Differences
linux:grsec [2006/06/09 00:40] a gradm install |
linux:grsec [2009/05/25 00:35] (current) |
Line 41: | Line 41: | ||
==== kernel 2.4.x tips ==== | ==== kernel 2.4.x tips ==== | ||
+ | |||
+ | |||
==== kernel 2.6.x tips ==== | ==== kernel 2.6.x tips ==== | ||
+ | |||
+ | |||
+ | === What to include in 2.6 with GRSecurity (Safeway) === | ||
+ | **taken from: [[http:// | ||
+ | ** | ||
+ | |||
+ | There are some problems with some applications with parts of the patch. For | ||
+ | example, turning on the non-executeable stack will break anything that uses | ||
+ | an executeable stack. ie: X, java, or wine, now you can use chpax and give | ||
+ | each of these a non executable stack. There are also some problems with the | ||
+ | way grsecurity gets a little to restrictive with things like restericting | ||
+ | filesystems ect. All of these can be overcome, however, you need to do some | ||
+ | magic to get some of these things to work, and frankly, some of it really | ||
+ | isnt worth it. | ||
+ | |||
+ | There are several options inside the grsecurity patch that you can choose. | ||
+ | |||
+ | What you can safely turn on in GRsecurity without breaking anything is: | ||
+ | * **'' | ||
+ | * **'' | ||
+ | * **'' | ||
+ | * **'' | ||
+ | * **'' | ||
+ | |||
+ | * **Filesystem Protections** | ||
+ | * // | ||
+ | |||
+ | * **'' | ||
+ | * // | ||
+ | |||
+ | * **'' | ||
+ | * // | ||
+ | |||
+ | * **'' | ||
+ | * // | ||
+ | |||
+ | * **'' | ||
+ | // | ||
+ | |||
+ | Compile everything staticly and you shold be fine. | ||
+ | |||
+ | I have tested this on production servers, and desktop boxes in mass and its | ||
+ | come out fine for x86 and sparc. I havent tried it on ppc but for the most | ||
+ | part it is safe, and it is also safe for production envoirnments. | ||
+ | |||
+ | === Using Pax and Grsecurity features === | ||
+ | |||
+ | First get a grsecurity patch kernel ready go in your **'' | ||
+ | |||
+ | < | ||
+ | Enable various PaX features | ||
+ | |||
+ | [*] Support soft mode | ||
+ | [*] Use legacy ELF header marking | ||
+ | [*] Use ELF program header marking | ||
+ | MAC system integration (direct) | ||
+ | |||
+ | Non-executable pages | ||
+ | |||
+ | [*] Enforce non-executable pages | ||
+ | [*] | ||
+ | [*] | ||
+ | [*] Emulate trampolines | ||
+ | [*] Restrict mprotect() | ||
+ | [ ] | ||
+ | [*] Enforce non-executable kernel pages | ||
+ | |||
+ | [*] Address Space Layout Randomization | ||
+ | [*] | ||
+ | [*] | ||
+ | [*] | ||
+ | </ | ||
+ | And for Miscellaneous hardening features I advise not to select any. | ||
+ | |||
+ | <note important> | ||
===== Configuration ===== | ===== Configuration ===== | ||
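Review bot: The list under "What you can safely turn on in GRsecurity without breaking anything is:" contains no option names (every bullet is an empty `**''` pair), and in the PaX menu excerpt the two `[*]` lines between "Enforce non-executable pages" and "Emulate trampolines", the `[ ]` line after "Restrict mprotect()" and the three `[*]` lines under "Address Space Layout Randomization" have no label, so a reader cannot reproduce the recommended configuration; fill in the CONFIG names for each entry. The "Support soft mode" entry also deserves one sentence of explanation: it only builds the ability to run PaX in soft mode, where PaX is disabled for binaries that are not explicitly marked, so the section should state whether the advice assumes soft mode on or off (the "Configuration" sysctl block later sets `kernel.pax.softmode = 1`). Finally, the `<note important>` at the end of the added text has no body and no closing tag; either complete the note or drop it.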
Line 86: | Line 163: | ||
kernel.pax.softmode = 1 | kernel.pax.softmode = 1 | ||
kernel.grsecurity.grsec_lock = 0 | kernel.grsecurity.grsec_lock = 0 | ||
+ | |||
==== PaX ==== | ==== PaX ==== | ||
* [[http:// | * [[http:// | ||
+ | |||
+ | install pax utils: | ||
+ | | ||
+ | |||
+ | **Testing the PAX default settings** with '' | ||
+ | |||
+ | PaXtest - Copyright(c) 2003,2004 by Peter Busser < | ||
+ | Released under the GNU Public Licence version 2 or later | ||
+ | | ||
+ | Mode: kiddie|blackhat | ||
+ | Linux xxxx | ||
+ | | ||
+ | Executable anonymous mapping | ||
+ | Executable bss : Vulnerable | ||
+ | Executable data : Vulnerable | ||
+ | Executable heap : Vulnerable | ||
+ | Executable stack : Vulnerable | ||
+ | Executable anonymous mapping (mprotect) | ||
+ | Executable bss (mprotect) | ||
+ | Executable data (mprotect) | ||
+ | Executable heap (mprotect) | ||
+ | Executable shared library bss (mprotect) : Vulnerable | ||
+ | Executable shared library data (mprotect): Vulnerable | ||
+ | Executable stack (mprotect) | ||
+ | Anonymous mapping randomisation test : 9 bits (guessed) | ||
+ | Heap randomisation test (ET_EXEC) | ||
+ | Heap randomisation test (ET_DYN) | ||
+ | Main executable randomisation (ET_EXEC) | ||
+ | Main executable randomisation (ET_DYN) | ||
+ | Shared library randomisation test : 8 bits (guessed) | ||
+ | Stack randomisation test (SEGMEXEC) | ||
+ | Stack randomisation test (PAGEEXEC) | ||
+ | Return to function (strcpy) | ||
+ | Return to function (strcpy, RANDEXEC) | ||
+ | Return to function (memcpy) | ||
+ | Return to function (memcpy, RANDEXEC) | ||
+ | Executable shared library bss : Vulnerable | ||
+ | Executable shared library data : Vulnerable | ||
+ | Writable text segments | ||
+ | |||
+ | ==== Hardening Webservers ==== | ||
+ | |||
+ | For example | ||
+ | |||
+ | | ||
+ | |||
+ | | ||
+ | |||
+ | You can even use wildcards like'' | ||
+ | |||
+ | Also make sure you do the** '' | ||
==== gdadm ==== | ==== gdadm ==== | ||
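Review bot: The paxtest run titled "Testing the PAX default settings" reports "Vulnerable" for every executable-memory test, and with `kernel.pax.softmode = 1` in the sysctl block at the top of this hunk that is exactly what soft mode produces, since PaX enforcement is off for unmarked binaries; the text should say so, otherwise a reader will conclude PaX is not working. Add a second run with `kernel.pax.softmode = 0` (or after marking the test binaries with the pax utils this section says to install) so the reader can compare the enforced result. Separately, the "install pax utils:" line and the "For example" lines under "Hardening Webservers", including the "You can even use wildcards like" and "Also make sure you do the" sentences, have no commands or option names after them; those are the only actionable content of the subsections and need to be filled in.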
Line 120: | Line 249: | ||
gradm -D | gradm -D | ||
+ | |||
==== grsec iptables patch ==== | ==== grsec iptables patch ==== | ||
- | | + | FIXME TODO |
+ | |||
+ | ===== Tips / troubleshooting ===== | ||
+ | |||
+ | ==== complaints of grsecurity-kernel about RLIMIT_CORE being 0 ==== | ||
+ | |||
+ | If, while running program x, a segmentation fault occurs in program x and syslog outputs the following string: | ||
+ | Apr 17 11:55:06 yyy kernel: grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by (x:z) UID(y) EUID(y), parent (y:y) UID(y) EUID(y) | ||
+ | then kernel tried to write a core-file for the program x to disk, BUT the max size of the core file is set to 0. | ||
+ | Growing the maximum size of a core file: | ||
+ | |||
+ | # ulimit -S -c 8192 | ||
+ |
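Review bot: `ulimit -S -c 8192` raises the soft core limit only for the shell it is typed in and the processes started from that shell, so for a daemon started at boot the limit has to be set in its start script (or wherever its environment is established), and the section should say that. The units also differ: bash's `ulimit -c` counts 1024-byte blocks while the kernel message reports bytes, so 8192 here permits 8 MiB core files, far more than the 4096 bytes the message says was requested; state which size is intended. It is also worth one sentence that a core limit of 0 is often deliberate on a production host (a core file contains the process's memory, credentials included) and that the grsec line is only the audit record of a request that was denied, so not raising the limit is a valid choice. The "FIXME TODO" left in "grsec iptables patch" should at least name what the section is meant to cover.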