4. Cambios propuestos a la configuración por defecto de Debian

[Important]Importante

Los cambios que se muestran a continuación, han de ser discutidos y mejorados por los desarrolladores de metadistros:

4.1. Uso de shadow passwords y claves md5

Todo sistema basado en metadistros, debería llevar activas las shadow passwords y las claves con encriptación md5.

Para obtener las shadow passwords, si no se hace con la instalación oficial de Debian, se ha de ejecutar: pwconv, grpconv y finalmente shadowconfig on

Si queremos utilizar las claves md5, hemos de añadir a los archivos /etc/pam.d/login y /etc/pam.d/passwd, la palabra md5 en la siguiente línea:

password   required   pam_unix.so nullok obscure min=4 max=8

4.2. Eurocastellanizar el sistema

Si se trata de una distribución destinada a usuarios hispanoparlantes, ejecutar el script eurocastellanizar. Una vez realizado esto, añadir las siguientes locales al archivo '/etc/locales.gen' y ejecutar locale-gen.

ca_ES.ISO-8859-1
[email protected]
es_ES.ISO-8859-1
[email protected]
eu_ES.ISO-8859-1
[email protected]
gl_ES.ISO-8859-1
[email protected]

4.3. Eliminar servicios no importantes de /etc/inetd.conf

Quitar los servicios “discard”, “daytime”, “time” del archivo de configuración del superservidor inetd (update-inetd) - si es necesario sustituirlo por xinetd.

4.4. Posibles opciones para el /etc/fstab

Algunas opciones que me parecen interesantes para el /etc/fstab

# /etc/fstab: Información estática del sistema de ficheros.
#
# <Sis. ficheros>               <Punto montaje>     <Tipo>      <Opciones>              <volcado> <pasada>
/dev/ide/host0/bus0/target0/lun0/part5  /           reiserfs    rw,nosuid,  dev,  exec,auto,nouser,async 0 0
/dev/ide/host0/bus0/target0/lun0/part1  /boot       reiserfs    ro,nosuid,nodev,noexec,auto,nouser,async 0 0
/dev/disco/root                         /root       reiserfs    rw,nosuid,nodev,  exec,auto,nouser,async 0 0
/dev/disco/home                         /home       reiserfs    rw,nosuid,nodev,noexec,auto,nouser,async 0 0
/dev/disco/tmp                          /tmp        reiserfs    rw,nosuid,nodev,  exec,auto,nouser,async 0 0
/dev/disco/usr                          /usr        reiserfs    ro,nosuid,nodev,  exec,auto,nouser,async 0 0
/dev/disco/var                          /var        reiserfs    rw,nosuid,nodev,noexec,auto,nouser,async 0 0
/dev/disco/log                          /var/log    reiserfs    rw,nosuid,nodev,noexec,auto,nouser,async 0 0
/dev/disco/spool                        /var/spool  reiserfs    rw,nosuid,nodev,noexec,auto,nouser,async 0 0
/dev/sandisco/setuid                    /mnt/setuid reiserfs    ro,  suid,nodev,  exec,auto,nouser,async 0 0

/dev/ide/host0/bus0/target0/lun0/part2  none    swap            sw,pri=1                0       0

proc                                    /proc   proc            defaults                0       0
/dev/floppy/0                           /floppy auto            rw,nosuid,nodev,noexec,auto,  user,async 0 0
/dev/ide/host0/bus1/target0/lun0/cd     /cdrom  iso9660         ro,nosuid,nodev,noexec,auto,  user,async 0 0

4.5. /etc/apt/apt.conf

Si se han aplicado las opciones del archivo /etc/fstab, sería conveniente incluir estas en el archivo /etc/apt/apt.conf.

DPkg
{
    Pre-Invoke  { "mount /     -o remount,rw" };
    Pre-Invoke  { "mount /usr  -o remount,rw" };
    Pre-Invoke  { "mount /boot -o remount,rw" };
    Pre-Invoke  { "mount /tmp  -o remount,exec" };
    Pre-Invoke  { "mount /var  -o remount,exec" };
    Post-Invoke { "mount /     -o remount,ro" };
    Post-Invoke { "mount /usr  -o remount,ro" };
    Post-Invoke { "mount /boot -o remount,ro" };
    Post-Invoke { "mount /tmp  -o remount,noexec" };
    Post-Invoke { "mount /var  -o remount,noexec" };
};

4.6. /etc/console-tools/config

Añadimos soporte para el Euro en consola.

