linux-grsec-base/0000755000000000000000000000000012650240204011107 5ustar linux-grsec-base/debian/0000755000000000000000000000000012656113444012344 5ustar linux-grsec-base/debian/changelog0000644000000000000000000000246112656113444014221 0ustar linux-grsec-base (6) unstable; urgency=medium * debian/control: - drop Recommends on gradm2 since it doesn't work with current patch. * debian/rules: - install grsec.conf 0600 to restrict the settings to root. -- Yves-Alexis Perez Mon, 08 Feb 2016 14:24:50 +0100 linux-grsec-base (5) unstable; urgency=medium * sysctl: enable audit_group and set gid=0 by default * sysctl: enable SymlinksIfOwnerMatch with gid=33 -- Yves-Alexis Perez Fri, 08 Jan 2016 09:49:41 +0100 linux-grsec-base (4) unstable; urgency=medium * sysctl/grsec.conf: remove duplicate auditing section * sysctl/grsec.conf: remove more duplicates -- Yves-Alexis Perez Tue, 05 Jan 2016 15:45:55 +0100 linux-grsec-base (3) unstable; urgency=medium * remove execve_limiting, it's gone now * romount_protect is present twice, remove one occurrence * don't set romount_protect by default -- Yves-Alexis Perez Mon, 04 Jan 2016 13:38:20 +0100 linux-grsec-base (2) unstable; urgency=medium * Update sysctls for grsecurity 3.1 -- Yves-Alexis Perez Mon, 21 Dec 2015 21:24:57 +0100 linux-grsec-base (1) unstable; urgency=low * Initial release. -- Yves-Alexis Perez Mon, 21 Dec 2015 21:02:03 +0100 linux-grsec-base/debian/compat0000644000000000000000000000000211645231213013532 0ustar 7 linux-grsec-base/debian/copyright0000644000000000000000000000026111645231213014266 0ustar Packaging is © 2010 Yves-Alexis Perez and released under the GPLv2. On Debian systems, GPLv2 can be found in /usr/share/common-licenses/GPL-2. 
linux-grsec-base/debian/postinst0000644000000000000000000000057011645231213014144 0ustar #!/bin/sh -e case "$1" in configure) addgroup --gid 64040 --system --quiet grsec-tpe ||true addgroup --gid 64041 --system --quiet grsec-sock-all ||true addgroup --gid 64042 --system --quiet grsec-sock-clt ||true addgroup --gid 64043 --system --quiet grsec-sock-srv ||true addgroup --gid 64044 --system --quiet grsec-proc ||true ;; esac #DEBHELPER# linux-grsec-base/debian/rules0000755000000000000000000000030612656113102013412 0ustar #!/usr/bin/make -f override_dh_auto_install: install -d $(CURDIR)/debian/linux-grsec-base/etc/sysctl.d install -m 0600 sysctl/grsec.conf $(CURDIR)/debian/linux-grsec-base/etc/sysctl.d %: dh $@ linux-grsec-base/debian/control0000644000000000000000000000103712656113021013737 0ustar Source: linux-grsec-base Section: kernel Priority: optional Maintainer: Yves-Alexis Perez Build-Depends: debhelper (>= 7.0.50~) Standards-Version: 3.9.6 Homepage: http://www.grsecurity.net Package: linux-grsec-base Architecture: all Depends: ${shlibs:Depends}, ${misc:Depends} Recommends: paxctl, pax-utils Description: Linux image base package, grsec featureset This package contains documentation and maintainer scripts for configuring grsecurity features. The package is useless without a running grsecurity kernel. 
