Кто уже сталкивался с Grsecurity наверняка помнит, что можно выставлять разные уровни защиты (Low, Medium, Hight) или Custom, т.е. вручную ставить все чего душа желает! Так вот, искал я в Интернете толковую таблицу для сравнения опций по каждом уровне защиты, но так и не нашел. Пришлось делать все самому. Надеюсь эта информация Вам как-то поможет и будет полезной!
| Сравнение уровней защиты | |||
| Custom | Low | Medium | High |
| Address Space Protection | |||
| Deny writing to /dev/kmem, /dev/mem, and /dev/port | + | ||
| Restrict VM86 mode | + | ||
| Disable privileged I/O | |||
| Remove addresses from /proc/<pid>/[smaps|maps|stat] | + | + | |
| Deter exploit bruteforcing | + | ||
| Harden module auto-loading | + | ||
| Runtime module disabling | |||
| Hide kernel symbols | + | ||
| Active kernel exploit response | + | ||
| Role Based Access Control Options | |||
| Disable RBAC system | |||
| Hide kernel processes | |||
| Maximum tries before password lockout | 3 | 3 | 3 |
| Time to wait after max password tries, in seconds | 30 | 30 | 30 |
| Filesystem Protections | |||
| Proc restrictions | + | + | |
| Restrict /proc to user only | |||
| Allow special group | + | + | |
| Additional restrictions | + | ||
| Linking restrictions | + | + | + |
| FIFO restrictions | + | + | + |
| Sysfs/debugfs restriction | + | ||
| Runtime read-only mount protection | |||
| Chroot jail restrictions | + | + | + |
| Deny mounts | + | + | |
| Deny double-chroots | + | + | |
| Deny pivot_root in chroot | + | + | |
| Enforce chdir(«/») on all chroots | + | + | + |
| Deny (f)chmod +s | + | ||
| Deny fchdir out of chroot | + | ||
| Deny mknod | + | + | |
| Deny shmat() out of chroot | + | ||
| Deny access to abstract AF_UNIX sockets out of chroot | + | + | |
| Protect outside processes | + | ||
| Restrict priority changes | + | ||
| Deny sysctl writes | + | + | |
| Capability restrictions | + | ||
| Kernel auditing | |||
| Single group for auditing | |||
| Exec logging | |||
| Resource logging | + | ||
| Log execs within chroot | |||
| Ptrace logging | |||
| Chdir logging | |||
| (Un)mount logging | + | ||
| Signal logging | + | + | |
| Fork failure logging | + | + | |
| Time change logging | + | + | |
| /proc/<pid>/ipaddr support | |||
| Denied RWX mmap/mprotect logging | |||
| ELF text relocations logging (READ HELP) | |||
| Executable Protections | |||
| Enforce RLMIT_NPROC on execs | + | ||
| Dmesg(8) restriction | + | + | + |
| Deter ptrace-based process snooping | + | ||
| Trusted Path Execution (TPE) | |||
| Partially restrict non-root users | |||
| Invert GID options | |||
| Network Protections | |||
| Larger entropy pools | + | + | + |
| TCP/UDP blackhole | |||
| Socket restrictions | |||
| Deny any sockets to group | |||
| Deny client sockets to group | |||
| Deny server sockets to group | |||
| Sysctl support | |||
| Sysctl support | |||
| Extra sysctl support for distro makers | |||
| Turn on features by default | |||
| Logging Options | |||
| Seconds in between log messages (minimum) | 10 | 10 | 10 |
| Number of messages in a burst (maximum) | 6 | 6 | 6 |
| PaX Kernel Configuration Options | |||
| PaX Control | |||
| Support soft mode | |||
| Use legacy ELF header marking | + | + | |
| Use ELF program header marking | + | + | |
| MAC system integration | |||
| Non-executable pages | |||
| Enforce non-executable pages | + | ||
| Paging based non-executable pages | + | ||
| Segmentation based non-executable pages | + | ||
| Emulate trampolines | |||
| Restrict mprotect() | + | ||
| Use legacy/compat protection demoting | |||
| Allow ELF text relocations | + | ||
| Enforce non-executable kernel pages | + | ||
| Address Space Layout Randomization | |||
| Address Space Layout Randomization | + | + | |
| Randomize kernel stack base | + | ||
| Randomize user stack base | + | + | |
| Randomize mmap() base | + | + | |
| Miscellaneous hardening features | |||
| Sanitize all freed memory | |||
| Sanitize all freed memory | |||
| Prevent invalid userland pointer dereferences | + | ||
| Prevent various kernel object reference counter overflows | + | + | |
| Harden heap object copies between kernel and userland | + | + | |
Done 🙂