by spender » Fri Mar 08, 2002 8:32 am
here's your answer, straight from the features page:
Low additional security
-----------------------------------------------------------------------
If you choose this option, several of the grsecurity options will
be enabled that will give you greater protection against a number
of attacks, while assuring that none of your software will have any
conflicts with the additional security measures. If you run a lot of
unusual software, or you are having problems with the higher security
levels, you should say Y here. With this option, the following features
are enabled:
linking restrictions
fifo restrictions
secure fds
random pids
enforcing nproc on execve()
restricted dmesg
random ip ids
enforced chdir("/") on chroot
secure keymap loading
Medium additional security
-----------------------------------------------------------------------
If you say Y here, several features in addition to those included in the
low additional security level will be enabled. These features provide
even more security to your system, though in rare cases they may
be incompatible with very old or poorly written software. If you
enable this option, make sure that your auth service (identd) is
running as gid 10 (usually group wheel). With this option the following
features (in addition to those provided in the low additional security
level) will be enabled:
random tcp source ports
altered ping ids
failed fork logging
time change logging
signal logging
deny mounts in chroot
deny double chrooting
deny mknod in chroot
/proc restrictions with special gid set to 10 (usually wheel)
pax's random mmap
High additional security
----------------------------------------------------------------------
If you say Y here, many of the features of grsecurity will be enabled,
that will protect you against virtually all kinds of attacks against
your system. The much heightened security comes at a cost of an
increased chance of incompatibilities with rare software on your
machine. It is highly recommended that you view
and read about each option. Since
this security level enables PaX, you should also view
and read about the PaX project. While
you are there, download chpax.c and run chpax -p on binaries that cause
problems with PaX. Also remember that since the /proc restrictions are
enabled, you must run your identd as group wheel (gid 10). The
grsecurity ACL system is also enabled in this level. To learn how to
correctly configure it, view the ACL documentation on
. This security level enables the following
features in addition to those listed in the low and medium security
levels:
grsecurity ACL system
additional /proc restrictions
signal restrictions in chroot
chmod restrictions in chroot
no ptrace in chroot
priority restrictions in chroot
PaX - random mmap, noexec on all memory pages, restricted mprotect
fixed mmap restrictions
mount/unmount/remount logging
restricted ptrace (only root and users in group wheel (gid 10) are
allowed to ptrace)
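As an added check (not from spender's post or grsecurity's own tooling): a small Python parser that reads a kernel .config and reports which security level and which grsecurity/PaX switches are set, plus the /proc restriction gid the medium and high levels depend on. The level and proc-gid symbol names are assumed and the sample config is constructed.

```python
"""Report which grsecurity / PaX options a kernel .config enables."""
import re

CONFIG_LINE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
NOT_SET_LINE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")
# Assumed names of the security-level choice symbols (not from the post).
LEVEL_SYMBOLS = {"CONFIG_GRKERNSEC_LOW": "low",
                 "CONFIG_GRKERNSEC_MEDIUM": "medium",
                 "CONFIG_GRKERNSEC_HIGH": "high"}
PROC_GID_SYMBOL = "CONFIG_GRKERNSEC_PROC_GID"  # assumed name
PREFIXES = ("CONFIG_GRKERNSEC_", "CONFIG_PAX_")

def parse_config(text):
    """Map each symbol to its value; '# X is not set' lines map to None."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := CONFIG_LINE.match(line)):
            opts[m.group(1)] = m.group(2).strip('"')
        elif (m := NOT_SET_LINE.match(line)):
            opts[m.group(1)] = None
    return opts

def grsec_report(opts):
    """Summarise the chosen level and every grsecurity/PaX switch seen."""
    level = next((n for s, n in LEVEL_SYMBOLS.items() if opts.get(s) == "y"),
                 "custom or not built")
    grsec = {s: v for s, v in opts.items() if s.startswith(PREFIXES)}
    return {
        "level": level,
        "enabled": sorted(s for s, v in grsec.items() if v == "y"),
        "disabled": sorted(s for s, v in grsec.items() if v is None),
        "proc_gid": opts.get(PROC_GID_SYMBOL),  # should be "10" per the post
    }

# Constructed sample .config; option names here are illustrative only.
SAMPLE_CONFIG = """\
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
CONFIG_GRKERNSEC_MEDIUM=y
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_PROC_GID=10
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_NOEXEC is not set
CONFIG_NET=y
"""

if __name__ == "__main__":
    print(grsec_report(parse_config(SAMPLE_CONFIG)))
```

On a live box, feed the text of /proc/config.gz (gunzipped) or /boot/config-$(uname -r) to parse_config instead of the sample.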