/etc/grsec2/learn_config is in gradm2 3.1~201701031918-2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
#This configuration file aids the learning process by tweaking
#the learning algorithm for specific paths.
#
#It accepts lines in the form of <command> <pathname>
#Where <command> can be inherit-learn, no-learn, inherit-no-learn,
#high-reduce-path, dont-reduce-path, protected-path, high-protected-path,
#read-protected-path, and always-reduce-path
#
#inherit-learn, no-learn, and inherit-no-learn operate only with
#full learning
#
#high-reduce-path, dont-reduce-path, always-reduce-path, protected-path,
#and high-protected-path operate on both full and regular learning
#(subject and role learning)
#
#inherit-learn changes the learning process for the specified path
#by throwing all learned accesses for every binary executed by the
#processes contained in the pathname into the subject specified
#by the pathname. This is useful for cron in the case of full
#system learning, so that scripts that eventually end up executing
#mv or rm with privilege don't cause the root policy to grant
#that privilege to mv or rm in all cases.
#
#no-learn allows processes within the path to perform any operation
#that normal system usage would allow without restriction. If
#a process is generating a huge number of learning logs, it may be
#best to use this command on that process and configure its policy
#manually.
#
#inherit-no-learn combines the above two cases, such that processes
#within the specified path will be able to perform any normal system
#operation without restriction as will any binaries executed by
#these processes.
#
#high-reduce-path modifies the heuristics of the learning process
#to weight in favor of reducing accesses for this path
#
#dont-reduce-path modifies the heuristics of the learning process
#so that it will never reduce accesses for this path
#
#always-reduce-path modifies the heuristics of the learning process
#so that the path specified will always have all files and directories
#within it reduced to the path specified.
#
#protected-path specifies a path on your system that is considered an
#important resource. Any process that modifies one of these paths
#is given its own subject in the learning process, facilitating
#a secure policy.
#
#read-protected-path specifies a path on your system that contains
#sensitive information. Any process that reads one of these paths is
#given its own subject in the learning process, facilitating a secure
#policy.
#
#high-protected-path specifies a path that should be hidden from
#all processes but those that access it directly. It is recommended
#to use highly sensitive files for this command.
#
#regular expressions are not supported for pathnames in this config file
#
#
# uncomment this next line if you don't wish to generate a policy that
# restricts roles to specific IP ranges:
# dont-learn-allowed-ips
#
# to write out your generated policy such that roles are split into separate
# files by the name of the role (within user/group directories), uncomment
# the next line:
# split-roles
always-reduce-path /dev/pts
always-reduce-path /var/spool/qmailscan/tmp
always-reduce-path /var/spool/exim4
always-reduce-path /var/run/screen
always-reduce-path /usr/share/locale
always-reduce-path /usr/share/zoneinfo
always-reduce-path /usr/share/terminfo
always-reduce-path /usr/portage
always-reduce-path /tmp
always-reduce-path /var/tmp
high-reduce-path /dev/.udev
high-reduce-path /dev/mapper
high-reduce-path /dev/snd
high-reduce-path /proc
high-reduce-path /lib
high-reduce-path /lib32
high-reduce-path /libx32
high-reduce-path /lib64
high-reduce-path /lib/tls
high-reduce-path /lib32/tls
high-reduce-path /libx32/tls
high-reduce-path /lib64/tls
high-reduce-path /lib/security
high-reduce-path /lib/modules
high-reduce-path /lib32/modules
high-reduce-path /lib64/modules
high-reduce-path /usr/lib
high-reduce-path /usr/lib32
high-reduce-path /usr/libx32
high-reduce-path /usr/lib64
high-reduce-path /usr/lib/tls
high-reduce-path /usr/lib32/tls
high-reduce-path /usr/libx32/tls
high-reduce-path /usr/lib64/tls
high-reduce-path /usr/lib64/openoffice
high-reduce-path /var/lib
high-reduce-path /usr/bin
high-reduce-path /usr/sbin
high-reduce-path /sbin
high-reduce-path /bin
high-reduce-path /usr/local/share
high-reduce-path /usr/local/bin
high-reduce-path /usr/local/sbin
high-reduce-path /usr/local/etc
high-reduce-path /usr/local/lib
high-reduce-path /usr/share
high-reduce-path /usr/X11R6/lib
high-reduce-path /var/lib/openldap-data
high-reduce-path /var/lib/krb5kdc
dont-reduce-path /
dont-reduce-path /home
dont-reduce-path /dev
dont-reduce-path /usr
dont-reduce-path /var
dont-reduce-path /opt
protected-path /etc
protected-path /lib
protected-path /boot
protected-path /run
protected-path /usr
protected-path /opt
protected-path /var
protected-path /dev/log
protected-path /root
protected-path /sys
read-protected-path /etc/ssh
read-protected-path /proc/kallsyms
read-protected-path /proc/kcore
read-protected-path /proc/slabinfo
read-protected-path /proc/modules
read-protected-path /lib/modules
read-protected-path /lib64/modules
read-protected-path /boot
read-protected-path /etc/shadow
read-protected-path /etc/shadow-
read-protected-path /etc/gshadow
read-protected-path /etc/gshadow-
read-protected-path /sys
high-protected-path /etc/ssh
high-protected-path /proc/kcore
high-protected-path /proc/sys
high-protected-path /proc/bus
high-protected-path /proc/slabinfo
high-protected-path /proc/modules
high-protected-path /proc/kallsyms
high-protected-path /etc/passwd
high-protected-path /etc/shadow
high-protected-path /var/backups
high-protected-path /etc/shadow-
high-protected-path /etc/gshadow
high-protected-path /etc/gshadow-
high-protected-path /var/log
high-protected-path /dev/mem
high-protected-path /dev/kmem
high-protected-path /dev/port
high-protected-path /dev/log
high-protected-path /sys
high-protected-path /etc/ppp
high-protected-path /etc/samba/smbpasswd
# to protect kernel images
high-protected-path /boot
high-protected-path /lib/modules
high-protected-path /lib64/modules
high-protected-path /usr/src
inherit-learn /etc/cron.d
inherit-learn /etc/cron.hourly
inherit-learn /etc/cron.daily
inherit-learn /etc/cron.weekly
inherit-learn /etc/cron.monthly
#It is important that software updates be performed manually by someone in
#an admin role, not performed automatically via cron jobs
#With just the /etc/cron.daily rule above, a policy will be generated that
#allows the automatic package updater script to update services and
#restart them. With its inherit rules, this would also cause the services
#to be restarted with the ability to update packages, etc.
#This rule below makes sure for the case of apt-based auto-updates that
#no learning is performed for this behavior, to force the admin to deal with
#this in some way
inherit-no-learn /etc/cron.daily/apt
# the below lines are for catching the occasional use of init.d scripts at runtime
# comment them out if you are starting learning before services are started by init
# (a highly non-recommended choice)
inherit-learn /etc/init.d
inherit-learn /etc/rc.d/init.d
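The header comments above describe the file's grammar (one `<command> <pathname>` per line, a fixed set of commands, two bare flags, no regular expressions) and note that inherit-learn, no-learn and inherit-no-learn only take effect under full system learning. The following validator is an added example, not gradm's own parser or any code from the gradm2 package: it checks a learn_config against exactly those documented rules and applies the one reduction rule whose behaviour the comments state deterministically, always-reduce-path, to a constructed list of learned accesses. The sample config and access list are constructed for the example; the glob check is a heuristic based on the "regular expressions are not supported" note.

```python
"""Validator for gradm learn_config files (added example, not gradm code).

Only the rules stated in the file's own header comments are modelled:
  * one `<command> <pathname>` per line, plus the bare flags
    dont-learn-allowed-ips and split-roles;
  * pathnames are literal (no regular expressions);
  * inherit-learn / no-learn / inherit-no-learn only matter for full learning;
  * always-reduce-path collapses every access below the path to the path.
"""

PATH_COMMANDS = {
    "inherit-learn", "no-learn", "inherit-no-learn",
    "high-reduce-path", "dont-reduce-path", "always-reduce-path",
    "protected-path", "read-protected-path", "high-protected-path",
}
FULL_LEARNING_ONLY = {"inherit-learn", "no-learn", "inherit-no-learn"}
FLAG_COMMANDS = {"dont-learn-allowed-ips", "split-roles"}
# Heuristic: these characters usually mean someone expected a pattern.
PATTERN_CHARS = set("*?[]")


def parse_learn_config(text):
    """Return (rules, flags, problems).

    rules    -- list of (lineno, command, pathname) for well-formed path rules
    flags    -- set of bare flags seen
    problems -- list of (lineno, message) for lines that break the grammar
    """
    rules, flags, problems = [], set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or whole-line comment
            continue
        parts = line.split()
        cmd = parts[0]
        if cmd in FLAG_COMMANDS:
            if len(parts) != 1:
                problems.append((lineno, f"{cmd} takes no argument"))
            flags.add(cmd)
            continue
        if cmd not in PATH_COMMANDS:
            problems.append((lineno, f"unknown command {cmd!r}"))
            continue
        if len(parts) != 2:
            problems.append((lineno, f"{cmd} expects exactly one pathname"))
            continue
        path = parts[1]
        if not path.startswith("/"):
            problems.append((lineno, f"pathname {path!r} is not absolute"))
        if PATTERN_CHARS & set(path):
            problems.append((lineno, f"pathname {path!r} looks like a pattern; "
                                     "regular expressions are not supported"))
        rules.append((lineno, cmd, path))
    return rules, flags, problems


def ineffective_rules(rules, mode):
    """Rules that do nothing under the given learning mode ('full' or 'regular')."""
    if mode == "full":
        return []
    return [r for r in rules if r[1] in FULL_LEARNING_ONLY]


def apply_always_reduce(rules, accesses):
    """Collapse each learned access under an always-reduce-path to that path."""
    roots = sorted((p for _, c, p in rules if c == "always-reduce-path"),
                   key=len, reverse=True)            # longest prefix wins
    reduced = set()
    for access in accesses:
        for root in roots:
            if access == root or access.startswith(root.rstrip("/") + "/"):
                access = root
                break
        reduced.add(access)
    return sorted(reduced)


# Constructed excerpt modelled on the shipped file, with two deliberate faults.
SAMPLE_CONFIG = """\
# constructed excerpt, modelled on the shipped learn_config
always-reduce-path /tmp
always-reduce-path /usr/share/zoneinfo
high-reduce-path /usr/lib
dont-reduce-path /home
read-protected-path /etc/shadow
high-protected-path /proc/kcore
inherit-learn /etc/cron.daily
inherit-no-learn /etc/cron.daily/apt
split-roles
# a glob is taken literally: regular expressions are not supported
high-reduce-path /usr/lib/*.so
# misspelled command
protect-path /etc
"""

# Constructed learned accesses, as a learning run might have recorded them.
SAMPLE_ACCESSES = [
    "/tmp/build-1234/a.out", "/tmp", "/usr/share/zoneinfo/UTC",
    "/usr/lib/libc.so.6", "/home/alice/.bashrc",
]

if __name__ == "__main__":
    rules, flags, problems = parse_learn_config(SAMPLE_CONFIG)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
    for lineno, cmd, path in ineffective_rules(rules, "regular"):
        print(f"line {lineno}: {cmd} {path} has no effect under regular learning")
    print("reduced accesses:", apply_always_reduce(rules, SAMPLE_ACCESSES))
```

Run against the shipped file (`python3 validate.py < /etc/grsec2/learn_config` after swapping `SAMPLE_CONFIG` for `sys.stdin.read()`), the useful output is the list of lines that are silently inert for the learning mode you are actually running, and any pathname that was written as a pattern and will therefore never match.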