authorSilvino Silva <silvino@bk.ru>2017-02-25 18:40:03 +0000
committerSilvino Silva <silvino@bk.ru>2017-02-25 18:40:03 +0000
commitd26a4e12deafade205d37a9fda748a6b78dfdb6a (patch)
tree2ed6d8ca57e6c095748eeb99c811cf9d038ad1af /core/linux.html
parent7ecd18da2b5518296bdb366234fb04a1e46335e8 (diff)
downloaddoc-d26a4e12deafade205d37a9fda748a6b78dfdb6a.tar.gz
overall revision
Diffstat (limited to 'core/linux.html')
-rw-r--r--core/linux.html71
1 files changed, 34 insertions, 37 deletions
diff --git a/core/linux.html b/core/linux.html
index 903d9e2..888b916 100644
--- a/core/linux.html
+++ b/core/linux.html
@@ -164,9 +164,8 @@
 
         kernel.printk = 7 1 1 4
         kernel.randomize_va_space = 2
-        kernel.kptr_restrict = 2
         # Shared Memory
-        kernel.shmmax = 500000000
+        #kernel.shmmax = 500000000
         # Total allocated file handlers that can be allocated
         # fs.file-nr=
         vm.mmap_min_addr=65536
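Review bot: After this hunk and the later one at `@@ -469,7 +465,7 @@`, the file no longer contains an active `kernel.kptr_restrict` line: the duplicate at line 164 (value 2) is dropped here, and the surviving one under `# Hide symbol addresses in /proc/kallsyms` (old value 1) is turned into the comment `#kernel.kptr_restrict = 2`, so the kernel default applies and that heading now describes a setting that is not set. The two old lines did conflict (the later one wins when sysctl processes the file), so consolidating is right, but the result should be one active line, `kernel.kptr_restrict = 2`, kept under the heading. If leaving it at the kernel default is intended, the heading should say so instead.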
@@ -188,7 +187,6 @@
         #  If you're using XFree86 or a version of Xorg from 2012 or earlier,
         #  you may not be able to boot into a graphical environment with this
         #  option enabled.  In this case, you should use the RBAC system instead.
-        #kernel.grsecurity.disable_priv_io = 1
         kernel.grsecurity.disable_priv_io = 0
 
         #  If you say Y here, attempts to bruteforce exploits against forking
@@ -207,7 +205,7 @@
         #  signal.
         #  If the sysctl option is enabled, a sysctl option with name
         #  "deter_bruteforce" is created.
-        #kernel.grsecurity.deter_bruteforce = 1
+        kernel.grsecurity.deter_bruteforce = 1
 
         #
         # Filesystem Protections
@@ -223,7 +221,7 @@
         #  symlink is the owner of the directory. users will also not be
         #  able to hardlink to files they do not own.  If the sysctl option is
         #  enabled, a sysctl option with name "linking_restrictions" is created.
-        kernel.grsecurity.linking_restrictions = 1
+        kernel.grsecurity.linking_restrictions = 0
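Review bot: `kernel.grsecurity.linking_restrictions = 0` switches off the protection the comment directly above describes (symlink following and hardlinking restricted to owners), and the same pattern repeats in the following hunks for `enforce_symlinksifowner`, `fifo_restrictions`, `consistent_setxid` and `harden_ipc`, each set to 0 with no reason given while the commit message offers no rationale either. A reader who copies this example gets a weaker profile than the surrounding comments lead them to expect, and the `consistent_setxid` comment in particular describes the risk being accepted (other threads continuing with root privileges). Either restore these to 1 or put a one-line comment above each explaining why it is off, e.g. `# disabled: breaks <application name — TODO fill in>`.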
 
 
         #  Apache's SymlinksIfOwnerMatch option has an inherent race condition
@@ -237,7 +235,7 @@
         #  will be in place for the group you specify. If the sysctl option
         #  is enabled, a sysctl option with name "enforce_symlinksifowner" is
         #  created.
-        #kernel.grsecurity.enforce_symlinksifowner = 1
+        kernel.grsecurity.enforce_symlinksifowner = 0
         #kernel.grsecurity.symlinkown_gid = 33
 
         #  if you say Y here, users will not be able to write to FIFOs they don't
@@ -245,7 +243,7 @@
         #  the FIFO is the same owner of the directory it's held in.  If the sysctl
         #  option is enabled, a sysctl option with name "fifo_restrictions" is
         #  created.
-        #kernel.grsecurity.fifo_restrictions = 1
+        kernel.grsecurity.fifo_restrictions = 0
 
         #  If you say Y here, a sysctl option with name "romount_protect" will
         #  be created.  By setting this option to 1 at runtime, filesystems
@@ -280,14 +278,14 @@
         #  against another published method of breaking a chroot.  If the sysctl
         #  option is enabled, a sysctl option with name "chroot_deny_chmod" is
         #  created.
-        kernel.grsecurity.chroot_deny_chmod     = 1
+        kernel.grsecurity.chroot_deny_chmod = 1
 
         #  If you say Y here, processes inside a chroot will not be able to chroot
         #  again outside the chroot.  This is a widely used method of breaking
         #  out of a chroot jail and should not be allowed.  If the sysctl
         #  option is enabled, a sysctl option with name
         #  "chroot_deny_chroot" is created.
-        kernel.grsecurity.chroot_deny_chroot    = 1
+        kernel.grsecurity.chroot_deny_chroot = 1
 
         #  If you say Y here, a well-known method of breaking chroots by fchdir'ing
         #  to a file descriptor of the chrooting process that points to a directory
@@ -400,7 +398,7 @@
         #  limit.  It is highly recommended that you say Y here.  If the sysctl
         #  option is enabled, a sysctl option with name "resource_logging" is
         #  created.  If the RBAC system is enabled, the sysctl value is ignored.
-        #kernel.grsecurity.resource_logging = 1
+        kernel.grsecurity.resource_logging = 1
 
         #  If you say Y here, all executions inside a chroot jail will be logged
         #  to syslog.  This can cause a large amount of logs if certain
@@ -412,8 +410,7 @@
         #  If you say Y here, all attempts to attach to a process via ptrace
         #  will be logged.  If the sysctl option is enabled, a sysctl option
         #  with name "audit_ptrace" is created.
-        #kernel.grsecurity.audit_ptrace = 1
-        kernel.grsecurity.audit_ptrace = 0
+        kernel.grsecurity.audit_ptrace = 1
 
         #  If you say Y here, all attempts to attach to a process via ptrace
         #  will be logged.  If the sysctl option is enabled, a sysctl option
@@ -423,27 +420,26 @@
         #  If you say Y here, all mounts and unmounts will be logged.  If the
         #  sysctl option is enabled, a sysctl option with name "audit_mount" is
         #  created.
-        #kernel.grsecurity.audit_mount = 1
-        kernel.grsecurity.audit_mount = 0
+        kernel.grsecurity.audit_mount = 1
 
         #  If you say Y here, certain important signals will be logged, such as
         #  SIGSEGV, which will as a result inform you of when a error in a program
         #  occurred, which in some cases could mean a possible exploit attempt.
         #  If the sysctl option is enabled, a sysctl option with name
         #  "signal_logging" is created.
-        kernel.grsecurity.signal_logging = 0
+        kernel.grsecurity.signal_logging = 1
 
         #  If you say Y here, all failed fork() attempts will be logged.
         #  This could suggest a fork bomb, or someone attempting to overstep
         #  their process limit.  If the sysctl option is enabled, a sysctl option
         #  with name "forkfail_logging" is created.
         #kernel.grsecurity.forkfail_logging = 1
-        kernel.grsecurity.forkfail_logging = 0
+        kernel.grsecurity.forkfail_logging = 1
 
         #  If you say Y here, any changes of the system clock will be logged.
         #  If the sysctl option is enabled, a sysctl option with name
         #  "timechange_logging" is created.
-        #kernel.grsecurity.timechange_logging = 1
+        kernel.grsecurity.timechange_logging = 1
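Review bot: The now-active `kernel.grsecurity.forkfail_logging = 1` keeps an identical commented line directly above it, whereas the `audit_ptrace` and `audit_mount` changes in this commit drop theirs; remove `#kernel.grsecurity.forkfail_logging = 1` for consistency. Turning on `signal_logging`, `forkfail_logging`, `timechange_logging` and, in the next hunk, `rwxmap_logging` alongside the audit options is reasonable for a hardened host, but it is likely to raise syslog volume noticeably, so a short comment in this section pointing readers at log rotation and at which entries are worth alerting on would help.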
 
         #  if you say Y here, calls to mmap() and mprotect() with explicit
         #  usage of PROT_WRITE and PROT_EXEC together will be logged when
@@ -452,7 +448,7 @@
         #  is enabled on a binary, like textrels and PT_GNU_STACK.  If the
         #  sysctl option is enabled, a sysctl option with name "rwxmap_logging"
         #  is created.
-        #kernel.grsecurity.rwxmap_logging = 1
+        kernel.grsecurity.rwxmap_logging = 1
 
         #
         # Executable Protections
@@ -469,7 +465,7 @@
         kernel.grsecurity.dmesg = 1
 
         # Hide symbol addresses in /proc/kallsyms
-        kernel.kptr_restrict = 1
+        #kernel.kptr_restrict = 2
 
         #  If you say Y here, TTY sniffers and other malicious monitoring
         #  programs implemented through ptrace will be defeated.  If you
@@ -505,7 +501,7 @@
         #  same way, allowing the other threads of the process to continue
         #  running with root privileges.  If the sysctl option is enabled,
         #  a sysctl option with name "consistent_setxid" is created.
-        #kernel.grsecurity.consistent_setxid = 1
+        kernel.grsecurity.consistent_setxid = 0
 
         #  If you say Y here, access to overly-permissive IPC objects (shared
         #  memory, message queues, and semaphores) will be denied for processes
@@ -523,7 +519,7 @@
         #  CAP_IPC_OWNER are still permitted to access these IPC objects.
         #  If the sysctl option is enabled, a sysctl option with name
         #  "harden_ipc" is created.
-        kernel.grsecurity.harden_ipc = 1
+        kernel.grsecurity.harden_ipc = 0
 
         #  If you say Y here, you will be able to choose a gid to add to the
         #  supplementary groups of users you want to mark as "untrusted."
@@ -531,7 +527,7 @@
         #  root-owned directories writable only by root.  If the sysctl option
         #  is enabled, a sysctl option with name "tpe" is created.
         kernel.grsecurity.tpe = 1
-        kernel.grsecurity.tpe_gid = 101
+        kernel.grsecurity.tpe_gid = 4
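Review bot: The new numeric GIDs here (`tpe_gid = 4`) and in the socket hunks further down (`socket_client_gid = 15`, `socket_server_gid = 99`) are not explained, and low numbers like these usually belong to pre-existing system groups whose names differ between distributions, so a reader cannot tell which accounts are meant. Because `socket_client` and `socket_server` are switched on in the same commit, every member of those two groups loses client or server socket access; if 99 is the `nobody` group on the target system, services running under it could no longer listen, which is worth confirming. Name the intended group on a comment line above each value (trailing comments are not safe in sysctl.conf), e.g. `# tpe_gid 4 = <group name — TODO confirm on target distribution>`.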
 
         #  If you say Y here, the group you specify in the TPE configuration will
         #  decide what group TPE restrictions will be *disabled* for.  This
@@ -550,10 +546,11 @@
         #  world-writable, or in directories owned by root and writable only by
         #  root.  If the sysctl option is enabled, a sysctl option with name
         #  "tpe_restrict_all" is created.
-        kernel.grsecurity.tpe_restrict_all = 0
+        kernel.grsecurity.tpe_restrict_all = 1
 
 
-        #kernel.grsecurity.harden_tty = 1
+        kernel.grsecurity.harden_tty = 1
+
         #
         # Network Protections
         #
@@ -687,14 +684,14 @@
         #  "tcp_retries1" and "tcp_retries2".  The default value of 4
         #  prevents a socket from lasting more than 45 seconds in LAST_ACK
         #  state.
-        #kernel.grsecurity.ip_blackhole = 1
-        #kernel.grsecurity.lastack_retries = 4
+        kernel.grsecurity.ip_blackhole = 1
+        kernel.grsecurity.lastack_retries = 4
 
         #  If you say Y here, you will be able to choose a GID of whose users will
         #  be unable to connect to other hosts from your machine or run server
         #  applications from your machine.  If the sysctl option is enabled, a
         #  sysctl option with name "socket_all" is created.
-        #kernel.grsecurity.socket_all = 1
+        kernel.grsecurity.socket_all = 0
 
         #  Here you can choose the GID to disable socket access for. Remember to
         #  add the users you want socket access disabled for to the GID
@@ -708,13 +705,13 @@
         #  you specify will have to use passive mode when initiating ftp transfers
         #  from the shell on your machine.  If the sysctl option is enabled, a
         #  sysctl option with name "socket_client" is created.
-        #kernel.grsecurity.socket_client = 1
+        kernel.grsecurity.socket_client = 1
 
         #  Here you can choose the GID to disable client socket access for.
         #  Remember to add the users you want client socket access disabled for to
         #  the GID specified here.  If the sysctl option is enabled, a sysctl
         #  option with name "socket_client_gid" is created.
-        #kernel.grsecurity.socket_client_gid = 203
+        kernel.grsecurity.socket_client_gid = 15
 
         #  If you say Y here, you will be able to choose a GID of whose users will
         #  be unable to connect to other hosts from your machine, but will be
@@ -722,13 +719,13 @@
         #  you specify will have to use passive mode when initiating ftp transfers
         #  from the shell on your machine.  If the sysctl option is enabled, a
         #  sysctl option with name "socket_client" is created.
-        #kernel.grsecurity.socket_server = 1
+        kernel.grsecurity.socket_server = 1
 
         #  Here you can choose the GID to disable server socket access for.
         #  Remember to add the users you want server socket access disabled for to
         #  the GID specified here.  If the sysctl option is enabled, a sysctl
         #  option with name "socket_server_gid" is created.
-        #kernel.grsecurity.socket_server_gid = 204
+        kernel.grsecurity.socket_server_gid = 99
 
         #
         # Physical Protections
@@ -744,12 +741,12 @@
         #  For greatest effectiveness, this sysctl should be set after any
         #  relevant init scripts.  This option is safe to enable in distros
         #  as each user can choose whether or not to toggle the sysctl.
-        #kernel.grsecurity.deny_new_usb = 0
+        kernel.grsecurity.deny_new_usb = 0
 
         #
         # Restrict grsec sysctl changes after this was set
         #
-        #kernel.grsecurity.grsec_lock = 1
+        kernel.grsecurity.grsec_lock = 0
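Review bot: `kernel.grsecurity.grsec_lock = 0` is now an active line under a heading that says the file restricts grsec sysctl changes, but nothing tells the reader that the lock is meant to be the last setting applied and that, as I understand the upstream documentation, it cannot be cleared again until reboot once set to 1. Similarly `deny_new_usb = 0` is activated although the comment a few lines up says the sysctl should be set after the relevant init scripts, i.e. from a late boot step rather than from this file. Suggest extending the heading to `# Set to 1 as the very last line once the profile is final; after that the grsecurity sysctls above cannot be changed until reboot` and adding above deny_new_usb `# leave 0 here; set to 1 from a late init script if wanted`.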
 
         # End of file
         </pre>
@@ -757,10 +754,10 @@
 
         <a href="index.html">Core OS Index</a>
         <p>This is part of the c9-doc Manual.
-Copyright (C) 2017
-c9 team.
-See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
-for copying conditions.</p>
+        Copyright (C) 2017
+        c9 team.
+        See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
+        for copying conditions.</p>
 
     </body>
 </html>