#
# Soporte para el Euro -> ¤
#
SCREEN_FONT=lat0-sun16
APP_CHARSET_MAP=iso15
#
#DO_VCSTIME=yes
#
# Forget this one unless you _know_ it is necessary for your font:
#
# Soporte para el Euro -> ¤
#
SCREEN_FONT_vc1=lat0-sun16
SCREEN_FONT_vc2=lat0-sun16
SCREEN_FONT_vc3=lat0-sun16
SCREEN_FONT_vc4=lat0-sun16
SCREEN_FONT_vc5=lat0-sun16
SCREEN_FONT_vc6=lat0-sun16

4.7. /etc/dpkg/dselect.cfg

Añadir la palabra 'expert' a /etc/dpkg/dselect.cfg.

4.8. /etc/network/

Añadir el archivo 'interfaces-secure', con el siguiente contenido:

# Script-name: /etc/network/interface-secure
# Modifies some default behaviour in order to secure against
# some TCP/IP spoofing & attacks
#
# Contributed by Dariusz Puchalak
#
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# broadcast echo protection enabled
  echo 0 > /proc/sys/net/ipv4/ip_forward     # ip forwarding disabled
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies # TCP syn cookie protection enabled

# Log packets with impossible addresses
# but be careful with this on heavy loaded web servers
  echo 1 >/proc/sys/net/ipv4/conf/all/log_martians

#  defragging protection always enabled
  echo 1 > /proc/sys/net/ipv4/ip_always_defrag

# bad error message protection enabled
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# now ip spoofing protection
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
  done

# and finally some more things:
# Disable ICMP Redirect Acceptance
  for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
  done

  for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
  done

# Disable Source Routed Packets
  for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
  done

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
  for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
  done
[Note]Nota

Para interfaces que se configuran vía DHCP, hacer lo siguiente:

crear un nuevo archivo denominado '/etc/network/interfaces-arranque' en el cual se ha de añadir la siguiente línea a la configuración de la tarjeta de red de Internet, por ejemplo:

pre-up /etc/network/interface-secure

Una vez hecho esto, se edita el archivo '/etc/network/interfaces' y se añade lo siguiente a la definición de una interfaz de red:

pre-up /etc/network/interface-secure

up /etc/init.d/rc_firewall start

Siendo rc_firewall, el cortafuegos.

finalmente, modificar el archivo '/etc/init.d/networking' para que se llame al archivo /etc/network/interfaces-arranque en lugar de al /etc/network/interfaces, en al arranque.

[Note]Nota

Para interfaces con direcciones fijas, hacer lo siguiente:

Añadir la siguiente línea al archivo '/etc/network/interfaces':

pre-up /etc/network/interface-secure

4.9. PAM

Comentarios a la configuración por defecto de las PAM:

  • Añadir los grupos 'wheel' y 'nosu'. En el primero irán los usuarios a los que les está permitido hacer uso de 'su', y a los que no le está permitido, añadirlos a 'nosu'.

  • chfn, chsh y cron: quitar la entrada 'nullok'

  • login

    * Descomentar las líneas:
    
    		auth       required   pam_issue.so issue=/etc/issue
    		auth       optional   pam_group.so
    		account    requisite  pam_time.so
    		account  required       pam_access.so
    		session    required   pam_limits.so
    
    * Eliminar las entradas 'nullok'
    
    * Comentar la línea:
    
    		# password   required   pam_unix.so nullok obscure min=4 max=8 md5
    
    * Descomentar y modificar las líneas siguientes, para que queden:
    
    		password required       pam_cracklib.so retry=3 minlen=8 difok=4
    		password required       pam_unix.so use_authtok md5
  • other

    * Comentar o borrar las líneas por defecto y añadir las siguientes:
    
    auth     required       pam_securetty.so
    auth     required       pam_unix_auth.so
    auth     required       pam_warn.so
    auth     required       pam_deny.so
    account  required       pam_unix_acct.so
    account  required       pam_warn.so
    account  required       pam_deny.so
    password required       pam_unix_passwd.so
    password required       pam_warn.so
    password required       pam_deny.so
    session  required       pam_unix_session.so
    session  required       pam_warn.so
    session  required       pam_deny.so
  • passwd

    * Comentar la línea:
    
    		password   required   pam_unix.so nullok obscure min=4 max=8 md5
    
    * Descomentar y modificar las dos últimas líneas para que aparezcan como:
    
    		password required       pam_cracklib.so retry=3 minlen=8 difok=4
    		password required       pam_unix.so use_authtok md5
    
