grsecurity

grsecurity is a complete security system for Linux 2.4 and 2.6 that implements a detection/prevention/containment strategy. It prevents most forms of address space modification, confines programs via its Role-Based Access Control system, hardens syscalls, provides full-featured auditing, and implements many of the OpenBSD randomness features. It was written for performance, ease-of-use, and security. The RBAC system has an intelligent learning mode that can generate least privilege policies for the entire system with no configuration. All of grsecurity supports a feature that logs the IP of the attacker that causes an alert or audit.

Recent releases

  •  13 Dec 2007 19:22

    Release Notes: Fixes to PaX flag support in RBAC system. PaX updates for non-x86 architectures in 2.4.34 patch. A setpgid in chroot problem has been fixed. The randomized PIDs feature has been removed. This release fixes /proc usage in a chroot in 2.6 patch. It adds an admin role to generated policy from full learning. It resynchronizes the PaX code in the 2.4 patch. It has been updated to Linux 2.4.34 and 2.6.19.2.

  •  14 Aug 2006 03:24

    Release Notes: Changes include RBAC system bugfixes and two new PaX features, one which deters physical memory forensics by an attacker, and another that prevents an entire class of kernel vulnerabilities from being exploited. Updated to the 2.4.33 and 2.6.17.8 Linux kernels.

  •  15 Jan 2006 20:45

    Release Notes: Changes in this release include new PaX flag support in the RBAC system, interface support for RBAC network policies, additional gradm analysis, a sysctl variable for disabling the ability to load or unload kernel modules at runtime, PaX updates, and a fix for a serious RBAC bug where an admin role could be left on a restarted service if the admin exited his shell without unauthenticating from the role first.

  •  13 Nov 2005 22:25

    Release Notes: This release for the 2.4.32-rc3 and 2.6.14.2 Linux kernels overhauls the internals of the RBAC system, converting searching and storing of policy information to chained hash tables. Several important bugs have been fixed, and PaX has been updated for this release.

  •  05 Mar 2005 10:18

    Release Notes: This release removes some unnecessary features, adds hostname support in RBAC policy configuration, improves log consistency, and fixes a critical PaX vulnerability.

Recent comments

10 Oct 2003 21:06 tjh

Grsec is amazing
This is now something I use by default on all my systems. It's totally stable and gives you that extra layer of security needed these days.

I can't recommend GrSecurity enough. It should be in the default kernel.

Tim

25 Apr 2003 06:02 searchsavi

Help me ... I am in confusion????
Actually... how is ACL can view and even auditing without a front end??? Just tell me something how to see the alert in auditing and whether this supports Webmin.

19 Feb 2003 12:05 spender

Re: extremely powerful and easy to configure

> Grsecurity is a great Linux kernel patch
> that implements PaX protection (sort of
> like Openwall)

This kind of comparison is similar to comparing a small hut to a skyscraper. Openwall's non-executable stack is a tiny subset of the full capabilities of PaX. The PaX team has recently released documentation available at http://pageexec.virtualave.net/docs/ that should clear up any misconceptions regarding its design and effectiveness.

19 Feb 2003 11:50 tgkx

extremely powerful and easy to configure

Grsecurity is a great Linux kernel patch that implements PaX protection (sort of like Openwall), MAC (mandatory access control), and control of the network subsystem.

Setting up MAC with this is much easier than alternative security kits because of its auto learning feature that basically can write the ACLs for you.

Try it!

24 Nov 2001 10:34 TomekLutel

Wow! Good work! :-)
This patch is amazing in terms of security. I'm using it by default in all my systems, and it's going perfectly well. THANKS!
