From: Sebastian Werner
To: gentoo-dev@gentoo.org
Date: 13 Dec 2001 18:52:54 +0100
Subject: [gentoo-dev] grsecurity support
Message-Id: <1008265978.20651.4.camel@wp.smile>
List-Id: Developer discussion list

Hey, I would like to protect my system against hackers, so I patched my kernel with grsecurity (www.grsecurity.org). It is a patch like openwall++. I have written a script to read a config file in /etc and an init.d script to start it while booting (grsecurity can use sysctl; you need to enable it to use these scripts!).

You can use 'grsec init' to create a config file with all options disabled. Enable the ones you like. Then start the init.d script with '/etc/init.d/grsec start' or add it to your boot runlevel with 'rc-update add grsec boot'.

OK, please try it and tell me your suggestions.

Thanks,
Sebastian Werner

--- Attachment 1: grsec.conf (the config file read by the grsec script) ---

# CFGFILE for GrSecurity - Kernel 2.4 Security Enhancement

# This entry must be set to enable(1) to work
grsec_lock=1

# These are the available options: 1=enable, 0=disable
stealth_flags=0
stealth_igmp=1
stealth_icmp=1
stealth_udp=0
stealth_rst=0
rand_ttl_thresh=0
rand_ttl=0
altered_pings=0
rand_tcp_src_ports=1
rand_ip_ids=1
rand_pids=1
chroot_caps=0
chroot_restrict_nice=0
chroot_deny_ptrace=1
chroot_deny_mknod=1
chroot_deny_chmod=1
chroot_deny_chdir=1
chroot_deny_chroot=1
chroot_deny_mount=1
chroot_restrict_sigs=0
rand_net=0
secure_kbmap=1
coredump=1
execve_limiting=0
secure_fds=0
fifo_restrictions=1
linking_restrictions=1

--- Attachment 2: grsec (the init.d runscript, goes to /etc/init.d/grsec) ---

#!/sbin/runscript
# apply grsecurity options in /etc/grsec.conf
# with sysctl to the kernel

depend() {
    need clock localmount
}

start() {
    ebegin "Enable advanced network and system-protection (grsec)"
    # capture the exit status of grsec itself, not of logger at the end
    # of the pipe, so that eend reports a failed apply as a failure
    out=$(grsec start 2>&1)
    rc=$?
    echo "$out" | /usr/bin/logger -t "grsec" -p daemon.notice
    eend $rc
}

--- Attachment 3: grsec (the script that writes the config into the sysctl tree) ---

#!/bin/bash
# grsec: write the options from /etc/grsec.conf into the grsecurity
# sysctl tree.  Usage: grsec [start|init|stop]

CFGFILE="/etc/grsec.conf"
PROCPATH="/proc/sys/kernel/grsecurity"
CTLFLAG="grsec_lock"

# Look up one option in the config file, ignoring comment lines.  The
# pattern is anchored at the start of the line so that e.g. "rand_ttl="
# cannot match inside "rand_ttl_thresh=".
cfg_value() {
    grep -v '^[[:space:]]*#' "$CFGFILE" | grep "^$1=" | cut -d= -f2
}

if [ "$(id -u)" != 0 ]; then
    echo "ERROR:"
    echo "You must be root to set grsec vars!"
    exit 1
fi

if [ ! -d "$PROCPATH" ]; then
    echo "ERROR:"
    echo "It seems that the grsecurity sysctl option isn't enabled"
    exit 1
fi

if [ -z "$1" ]; then
    echo "ERROR:"
    echo "Please call me: $0 [start|init|stop]"
    exit 1
fi

if [ "$(cat "$PROCPATH/$CTLFLAG")" = "1" ] && [ "$1" = "start" ]; then
    echo "ERROR:"
    echo "Sorry: $CTLFLAG is set to 1. Changes are not possible until reboot!"
    exit 1
fi

if [ "$1" = "init" ]; then
    if [ -e "$CFGFILE" ]; then
        echo -n "Are you sure you want to overwrite the current config file $CFGFILE? [y|n] "
        read -r input
        if [ "$input" = "y" ]; then
            # %H instead of %k: %k pads the hour with a space, which
            # would end up inside the backup file name
            backup="${CFGFILE}_$(date +'%d%m%y%H%M%S')"
            echo "Creating backup of old file -> $backup"
            cp "$CFGFILE" "$backup"
        else
            exit
        fi
    fi
    echo "Creating new config file: $CFGFILE"
    {
        echo "# CFGFILE for GrSecurity - Kernel 2.4 Security Enhancement"
        echo " "
        echo "# This entry must be set to enable(1) to work"
        echo "${CTLFLAG}=0"
        echo " "
        echo "# These are the available options: 1=enable, 0=disable"
        # every file in the sysctl tree is an option; start with all disabled
        for entry in $(find "$PROCPATH" ! -type d); do
            Ename=$(basename "$entry")
            if [ "$Ename" != "$CTLFLAG" ]; then
                echo "${Ename}=0"
            fi
        done
    } > "$CFGFILE"
fi

if [ "$1" = "stop" ]; then
    echo "Sorry, there is no stop possible."
    echo "After $CTLFLAG is set, all options are read-only."
    echo "Change the settings in the config file and reboot!"
fi

if [ "$1" = "start" ]; then
    Enable=0
    for entry in $(find "$PROCPATH" ! -type d); do
        Ename=$(basename "$entry")
        if [ "$Ename" = "$CTLFLAG" ]; then
            # remember the lock setting; it is applied last, after
            # every other option has been written
            Enable=$(cfg_value "$Ename")
            continue
        fi
        Evalue=$(cfg_value "$Ename")
        case "$Evalue" in
            0) echo -n "Disabling $Ename: " ;;
            1) echo -n "Enabling $Ename: " ;;
            *) echo "No valid value for $Ename in $CFGFILE (left unchanged)"
               continue ;;
        esac
        if echo "$Evalue" > "$PROCPATH/$Ename"; then
            echo "ok"
        else
            echo "error"
        fi
    done
    echo " "
    if [ "$Enable" = "1" ]; then
        echo -n "Enabling GrSecurity: "
        if echo 1 > "$PROCPATH/$CTLFLAG"; then
            echo "ok"
        else
            echo "error"
        fi
    else
        echo "Please set $CTLFLAG to 1 to enable"
    fi
fi
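The post's scripts have one property worth handling explicitly: once grsec_lock is written as 1, the whole sysctl tree is read-only until reboot, so an option that is misspelled or missing in the config file is left at its kernel default and then locked in that state. The following is an added example, not code from Sebastian's post or from the grsecurity project: a POSIX sh version of the same apply-and-lock procedure that validates every line of the config before it writes anything, writes the lock entry last, and adds a drift check that compares the config against what the kernel currently reports. The sysctl directory and the lock name are parameters (assumed to be /proc/sys/kernel/grsecurity and grsec_lock on a real system) so the functions can be exercised against a scratch directory; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Applies a key=value config to a
# grsecurity-style sysctl directory, fails closed on bad input, locks last.
# PROCPATH and CFGFILE are parameters so the functions can be exercised
# against a scratch directory standing in for /proc/sys/kernel/grsecurity.

# read_conf FILE: print one "key=value" token per line, with comments,
# blank lines and whitespace (including CR) stripped.
read_conf() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"
}

# apply_grsec CFGFILE PROCPATH [LOCKNAME]
# Returns 0 on success, 1 on any problem. Nothing is written if validation
# fails, and the lock is only written after every other option succeeded.
apply_grsec() {
    cfg=$1; proc=$2; lock=${3:-grsec_lock}
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    [ -d "$proc" ] || { echo "no sysctl dir $proc" >&2; return 1; }
    if [ "$(cat "$proc/$lock" 2>/dev/null)" = "1" ]; then
        echo "$lock already set; settings are read-only until reboot" >&2
        return 1
    fi
    want_lock=0
    # Pass 1: validate every line before touching the kernel, so a typo
    # cannot leave an option at its default and then get it locked there.
    for kv in $(read_conf "$cfg"); do
        key=${kv%%=*}; val=${kv#*=}
        case "$val" in
            0|1) ;;
            *) echo "bad value '$val' for $key" >&2; return 1 ;;
        esac
        [ -f "$proc/$key" ] || { echo "unknown option $key" >&2; return 1; }
        if [ "$key" = "$lock" ]; then want_lock=$val; fi
    done
    # Pass 2: write everything except the lock.
    for kv in $(read_conf "$cfg"); do
        key=${kv%%=*}; val=${kv#*=}
        if [ "$key" = "$lock" ]; then continue; fi
        echo "$val" > "$proc/$key" || { echo "write $key failed" >&2; return 1; }
    done
    # Pass 3: lock last, so a failed write above never ends in a locked
    # but wrong state.
    if [ "$want_lock" = 1 ]; then
        echo 1 > "$proc/$lock" || return 1
    fi
    return 0
}

# check_grsec CFGFILE PROCPATH: report drift between the config and the
# kernel. The return value is the number of mismatches (0 = in sync).
check_grsec() {
    cfg=$1; proc=$2; bad=0
    for kv in $(read_conf "$cfg"); do
        key=${kv%%=*}; val=${kv#*=}
        cur=$(cat "$proc/$key" 2>/dev/null || echo missing)
        if [ "$cur" != "$val" ]; then
            echo "$key: config=$val kernel=$cur"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Real use (as root, grsecurity sysctl support enabled in the kernel):
#   apply_grsec /etc/grsec.conf /proc/sys/kernel/grsecurity
#   check_grsec /etc/grsec.conf /proc/sys/kernel/grsecurity
```

check_grsec is the part the original scripts lack: after boot it tells you whether the running kernel matches the file, which is the only thing you can still do once the lock is set. Because the lock makes the tree read-only, any mismatch it reports means a config fix plus a reboot, exactly as the post's stop handler says.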