    * Eliminar las entradas 'nullok'
  • ssh

    * Comentar la línea:
    
    		password   required     pam_unix.so
    
    * Descomentar y modificar las dos últimas líneas para que aparezcan como:
    
    		password required       pam_cracklib.so retry=3 minlen=8 difok=4
    		password required       pam_unix.so use_authtok md5
  • su

    * Descomentar y modificar las líneas:
    
    		auth       required   pam_wheel.so group=wheel debug
    		auth       required   pam_wheel.so deny group=nosu
    		account    requisite  pam_time.so
    		session    required   pam_limits.so

4.10. /etc/security/limits.conf

Configuración propuesta:

*               hard    core            0
*               soft    nofile          100
*               hard    rss             10000
*               hard    nproc           150
*               soft    fsize           50000
www-data        soft    nofile          100000
@usuarios       hard    core            0
@usuarios       hard    rss             2000
@usuarios       hard    nproc           15
@usuarios       hard    cpu             2
@usuarios       hard    nofile          30
@usuarios       hard    fsize           10000
@usuarios       hard    memlock         5000
@usuarios       hard    data            1000
@usuarios       hard    maxlogins       4
@usuarios       hard    priority        17

Si en nuestro sistema tenemos un usuario, podríamos añadir:

#nombreusuario          soft    fsize           3000000
nombreusuario          hard    nofile          10000000

4.11. /etc/ssh/

Configuracion propuesta para estos archivos:

  • ssh_config: añadir lo siguiente:

    Host *
      Protocol 2
      Ciphers   blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
      Compression yes
      HostKeyAlgorithms ssh-dss,ssh-rsa
  • sshd_config: añadir lo siguiente:

    AllowGroups ssh
    Ciphers blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour

4.12. /etc/group

Si tenemos instalado el parche de grsecurity, y utilizamos la configuración del los núcleos de metadistros, tendríamos que añadir los siguientes grupos:

privileged:x:2000:
trustedpath:x:2002:
socketall:x:2004:
socketclient:x:2005:
socketserver:x:2006:
auditar:x:2007:
[Warning]Aviso

El nombre de los grupos es orientativo, lo que es importate es hacer coincidir los “gid” con aquellos que se añadieron en la configuración de grsecurity cuando se compiló en kernel.

4.13. /etc/hosts.allow

Añadir “sshd: ALL” si es necesario.

4.14. /etc/hosts.deny

Lineas propuestas para incorporarlas a este archivo:

# Desautorizar a todos los hosts con nombre sospechoso
ALL: PARANOID

# Desautorizar a todos los hosts
ALL:ALL

4.15. /etc/inittab

Comentar la línea:

#ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

4.16. /etc/issue, /etc/issue.net y /etc/motd

Añadir la información que se crea conveniente...

4.17. /etc/sysctl.conf

Opciones propuestas:

#
# /etc/sysctl.conf - Configuration file for setting system variables
# See sysctl.conf (5) for information.
#
#

##
# Activamos low-latency
#

# kernel.lowlatency=1



#############################################
# Mejorando el rendimiento del servidor web #
#############################################


#
# Máximo número de archivos abiertos
#

fs/file-max=150000


#
# Aumentamos el número de en la tabla de conexiones
#

net/ipv4/ip_conntrack_max=524288


#
# Aumentamos la cola de backlog
#

net/ipv4/tcp_max_syn_backlog=4096


##############################
# Buffer Overflow Protection #
##############################

# _______________________
# Read-only kernel memory
#
# 	root will not be able to modify the contents of
#	kernel memory.  If module support is removed in addition to enabling
#	this option, the ability of an attacker to insert foreign code into
#	a running kernel is removed.
#

# kernel/grsecurity/read_only_kmem=1


# _______________________
# Fixed mmap restrictions
#
#	If you say Y here, it will be impossible for an attacker to bypass the
#	PaX buffer overflow protection by mmaping an executable memory region
#	with a specific address set.
#

