path: root/core/grsecurity.html
Diffstat (limited to 'core/grsecurity.html')
-rw-r--r--core/grsecurity.html85
1 files changed, 85 insertions, 0 deletions
diff --git a/core/grsecurity.html b/core/grsecurity.html
new file mode 100644
index 0000000..cda9bfb
--- /dev/null
+++ b/core/grsecurity.html
@@ -0,0 +1,85 @@
+<!DOCTYPE html>
+<html dir="ltr" lang="en">
+    <head>
+        <meta charset='utf-8'>
+        <title>Grsecurity</title>
+    </head>
+    <body>
+
+        <a href="index.html">Tools Index</a>
+
+        <h1>Grsecurity</h1>
+
+        <p>Grsecurity utilities are installed and configured in
+        <a href="hardening.html">hardening</a>, kernel witch grsecurity
+        patch is installed using 
+        <a href="../core/reboot.html#linux">linux port</a>.</p>
+
+
+        <h2>Special Groups</h2>
+        <pre>
+        getent group tpe >/dev/null || groupadd -g 200 tpe
+        getent group audit >/dev/null || groupadd -g 201 audit
+        getent group socket-deny-all >/dev/null || groupadd -g 202 socket-deny-all
+        getent group socket-deny-client >/dev/null || groupadd -g 203 socket-deny-client
+        getent group socket-deny-server >/dev/null || groupadd -g 204 socket-deny-server
+        </pre>
+
+        <h2>Pax</h2>
+        
+        <p>Grub uses nested functions and thus needs either PAX_EMUTRAMP enabled in the kernel and EMUTRAMP enabled on affected binaries, or if PAX_EMUTRAMP is not enabled in the kernel, needs MPROTECT disabled on affected binaries. Depending on the version of grub in use, some of the following files may not exist, but you should mark all those that exist. To add EMUTRAMP, use the '-CE' argument to paxctl. To remove MPROTECT, use '-Cm'.</p>
+
+        /usr/bin/grub-script-check
+        /usr/sbin/grub-probe
+        /usr/sbin/grub-mkdevicemap
+
+        <h2 id="gradm">Gradm</h2>
+
+        <p>Gradm is grsecurity access control lists administration utility. Gradm
+        have a 
+        <a href="https://en.wikibooks.org/wiki/Grsecurity/The_Administration_Utility#Learning_Mode">learning mode</a>
+        per-subject, per-role or system-wide. Learning mode gather information that
+        RBAC system supports, it reduces policy size, increase readability and enforces
+        that is configurable. Protected resources can be added to /etc/grsec/learn_cong
+        to learning system.</p>
+
+        <p>Entering in learning mode;</p>
+
+        <pre>
+        # gradm -F -L /etc/grsec/learning.log
+        </pre>
+
+        <p>To perform administrative tasks while system learning is running,
+        authenticate to admin role;</p>
+
+        <pre>
+        # gradm -a admin
+        </pre>
+
+        <p>When learning system have gather sufficient data disable RBAC system;</p>
+
+        <pre>
+        # gradm -D
+        </pre>
+
+        <p>Now that RBAC is disable data collected can be used to generate ACLs;</p>
+
+        <pre>
+        # gradm -F -L /etc/grsec/learning.logs -O /etc/grset/policy
+        </pre>
+
+        <p>Start RBAC with policy;</p>
+
+        <pre>
+        # gradm -E
+        </pre>
+
+        <a href="index.html">Tools Index</a>
+        <p>This is part of the c9-doc Manual.
+        Copyright (C) 2017
+        c9 team.
+        See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
+        for copying conditions.</p>
+
+    </body>
+</html>
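Review bot: the learning workflow in the Gradm section is internally inconsistent and, as written, the final `gradm -E` would not load the generated ACLs: the log is written with `# gradm -F -L /etc/grsec/learning.log` but read back as `/etc/grsec/learning.logs`, and the output path `/etc/grset/policy` is a typo for `/etc/grsec/policy`; all three commands should use the same log path and the /etc/grsec/ directory. In the same section, "/etc/grsec/learn_cong" is mistyped (the gradm learning configuration file is learn_config), the sentence "Learning mode gather information that RBAC system supports, it reduces policy size, increase readability and enforces that is configurable" is garbled and should state what learning mode produces (a policy derived from the accesses observed while it runs) and how learn_config narrows it, "When learning system have gather sufficient data" needs a grammar pass, and `gradm -a admin` presupposes an admin role password set beforehand with `gradm -P admin`, which the page never mentions. Documenting `-O /etc/grsec/policy` followed directly by `gradm -E` also skips any review of the learned policy; generating to a separate file, inspecting it, and only then replacing the live policy is the safer sequence to publish. Elsewhere in the file: "kernel witch grsecurity patch" should read "kernel with the grsecurity patch"; the Special Groups block hard-codes GIDs 200-204, which only take effect if the kernel was built with matching values in CONFIG_GRKERNSEC_TPE_GID, CONFIG_GRKERNSEC_AUDIT_GID and the CONFIG_GRKERNSEC_SOCKET_*_GID options, so that dependency belongs in the text; and the three grub paths under Pax sit as bare text outside any <pre> element and will render as a single run-on line.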