Differences

This shows you the differences between two versions of the page.

linux:grsec [2006/12/16 00:48]
linux:grsec [2009/05/25 00:35] (current)
Line 41: Line 41:
  
 ==== kernel 2.4.x tips ==== ==== kernel 2.4.x tips ====
 +
  
 ==== kernel 2.6.x tips ==== ==== kernel 2.6.x tips ====
Line 87: Line 88:
 come out fine for x86 and sparc. I havent tried it on ppc but for the most  come out fine for x86 and sparc. I havent tried it on ppc but for the most 
 part it is safe, and it is also safe for production envoirnments. part it is safe, and it is also safe for production envoirnments.
 +
 +=== Using Pax and Grsecurity features ===
 +
 +First get a grsecurity patch kernel ready go in your **''menuconfig > Security > Pax Funnctions''**
 +
 +<code>
 +Enable various PaX features
 +
 +[*] Support soft mode
 +[*] Use legacy ELF header marking
 +[*] Use ELF program header marking
 +MAC system integration (direct)  —>
 +
 +Non-executable pages
 +
 +[*] Enforce non-executable pages
 +[*]   Paging based non-executable pages
 +[*]   Segmentation based non-executable pages
 +[*] Emulate trampolines
 +[*] Restrict mprotect()
 +[ ]   Disallow ELF text relocations
 +[*] Enforce non-executable kernel pages
 +
 +[*] Address Space Layout Randomization
 +[*]   Randomize kernel stack base
 +[*]   Randomize user stack base
 +[*]   Randomize mmap() base
 +</code>
 +And for Miscellaneous hardening features I advise not to select any.
 +
 +<note important>Once you got your pax and gr security kernel setup and have booted into it the first thing you will have to do is disable some pax functions on php binaries. **NOTICE: php will work with pax functions enabled but will nbot be able to load anything like zend optimizer**</note>
  
 ===== Configuration ===== ===== Configuration =====
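Review bot: the PaX menu added here selects "Support soft mode", and the page's own Configuration section (the hunk at Line 131) sets kernel.pax.softmode = 1; the new text should say plainly that in soft mode the PaX restrictions are applied only to binaries whose PaX flags explicitly enable them, so "Enforce non-executable pages", "Restrict mprotect()" and the ASLR options above do not protect an unmarked program by default, and the reader has to mark the binaries they care about. The php note says "disable some pax functions" but never names which feature the Zend loader trips over; naming it would keep readers from clearing every flag, which is what the later Hardening Webservers hunk does with -permxs. Typos in the new lines: "Pax Funnctions", "nbot".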
Line 131: Line 163:
   kernel.pax.softmode = 1   kernel.pax.softmode = 1
   kernel.grsecurity.grsec_lock = 0   kernel.grsecurity.grsec_lock = 0
 +
  
 ==== PaX ==== ==== PaX ====
Line 174: Line 207:
   Executable shared library data           : Vulnerable   Executable shared library data           : Vulnerable
   Writable text segments                   : Vulnerable   Writable text segments                   : Vulnerable
 +
 +==== Hardening Webservers ====
 +
 +For example
 +
 +   paxctl -c /usr/local/bin/php
 +
 +   paxctl -permxs /usr/local/bin/php
 +
 +You can even use wildcards like'' /usr/bin/php*''
 +
 +Also make sure you do the** ''sapi/cli/cgi''** module of your web server the same way. On some webservers like litespeed you will have to do the binaries on it as well. Do not disable binaries too freely, only try to do it if it is the only option to make it work.
  
 ==== gdadm ==== ==== gdadm ====
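Review bot: `paxctl -permxs` clears all six PaX flags on the php binary (p PAGEEXEC, e EMUTRAMP, r RANDMMAP, m MPROTECT, x RANDEXEC, s SEGMEXEC), which contradicts the closing advice not to disable things too freely; the example should start from the one flag the failing module actually needs and add others only when the kernel log shows a PaX denial for that binary, and it should spell out what each lowercase letter turns off so readers do not copy the whole string. The `paxctl -c` line converts PT_GNU_STACK into a PT_PAX_FLAGS header and has to run before the flag change, which is worth stating since the two commands are shown as unrelated steps. Minor markup: the spaces and `''`/`**` delimiters in "like'' /usr/bin/php*''" and "the** ''sapi/cli/cgi''**" are swapped, and the wildcard is shell expansion rather than a paxctl feature.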
Line 204: Line 249:
  
    gradm -D     gradm -D 
 +
  
 ==== grsec iptables patch ==== ==== grsec iptables patch ====
 FIXME TODO FIXME TODO
 +
 +===== Tips / troubleshooting =====
 +
 +==== complaints of grsecurity-kernel about RLIMIT_CORE being 0 ====
 +
 +If, while running program x, a segmentation fault occurs in program x and syslog outputs the following string:
 +   Apr 17 11:55:06 yyy kernel: grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by (x:z) UID(y) EUID(y), parent (y:y) UID(y) EUID(y) 
 +then kernel tried to write a core-file for the program x to disk, BUT the max size of the core file is set to 0.
 +Growing the maximum size of a core file:
 +
 +  # ulimit -S -c 8192
 +
  
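Review bot: `ulimit -S -c 8192` raises only the soft limit of the shell it is typed in and of processes started from that shell, so for a service started by init it changes nothing; the fix should say to set the limit in the program's start script (or in /etc/security/limits.conf for login sessions) and that the hard limit must also permit the new value. Worth adding that the quoted line is the grsecurity resource audit message, not a fault of its own: with RLIMIT_CORE at 0 the core file is simply not written, which is the usual production setting because a core dump of a privileged program can contain secrets, so the limit should be raised only while debugging and only for that program. Grammar: "then kernel tried" should read "then the kernel tried".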
linux/grsec.1166226531.txt.gz · Last modified: 2009/05/25 00:34 (external edit)
CC Attribution-Share Alike 4.0 International