Differences
linux:grsec [2006/02/19 20:04] 193.77.56.193 created document |
linux:grsec [2009/05/25 00:35] (current) |
Line 12: | Line 12: | ||
* Every security alert or audit contains the IP address of the person that caused the event | * Every security alert or audit contains the IP address of the person that caused the event | ||
- | taked from GrSecHomepage :) | + | taken from GrSecHomepage :) |
==== Links ==== | ==== Links ==== | ||
* [[http:// | * [[http:// | ||
+ | * [[http:// | ||
+ | * [[http:// | ||
===== Instalation ===== | ===== Instalation ===== | ||
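Review bot: the `taked` to `taken` correction is fine, but the `===== Instalation =====` heading in the context lines of this same hunk keeps its misspelling on both sides; since the edit already touches this region it should also become `===== Installation =====`.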
Line 24: | Line 26: | ||
server@/ | server@/ | ||
+ | |||
+ | ==== gradm install from source ==== | ||
+ | |||
+ | # gradm-xxxx.tar.gz | ||
+ | # cd gradm | ||
+ | # ./configure | ||
+ | # make && make install | ||
+ | ... | ||
+ | Setting up grsecurity ACL password | ||
+ | Password: | ||
+ | Re-enter Password: | ||
+ | Password written to / | ||
+ | |||
==== kernel 2.4.x tips ==== | ==== kernel 2.4.x tips ==== | ||
+ | |||
+ | |||
==== kernel 2.6.x tips ==== | ==== kernel 2.6.x tips ==== | ||
+ | |||
+ | |||
+ | === What to include in 2.6 with GRSecurity (Safeway) === | ||
+ | **taken from: [[http:// | ||
+ | ** | ||
+ | |||
+ | There are some problems with some applications with parts of the patch. For | ||
+ | example, turning on the non-executeable stack will break anything that uses | ||
+ | an executeable stack. ie: X, java, or wine, now you can use chpax and give | ||
+ | each of these a non executable stack. There are also some problems with the | ||
+ | way grsecurity gets a little to restrictive with things like restericting | ||
+ | filesystems ect. All of these can be overcome, however, you need to do some | ||
+ | magic to get some of these things to work, and frankly, some of it really | ||
+ | isnt worth it. | ||
+ | |||
+ | There are several options inside the grsecurity patch that you can choose. | ||
+ | |||
+ | What you can safely turn on in GRsecurity without breaking anything is: | ||
+ | * **'' | ||
+ | * **'' | ||
+ | * **'' | ||
+ | * **'' | ||
+ | * **'' | ||
+ | |||
+ | * **Filesystem Protections** | ||
+ | * // | ||
+ | |||
+ | * **'' | ||
+ | * // | ||
+ | |||
+ | * **'' | ||
+ | * // | ||
+ | |||
+ | * **'' | ||
+ | * // | ||
+ | |||
+ | * **'' | ||
+ | // | ||
+ | |||
+ | Compile everything staticly and you shold be fine. | ||
+ | |||
+ | I have tested this on production servers, and desktop boxes in mass and its | ||
+ | come out fine for x86 and sparc. I havent tried it on ppc but for the most | ||
+ | part it is safe, and it is also safe for production envoirnments. | ||
+ | |||
+ | === Using Pax and Grsecurity features === | ||
+ | |||
+ | First get a grsecurity patch kernel ready go in your **'' | ||
+ | |||
+ | < | ||
+ | Enable various PaX features | ||
+ | |||
+ | [*] Support soft mode | ||
+ | [*] Use legacy ELF header marking | ||
+ | [*] Use ELF program header marking | ||
+ | MAC system integration (direct) | ||
+ | |||
+ | Non-executable pages | ||
+ | |||
+ | [*] Enforce non-executable pages | ||
+ | [*] | ||
+ | [*] | ||
+ | [*] Emulate trampolines | ||
+ | [*] Restrict mprotect() | ||
+ | [ ] | ||
+ | [*] Enforce non-executable kernel pages | ||
+ | |||
+ | [*] Address Space Layout Randomization | ||
+ | [*] | ||
+ | [*] | ||
+ | [*] | ||
+ | </ | ||
+ | And for Miscellaneous hardening features I advise not to select any. | ||
+ | |||
+ | <note important> | ||
===== Configuration ===== | ===== Configuration ===== | ||
+ | |||
+ | putting all Grsec sysctl options into sysctl.conf | ||
+ | |||
+ | sysctl -a |grep grsec >> / | ||
+ | |||
==== sysctl ==== | ==== sysctl ==== | ||
+ | |||
+ | kernel.grsecurity.destroy_unused_shm = 1 | ||
+ | kernel.grsecurity.chroot_findtask = 1 | ||
+ | kernel.grsecurity.dmesg = 0 | ||
+ | kernel.grsecurity.audit_ipc = 1 | ||
+ | kernel.grsecurity.audit_mount = 0 | ||
+ | kernel.grsecurity.audit_chdir = 0 | ||
+ | kernel.grsecurity.audit_gid = 33 | ||
+ | kernel.grsecurity.audit_group = 1 | ||
+ | kernel.grsecurity.rand_tcp_src_ports = 1 | ||
+ | kernel.grsecurity.rand_pids = 1 | ||
+ | kernel.grsecurity.tpe_restrict_all = 0 | ||
+ | kernel.grsecurity.tpe_gid = 0 | ||
+ | kernel.grsecurity.tpe = 0 | ||
+ | kernel.grsecurity.chroot_deny_sysctl = 1 | ||
+ | kernel.grsecurity.chroot_caps = 1 | ||
+ | kernel.grsecurity.chroot_execlog = 1 | ||
+ | kernel.grsecurity.chroot_restrict_nice = 1 | ||
+ | kernel.grsecurity.chroot_deny_mknod = 1 | ||
+ | kernel.grsecurity.chroot_deny_chmod = 1 | ||
+ | kernel.grsecurity.chroot_enforce_chdir = 1 | ||
+ | kernel.grsecurity.chroot_deny_pivot = 1 | ||
+ | kernel.grsecurity.chroot_deny_chroot = 1 | ||
+ | kernel.grsecurity.chroot_deny_fchdir = 1 | ||
+ | kernel.grsecurity.chroot_deny_mount = 1 | ||
+ | kernel.grsecurity.chroot_deny_unix = 1 | ||
+ | kernel.grsecurity.chroot_deny_shmat = 1 | ||
+ | kernel.grsecurity.timechange_logging = 1 | ||
+ | kernel.grsecurity.forkfail_logging = 1 | ||
+ | kernel.grsecurity.signal_logging = 1 | ||
+ | kernel.grsecurity.exec_logging = 0 | ||
+ | kernel.grsecurity.execve_limiting = 1 | ||
+ | kernel.grsecurity.fifo_restrictions = 1 | ||
+ | kernel.grsecurity.linking_restrictions = 1 | ||
+ | kernel.pax.softmode = 1 | ||
+ | kernel.grsecurity.grsec_lock = 0 | ||
+ | |||
+ | |||
+ | ==== PaX ==== | ||
+ | |||
+ | * [[http:// | ||
+ | |||
+ | install pax utils: | ||
+ | | ||
+ | |||
+ | **Testing the PAX default settings** with '' | ||
+ | |||
+ | PaXtest - Copyright(c) 2003,2004 by Peter Busser < | ||
+ | Released under the GNU Public Licence version 2 or later | ||
+ | | ||
+ | Mode: kiddie|blackhat | ||
+ | Linux xxxx | ||
+ | | ||
+ | Executable anonymous mapping | ||
+ | Executable bss : Vulnerable | ||
+ | Executable data : Vulnerable | ||
+ | Executable heap : Vulnerable | ||
+ | Executable stack : Vulnerable | ||
+ | Executable anonymous mapping (mprotect) | ||
+ | Executable bss (mprotect) | ||
+ | Executable data (mprotect) | ||
+ | Executable heap (mprotect) | ||
+ | Executable shared library bss (mprotect) : Vulnerable | ||
+ | Executable shared library data (mprotect): Vulnerable | ||
+ | Executable stack (mprotect) | ||
+ | Anonymous mapping randomisation test : 9 bits (guessed) | ||
+ | Heap randomisation test (ET_EXEC) | ||
+ | Heap randomisation test (ET_DYN) | ||
+ | Main executable randomisation (ET_EXEC) | ||
+ | Main executable randomisation (ET_DYN) | ||
+ | Shared library randomisation test : 8 bits (guessed) | ||
+ | Stack randomisation test (SEGMEXEC) | ||
+ | Stack randomisation test (PAGEEXEC) | ||
+ | Return to function (strcpy) | ||
+ | Return to function (strcpy, RANDEXEC) | ||
+ | Return to function (memcpy) | ||
+ | Return to function (memcpy, RANDEXEC) | ||
+ | Executable shared library bss : Vulnerable | ||
+ | Executable shared library data : Vulnerable | ||
+ | Writable text segments | ||
+ | |||
+ | ==== Hardening Webservers ==== | ||
+ | |||
+ | For example | ||
+ | |||
+ | | ||
+ | |||
+ | | ||
+ | |||
+ | You can even use wildcards like'' | ||
+ | |||
+ | Also make sure you do the** '' | ||
+ | |||
==== gdadm ==== | ==== gdadm ==== | ||
- | | + | |
+ | The **gradm** utility controls only grsecurity' | ||
+ | |||
+ | | ||
+ | |||
+ | Once you've set up a password, you can log into gradm as admin with the command: | ||
+ | |||
+ | gradm -a | ||
+ | |||
+ | An innovative way to set up RBAC is to use grsecurity' | ||
+ | |||
+ | gradm -F -L / | ||
+ | |||
+ | Let this mode run for a day or two to catch any time-sensitive processes. Avoid any administrative tasks during this time -- remember, the root account is no longer trusted. After grsecurity has had enough time to recognize normal system usage, shut down learning mode and log into gradm as admin. Shutting down learning mode is necessary because grsecurity hides its configuration files when RBAC is running, as it is during learning mode. This means that the system will display an error message about not being able to find learning.log. In fact, the directory /etc/grsec will not appear to exist, even to root. | ||
+ | |||
+ | To write the ACL to disk, run the command: | ||
+ | |||
+ | gradm -F -L / | ||
+ | |||
+ | To start RBAC with your new ACL, run: | ||
+ | |||
+ | gradm -E | ||
+ | |||
+ | You can now enjoy the security advantages of processes running with the least amount of privileges necessary. | ||
+ | |||
+ | If you encounter any problems, disable RBAC by first logging in with the admin password and then running: | ||
+ | |||
+ | gradm -D | ||
==== grsec iptables patch ==== | ==== grsec iptables patch ==== | ||
- | | + | FIXME TODO |
+ | |||
+ | ===== Tips / troubleshooting ===== | ||
+ | |||
+ | ==== complaints of grsecurity-kernel about RLIMIT_CORE being 0 ==== | ||
+ | |||
+ | If, while running program x, a segmentation fault occurs in program x and syslog outputs the following string: | ||
+ | Apr 17 11:55:06 yyy kernel: grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by (x:z) UID(y) EUID(y), parent (y:y) UID(y) EUID(y) | ||
+ | then kernel tried to write a core-file for the program x to disk, BUT the max size of the core file is set to 0. | ||
+ | Growing the maximum size of a core file: | ||
+ | |||
+ | # ulimit -S -c 8192 | ||
+ |
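Review bot: the sysctl block sets `kernel.pax.softmode = 1` and ends with `kernel.grsecurity.grsec_lock = 0`, which together leave PaX enforcing nothing on binaries that have not been explicitly marked and allow root to flip every grsecurity sysctl off at runtime; that is consistent with the paxtest listing further down, where every visible executable-memory test reports `Vulnerable`. For a hardened box set `kernel.pax.softmode = 0`, keep `kernel.grsecurity.grsec_lock = 1` as the very last line so it is applied after all the other values, and re-run paxtest to confirm the results change; `kernel.grsecurity.dmesg = 0` likewise leaves the kernel log readable by every user. Related: the `sysctl -a |grep grsec` command used to populate sysctl.conf will not capture `kernel.pax.softmode`, which does not match `grsec`, so that key has to be added by hand. Smaller points in the same hunk: the gradm source listing opens with `# gradm-xxxx.tar.gz`, which is not a command (an extract step such as `tar xzf` is missing before `# cd gradm`); the `==== gdadm ====` heading should read gradm; and `# ulimit -S -c 8192` only raises the soft limit, so when the hard limit is also 0 the command fails and the hard limit (`ulimit -H -c` or the limits.conf entry) has to be raised first.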