# kernel/grsecurity/mmap_fixed_restrict=1



##########################
# Filesystem protections #
##########################


# ____________________
# Linking restrictions
#
#	/tmp race exploits will be prevented, since users
#	will no longer be able to follow symlinks owned by other users in
#	world-writeable +t directories (i.e. /tmp), unless the owner of the
#	symlink is the owner of the directory. users will also not be
#	able to hardlink to files they do not own.
#

kernel/grsecurity/linking_restrictions=1


# _________________
# FIFO restrictions
#
#	Users will not be able to write to FIFOs they don't
#	own in world-writeable +t directories (i.e. /tmp), unless the owner of
#	the FIFO is the same owner of the directory it's held in.
#

kernel/grsecurity/fifo_restrictions=1


# _______________________
# Secure file descriptors
#
#	set*id binaries will be protected from data spoofing
#	attacks (eg. making a program read /etc/shadow).  The patches do this
#	by opening up /dev/null to any of the stdin, stdout, stderr file descriptors
#	for set*id binaries that are open and run by a user that is not the owner
#	of the file.
#

# kernel/grsecurity/secure_fds=1


# ________________________
# Chroot jail restrictions
#
#
#	* Restricted signals
#
#		Processes inside a chroot will not be able to send
#		signals outside of the chroot.  The only signals allowed are null
#		signals which perform no action, and the parent process sending
#		a certain signal to its child.
#

##kernel/grsecurity/chroot_restrict_sigs=1

#
#	* Deny mounts
#
#		Processes inside a chroot will not be able to
#		mount or remount filesystems.
#

kernel/grsecurity/chroot_deny_mount=1

#
#	* Deny double-chroots
#
#		Processes inside a chroot will not be able to chroot
#		again.  This is a widely used method of breaking out of a chroot jail
#		and should not be allowed.
#

kernel/grsecurity/chroot_deny_chroot=1

#
#	* Enforce chdir("/") on all chroots
#
#		The current working directory of all newly-chrooted
#		applications will be set to the the root directory of the chroot.
#		The man page on chroot(2) states:
#		Note that this call does not change  the  current  working
#		directory,  so  that `.' can be outside the tree rooted at
#		`/'.  In particular, the  super-user  can  escape  from  a
#		`chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
#
#		It is recommended that you say Y here, since it's not known to break
#		any software.
#

#kernel/grsecurity/chroot_deny_chdir=1

#
#	* Deny (f)chmod +s
#
#		Processes inside a chroot will not be able to chmod
#		or fchmod files to make them have suid or sgid bits.  This protects
#		against another published method of breaking a chroot.
#

kernel/grsecurity/chroot_deny_chmod=1

#
#	* Deny mknod
#
#		Processes inside a chroot will not be allowed to
#		mknod.  The problem with using mknod inside a chroot is that it
#		would allow an attacker to create a device entry that is the same
#		as one on the physical root of your system, which could range from
#		anyhing from the console device to a device for your harddrive (which
#		they could then use to wipe the drive or steal data).  It is recommended
#		that you say Y here, unless you run into software incompatibilities.
#

kernel/grsecurity/chroot_deny_mknod=1

#
#	* Deny ptraces
#
#		Processes inside a chroot will not be able to ptrace
#		other processes.  Ptracing a process allows one to attach and alter the
#		flow of execution for the process.  It is strongly recommended that you
#		say Y here.
#

##kernel/grsecurity/chroot_deny_ptrace=1

#
#	* Restrict priority changes
#
#		Processes inside a chroot will not be able to raise
#		the priority of processes in the chroot, or alter the priority of
#		processes outside the chroot.  This provides more security than simply
#		removing CAP_SYS_NICE from the process' capability set.
#

kernel/grsecurity/chroot_restrict_nice=1


# _____________________________________
# Capability restrictions within chroot
#
#	The capabilities on all root processes within a
#	chroot jail will be lowered to stop module insertion, raw i/o,
#	system and net admin tasks, transferring capabilities, and
#	tty configuration tasks.  This is left an option because it breaks
#	some apps.  Disable this if your chrooted apps are having
#	problems performing those kinds of tasks.
#

kernel/grsecurity/chroot_caps=1


# _____________________
# Secure keymap loading
#
#	KDSKBENT and KDSKBSENT ioctl calls being
#	called by unprivileged users will be denied. If you answer N,
#	everyone with access to the console will be able to modify keyboard
#	bindings.
#

