Comparison of Grsecurity protection levels

Anyone who has already worked with Grsecurity probably remembers that you can pick one of several protection levels (Low, Medium, High) or Custom, i.e. set by hand whatever your heart desires! So I searched the Internet for a sensible table comparing the options at each protection level, but never found one. I had to put it together myself. I hope this information helps you in some way and proves useful!

Comparison of protection levels

How to read the table (my reconstruction of the column layout, which the extracted page no longer shows): the automatic levels are cumulative, Medium includes everything in Low and High includes everything in Medium, so one mark means High only, two marks mean Medium and High, and three marks mean all three levels. The Custom column is empty because there every option is chosen by hand.

Option                                                        Custom  Low     Medium  High
Address Space Protection
  Deny writing to /dev/kmem, /dev/mem, and /dev/port                                  +
  Restrict VM86 mode                                                                  +
  Disable privileged I/O
  Remove addresses from /proc/<pid>/[smaps|maps|stat]                         +       +
  Deter exploit bruteforcing                                                          +
  Harden module auto-loading                                                          +
  Runtime module disabling
  Hide kernel symbols                                                                 +
  Active kernel exploit response                                                      +
Role Based Access Control Options
  Disable RBAC system
  Hide kernel processes
  Maximum tries before password lockout                               3       3       3
  Time to wait after max password tries, in seconds                   30      30      30
Filesystem Protections
  Proc restrictions                                                           +       +
  Restrict /proc to user only
  Allow special group                                                         +       +
  Additional restrictions                                                             +
  Linking restrictions                                                +       +       +
  FIFO restrictions                                                   +       +       +
  Sysfs/debugfs restriction                                                           +
  Runtime read-only mount protection
  Chroot jail restrictions                                            +       +       +
  Deny mounts                                                                 +       +
  Deny double-chroots                                                         +       +
  Deny pivot_root in chroot                                                   +       +
  Enforce chdir("/") on all chroots                                   +       +       +
  Deny (f)chmod +s                                                                    +
  Deny fchdir out of chroot                                                           +
  Deny mknod                                                                  +       +
  Deny shmat() out of chroot                                                          +
  Deny access to abstract AF_UNIX sockets out of chroot                       +       +
  Protect outside processes                                                           +
  Restrict priority changes                                                           +
  Deny sysctl writes                                                          +       +
  Capability restrictions                                                             +
Kernel auditing
  Single group for auditing
  Exec logging
  Resource logging                                                                    +
  Log execs within chroot
  Ptrace logging
  Chdir logging
  (Un)mount logging                                                                   +
  Signal logging                                                              +       +
  Fork failure logging                                                        +       +
  Time change logging                                                         +       +
  /proc/<pid>/ipaddr support
  Denied RWX mmap/mprotect logging
  ELF text relocations logging (READ HELP)
Executable Protections
  Enforce RLIMIT_NPROC on execs                                                       +
  Dmesg(8) restriction                                                +       +       +
  Deter ptrace-based process snooping                                                 +
  Trusted Path Execution (TPE)
  Partially restrict non-root users
  Invert GID options
Network Protections
  Larger entropy pools                                                +       +       +
  TCP/UDP blackhole
  Socket restrictions
  Deny any sockets to group
  Deny client sockets to group
  Deny server sockets to group
Sysctl support
  Sysctl support
  Extra sysctl support for distro makers
  Turn on features by default
Logging Options
  Seconds in between log messages (minimum)                           10      10      10
  Number of messages in a burst (maximum)                             6       6       6
PaX Kernel Configuration Options
PaX Control
  Support soft mode
  Use legacy ELF header marking                                               +       +
  Use ELF program header marking                                              +       +
  MAC system integration
Non-executable pages
  Enforce non-executable pages                                                        +
  Paging based non-executable pages                                                   +
  Segmentation based non-executable pages                                             +
  Emulate trampolines
  Restrict mprotect()                                                                 +
  Use legacy/compat protection demoting
  Allow ELF text relocations                                                          +
  Enforce non-executable kernel pages                                                 +
Address Space Layout Randomization
  Address Space Layout Randomization                                          +       +
  Randomize kernel stack base                                                         +
  Randomize user stack base                                                   +       +
  Randomize mmap() base                                                       +       +
Miscellaneous hardening features
  Sanitize all freed memory
  Prevent invalid userland pointer dereferences                                       +
  Prevent various kernel object reference counter overflows                   +       +
  Harden heap object copies between kernel and userland                       +       +
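As an added example (not part of the original post), a small Python audit script that checks a kernel .config for the option sets behind the table's Low, Medium and High columns and reports the highest level the config fully satisfies. The mapping from menu entries to CONFIG_GRKERNSEC_* / CONFIG_PAX_* symbols is my own assumption and covers only a subset of rows; verify it against the Kconfig of the kernel you audit. The sample .config is constructed inline.

```python
import re

# Assumed mapping (subset) from the table's rows to Kconfig symbols; verify
# against the grsecurity/PaX Kconfig of the kernel you audit. Levels are
# cumulative: High includes all of Medium, which includes all of Low.
LEVELS = {
    "Low": ["GRKERNSEC_LINK", "GRKERNSEC_FIFO", "GRKERNSEC_CHROOT",
            "GRKERNSEC_CHROOT_CHDIR", "GRKERNSEC_DMESG", "GRKERNSEC_RANDNET"],
    "Medium": ["GRKERNSEC_PROC_MEMMAP", "GRKERNSEC_PROC", "GRKERNSEC_CHROOT_MOUNT",
               "GRKERNSEC_CHROOT_DOUBLE", "GRKERNSEC_CHROOT_PIVOT",
               "GRKERNSEC_CHROOT_MKNOD", "GRKERNSEC_CHROOT_SYSCTL", "PAX_ASLR",
               "PAX_RANDUSTACK", "PAX_RANDMMAP", "PAX_REFCOUNT", "PAX_USERCOPY"],
    "High": ["GRKERNSEC_KMEM", "GRKERNSEC_VM86", "GRKERNSEC_BRUTE",
             "GRKERNSEC_MODHARDEN", "GRKERNSEC_HIDESYM", "GRKERNSEC_KERN_LOCKOUT",
             "PAX_NOEXEC", "PAX_PAGEEXEC", "PAX_MPROTECT", "PAX_KERNEXEC",
             "PAX_RANDKSTACK", "PAX_MEMORY_UDEREF"],
}
ORDER = ["Low", "Medium", "High"]

def parse_config(text):
    """Return the set of CONFIG_ symbols set to y or m in a .config text."""
    enabled = set()
    for line in text.splitlines():
        m = re.match(r"CONFIG_([A-Z0-9_]+)=[ym]$", line.strip())
        if m:
            enabled.add(m.group(1))
    return enabled

def missing_for(level, enabled):
    """Symbols the cumulative set of `level` needs that are not enabled."""
    needed = [s for lvl in ORDER[:ORDER.index(level) + 1] for s in LEVELS[lvl]]
    return [s for s in needed if s not in enabled]

def effective_level(enabled):
    """Highest level whose whole cumulative set is enabled, or None."""
    best = None
    for lvl in ORDER:
        if missing_for(lvl, enabled):
            break
        best = lvl
    return best

# Constructed sample .config: all Low and Medium options, only two High ones.
SAMPLE_CONFIG = "\n".join(
    ["CONFIG_%s=y" % s for s in LEVELS["Low"] + LEVELS["Medium"]]
    + ["CONFIG_GRKERNSEC_KMEM=y", "CONFIG_PAX_KERNEXEC=y",
       "# CONFIG_PAX_NOEXEC is not set"])

if __name__ == "__main__":
    enabled = parse_config(SAMPLE_CONFIG)
    print("effective level:", effective_level(enabled))   # Medium
    print("missing for High:", missing_for("High", enabled))
```

Run it against a real kernel with `parse_config(open("/boot/config-$(uname -r)").read())` (or `/proc/config.gz` after decompression) to see which rows of the High column your build is missing.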

Done 🙂

Author: admin, 25 February 2012
Categories: Linux, Security
