drivers.
+        #
+        #  For greatest effectiveness, this sysctl should be set after any
+        #  relevant init scripts.  This option is safe to enable in distros
+        #  as each user can choose whether or not to toggle the sysctl.
+        #kernel.grsecurity.deny_new_usb = 0
+
+        #
+        # Restrict grsec sysctl changes after this was set
+        #
+        #kernel.grsecurity.grsec_lock = 1
+
+
+
+        # End of file
+        </pre>
+
+
         <a href="index.html">Core OS Index</a>
         <p>This is part of the c9-doc Manual.
-Copyright (C) 2016
+Copyright (C) 2017
 c9 team.
 See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
 for copying conditions.</p>
 

generated by cgit-pink 1.4.1-2-gfad0 (git 2.36.2.497.gbbea4dcf42) at 2025-04-06 23:36:35 +0000