blob: 48ac2b29f966bd07a92a20dae8f24eedb013332c (
plain) (
tree)
|
|
<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta charset='utf-8'>
<title>2.2.1. Grsecurity</title>
</head>
<body>
<a href="index.html">Core OS Index</a>
<h1>2.2.1. Grsecurity</h1>
<p>Install grsecurity <a href="hardening.html">utilities</a>, kernel
configuration is based on
<a href="../core/reboot.html#linux">port kernel</a>, for manual
configuration check <a href="linux.html">linux kernel</a>. Configuration
is not enable by default, groups with special permissions and other
protections are set with <a href="sysctl.html">sysctl</a>;</p>
<dl>
<dt>proc</dt>
<dd>GID 4 - adm group</dd>
<dd>If you say Y here, you will be able to select a group that will be
able to view all processes and network-related information.
GRKERNSEC_HIDESYM is enabled, kernel and symbol information may still
remain hidden.</dd>
<dt>symlinks owner match</dt>
<dd>GID 15 - www group</dd>
<dd>Kernel-enforced SymlinksIfOwnerMatch group.</dd>
<dt>group for auditing</dt>
<dd>GID 99 - nobody group</dd>
<dd>This option is recommended if you only want to watch certain
users exec and chdir logging features instead of having a large
amount of logs from the entire system</dd>
<dt>tpe</dt>
<dd>GID 100 - users</dd>
<dd>Supplementary groups of users you want to mark as "untrusted".
Invert gid option causes to not apply tpe protection to this group,
allowing to build software with partially restrict all non-root users
enable.</dd>
<dt>socket all</dt>
<dd>GID 200 - non existent</dd>
<dd>Deny sockets to this group.</dd>
<dt>socket client</dt>
<dd>GID 15 - www group</dd>
<dd>Deny client sockets to this group.</dd>
<dt>socket server</dt>
<dd>GID 99 - nobody group</dd>
<dd>Deny server sockets to this group.</dd>
</dl>
<p>At run time you can change some configurations;</p>
<pre>
# cat /proc/sys/kernel/grsecurity/what_ever_setting
</pre>
<p>Kernel configuration related to grsecurity;</p>
<pre>
#
# Grsecurity
#
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_TASK_SIZE_MAX_SHIFT=42
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_CONFIG_AUTO is not set
CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
CONFIG_GRKERNSEC_PROC_GID=4
CONFIG_GRKERNSEC_TPE_TRUSTED_GID=100
CONFIG_GRKERNSEC_SYMLINKOWN_GID=15
#
# PaX
#
CONFIG_PAX=y
#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_XATTR_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
# CONFIG_PAX_ELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_PLUGIN=y
# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_NONE is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
#
# Miscellaneous hardening features
#
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_MEMORY_STACKLEAK=y
CONFIG_PAX_MEMORY_STRUCTLEAK=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y
CONFIG_PAX_CONSTIFY_PLUGIN=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
CONFIG_PAX_SIZE_OVERFLOW=y
CONFIG_PAX_SIZE_OVERFLOW_EXTRA=y
# CONFIG_PAX_INITIFY is not set
CONFIG_HAVE_PAX_INITIFY_INIT_EXIT=y
CONFIG_PAX_LATENT_ENTROPY=y
CONFIG_PAX_RAP=y
#
# Memory Protections
#
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_BPF_HARDEN=y
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_KSTACKOVERFLOW=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_RANDSTRUCT=y
CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y
CONFIG_GRKERNSEC_KERN_LOCKOUT=y
#
# Role Based Access Control Options
#
# CONFIG_GRKERNSEC_NO_RBAC is not set
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_SYMLINKOWN=y
CONFIG_GRKERNSEC_FIFO=y
# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
CONFIG_GRKERNSEC_ROFS=y
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_RENAME=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_CHROOT_INITRD=y
#
# Kernel Auditing
#
CONFIG_GRKERNSEC_AUDIT_GROUP=y
CONFIG_GRKERNSEC_AUDIT_GID=99
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_PTRACE=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
#
# Executable Protections
#
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
CONFIG_GRKERNSEC_HARDEN_IPC=y
CONFIG_GRKERNSEC_HARDEN_TTY=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_INVERT=y
CONFIG_GRKERNSEC_TPE_GID=100
#
# Network Protections
#
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
CONFIG_GRKERNSEC_SOCKET=y
CONFIG_GRKERNSEC_SOCKET_ALL=y
CONFIG_GRKERNSEC_SOCKET_ALL_GID=200
CONFIG_GRKERNSEC_SOCKET_CLIENT=y
CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=15
CONFIG_GRKERNSEC_SOCKET_SERVER=y
CONFIG_GRKERNSEC_SOCKET_SERVER_GID=99
#
# Physical Protections
#
CONFIG_GRKERNSEC_DENYUSB=y
# CONFIG_GRKERNSEC_DENYUSB_FORCE is not set
#
# Sysctl Support
#
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_DISTRO=y
# CONFIG_GRKERNSEC_SYSCTL_ON is not set
</pre>
<h2 id="pax">Pax</h2>
<p>Grub uses nested functions and thus needs either PAX_EMUTRAMP enabled in the kernel and EMUTRAMP enabled on affected binaries, or if PAX_EMUTRAMP is not enabled in the kernel, needs MPROTECT disabled on affected binaries. Depending on the version of grub in use, some of the following files may not exist, but you should mark all those that exist. To add EMUTRAMP, use the '-CE' argument to paxctl. To remove MPROTECT, use '-Cm'.</p>
/usr/bin/grub-script-check
/usr/sbin/grub-probe
/usr/sbin/grub-mkdevicemap
<h2 id="gradm">Gradm</h2>
<p>Gradm is grsecurity access control lists administration utility. Gradm
have a
<a href="https://en.wikibooks.org/wiki/Grsecurity/The_Administration_Utility#Learning_Mode">learning mode</a>
per-subject, per-role or system-wide. Learning mode gather information that
RBAC system supports, it reduces policy size, increase readability and enforces
that is configurable. Protected resources can be added to /etc/grsec/learn_cong
to learning system.</p>
<p>Entering in learning mode;</p>
<pre>
# gradm -F -L /etc/grsec/learning.log
</pre>
<p>To perform administrative tasks while system learning is running,
authenticate to admin role;</p>
<pre>
# gradm -a admin
</pre>
<p>When learning system have gather sufficient data disable RBAC system;</p>
<pre>
# gradm -D
</pre>
<p>Now that RBAC is disable data collected can be used to generate ACLs;</p>
<pre>
# gradm -F -L /etc/grsec/learning.logs -O /etc/grset/policy
</pre>
<p>Start RBAC with policy;</p>
<pre>
# gradm -E
</pre>
<a href="index.html">Core OS Index</a>
<p>This is part of the c9 Manual.
Copyright (C) 2017
c9 team.
See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
for copying conditions.</p>
</body>
</html>
|