The sysctl command provides an interface for modifying kernel parameters at runtime. There is an option in the grsecurity kernel configuration to enable support for this interface (see Configuring grsecurity). In Linux, sysctl is simply a wrapper around filesystem routines that read and write contents of files in the /proc directory. This means that you can also set parameters by echoing values to files in /proc. See the Appendix for a list of all available sysctl options for grsecurity.
The sysctl command takes a list of variables or variable=value pairs and sets or reads their value. Variable is a path to a file in /proc/sys separated by periods or forward slashes. The value depends on the parameter in question. Most of grsecurity's options are either 1 (enabled) or 0 (disabled).
Sysctl's man page is available online at http://linux.die.net/man/8/sysctl.
If you want to know every available runtime option for grsecurity, list the contents of /proc/sys/kernel/grsecurity.
To enable mount auditing and disable chdir auditing in a single sysctl command, run:
    # sysctl kernel.grsecurity.audit_mount=1 kernel.grsecurity.audit_chdir=0
    kernel.grsecurity.audit_mount = 1
    kernel.grsecurity.audit_chdir = 0
You can achieve the same result by echoing:
    # echo 1 > /proc/sys/kernel/grsecurity/audit_mount
    # echo 0 > /proc/sys/kernel/grsecurity/audit_chdir
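
Because each sysctl variable is just a file under /proc/sys, the same name-to-path mapping can be used to check the running grsecurity settings against an expected baseline. The script below is an added example, not part of the original page; the PROC_SYS override, the function names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): compare grsecurity runtime
# settings with a baseline by reading the file behind each sysctl name.
PROC_SYS="${PROC_SYS:-/proc/sys}"   # assumed override for offline testing

# Map a sysctl variable (periods or forward slashes) to its file path.
# Assumes no path component contains a literal period.
sysctl_path() {
    printf '%s/%s\n' "$PROC_SYS" "$(printf '%s' "$1" | tr '.' '/')"
}

# Print the current value of one variable; fail if the file is unreadable.
sysctl_read() {
    _p=$(sysctl_path "$1")
    [ -r "$_p" ] || return 1
    cat "$_p"
}

# check_baseline var=value ... : report OK, DRIFT or MISSING per variable.
# Returns 0 only when every variable matches its expected value.
check_baseline() {
    _rc=0
    for _pair in "$@"; do
        _var=${_pair%%=*}
        _want=${_pair#*=}
        if ! _have=$(sysctl_read "$_var"); then
            echo "MISSING $_var"; _rc=1
        elif [ "$_have" = "$_want" ]; then
            echo "OK $_var = $_have"
        else
            echo "DRIFT $_var = $_have (expected $_want)"; _rc=1
        fi
    done
    return $_rc
}

# Constructed sample tree standing in for /proc/sys/kernel/grsecurity.
make_sample_tree() {
    mkdir -p "$1/kernel/grsecurity"
    echo 1 > "$1/kernel/grsecurity/audit_mount"
    echo 1 > "$1/kernel/grsecurity/audit_chdir"
}

# Demo: the sample has audit_chdir=1 but the baseline expects 0 (DRIFT).
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
( PROC_SYS=$demo_dir; check_baseline kernel.grsecurity.audit_mount=1 \
    kernel/grsecurity/audit_chdir=0 ) || echo "baseline not met"
rm -rf "$demo_dir"
```

On a grsecurity kernel with sysctl support enabled, leave PROC_SYS unset and pass the baseline pairs directly to check_baseline.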