authorSilvino Silva <silvino@bk.ru>2017-02-27 21:56:53 +0000
committerSilvino Silva <silvino@bk.ru>2017-02-27 21:56:53 +0000
commit9069537d8cfe308836864ef0be7c2a1e359d5a4b (patch)
treee95e1cd05f5e82245a7e05ce18dd1038a5cc6a2c /core/sysctl.html
parent4cc6765e1332b7bbef89091a3a3d4f055a60cebf (diff)
downloaddoc-9069537d8cfe308836864ef0be7c2a1e359d5a4b.tar.gz
core and tools revision
Diffstat (limited to 'core/sysctl.html')
-rw-r--r--core/sysctl.html35
1 files changed, 17 insertions, 18 deletions
diff --git a/core/sysctl.html b/core/sysctl.html
index 4e13209..d85aca4 100644
--- a/core/sysctl.html
+++ b/core/sysctl.html
@@ -2,13 +2,13 @@
 <html dir="ltr" lang="en">
     <head>
         <meta charset='utf-8'>
-        <title>2.2.3. Sysctl</title>
+        <title>2.2.2. Sysctl</title>
     </head>
     <body>
 
         <a href="index.html">Core OS Index</a>
 
-        <h1 id="sysctl">2.2.3. Sysctl</h1>
+        <h1 id="sysctl">2.2.2. Sysctl</h1>
 
         <p>Sysctl references
         <a href="https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening">Arch TCP/IP stack hardening</a>,
@@ -51,7 +51,7 @@
         #  If you're using XFree86 or a version of Xorg from 2012 or earlier,
         #  you may not be able to boot into a graphical environment with this
         #  option enabled.  In this case, you should use the RBAC system instead.
-        kernel.grsecurity.disable_priv_io = 0
+        kernel.grsecurity.disable_priv_io = 1
 
         #  If you say Y here, attempts to bruteforce exploits against forking
         #  daemons such as apache or sshd, as well as against suid/sgid binaries
@@ -85,7 +85,7 @@
         #  symlink is the owner of the directory. users will also not be
         #  able to hardlink to files they do not own.  If the sysctl option is
         #  enabled, a sysctl option with name "linking_restrictions" is created.
-        kernel.grsecurity.linking_restrictions = 0
+        kernel.grsecurity.linking_restrictions = 1
 
 
         #  Apache's SymlinksIfOwnerMatch option has an inherent race condition
@@ -99,15 +99,15 @@
         #  will be in place for the group you specify. If the sysctl option
         #  is enabled, a sysctl option with name "enforce_symlinksifowner" is
         #  created.
-        kernel.grsecurity.enforce_symlinksifowner = 0
-        #kernel.grsecurity.symlinkown_gid = 33
+        kernel.grsecurity.enforce_symlinksifowner = 1
+        kernel.grsecurity.symlinkown_gid = 15
 
         #  if you say Y here, users will not be able to write to FIFOs they don't
         #  own in world-writable +t directories (e.g. /tmp), unless the owner of
         #  the FIFO is the same owner of the directory it's held in.  If the sysctl
         #  option is enabled, a sysctl option with name "fifo_restrictions" is
         #  created.
-        kernel.grsecurity.fifo_restrictions = 0
+        kernel.grsecurity.fifo_restrictions = 1
 
         #  If you say Y here, a sysctl option with name "romount_protect" will
         #  be created.  By setting this option to 1 at runtime, filesystems
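Review bot: `kernel.grsecurity.symlinkown_gid = 15` hard-codes a GID with nothing saying which group it is, and the value it replaces (33, commented out) is www-data on Debian-derived systems, so 15 is presumably a different distribution's web-server group. The comment above says the restriction is applied to "the group you specify", so if 15 is not the group the web server actually runs under, `enforce_symlinksifowner = 1` either protects nothing or restricts an unrelated group — confirm against `getent group` on the target. Add a line such as `#  symlinkown_gid: GID of the web server group (www-data/http/apache); verify with getent group` above the setting so the next edit does not silently break it.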
@@ -123,7 +123,7 @@
         #  and GRKERNSEC_IO should be enabled and module loading disabled via
         #  config or at runtime.
         #  This feature is mainly intended for secure embedded systems.
-        #kernel.grsecurity.romount_protect = 0
+        #kernel.grsecurity.romount_protect = 1
 
         #  if you say Y here, the capabilities on all processes within a
         #  chroot jail will be lowered to stop module insertion, raw i/o,
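Review bot: The value change on `#kernel.grsecurity.romount_protect = 1` is on a line that is still commented out, so it has no effect at runtime and the commit leaves the option disabled. If enabling it was intended, the leading `#` has to go; if it is deliberately left off — the surrounding comment says it is meant for embedded systems and depends on module loading being disabled first — say so, e.g. `#  left disabled: needs module loading turned off first; see note above`. Either way the edit as written is dead.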
@@ -239,14 +239,14 @@
         #  watch certain users instead of having a large amount of logs from the
         #  entire system.  If the sysctl option is enabled, a sysctl option with
         #  name "audit_group" is created.
-        kernel.grsecurity.audit_group = 0
+        kernel.grsecurity.audit_group = 1
 
         #  If you say Y here, the exec and chdir logging features will only operate
         #  on a group you specify.  This option is recommended if you only want to
         #  watch certain users instead of having a large amount of logs from the
         #  entire system.  If the sysctl option is enabled, a sysctl option with
         #  name "audit_group" is created.
-        #kernel.grsecurity.audit_gid = 201
+        kernel.grsecurity.audit_gid = 99
 
         #  If you say Y here, all execve() calls will be logged (since the
         #  other exec*() calls are frontends to execve(), all execution
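Review bot: `kernel.grsecurity.audit_gid = 99` turns on group-scoped exec/chdir logging for a GID that is not named anywhere; on several distributions 99 is nobody/nogroup, in which case the audit would cover almost no real user activity — confirm what 99 maps to on the target. The preceding comment block is a copy of the one for `audit_group` and does not say what `audit_gid` is, so add a line such as `#  audit_gid: GID whose members' exec()/chdir() are logged (see audit_group)`. Without it, a reader cannot tell whether 99 is intentional or a placeholder.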
@@ -274,7 +274,7 @@
         #  If you say Y here, all attempts to attach to a process via ptrace
         #  will be logged.  If the sysctl option is enabled, a sysctl option
         #  with name "audit_ptrace" is created.
-        kernel.grsecurity.audit_ptrace = 1
+        #kernel.grsecurity.audit_ptrace = 1
 
         #  If you say Y here, all attempts to attach to a process via ptrace
         #  will be logged.  If the sysctl option is enabled, a sysctl option
@@ -297,7 +297,6 @@
         #  This could suggest a fork bomb, or someone attempting to overstep
         #  their process limit.  If the sysctl option is enabled, a sysctl option
         #  with name "forkfail_logging" is created.
-        #kernel.grsecurity.forkfail_logging = 1
         kernel.grsecurity.forkfail_logging = 1
 
         #  If you say Y here, any changes of the system clock will be logged.
@@ -329,7 +328,7 @@
         kernel.grsecurity.dmesg = 1
 
         # Hide symbol addresses in /proc/kallsyms
-        #kernel.kptr_restrict = 2
+        kernel.kptr_restrict = 2
 
         #  If you say Y here, TTY sniffers and other malicious monitoring
         #  programs implemented through ptrace will be defeated.  If you
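Review bot: `kernel.kptr_restrict = 2` is now active, and the one-line comment above it does not mention that value 2 hides kernel pointers from every reader including root, which breaks perf, kprobe tooling and anything else that needs /proc/kallsyms for privileged debugging. That is the right default for a hardened host, but the trade-off should be visible in the file: `#  2 = hide from everyone, including root; use 1 if root needs kallsyms for perf/debugging`. Pair this with the `dmesg` restriction two lines up, which is already set.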
@@ -365,7 +364,7 @@
         #  same way, allowing the other threads of the process to continue
         #  running with root privileges.  If the sysctl option is enabled,
         #  a sysctl option with name "consistent_setxid" is created.
-        kernel.grsecurity.consistent_setxid = 0
+        kernel.grsecurity.consistent_setxid = 1
 
         #  If you say Y here, access to overly-permissive IPC objects (shared
         #  memory, message queues, and semaphores) will be denied for processes
@@ -383,7 +382,7 @@
         #  CAP_IPC_OWNER are still permitted to access these IPC objects.
         #  If the sysctl option is enabled, a sysctl option with name
         #  "harden_ipc" is created.
-        kernel.grsecurity.harden_ipc = 0
+        kernel.grsecurity.harden_ipc = 1
 
         #  If you say Y here, you will be able to choose a gid to add to the
         #  supplementary groups of users you want to mark as "untrusted."
@@ -391,7 +390,7 @@
         #  root-owned directories writable only by root.  If the sysctl option
         #  is enabled, a sysctl option with name "tpe" is created.
         kernel.grsecurity.tpe = 1
-        kernel.grsecurity.tpe_gid = 4
+        kernel.grsecurity.tpe_gid = 100
 
         #  If you say Y here, the group you specify in the TPE configuration will
         #  decide what group TPE restrictions will be *disabled* for.  This
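Review bot: `kernel.grsecurity.tpe_gid = 100` puts the TPE "untrusted" marker on GID 100, which on many distributions is the default `users` group, so with `tpe = 1` every ordinary account would become untrusted and be unable to execute binaries outside root-owned, root-writable-only directories. Whether that is the intent depends on `tpe_invert` (described in the comment right after this hunk; its value is outside the hunk), which flips the group's meaning to "trusted". Record the decision next to the value, e.g. `#  tpe_gid: 100 = 'users' here; with tpe_invert=0 this marks ALL regular users untrusted` — or pick a dedicated group so the policy does not change when the users group changes.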
@@ -555,13 +554,13 @@
         #  be unable to connect to other hosts from your machine or run server
         #  applications from your machine.  If the sysctl option is enabled, a
         #  sysctl option with name "socket_all" is created.
-        kernel.grsecurity.socket_all = 0
+        kernel.grsecurity.socket_all = 1
 
         #  Here you can choose the GID to disable socket access for. Remember to
         #  add the users you want socket access disabled for to the GID
         #  specified here.  If the sysctl option is enabled, a sysctl option
         #  with name "socket_all_gid" is created.
-        #kernel.grsecurity.socket_all_gid = 202
+        kernel.grsecurity.socket_all_gid = 200
 
         #  If you say Y here, you will be able to choose a GID of whose users will
         #  be unable to connect to other hosts from your machine, but will be
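Review bot: `kernel.grsecurity.socket_all_gid = 200` enables the socket deny for a GID that is not named or created anywhere in this change, so if no group with GID 200 exists on the host the restriction presumably applies to nobody, and if one does exist its members lose all network access, which the comment above warns is total (no clients, no servers). Document the group the number stands for and that it must exist, e.g. `#  socket_all_gid: members of GID 200 (nosocket) get no network; create the group before enabling`, so the setting is checkable rather than a magic number.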