Grsecurity

From Segfault

Installation

Debian briefly shipped[1][2] a grsecurity-enabled kernel (the package has since been removed from the archive, so this only applies to systems that still have it). While it was available, installation was straightforward:

sudo apt-get install linux-image-grsec-amd64

Note: there is no unversioned linux-headers-grsec-amd64 metapackage; only a versioned headers package exists, and it must be installed explicitly, matching the installed kernel version:

sudo apt-get install linux-headers-4.6.0-1-grsec-amd64

Configuration

Before the first reboot into the new kernel, the following settings[3] may be wanted in a sysctl drop-in. The kernel.grsecurity.* keys only exist while a grsecurity kernel is running, so applying the file under the stock kernel fails with "No such file or directory"; the file is picked up automatically at the next boot:

$ cat /etc/sysctl.d/grsec.conf
[...]
kernel.grsecurity.deny_new_usb=1
kernel.grsecurity.harden_tty=1

kernel.grsecurity.exec_logging=0
kernel.grsecurity.audit_chdir=0

The last sysctl in grsec.conf should be kernel.grsecurity.grsec_lock=1, which locks all Grsecurity settings until the next reboot. Once it is set, every later attempt to change a kernel.grsecurity.* key is rejected, so it must be the last such key that is processed. Files in /etc/sysctl.d are applied in lexical order, which means no file sorting after grsec.conf may touch kernel.grsecurity.* either.

We may also want to allow a certain group to see the full process list of the system:

$ getent group naemon
naemon:x:114:

$ grep grsec /etc/default/grub 
GRUB_CMDLINE_LINUX_DEFAULT="rootfstype=ext4 grsec_proc_gid=114"

Run update-grub after editing /etc/default/grub; once the kernel has been booted with this parameter, all members of the group see every process on the system, while other unprivileged users only see their own. The hidepid mount option for /proc is therefore no longer necessary with Grsecurity, as the kernel itself enforces the restriction.
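The configuration steps above, as an added shell example (not taken from this wiki page or from the grsecurity project): it writes the sysctl drop-in with grsec_lock last, checks that nothing sorting after it in sysctl.d would hit the lock, and adds grsec_proc_gid to the GRUB command line. File paths are parameters so the helpers can be tried against throwaway copies; the group name naemon is reused from the page and is an assumption, as is the "apply" argument that performs the real system changes.

```shell
#!/bin/sh
# Added example for the Grsecurity configuration steps; not code from the page.
# Helpers take paths as arguments so they can be exercised on temporary files.

# Write the sysctl drop-in. grsec_lock=1 must be the last kernel.grsecurity.*
# key processed: once set, no grsecurity sysctl can be changed until reboot.
write_grsec_sysctl() {
    cat > "$1" <<'EOF'
# Reject USB devices that are plugged in after this setting takes effect.
kernel.grsecurity.deny_new_usb=1
# Forbid unprivileged TIOCSTI ioctls (injecting keystrokes into another tty).
kernel.grsecurity.harden_tty=1

# Logging knobs, left explicit so the choice is recorded.
kernel.grsecurity.exec_logging=0
kernel.grsecurity.audit_chdir=0

# Must stay last: locks every kernel.grsecurity.* key until the next reboot.
kernel.grsecurity.grsec_lock=1
EOF
}

# Succeed only if grsec_lock=1 is the last kernel.grsecurity.* line in the file.
lock_is_last() {
    last=$(grep -E '^[[:space:]]*kernel\.grsecurity\.' "$1" | tail -n 1 | tr -d '[:space:]')
    [ "$last" = "kernel.grsecurity.grsec_lock=1" ]
}

# Print the names of drop-ins in $1 that sort after $2 (our file) and still set
# kernel.grsecurity.* keys: sysctl.d is applied in lexical order, so those
# settings would be rejected once grsec_lock is in effect.
late_grsec_files() {
    dir="$1"; ours="$2"
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        if [ "$(expr "$name" \> "$ours")" = 1 ] \
           && grep -qE '^[[:space:]]*kernel\.grsecurity\.' "$f"; then
            echo "$name"
        fi
    done
    return 0
}

# Put grsec_proc_gid=<gid> into GRUB_CMDLINE_LINUX_DEFAULT of a grub default
# file, replacing an existing value if present (idempotent).
set_proc_gid() {
    file="$1"; gid="$2"
    if grep -q 'grsec_proc_gid=' "$file"; then
        sed -i "s/grsec_proc_gid=[0-9]*/grsec_proc_gid=$gid/" "$file"
    elif grep -q '^GRUB_CMDLINE_LINUX_DEFAULT="' "$file"; then
        sed -i "s/^\(GRUB_CMDLINE_LINUX_DEFAULT=\"[^\"]*\)\"/\1 grsec_proc_gid=$gid\"/" "$file"
        # Drop the leading space left behind when the variable was empty.
        sed -i 's/^\(GRUB_CMDLINE_LINUX_DEFAULT="\) /\1/' "$file"
    else
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="grsec_proc_gid=%s"\n' "$gid" >> "$file"
    fi
}

# Print the current value of GRUB_CMDLINE_LINUX_DEFAULT from a grub default file.
cmdline_default() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

# Real system changes (assumed "apply" argument; needs root). Guarded so the
# file can also be sourced just for the helpers.
if [ "${1:-}" = "apply" ]; then
    write_grsec_sysctl /etc/sysctl.d/grsec.conf
    lock_is_last /etc/sysctl.d/grsec.conf || { echo "grsec_lock is not last" >&2; exit 1; }
    late=$(late_grsec_files /etc/sysctl.d grsec.conf)
    [ -z "$late" ] || { echo "files set kernel.grsecurity.* after grsec_lock: $late" >&2; exit 1; }
    gid=$(getent group naemon | cut -d: -f3)   # group name assumed from the page
    [ -n "$gid" ] || { echo "group naemon not found" >&2; exit 1; }
    set_proc_gid /etc/default/grub "$gid"
    update-grub
    if [ -d /proc/sys/kernel/grsecurity ]; then
        sysctl --system          # grsec kernel already running: apply now
    else
        echo "settings take effect after rebooting into the grsec kernel"
    fi
fi
```

Run it as `sh grsec-setup.sh apply` on the target host; without the argument it only defines the helper functions, which is what makes the ordering and GRUB edits easy to dry-run on copies of the real files first.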

Links

References

  1. Debian #861332 - RM: linux-grsec-base/6
  2. Debian #810506 - linux-grsec not suitable for stable
  3. Grsecurity/Appendix/Sysctl Options