grsecurity is a set of patches for the Linux kernel with an emphasis on enhancing security. Among other things, it allows the system administrator to define a least-privilege policy for the system, in which every process and user has only the lowest privileges needed to function.

This book is intended as a comprehensive, up-to-date user guide to setting up and administering a grsecurity-enabled system.

Introduction

Overview
Terminology
How to Contribute

Installation

Obtaining Required Components
Downloading grsecurity
Downloading gradm
Downloading the Linux Kernel
Verifying the Downloads
Configuring and Installing grsecurity
Patching Your Kernel with grsecurity
Configuring the Kernel
Compiling and Installing the Kernel

Administration

The Administration Utility (gradm)
Installation
Usage
Learning Mode
Additional Utilities
Controlling PaX Flags (paxctl)
Displaying Program Capabilities (pspax)
Managing the Executable Stack of Binaries (execstack)
Runtime Configuration Through sysctl
Troubleshooting

Policy Configuration

The RBAC System in grsecurity
What Is an RBAC System?
Limitations of any Access Control System
Policy Structure
Rules for Policies
Roles
Subjects
Domains
Capability Restrictions
Resource Restrictions
Socket Policies
PaX Flags
Flow of Matches
Policy Recommendations
Sample Policies

Application-specific Settings

ATI Catalyst (fglrx)
cPanel jailshell
Firefox/Iceweasel
Google Chrome
Grub
GUFW/UFW firewalls or Update Manager
IOQuake3
ISC DHCP Server
Java
Nagios
Node.js
Openoffice.org
PHP and other applications that set their own resource limits
X.org

Reporting Bugs

Reporting bugs
Contacts
Requirements

Appendix

Lists

Grsecurity and PaX Configuration Options

Tables

Role Modes
Role Attributes
Subject Modes
Subject Attributes
Object Modes
PaX Flags
Capability Names and Descriptions
System Resources
Sysctl Options

Credits and Permissions

See Credits and Permissions for details about copyright and references of this document.

This article is issued from Wikibooks. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.