# kernel/grsecurity/secure_kbmap=1



####################
# Security Logging #
####################


# _________________________
# Single group for auditing
#
#	the exec, chdir, (un)mount, and ipc logging features
#	will only operate on a group you specify.  This option is recommended
#	if you only want to watch certain users instead of having a large
#	amount of logs from the entire system.
#

kernel/grsecurity/audit_group=1



#
#	* GID for auditing
#			
#		Here you can choose the GID that will be the target of
#		kernel auditing. Remember to add the users you want to log
#		to the GID specified here. If the sysctl option is
#		enabled, whatever you choose here won't matter. You'll have to
#		specify the GID in your bootup script by echoing the GID to
#		the proper /proc entry.  View the help on the sysctl option for
#		more information.
#

kernel/grsecurity/audit_gid=2007


# ____________
# Exec logging
#
#	All execve() calls will be logged (since the
#	other exec*() calls are frontends to execve(), all execution
#	will be logged).  Useful for shell-servers that like to keep track
#	of their users.
#
#	WARNING: This option when enabled will produce a LOT of logs, especially
#	on an active system.
#

kernel/grsecurity/exec_logging=0


# _______________________
# Log execs within chroot
#
#	All executions inside a chroot jail will be logged
#	to syslog.
#

kernel/grsecurity/chroot_execlog=1


# _____________
# Chdir logging
#
#	All chdir() calls will be logged.
#

kernel/grsecurity/audit_chdir=0


# _________________
# (Un)Mount logging
#
#	All mounts and unmounts will be logged.
#

kernel/grsecurity/audit_mount=1


# ___________
# IPC logging
#
#	creation and removal of message queues, semaphores,
#	and shared memory will be logged.
#

kernel/grsecurity/audit_ipc=1


# ______________
# Ptrace logging
#
#	All successful ptraces will be logged. Ptraces are
#	special operations performed when programs like strace or gdb are run.
#	They have also been the focus of some kernel vulnerabilities.
#

###kernel/grsecurity/audit_ptrace=1


# ______________
# Signal logging
#
#	Certain important signals will be logged, such as
#	SIGSEGV, which will as a result inform you of when a error in a program
#	occurred, which in some cases could mean a possible exploit attempt.
#

kernel/grsecurity/signal_logging=0


# ____________________
# Fork failure logging
#
#	All failed fork() attempts will be logged.
#	This could suggest a fork bomb, or someone attempting to overstep
#	their process limit.
#

kernel/grsecurity/forkfail_logging=1


# ____________________________
# Set*id logging for all users
#
#	All set*id() calls will be logged.  Such information
#	could be useful when detecting a possible intrusion attempt.  This
#	option can produce a lot of logs on an active system.
#

# kernel/grsecurity/suid_logging=0


# ___________________
# Time change logging
#
#	Any changes of the system clock will be logged.
#

kernel/grsecurity/timechange_logging=0



##########################
# Executable Protections #
##########################


# _____________________
# Exec process limiting
#
#	Users with a resource limit on processes will
#	have the value checked during execve() calls.  The current system
#	only checks the system limit during fork() calls.
#

kernel/grsecurity/execve_limiting=1


# ___________________________
# Dmesg(8) restriction
#
#	Non-root users will not be able to use dmesg(8)
#	to view up to the last 4kb of messages in the kernel's log buffer.
#

kernel/grsecurity/dmesg=1


# _______________
# Randomized PIDs
#
#	All PIDs created on the system will be
#	pseudo-randomly generated.  This is extremely effective along
#	with the /proc restrictions to disallow an attacker from guessing
#	pids of daemons, etc.  PIDs are also used in some cases as part
#	of a naming system for temporary files, so this option would keep
#	those filenames from being predicted as well.  We also use code
#	to make sure that PID numbers aren't reused too soon.
#

kernel/grsecurity/rand_pids=1


# _____________________________
# Limit uid/gid changes to root
#
#	You will be able choose from three option that
#	will allow you to restrict access to the root account by console
#	type.  These options should only be enabled if you are sure of what
#	you're doing.  Also note that they only apply to processes that have
#	ttys, which generally involves some kind of user-interaction.  The
#	options are basically in place to keep users on a system who have a
#	(stolen) password for root from using it unless their console
#	credentials match.
#


#
#	* Deny physical consoles (tty)
#
#		Access to root from physical consoles will be
#		denied. This is only recommended for rare cases where you will
#		never need to be physically at the machine.
#

# kernel/grsecurity/deny_phys_root=0

#
#	* Deny serial consoles (ttyS)
#
#		Access to root from serial consoles will be
#		denied. Most people can say Y here, since most don't use serial
#		devices for their console access.  If you are unsure, say N.

# kernel/grsecurity/deny_serial_root=1

#
#	* Deny pseudo consoles (pty)
#
#		Access to root from pseudo consoles will be
#		denied. Pseudo consoles include consoles from telnet, ssh, or any other
#		kind of interactive shell initiated from the network.  Pseudo consoles
#		also include any terminals you use in XFree86.  If you will only be
#		accessing the machine for root access from the physical console, you
#		can say Y here.  Only say Y here if you're sure of what you're doing.

