Linux / grsecurity kernel patch

Grsecurity is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. It is licensed under the GPL. It offers among many other features:

  • An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
  • Change root (chroot) hardening
  • /tmp race prevention
  • Extensive auditing
  • Prevention of entire classes of exploits related to address space bugs (from the PaX project)
  • Additional randomness in the TCP/IP stack
  • A restriction that allows a user to only view his/her processes
  • Every security alert or audit contains the IP address of the person that caused the event

taken from GrSecHomepage :)

Instalation

dowload grsecurity patch for your kernel (2.6.x / 2.4.x) from the site. You might need to wait a bit for a grsecurity patch for latest kernel.

Kernel patching

server@/usr/src/linux# zcat ../grsecurity-2.XXX.patch.gz |patch -p1

gradm install from source

# gradm-xxxx.tar.gz
# cd gradm
# ./configure
# make && make install
...
Setting up grsecurity ACL password
Password:
Re-enter Password:
Password written to /etc/grsec/pw.

kernel 2.4.x tips

kernel 2.6.x tips

What to include in 2.6 with GRSecurity (Safeway)

taken from: here

There are some problems with some applications with parts of the patch. For example, turning on the non-executeable stack will break anything that uses an executeable stack. ie: X, java, or wine, now you can use chpax and give each of these a non executable stack. There are also some problems with the way grsecurity gets a little to restrictive with things like restericting filesystems ect. All of these can be overcome, however, you need to do some magic to get some of these things to work, and frankly, some of it really isnt worth it.

There are several options inside the grsecurity patch that you can choose.

What you can safely turn on in GRsecurity without breaking anything is:

  • Address Space Protection
  • Address Space Layout Randomization
    • Randomize kernel stack base
    • Randomize user stack base
    • Randomize mmap() base
  • Filesystem Protections
    • Everything under this option is safe to include
  • Kernel Auditing
    • Everything under this option is safe to include
  • Executable Protections
    • Everything under this option is safe to incude except: Partially restrict non-root users
  • Network Protections
    • Everything under this option is safe to include
  • Sysctl support This is usefull to enable, but not necesary

Compile everything staticly and you shold be fine.

I have tested this on production servers, and desktop boxes in mass and its come out fine for x86 and sparc. I havent tried it on ppc but for the most part it is safe, and it is also safe for production envoirnments.

Using Pax and Grsecurity features

First get a grsecurity patch kernel ready go in your menuconfig > Security > Pax Funnctions

Enable various PaX features

[*] Support soft mode
[*] Use legacy ELF header marking
[*] Use ELF program header marking
MAC system integration (direct)  —>

Non-executable pages

[*] Enforce non-executable pages
[*]   Paging based non-executable pages
[*]   Segmentation based non-executable pages
[*] Emulate trampolines
[*] Restrict mprotect()
[ ]   Disallow ELF text relocations
[*] Enforce non-executable kernel pages

[*] Address Space Layout Randomization
[*]   Randomize kernel stack base
[*]   Randomize user stack base
[*]   Randomize mmap() base

And for Miscellaneous hardening features I advise not to select any.

Once you got your pax and gr security kernel setup and have booted into it the first thing you will have to do is disable some pax functions on php binaries. NOTICE: php will work with pax functions enabled but will nbot be able to load anything like zend optimizer

Configuration

putting all Grsec sysctl options into sysctl.conf

sysctl -a |grep grsec >> /etc/sysctl.conf

sysctl

kernel.grsecurity.destroy_unused_shm = 1
kernel.grsecurity.chroot_findtask = 1
kernel.grsecurity.dmesg = 0
kernel.grsecurity.audit_ipc = 1
kernel.grsecurity.audit_mount = 0
kernel.grsecurity.audit_chdir = 0
kernel.grsecurity.audit_gid = 33
kernel.grsecurity.audit_group = 1
kernel.grsecurity.rand_tcp_src_ports = 1
kernel.grsecurity.rand_pids = 1
kernel.grsecurity.tpe_restrict_all = 0
kernel.grsecurity.tpe_gid = 0
kernel.grsecurity.tpe = 0
kernel.grsecurity.chroot_deny_sysctl = 1
kernel.grsecurity.chroot_caps = 1
kernel.grsecurity.chroot_execlog = 1
kernel.grsecurity.chroot_restrict_nice = 1
kernel.grsecurity.chroot_deny_mknod = 1
kernel.grsecurity.chroot_deny_chmod = 1
kernel.grsecurity.chroot_enforce_chdir = 1
kernel.grsecurity.chroot_deny_pivot = 1
kernel.grsecurity.chroot_deny_chroot = 1
kernel.grsecurity.chroot_deny_fchdir = 1
kernel.grsecurity.chroot_deny_mount = 1
kernel.grsecurity.chroot_deny_unix = 1
kernel.grsecurity.chroot_deny_shmat = 1
kernel.grsecurity.timechange_logging = 1
kernel.grsecurity.forkfail_logging = 1
kernel.grsecurity.signal_logging = 1
kernel.grsecurity.exec_logging = 0
kernel.grsecurity.execve_limiting = 1
kernel.grsecurity.fifo_restrictions = 1
kernel.grsecurity.linking_restrictions = 1
kernel.pax.softmode = 1
kernel.grsecurity.grsec_lock = 0

