public inbox for gentoo-dev@lists.gentoo.org
From: Sebastian Werner <sebastian@werner-productions.de>
To: gentoo-dev@gentoo.org
Subject: [gentoo-dev] grsecurity support
Date: 13 Dec 2001 18:52:54 +0100
Message-ID: <1008265978.20651.4.camel@wp.smile>

[-- Attachment #1: Type: text/plain, Size: 611 bytes --]

Hey

I like to protect my system against hackers. So I patched my kernel with
grsecurity (www.grsecurity.org). It is a patch like openwall++. I have
written a script to read a config file in /etc and an init.d script to
start this while booting (grsecurity could use sysctl - you need to
enable it to use these scripts!)

You could use 'grsec init' to create a config file with all options
disabled. Enable the ones you like. Then start the init.d script
'/etc/init.d/grsec start' or put it into your boot runlevel: 'rc-update add
grsec boot'

Ok, please try it and tell me suggestions,

Thanks

Sebastian Werner



[-- Attachment #2: grsec.conf --]
[-- Type: text/plain, Size: 667 bytes --]

# CFGFILE for GrSecurity - Kernel 2.4 Security Enhancement
 
# This entry must be set to enable(1) to work
grsec_lock=1
 
# These are the available options 1=enable, 0=disable
stealth_flags=0
stealth_igmp=1
stealth_icmp=1
stealth_udp=0
stealth_rst=0
rand_ttl_thresh=0
rand_ttl=0
altered_pings=0
rand_tcp_src_ports=1
rand_ip_ids=1
rand_pids=1
chroot_caps=0
chroot_restrict_nice=0
chroot_deny_ptrace=1
chroot_deny_mknod=1
chroot_deny_chmod=1
chroot_deny_chdir=1
chroot_deny_chroot=1
chroot_deny_mount=1
chroot_restrict_sigs=0
rand_net=0
secure_kbmap=1
coredump=1
execve_limiting=0
secure_fds=0
fifo_restrictions=1
linking_restrictions=1

[-- Attachment #3: grsec --]
[-- Type: text/plain, Size: 297 bytes --]

#!/sbin/runscript

# apply grsecurity options in /etc/grsec.conf
# with sysctl to the kernel

depend() {
	need clock localmount
}

start() {
	ebegin "Enable advanced network and system-protection (grsec)"
	grsec start 2>&1 | /usr/bin/logger -t "grsec" -p daemon.notice
	# report the exit status of grsec, not of logger (the last command in the pipe)
	eend ${PIPESTATUS[0]}
}


[-- Attachment #4: grsec --]
[-- Type: text/x-sh, Size: 2757 bytes --]

#!/bin/bash

# grsec: 'init' writes /etc/grsec.conf from the kernel's grsecurity sysctl
# tree (all options disabled), 'start' applies that file to the kernel.

CFGFILE="/etc/grsec.conf"
PROCPATH="/proc/sys/kernel/grsecurity"
CTLFLAG="grsec_lock"

if [ "$(id -u)" != 0 ]; then
  echo "ERROR:"
  echo "You must be root to set grsec vars!"
  exit 1
fi

if [ ! -d "$PROCPATH" ]; then
  echo "ERROR:"
  echo "It seems that the grsecurity sysctl option isn't enabled"
  exit 1
fi

if [ -z "$1" ]; then
  echo "ERROR:"
  echo "Please call me: $0 [start|init]"
  exit 1
fi

# Once the lock is set, every grsecurity sysctl is read-only until reboot.
if [ "$(cat "${PROCPATH}/${CTLFLAG}")" = "1" -a "$1" = "start" ]; then
  echo "ERROR:"
  echo "Sorry: $CTLFLAG is set to 1. Changes not possible!"
  exit 1
fi

# Print the value configured for option $1, or nothing if it is missing.
# Comment lines are skipped and the match is anchored to the line start,
# so that e.g. rand_ttl does not also match rand_ttl_thresh.
cfg_value() {
  grep -v '^#' "$CFGFILE" | grep "^$1=" | cut -d= -f2
}

if [ "$1" = "init" ]; then
  if [ -e "$CFGFILE" ]; then
    echo -n "Are you sure you want to overwrite the current config file $CFGFILE? [y|n] "
    read input
    if [ "$input" = "y" ]; then
      # build the backup name once; %H instead of %k avoids a space in the name
      backup="${CFGFILE}_$(date +'%d%m%y%H%M%S')"
      echo "Creating backup of old file -> $backup"
      cp "$CFGFILE" "$backup"
    else
      exit
    fi
  fi

  echo "Creating new config file: ${CFGFILE}"
  {
    echo "# CFGFILE for GrSecurity - Kernel 2.4 Security Enhancement"
    echo " "
    echo "# This entry must be set to enable(1) to work"
    echo "${CTLFLAG}=0"
    echo " "
    echo "# These are the available options 1=enable, 0=disable"
    # one line per sysctl file, every option disabled; the lock was written above
    for entry in $(find "$PROCPATH" ! -type d); do
      Ename=$(basename "$entry")
      if [ "$Ename" != "$CTLFLAG" ]; then
        echo "${Ename}=0"
      fi
    done
  } > "$CFGFILE"
fi

if [ "$1" = "stop" ]; then

  echo "Sorry there is no stop possible."
  echo "After setting $CTLFLAG all options are read-only."
  echo "Change settings in the config file and reboot!"

fi

if [ "$1" = "start" ]; then

  for entry in $(find "$PROCPATH" ! -type d); do
    Ename=$(basename "$entry")
    if [ "$Ename" != "$CTLFLAG" ]; then
      Evalue=$(cfg_value "$Ename")
      if [ "$Evalue" = 0 ]; then
        echo -n "Disabling $Ename: "
        if echo 0 > "${PROCPATH}/$Ename"; then echo "ok"; else echo "error"; fi
      elif [ "$Evalue" = 1 ]; then
        echo -n "Enabling $Ename: "
        if echo 1 > "${PROCPATH}/$Ename"; then echo "ok"; else echo "error"; fi
      else
        echo "Unknown option for $Ename"
      fi
    else
      # remember the lock setting; it is applied last, after all other options
      Enable=$(cfg_value "$Ename")
    fi
  done

  echo " "

  if [ "$Enable" = "1" ]; then
    echo -n "Enabling GrSecurity: "
    if echo 1 > "${PROCPATH}/${CTLFLAG}"; then
      echo "ok"
    else
      echo "error"
    fi
  else
    echo "Please set $CTLFLAG to 1 to enable"
  fi

fi
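An added example (not part of Sebastian's post or his grsec script): once grsec_lock=1 the options are read-only and the script has no status mode, so this POSIX sh audit compares the live sysctl tree against /etc/grsec.conf and reports drift. The sample tree and config it runs on are constructed in a temp directory; the paths /etc/grsec.conf and /proc/sys/kernel/grsecurity are the ones the post uses.

```shell
#!/bin/sh
# Added example (not from the original post): audit the live grsecurity
# sysctl tree against /etc/grsec.conf. After grsec_lock=1 values cannot
# be changed, so the useful runtime action is to detect drift.

# grsec_check CFGFILE PROCPATH
# Prints one line per option whose kernel value differs from the config
# (DRIFT) or that the config does not mention (UNCONFIGURED).
# Returns the number of such options (0 = kernel matches the config).
grsec_check() {
    cfg=$1
    proc=$2
    bad=0
    for entry in "$proc"/*; do
        [ -f "$entry" ] || continue
        name=$(basename "$entry")
        # first "name=value" line; anchored so rand_ttl does not
        # match rand_ttl_thresh, and comment lines never match
        want=$(sed -n "s/^${name}=//p" "$cfg" | head -n 1)
        have=$(cat "$entry")
        if [ -z "$want" ]; then
            echo "UNCONFIGURED $name kernel=$have"
            bad=$((bad + 1))
        elif [ "$want" != "$have" ]; then
            echo "DRIFT $name config=$want kernel=$have"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Constructed sample standing in for /proc/sys/kernel/grsecurity and
# /etc/grsec.conf so the check runs offline. Prints the temp directory.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/proc"
    printf '1\n' > "$d/proc/grsec_lock"
    printf '1\n' > "$d/proc/stealth_icmp"
    printf '0\n' > "$d/proc/rand_pids"          # config says 1: DRIFT
    printf '1\n' > "$d/proc/chroot_deny_mount"  # not in config: UNCONFIGURED
    printf '%s\n' "# constructed grsec.conf" "grsec_lock=1" \
        "stealth_icmp=1" "rand_pids=1" > "$d/grsec.conf"
    echo "$d"
}

if [ $# -eq 2 ]; then
    grsec_check "$1" "$2"
fi
```

Run as `sh grsec_check.sh /etc/grsec.conf /proc/sys/kernel/grsecurity`; a non-zero exit status means the kernel's settings no longer match the file.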