# kernel/grsecurity/deny_pseudo_root=0


# ____________________
# Fork-bomb protection
#
#	You will be able to configure a group to add to users
#	on your system that you want to be unable to fork-bomb the system.
#	You will be able to specify a maximum process limit for the user and
#	set a rate limit for all forks under their uid. (Fork-bombing is a
#	tactic used by attackers that can be enacted in two ways, (1) loading
#	up thousands of processes until the system can't take any more (this
#	method can be stopped outside of the kernel with PAM, however we place
#	protection for it in the kernel to be more complete and reduce overhead),
#	and (2), by forking processes at a rapid rate, and then killing them
#	off, which cannot be protected against in the same way at tactic 1)
#	The rate limit is specified in forks allowed per second.  Set this
#	limit low enough to stop tactic 2, but high enough to allow for
#	normal operation.  The protection will kill the offending process.
#

# kernel/grsecurity/fork_bomb_prot=1

#
#	* GID for restricted users
#
#		Here you can choose the GID to enable fork-bomb protection for.
#		Remember to add the users you want protection enabled for to the GID
#		specified here.  If the sysctl option is enabled, whatever you choose
#		here won't matter. You'll have to specify the GID in your bootup
#		script by echoing the GID to the proper /proc entry.  View the help
#		on the sysctl option for more information.
#

# kernel/grsecurity/fork_bomb_gid=2001

#
#	* Forks allowed per second
#
#		Here you can specify the maximum number of forks allowed per second.
#		You don't want to set this value too low, or else you'll hinder
#		normal operation of your system.  The default value should be fine for
#		most users.
#

# kernel/grsecurity/fork_bomb_sec=40

#
#	* Maximum processes allowed
#
#	Here you can configure the maximum number of processes users in the
#	fork-bomb protected group can run.  I would not recommend setting a
#	value lower than 8, since some programs like man(1) spawn up to 8
#	processes to run.  The default value should be fine for most purposes.
#

# kernel/grsecurity/fork_bomb_max=20


# ______________________
# Trusted path execution
#
#	You will be able to choose a gid to add to the
#	supplementary groups of users you want to mark as "untrusted."
#	These users will not be able to execute any files that are not in
#	root-owned directories writeable only by root.
#
kernel/grsecurity/tpe=1

#
#	* Glibc protection
#
#		All non-root users will not be able to execute
#		any files while glibc specific environment variables such as
#		LD_PRELOAD are set, which could be used to evade the trusted path
#		execution protection.  It also protects against evasion through
#		/lib/ld-2.*  It is recommended you say Y here also.
#

###kernel/grsecurity/tpe_glibc=1

#
#	* Partially restrict non-root users
#
#		All other non-root users will only be allowed to
#		execute files in directories they own that are not group or
#		world-writeable, or in directories owned by root and writeable only by
#		root.
#

kernel/grsecurity/tpe_restrict_all=1

#
#		- GID for untrusted users:
#
#			Here you can choose the GID to enable trusted path protection for.
#			Remember to add the users you want protection enabled for to the GID
#			specified here.  If the sysctl option is enabled, whatever you choose
#			here won't matter. You'll have to specify the GID in your bootup
#			script by echoing the GID to the proper /proc entry.  View the help
#			on the sysctl option for more information.
#

kernel/grsecurity/tpe_gid=2002


# _________________
# Restricted ptrace
#
#	No one but root will be able to ptrace processes.
#	Tracing syscalls inside the kernel will also be disabled.  All allowed
#	ptraces will be logged when this option is enabled.
#

# kernel/grsecurity/restrict_ptrace=1

#
#	* Allow ptrace for group
#
#	You will be able to choose a GID of whose users
#	will be able to ptrace.
#

# kernel/grsecurity/allow_ptrace_group=1

#
#		- GID for ptrace
#
#			Here you can choose the GID of whose users will be able to ptrace.
#			Remember to add the users you want ptrace enabled for to the GID
#			specified here.  If the sysctl option is enabled, whatever you choose
#			here won't matter. You'll have to specify the GID in your bootup
#			script by echoing the GID to the proper /proc entry.  View the help
#			on the sysctl option for more information.
#

