More News >>  

Install Stable:
2.2.0-2.6.32.19
Last updated: 08/19/10

Test:
2.2.0-2.6.34.4
Last updated: 08/19/10
grsecurity 2.0 RBAC features
  • Role-Based Access Control
  • User, group, and special roles
  • Domain support for users and groups
  • Role transition tables
  • IP-based roles
  • Non-root access to special roles
  • Special roles that require no authentication
  • Nested subjects
  • Variable support in configuration
  • And, or, and difference set operations on variables in configuration
  • Object mode that controls the creation of setuid and setgid files
  • Create and delete object modes
  • Kernel interpretation of inheritance
  • Real-time regular-expression resolution
  • Ability to deny ptraces to specific processes
  • User and group transition checking and enforcement on an inclusive or exclusive basis
  • /dev/grsec entry for kernel authentication and learning logs
  • Next-generation code that produces least-privilege policies for the entire system with no configuration
  • Policy statistics for gradm
  • Inheritance-based learning
  • Learning configuration file that allows the administrator to enable inheritance-based learning or disable learning on specific paths
  • Full pathnames for offending process and parent process
  • RBAC status function for gradm
  • /proc/<pid>/ipaddr gives the remote address of the person who started a given process
  • Secure policy enforcement
  • Supports read, write, append, execute, view, and read-only ptrace object permissions
  • Supports hide, protect, and override subject flags
  • Supports the PaX flags
  • Shared memory protection feature
  • Integrated local attack response on all alerts
  • Subject flag that ensures a process can never execute trojaned code
  • Full-featured fine-grained auditing
  • Resource, socket, and capability support
  • Protection against exploit bruteforcing
  • /proc/pid filedescriptor/memory protection
  • Rules can be placed on non-existent files/processes
  • Policy regeneration on subjects and objects
  • Configurable log suppression
  • Configurable process accounting
  • Human-readable configuration
  • Not filesystem or architecture dependent
  • Scales well: supports as many policies as memory can handle with the same performance hit
  • No runtime memory allocation
  • SMP safe
  • O(1) time efficiency for most operations
  • Include directive for specifying additional policies
  • Enable, disable, reload capabilities
  • Option to hide kernel processes
  • Force applications to use specified source IPs (useful for chrooted environments
Chroot restrictions
  • No attaching shared memory outside of chroot
  • No kill outside of chroot
  • No ptrace outside of chroot (architecture independent)
  • No capget outside of chroot
  • No setpgid outside of chroot
  • No getpgid outside of chroot
  • No getsid outside of chroot
  • No sending of signals by fcntl outside of chroot
  • No viewing of any process outside of chroot, even if /proc is mounted
  • No mounting or remounting
  • No pivot_root
  • No double chroot
  • No fchdir out of chroot
  • Enforced chdir("/") upon chroot
  • No (f)chmod +s
  • No mknod
  • No sysctl writes
  • No raising of scheduler priority
  • No connecting to abstract unix domain sockets outside of chroot
  • Removal of harmful privileges via capabilities
  • Exec logging within chroot
Address space modification protection
  • PaX: Page-based implementation of non-executable user pages for i386, sparc, sparc64, alpha, parisc, amd64, ia64, ppc, svr32, and arm; negligible performance hit on all i386 CPUs but Pentium 4
  • PaX: Segmentation-based implementation of non-executable user pages for i386 with no performance hit
  • PaX: Segmentation-based implementation of non-executable KERNEL pages for i386
  • PaX: Mprotect restrictions prevent new code from entering a task
  • PaX: Randomization of stack and mmap base for i386, sparc, sparc64, alpha, parisc, amd64, ia64, ppc, mips, and arm
  • PaX: Randomization of heap base for i386, sparc, sparc64, alpha, parisc, amd64, ia64, ppc, mips, and arm
  • PaX: Randomization of kernel stack
  • PaX: Protection against exploitation of all null ptr dereference bugs
  • PaX: Protection against exploitation of refcount overflow bugs
  • PaX: Physical memory sanitization to reduce severity of kernel infoleaks and deter some heap exploitation vectors
  • PaX: Bounds checking on kernel objects when copying to/from userland
  • PaX: Automatically emulate sigreturn trampolines (for libc5, glibc 2.0, uClibc, Modula-3 compatibility)
  • PaX: No ELF .text relocations
  • PaX: Trampoline emulation (GCC and linux sigreturn)
  • PaX: PLT emulation for non-i386 archs
  • No kernel modification via /dev/mem, /dev/kmem, or /dev/port
  • Option to disable use of raw I/O
  • Removal of addresses from /proc/<pid>/[maps|stat]
Auditing features
  • Option to specify single group to audit
  • Exec logging with arguments
  • Denied resource logging
  • Chdir logging
  • Mount and unmount logging
  • IPC creation/removal logging
  • Signal logging
  • Failed fork logging
  • Time change logging
Other features
  • /proc restrictions that don't leak information about process owners
  • Symlink/hardlink restrictions to prevent /tmp races
  • FIFO restrictions
  • Dmesg(8) restriction
  • Enhanced implementation of Trusted Path Execution
  • TCP/UDP Blackholing
  • Prevention of ptrace-based malicious process/tty sniffers
  • Module auto-loading restrictions for non-root users
  • Hiding of kernel symbols from non-root users, as well as auto-lockdown of common paths containing symbol mappings or kernel images
  • GID-based socket restrictions
  • Nearly all options are sysctl-tunable, with a locking mechanism
  • All alerts and audits support a feature that logs the IP address of the attacker with the log
  • Stream connections across unix domain sockets carry the attacker's IP address with them (on 2.4 only)
  • Detection of local connections: copies attacker's IP address to the other task
  • Automatic deterrence of exploit bruteforcing
  • Low, Medium, High, and Custom security levels
  • Tunable flood-time and burst for logging

Site design by Hal Bergman