[gentoo-dev] grsecurity support
From: Sebastian Werner @ 2001-12-13 17:52 UTC
To: gentoo-dev
Hey,
I like to protect my system against hackers, so I patched my kernel with
grsecurity (www.grsecurity.org). It is a patch like openwall++. I have
written a script to read a config file in /etc and an init.d script to
start this while booting (grsecurity can use sysctl - you need to
enable it to use these scripts!).
You can use 'grsec init' to create a config file with all options
disabled. Enable the ones you like. Then start the init.d script with
'/etc/init.d/grsec start' or add it to your boot runlevel with 'rc-update add
grsec boot'.
Ok, please try it and send me your suggestions.
Thanks,
Sebastian Werner
[-- Attachment #2: grsec.conf --]
# CFGFILE for GrSecurity - Kernel 2.4 Security Enhancement
# This entry must be set to 1 (enable) to work
grsec_lock=1
# These are the available options: 1=enable, 0=disable
stealth_flags=0
stealth_igmp=1
stealth_icmp=1
stealth_udp=0
stealth_rst=0
rand_ttl_thresh=0
rand_ttl=0
altered_pings=0
rand_tcp_src_ports=1
rand_ip_ids=1
rand_pids=1
chroot_caps=0
chroot_restrict_nice=0
chroot_deny_ptrace=1
chroot_deny_mknod=1
chroot_deny_chmod=1
chroot_deny_chdir=1
chroot_deny_chroot=1
chroot_deny_mount=1
chroot_restrict_sigs=0
rand_net=0
secure_kbmap=1
coredump=1
execve_limiting=0
secure_fds=0
fifo_restrictions=1
linking_restrictions=1
[-- Attachment #3: grsec (the init.d script) --]
#!/sbin/runscript
# apply the grsecurity options in /etc/grsec.conf
# to the kernel with sysctl (by calling the grsec script)
depend() {
    need clock localmount
}

start() {
    ebegin "Enable advanced network and system protection (grsec)"
    grsec start 2>&1 | /usr/bin/logger -t "grsec" -p daemon.notice
    # $? after the pipeline would be logger's status; PIPESTATUS[0]
    # (bash) is the exit status of grsec itself
    eend ${PIPESTATUS[0]}
}
[-- Attachment #4: grsec (the script called by the init.d script) --]
#!/bin/bash
# grsec: "init" writes a fresh /etc/grsec.conf with every option disabled,
# "start" writes the options from that file to the grsecurity sysctl tree
# and then sets the lock flag so they cannot be changed again until reboot.
CFGFILE="/etc/grsec.conf"
PROCPATH="/proc/sys/kernel/grsecurity"
CTLFLAG="grsec_lock"

if [ "`id -u`" != 0 ]; then
    echo "ERROR:"
    echo "You must be root to set grsec vars!"
    exit 1
fi
if [ ! -d "$PROCPATH" ]; then
    echo "ERROR:"
    echo "It seems that the grsecurity sysctl option isn't enabled"
    exit 1
fi
if [ -z "$1" ]; then
    echo "ERROR:"
    echo "Please call me: $0 [start|init]"
    exit 1
fi
# once the lock flag is 1 the kernel refuses any further change
if [ "`cat ${PROCPATH}/${CTLFLAG}`" = "1" -a "$1" = "start" ]; then
    echo "ERROR:"
    echo "Sorry: $CTLFLAG is set to 1. Changes not possible!"
    exit 1
fi

if [ "$1" = "init" ]; then
    if [ -e "$CFGFILE" ]; then
        echo -n "Are you sure you want to overwrite the current config file $CFGFILE? [y|n] "
        read input
        if [ "$input" = "y" ]; then
            # %H instead of %k: %k pads the hour with a space, which
            # would put a blank into the backup file name
            BACKUP="${CFGFILE}_`date +'%d%m%y%H%M%S'`"
            echo "Creating backup of old file -> $BACKUP"
            cp "$CFGFILE" "$BACKUP"
        else
            exit
        fi
    fi
    echo "Creating new config file: ${CFGFILE}"
    echo "# CFGFILE for GrSecurity - Kernel 2.4 Security Enhancement" > "$CFGFILE"
    echo " " >> "$CFGFILE"
    echo "# This entry must be set to 1 (enable) to work" >> "$CFGFILE"
    echo "${CTLFLAG}=0" >> "$CFGFILE"
    echo " " >> "$CFGFILE"
    echo "# These are the available options: 1=enable, 0=disable" >> "$CFGFILE"
    # one line per sysctl entry, all disabled; the lock flag was written above
    for entry in `find "$PROCPATH" ! -type d`; do
        Ename=`basename $entry`
        if [ "$Ename" != "$CTLFLAG" ]; then
            echo "${Ename}=0" >> "$CFGFILE"
        fi
    done
fi

if [ "$1" = "stop" ]; then
    echo "Sorry, there is no stop possible."
    echo "After setting $CTLFLAG all options are read-only."
    echo "Change the settings in the config file and reboot!"
fi

if [ "$1" = "start" ]; then
    # set every option first; the lock flag is written last, after the loop
    for entry in `find "$PROCPATH" ! -type d`; do
        Ename=`basename $entry`
        if [ "$Ename" != "$CTLFLAG" ]; then
            # anchored match so that e.g. rand_ttl cannot pick up another
            # option's line; comment lines are skipped
            Evalue=`grep -v "^#" "$CFGFILE" | grep "^${Ename}=" | cut -d= -f2`
            if [ "$Evalue" = 0 ]; then
                echo -n "Disabling $Ename: "
                echo 0 > "${PROCPATH}/$Ename" && echo "ok" || echo "error"
            elif [ "$Evalue" = 1 ]; then
                echo -n "Enabling $Ename: "
                echo 1 > "${PROCPATH}/$Ename" && echo "ok" || echo "error"
            else
                # empty (option missing from the config file) or not 0/1
                echo "Unknown option for $Ename: '$Evalue'"
            fi
        else
            Enable=`grep -v "^#" "$CFGFILE" | grep "^${CTLFLAG}=" | cut -d= -f2`
        fi
    done
    echo " "
    if [ "$Enable" = "1" ]; then
        echo -n "Enabling GrSecurity: "
        echo 1 > "${PROCPATH}/${CTLFLAG}" && echo "ok" || echo "error"
    else
        echo "Please set $CTLFLAG to 1 to enable"
    fi
fi
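As an added check that is not part of Sebastian's post or scripts: an audit script (hypothetical file name grsec-audit.sh) that compares the live sysctl tree with /etc/grsec.conf after boot and confirms the lock flag is set, since once grsec_lock is 1 a wrong value can only be corrected by editing the file and rebooting. The two optional arguments default to the paths the post uses; they exist so the function can also be run against a constructed tree.

```shell
#!/bin/bash
# grsec-audit.sh (added example, not from the original post): report every
# option whose live value in the grsecurity sysctl tree differs from the
# config file, and whether the lock flag is set. Exit status: 0 = all
# consistent, 1 = mismatches found, 2 = no grsecurity sysctl tree.
grsec_audit() {
    local cfg="${1:-/etc/grsec.conf}"
    local procdir="${2:-/proc/sys/kernel/grsecurity}"
    local mismatches=0 name want have

    [ -d "$procdir" ] || { echo "no grsecurity sysctl tree at $procdir"; return 2; }

    # Without the lock every option is still writable by root.
    have=$(cat "$procdir/grsec_lock" 2>/dev/null)
    if [ "$have" != "1" ]; then
        echo "grsec_lock is '$have', options are not locked"
        mismatches=$((mismatches + 1))
    fi

    # name=value lines only; blank lines, comments and the lock line are skipped.
    # IFS of space and '=' also drops the stray whitespace-only lines that
    # 'grsec init' writes into the file.
    while IFS=' =' read -r name want || [ -n "$name" ]; do
        case "$name" in ''|\#*|grsec_lock) continue ;; esac
        if [ ! -f "$procdir/$name" ]; then
            echo "$name: in config but unknown to this kernel"
            mismatches=$((mismatches + 1))
            continue
        fi
        have=$(cat "$procdir/$name")
        if [ "$have" != "$want" ]; then
            echo "$name: config says $want, kernel has $have"
            mismatches=$((mismatches + 1))
        fi
    done < "$cfg"

    echo "$mismatches mismatch(es)"
    [ "$mismatches" -eq 0 ]
}

# Run the audit only when executed as grsec-audit.sh, so the file can
# also be sourced to reuse the function.
case "${0##*/}" in grsec-audit.sh) grsec_audit "$@" ;; esac
```

Run it from cron or after boot and alert on a non-zero exit; an option that the kernel does not know about usually means the config file predates a kernel or patch upgrade.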