Security

grsecurity – add critical hardening to the Linux kernel

grsecurity is an innovative set of patches for the Linux kernel with an emphasis on strengthening the security of a computer system.

grsecurity allows the system administrator to, among other things, define a least privilege policy for the system, in which every process and user have only the lowest privileges needed to function. It is typically used when hosts need to permit remote connections from untrusted sources, such as ssh and web servers.

It prevents most forms of address space modification, confines programs via its Role-Based Access Control system, hardens syscalls, provides full-featured auditing, and implements many of the OpenBSD randomness features. Development of grsecurity is sponsored by a number of organisations including Prometheus Global.

Features include:

    • Written for performance, security and ease-of use.
    • Utilizes a multi-layered detection, prevention, and containment model.
    • Buffer overflow exploitation prevention.
    • An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration. The RBAC system lets an administrator to restrict access to files, capabilities, resources, or sockets to all users, including root. This is similar to a Mandatory Access Control (MAC) model.
    • /tmp race vulnerability prevention.
    • Extensive auditing:
      • Option to specify single group to audit.
      • Exec logging with arguments.
      • Denied resource logging.
      • Chdir logging.
      • Mount and unmount logging.
      • IPC creation/removal logging.
      • Signal logging.
      • Failed fork logging.
      • Time change logging.
      • RWX map logging.
    • Trusted path execution.
    • Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc).
    • Prevention of arbitrary code execution in the kernel.
    • Randomization of the stack, library, and heap bases.
    • Kernel stack base randomization.
    • Protection against exploitable null-pointer dereference bugs in the kernel.
    • Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs.
    • A restriction that allows a user to only view his/her processes.
    • Security alerts and audits that contain the IP address of the person causing the alert.
    • /proc restrictions that don’t leak information about process owners.
    • Symlink/hardlink restrictions to prevent /tmp races.
    • FIFO restrictions.
    • Dmesg restriction.
    • Enhanced implementation of Trusted Path Execution.
    • GID-based socket restrictions.
    • Nearly all options are sysctl-tunable, with a locking mechanism.
    • All alerts and audits support a feature that logs the IP address of the attacker with the log.
    • Stream connections across unix domain sockets carry the attacker’s IP address with them (on 2.4 only).
    • Detection of local connections: copies attacker’s IP address to the other task.
    • Automatic deterrence of exploit brute-forcing.
    • Low, Medium, High, and Custom security levels.
    • Tunable flood-time and burst for logging.
    • Change root (chroot) hardening:
      • No attaching shared memory outside of chroot.
      • No kill outside of chroot.
      • No ptrace outside of chroot (architecture independent).
      • No capget outside of chroot.
      • No setpgid outside of chroot.
      • No getpgid outside of chroot.
      • No getsid outside of chroot.
      • No sending of signals by fcntl outside of chroot.
      • No viewing of any process outside of chroot, even if /proc is mounted.
      • No mounting or remounting.
      • No pivot_root.
      • No double chroot.
      • No fchdir out of chroot.
      • Enforced chdir(“/”) upon chroot.
      • No (f)chmod +s.
      • No mknod.
      • No sysctl writes.
      • No raising of scheduler priority.
      • No connecting to abstract unix domain sockets outside of chroot.
      • Removal of harmful privileges via cap.

Website: grsecurity.net
Support:
Developer: Brad Spengler
License: GNU General Public License

Return to MAC/RBAC Tools


Popular series
Free and Open Source SoftwareThe largest compilation of the best free and open source software in the universe. Each article is supplied with a legendary ratings chart helping you to make informed decisions.
ReviewsHundreds of in-depth reviews offering our unbiased and expert opinion on software. We offer helpful and impartial information.
The Big List of Active Linux Distros is a large compilation of actively developed Linux distributions.
Alternatives to Proprietary SoftwareReplace proprietary software with open source alternatives: Google, Microsoft, Apple, Adobe, IBM, Autodesk, Oracle, Atlassian, Corel, Cisco, Intuit, and SAS.
GamesAwesome Free Linux Games Tools showcases a series of tools that making gaming on Linux a more pleasurable experience. This is a new series.
Artificial intelligence iconMachine Learning explores practical applications of machine learning and deep learning from a Linux perspective. We've written reviews of more than 40 self-hosted apps. All are free and open source.
Guide to LinuxNew to Linux? Read our Linux for Starters series. We start right at the basics and teach you everything you need to know to get started with Linux.
Alternatives to popular CLI tools showcases essential tools that are modern replacements for core Linux utilities.
System ToolsEssential Linux system tools focuses on small, indispensable utilities, useful for system administrators as well as regular users.
ProductivityLinux utilities to maximise your productivity. Small, indispensable tools, useful for anyone running a Linux machine.
AudioSurveys popular streaming services from a Linux perspective: Amazon Music Unlimited, Myuzi, Spotify, Deezer, Tidal.
Saving Money with LinuxSaving Money with Linux looks at how you can reduce your energy bills running Linux.
Home ComputersHome computers became commonplace in the 1980s. Emulate home computers including the Commodore 64, Amiga, Atari ST, ZX81, Amstrad CPC, and ZX Spectrum.
Now and ThenNow and Then examines how promising open source software fared over the years. It can be a bumpy ride.
Linux at HomeLinux at Home looks at a range of home activities where Linux can play its part, making the most of our time at home, keeping active and engaged.
Linux CandyLinux Candy reveals the lighter side of Linux. Have some fun and escape from the daily drudgery.
DockerGetting Started with Docker helps you master Docker, a set of platform as a service products that delivers software in packages called containers.
Android AppsBest Free Android Apps. We showcase free Android apps that are definitely worth downloading. There's a strict eligibility criteria for inclusion in this series.
Programming BooksThese best free books accelerate your learning of every programming language. Learn a new language today!
Programming TutorialsThese free tutorials offer the perfect tonic to our free programming books series.
Linux Around The WorldLinux Around The World showcases usergroups that are relevant to Linux enthusiasts. Great ways to meet up with fellow enthusiasts.
Stars and StripesStars and Stripes is an occasional series looking at the impact of Linux in the USA.
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Please read our Comment FAQ before posting a comment.

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments