Diffstat (limited to 'app-admin/grsecurity-scripts/files/sysctl.conf')
-rw-r--r-- | app-admin/grsecurity-scripts/files/sysctl.conf | 88 |
1 files changed, 88 insertions, 0 deletions
diff --git a/app-admin/grsecurity-scripts/files/sysctl.conf b/app-admin/grsecurity-scripts/files/sysctl.conf
new file mode 100644
index 0000000..f32a9e6
--- /dev/null
+++ b/app-admin/grsecurity-scripts/files/sysctl.conf
@@ -0,0 +1,88 @@
+#
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: $
+#
+# Created by Wolfram Schlich <wschlich@gentoo.org>
+# Feedback is greatly appreciated!
+#
+
+##
+## GRsecurity sysctl options
+##
+
+#
+# Misc Restrictions
+#
+
+#kernel.grsecurity.execve_limiting = 1
+#kernel.grsecurity.fifo_restrictions = 1
+#kernel.grsecurity.linking_restrictions = 1
+#kernel.grsecurity.dmesg = 1
+
+#
+# Misc Protections
+#
+
+#kernel.grsecurity.destroy_unused_shm = 1
+
+#
+# Socket Restrictions
+#
+
+#kernel.grsecurity.socket_server_gid = 1002
+#kernel.grsecurity.socket_server = 1
+#kernel.grsecurity.socket_client_gid = 1003
+#kernel.grsecurity.socket_client = 1
+#kernel.grsecurity.socket_all_gid = 1004
+#kernel.grsecurity.socket_all = 1
+
+#
+# Trusted Path Execution
+#
+
+#kernel.grsecurity.tpe_gid = 1005
+#kernel.grsecurity.tpe = 1
+
+#
+# Chroot Restrictions
+#
+
+#kernel.grsecurity.chroot_findtask = 1
+#kernel.grsecurity.chroot_deny_sysctl = 1
+#kernel.grsecurity.chroot_caps = 1
+#kernel.grsecurity.chroot_execlog = 1
+#kernel.grsecurity.chroot_restrict_nice = 1
+#kernel.grsecurity.chroot_deny_mknod = 1
+#kernel.grsecurity.chroot_deny_chmod = 1
+#kernel.grsecurity.chroot_enforce_chdir = 1
+#kernel.grsecurity.chroot_deny_pivot = 1
+#kernel.grsecurity.chroot_deny_chroot = 1
+#kernel.grsecurity.chroot_deny_fchdir = 1
+#kernel.grsecurity.chroot_deny_mount = 1
+#kernel.grsecurity.chroot_deny_unix = 1
+#kernel.grsecurity.chroot_deny_shmat = 1
+
+#
+# Auditing & Logging
+#
+
+kernel.grsecurity.audit_ipc = 1
+kernel.grsecurity.audit_mount = 1
+
+kernel.grsecurity.forkfail_logging = 1
+kernel.grsecurity.resource_logging = 1
+kernel.grsecurity.signal_logging = 1
+kernel.grsecurity.timechange_logging = 1
+
+#
+# Disable the loading of modules
+#
+
+#kernel.grsecurity.disable_modules = 1
+
+#
+# Finally lock the sysctl settings
+#
+
+#kernel.grsecurity.grsec_lock = 1 |
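Review bot: The six audit/logging keys in the "Auditing & Logging" section are the only live settings, and `grsec_lock` at the end of the file ships commented out, so as far as I understand grsecurity's sysctl interface any root-level process can write them back to 0 after boot and the logging stops with no trace in this file. The lock section should say so explicitly, e.g. `# Until grsec_lock = 1 is set, every kernel.grsecurity.* value above can still be changed at runtime;` / `# once set, nothing can be changed again until reboot, so keep this the last entry.` The `disable_modules` section would benefit from a similar one-line caveat that it has to be applied only after all needed modules are loaded. The GIDs 1002–1005 in the socket and TPE sections are site-specific examples and should be labelled as such (`# example GID, replace with a group that exists on this host`), because uncommenting the enable flag with a GID that maps to an unrelated group applies the restriction to the wrong users.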