# kernel/grsecurity/ptrace_gid=2003



#######################
# Network Protections #
#######################


# _________________
# Randomized IP IDs
#
#	All the id field on all outgoing packets
#	will be randomized.  This hinders os fingerprinters and
#	keeps your machine from being used as a bounce for an untraceable
#	portscan.  Ids are used for fragmented packets, fragments belonging
#	to the same packet have the same id.  By default linux only
#	increments the id value on each packet sent to an individual host.
#	We use a port of the OpenBSD random ip id code to achieve the
#	randomness, while keeping the possibility of id duplicates to
#	near none.
#

kernel/grsecurity/rand_ip_ids=1


# ___________________________
# Randomized TCP source ports
#
#	Situations where a source port is generated on the
#	fly for the TCP protocol (ie. with connect() ) will be altered so that
#	the source port is generated at random, instead of a simple incrementing
#	algorithm.
#

kernel/grsecurity/rand_tcp_src_ports=1

# ___________________________
# Randomized RPC XIDs
#
#	The method of determining XIDs for RPC requests will
#	be randomized, instead of using linux's default behavior of simply
#	incrementing the XID.
#

kernel/grsecurity/rand_rpc=1


# ________________
# Altered Ping IDs
#
#	The way Linux handles echo replies will be changed
#	so that the reply uses an ID equal to the ID of the echo request.
#	This will help in confusing OS detection.
#

kernel/grsecurity/altered_pings=1


# ______________
# Randomized TTL
#
#	Your TTL (time to live) for packets will be set at
#	random, with a base level you specify, to further confuse OS detection.
#

# kernel/grsecurity/rand_ttl=1


#
#	* TTL starting point:
#
#		Here you can choose a base TTL for the randomization.  The default value
#		for this setting is the Linux default TTL.  Most users will want to
#		leave this setting as-is.  The higher you set the base level (note that
#		you can't set it above 255) the more hops your packets will live.
#		If the sysctl option is enabled, whatever you choose here won't matter.
#		You'll have to specify the threshold in your bootup script by echoing
#		the threshold to the proper /proc entry.  View the help on the sysctl
#		option for more information.
#

#kernel/grsecurity/rand_ttl_thresh=64


# ___________________________
# Enhanced network randomness
#
#	The functions controlling the randomness
#	of the Linux IP stack will be enhanced to decrease the chances
#	of being able to predict certain packets that require some
#	amount of randomness.
#

### kernel/grsecurity/rand_net=1


# ___________________
# Socket restrictions
#
#	You will be able to choose from several options.
#	If you assign a GID on your system and add it to the supplementary
#	groups of users you want to restrict socket access to, this patch
#	will perform up to three things, based on the option(s) you choose.


#
#	* Deny any sockets to group
#
#		You will be able to choose a GID of whose users will
#		be unable to connect to other hosts from your machine or run server
#		applications from your machine.
#

kernel/grsecurity/socket_all=1

#
#		- GID to deny all sockets for:
#
#			Here you can choose the GID to disable socket access for. Remember to
#			add the users you want socket access disabled for to the GID
#			specified here.  If the sysctl option is enabled, whatever you choose
#			here won't matter. You'll have to specify the GID in your bootup
#			script by echoing the GID to the proper /proc entry.  View the help
#			on the sysctl option for more information.
#

kernel/grsecurity/socket_all_gid=2004

#
#	* Deny client sockets to group
#
#		You will be able to choose a GID of whose users will
#		be unable to connect to other hosts from your machine, but will be
#		able to run servers.  If this option is enabled, all users in the group
#		you specify will have to use passive mode when initiating ftp transfers
#		from the shell on your machine.
#

kernel/grsecurity/socket_client=1

#
#		- GID to deny client sockets for:
#
#			Here you can choose the GID to disable client socket access for.
#			Remember to add the users you want client socket access disabled for to
#			the GID specified here.  If the sysctl option is enabled, whatever you
#			choose here won't matter. You'll have to specify the GID in your bootup
#			script by echoing the GID to the proper /proc entry.  View the help
#			on the sysctl option for more information.
#

kernel/grsecurity/socket_client_gid=2005

#
#	* Deny server sockets to group
#
#		You will be able to choose a GID of whose users will
#		be unable to run server applications from your machine.
#

kernel/grsecurity/socket_server=1

#
#		- GID to deny server sockets for:
#
#			Here you can choose the GID to disable server socket access for.
#			Remember to add the users you want server socket access disabled for to
#			the GID specified here.  If the sysctl option is enabled, whatever you
#			choose here won't matter. You'll have to specify the GID in your bootup
#			script by echoing the GID to the proper /proc entry.  View the help
#			on the sysctl option for more information.
#

kernel/grsecurity/socket_server_gid=2006


# __________________
# Stealth networking
#
#	You will enable several enhancements that will
#	improve your system's protection against portscans.
#	Enabling these options and filtering all open ports should make
#	your machine very hard to detect, while not interfering with (most)
#	normal operation.  All the stealth options break RFC, so there's always the
#	possibility that it might affect how certain network applications react
#	to your system.

