# GR Security toggles.
#
# Note: chpax support has been removed from this init script.
# Configure /etc/conf.d/chpax instead

# Check your running kernel for valid options.
# "sysctl -a | grep kernel.grsecurity. | cut -d '.' -f 3  | awk '{print $1}'"
# 
# Some of the kernel options may be:
#
# allow_ptrace_group
# alt_ipc_perms
# altered_pings
# audit_chdir
# audit_gid
# audit_group
# audit_ipc
# audit_mount
# audit_ptrace
# chroot_caps
# chroot_deny_chdir
# chroot_deny_chmod
# chroot_deny_chroot
# chroot_deny_fchdir
# chroot_deny_mknod
# chroot_deny_mount
# chroot_deny_pivot
# chroot_deny_ptrace
# chroot_deny_shmat
# chroot_deny_sysctl
# chroot_deny_unix
# chroot_enforce_chdir
# chroot_execlog
# chroot_findtask
# chroot_restrict_nice
# chroot_restrict_sigs
# coredump
# deny_phys_root
# deny_pseudo_root
# deny_serial_root
# dmesg
# exec_logging
# execve_limiting
# fifo_restrictions
# fork_bomb_prot
# forkfail_logging
# grsec_lock
# linking_restrictions
# rand_ip_ids
# rand_isns
# rand_pids
# rand_rpc
# rand_tcp_src_ports
# rand_ttl
# restrict_ptrace
# secure_fds
# secure_kbmap
# signal_logging
# socket_all
# socket_client
# socket_server
# suid_logging
# suid_root_logging
# timechange_logging
# tpe
# tpe_glibc
# tpe_restrict_all

# Strict set with negligible performance impact:
#ENABLED="audit_chdir audit_group audit_ipc audit_mount chroot_caps \
#         chroot_deny_chmod chroot_deny_chroot chroot_deny_fchdir \
#         chroot_deny_mknod chroot_deny_mount chroot_deny_pivot \
#         chroot_deny_shmat chroot_deny_sysctl chroot_deny_unix \
#         chroot_enforce_chdir chroot_execlog chroot_findtask \
#         chroot_restrict_nice dmesg exec_logging execve_limiting \
#         fifo_restrictions forkfail_logging linking_restrictions rand_isns \
#         rand_ip_ids rand_pids rand_rpc rand_tcp_src_ports signal_logging \
#         socket_all socket_client socket_server timechange_logging tpe"

ENABLED=""

# Set when audit_group is enabled
audit_gid=1007

# Set when allow_ptrace_group is enabled
ptrace_gid=10

# Set when tpe is enabled
tpe_gid=1005

# Set when fork_bomb_prot is enabled
fork_bomb_gid=1006
fork_bomb_sec=40
fork_bomb_max=20

# Set when one of socket_* is enabled
socket_all_gid=1004
socket_client_gid=1003
socket_server_gid=1002

# Lock the above settings on boot
LOCK=0