Open conorsch opened 6 years ago
Funny, was thinking about this recently. Here's /etc/sysctl.d/grsec.conf
from linux-grsec-base (note, some of these, like socket restrictions and TPE are not provided by the automatic config strategy):
## Address Space Protection
# Disable privileged io: iopl(2) and ioperm(2)
# Warning: Xorg without modesetting needs it to be 0
kernel.grsecurity.disable_priv_io = 1
kernel.grsecurity.deter_bruteforce = 1
kernel.grsecurity.deny_new_usb = 0
kernel.grsecurity.harden_ipc = 1
## Filesystem Protections
# Prevent symlinks/hardlinks exploits (don't follow symlink on world-writable +t
# folders)
kernel.grsecurity.linking_restrictions = 1
# Prevent writing to fifo not owned in world-writable +t folders
kernel.grsecurity.fifo_restrictions = 1
# Chroot restrictions
kernel.grsecurity.chroot_deny_bad_rename = 1
kernel.grsecurity.chroot_deny_mount = 1
kernel.grsecurity.chroot_deny_chroot = 1
kernel.grsecurity.chroot_deny_pivot = 1
kernel.grsecurity.chroot_enforce_chdir = 1
kernel.grsecurity.chroot_deny_chmod = 1
kernel.grsecurity.chroot_deny_fchdir = 1
kernel.grsecurity.chroot_deny_mknod = 1
kernel.grsecurity.chroot_deny_shmat = 1
kernel.grsecurity.chroot_deny_unix = 1
kernel.grsecurity.chroot_findtask = 1
kernel.grsecurity.chroot_restrict_nice = 1
kernel.grsecurity.chroot_deny_sysctl = 1
kernel.grsecurity.chroot_caps = 1
## Kernel Auditing
kernel.grsecurity.exec_logging = 1
kernel.grsecurity.audit_chdir = 1
# By default exec_logging and audit_chdir only target members of audit_gid, you
# can change that by setting audit_group to 0
kernel.grsecurity.audit_group = 1
# You can also override audit_gid to use another group
kernel.grsecurity.audit_gid = 0
kernel.grsecurity.resource_logging = 1
kernel.grsecurity.chroot_execlog = 1
kernel.grsecurity.audit_ptrace = 1
kernel.grsecurity.audit_mount = 1
kernel.grsecurity.signal_logging = 1
kernel.grsecurity.forkfail_logging = 1
kernel.grsecurity.timechange_logging = 1
kernel.grsecurity.rwxmap_logging = 1
## Executable Protections
kernel.grsecurity.dmesg = 1
kernel.grsecurity.consistent_setxid = 1
# Trusted execution
# Add users to the 64040 (grsec-tpe) group to enable them to execute binaries
# from untrusted directories
kernel.grsecurity.tpe = 1
kernel.grsecurity.tpe_invert = 1
kernel.grsecurity.tpe_restrict_all = 1
kernel.grsecurity.tpe_gid = 64040
## Kernel-enforce SymlinkIfOwnerMatch
kernel.grsecurity.enforce_symlinksifowner = 1
kernel.grsecurity.symlinkown_gid = 33
## Network Protections
kernel.grsecurity.ip_blackhole = 1
kernel.grsecurity.lastack_retries = 4
# Socket restrictions
# If the setting is enabled and an user is added to relevant group, she won't
# be able to open this kind of socket
kernel.grsecurity.socket_all = 1
kernel.grsecurity.socket_all_gid = 64041
kernel.grsecurity.socket_client = 1
kernel.grsecurity.socket_client_gid = 64042
kernel.grsecurity.socket_server = 1
kernel.grsecurity.socket_server_gid = 64043
# Ptrace
kernel.grsecurity.harden_ptrace = 1
kernel.grsecurity.ptrace_readexec = 1
# Protect mounts
# don't try to set it to 0, it'll fail, just let it commented
# kernel.grsecurity.romount_protect = 1
# PAX
kernel.pax.softmode = 0
# Disable module loading
# This is not a grsecurity anymore, but you might still want to disable module
# loading so no code is inserted into the kernel
# kernel.modules_disabled=1
# Once you're satisfied with settings, set grsec_lock to 1 so noone can change
# grsec sysctl on a running system
kernel.grsecurity.grsec_lock = 1
# vim: filetype=conf:
Just wanted to push on this since I think it should be prioritized. As I pointed out long ago, FPF pretty much follows a "compile-and-forget" strategy as regards grsecurity (I'm thinking of SecureDrop), when you have a number of logging options, TPE, socket restrictions, and a couple of hardening flags at your disposal, so you're not getting the most mileage. How are you considering implementing? I'm personally a fan of dropping a file in /etc/sysctl.d
(perhaps a template if necessary) rather than variablizing everything and using the sysctl module, but I'd understand the objections.
There are a number of grsecurity-specific kernel options that should be set by the install role. In the spirit of sane defaults, let's enable the high-security options as default, and provide a dict that can be overridden for different site configurations.
This issue was ported from the old repo at https://github.com/freedomofpress/ansible-role-grsecurity/issues/39