
Installing and securing a Debian 3.0 stable workstation



15/05/2004




APPENDIX 12. GrSecurity Sysctl configuration




/etc/sysctl.conf.grsecurity:

### Grsecurity restrictions
# Update this script to suit your needs (at least the GIDs), then test
# it with sysctl -p /etc/sysctl.conf.grsecurity

# Filesystem protection
kernel/grsecurity/chroot_caps=1
kernel/grsecurity/chroot_deny_chmod=1
kernel/grsecurity/chroot_deny_chroot=1
kernel/grsecurity/chroot_deny_fchdir=1
kernel/grsecurity/chroot_deny_mknod=1
kernel/grsecurity/chroot_deny_mount=1
kernel/grsecurity/chroot_deny_pivot=1
kernel/grsecurity/chroot_deny_shmat=1
kernel/grsecurity/chroot_deny_sysctl=1
kernel/grsecurity/chroot_deny_unix=1
kernel/grsecurity/chroot_enforce_chdir=1
kernel/grsecurity/chroot_findtask=1
kernel/grsecurity/chroot_restrict_nice=1
kernel/grsecurity/fifo_restrictions=1
kernel/grsecurity/linking_restrictions=1

# Executable protection
kernel/grsecurity/dmesg=1
kernel/grsecurity/execve_limiting=1
# Execution in WR_ONLY_FOR_ROOT directories?
kernel/grsecurity/tpe=1
# For this group
kernel/grsecurity/tpe_gid=1006
# For everyone else: not group/world writable and WR_ONLY_FOR_ROOT?
kernel/grsecurity/tpe_restrict_all=0
kernel/grsecurity/rand_pids=1

# Network protection
kernel/grsecurity/rand_ip_ids=1
kernel/grsecurity/rand_isns=1
kernel/grsecurity/rand_rpc=1
kernel/grsecurity/rand_tcp_src_ports=1
# No server / no connect?
kernel/grsecurity/socket_all=1
# For this group
kernel/grsecurity/socket_all_gid=1007
# No connect?
kernel/grsecurity/socket_client=1
# For this group
kernel/grsecurity/socket_client_gid=1008
# No server?
kernel/grsecurity/socket_server=1
# For this group
kernel/grsecurity/socket_server_gid=1009

# Information reporting via the kernel logs
# Enable?
kernel/grsecurity/audit_group=1
# For this group
kernel/grsecurity/audit_gid=1010
kernel/grsecurity/exec_logging=1
kernel/grsecurity/audit_chdir=1
kernel/grsecurity/audit_mount=1
kernel/grsecurity/audit_ipc=1
kernel/grsecurity/signal_logging=0
kernel/grsecurity/forkfail_logging=1
kernel/grsecurity/timechange_logging=1
kernel/grsecurity/chroot_execlog=1

# Enable access control lists
kernel/grsecurity/acl=1

# Enable security (be careful what you do!!!)
kernel/grsecurity/grsec_lock=0
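
The file above asks you to adapt at least the GIDs before loading it. The following check is an added example, not part of the original guide: it lists every *_gid setting whose value has no entry in the group database. The function name check_grsec_gids and the sample group names are hypothetical, and it assumes each GID is meant to match a group defined in /etc/group.

```sh
# check_grsec_gids CONF [GROUPFILE]
# Prints "key=gid" for each *_gid setting in CONF whose GID is absent from
# GROUPFILE (default /etc/group). Returns 1 if any are missing, else 0.
check_grsec_gids() {
    conf=$1
    groups=${2:-/etc/group}
    missing=$(awk -F: '
        # First file: group database, third field is the numeric GID.
        FILENAME == ARGV[1] { known[$3] = 1; next }
        # Second file: skip comment lines and blank lines.
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/[ \t]*#.*$/, "", line)      # drop a trailing comment
            if (split(line, kv, "=") != 2) next
            key = kv[1]; val = kv[2]
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key ~ /_gid$/ && !(val in known)) print key "=" val
        }
    ' "$groups" "$conf")
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample input: GID 1007 has no matching group entry.
tmp=$(mktemp -d)
printf 'tpe:x:1006:\naudit:x:1010:\n' > "$tmp/group"
printf '%s\n' 'kernel/grsecurity/tpe_gid=1006' \
    'kernel/grsecurity/socket_all_gid=1007' \
    'kernel/grsecurity/audit_gid=1010' > "$tmp/conf"
check_grsec_gids "$tmp/conf" "$tmp/group" || echo "adapt the GIDs above before sysctl -p"
rm -rf "$tmp"
```

Run it against the real file before setting grsec_lock, since the page flags that setting as the one to be careful with.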


Copyright (c) 2003 Simon Castro, scastro [ at ] entreelibre.com.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with the Invariant Sections being LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.
You must have received a copy of the license with this document and it should be present in the fdl.txt file.
If you did not receive this file or if you don't think this fdl.txt license is correct, have a look on the official http://www.fsf.org/licenses/fdl.txt licence file.