Núcleo de las distribuciones basadas en Metadistros

# diff -u 2.4.20.metadistros-servidor.conf 2.4.20.metadistros-usuario.conf

--- 2.4.20.metadistros-servidor.conf	2003-04-13 20:33:54.000000000 +0200
+++ 2.4.20.metadistros-usuario.conf	2003-04-13 20:38:44.000000000 +0200
@@ -20,6 +20,8 @@
 #
 # Processor type and features
 #
+CONFIG_LOLAT=y
+CONFIG_LOLAT_SYSCTL=y
 CONFIG_M386=y
 # CONFIG_M486 is not set
 # CONFIG_M586 is not set
@@ -55,16 +57,18 @@
 # CONFIG_HIGHMEM is not set
 CONFIG_MATH_EMULATION=y
 CONFIG_MTRR=y
-CONFIG_SMP=y
-# CONFIG_MULTIQUAD is not set
+# CONFIG_SMP is not set
+CONFIG_PREEMPT=y
+CONFIG_X86_UP_APIC=y
+# CONFIG_X86_UP_IOAPIC is not set
+CONFIG_X86_LOCAL_APIC=y
 # CONFIG_X86_TSC_DISABLE is not set
 
 #
 # General setup
 #
+CONFIG_HZ=500
 CONFIG_NET=y
-CONFIG_X86_IO_APIC=y
-CONFIG_X86_LOCAL_APIC=y
 CONFIG_PCI=y
 # CONFIG_PCI_GOBIOS is not set
 # CONFIG_PCI_GODIRECT is not set
@@ -92,7 +96,6 @@
 CONFIG_HOTPLUG_PCI=m
 CONFIG_HOTPLUG_PCI_COMPAQ=m
 # CONFIG_HOTPLUG_PCI_COMPAQ_NVRAM is not set
-CONFIG_HOTPLUG_PCI_IBM=m
 # CONFIG_HOTPLUG_PCI_ACPI is not set
 CONFIG_SYSVIPC=y
 CONFIG_BSD_PROCESS_ACCT=y
@@ -103,7 +106,6 @@
 CONFIG_BINFMT_ELF=y
 CONFIG_BINFMT_MISC=m
 CONFIG_PM=y
-# CONFIG_ACPI is not set
 CONFIG_APM=m
 # CONFIG_APM_IGNORE_USER_SUSPEND is not set
 CONFIG_APM_DO_ENABLE=y
@@ -114,6 +116,11 @@
 # CONFIG_APM_REAL_MODE_POWER_OFF is not set
 
 #
+# ACPI Support
+#
+# CONFIG_ACPI is not set
+
+#
 # Memory Technology Devices (MTD)
 #
 # CONFIG_MTD is not set
@@ -176,6 +183,7 @@
 CONFIG_CISS_SCSI_TAPE=y
 CONFIG_BLK_DEV_DAC960=m
 CONFIG_BLK_DEV_UMEM=m
+# CONFIG_CDROM_PKTCDVD is not set
 CONFIG_BLK_DEV_LOOP=m
 CONFIG_BLK_DEV_NBD=m
 CONFIG_BLK_DEV_RAM=y
@@ -406,7 +414,7 @@
 CONFIG_IPSEC_ALG_BLOWFISH=m
 CONFIG_IPSEC_ALG_CAST=m
 CONFIG_IPSEC_ALG_CRYPTOAPI=m
-# CONFIG_IPSEC_ALG_NON_LIBRE is not set
+CONFIG_IPSEC_ALG_NON_LIBRE=y
 CONFIG_IPSEC_ALG_NULL=m
 CONFIG_IPSEC_ALG_SERPENT=m
 CONFIG_IPSEC_ALG_TWOFISH=m
@@ -512,7 +520,6 @@
 CONFIG_BLK_DEV_SR_VENDOR=y
 CONFIG_SR_EXTRA_DEVS=2
 CONFIG_CHR_DEV_SG=m
-# CONFIG_SCSI_DEBUG_QUEUES is not set
 # CONFIG_SCSI_MULTI_LUN is not set
 CONFIG_SCSI_CONSTANTS=y
 # CONFIG_SCSI_LOGGING is not set
@@ -779,7 +786,7 @@
 CONFIG_NS83820=m
 CONFIG_HAMACHI=m
 CONFIG_YELLOWFIN=m
-CONFIG_SK98LIN=m
+# CONFIG_SK98LIN is not set
 CONFIG_TIGON3=m
 CONFIG_FDDI=y
 CONFIG_DEFXX=m
@@ -1266,7 +1273,7 @@
 CONFIG_INTEL_RNG=m
 CONFIG_AMD_PM768=m
 CONFIG_NVRAM=m
-CONFIG_RTC=y
+CONFIG_RTC=m
 CONFIG_DTLK=m
 CONFIG_R3964=m
 CONFIG_APPLICOM=m
@@ -1380,6 +1387,7 @@
 CONFIG_REISERFS_FS=y
 # CONFIG_REISERFS_CHECK is not set
 # CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_SUPERMOUNT is not set
 CONFIG_ADFS_FS=m
 CONFIG_ADFS_FS_RW=y
 CONFIG_AFFS_FS=m
@@ -1550,8 +1558,9 @@
 CONFIG_FB_PM3=m
 CONFIG_FB_CYBER2000=m
 CONFIG_FB_VESA=y
+CONFIG_LPP=y
 CONFIG_FB_VGA16=m
-CONFIG_FB_HGA=m
+# CONFIG_FB_HGA is not set
 CONFIG_VIDEO_SELECT=y
 CONFIG_FB_MATROX=m
 CONFIG_FB_MATROX_MILLENIUM=y
@@ -1574,6 +1583,7 @@
 CONFIG_FB_VOODOO1=m
 CONFIG_FB_TRIDENT=m
 # CONFIG_FB_VIRTUAL is not set
+# CONFIG_FBCON_SPLASHSCREEN is not set
 CONFIG_FBCON_ADVANCED=y
 CONFIG_FBCON_MFB=m
 CONFIG_FBCON_CFB2=y
@@ -1809,9 +1819,6 @@
 CONFIG_MAGIC_SYSRQ=y
 # CONFIG_DEBUG_SPINLOCK is not set
 # CONFIG_FRAME_POINTER is not set
-# CONFIG_KDB is not set
-# CONFIG_KDB_MODULES is not set
-# CONFIG_KALLSYMS is not set
 