#
#	* Do not send RSTs on unserved TCP
#
#		Your machine will not send RSTs (connection resets)
#		on unserved TCP ports.  This will slow down portscanners a great deal,
#		since it has the same effect as dropping all packets to unserved TCP
#		ports.  It will also force clients connecting to a non-open port to
#		time out instead of immediately stating "connection refused."
#

# kernel/grsecurity/stealth_rst=0

#
#	* Do not reply to UDP with ICMP unreachables
#
#		Your machine will not reply with ICMP unreachable
#		packets (type 3) on UDP ports not waiting for data.  This hinders
#		portscanners from scanning your UDP ports.  Enabling the UDP stealth
#		options is known to slow down SSH connection times, and may also
#		interfere with other protocols as well.  Packets travelling across the
#		local loopback interface will not be tampered with.
#

# kernel/grsecurity/stealth_udp=0

#
#	* Do not process ICMP packets
#
#		Your machine will drop all ICMP packets but
#		echo-reply (Which allows you to ping from your machine, while not
#		allowing your machine to be pinged).  Since ICMP packets can be spoofed
#		and are commonly used in Denial of Service attacks, it is recommended
#		that you say Y here.  Theoretically, it is possible that this option
#		could hinder your ability to connect to certain hosts since it also
#		blocks "packet too large" icmp messages, though in reality this
#		occurance is rare.  Packets travelling across the local loopback
#		interface will not be tampered with.
#

# kernel/grsecurity/stealth_icmp=0

#
#	* Do not reply to IGMP requests
#
#		Your machine will drop all IGMP packets.  IGMP
#		stands for Internet Group Management Protocol.  Most users should
#		enable this option, unless you are actually connected to a multicast
#		network, which IGMP is used for.
#

# kernel/grsecurity/stealth_igmp=1

#
#	* Drop packets with illegitimate flags
#
#		Your machine will drop packets with TCP flags that
#		are never used in normal communication.  Such packets are used in
#		"stealth" scans, and should not be allowed.  It is recommended that
#		you say Y here.
#

# kernel/grsecurity/stealth_flags=0


###################
# Network Logging #
###################


# __________________________________
# Log requests to unserved TCP ports
#
#	Your machine will log requests to unserved TCP ports.
#

### kernel/grsecurity/stealth_rst_log=0

# __________________________________
# Log requests to unserved UDP ports
#
#	Your machine will log packets to UDP ports on your
#	system that are not waiting for data. Packets travelling across the
#	local loopback interface will not be logged.
#

### kernel/grsecurity/stealth_udp_log=0

# ________________
# Log ICMP packets
#
#	Your machine will log all ICMP packets but
#	echo-reply.  Packets travelling across the local loopback interface
#	will not be logged.
#

### kernel/grsecurity/stealth_icmp_log=0

# ___________________________________
# Log packets with illegitimate flags
#
#	Your machine will log packets with TCP flags that
#	are never used in normal communication.  Such packets are used in
#	"stealth" scans, and should not be allowed.
#

### kernel/grsecurity/stealth_flags_log=0



##############################
# Miscellaneous Enhancements #
##############################

# ___________________
# BSD-style coredumps
#
#	Linux will use a style similar to BSD for
#	coredumps, core.processname.  Not a security feature, just
#	a useful one.
#

# kernel/grsecurity/coredump=1



##################
# Sysctl support #
##################

# ______________
# Sysctl support
#
#	You will be able to change the options that
#	grsecurity runs with at bootup, without having to recompile your
#	kernel.  You can echo values to files in /proc/sys/kernel/grsecurity
#	to enable (1) or disable (0) various features.  All the sysctl entries
#	are mutable until the "grsec_lock" entry is set to a non-zero value.
#	All features are disabled by default. Please note that this option could
#	reduce the effectiveness of the added security of this patch if an ACL
#	system is not put in place.  Your init scripts should be read-only, and
#	root should not have access to adding modules or performing raw i/o
#	operations.  All options should be set at startup, and the grsec_lock
#	entry should be set to a non-zero value after all the options are set.
#	*THIS IS EXTREMELY IMPORTANT*
#

kernel/grsecurity/grsec_lock=0