Grsecurity

grsecurity is a set of patches for the Linux kernel with an emphasis on enhancing security. Among other things, it allows the system administrator to define a least-privilege policy for the system, in which every process and user has only the lowest privileges needed to function.

This book is intended as a comprehensive, up-to-date user guide to setting up and administering a grsecurity-enabled system.

Introduction

 * Overview
 * Terminology
 * How to Contribute

Installation

 * Obtaining Required Components
 * Downloading grsecurity
 * Downloading gradm
 * Downloading the Linux Kernel
 * Verifying the Downloads
 * Configuring and Installing grsecurity
 * Patching Your Kernel with grsecurity
 * Configuring the Kernel
 * Compiling and Installing the Kernel

Administration

 * The Administration Utility (gradm)
 * Installation
 * Usage
 * Learning Mode
 * Additional Utilities
 * Controlling PaX Flags (paxctl)
 * Displaying Program Capabilities (pspax)
 * Managing the Executable Stack of Binaries (execstack)
 * Runtime Configuration Through sysctl
 * Troubleshooting

Policy Configuration

 * The RBAC System in grsecurity
 * What Is an RBAC System?
 * Limitations of any Access Control System
 * Policy Structure
 * Rules for Policies
 * Roles
 * Subjects
 * Domains
 * Capability Restrictions
 * Resource Restrictions
 * Socket Policies
 * PaX Flags
 * Flow of Matches
 * Policy Recommendations
 * Sample Policies

Application-specific Settings

 * ATI Catalyst (fglrx)
 * cPanel jailshell
 * Firefox/Iceweasel
 * Google Chrome
 * Grub
 * GUFW/UFW firewalls or Update Manager
 * IOQuake3
 * ISC DHCP Server
 * Java
 * Nagios
 * Node.js
 * Openoffice.org
 * PHP and other applications that set their own resource limits
 * X.org

Reporting Bugs

 * Reporting bugs
 * Contacts
 * Requirements

Lists

 * Grsecurity and PaX Configuration Options

Tables

 * Role Modes
 * Role Attributes
 * Subject Modes
 * Subject Attributes
 * Object Modes
 * PaX Flags
 * Capability Names and Descriptions
 * System Resources
 * Sysctl Options

Credits and Permissions
See Credits and Permissions for details about copyright and references of this document.