about summary refs log tree commit diff stats
path: root/core/grsecurity.html
diff options
context:
space:
mode:
Diffstat (limited to 'core/grsecurity.html')
-rw-r--r--core/grsecurity.html247
1 files changed, 232 insertions, 15 deletions
diff --git a/core/grsecurity.html b/core/grsecurity.html
index adfd292..30ee28c 100644
--- a/core/grsecurity.html
+++ b/core/grsecurity.html
@@ -2,31 +2,248 @@
 <html dir="ltr" lang="en">
     <head>
         <meta charset='utf-8'>
-        <title>Grsecurity</title>
+        <title>2.2.1. Grsecurity</title>
     </head>
     <body>
 
         <a href="index.html">Core OS Index</a>
 
-        <h1>Grsecurity</h1>
+        <h1>2.2.1. Grsecurity</h1>
 
-        <p>Grsecurity utilities are installed and configured in
-        <a href="hardening.html">hardening</a>, kernel witch grsecurity
-        patch is installed using 
-        <a href="../core/reboot.html#linux">linux port</a>.</p>
+        <p>Install grsecurity <a href="hardening.html">utilities</a>, kernel
+        configuration is based on
+        <a href="../core/reboot.html#linux">port kernel</a>, for manual
+        configuration check <a href="linux.html">linux kernel</a>. Configuration
+        is not enable by default, groups with special permissions and other
+        protections are set with <a href="sysctl.html">sysctl.html</a>;</p>
 
+        <dl>
+
+        <dt>proc</dt>
+        <dd>GID 4 - adm group</dd>
+        <dd>If you say Y here, you will be able to select a group that will be
+        able to view all processes and network-related information.
+        GRKERNSEC_HIDESYM is enabled, kernel and symbol information may still
+        remain hidden.</dd>
+
+        <dt>symlinks owner match</dt>
+        <dd>GID 15 - www group</dd>
+        <dd>Kernel-enforced SymlinksIfOwnerMatch group.</dd>
+
+        <dt>group for auditing</dt>
+        <dd>GID 99 - nobody group</dd>
+        <dd>This option is recommended if you only want to watch certain
+        users exec and chdir logging features instead of having a large
+        amount of logs from the entire system</dd>
+
+        <dt>tpe</dt>
+        <dd>GID 100 - users</dd>
+        <dd>Supplementary groups of users you want to mark as "untrusted".
+        Invert gid option causes to not apply tpe protection to this group,
+        allowing to build software with partially restrict all non-root users
+        enable.</dd>
+
+        <dt>socket all</dt>
+        <dd>GID 200 - non existent</dd>
+        <dd>Deny sockets to this group.</dd>
+
+        <dt>socket client</dt>
+        <dd>GID 15 - www group</dd>
+        <dd>Deny client sockets to this group.</dd>
+
+        <dt>socket server</dt>
+        <dd>GID 99 - nobody group</dd>
+        <dd>Deny server sockets to this group.</dd>
+
+        </dl>
+
+        <p>Kernel configuration related to grsecurity;</p>
 