 #
 # Library routines
@@ -1831,22 +1838,12 @@
 #
 # Address Space Protection
 #
-CONFIG_GRKERNSEC_PAX_NOEXEC=y
-CONFIG_GRKERNSEC_PAX_PAGEEXEC=y
-CONFIG_GRKERNSEC_PAX_SEGMEXEC=y
-CONFIG_GRKERNSEC_PAX_EMUTRAMP=y
-CONFIG_GRKERNSEC_PAX_EMUSIGRT=y
-CONFIG_GRKERNSEC_PAX_MPROTECT=y
-CONFIG_GRKERNSEC_PAX_NOELFRELOCS=y
-CONFIG_GRKERNSEC_PAX_ASLR=y
-CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
-CONFIG_GRKERNSEC_PAX_RANDMMAP=y
-CONFIG_GRKERNSEC_PAX_RANDEXEC=y
-CONFIG_GRKERNSEC_KMEM=y
-CONFIG_GRKERNSEC_IO=y
-CONFIG_RTC=y
-CONFIG_GRKERNSEC_PROC_MEMMAP=y
-CONFIG_GRKERNSEC_HIDESYM=y
+# CONFIG_GRKERNSEC_PAX_NOEXEC is not set
+# CONFIG_GRKERNSEC_PAX_ASLR is not set
+# CONFIG_GRKERNSEC_KMEM is not set
+# CONFIG_GRKERNSEC_IO is not set
+# CONFIG_GRKERNSEC_PROC_MEMMAP is not set
+# CONFIG_GRKERNSEC_HIDESYM is not set
 
 #
 # ACL options
@@ -1861,49 +1858,33 @@
 CONFIG_GRKERNSEC_PROC=y
 # CONFIG_GRKERNSEC_PROC_USER is not set
 CONFIG_GRKERNSEC_PROC_USERGROUP=y
-CONFIG_GRKERNSEC_PROC_GID=2000
+CONFIG_GRKERNSEC_PROC_GID=2001
 CONFIG_GRKERNSEC_PROC_ADD=y
 CONFIG_GRKERNSEC_LINK=y
 CONFIG_GRKERNSEC_FIFO=y
-CONFIG_GRKERNSEC_CHROOT=y
-CONFIG_GRKERNSEC_CHROOT_MOUNT=y
-CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
-CONFIG_GRKERNSEC_CHROOT_PIVOT=y
-CONFIG_GRKERNSEC_CHROOT_CHDIR=y
-CONFIG_GRKERNSEC_CHROOT_CHMOD=y
-CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
-CONFIG_GRKERNSEC_CHROOT_MKNOD=y
-CONFIG_GRKERNSEC_CHROOT_SHMAT=y
-CONFIG_GRKERNSEC_CHROOT_UNIX=y
-CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
-CONFIG_GRKERNSEC_CHROOT_NICE=y
-CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
-CONFIG_GRKERNSEC_CHROOT_CAPS=y
+# CONFIG_GRKERNSEC_CHROOT is not set
 
 #
 # Kernel Auditing
 #
-CONFIG_GRKERNSEC_AUDIT_GROUP=y
-CONFIG_GRKERNSEC_AUDIT_GID=2007
-CONFIG_GRKERNSEC_EXECLOG=y
-CONFIG_GRKERNSEC_RESLOG=y
-CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
-CONFIG_GRKERNSEC_AUDIT_CHDIR=y
-CONFIG_GRKERNSEC_AUDIT_MOUNT=y
-CONFIG_GRKERNSEC_AUDIT_IPC=y
-CONFIG_GRKERNSEC_SIGNAL=y
-CONFIG_GRKERNSEC_FORKFAIL=y
-CONFIG_GRKERNSEC_TIME=y
+# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
+# CONFIG_GRKERNSEC_EXECLOG is not set
+# CONFIG_GRKERNSEC_RESLOG is not set
+# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
+# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
+# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
+# CONFIG_GRKERNSEC_AUDIT_IPC is not set
+# CONFIG_GRKERNSEC_SIGNAL is not set
+# CONFIG_GRKERNSEC_FORKFAIL is not set
+# CONFIG_GRKERNSEC_TIME is not set
 
 #
 # Executable Protections
 #
-CONFIG_GRKERNSEC_EXECVE=y
+# CONFIG_GRKERNSEC_EXECVE is not set
 CONFIG_GRKERNSEC_DMESG=y
 CONFIG_GRKERNSEC_RANDPID=y
-CONFIG_GRKERNSEC_TPE=y
-CONFIG_GRKERNSEC_TPE_ALL=y
-CONFIG_GRKERNSEC_TPE_GID=2005
+# CONFIG_GRKERNSEC_TPE is not set
 
