fiasko's home page

Debian Kernel Repository


Grsecurity extension

The 2.4.*-fiasko and 2.6.*-fiasko kernels are patched with the grsecurity extension. It is highly recommended that you read the grsecurity documentation before using these kernels!

The common kernel configuration enables the PaX extension and the security mechanisms that are configurable through the SYSCTL interface. There are no /proc filesystem restrictions for members of the adm(4) group.

SYSCTL interface

The grsecurity configuration can be managed at runtime through the SYSCTL interface (kernel.grsecurity.*). This example activates most options.

CAUTION: The last entry, grsec_lock, makes the configuration permanent until the next reboot. Without it, these options could be deactivated again at runtime without needing a reboot!

Sample lines for /etc/sysctl.conf:

### logging
kernel.grsecurity.audit_mount=1
kernel.grsecurity.forkfail_logging=1
kernel.grsecurity.signal_logging=1
kernel.grsecurity.timechange_logging=1

### harden chroot
kernel.grsecurity.chroot_caps=1
kernel.grsecurity.chroot_deny_chmod=1
kernel.grsecurity.chroot_deny_chroot=1
kernel.grsecurity.chroot_deny_fchdir=1
kernel.grsecurity.chroot_deny_mknod=1
kernel.grsecurity.chroot_deny_mount=1
kernel.grsecurity.chroot_deny_pivot=1
kernel.grsecurity.chroot_deny_shmat=1
kernel.grsecurity.chroot_deny_sysctl=1
kernel.grsecurity.chroot_deny_unix=1
kernel.grsecurity.chroot_enforce_chdir=1
kernel.grsecurity.chroot_findtask=1
kernel.grsecurity.chroot_restrict_nice=1

### prohibit dmesg access
kernel.grsecurity.dmesg=1

### force resource limits on execve calls
kernel.grsecurity.execve_limiting=1

### restricted access on +t directories
kernel.grsecurity.fifo_restrictions=1
kernel.grsecurity.linking_restrictions=1

### ID creation randomization
kernel.grsecurity.rand_pids=1
kernel.grsecurity.rand_tcp_src_ports=1

### IMPORTANT: lock the configuration until the next reboot (keep this entry last)
kernel.grsecurity.grsec_lock=1
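Because sysctl -p applies the file top to bottom and the kernel refuses further kernel.grsecurity.* writes once grsec_lock=1 is set, the position of the lock entry matters. The following POSIX sh check is an added example, not part of the original page or the repository: it verifies that a sysctl.conf fragment contains grsec_lock=1 and that no grsecurity key follows it; the sample fragments it inspects are constructed here.

```shell
#!/bin/sh
# Added example, not from the original page: check a sysctl.conf fragment
# before loading it with `sysctl -p` on a grsecurity kernel. Once
# kernel.grsecurity.grsec_lock=1 is applied, later kernel.grsecurity.*
# writes are refused until reboot, so the lock must be the last such entry.
#
# check_grsec_order FILE
#   exit 0: grsec_lock=1 present and no grsecurity key follows it
#   exit 1: a kernel.grsecurity.* key appears after grsec_lock=1
#   exit 2: grsec_lock=1 missing (configuration would stay changeable)
check_grsec_order() {
    awk '
        # skip blank lines and comment-only lines
        /^[ \t]*(#.*)?$/ { next }
        {
            sub(/#.*/, "")         # drop trailing comments
            gsub(/[ \t]/, "")      # tolerate "key = value" spacing
            n = split($0, kv, "=")
            if (n != 2 || kv[1] !~ /^kernel\.grsecurity\./) next
            if (locked) { bad = 1; exit }
            if (kv[1] == "kernel.grsecurity.grsec_lock" && kv[2] == "1")
                locked = 1
        }
        END { if (bad) exit 1; if (!locked) exit 2; exit 0 }
    ' "$1"
}

# Constructed sample fragments so the check can be run stand-alone.
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.conf" <<'EOF'
### harden chroot
kernel.grsecurity.chroot_deny_chmod=1
kernel.grsecurity.chroot_deny_mount = 1   # spacing is tolerated
net.ipv4.ip_forward=0
### IMPORTANT: keep this last
kernel.grsecurity.grsec_lock=1
EOF
cat > "$demo_dir/bad.conf" <<'EOF'
kernel.grsecurity.grsec_lock=1
kernel.grsecurity.dmesg=1
EOF

for f in good bad; do
    if check_grsec_order "$demo_dir/$f.conf"; then
        echo "$f.conf: ok"
    else
        echo "$f.conf: problem (exit status $?)"
    fi
done
rm -rf "$demo_dir"
```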

PaX

Some programs may stop working with the new kernel because of the changes the PaX extension makes to the address space layout. Programs such as Java, OpenOffice, wine and XFree 4.x are affected.

The package chpax-apt provides a way to automatically set flags on well-known problematic binaries which deactivate the PaX security functions for those binaries.

For programs which are not handled by chpax-apt, you can adjust these flags yourself with the package chpax.

It is also possible to switch the PaX extension into soft mode with the kernel parameter pax_softmode=1. In soft mode only binaries that were marked at compile time are protected by the PaX extension. Since there are no marked packages in Debian, this effectively deactivates the PaX extension.


04-06-06, Thomas Liske