Grsecurity/Runtime Configuration

From Wikibooks, open books for an open world
< Grsecurity
Jump to: navigation, search
Grsecurity
Additional Utilities Runtime Configuration Troubleshooting


The sysctl Interface[edit]

The sysctl command provides an interface for modifying kernel parameters at runtime. There is an option in the grsecurity kernel configuration to enable support for this interface (see Configuring grsecurity). In Linux, sysctl is simply a wrapper around filesystem routines that read and write contents of files in the /proc directory. This means that you can also set parameters by echoing values to files in /proc. See the Appendix for a list of all available sysctl options for grsecurity.

Usage[edit]

The sysctl command takes a list of variables or variable=value pairs and sets or reads their value. Variable is a path to a file in /proc/sys separated by periods or forward slashes. The value depends on the parameter in question. Most of grsecurity's options are either 1 (enabled) or 0 (disabled).

Sysctl's man page is available online at http://linux.die.net/man/8/sysctl.

Examples[edit]

If you want to know every available runtime option for grsecurity, list the contents of /proc/sys/kernel/grsecurity.

To enable mount auditing and disable chdir auditing in a single sysctl command, run:

# sysctl kernel.grsecurity.audit_mount=1 kernel.grsecurity.audit_chdir=0
kernel.grsecurity.audit_mount = 1
kernel.grsecurity.audit_chdir = 0

You can achieve the same result by echoing:

# echo 1 > /proc/sys/kernel/grsecurity/audit_mount
# echo 0 > /proc/sys/kernel/grsecurity/audit_chdir

Next Page: Troubleshooting | Previous Page: Additional Utilities

Home: Grsecurity