 #
 # Network Protections
@@ -1914,13 +1895,7 @@
 CONFIG_GRKERNSEC_RANDSRC=y
 CONFIG_GRKERNSEC_RANDRPC=y
 CONFIG_GRKERNSEC_RANDPING=y
-CONFIG_GRKERNSEC_SOCKET=y
-CONFIG_GRKERNSEC_SOCKET_ALL=y
-CONFIG_GRKERNSEC_SOCKET_ALL_GID=2004
-CONFIG_GRKERNSEC_SOCKET_CLIENT=y
-CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=2003
-CONFIG_GRKERNSEC_SOCKET_SERVER=y
-CONFIG_GRKERNSEC_SOCKET_SERVER_GID=2002
+# CONFIG_GRKERNSEC_SOCKET is not set
 
 #
 # Sysctl support

Source: metadistros-nucleo-sb
Section: misc
Priority: optional
Maintainer: Sergio González González <[email protected]>
Standards-Version: 3.2.1

Package: metadistros-nucleo-sb
Architecture: any
Depends: ${shlibs:Depends}, metadistros-nucleo-kernel, adduser, apt, apt-utils, at,
base-config, base-files, base-passwd, bash, bsdmainutils, bsdutils, console-common,
 console-data, console-tools, console-tools-libs, cpio, cron, debconf, debianutils,
dhcp-client, diff, dpkg, e2fsprogs, ed, exim, fdutils, fileutils, findutils, gettext-base,
grep, groff-base, gzip, hostname, ifupdown, info, ipchains, iptables, klogd, libc6,
libcap1, libdb2, libdb3, libgdbmg1, libident, libldap2, liblockfile1, libncurses5,
libnewt0, libpam-modules, libpam-runtime, libpam0g, libpcap0, libpcre3, libpopt0,
libreadline4, libsasl7, libstdc++2.10-glibc2.2, libwrap0, lilo, login, logrotate,
mailx, makedev, man-db, manpages, mawk, mbr, modconf, modutils, mount, nano, ncurses-base,
ncurses-bin, net-tools, netbase, netkit-inetd, netkit-ping, nvi, passwd, pciutils,
pcmcia-cs, perl-base, ppp, pppconfig, pppoe, pppoeconf, procps, psmisc, sed, setserial,
shellutils, slang1, sysklogd, syslinux, sysvinit, tar, tasksel, tcpd,
textutils, util-linux, whiptail
Description: Sistema Base de Metadistros (SBM)
 Metapaquete que tiene como dependencias los archivos que
 conforman el sistema base de metadistros. Este coincide
 con el sistema base de Debian.
 .
 Metadistros es un proyecto de HispaLinux que pretende crear una
 infraestructura para poder crear distribuciones basadas en Debian
 personalizadas de una manera fácil. Para más información:
 .
 http://metadistros.hispalinux.es/

Source: metadistros-nucleo-se
Section: misc
Priority: optional
Maintainer: Sergio González González <[email protected]>
Standards-Version: 3.2.1

Package: metadistros-nucleo-se
Architecture: any
Depends: ${shlibs:Depends}, metadistros-nucleo-sb, metadistros-nucleo-i18n, bc,
biff, bind9-host, dc, dnsutils, doc-debian, doc-linux-text, file, finger,
gnupg, gnupg-doc, less, libdns5, libisc4, liblwres1, libssl0.9.6, lsof,
lynx-ssl, manpages-dev, mime-support, mpack, mtools, mutt, patch, procmail,
python, python-newt, python2.1, reportbug, sharutils, ssh, strace, texinfo,
time, util-linux-locales, vacation, whois, zlib1g, attr, binutils, bzip2,
 cloop-utils, dmapi, eject, ext2resize, gpart, hotplug, hotplug-utils, hwdata,
kudzu, kudzu-vesa, libattr1, libbz2-1.0, libparted1.4, lvm-common, lvm10,
mdadm, mdetect, nparted, parted, reiserfsprogs, sudo, usbutils, vim,
libgpmg1, xfsdump, xfsprogs, telnet-ssl, ftp-ssl, raidtools2, dvhtool, locales
Conflicts: ftp, telnet
Description: Sistema Extendido de Metadistros (SEM)
 Metapaquete que tiene como dependencias los archivos que
 conforman el sistema extendido de metadistros.
 .
 Metadistros es un proyecto de HispaLinux que pretende crear una
 infraestructura para poder crear distribuciones basadas en Debian
 personalizadas de una manera fácil. Para más información:
 .
 http://metadistros.hispalinux.es/

ource: metadistros-nucleo-i18n-es
Section: misc
Priority: optional
Maintainer: Sergio González González <[email protected]>
Standards-Version: 3.2.1

Package: metadistros-nucleo-i18n-es
Architecture: any
Provides: metadistros-nucleo-i18n
Depends: ${shlibs:Depends}, manpages-es, manpages-es-extra, user-euro-es
Description: Internacionalización (i18n) española (es) para metadistros
 Metapaquete que tiene como dependencias programas y
 documentación para usuarios hispano parlantes.
 .
 Metadistros es un proyecto de HispaLinux que pretende crear una
 infraestructura para poder crear distribuciones basadas en Debian
 personalizadas de una manera fácil. Para más información:
 .
 http://metadistros.hispalinux.es/

password   required   pam_unix.so nullok obscure min=4 max=8

ca_ES.ISO-8859-1
[email protected]
es_ES.ISO-8859-1
[email protected]
eu_ES.ISO-8859-1
[email protected]
gl_ES.ISO-8859-1
[email protected]