linux-grsec-base/debian/postrm0000644000000000000000000000070711645231213013607 0ustar #!/bin/sh -e if [ "$1" = "purge" ]; then echo "Removing grsec groups" >&2 groupdel grsec-tpe || echo "Error removing group grsec-tpe" >&2 groupdel grsec-sock-all || echo "Error removing group grsec-sock-all" >&2 groupdel grsec-sock-clt || echo "Error removing group grsec-sock-clt" >&2 groupdel grsec-sock-srv || echo "Error removing group grsec-sock-srv" >&2 groupdel grsec-proc || echo "Error removing group grsec-proc" >&2 fi #DEBHELPER# linux-grsec-base/sysctl/0000755000000000000000000000000012643443127012443 5ustar linux-grsec-base/sysctl/grsec.conf0000644000000000000000000000634212643443127014422 0ustar ## Address Space Protection # Disable privileged io: iopl(2) and ioperm(2) # Warning: Xorg without modesetting needs it to be 0 kernel.grsecurity.disable_priv_io = 1 kernel.grsecurity.deter_bruteforce = 1 kernel.grsecurity.deny_new_usb = 0 kernel.grsecurity.harden_ipc = 1 ## Filesystem Protections # Prevent symlinks/hardlinks exploits (don't follow symlink on world-writable +t # folders) kernel.grsecurity.linking_restrictions = 1 # Prevent writing to fifo not owned in world-writable +t folders kernel.grsecurity.fifo_restrictions = 1 # Chroot restrictions kernel.grsecurity.chroot_deny_bad_rename = 1 kernel.grsecurity.chroot_deny_mount = 1 kernel.grsecurity.chroot_deny_chroot = 1 kernel.grsecurity.chroot_deny_pivot = 1 kernel.grsecurity.chroot_enforce_chdir = 1 kernel.grsecurity.chroot_deny_chmod = 1 kernel.grsecurity.chroot_deny_fchdir = 1 kernel.grsecurity.chroot_deny_mknod = 1 kernel.grsecurity.chroot_deny_shmat = 1 kernel.grsecurity.chroot_deny_unix = 1 kernel.grsecurity.chroot_findtask = 1 kernel.grsecurity.chroot_restrict_nice = 1 kernel.grsecurity.chroot_deny_sysctl = 1 kernel.grsecurity.chroot_caps = 1 ## Kernel Auditing kernel.grsecurity.exec_logging = 1 kernel.grsecurity.audit_chdir = 1 # By default exec_logging and audit_chdir only target members of audit_gid, you # can 
# change that by setting audit_group to 0 (every user is then logged).
kernel.grsecurity.audit_group = 1
# audit_gid = 0 is the root group; set it to another gid to audit a different
# set of users instead.
kernel.grsecurity.audit_gid = 0
kernel.grsecurity.resource_logging = 1
kernel.grsecurity.chroot_execlog = 1
kernel.grsecurity.audit_ptrace = 1
kernel.grsecurity.audit_mount = 1
kernel.grsecurity.signal_logging = 1
kernel.grsecurity.forkfail_logging = 1
kernel.grsecurity.timechange_logging = 1
kernel.grsecurity.rwxmap_logging = 1
## Executable Protections
kernel.grsecurity.dmesg = 1
kernel.grsecurity.consistent_setxid = 1
# Trusted Path Execution (TPE). With tpe_invert = 1 the tpe_gid group is the
# *trusted* group: members of gid 64040 (grsec-tpe) may execute binaries from
# untrusted directories, and with tpe_restrict_all = 1 all other (non-root)
# users are subject to TPE. Add only users you fully trust.
# Note: postinst creates the group with "addgroup --gid 64040 ... || true", so
# if that gid was already taken the group does not exist and this setting would
# refer to whatever group owns gid 64040 - check with "getent group 64040".
kernel.grsecurity.tpe = 1
kernel.grsecurity.tpe_invert = 1
kernel.grsecurity.tpe_restrict_all = 1
kernel.grsecurity.tpe_gid = 64040
## Kernel-enforced SymlinksIfOwnerMatch
# For processes running with gid 33 (www-data on Debian), symlinks are only
# followed when the symlink and its target have the same owner - the kernel
# equivalent of Apache's SymLinksIfOwnerMatch.
kernel.grsecurity.enforce_symlinksifowner = 1
kernel.grsecurity.symlinkown_gid = 33
## Network Protections
kernel.grsecurity.ip_blackhole = 1
kernel.grsecurity.lastack_retries = 4
# Socket restrictions
# When a setting below is enabled, members of the matching group are denied
# that kind of socket: socket_all denies any socket, socket_client denies
# client (connecting) sockets, socket_server denies server (listening) sockets.
# The groups are created by postinst (64041 grsec-sock-all, 64042
# grsec-sock-clt, 64043 grsec-sock-srv) and are empty by default.
kernel.grsecurity.socket_all = 1
kernel.grsecurity.socket_all_gid = 64041
kernel.grsecurity.socket_client = 1
kernel.grsecurity.socket_client_gid = 64042
kernel.grsecurity.socket_server = 1
kernel.grsecurity.socket_server_gid = 64043
# Ptrace
kernel.grsecurity.harden_ptrace = 1
kernel.grsecurity.ptrace_readexec = 1
# Protect mounts
# romount_protect cannot be switched off again at runtime (writing 0 fails), so
# leave this line commented out unless you want it enabled for good.
# kernel.grsecurity.romount_protect = 1
# PAX
kernel.pax.softmode = 0
# Disable module loading
# This is a stock kernel sysctl, not a grsecurity one, but you may still want
# it: once set to 1 no further modules can be loaded (and it cannot be cleared
# without a reboot), so enable it only once everything you need is loaded.
# kernel.modules_disabled=1
# Once you are satisfied with these settings, set grsec_lock to 1 so that
# nobody (not even root) can change any grsecurity sysctl on the running
# system; the lock is only released by a reboot. Because this file sets it,
# anything you want to tune must be placed above this line.
kernel.grsecurity.grsec_lock = 1
# vim: filetype=conf: