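# grsecurity sysctl settings (sysctl.conf syntax: one "key = value" per line,
# full-line "#" comments, no sections). Settings are applied in file order.
# Values are 1 = enabled / 0 = disabled unless a comment says otherwise.
# Commented-out keys are deliberately left at the kernel default.

## Filesystem and process restrictions
kernel.grsecurity.linking_restrictions = 1
kernel.grsecurity.enforce_symlinksifowner = 1
kernel.grsecurity.deter_bruteforce = 1
kernel.grsecurity.fifo_restrictions = 1
kernel.grsecurity.ptrace_readexec = 1
kernel.grsecurity.consistent_setxid = 1

## Network
kernel.grsecurity.ip_blackhole = 1
# Retry count, not a boolean.
kernel.grsecurity.lastack_retries = 4

## Chroot hardening
kernel.grsecurity.chroot_deny_shmat = 1
kernel.grsecurity.chroot_deny_unix = 1
kernel.grsecurity.chroot_deny_mount = 1
kernel.grsecurity.chroot_deny_fchdir = 1
kernel.grsecurity.chroot_deny_chroot = 1
kernel.grsecurity.chroot_deny_pivot = 1
kernel.grsecurity.chroot_enforce_chdir = 1
kernel.grsecurity.chroot_deny_chmod = 1
kernel.grsecurity.chroot_deny_mknod = 1
kernel.grsecurity.chroot_restrict_nice = 1
kernel.grsecurity.chroot_caps = 1
kernel.grsecurity.chroot_deny_sysctl = 1
kernel.grsecurity.chroot_findtask = 1

## TPE: Trusted Path Execution
kernel.grsecurity.tpe = 1
# Drastic: extends TPE to every non-root user, so binaries under home
# directories no longer execute.
kernel.grsecurity.tpe_restrict_all = 1

## Socket restrictions (disabled; the matching *_gid keys further down are
## kept commented out for consistency)
#kernel.grsecurity.socket_all = 1
#kernel.grsecurity.socket_client = 1
#kernel.grsecurity.socket_server = 1

kernel.grsecurity.harden_ptrace = 1

# Deliberately disabled so mplayer2 works with the x11 video output (full
# screen). The alternative that keeps IPC hardening on is to change
# "vo=x11,sdl" to "vo=xv,directfb" in /etc/mplayer2/mplayer.conf and set
# this back to 1.
kernel.grsecurity.harden_ipc = 0

# Drastic: a reboot is required to revert.
# Prevents ecryptfs from working.
#kernel.grsecurity.romount_protect = 1

## Disabled
# dmesg restriction off: the kernel log stays readable by unprivileged users.
kernel.grsecurity.dmesg = 0
kernel.grsecurity.deny_new_usb = 0

## Groups (GIDs; each one used must exist on this host)
#kernel.grsecurity.socket_all_gid = 1004
#kernel.grsecurity.socket_client_gid = 1003
#kernel.grsecurity.socket_server_gid = 1002
#kernel.grsecurity.audit_gid = 1007
# NOTE(review): with tpe_invert left unset, members of this group are the
# ones subject to TPE -- confirm the intended membership of GID 1005.
kernel.grsecurity.tpe_gid = 1005
#kernel.grsecurity.symlinkown_gid = 1006

## Audit
#kernel.grsecurity.audit_group = 1
# Very noisy if enabled.
kernel.grsecurity.audit_chdir = 0
kernel.grsecurity.audit_mount = 1
kernel.grsecurity.audit_ptrace = 1

## Logging
#kernel.grsecurity.exec_logging = 1
#kernel.grsecurity.rwxmap_logging = 1
kernel.grsecurity.signal_logging = 1
kernel.grsecurity.forkfail_logging = 1
kernel.grsecurity.timechange_logging = 1
#kernel.grsecurity.chroot_execlog = 1
#kernel.grsecurity.resource_logging = 1

# Under test.
kernel.grsecurity.disable_priv_io = 1

## Last parameter -- must stay at the end of the file
# Drastic: forbids any further change to the parameters above; a reboot is
# needed to change them again. Because settings are applied in order, any
# key placed after this line would no longer take effect once it is enabled.
#kernel.grsecurity.grsec_lock = 1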