-        <h2>Special Groups</h2>
         <pre>
-        getent group tpe >/dev/null || groupadd -g 200 tpe
-        getent group audit >/dev/null || groupadd -g 201 audit
-        getent group socket-deny-all >/dev/null || groupadd -g 202 socket-deny-all
-        getent group socket-deny-client >/dev/null || groupadd -g 203 socket-deny-client
-        getent group socket-deny-server >/dev/null || groupadd -g 204 socket-deny-server
+        #
+        # Grsecurity
+        #
+        CONFIG_PAX_PER_CPU_PGD=y
+        CONFIG_TASK_SIZE_MAX_SHIFT=42
+        CONFIG_GRKERNSEC=y
+        # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
+        CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
+        CONFIG_GRKERNSEC_PROC_GID=4
+        CONFIG_GRKERNSEC_TPE_TRUSTED_GID=100
+        CONFIG_GRKERNSEC_SYMLINKOWN_GID=15
+
+        #
+        # PaX
+        #
+        CONFIG_PAX=y
+
+        #
+        # PaX Control
+        #
+        # CONFIG_PAX_SOFTMODE is not set
+        # CONFIG_PAX_EI_PAX is not set
+        CONFIG_PAX_PT_PAX_FLAGS=y
+        CONFIG_PAX_XATTR_PAX_FLAGS=y
+        # CONFIG_PAX_NO_ACL_FLAGS is not set
+        CONFIG_PAX_HAVE_ACL_FLAGS=y
+        # CONFIG_PAX_HOOK_ACL_FLAGS is not set
+
+        #
+        # Non-executable pages
+        #
+        CONFIG_PAX_NOEXEC=y
+        CONFIG_PAX_PAGEEXEC=y
+        CONFIG_PAX_EMUTRAMP=y
+        CONFIG_PAX_MPROTECT=y
+        # CONFIG_PAX_MPROTECT_COMPAT is not set
+        # CONFIG_PAX_ELFRELOCS is not set
+        CONFIG_PAX_KERNEXEC=y
+        CONFIG_PAX_KERNEXEC_PLUGIN=y
+        # CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_NONE is not set
+        CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
+
+        #
+        # Address Space Layout Randomization
+        #
+        CONFIG_PAX_ASLR=y
+        CONFIG_PAX_RANDKSTACK=y
+        CONFIG_PAX_RANDUSTACK=y
+        CONFIG_PAX_RANDMMAP=y
+
+        #
+        # Miscellaneous hardening features
+        #
+        CONFIG_PAX_MEMORY_SANITIZE=y
+        CONFIG_PAX_MEMORY_STACKLEAK=y
+        CONFIG_PAX_MEMORY_STRUCTLEAK=y
+        CONFIG_PAX_MEMORY_UDEREF=y
+        CONFIG_PAX_REFCOUNT=y
+        CONFIG_PAX_USERCOPY=y
+        CONFIG_PAX_CONSTIFY_PLUGIN=y
+        # CONFIG_PAX_USERCOPY_DEBUG is not set
+        CONFIG_PAX_SIZE_OVERFLOW=y
+        CONFIG_PAX_SIZE_OVERFLOW_EXTRA=y
+        # CONFIG_PAX_INITIFY is not set
+        CONFIG_HAVE_PAX_INITIFY_INIT_EXIT=y
+        CONFIG_PAX_LATENT_ENTROPY=y
+        CONFIG_PAX_RAP=y
+
+        #
+        # Memory Protections
+        #
+        CONFIG_GRKERNSEC_KMEM=y
+        CONFIG_GRKERNSEC_IO=y
+        CONFIG_GRKERNSEC_BPF_HARDEN=y
+        CONFIG_GRKERNSEC_PERF_HARDEN=y
+        CONFIG_GRKERNSEC_RAND_THREADSTACK=y
+        CONFIG_GRKERNSEC_PROC_MEMMAP=y
+        CONFIG_GRKERNSEC_KSTACKOVERFLOW=y
+        CONFIG_GRKERNSEC_BRUTE=y
+        CONFIG_GRKERNSEC_MODHARDEN=y
+        CONFIG_GRKERNSEC_HIDESYM=y
+        CONFIG_GRKERNSEC_RANDSTRUCT=y
+        CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y
+        CONFIG_GRKERNSEC_KERN_LOCKOUT=y
+
+        #
+        # Role Based Access Control Options
+        #
+        # CONFIG_GRKERNSEC_NO_RBAC is not set
+        CONFIG_GRKERNSEC_ACL_HIDEKERN=y
+        CONFIG_GRKERNSEC_ACL_MAXTRIES=3
+        CONFIG_GRKERNSEC_ACL_TIMEOUT=30
+
+        #
+        # Filesystem Protections
+        #
+        CONFIG_GRKERNSEC_PROC=y
+        # CONFIG_GRKERNSEC_PROC_USER is not set
+        CONFIG_GRKERNSEC_PROC_USERGROUP=y
+        CONFIG_GRKERNSEC_PROC_ADD=y
+        CONFIG_GRKERNSEC_LINK=y
+        CONFIG_GRKERNSEC_SYMLINKOWN=y
+        CONFIG_GRKERNSEC_FIFO=y
+        # CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
+        CONFIG_GRKERNSEC_ROFS=y