# /etc/fstab: Información estática del sistema de ficheros.
#
# <Sis. ficheros>               <Punto montaje>     <Tipo>      <Opciones>              <volcado> <pasada>
/dev/ide/host0/bus0/target0/lun0/part5  /           reiserfs    rw,nosuid,  dev,  exec,auto,nouser,async 0 0
/dev/ide/host0/bus0/target0/lun0/part1  /boot       reiserfs    ro,nosuid,nodev,noexec,auto,nouser,async 0 0
/dev/disco/root                         /root       reiserfs    rw,nosuid,nodev,  exec,auto,nouser,async 0 0
/dev/disco/home                         /home       reiserfs    rw,nosuid,nodev,noexec,auto,nouser,async 0 0
/dev/disco/tmp                          /tmp        reiserfs    rw,nosuid,nodev,  exec,auto,nouser,async 0 0
/dev/disco/usr                          /usr        reiserfs    ro,nosuid,nodev,  exec,auto,nouser,async 0 0
/dev/disco/var                          /var        reiserfs    rw,nosuid,nodev,noexec,auto,nouser,async 0 0
/dev/disco/log                          /var/log    reiserfs    rw,nosuid,nodev,noexec,auto,nouser,async 0 0
/dev/disco/spool                        /var/spool  reiserfs    rw,nosuid,nodev,noexec,auto,nouser,async 0 0
/dev/sandisco/setuid                    /mnt/setuid reiserfs    ro,  suid,nodev,  exec,auto,nouser,async 0 0

/dev/ide/host0/bus0/target0/lun0/part2  none    swap            sw,pri=1                0       0

proc                                    /proc   proc            defaults                0       0
/dev/floppy/0                           /floppy auto            rw,nosuid,nodev,noexec,auto,  user,async 0 0
/dev/ide/host0/bus1/target0/lun0/cd     /cdrom  iso9660         ro,nosuid,nodev,noexec,auto,  user,async 0 0

DPkg
{
    Pre-Invoke  { "mount /     -o remount,rw" };
    Pre-Invoke  { "mount /usr  -o remount,rw" };
    Pre-Invoke  { "mount /boot -o remount,rw" };
    Pre-Invoke  { "mount /tmp  -o remount,exec" };
    Pre-Invoke  { "mount /var  -o remount,exec" };
    Post-Invoke { "mount /     -o remount,ro" };
    Post-Invoke { "mount /usr  -o remount,ro" };
    Post-Invoke { "mount /boot -o remount,ro" };
    Post-Invoke { "mount /tmp  -o remount,noexec" };
    Post-Invoke { "mount /var  -o remount,noexec" };
};

#
# Soporte para el Euro -> ¤
#
SCREEN_FONT=lat0-sun16
APP_CHARSET_MAP=iso15
#
#DO_VCSTIME=yes
#
# Forget this one unless you _know_ it is necessary for your font:
#
# Soporte para el Euro -> ¤
#
SCREEN_FONT_vc1=lat0-sun16
SCREEN_FONT_vc2=lat0-sun16
SCREEN_FONT_vc3=lat0-sun16
SCREEN_FONT_vc4=lat0-sun16
SCREEN_FONT_vc5=lat0-sun16
SCREEN_FONT_vc6=lat0-sun16

# Script-name: /etc/network/interface-secure
# Modifies some default behaviour in order to secure against
# some TCP/IP spoofing & attacks
#
# Contributed by Dariusz Puchalak
#
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# broadcast echo protection enabled
  echo 0 > /proc/sys/net/ipv4/ip_forward     # ip forwarding disabled
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies # TCP syn cookie protection enabled

# Log packets with impossible addresses
# but be careful with this on heavy loaded web servers
  echo 1 >/proc/sys/net/ipv4/conf/all/log_martians

#  defragging protection always enabled
  echo 1 > /proc/sys/net/ipv4/ip_always_defrag

# bad error message protection enabled
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# now ip spoofing protection
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
  done

# and finally some more things:
# Disable ICMP Redirect Acceptance
  for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
  done

  for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
  done

# Disable Source Routed Packets
  for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
  done

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
  for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
  done

*               hard    core            0
*               soft    nofile          100
*               hard    rss             10000
*               hard    nproc           150
*               soft    fsize           50000
www-data        soft    nofile          100000
@usuarios       hard    core            0
@usuarios       hard    rss             2000
@usuarios       hard    nproc           15
@usuarios       hard    cpu             2
@usuarios       hard    nofile          30
@usuarios       hard    fsize           10000
@usuarios       hard    memlock         5000
@usuarios       hard    data            1000
@usuarios       hard    maxlogins       4
@usuarios       hard    priority        17

#nombreusuario          soft    fsize           3000000
nombreusuario          hard    nofile          10000000

privileged:x:2000:
trustedpath:x:2002:
socketall:x:2004:
socketclient:x:2005:
socketserver:x:2006:
auditar:x:2007:

# Desautorizar a todos los hosts con nombre sospechoso
ALL: PARANOID

# Desautorizar a todos los hosts
ALL:ALL

#ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

#
# /etc/sysctl.conf - Configuration file for setting system variables
# See sysctl.conf (5) for information.
#
#

##
# Activamos low-latency
#

# kernel.lowlatency=1



#############################################
# Mejorando el rendimiento del servidor web #
#############################################


#
# Máximo número de archivos abiertos
#

fs/file-max=150000


#
# Aumentamos el número de en la tabla de conexiones
#

net/ipv4/ip_conntrack_max=524288


#
# Aumentamos la cola de backlog
#

net/ipv4/tcp_max_syn_backlog=4096


##############################
# Buffer Overflow Protection #
##############################

# _______________________
# Read-only kernel memory
#
# 	root will not be able to modify the contents of
#	kernel memory.  If module support is removed in addition to enabling
#	this option, the ability of an attacker to insert foreign code into
#	a running kernel is removed.
#

# kernel/grsecurity/read_only_kmem=1


# _______________________
# Fixed mmap restrictions
#
#	If you say Y here, it will be impossible for an attacker to bypass the
#	PaX buffer overflow protection by mmaping an executable memory region
#	with a specific address set.
#

