grsecurity 2.1.9 review

by on

grsecurity is a complete security system for Linux 2.4 that implements a detection/prevention/containment strategy

License: GPL (GNU General Public License)
File size: 60K
Developer: spender
0 stars award from

grsecurity is a complete security system for Linux 2.4 that implements a detection/prevention/containment strategy. It prevents most forms of address space modification, confines programs via its Role-Based Access Control system, hardens syscalls, provides full-featured auditing, and implements many of the OpenBSD randomness features.

It was written for performance, ease-of-use, and security. The RBAC system has an intelligent learning mode that can generate least privilege policies for the entire system with no configuration. All of grsecurity supports a feature that logs the IP of the attacker that causes an alert or audit.

Here are some key features of "grsecurity":
Main Futures:

Role-Based Access Control
User, group, and special roles
Domain support for users and groups
Role transition tables
IP-based roles
Non-root access to special roles
Special roles that require no authentication
Nested subjects
Variable support in configuration
And, or, and difference set operations on variables in configuration
Object mode that controls the creation of setuid and setgid files
Create and delete object modes
Kernel interpretation of inheritance
Real-time regular-expression resolution
Ability to deny ptraces to specific processes
User and group transition checking and enforcement on an inclusive or exclusive basis
/dev/grsec entry for kernel authentication and learning logs
Next-generation code that produces least-privilege policies for the entire system with no configuration
Policy statistics for gradm
Inheritance-based learning
Learning configuration file that allows the administrator to enable inheritance-based learning or disable learning on specific paths
Full pathnames for offending process and parent process
RBAC status function for gradm
/proc//ipaddr gives the remote address of the person who started a given process
Secure policy enforcement
Supports read, write, append, execute, view, and read-only ptrace object permissions
Supports hide, protect, and override subject flags
Supports the PaX flags
Shared memory protection feature
Integrated local attack response on all alerts
Subject flag that ensures a process can never execute trojaned code
Full-featured fine-grained auditing
Resource, socket, and capability support
Protection against exploit bruteforcing
/proc/pid filedescriptor/memory protection
Rules can be placed on non-existent files/processes
Policy regeneration on subjects and objects
Configurable log suppression
Configurable process accounting
Human-readable configuration
Not filesystem or architecture dependent
Scales well: supports as many policies as memory can handle with the same performance hit
No runtime memory allocation
SMP safe
O time efficiency for most operations
Include directive for specifying additional policies
Enable, disable, reload capabilities
Option to hide kernel processes

Chroot restrictions

No attaching shared memory outside of chroot
No kill outside of chroot
No ptrace outside of chroot (architecture independent)
No capget outside of chroot
No setpgid outside of chroot
No getpgid outside of chroot
No getsid outside of chroot
No sending of signals by fcntl outside of chroot
No viewing of any process outside of chroot, even if /proc is mounted
No mounting or remounting
No pivot_root
No double chroot
No fchdir out of chroot
Enforced chdir("/") upon chroot
No (f)chmod +s
No mknod
No sysctl writes
No raising of scheduler priority
No connecting to abstract unix domain sockets outside of chroot
Removal of harmful privileges via capabilities
Exec logging within chroot

Address space modification protection

PaX: Page-based implementation of non-executable user pages for i386, sparc, sparc64, alpha, parisc, amd64, ia64, and ppc; negligible performance hit on all i386 CPUs but Pentium 4
PaX: Segmentation-based implementation of non-executable user pages for i386 with no performance hit
PaX: Segmentation-based implementation of non-executable KERNEL pages for i386
PaX: Mprotect restrictions prevent new code from entering a task
PaX: Randomization of stack and mmap base for i386, sparc, sparc64, alpha, parisc, amd64, ia64, ppc, and mips
PaX: Randomization of heap base for i386, sparc, sparc64, alpha, parisc, amd64, ia64, ppc, and mips
PaX: Randomization of executable base for i386, sparc, sparc64, alpha, parisc, amd64, ia64, and ppc
PaX: Randomization of kernel stack
PaX: Automatically emulate sigreturn trampolines (for libc5, glibc 2.0, uClibc, Modula-3 compatibility)
PaX: No ELF .text relocations
PaX: Trampoline emulation (GCC and linux sigreturn)
PaX: PLT emulation for non-i386 archs
No kernel modification via /dev/mem, /dev/kmem, or /dev/port
Option to disable use of raw I/O
Removal of addresses from /proc//[maps|stat]

Auditing features

Option to specify single group to audit
Exec logging with arguments
Denied resource logging
Chdir logging
Mount and unmount logging
IPC creation/removal logging
Signal logging
Failed fork logging
Time change logging

Randomization features

Larger entropy pools
Randomized TCP Initial Sequence Numbers
Randomized PIDs
Randomized IP IDs
Randomized TCP source ports
Randomized RPC XIDs

Other features

/proc restrictions that don't leak information about process owners
Symlink/hardlink restrictions to prevent /tmp races
FIFO restrictions
Dmesg(8) restriction
Enhanced implementation of Trusted Path Execution
GID-based socket restrictions
Nearly all options are sysctl-tunable, with a locking mechanism
All alerts and audits support a feature that logs the IP address of the attacker with the log
Stream connections across unix domain sockets carry the attacker's IP address with them (on 2.4 only)
Detection of local connections: copies attacker's IP address to the other task
Automatic deterrence of exploit bruteforcing
Low, Medium, High, and Custom security levels
Tunable flood-time and burst for logging

What's New in This Release:
Changes include RBAC system bugfixes and two new PaX features, one which deters physical memory forensics by an attacker, and another that prevents an entire class of kernel vulnerabilities from being exploited.
Updated to the 2.4.33 and Linux kernels.

grsecurity 2.1.9 search tags