This is an old revision of the document!
Linux / grsecurity kernel patch
Grsecurity is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. It is licensed under the GPL. It offers among many other features:
- An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
- Change root (chroot) hardening
- /tmp race prevention
- Extensive auditing
- Prevention of entire classes of exploits related to address space bugs (from the PaX project)
- Additional randomness in the TCP/IP stack
- A restriction that allows a user to only view his/her processes
- Every security alert or audit contains the IP address of the person that caused the event
taken from GrSecHomepage :)
Links
Instalation
dowload grsecurity patch for your kernel (2.6.x / 2.4.x) from the site. You might need to wait a bit for a grsecurity patch for latest kernel.
Kernel patching
server@/usr/src/linux# zcat ../grsecurity-2.XXX.patch.gz |patch -p1
gradm install from source
# gradm-xxxx.tar.gz # cd gradm # ./configure # make && make install ... Setting up grsecurity ACL password Password: Re-enter Password: Password written to /etc/grsec/pw.
kernel 2.4.x tips
kernel 2.6.x tips
Configuration
putting all Grsec sysctl options into sysctl.conf
sysctl -a |grep grsec >> /etc/sysctl.conf
sysctl
kernel.grsecurity.destroy_unused_shm = 1 kernel.grsecurity.chroot_findtask = 1 kernel.grsecurity.dmesg = 0 kernel.grsecurity.audit_ipc = 1 kernel.grsecurity.audit_mount = 0 kernel.grsecurity.audit_chdir = 0 kernel.grsecurity.audit_gid = 33 kernel.grsecurity.audit_group = 1 kernel.grsecurity.rand_tcp_src_ports = 1 kernel.grsecurity.rand_pids = 1 kernel.grsecurity.tpe_restrict_all = 0 kernel.grsecurity.tpe_gid = 0 kernel.grsecurity.tpe = 0 kernel.grsecurity.chroot_deny_sysctl = 1 kernel.grsecurity.chroot_caps = 1 kernel.grsecurity.chroot_execlog = 1 kernel.grsecurity.chroot_restrict_nice = 1 kernel.grsecurity.chroot_deny_mknod = 1 kernel.grsecurity.chroot_deny_chmod = 1 kernel.grsecurity.chroot_enforce_chdir = 1 kernel.grsecurity.chroot_deny_pivot = 1 kernel.grsecurity.chroot_deny_chroot = 1 kernel.grsecurity.chroot_deny_fchdir = 1 kernel.grsecurity.chroot_deny_mount = 1 kernel.grsecurity.chroot_deny_unix = 1 kernel.grsecurity.chroot_deny_shmat = 1 kernel.grsecurity.timechange_logging = 1 kernel.grsecurity.forkfail_logging = 1 kernel.grsecurity.signal_logging = 1 kernel.grsecurity.exec_logging = 0 kernel.grsecurity.execve_limiting = 1 kernel.grsecurity.fifo_restrictions = 1 kernel.grsecurity.linking_restrictions = 1 kernel.pax.softmode = 1 kernel.grsecurity.grsec_lock = 0
PaX
install pax utils:
apt-get install chpax paxctl paxtest
Testing the PAX default settings with paxtest
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org> Released under the GNU Public Licence version 2 or later Mode: kiddie|blackhat Linux xxxx Executable anonymous mapping : Vulnerable Executable bss : Vulnerable Executable data : Vulnerable Executable heap : Vulnerable Executable stack : Vulnerable Executable anonymous mapping (mprotect) : Vulnerable Executable bss (mprotect) : Vulnerable Executable data (mprotect) : Vulnerable Executable heap (mprotect) : Vulnerable Executable shared library bss (mprotect) : Vulnerable Executable shared library data (mprotect): Vulnerable Executable stack (mprotect) : Vulnerable Anonymous mapping randomisation test : 9 bits (guessed) Heap randomisation test (ET_EXEC) : 13 bits (guessed) Heap randomisation test (ET_DYN) : 13 bits (guessed) Main executable randomisation (ET_EXEC) : No randomisation Main executable randomisation (ET_DYN) : No randomisation Shared library randomisation test : 8 bits (guessed) Stack randomisation test (SEGMEXEC) : 19 bits (guessed) Stack randomisation test (PAGEEXEC) : 19 bits (guessed) Return to function (strcpy) : Vulnerable Return to function (strcpy, RANDEXEC) : Vulnerable Return to function (memcpy) : Vulnerable Return to function (memcpy, RANDEXEC) : Vulnerable Executable shared library bss : Vulnerable Executable shared library data : Vulnerable Writable text segments : Vulnerable
gdadm
The gradm utility controls only grsecurity's RBAC system; it cannot alter the behavior of grsecurity's there features. In a grsecurity-enabled kernel, gradm installs with a simple make; make install. You can set an admin password for gradm, which is a good idea, as once RBAC is enabled, even root's power will be restricted, and to get it back, you need to assume the admin role. You also need a password to shut down RBAC. Set the admin password with the command:
gradm -P admin
Once you've set up a password, you can log into gradm as admin with the command:
gradm -a
An innovative way to set up RBAC is to use grsecurity's learning mode. In learning mode, grsecurity watches for processes that run with root privileges, access the Internet, or write to key system files or directories. Grsecurity then generates an access control list (ACL) that instructs grsecurity to run these processes using the least privilege approach mentioned earlier. To enable learning mode, run:
gradm -F -L /etc/grsec/learning.log
Let this mode run for a day or two to catch any time-sensitive processes. Avoid any administrative tasks during this time – remember, the root account is no longer trusted. After grsecurity has had enough time to recognize normal system usage, shut down learning mode and log into gradm as admin. Shutting down learning mode is necessary because grsecurity hides its configuration files when RBAC is running, as it is during learning mode. This means that the system will display an error message about not being able to find learning.log. In fact, the directory /etc/grsec will not appear to exist, even to root.
To write the ACL to disk, run the command:
gradm -F -L /etc/grsec/learning.log -O /etc/grsec/acl
To start RBAC with your new ACL, run:
gradm -E
You can now enjoy the security advantages of processes running with the least amount of privileges necessary.
If you encounter any problems, disable RBAC by first logging in with the admin password and then running:
gradm -D
grsec iptables patch
TODO