# kernel/grsecurity/mmap_fixed_restrict=1



##########################
# Filesystem protections #
##########################


# ____________________
# Linking restrictions
#
#	/tmp race exploits will be prevented, since users
#	will no longer be able to follow symlinks owned by other users in
#	world-writeable +t directories (i.e. /tmp), unless the owner of the
#	symlink is the owner of the directory. users will also not be
#	able to hardlink to files they do not own.
#

kernel/grsecurity/linking_restrictions=1


# _________________
# FIFO restrictions
#
#	Users will not be able to write to FIFOs they don't
#	own in world-writeable +t directories (i.e. /tmp), unless the owner of
#	the FIFO is the same owner of the directory it's held in.
#

kernel/grsecurity/fifo_restrictions=1


# _______________________
# Secure file descriptors
#
#	set*id binaries will be protected from data spoofing
#	attacks (eg. making a program read /etc/shadow).  The patches do this
#	by opening up /dev/null to any of the stdin, stdout, stderr file descriptors
#	for set*id binaries that are open and run by a user that is not the owner
#	of the file.
#

# kernel/grsecurity/secure_fds=1


# ________________________
# Chroot jail restrictions
#
#
#	* Restricted signals
#
#		Processes inside a chroot will not be able to send
#		signals outside of the chroot.  The only signals allowed are null
#		signals which perform no action, and the parent process sending
#		a certain signal to its child.
#

##kernel/grsecurity/chroot_restrict_sigs=1

#
#	* Deny mounts
#
#		Processes inside a chroot will not be able to
#		mount or remount filesystems.
#

kernel/grsecurity/chroot_deny_mount=1

#
#	* Deny double-chroots
#
#		Processes inside a chroot will not be able to chroot
#		again.  This is a widely used method of breaking out of a chroot jail
#		and should not be allowed.
#

kernel/grsecurity/chroot_deny_chroot=1

#
#	* Enforce chdir("/") on all chroots
#
#		The current working directory of all newly-chrooted
#		applications will be set to the the root directory of the chroot.
#		The man page on chroot(2) states:
#		Note that this call does not change  the  current  working
#		directory,  so  that `.' can be outside the tree rooted at
#		`/'.  In particular, the  super-user  can  escape  from  a
#		`chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
#
#		It is recommended that you say Y here, since it's not known to break
#		any software.
#

#kernel/grsecurity/chroot_deny_chdir=1

#
#	* Deny (f)chmod +s
#
#		Processes inside a chroot will not be able to chmod
#		or fchmod files to make them have suid or sgid bits.  This protects
#		against another published method of breaking a chroot.
#

kernel/grsecurity/chroot_deny_chmod=1

#
#	* Deny mknod
#
#		Processes inside a chroot will not be allowed to
#		mknod.  The problem with using mknod inside a chroot is that it
#		would allow an attacker to create a device entry that is the same
#		as one on the physical root of your system, which could range from
#		anyhing from the console device to a device for your harddrive (which
#		they could then use to wipe the drive or steal data).  It is recommended
#		that you say Y here, unless you run into software incompatibilities.
#

kernel/grsecurity/chroot_deny_mknod=1

#
#	* Deny ptraces
#
#		Processes inside a chroot will not be able to ptrace
#		other processes.  Ptracing a process allows one to attach and alter the
#		flow of execution for the process.  It is strongly recommended that you
#		say Y here.
#

##kernel/grsecurity/chroot_deny_ptrace=1

#
#	* Restrict priority changes
#
#		Processes inside a chroot will not be able to raise
#		the priority of processes in the chroot, or alter the priority of
#		processes outside the chroot.  This provides more security than simply
#		removing CAP_SYS_NICE from the process' capability set.
#

kernel/grsecurity/chroot_restrict_nice=1


# _____________________________________
# Capability restrictions within chroot
#
#	The capabilities on all root processes within a
#	chroot jail will be lowered to stop module insertion, raw i/o,
#	system and net admin tasks, transferring capabilities, and
#	tty configuration tasks.  This is left an option because it breaks
#	some apps.  Disable this if your chrooted apps are having
#	problems performing those kinds of tasks.
#

kernel/grsecurity/chroot_caps=1


# _____________________
# Secure keymap loading
#
#	KDSKBENT and KDSKBSENT ioctl calls being
#	called by unprivileged users will be denied. If you answer N,
#	everyone with access to the console will be able to modify keyboard
#	bindings.
#

# kernel/grsecurity/secure_kbmap=1



####################
# Security Logging #
####################


# _________________________
# Single group for auditing
#
#	the exec, chdir, (un)mount, and ipc logging features
#	will only operate on a group you specify.  This option is recommended
#	if you only want to watch certain users instead of having a large
#	amount of logs from the entire system.
#

kernel/grsecurity/audit_group=1



#
#	* GID for auditing
#			
#		Here you can choose the GID that will be the target of
#		kernel auditing. Remember to add the users you want to log
#		to the GID specified here. If the sysctl option is
#		enabled, whatever you choose here won't matter. You'll have to
#		specify the GID in your bootup script by echoing the GID to
#		the proper /proc entry.  View the help on the sysctl option for
#		more information.
#

kernel/grsecurity/audit_gid=2007


# ____________
# Exec logging
#
#	All execve() calls will be logged (since the
#	other exec*() calls are frontends to execve(), all execution
#	will be logged).  Useful for shell-servers that like to keep track
#	of their users.
#
#	WARNING: This option when enabled will produce a LOT of logs, especially
#	on an active system.
#

kernel/grsecurity/exec_logging=0


# _______________________
# Log execs within chroot
#
#	All executions inside a chroot jail will be logged
#	to syslog.
#

kernel/grsecurity/chroot_execlog=1


# _____________
# Chdir logging
#
#	All chdir() calls will be logged.
#

kernel/grsecurity/audit_chdir=0


# _________________
# (Un)Mount logging
#
#	All mounts and unmounts will be logged.
#

kernel/grsecurity/audit_mount=1


# ___________
# IPC logging
#
#	creation and removal of message queues, semaphores,
#	and shared memory will be logged.
#

kernel/grsecurity/audit_ipc=1


# ______________
# Ptrace logging
#
#	All successful ptraces will be logged. Ptraces are
#	special operations performed when programs like strace or gdb are run.
#	They have also been the focus of some kernel vulnerabilities.
#

