Grsecurity features

grsecurity 2.0 RBAC features
_________________________________________________________________

* Role-Based Access Control
* User, group, and special roles
* Role transition tables
* IP-based roles
* Non-root access to special roles
* Special roles that require no authentication
* Nested subjects
* Variable support in configuration
* And, or, and difference set operations on variables in configuration
* Object mode that controls the creation of setuid and setgid files
* Create and delete object modes
* Kernel interpretation of inheritance
* Real-time regular-expression resolution
* Ability to deny ptraces to specific processes
* User and group transition checking and enforcement on an inclusive or exclusive basis
* /dev/grsec entry for kernel authentication and learning logs
* Next-generation learning code that produces least-privilege policies for the entire system with no configuration
* Full pathnames for offending process and parent process
* RBAC status function for gradm
* /proc/<pid>/ipaddr gives the remote address of the person who started a given process
* All other features of the grsecurity 1.9.x MAC system

grsecurity 1.9.x MAC system features
_________________________________________________________________

* Process-based Mandatory Access Control
* Secure policy enforcement
* Supports read, write, append, execute, view, and read-only ptrace object permissions
* Supports hide, protect, and override subject flags
* Supports the PaX flags
* Shared memory protection feature
* Integrated local attack response on all alerts
* Subject flag that ensures a process can never execute trojaned code
* Intelligent learning mode that produces least-privilege ACLs with no configuration
* Full-featured fine-grained auditing
* Resource ACLs
* Socket ACLs
* File/process ACLs
* Capabilities
* Protection against exploit bruteforcing
* /proc/<pid> file descriptor and memory protection
* ACLs can be placed on non-existent files/processes
* ACL regeneration on subjects and objects
* Administrative mode to use for regular sysadmin tasks
* ACL system is resealed upon admin logout
* Globbing support on ACL objects
* Configurable log suppression
* Configurable process accounting
* Human-readable configuration
* Not filesystem dependent
* Not architecture dependent
* Scales well: supports as many ACLs as memory can handle
* No runtime memory allocation
* SMP safe
* O(1) time efficiency for most operations
* Include directive for specifying additional ACLs
* Enable, disable, reload capabilities
* Userspace option to test permissions on an ACL
* Option to hide kernel processes

Chroot restrictions
_________________________________________________________________

* No attaching shared memory outside of chroot
* No kill outside of chroot
* No ptrace outside of chroot (architecture independent)
* No capget outside of chroot
* No setpgid outside of chroot
* No getpgid outside of chroot
* No getsid outside of chroot
* No sending of signals by fcntl outside of chroot
* No viewing of any process outside of chroot, even if /proc is mounted
* No mounting or remounting
* No pivot_root
* No double chroot
* No fchdir out of chroot
* Enforced chdir("/") upon chroot
* No (f)chmod +s
* No mknod
* No sysctl writes
* No raising of scheduler priority
* No connecting to abstract unix domain sockets outside of chroot
* Removal of harmful privileges via capabilities
* Exec logging within chroot

Address space modification protection
_________________________________________________________________

* PaX: Page-based implementation of non-executable user pages for i386, sparc, sparc64, alpha, parisc, amd64, ia64, and ppc
* PaX: Segmentation-based implementation of non-executable user pages for i386 with negligible performance hit
* PaX: Segmentation-based implementation of non-executable KERNEL pages for i386
* PaX: Mprotect restrictions prevent new code from entering a task
* PaX: Randomization of stack and mmap base for i386, sparc, sparc64, alpha, parisc, amd64, ia64, ppc, and mips
* PaX: Randomization of heap base for i386, sparc, sparc64, alpha, parisc, amd64, ia64, ppc, and mips
* PaX: Randomization of executable base for i386, sparc, sparc64, alpha, parisc, amd64, ia64, and ppc
* PaX: Randomization of kernel stack
* PaX: Automatically emulate sigreturn trampolines (for libc5, glibc 2.0, uClibc, Modula-3 compatibility)
* PaX: No ELF .text relocations
* PaX: Trampoline emulation (GCC and linux sigreturn)
* PaX: PLT emulation for non-i386 archs
* No kernel modification via /dev/mem, /dev/kmem, or /dev/port
* Option to disable use of raw I/O
* Removal of addresses from /proc/<pid>/[maps|stat]

Auditing features
_________________________________________________________________

* Option to specify a single group to audit
* Exec logging with arguments
* Denied resource logging
* Chdir logging
* Mount and unmount logging
* IPC creation/removal logging
* Signal logging
* Failed fork logging
* Time change logging

Randomization features
_________________________________________________________________

* Larger entropy pools
* Randomized TCP Initial Sequence Numbers
* Randomized IP IDs
* Randomized TCP source ports
* Randomized RPC XIDs

Other features
_________________________________________________________________

* /proc restrictions that don't leak information about process owners
* Symlink/hardlink restrictions to prevent /tmp races
* FIFO restrictions
* dmesg(8) restriction
* Enhanced implementation of Trusted Path Execution
* GID-based socket restrictions
* Nearly all options are sysctl-tunable, with a locking mechanism
* All alerts and audits can include the IP address of the attacker in the log entry
* Stream connections across unix domain sockets carry the attacker's IP with them
* Detection of local connections: copies the attacker's IP to the other task
* Low, Medium, High, and Custom security levels
* Tunable flood-time and burst for logging
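The chroot restrictions and most of the other options above are switched on through sysctl and then frozen with the lock knob. The script below is an added example (it is not grsecurity or gradm code) that reads the knobs under /proc/sys/kernel/grsecurity/, reports which chroot restrictions are off or absent, and emits the sysctl commands to fix them with the lock written last. The knob names (chroot_deny_chroot, chroot_deny_fchdir, grsec_lock and so on) are assumptions based on grsecurity's sysctl tree and should be checked against the kernel you actually run; the SAMPLE_KNOBS dictionary is constructed so the check runs on a machine without grsecurity.

```python
"""Check that grsecurity's sysctl-tunable chroot restrictions are on and locked.

Added example, not code from grsecurity or gradm. Knob names under
/proc/sys/kernel/grsecurity/ are assumptions; verify them on your kernel.
"""
import os
from typing import Dict, List, Tuple

GRSEC_SYSCTL_DIR = "/proc/sys/kernel/grsecurity"
LOCK_KNOB = "grsec_lock"  # one-way lock: once 1, no knob changes until reboot

# Assumed knob names, mapped to the restriction each one switches on.
CHROOT_KNOBS: Dict[str, str] = {
    "chroot_deny_shmat": "no attaching shared memory outside of chroot",
    "chroot_deny_unix": "no connecting to abstract unix sockets outside of chroot",
    "chroot_findtask": "no kill/ptrace/getsid/viewing of processes outside of chroot",
    "chroot_deny_mount": "no mounting or remounting",
    "chroot_deny_pivot": "no pivot_root",
    "chroot_deny_chroot": "no double chroot",
    "chroot_deny_fchdir": "no fchdir out of chroot",
    "chroot_enforce_chdir": "enforced chdir('/') upon chroot",
    "chroot_deny_chmod": "no (f)chmod +s",
    "chroot_deny_mknod": "no mknod",
    "chroot_deny_sysctl": "no sysctl writes",
    "chroot_restrict_nice": "no raising of scheduler priority",
    "chroot_caps": "removal of harmful privileges via capabilities",
    "chroot_execlog": "exec logging within chroot",
}


def read_live_knobs(sysctl_dir: str = GRSEC_SYSCTL_DIR) -> Dict[str, int]:
    """Read every grsecurity knob present on this kernel ({} if none)."""
    knobs: Dict[str, int] = {}
    if not os.path.isdir(sysctl_dir):
        return knobs
    for name in os.listdir(sysctl_dir):
        try:
            with open(os.path.join(sysctl_dir, name)) as f:
                knobs[name] = int(f.read().strip())
        except (OSError, ValueError):
            continue  # unreadable or non-numeric knob: skip it
    return knobs


def audit_chroot_knobs(knobs: Dict[str, int]) -> Tuple[List[str], List[str], bool]:
    """Return (knobs set to 0, knobs this kernel lacks, whether grsec_lock is set)."""
    disabled = sorted(k for k in CHROOT_KNOBS if knobs.get(k) == 0)
    missing = sorted(k for k in CHROOT_KNOBS if k not in knobs)
    locked = knobs.get(LOCK_KNOB, 0) == 1
    return disabled, missing, locked


def remediation(knobs: Dict[str, int]) -> List[str]:
    """sysctl commands that enable the disabled restrictions, then lock.

    The lock must be the last write: after grsec_lock=1 the kernel refuses
    further changes to any grsecurity knob, so a sysctl.conf that sets the
    lock before the restrictions leaves them permanently off until reboot.
    An already-locked kernel cannot be corrected from userspace at all.
    """
    disabled, _missing, locked = audit_chroot_knobs(knobs)
    if locked:
        return []  # nothing can be changed; report only
    cmds = [f"sysctl -w kernel.grsecurity.{k}=1" for k in disabled]
    cmds.append(f"sysctl -w kernel.grsecurity.{LOCK_KNOB}=1")
    return cmds


# Constructed sample: two chroot knobs left off, one knob absent, no lock.
SAMPLE_KNOBS: Dict[str, int] = {k: 1 for k in CHROOT_KNOBS}
SAMPLE_KNOBS.update({"chroot_deny_fchdir": 0, "chroot_deny_chroot": 0, LOCK_KNOB: 0})
del SAMPLE_KNOBS["chroot_execlog"]  # pretend this kernel lacks the knob

if __name__ == "__main__":
    knobs = read_live_knobs() or SAMPLE_KNOBS
    disabled, missing, locked = audit_chroot_knobs(knobs)
    for k in disabled:
        print(f"OFF    {k:24} {CHROOT_KNOBS[k]}")
    for k in missing:
        print(f"ABSENT {k:24} (knob not present on this kernel)")
    print("locked:", locked)
    for cmd in remediation(knobs):
        print(cmd)
```

Run it as root on a grsecurity kernel to check the live tree; anywhere else it falls back to the constructed sample. A knob reported ABSENT usually means the option was compiled out or renamed, which is worth confirming rather than ignoring.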
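The alert and audit entries these features produce carry the full path of the offending process and its parent, their uid/euid and gid/egid, and, when known, the IP address of the attacker. The parser below is an added example, not part of grsecurity, that extracts those fields from kernel log lines, counts denials per source address, and picks out denials raised by a setuid-root process that an unprivileged remote user started. The sample lines are constructed to follow the shape of grsecurity's alerts ("grsec: From <ip>: <message> by <path>[<comm>:<pid>] uid/euid:... gid/egid:..., parent <path>[<comm>:<pid>] ..."); the message texts are invented, so confirm the exact wording against logs from your own kernel before relying on the regex.

```python
"""Parse grsecurity alert lines and summarize denials per attacker IP.

Added example; not grsecurity code. Sample lines are constructed in the
assumed alert format described in the lead-in.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# One task description: /path[comm:pid] uid/euid:U/E gid/egid:G/E.
# The {p} placeholder prefixes group names so the pattern can be reused
# for the parent task.
_TASK = (
    r"(?P<{p}path>\S+)\[(?P<{p}comm>[^\]:]+):(?P<{p}pid>\d+)\] "
    r"uid/euid:(?P<{p}uid>\d+)/(?P<{p}euid>\d+) "
    r"gid/egid:(?P<{p}gid>\d+)/(?P<{p}egid>\d+)"
)
ALERT_RE = re.compile(
    r"grsec: (?:From (?P<ip>[0-9A-Fa-f.:]+): )?(?P<msg>.+?) by "
    + _TASK.format(p="")
    + r", parent "
    + _TASK.format(p="p")
)

# Constructed sample log: one remote user (203.0.113.7) over sshd who is
# denied a chdir, runs sudo, and is denied a ptrace from the setuid-root
# sudo process; plus a purely local denial with no source address.
SAMPLE_LOG = """\
grsec: From 203.0.113.7: denied chdir to /root by /bin/bash[bash:2231] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/sbin/sshd[sshd:2229] uid/euid:0/0 gid/egid:0/0
grsec: From 203.0.113.7: exec of /usr/bin/sudo (sudo -i ) by /bin/bash[bash:2231] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/sbin/sshd[sshd:2229] uid/euid:0/0 gid/egid:0/0
grsec: From 203.0.113.7: denied ptrace of /usr/sbin/sshd[sshd:2229] by /usr/bin/sudo[sudo:2240] uid/euid:1000/0 gid/egid:1000/1000, parent /bin/bash[bash:2231] uid/euid:1000/1000 gid/egid:1000/1000
grsec: denied mknod of /dev/sda by /bin/mknod[mknod:4410] uid/euid:0/0 gid/egid:0/0, parent /bin/sh[sh:4400] uid/euid:0/0 gid/egid:0/0
"""


def _task(m: "re.Match[str]", p: str) -> Dict[str, object]:
    return {
        "path": m.group(p + "path"),
        "comm": m.group(p + "comm"),
        "pid": int(m.group(p + "pid")),
        "uid": int(m.group(p + "uid")),
        "euid": int(m.group(p + "euid")),
        "gid": int(m.group(p + "gid")),
        "egid": int(m.group(p + "egid")),
    }


def parse_alert(line: str) -> Optional[Dict[str, object]]:
    """Parse one line; search() tolerates a syslog prefix before 'grsec:'."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    msg = m.group("msg")
    return {
        "remote_ip": m.group("ip"),  # None when the kernel had no source address
        "kind": "denied" if msg.startswith("denied") else "audit",
        "message": msg,
        "process": _task(m, ""),
        "parent": _task(m, "p"),
    }


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse every recognizable alert line, silently skipping the rest."""
    events = (parse_alert(ln) for ln in text.splitlines())
    return [ev for ev in events if ev is not None]


def denials_by_source(events: List[Dict[str, object]]) -> Dict[str, int]:
    """Count denials per attacker IP; 'local' when no address was logged."""
    counts: Counter = Counter()
    for ev in events:
        if ev["kind"] == "denied":
            counts[ev["remote_ip"] or "local"] += 1
    return dict(counts)


def setuid_denials(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Denials where a process gained euid 0 via setuid from a non-root uid.

    A denial in this state is the pattern of a local root exploit attempt
    against a setuid binary, and the remote_ip says who launched it.
    """
    return [ev for ev in events
            if ev["kind"] == "denied"
            and ev["process"]["uid"] != 0 and ev["process"]["euid"] == 0]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("denials per source:", denials_by_source(evs))
    for ev in setuid_denials(evs):
        print("setuid-root denial from", ev["remote_ip"], ":", ev["message"],
              "by", ev["process"]["path"], "parent", ev["parent"]["path"])
```

Feed it `journalctl -k` or /var/log/kern.log output on a real system; the regex assumes no spaces in executable paths, which the feature list does not rule out, so unmatched lines are dropped rather than misparsed.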