Skip to content
Snippets Groups Projects
Normal view Permalink
hardened.mdwn 1.17 KiB
Newer Older
  • Learn to ignore specific revisions
    • rhatto's avatar
    Adds research/hardened
    rhatto committed
    1 
    [[!meta title="Hardened OS"]]
    rhatto's avatar
    Some new research  
    rhatto committed
    2 
    [[!tag research hardened grsecurity security]]
    rhatto's avatar
    Adds research/hardened
    rhatto committed
    3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 
    
grsecurity
----------

Basic install:

    sudo apt-get -t jessie-backports install linux-image-4.9.0-2-grsec-amd64 linux-image-grsec-amd64
    sudo apt-get install paxtest
    sudo usermod -aG grsec-tpe `whoami`

As root:

    echo "kernel.grsecurity.rwxmap_logging = 0" > /etc/sysctl.d/kernel.grsecurity.rwxmap_logging.conf 
    echo "kernel.grsecurity.grsec_lock = 1"     > /etc/sysctl.d/kernel.grsecurity.grsec_lock.conf

As regular user, after reboot:

    paxctl -cm /usr/bin/git-annex
    paxctl -cm /usr/bin/qemu-img
    paxctl -cm /usr/bin/qemu-system-x86_64
    rhatto's avatar
    Some new research  
    rhatto committed
    24 25 26 27 28 29 30 31 32 
    Further research
----------------

LXC unprivileged containers for GUI applications:

* [LXC 1.0: GUI in containers [9/10] | Stéphane Graber's website](https://stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/).
* [Configuring Unprivileged LXC containers in Debian Jessie](https://myles.sh/configuring-lxc-unprivileged-containers-in-debian-jessie/).
* [LXC - Debian Wiki](https://wiki.debian.org/LXC).
    rhatto's avatar
    Adds research/hardened
    rhatto committed
    33 34 35 36 37 38 
    References
----------

* https://micahflee.com/2016/01/debian-grsecurity/
* https://nixaid.com/grsec-in-docker/
* https://hardenedlinux.github.io/