#
# Copyright 1999-2007 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $
#
# Created by Wolfram Schlich <wschlich@gentoo.org>
# Feedback is greatly appreciated!
#
##
## GRsecurity sysctl options
##
#
# Every "kernel.grsecurity.*" line below is one sysctl key/value pair.
# Lines starting with "#" are disabled. As shipped, only the entries in
# the "Auditing & Logging" section are active; every other option is
# opt-in and has to be uncommented to take effect.
#
# Misc Restrictions
#
#kernel.grsecurity.execve_limiting = 1
#kernel.grsecurity.fifo_restrictions = 1
#kernel.grsecurity.linking_restrictions = 1
#kernel.grsecurity.dmesg = 1
#
# Misc Protections
#
#kernel.grsecurity.destroy_unused_shm = 1
#
# Socket Restrictions
#
# Each restriction is a pair: the "*_gid" entry names the group the
# restriction applies to, the matching entry without "_gid" is the toggle.
# NOTE(review): 1002-1005 are placeholder gids as written here; check that
# they correspond to groups that actually exist on the system before
# turning any of the toggles on.
#
#kernel.grsecurity.socket_server_gid = 1002
#kernel.grsecurity.socket_server = 1
#kernel.grsecurity.socket_client_gid = 1003
#kernel.grsecurity.socket_client = 1
#kernel.grsecurity.socket_all_gid = 1004
#kernel.grsecurity.socket_all = 1
#
# Trusted Path Execution
#
# Same gid/toggle pairing as the socket restrictions above.
#
#kernel.grsecurity.tpe_gid = 1005
#kernel.grsecurity.tpe = 1
#
# Chroot Restrictions
#
#kernel.grsecurity.chroot_findtask = 1
#kernel.grsecurity.chroot_deny_sysctl = 1
#kernel.grsecurity.chroot_caps = 1
#kernel.grsecurity.chroot_execlog = 1
#kernel.grsecurity.chroot_restrict_nice = 1
#kernel.grsecurity.chroot_deny_mknod = 1
#kernel.grsecurity.chroot_deny_chmod = 1
#kernel.grsecurity.chroot_enforce_chdir = 1
#kernel.grsecurity.chroot_deny_pivot = 1
#kernel.grsecurity.chroot_deny_chroot = 1
#kernel.grsecurity.chroot_deny_fchdir = 1
#kernel.grsecurity.chroot_deny_mount = 1
#kernel.grsecurity.chroot_deny_unix = 1
#kernel.grsecurity.chroot_deny_shmat = 1
#
# Auditing & Logging
#
# The only section enabled as shipped (not commented out). Going by their
# names these entries add kernel log output rather than restrict anything;
# confirm against the grsecurity documentation for the installed kernel.
#
kernel.grsecurity.audit_ipc = 1
kernel.grsecurity.audit_mount = 1
kernel.grsecurity.forkfail_logging = 1
kernel.grsecurity.resource_logging = 1
kernel.grsecurity.signal_logging = 1
kernel.grsecurity.timechange_logging = 1
#
# Disable the loading of modules
#
# NOTE(review): presumably only sensible once every module the system
# needs has already been loaded -- confirm before enabling.
#
#kernel.grsecurity.disable_modules = 1
#
# Finally lock the sysctl settings
#
# Kept as the last entry on purpose: the lock is meant to be applied after
# every value above has been set, so do not move it or add settings below it.
# NOTE(review): enabling this presumably makes the settings above read-only
# until the next reboot -- confirm before uncommenting.
#
#kernel.grsecurity.grsec_lock = 1