diff options
Diffstat (limited to 'app-admin/grsecurity-scripts/files/sample-kernel-config-pax-grsec.txt')
| -rw-r--r-- | app-admin/grsecurity-scripts/files/sample-kernel-config-pax-grsec.txt | 149 |
1 files changed, 149 insertions, 0 deletions
diff --git a/app-admin/grsecurity-scripts/files/sample-kernel-config-pax-grsec.txt b/app-admin/grsecurity-scripts/files/sample-kernel-config-pax-grsec.txt new file mode 100644 index 0000000..23b7a39 --- /dev/null +++ b/app-admin/grsecurity-scripts/files/sample-kernel-config-pax-grsec.txt @@ -0,0 +1,149 @@ +# +# Security options +# + +# +# PaX +# +CONFIG_PAX=y + +# +# PaX Control +# +# CONFIG_PAX_SOFTMODE is not set +CONFIG_PAX_EI_PAX=y +CONFIG_PAX_PT_PAX_FLAGS=y +# CONFIG_PAX_NO_ACL_FLAGS is not set +CONFIG_PAX_HAVE_ACL_FLAGS=y +# CONFIG_PAX_HOOK_ACL_FLAGS is not set + +# +# Non-executable pages +# +CONFIG_PAX_NOEXEC=y +CONFIG_PAX_PAGEEXEC=y +CONFIG_PAX_SEGMEXEC=y +# CONFIG_PAX_DEFAULT_PAGEEXEC is not set +CONFIG_PAX_DEFAULT_SEGMEXEC=y +CONFIG_PAX_EMUTRAMP=y +CONFIG_PAX_MPROTECT=y +CONFIG_PAX_NOELFRELOCS=y +CONFIG_PAX_KERNEXEC=y + +# +# Address Space Layout Randomization +# +CONFIG_PAX_ASLR=y +CONFIG_PAX_RANDKSTACK=y +CONFIG_PAX_RANDUSTACK=y +CONFIG_PAX_RANDMMAP=y + +# +# Miscellaneous hardening features +# +CONFIG_PAX_MEMORY_SANITIZE=y +CONFIG_PAX_MEMORY_UDEREF=y + +# +# Grsecurity +# +CONFIG_GRKERNSEC=y +# CONFIG_GRKERNSEC_LOW is not set +# CONFIG_GRKERNSEC_MEDIUM is not set +# CONFIG_GRKERNSEC_HIGH is not set +CONFIG_GRKERNSEC_CUSTOM=y + +# +# Address Space Protection +# +CONFIG_GRKERNSEC_KMEM=y +CONFIG_GRKERNSEC_IO=y +CONFIG_GRKERNSEC_PROC_MEMMAP=y +CONFIG_GRKERNSEC_BRUTE=y +CONFIG_GRKERNSEC_MODSTOP=y +CONFIG_GRKERNSEC_HIDESYM=y + +# +# Role Based Access Control Options +# +CONFIG_GRKERNSEC_ACL_HIDEKERN=y +CONFIG_GRKERNSEC_ACL_MAXTRIES=3 +CONFIG_GRKERNSEC_ACL_TIMEOUT=30 + +# +# Filesystem Protections +# +CONFIG_GRKERNSEC_PROC=y +# CONFIG_GRKERNSEC_PROC_USER is not set +CONFIG_GRKERNSEC_PROC_USERGROUP=y +CONFIG_GRKERNSEC_PROC_GID=1001 +CONFIG_GRKERNSEC_PROC_ADD=y +CONFIG_GRKERNSEC_LINK=y +CONFIG_GRKERNSEC_FIFO=y +CONFIG_GRKERNSEC_CHROOT=y +CONFIG_GRKERNSEC_CHROOT_MOUNT=y +CONFIG_GRKERNSEC_CHROOT_DOUBLE=y +CONFIG_GRKERNSEC_CHROOT_PIVOT=y +CONFIG_GRKERNSEC_CHROOT_CHDIR=y +CONFIG_GRKERNSEC_CHROOT_CHMOD=y +CONFIG_GRKERNSEC_CHROOT_FCHDIR=y +CONFIG_GRKERNSEC_CHROOT_MKNOD=y +CONFIG_GRKERNSEC_CHROOT_SHMAT=y +CONFIG_GRKERNSEC_CHROOT_UNIX=y +CONFIG_GRKERNSEC_CHROOT_FINDTASK=y +CONFIG_GRKERNSEC_CHROOT_NICE=y +CONFIG_GRKERNSEC_CHROOT_SYSCTL=y +CONFIG_GRKERNSEC_CHROOT_CAPS=y + +# +# Kernel Auditing +# +# CONFIG_GRKERNSEC_AUDIT_GROUP is not set +# CONFIG_GRKERNSEC_EXECLOG is not set +CONFIG_GRKERNSEC_RESLOG=y +CONFIG_GRKERNSEC_CHROOT_EXECLOG=y +# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set +CONFIG_GRKERNSEC_AUDIT_MOUNT=y +CONFIG_GRKERNSEC_AUDIT_IPC=y +CONFIG_GRKERNSEC_SIGNAL=y +CONFIG_GRKERNSEC_FORKFAIL=y +CONFIG_GRKERNSEC_TIME=y +CONFIG_GRKERNSEC_PROC_IPADDR=y +# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set + +# +# Executable Protections +# +CONFIG_GRKERNSEC_EXECVE=y +CONFIG_GRKERNSEC_SHM=y +CONFIG_GRKERNSEC_DMESG=y +CONFIG_GRKERNSEC_TPE=y +# CONFIG_GRKERNSEC_TPE_ALL is not set +CONFIG_GRKERNSEC_TPE_INVERT=y +CONFIG_GRKERNSEC_TPE_GID=1005 + +# +# Network Protections +# +CONFIG_GRKERNSEC_RANDNET=y +CONFIG_GRKERNSEC_SOCKET=y +CONFIG_GRKERNSEC_SOCKET_ALL=y +CONFIG_GRKERNSEC_SOCKET_ALL_GID=1004 +CONFIG_GRKERNSEC_SOCKET_CLIENT=y +CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=1003 +CONFIG_GRKERNSEC_SOCKET_SERVER=y +CONFIG_GRKERNSEC_SOCKET_SERVER_GID=1002 + +# +# Sysctl support +# +CONFIG_GRKERNSEC_SYSCTL=y +CONFIG_GRKERNSEC_SYSCTL_ON=y + +# +# Logging Options +# +CONFIG_GRKERNSEC_FLOODTIME=10 +CONFIG_GRKERNSEC_FLOODBURST=4 +# CONFIG_KEYS is not set +# CONFIG_SECURITY is not set |