author | jc_gargma <jc_gargma@iserlohn-fortress.net> | 2017-05-11 22:58:41 -0700 |
---|---|---|
committer | jc_gargma <jc_gargma@iserlohn-fortress.net> | 2017-05-11 22:58:41 -0700 |
commit | 215e9e8340711633e5d8c7ff28f8386a67ef7486 (patch) | |
tree | 0d692831d1b663bde272fa125c560fa0ccb7d40e | |
download | grsec-common-215e9e8340711633e5d8c7ff28f8386a67ef7486.tar.xz |
Initial Commit
-rw-r--r-- | 05-grsecurity.conf | 131 | ||||
-rw-r--r-- | 05-grsecurity.conf.sig | bin | 0 -> 566 bytes | |||
-rw-r--r-- | PKGBUILD | 19 | ||||
-rw-r--r-- | grsec-common.install | 7 |
4 files changed, 157 insertions, 0 deletions
diff --git a/05-grsecurity.conf b/05-grsecurity.conf
new file mode 100644
index 0000000..4beddce
--- /dev/null
+++ b/05-grsecurity.conf
@@ -0,0 +1,131 @@
+# All features in the kernel.grsecurity namespace are disabled by default.
+
+#
+# Disable PaX enforcement by default.
+#
+# The `paxd` package sets softmode back to 0 in a configuration file loaded
+# after this one. It automatically handles setting exceptions from the PaX
+# exploit mitigations after Pacman operations. Altering the setting manually
+# rather than using `paxd` is not recommended.
+#
+
+kernel.pax.softmode = 1
+
+#
+# Memory protections
+#
+
+#kernel.grsecurity.disable_priv_io = 1
+kernel.grsecurity.deter_bruteforce = 1
+
+#
+# Race free SymLinksIfOwnerMatch for web servers
+#
+# symlinkown_gid: http group
+#
+
+kernel.grsecurity.enforce_symlinksifowner = 1
+kernel.grsecurity.symlinkown_gid = 33
+
+#
+# FIFO restrictions
+#
+# Prevent writing to a FIFO in a world-writable sticky directory (e.g. /tmp),
+# unless the owner of the FIFO is the same owner of the directory it's held in.
+#
+
+kernel.grsecurity.fifo_restrictions = 1
+
+#
+# Deny any further rw mounts
+#
+
+#kernel.grsecurity.romount_protect = 1
+
+#
+# chroot restrictions (the commented options will break containers)
+#
+
+#kernel.grsecurity.chroot_caps = 1
+kernel.grsecurity.chroot_deny_bad_rename = 1
+#kernel.grsecurity.chroot_deny_chmod = 1
+#kernel.grsecurity.chroot_deny_chroot = 1
+kernel.grsecurity.chroot_deny_fchdir = 1
+#kernel.grsecurity.chroot_deny_mknod = 1
+#kernel.grsecurity.chroot_deny_mount = 1
+#kernel.grsecurity.chroot_deny_pivot = 1
+kernel.grsecurity.chroot_deny_shmat = 1
+kernel.grsecurity.chroot_deny_sysctl = 1
+kernel.grsecurity.chroot_deny_unix = 1
+kernel.grsecurity.chroot_enforce_chdir = 1
+kernel.grsecurity.chroot_findtask = 1
+#kernel.grsecurity.chroot_restrict_nice = 1
+
+#
+# Kernel auditing
+#
+# audit_group: Restrict exec/chdir logging to a group.
+# audit_gid: audit group
+#
+
+#kernel.grsecurity.audit_group = 1
+kernel.grsecurity.audit_gid = 201
+#kernel.grsecurity.exec_logging = 1
+#kernel.grsecurity.resource_logging = 1
+#kernel.grsecurity.chroot_execlog = 1
+#kernel.grsecurity.audit_ptrace = 1
+#kernel.grsecurity.audit_chdir = 1
+#kernel.grsecurity.audit_mount = 1
+#kernel.grsecurity.signal_logging = 1
+#kernel.grsecurity.forkfail_logging = 1
+#kernel.grsecurity.timechange_logging = 1
+kernel.grsecurity.rwxmap_logging = 1
+
+#
+# Executable protections
+#
+
+kernel.grsecurity.harden_ptrace = 1
+kernel.grsecurity.ptrace_readexec = 1
+kernel.grsecurity.consistent_setxid = 1
+kernel.grsecurity.harden_ipc = 1
+
+#
+# Trusted Path Execution
+#
+# tpe_gid: tpe group
+#
+
+#kernel.grsecurity.tpe = 1
+kernel.grsecurity.tpe_gid = 200
+#kernel.grsecurity.tpe_invert = 1
+kernel.grsecurity.tpe_restrict_all = 1
+
+#
+# Network protections
+#
+# socket_all_gid: socket-deny-all group
+# socket_client_gid: socket-deny-client group
+# socket_server_gid: socket-deny-server group
+#
+
+#kernel.grsecurity.ip_blackhole = 1
+kernel.grsecurity.lastack_retries = 4
+kernel.grsecurity.socket_all = 1
+kernel.grsecurity.socket_all_gid = 202
+kernel.grsecurity.socket_client = 1
+kernel.grsecurity.socket_client_gid = 203
+kernel.grsecurity.socket_server = 1
+kernel.grsecurity.socket_server_gid = 204
+
+#
+# Prevent any new USB devices from being recognized by the OS.
+#
+
+#kernel.grsecurity.deny_new_usb = 1
+
+#
+# Restrict grsec sysctl changes after this was set
+#
+
+#kernel.grsecurity.grsec_lock = 1
diff --git a/05-grsecurity.conf.sig b/05-grsecurity.conf.sig
Binary files differ
new file mode 100644
index 0000000..d8b8823
--- /dev/null
+++ b/05-grsecurity.conf.sig
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 0000000..ded68af
--- /dev/null
+++ b/PKGBUILD
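Review bot: The group IDs pinned in this file (`symlinkown_gid = 33`, `tpe_gid = 200`, `audit_gid = 201`, `socket_*_gid = 202`–`204`) only mean anything if groups with exactly those GIDs exist, and nothing in the file says where they come from; a header line such as `# GIDs 200-204 are created by grsec-common.install; keep the two files in sync.` would make the coupling visible to anyone editing either side. The `kernel.pax.softmode = 1` default also means a host without `paxd` keeps PaX enforcement off system-wide, so the comment above it could state that outcome explicitly instead of only discouraging manual changes. `kernel.grsecurity.tpe_restrict_all = 1` is enabled while the master `tpe` toggle stays commented; if, as I understand it, that sub-option is inert without `tpe = 1`, a one-line comment that it is pre-staged for when TPE is turned on would stop readers assuming TPE is active.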
@@ -0,0 +1,19 @@
+# $Id$
+# Maintainer: Daniel Micay <danielmicay@gmail.com>
+pkgname=grsec-common
+pkgver=4
+pkgrel=1
+pkgdesc='Base package for grsecurity kernels'
+arch=(any)
+url='https://archlinux.org/'
+license=('GPL2')
+install=$pkgname.install
+source=(05-grsecurity.conf
+ 05-grsecurity.conf.sig)
+sha512sums=('5c69955645eba5e07d6523281310ff0935c58ee90f99af33ea427ec4029524bbdfa5928dbf8c24beed4ec3e671cfccde690228898fc7fa0b76445276b2ace391'
+ 'SKIP')
+backup=(etc/sysctl.d/05-grsecurity.conf)
+
+package() {
+ install -Dm600 05-grsecurity.conf "$pkgdir/etc/sysctl.d/05-grsecurity.conf"
+}
diff --git a/grsec-common.install b/grsec-common.install
new file mode 100644
index 0000000..0244dc8
--- /dev/null
+++ b/grsec-common.install
@@ -0,0 +1,7 @@
+post_install() {
+ getent group tpe >/dev/null || groupadd -g 200 tpe
+ getent group audit >/dev/null || groupadd -g 201 audit
+ getent group socket-deny-all >/dev/null || groupadd -g 202 socket-deny-all
+ getent group socket-deny-client >/dev/null || groupadd -g 203 socket-deny-client
+ getent group socket-deny-server >/dev/null || groupadd -g 204 socket-deny-server
+}
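Review bot: `sha512sums` lists `'SKIP'` for `05-grsecurity.conf.sig` but the PKGBUILD has no `validpgpkeys=` array pinning which signing key is acceptable, so the detached signature only protects builders whose keyring already trusts the right key; adding `validpgpkeys=('<MAINTAINER-KEY-FINGERPRINT>')` (placeholder) turns it into a real source-integrity check. The package also declares no `depends=`/`optdepends=` on `paxd` even though the shipped conf sets `kernel.pax.softmode = 1` on the expectation that paxd reverts it, so an install without paxd runs with PaX enforcement off; `optdepends=('paxd: re-enables PaX enforcement and manages exceptions')` would at least surface that. The `# $Id$` line is leftover SVN keyword boilerplate with no effect under git and can be dropped.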
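Review bot: Each `getent group NAME >/dev/null || groupadd -g GID NAME` line in post_install only checks the group name, so a pre-existing group with that name but a different GID, or an unrelated group already owning GID 200–204, leaves the GID-based sysctl values in 05-grsecurity.conf pointing at the wrong or a nonexistent group, and the `groupadd` failure in the second case is silently discarded. Because the kernel enforces on the numeric GID rather than the name, the script should verify the mapping in both directions and report loudly when it cannot guarantee it. A small helper keeps the five calls readable:
```shell
post_install() {
  # ensure_group NAME GID: 05-grsecurity.conf refers to these numeric GIDs,
  # so a name resolving to another GID, or a GID already owned by another
  # group, must be reported rather than ignored.
  ensure_group() {
    local cur
    cur=$(getent group "$1" | cut -d: -f3)
    if [ -n "$cur" ]; then
      [ "$cur" = "$2" ] || echo "grsec-common: group $1 has gid $cur, not $2; adjust /etc/sysctl.d/05-grsecurity.conf" >&2
    elif getent group "$2" >/dev/null; then
      echo "grsec-common: gid $2 is already in use; group $1 not created" >&2
    else
      groupadd -g "$2" "$1" || echo "grsec-common: could not create group $1 (gid $2)" >&2
    fi
  }
  ensure_group tpe 200
  ensure_group audit 201
  ensure_group socket-deny-all 202
  ensure_group socket-deny-client 203
  ensure_group socket-deny-server 204
}
```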