#
# Notes
#
# disable_priv_io:		Useless if grsec_lock is not activated.
# symlinkown_gid:		Group http.
# romount_protect:		Deny rw mounts after boot.
# audit_group:			Restrict exec/chdir log to group.
# exec_logging:			Verbose!
# chroot_execlog:		Verbose!
# audit_chdir:			Verbose!
# dmesg:				Restrict dmesg to root.
# tpe_gid:				Group tpe-trusted.
# socket_all_gid:		Group socket-deny-all.
# socket_client_gid:	Group socket-deny-client.
# socket_server_gid:	Group socket-deny-server.
# deny_new_usb:			No new USB after boot.


#
# Memory Protections
#

#kernel.grsecurity.disable_priv_io = 1
#kernel.grsecurity.deter_bruteforce = 1

#
# Filesystem Protections
#

#kernel.grsecurity.linking_restrictions = 1
#kernel.grsecurity.enforce_symlinksifowner = 1
#kernel.grsecurity.symlinkown_gid = 33
#kernel.grsecurity.fifo_restrictions = 1
#kernel.grsecurity.romount_protect = 0
#kernel.grsecurity.chroot_caps = 1
#kernel.grsecurity.chroot_deny_chmod = 1
#kernel.grsecurity.chroot_deny_chroot = 1
#kernel.grsecurity.chroot_deny_fchdir = 1
#kernel.grsecurity.chroot_deny_mknod = 1
#kernel.grsecurity.chroot_deny_mount = 1
#kernel.grsecurity.chroot_deny_pivot = 1
#kernel.grsecurity.chroot_deny_shmat = 1
#kernel.grsecurity.chroot_deny_sysctl = 1
#kernel.grsecurity.chroot_deny_unix = 1
#kernel.grsecurity.chroot_enforce_chdir = 1
#kernel.grsecurity.chroot_findtask = 1
#kernel.grsecurity.chroot_restrict_nice = 1

#
# Kernel Auditing
#

kernel.grsecurity.audit_group = 0				
#kernel.grsecurity.audit_gid = 9994
kernel.grsecurity.exec_logging = 0				
#kernel.grsecurity.resource_logging = 1
kernel.grsecurity.chroot_execlog = 0			
#kernel.grsecurity.audit_ptrace = 1
kernel.grsecurity.audit_chdir = 0				
#kernel.grsecurity.audit_mount = 1
#kernel.grsecurity.signal_logging = 1
#kernel.grsecurity.forkfail_logging = 1
#kernel.grsecurity.timechange_logging = 1
#kernel.grsecurity.rwxmap_logging = 1

#
# Executable Protections
#

#kernel.grsecurity.dmesg = 1					
#kernel.grsecurity.harden_ptrace = 1
#kernel.grsecurity.ptrace_readexec = 1
#kernel.grsecurity.consistent_setxid = 1
#kernel.grsecurity.harden_ipc = 1
#kernel.grsecurity.tpe = 1
#kernel.grsecurity.tpe_gid = 9999				
#kernel.grsecurity.tpe_invert = 1
#kernel.grsecurity.tpe_restrict_all = 1

#
# Network Protections
#

#kernel.grsecurity.ip_blackhole = 1
#kernel.grsecurity.lastack_retries = 4
#kernel.grsecurity.socket_all = 1
#kernel.grsecurity.socket_all_gid = 9995
#kernel.grsecurity.socket_client = 1
#kernel.grsecurity.socket_client_gid = 9996
#kernel.grsecurity.socket_server = 1
#kernel.grsecurity.socket_server_gid = 9997

#
# Physical Protections
#

#kernel.grsecurity.deny_new_usb = 0

#
# Restrict grsec sysctl changes after this was set
#

kernel.grsecurity.grsec_lock = 1