###kernel/grsecurity/audit_ptrace=1


# ______________
# Signal logging
#
#	Certain important signals will be logged, such as
#	SIGSEGV, which will as a result inform you of when a error in a program
#	occurred, which in some cases could mean a possible exploit attempt.
#

kernel/grsecurity/signal_logging=0


# ____________________
# Fork failure logging
#
#	All failed fork() attempts will be logged.
#	This could suggest a fork bomb, or someone attempting to overstep
#	their process limit.
#

kernel/grsecurity/forkfail_logging=1


# ____________________________
# Set*id logging for all users
#
#	All set*id() calls will be logged.  Such information
#	could be useful when detecting a possible intrusion attempt.  This
#	option can produce a lot of logs on an active system.
#

# kernel/grsecurity/suid_logging=0


# ___________________
# Time change logging
#
#	Any changes of the system clock will be logged.
#

kernel/grsecurity/timechange_logging=0



##########################
# Executable Protections #
##########################


# _____________________
# Exec process limiting
#
#	Users with a resource limit on processes will
#	have the value checked during execve() calls.  The current system
#	only checks the system limit during fork() calls.
#

kernel/grsecurity/execve_limiting=1


# ___________________________
# Dmesg(8) restriction
#
#	Non-root users will not be able to use dmesg(8)
#	to view up to the last 4kb of messages in the kernel's log buffer.
#

kernel/grsecurity/dmesg=1


# _______________
# Randomized PIDs
#
#	All PIDs created on the system will be
#	pseudo-randomly generated.  This is extremely effective along
#	with the /proc restrictions to disallow an attacker from guessing
#	pids of daemons, etc.  PIDs are also used in some cases as part
#	of a naming system for temporary files, so this option would keep
#	those filenames from being predicted as well.  We also use code
#	to make sure that PID numbers aren't reused too soon.
#

kernel/grsecurity/rand_pids=1


# _____________________________
# Limit uid/gid changes to root
#
#	You will be able choose from three option that
#	will allow you to restrict access to the root account by console
#	type.  These options should only be enabled if you are sure of what
#	you're doing.  Also note that they only apply to processes that have
#	ttys, which generally involves some kind of user-interaction.  The
#	options are basically in place to keep users on a system who have a
#	(stolen) password for root from using it unless their console
#	credentials match.
#


#
#	* Deny physical consoles (tty)
#
#		Access to root from physical consoles will be
#		denied. This is only recommended for rare cases where you will
#		never need to be physically at the machine.
#

# kernel/grsecurity/deny_phys_root=0

#
#	* Deny serial consoles (ttyS)
#
#		Access to root from serial consoles will be
#		denied. Most people can say Y here, since most don't use serial
#		devices for their console access.  If you are unsure, say N.

# kernel/grsecurity/deny_serial_root=1

#
#	* Deny pseudo consoles (pty)
#
#		Access to root from pseudo consoles will be
#		denied. Pseudo consoles include consoles from telnet, ssh, or any other
#		kind of interactive shell initiated from the network.  Pseudo consoles
#		also include any terminals you use in XFree86.  If you will only be
#		accessing the machine for root access from the physical console, you
#		can say Y here.  Only say Y here if you're sure of what you're doing.

# kernel/grsecurity/deny_pseudo_root=0


# ____________________
# Fork-bomb protection
#
#	You will be able to configure a group to add to users
#	on your system that you want to be unable to fork-bomb the system.
#	You will be able to specify a maximum process limit for the user and
#	set a rate limit for all forks under their uid. (Fork-bombing is a
#	tactic used by attackers that can be enacted in two ways, (1) loading
#	up thousands of processes until the system can't take any more (this
#	method can be stopped outside of the kernel with PAM, however we place
#	protection for it in the kernel to be more complete and reduce overhead),
#	and (2), by forking processes at a rapid rate, and then killing them
#	off, which cannot be protected against in the same way at tactic 1)
#	The rate limit is specified in forks allowed per second.  Set this
#	limit low enough to stop tactic 2, but high enough to allow for
#	normal operation.  The protection will kill the offending process.
#

# kernel/grsecurity/fork_bomb_prot=1

#
#	* GID for restricted users
#
#		Here you can choose the GID to enable fork-bomb protection for.
#		Remember to add the users you want protection enabled for to the GID
#		specified here.  If the sysctl option is enabled, whatever you choose
#		here won't matter. You'll have to specify the GID in your bootup
#		script by echoing the GID to the proper /proc entry.  View the help
#		on the sysctl option for more information.
#

# kernel/grsecurity/fork_bomb_gid=2001

#
#	* Forks allowed per second
#
#		Here you can specify the maximum number of forks allowed per second.
#		You don't want to set this value too low, or else you'll hinder
#		normal operation of your system.  The default value should be fine for
#		most users.
#

# kernel/grsecurity/fork_bomb_sec=40

#
#	* Maximum processes allowed
#
#	Here you can configure the maximum number of processes users in the
#	fork-bomb protected group can run.  I would not recommend setting a
#	value lower than 8, since some programs like man(1) spawn up to 8
#	processes to run.  The default value should be fine for most purposes.
#

