# grsecurity sysctl toggles.
#
# Note: chpax support has been removed from this init script.
# Configure /etc/conf.d/chpax instead.

# Check your running kernel for the options it actually supports; only
# those can be listed in ENABLED below:
# "sysctl -a | grep kernel.grsecurity. | cut -d '.' -f 3  | awk '{print $1}'"
# 
# Some of the kernel options may be:
#
# allow_ptrace_group
# alt_ipc_perms
# altered_pings
# audit_chdir
# audit_gid
# audit_group
# audit_ipc
# audit_mount
# audit_ptrace
# chroot_caps
# chroot_deny_chdir
# chroot_deny_chmod
# chroot_deny_chroot
# chroot_deny_fchdir
# chroot_deny_mknod
# chroot_deny_mount
# chroot_deny_pivot
# chroot_deny_ptrace
# chroot_deny_shmat
# chroot_deny_sysctl
# chroot_deny_unix
# chroot_enforce_chdir
# chroot_execlog
# chroot_findtask
# chroot_restrict_nice
# chroot_restrict_sigs
# coredump
# deny_phys_root
# deny_pseudo_root
# deny_serial_root
# dmesg
# exec_logging
# execve_limiting
# fifo_restrictions
# fork_bomb_prot
# forkfail_logging
# grsec_lock
# linking_restrictions
# rand_ip_ids
# rand_isns
# rand_pids
# rand_rpc
# rand_tcp_src_ports
# rand_ttl
# restrict_ptrace
# secure_fds
# secure_kbmap
# signal_logging
# socket_all
# socket_client
# socket_server
# suid_logging
# suid_root_logging
# timechange_logging
# tpe
# tpe_glibc
# tpe_restrict_all

# Example strict set with negligible performance impact (copy into ENABLED below to use it):
#ENABLED="audit_chdir audit_group audit_ipc audit_mount chroot_caps \
#         chroot_deny_chmod chroot_deny_chroot chroot_deny_fchdir \
#         chroot_deny_mknod chroot_deny_mount chroot_deny_pivot \
#         chroot_deny_shmat chroot_deny_sysctl chroot_deny_unix \
#         chroot_enforce_chdir chroot_execlog chroot_findtask \
#         chroot_restrict_nice dmesg exec_logging execve_limiting \
#         fifo_restrictions forkfail_logging linking_restrictions rand_isns \
#         rand_ip_ids rand_pids rand_rpc rand_tcp_src_ports signal_logging \
#         socket_all socket_client socket_server timechange_logging tpe"

# Space-separated list of grsecurity toggles to enable at boot.  Each name must
# be one of the kernel.grsecurity.* sysctl keys listed above; the strict set
# above is only an example and stays commented out until copied here.  An empty
# string means no toggle is enabled by this file.
ENABLED=""

# Numeric group ID (a GID, not a group name) used by the audit_group toggle.
# Only meaningful when audit_group is in ENABLED.  Presumably the group should
# exist on this system — verify against /etc/group.
audit_gid=1007

# Numeric GID used by the allow_ptrace_group toggle.
# Only meaningful when allow_ptrace_group is in ENABLED.
ptrace_gid=10

# Numeric GID used by the tpe (trusted path execution) toggle.
# Only meaningful when tpe is in ENABLED.
tpe_gid=1005

# Settings for the fork_bomb_prot toggle; only meaningful when it is in ENABLED.
# fork_bomb_gid is the numeric GID the protection applies to.  fork_bomb_sec and
# fork_bomb_max are presumably the time window in seconds and the maximum number
# of forks allowed within it — confirm against the kernel documentation.
fork_bomb_gid=1006
fork_bomb_sec=40
fork_bomb_max=20

# Numeric GIDs used by the socket_all, socket_client and socket_server toggles.
# Each one is only meaningful when the matching toggle is in ENABLED.
socket_all_gid=1004
socket_client_gid=1003
socket_server_gid=1002

# Lock the above settings on boot: 0 leaves them changeable at runtime, 1 locks
# them.  Presumably applied through the grsec_lock toggle listed above, in which
# case the lock is one-way until the next reboot — confirm against the init
# script, and verify the ENABLED set before turning this on.
LOCK=0