grsecurity

grsecurity is a complete security system for Linux 2.4.

grsecurity Ranking & Summary

  • License: GPL
  • Price: FREE
  • Publisher Name: spender
  • Publisher web site: http://www.grsecurity.net/

grsecurity Description

grsecurity is a complete security system for Linux 2.4 that implements a detection/prevention/containment strategy. It prevents most forms of address space modification, confines programs via its Role-Based Access Control system, hardens syscalls, provides full-featured auditing, and implements many of the OpenBSD randomness features.

It was written for performance, ease-of-use, and security. The RBAC system has an intelligent learning mode that can generate least privilege policies for the entire system with no configuration. All of grsecurity supports a feature that logs the IP of the attacker that causes an alert or audit.

Here are some key features of "grsecurity":

Main Features:

  • Role-Based Access Control
  • User, group, and special roles
  • Domain support for users and groups
  • Role transition tables
  • IP-based roles
  • Non-root access to special roles
  • Special roles that require no authentication
  • Nested subjects
  • Variable support in configuration
  • And, or, and difference set operations on variables in configuration
  • Object mode that controls the creation of setuid and setgid files
  • Create and delete object modes
  • Kernel interpretation of inheritance
  • Real-time regular-expression resolution
  • Ability to deny ptraces to specific processes
  • User and group transition checking and enforcement on an inclusive or exclusive basis
  • /dev/grsec entry for kernel authentication and learning logs
  • Next-generation code that produces least-privilege policies for the entire system with no configuration
  • Policy statistics for gradm
  • Inheritance-based learning
  • Learning configuration file that allows the administrator to enable inheritance-based learning or disable learning on specific paths
  • Full pathnames for offending process and parent process
  • RBAC status function for gradm
  • /proc//ipaddr gives the remote address of the person who started a given process
  • Secure policy enforcement
  • Supports read, write, append, execute, view, and read-only ptrace object permissions
  • Supports hide, protect, and override subject flags
  • Supports the PaX flags
  • Shared memory protection feature
  • Integrated local attack response on all alerts
  • Subject flag that ensures a process can never execute trojaned code
  • Full-featured fine-grained auditing
  • Resource, socket, and capability support
  • Protection against exploit bruteforcing
  • /proc/pid filedescriptor/memory protection
  • Rules can be placed on non-existent files/processes
  • Policy regeneration on subjects and objects
  • Configurable log suppression
  • Configurable process accounting
  • Human-readable configuration
  • Not filesystem or architecture dependent
  • Scales well: supports as many policies as memory can handle with the same performance hit
  • No runtime memory allocation
  • SMP safe
  • O time efficiency for most operations
  • Include directive for specifying additional policies
  • Enable, disable, reload capabilities
  • Option to hide kernel processes

Chroot restrictions

  • No attaching shared memory outside of chroot
  • No kill outside of chroot
  • No ptrace outside of chroot (architecture independent)
  • No capget outside of chroot
  • No setpgid outside of chroot
  • No getpgid outside of chroot
  • No getsid outside of chroot
  • No sending of signals by fcntl outside of chroot
  • No viewing of any process outside of chroot, even if /proc is mounted
  • No mounting or remounting
  • No pivot_root
  • No double chroot
  • No fchdir out of chroot
  • Enforced chdir("/") upon chroot
  • No (f)chmod +s
  • No mknod
  • No sysctl writes
  • No raising of scheduler priority
  • No connecting to abstract unix domain sockets outside of chroot
  • Removal of harmful privileges via capabilities
  • Exec logging within chroot

Address space modification protection

  • PaX: Page-based implementation of non-executable user pages for i386, sparc, sparc64, alpha, parisc, amd64, ia64, and ppc; negligible performance hit on all i386 CPUs but Pentium 4
  • PaX: Segmentation-based implementation of non-executable user pages for i386 with no performance hit
  • PaX: Segmentation-based implementation of non-executable KERNEL pages for i386
  • PaX: Mprotect restrictions prevent new code from entering a task
  • PaX: Randomization of stack and mmap base for i386, sparc, sparc64, alpha, parisc, amd64, ia64, ppc, and mips
  • PaX: Randomization of heap base for i386, sparc, sparc64, alpha, parisc, amd64, ia64, ppc, and mips
  • PaX: Randomization of executable base for i386, sparc, sparc64, alpha, parisc, amd64, ia64, and ppc
  • PaX: Randomization of kernel stack
  • PaX: Automatically emulate sigreturn trampolines (for libc5, glibc 2.0, uClibc, Modula-3 compatibility)
  • PaX: No ELF .text relocations
  • PaX: Trampoline emulation (GCC and Linux sigreturn)
  • PaX: PLT emulation for non-i386 archs
  • No kernel modification via /dev/mem, /dev/kmem, or /dev/port
  • Option to disable use of raw I/O
  • Removal of addresses from /proc//

Auditing features

  • Option to specify single group to audit
  • Exec logging with arguments
  • Denied resource logging
  • Chdir logging
  • Mount and unmount logging
  • IPC creation/removal logging
  • Signal logging
  • Failed fork logging
  • Time change logging

Randomization features

  • Larger entropy pools
  • Randomized TCP Initial Sequence Numbers
  • Randomized PIDs
  • Randomized IP IDs
  • Randomized TCP source ports
  • Randomized RPC XIDs

Other features

  • /proc restrictions that don't leak information about process owners
  • Symlink/hardlink restrictions to prevent /tmp races
  • FIFO restrictions
  • Dmesg(8) restriction
  • Enhanced implementation of Trusted Path Execution
  • GID-based socket restrictions
  • Nearly all options are sysctl-tunable, with a locking mechanism
  • All alerts and audits support a feature that logs the IP address of the attacker with the log
  • Stream connections across unix domain sockets carry the attacker's IP address with them (on 2.4 only)
  • Detection of local connections: copies attacker's IP address to the other task
  • Automatic deterrence of exploit bruteforcing
  • Low, Medium, High, and Custom security levels
  • Tunable flood-time and burst for logging

What's New in This Release:

  • Fixes to PaX flag support in RBAC system.
  • PaX updates for non-x86 architectures in 2.4.34 patch.
  • A setpgid in chroot problem has been fixed.
  • The randomized PIDs feature has been removed.
  • This release fixes /proc usage in a chroot in 2.6 patch.
  • It adds an admin role to generated policy from full learning.
  • It resynchronizes the PaX code in the 2.4 patch.
  • It has been updated to Linux 2.4.34 and 2.6.19.2.