# kernel/grsecurity/fork_bomb_max=20


# ______________________
# Trusted path execution
#
#	You will be able to choose a gid to add to the
#	supplementary groups of users you want to mark as "untrusted."
#	These users will not be able to execute any files that are not in
#	root-owned directories writeable only by root.
#
kernel/grsecurity/tpe=1

#
#	* Glibc protection
#
#		All non-root users will not be able to execute
#		any files while glibc specific environment variables such as
#		LD_PRELOAD are set, which could be used to evade the trusted path
#		execution protection.  It also protects against evasion through
#		/lib/ld-2.*  It is recommended you say Y here also.
#

###kernel/grsecurity/tpe_glibc=1

#
#	* Partially restrict non-root users
#
#		All other non-root users will only be allowed to
#		execute files in directories they own that are not group or
#		world-writeable, or in directories owned by root and writeable only by
#		root.
#

kernel/grsecurity/tpe_restrict_all=1

#
#		- GID for untrusted users:
#
#			Here you can choose the GID to enable trusted path protection for.
#			Remember to add the users you want protection enabled for to the GID
#			specified here.  If the sysctl option is enabled, whatever you choose
#			here won't matter. You'll have to specify the GID in your bootup
#			script by echoing the GID to the proper /proc entry.  View the help
#			on the sysctl option for more information.
#

kernel/grsecurity/tpe_gid=2002


# _________________
# Restricted ptrace
#
#	No one but root will be able to ptrace processes.
#	Tracing syscalls inside the kernel will also be disabled.  All allowed
#	ptraces will be logged when this option is enabled.
#

# kernel/grsecurity/restrict_ptrace=1

#
#	* Allow ptrace for group
#
#	You will be able to choose a GID of whose users
#	will be able to ptrace.
#

# kernel/grsecurity/allow_ptrace_group=1

#
#		- GID for ptrace
#
#			Here you can choose the GID of whose users will be able to ptrace.
#			Remember to add the users you want ptrace enabled for to the GID
#			specified here.  If the sysctl option is enabled, whatever you choose
#			here won't matter. You'll have to specify the GID in your bootup
#			script by echoing the GID to the proper /proc entry.  View the help
#			on the sysctl option for more information.
#

# kernel/grsecurity/ptrace_gid=2003



#######################
# Network Protections #
#######################


# _________________
# Randomized IP IDs
#
#	All the id field on all outgoing packets
#	will be randomized.  This hinders os fingerprinters and
#	keeps your machine from being used as a bounce for an untraceable
#	portscan.  Ids are used for fragmented packets, fragments belonging
#	to the same packet have the same id.  By default linux only
#	increments the id value on each packet sent to an individual host.
#	We use a port of the OpenBSD random ip id code to achieve the
#	randomness, while keeping the possibility of id duplicates to
#	near none.
#

kernel/grsecurity/rand_ip_ids=1


# ___________________________
# Randomized TCP source ports
#
#	Situations where a source port is generated on the
#	fly for the TCP protocol (ie. with connect() ) will be altered so that
#	the source port is generated at random, instead of a simple incrementing
#	algorithm.
#

kernel/grsecurity/rand_tcp_src_ports=1

# ___________________________
# Randomized RPC XIDs
#
#	The method of determining XIDs for RPC requests will
#	be randomized, instead of using linux's default behavior of simply
#	incrementing the XID.
#

kernel/grsecurity/rand_rpc=1


# ________________
# Altered Ping IDs
#
#	The way Linux handles echo replies will be changed
#	so that the reply uses an ID equal to the ID of the echo request.
#	This will help in confusing OS detection.
#

kernel/grsecurity/altered_pings=1


# ______________
# Randomized TTL
#
#	Your TTL (time to live) for packets will be set at
#	random, with a base level you specify, to further confuse OS detection.
#

# kernel/grsecurity/rand_ttl=1


#
#	* TTL starting point:
#
#		Here you can choose a base TTL for the randomization.  The default value
#		for this setting is the Linux default TTL.  Most users will want to
#		leave this setting as-is.  The higher you set the base level (note that
#		you can't set it above 255) the more hops your packets will live.
#		If the sysctl option is enabled, whatever you choose here won't matter.
#		You'll have to specify the threshold in your bootup script by echoing
#		the threshold to the proper /proc entry.  View the help on the sysctl
#		option for more information.
#

#kernel/grsecurity/rand_ttl_thresh=64


# ___________________________
# Enhanced network randomness
#
#	The functions controlling the randomness
#	of the Linux IP stack will be enhanced to decrease the chances
#	of being able to predict certain packets that require some
#	amount of randomness.
#

### kernel/grsecurity/rand_net=1


# ___________________
# Socket restrictions
#
#	You will be able to choose from several options.
#	If you assign a GID on your system and add it to the supplementary
#	groups of users you want to restrict socket access to, this patch
#	will perform up to three things, based on the option(s) you choose.


