LinuxLinks.com
Newbies What Next ? News Forums Calendar

Search





News Sections
Home
General News (3983/0)
Reviews (632/0)
Press Releases (465/0)
Distributions (193/0)
Software (895/0)
Hardware (527/0)
Security (192/0)
Tutorials (350/0)
Off Topic (181/0)


User Functions
Username:

Password:

Don't have an account yet? Sign up as a New User


Events
There are no upcoming events




grsecurity

grsecurity

grsecurity is an innovative set of patches for the Linux kernel with an emphasis on strengthening the security of a computer system.

grsecurity allows the system administrator to, among other things, define a least privilege policy for the system, in which every process and user have only the lowest privileges needed to function. It is typically used when hosts need to permit remote connections from untrusted sources, such as ssh and web servers.

It prevents most forms of address space modification, confines programs via its Role-Based Access Control system, hardens syscalls, provides full-featured auditing, and implements many of the OpenBSD randomness features. Development of grsecurity is sponsored by a number of organisations including Prometheus Global.

 grsecurity 3.0-3.2.59

Price
Free to download

Size
2.0MB
License

GNU GPL

Developer
Brad Spengler

Website
grsecurity.net

System Requirements
Matching version of gradm
Full source code of the Linux kernel

Support:
Wiki, Forums

Selected Reviews:
Cyberciti, Symantec, University of Virginia

Features include:

  • Written for performance, security and ease-of use
  • Utilizes a multi-layered detection, prevention, and containment model
  • Buffer overflow exploitation prevention
  • An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration. The RBAC system lets an administrator to restrict access to files, capabilities, resources, or sockets to all users, including root. This is similar to a Mandatory Access Control (MAC) model
  • /tmp race vulnerability prevention
  • Extensive auditing
    • Option to specify single group to audit
    • Exec logging with arguments
    • Denied resource logging
    • Chdir logging
    • Mount and unmount logging
    • IPC creation/removal logging
    • Signal logging
    • Failed fork logging
    • Time change logging
    • RWX map logging
  • Trusted path execution
  • Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc)
  • Prevention of arbitrary code execution in the kernel
  • Randomization of the stack, library, and heap bases
  • Kernel stack base randomization
  • Protection against exploitable null-pointer dereference bugs in the kernel
  • Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
  • A restriction that allows a user to only view his/her processes
  • Security alerts and audits that contain the IP address of the person causing the alert
  • /proc restrictions that don't leak information about process owners
  • Symlink/hardlink restrictions to prevent /tmp races
  • FIFO restrictions
  • Dmesg restriction
  • Enhanced implementation of Trusted Path Execution
  • GID-based socket restrictions
  • Nearly all options are sysctl-tunable, with a locking mechanism
  • All alerts and audits support a feature that logs the IP address of the attacker with the log
  • Stream connections across unix domain sockets carry the attacker's IP address with them (on 2.4 only)
  • Detection of local connections: copies attacker's IP address to the other task
  • Automatic deterrence of exploit brute-forcing
  • Low, Medium, High, and Custom security levels
  • Tunable flood-time and burst for logging
  • Change root (chroot) hardening
    • No attaching shared memory outside of chroot
    • No kill outside of chroot
    • No ptrace outside of chroot (architecture independent)
    • No capget outside of chroot
    • No setpgid outside of chroot
    • No getpgid outside of chroot
    • No getsid outside of chroot
    • No sending of signals by fcntl outside of chroot
    • No viewing of any process outside of chroot, even if /proc is mounted
    • No mounting or remounting
    • No pivot_root
    • No double chroot
    • No fchdir out of chroot
    • Enforced chdir("/") upon chroot
    • No (f)chmod +s
    • No mknod
    • No sysctl writes
    • No raising of scheduler priority
    • No connecting to abstract unix domain sockets outside of chroot
    • Removal of harmful privileges via cap
Return to MAC/RBAC Tools Home Page

Bookmark and Share


Last Updated Monday, May 26 2014 @ 12:26 PM EDT


We have written a range of guides highlighting excellent free books for popular programming languages. Check out the following guides: C, C++, C#, Java, JavaScript, CoffeeScript, HTML, Python, Ruby, Perl, Haskell, PHP, Lisp, R, Prolog, Scala, Scheme, Forth, SQL, Node.js (new), Fortran (new), Erlang (new), Pascal (new), and Ada (new).


Group Tests
All Group Tests

Top Free Software
5 Office Suites
7 Document Processors
6 Lean Desktops
6 Desktop Search
9 Project Management
9 Groupware Apps
14 File Managers
10 Databases
21 Backup Tools
21 DVD Tools
21 Window Managers
21 Productivity Tools
9 Terminal Emulators
21 Financial Tools
21 Text Editors
21 Video Emulators
21 Home Emulators
42 Graphics Apps
6 CAD Apps
42 Scientific Apps
10 Web Browsers
42 Email Apps
12 Instant Messaging
10 IRC Clients
7 Twitter Clients
12 News Aggregators
11 VoIP Apps
11 Remote Display Apps
42 Best Games
42 More Games
21 More Games
21 Notable Games (1)
21 Notable Games (2)
21 Notable Games (3)
8 ASCII Games
9 Educational Games
42 Audio Apps
42 Video Apps
6 Screencasting Apps
80 Security Apps
9 System Monitoring
6 Family History Apps
11 PDF Tools
6 Music Servers
6 Collection Managers
7 Calculator Apps
8 Geometry Apps
Free Console Apps
14 Multimedia
Programming
8 Compilers
9 IDEs
9 Debuggers
7 Revision Control Apps
6 Doc Generators
'Free' Proprietary
21 Closed-Source Apps
Top Commercial Apps
42 Games
Free Web Software
21 Web CMS
14 Wiki Engines
8 Blog Apps
6 eCommerce Apps
5 Human Resource Apps
10 ERP
10 CRM
6 Data Warehouse Apps
8 Business Intelligence
6 Point-of-Sale

All Group Tests

Other Articles
Migrating from Windows
Back up your data
Distribution Guide
Distro Portal Pages
20 Free Linux Books
Running Linux Under Windows


Older Stories
Friday 12/12
  • Alpine 3.1.0 released (0)
  • Empire: Total War Launches on Linux (0)

  • Thursday 12/11
  • 6-Way Winter 2014 Linux Distribution Comparison (0)
  • Review: 6 business-class Chromebooks test their mettle (0)

  • Wednesday 12/10
  • Canonical Launches “Snappy” Edition Of Ubuntu Core For Container Farms (0)
  • Puzzle GNU/Linux: Integrated Pieces Create an Intriguing OS (0)

  • Tuesday 12/09
  • Nginx Raises M to Advance Web Server Technology (0)
  • It’s Here! Announcing Fedora 21! (0)
  • The Ultimate Windows 8.1 And Ubuntu Dual Boot Guide (0)

  • Monday 12/08
  • How to Manually Install NVIDIA Beta Drivers in Ubuntu (0)


  • Vote

    What Linux distribution do you run on your main computer?

    Debian
    Fedora
    Mint
    Slackware
    openSuSE
    Arch
    Ubuntu
    Redhat
    Mageia
    CentOS
    FreeBSD
    Results
    48 votes | 3 comments

    Built with GeekLog and phpBB
    Comments to the webmaster are welcome
    Copyright 2009 LinuxLinks.com - All rights reserved