Grsecurity utilities are installed and configured in hardening; the kernel with the grsecurity patch is installed using the linux port.
getent group tpe >/dev/null || groupadd -g 200 tpe
getent group audit >/dev/null || groupadd -g 201 audit
getent group socket-deny-all >/dev/null || groupadd -g 202 socket-deny-all
getent group socket-deny-client >/dev/null || groupadd -g 203 socket-deny-client
getent group socket-deny-server >/dev/null || groupadd -g 204 socket-deny-server
Grub uses nested functions and thus needs either PAX_EMUTRAMP enabled in the kernel and EMUTRAMP enabled on affected binaries, or if PAX_EMUTRAMP is not enabled in the kernel, needs MPROTECT disabled on affected binaries. Depending on the version of grub in use, some of the following files may not exist, but you should mark all those that exist. To add EMUTRAMP, use the '-CE' argument to paxctl. To remove MPROTECT, use '-Cm'.
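One way to script this marking so that missing files are skipped and the flag follows the kernel configuration. This is an added example, not part of the c9-doc manual; the function names, the PAXCTL override and the kernel config path are assumptions.

```shell
#!/bin/sh
# Added example: apply the PaX marking described above to the grub binaries.
# PAXCTL can be overridden so the logic can be exercised without paxctl.
PAXCTL=${PAXCTL:-paxctl}

# Choose the flag from a plain-text kernel config file ($1).
# Prints -CE if PAX_EMUTRAMP is built in, -Cm otherwise.
# Fails instead of guessing when the config cannot be read, because the
# fallback (-Cm) switches MPROTECT off on the binary.
pax_flag_for_grub() {
    if [ ! -r "$1" ]; then
        echo "cannot read kernel config: $1" >&2
        return 2
    fi
    if grep -q '^CONFIG_PAX_EMUTRAMP=y$' "$1"; then
        echo "-CE"
    else
        echo "-Cm"
    fi
}

# Apply flag $1 to each remaining argument that exists as a regular file.
# Prints the number of files marked; stops at the first paxctl failure.
mark_grub_binaries() {
    flag=$1
    shift
    marked=0
    for f in "$@"; do
        if [ -f "$f" ]; then
            "$PAXCTL" "$flag" "$f" || return 1
            marked=$((marked + 1))
        else
            echo "skip, not present: $f" >&2
        fi
    done
    echo "$marked"
}

# Usage (as root); the config path is an assumption for your system:
#   flag=$(pax_flag_for_grub "/boot/config-$(uname -r)") &&
#   mark_grub_binaries "$flag" /usr/bin/grub-script-check \
#       /usr/sbin/grub-probe /usr/sbin/grub-mkdevicemap
```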
/usr/bin/grub-script-check
/usr/sbin/grub-probe
/usr/sbin/grub-mkdevicemap
Gradm is the grsecurity access control list administration utility. Gradm has a learning mode that can run per-subject, per-role or system-wide. Learning mode gathers the information that the RBAC system supports; it reduces policy size, increases readability, and what it enforces is configurable. Protected resources can be added to /etc/grsec/learn_config for the learning system.
Enter learning mode:
# gradm -F -L /etc/grsec/learning.log
To perform administrative tasks while system learning is running, authenticate to the admin role:
# gradm -a admin
When the learning system has gathered sufficient data, disable the RBAC system:
# gradm -D
Now that RBAC is disabled, the collected data can be used to generate ACLs:
# gradm -F -L /etc/grsec/learning.log -O /etc/grsec/policy
Start RBAC with the generated policy:
# gradm -E
This is part of the c9-doc Manual. Copyright (C) 2017 c9 team. See the file Gnu Free Documentation License for copying conditions.