#
#	* Deny any sockets to group
#
#		You will be able to choose a GID of whose users will
#		be unable to connect to other hosts from your machine or run server
#		applications from your machine.
#

kernel/grsecurity/socket_all=1

#
#		- GID to deny all sockets for:
#
#			Here you can choose the GID to disable socket access for. Remember to
#			add the users you want socket access disabled for to the GID
#			specified here.  If the sysctl option is enabled, whatever you choose
#			here won't matter. You'll have to specify the GID in your bootup
#			script by echoing the GID to the proper /proc entry.  View the help
#			on the sysctl option for more information.
#

kernel/grsecurity/socket_all_gid=2004

#
#	* Deny client sockets to group
#
#		You will be able to choose a GID of whose users will
#		be unable to connect to other hosts from your machine, but will be
#		able to run servers.  If this option is enabled, all users in the group
#		you specify will have to use passive mode when initiating ftp transfers
#		from the shell on your machine.
#

kernel/grsecurity/socket_client=1

#
#		- GID to deny client sockets for:
#
#			Here you can choose the GID to disable client socket access for.
#			Remember to add the users you want client socket access disabled for to
#			the GID specified here.  If the sysctl option is enabled, whatever you
#			choose here won't matter. You'll have to specify the GID in your bootup
#			script by echoing the GID to the proper /proc entry.  View the help
#			on the sysctl option for more information.
#

kernel/grsecurity/socket_client_gid=2005

#
#	* Deny server sockets to group
#
#		You will be able to choose a GID of whose users will
#		be unable to run server applications from your machine.
#

kernel/grsecurity/socket_server=1

#
#		- GID to deny server sockets for:
#
#			Here you can choose the GID to disable server socket access for.
#			Remember to add the users you want server socket access disabled for to
#			the GID specified here.  If the sysctl option is enabled, whatever you
#			choose here won't matter. You'll have to specify the GID in your bootup
#			script by echoing the GID to the proper /proc entry.  View the help
#			on the sysctl option for more information.
#

kernel/grsecurity/socket_server_gid=2006


# __________________
# Stealth networking
#
#	You will enable several enhancements that will
#	improve your system's protection against portscans.
#	Enabling these options and filtering all open ports should make
#	your machine very hard to detect, while not interfering with (most)
#	normal operation.  All the stealth options break RFC, so there's always the
#	possibility that it might affect how certain network applications react
#	to your system.

#
#	* Do not send RSTs on unserved TCP
#
#		Your machine will not send RSTs (connection resets)
#		on unserved TCP ports.  This will slow down portscanners a great deal,
#		since it has the same effect as dropping all packets to unserved TCP
#		ports.  It will also force clients connecting to a non-open port to
#		time out instead of immediately stating "connection refused."
#

# kernel/grsecurity/stealth_rst=0

#
#	* Do not reply to UDP with ICMP unreachables
#
#		Your machine will not reply with ICMP unreachable
#		packets (type 3) on UDP ports not waiting for data.  This hinders
#		portscanners from scanning your UDP ports.  Enabling the UDP stealth
#		options is known to slow down SSH connection times, and may also
#		interfere with other protocols as well.  Packets travelling across the
#		local loopback interface will not be tampered with.
#

# kernel/grsecurity/stealth_udp=0

#
#	* Do not process ICMP packets
#
#		Your machine will drop all ICMP packets but
#		echo-reply (Which allows you to ping from your machine, while not
#		allowing your machine to be pinged).  Since ICMP packets can be spoofed
#		and are commonly used in Denial of Service attacks, it is recommended
#		that you say Y here.  Theoretically, it is possible that this option
#		could hinder your ability to connect to certain hosts since it also
#		blocks "packet too large" icmp messages, though in reality this
#		occurance is rare.  Packets travelling across the local loopback
#		interface will not be tampered with.
#

# kernel/grsecurity/stealth_icmp=0

#
#	* Do not reply to IGMP requests
#
#		Your machine will drop all IGMP packets.  IGMP
#		stands for Internet Group Management Protocol.  Most users should
#		enable this option, unless you are actually connected to a multicast
#		network, which IGMP is used for.
#

# kernel/grsecurity/stealth_igmp=1

#
#	* Drop packets with illegitimate flags
#
#		Your machine will drop packets with TCP flags that
#		are never used in normal communication.  Such packets are used in
#		"stealth" scans, and should not be allowed.  It is recommended that
#		you say Y here.
#

# kernel/grsecurity/stealth_flags=0


###################
# Network Logging #
###################


# __________________________________
# Log requests to unserved TCP ports
#
#	Your machine will log requests to unserved TCP ports.
#

### kernel/grsecurity/stealth_rst_log=0

# __________________________________
# Log requests to unserved UDP ports
#
#	Your machine will log packets to UDP ports on your
#	system that are not waiting for data. Packets travelling across the
#	local loopback interface will not be logged.
#

### kernel/grsecurity/stealth_udp_log=0

# ________________
# Log ICMP packets
#
#	Your machine will log all ICMP packets but
#	echo-reply.  Packets travelling across the local loopback interface
#	will not be logged.
#

### kernel/grsecurity/stealth_icmp_log=0

# ___________________________________
# Log packets with illegitimate flags
#
#	Your machine will log packets with TCP flags that
#	are never used in normal communication.  Such packets are used in
#	"stealth" scans, and should not be allowed.
#

### kernel/grsecurity/stealth_flags_log=0



##############################
# Miscellaneous Enhancements #
##############################

# ___________________
# BSD-style coredumps
#
#	Linux will use a style similar to BSD for
#	coredumps, core.processname.  Not a security feature, just
#	a useful one.
#

# kernel/grsecurity/coredump=1



##################
# Sysctl support #
##################

# ______________
# Sysctl support
#
#	You will be able to change the options that
#	grsecurity runs with at bootup, without having to recompile your
#	kernel.  You can echo values to files in /proc/sys/kernel/grsecurity
#	to enable (1) or disable (0) various features.  All the sysctl entries
#	are mutable until the "grsec_lock" entry is set to a non-zero value.
#	All features are disabled by default. Please note that this option could
#	reduce the effectiveness of the added security of this patch if an ACL
#	system is not put in place.  Your init scripts should be read-only, and
#	root should not have access to adding modules or performing raw i/o
#	operations.  All options should be set at startup, and the grsec_lock
#	entry should be set to a non-zero value after all the options are set.
#	*THIS IS EXTREMELY IMPORTANT*
#

kernel/grsecurity/grsec_lock=0