PaX

install pax utils:

 apt-get install chpax paxctl paxtest

Testing the PAX default settings with paxtest

PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Mode: kiddie|blackhat
Linux xxxx

Executable anonymous mapping             : Vulnerable
Executable bss                           : Vulnerable
Executable data                          : Vulnerable
Executable heap                          : Vulnerable
Executable stack                         : Vulnerable
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect)              : Vulnerable
Anonymous mapping randomisation test     : 9 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Heap randomisation test (ET_DYN)         : 13 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (ET_DYN)   : No randomisation
Shared library randomisation test        : 8 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 19 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 19 bits (guessed)
Return to function (strcpy)              : Vulnerable
Return to function (strcpy, RANDEXEC)    : Vulnerable
Return to function (memcpy)              : Vulnerable
Return to function (memcpy, RANDEXEC)    : Vulnerable
Executable shared library bss            : Vulnerable
Executable shared library data           : Vulnerable
Writable text segments                   : Vulnerable

Hardening Webservers

For example

 paxctl -c /usr/local/bin/php
 paxctl -permxs /usr/local/bin/php

You can even use wildcards like /usr/bin/php*

Also make sure you do the sapi/cli/cgi module of your web server the same way. On some webservers like litespeed you will have to do the binaries on it as well. Do not disable binaries too freely, only try to do it if it is the only option to make it work.

gdadm

The gradm utility controls only grsecurity's RBAC system; it cannot alter the behavior of grsecurity's there features. In a grsecurity-enabled kernel, gradm installs with a simple make; make install. You can set an admin password for gradm, which is a good idea, as once RBAC is enabled, even root's power will be restricted, and to get it back, you need to assume the admin role. You also need a password to shut down RBAC. Set the admin password with the command:

 gradm -P admin

Once you've set up a password, you can log into gradm as admin with the command:

 gradm -a

An innovative way to set up RBAC is to use grsecurity's learning mode. In learning mode, grsecurity watches for processes that run with root privileges, access the Internet, or write to key system files or directories. Grsecurity then generates an access control list (ACL) that instructs grsecurity to run these processes using the least privilege approach mentioned earlier. To enable learning mode, run:

 gradm -F -L /etc/grsec/learning.log

Let this mode run for a day or two to catch any time-sensitive processes. Avoid any administrative tasks during this time – remember, the root account is no longer trusted. After grsecurity has had enough time to recognize normal system usage, shut down learning mode and log into gradm as admin. Shutting down learning mode is necessary because grsecurity hides its configuration files when RBAC is running, as it is during learning mode. This means that the system will display an error message about not being able to find learning.log. In fact, the directory /etc/grsec will not appear to exist, even to root.

To write the ACL to disk, run the command:

 gradm -F -L /etc/grsec/learning.log -O /etc/grsec/acl

To start RBAC with your new ACL, run:

gradm -E

You can now enjoy the security advantages of processes running with the least amount of privileges necessary.

If you encounter any problems, disable RBAC by first logging in with the admin password and then running:

 gradm -D 

grsec iptables patch

FIXME TODO

Tips / troubleshooting

complaints of grsecurity-kernel about RLIMIT_CORE being 0

If, while running program x, a segmentation fault occurs in program x and syslog outputs the following string:

 Apr 17 11:55:06 yyy kernel: grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by (x:z) UID(y) EUID(y), parent (y:y) UID(y) EUID(y) 

then kernel tried to write a core-file for the program x to disk, BUT the max size of the core file is set to 0. Growing the maximum size of a core file:

# ulimit -S -c 8192
linux/grsec.txt · Last modified: 2009/05/25 00:35 (external edit)
CC Attribution-Share Alike 4.0 International
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0 ipv6 ready