+        CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
+        CONFIG_GRKERNSEC_CHROOT=y
+        CONFIG_GRKERNSEC_CHROOT_MOUNT=y
+        CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
+        CONFIG_GRKERNSEC_CHROOT_PIVOT=y
+        CONFIG_GRKERNSEC_CHROOT_CHDIR=y
+        CONFIG_GRKERNSEC_CHROOT_CHMOD=y
+        CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
+        CONFIG_GRKERNSEC_CHROOT_MKNOD=y
+        CONFIG_GRKERNSEC_CHROOT_SHMAT=y
+        CONFIG_GRKERNSEC_CHROOT_UNIX=y
+        CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
+        CONFIG_GRKERNSEC_CHROOT_NICE=y
+        CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
+        CONFIG_GRKERNSEC_CHROOT_RENAME=y
+        CONFIG_GRKERNSEC_CHROOT_CAPS=y
+        CONFIG_GRKERNSEC_CHROOT_INITRD=y
+
+        #
+        # Kernel Auditing
+        #
+        CONFIG_GRKERNSEC_AUDIT_GROUP=y
+        CONFIG_GRKERNSEC_AUDIT_GID=99
+        CONFIG_GRKERNSEC_EXECLOG=y
+        CONFIG_GRKERNSEC_RESLOG=y
+        CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
+        CONFIG_GRKERNSEC_AUDIT_PTRACE=y
+        CONFIG_GRKERNSEC_AUDIT_CHDIR=y
+        CONFIG_GRKERNSEC_AUDIT_MOUNT=y
+        CONFIG_GRKERNSEC_SIGNAL=y
+        CONFIG_GRKERNSEC_FORKFAIL=y
+        CONFIG_GRKERNSEC_TIME=y
+        CONFIG_GRKERNSEC_PROC_IPADDR=y
+        CONFIG_GRKERNSEC_RWXMAP_LOG=y
+
+        #
+        # Executable Protections
+        #
+        CONFIG_GRKERNSEC_DMESG=y
+        CONFIG_GRKERNSEC_HARDEN_PTRACE=y
+        CONFIG_GRKERNSEC_PTRACE_READEXEC=y
+        CONFIG_GRKERNSEC_SETXID=y
+        CONFIG_GRKERNSEC_HARDEN_IPC=y
+        CONFIG_GRKERNSEC_HARDEN_TTY=y
+        CONFIG_GRKERNSEC_TPE=y
+        CONFIG_GRKERNSEC_TPE_ALL=y
+        CONFIG_GRKERNSEC_TPE_INVERT=y
+        CONFIG_GRKERNSEC_TPE_GID=100
+
+        #
+        # Network Protections
+        #
+        CONFIG_GRKERNSEC_BLACKHOLE=y
+        CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
+        CONFIG_GRKERNSEC_SOCKET=y
+        CONFIG_GRKERNSEC_SOCKET_ALL=y
+        CONFIG_GRKERNSEC_SOCKET_ALL_GID=200
+        CONFIG_GRKERNSEC_SOCKET_CLIENT=y
+        CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=15
+        CONFIG_GRKERNSEC_SOCKET_SERVER=y
+        CONFIG_GRKERNSEC_SOCKET_SERVER_GID=99
+
+        #
+        # Physical Protections
+        #
+        CONFIG_GRKERNSEC_DENYUSB=y
+        # CONFIG_GRKERNSEC_DENYUSB_FORCE is not set
+
+        #
+        # Sysctl Support
+        #
+        CONFIG_GRKERNSEC_SYSCTL=y
+        CONFIG_GRKERNSEC_SYSCTL_DISTRO=y
+        # CONFIG_GRKERNSEC_SYSCTL_ON is not set
+
         </pre>
 
-        <h2>Pax</h2>
-        
+        <h2 id="pax">Pax</h2>
+
         <p>Grub uses nested functions and thus needs either PAX_EMUTRAMP enabled in the kernel and EMUTRAMP enabled on affected binaries, or if PAX_EMUTRAMP is not enabled in the kernel, needs MPROTECT disabled on affected binaries. Depending on the version of grub in use, some of the following files may not exist, but you should mark all those that exist. To add EMUTRAMP, use the '-CE' argument to paxctl. To remove MPROTECT, use '-Cm'.</p>
 
         /usr/bin/grub-script-check
@@ -36,7 +253,7 @@
         <h2 id="gradm">Gradm</h2>
 
         <p>Gradm is grsecurity access control lists administration utility. Gradm
-        have a 
+        have a
         <a href="https://en.wikibooks.org/wiki/Grsecurity/The_Administration_Utility#Learning_Mode">learning mode</a>
         per-subject, per-role or system-wide. Learning mode gather information that
         RBAC system supports, it reduces policy size, increase readability and enforces
generated by cgit-pink 1.4.1-2-gfad0 (git 2.36.2.497.gbbea4dcf42) at 2024-11-09 09:55:15 +0000