Grsecurity
Installation
Debian for a time shipped[1][2] a grsecurity-enabled kernel (it never reached a stable release and has since been removed from the archive). While it was available, installing it was a single apt-get:
sudo apt-get install linux-image-grsec-amd64
Note: there is no unversioned linux-headers-grsec-amd64 metapackage to match the image; the headers only exist as a versioned package, which has to be installed by hand (version as of writing):
sudo apt-get install linux-headers-4.6.0-1-grsec-amd64
Configuration
Before rebooting into the new kernel, put the grsecurity sysctl settings[3] you want into a drop-in file, for example:

$ cat /etc/sysctl.d/grsec.conf
[...]
kernel.grsecurity.deny_new_usb=1
kernel.grsecurity.harden_tty=1
kernel.grsecurity.exec_logging=0
kernel.grsecurity.audit_chdir=0

The last line of grsec.conf should be kernel.grsecurity.grsec_lock=1. Once it is set, every kernel.grsecurity.* sysctl is read-only until the next reboot, so any grsecurity setting listed after it is rejected and never applied; changing a locked setting later means editing the file and rebooting.
You may also want to let one group (here the monitoring user's group, naemon) see the whole process list. Look up its GID and pass it to the kernel as grsec_proc_gid on the command line, then run update-grub:

$ getent group naemon
naemon:x:114:
$ grep grsec /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="rootfstype=ext4 grsec_proc_gid=114"

Once this setting is active, members of that group see every process on the system, while other unprivileged users see only their own. The hidepid mount option for /proc is no longer necessary with grsecurity, since its /proc restrictions already hide other users' processes.
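Both steps above are easy to get subtly wrong (a setting placed after grsec_lock=1 is silently lost at boot, and a hand-edited GRUB line is easy to duplicate), so here is an added example, not from the original page or from Debian's packaging, of a POSIX shell script that checks a sysctl drop-in for the lock being last and writes grsec_proc_gid into a copy of a grub defaults file. The naemon group and GID 114 come from the page; the nagios group, GID 115 and all file contents in make_samples are constructed for the example, and every path is passed as an argument so the script never touches /etc on its own.

```shell
#!/bin/sh
# Added example: validate a grsecurity sysctl drop-in and set grsec_proc_gid in
# a GRUB defaults file. All paths are arguments; run it against copies first.

# Succeed (0) if the last effective line of the sysctl file $1 is
# kernel.grsecurity.grsec_lock=1. Blank lines and comments are skipped, and the
# "key = value" and "kernel/grsecurity/..." spellings are normalised. After
# grsec_lock=1 is applied, every later kernel.grsecurity.* line in the same
# file fails with EPERM, so the lock must be the last line.
grsec_lock_is_last() {
    last=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
           | tail -n 1 | tr -d ' \t' | tr '/' '.')
    [ "$last" = "kernel.grsecurity.grsec_lock=1" ]
}

# Print the value of GRUB_CMDLINE_LINUX_DEFAULT from the grub defaults file $1.
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

# Put grsec_proc_gid=<gid of group $2> into GRUB_CMDLINE_LINUX_DEFAULT of the
# grub defaults file $1, looking the group up in $3 (default /etc/group).
# Idempotent: an existing grsec_proc_gid= is replaced, never duplicated.
# On a real system run update-grub afterwards.
add_grsec_proc_gid() {
    grubfile=$1
    group=$2
    groupdb=${3:-/etc/group}
    gid=$(awk -F: -v g="$group" '$1 == g { print $3 }' "$groupdb")
    if [ -z "$gid" ]; then
        echo "group $group not found in $groupdb" >&2
        return 1
    fi
    tmp=$(mktemp)
    awk -v gid="$gid" '
        /^GRUB_CMDLINE_LINUX_DEFAULT="/ {
            if ($0 ~ /grsec_proc_gid=/) { sub(/grsec_proc_gid=[0-9]*/, "grsec_proc_gid=" gid) }
            else { sub(/"$/, " grsec_proc_gid=" gid "\"") }
            sub(/=" /, "=\"")    # drop the leading space when the default was empty
        }
        { print }' "$grubfile" > "$tmp" && mv "$tmp" "$grubfile"
}

# Constructed sample files for trying the helpers out (not real system files).
make_samples() {
    cat > "$1/grsec.conf" <<'EOF'
# drop-in as shown in the article, with the lock last
kernel.grsecurity.deny_new_usb=1
kernel.grsecurity.harden_tty=1
kernel.grsecurity.exec_logging=0
kernel.grsecurity.audit_chdir=0
kernel.grsecurity.grsec_lock=1
EOF
    cat > "$1/grsec-bad.conf" <<'EOF'
# wrong: harden_tty comes after the lock and would fail with EPERM at boot
kernel.grsecurity.deny_new_usb=1
kernel.grsecurity.grsec_lock = 1
kernel.grsecurity.harden_tty=1
EOF
    printf 'GRUB_CMDLINE_LINUX_DEFAULT="rootfstype=ext4"\nGRUB_CMDLINE_LINUX=""\n' > "$1/grub"
    printf 'root:x:0:\nnaemon:x:114:\nnagios:x:115:\n' > "$1/group"
}

# Demo on the constructed samples.
dir=$(mktemp -d)
make_samples "$dir"
for f in grsec.conf grsec-bad.conf; do
    if grsec_lock_is_last "$dir/$f"; then
        echo "$f: OK, grsec_lock=1 is the last line"
    else
        echo "$f: WRONG, grsec_lock=1 must be the last line"
    fi
done
add_grsec_proc_gid "$dir/grub" naemon "$dir/group"
echo "cmdline: $(grub_cmdline "$dir/grub")"
rm -rf "$dir"
```

Point the functions at copies of /etc/sysctl.d/grsec.conf and /etc/default/grub first; only once the printed command line looks right should the edited copy go back into place, followed by update-grub.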
Links
References
- [1] Debian #861332 - RM: linux-grsec-base/6
- [2] Debian #810506 - linux-grsec not suitable for stable
- [3] Grsecurity/Appendix/Sysctl Options