diff options
| author | Silvino Silva <silvino@bk.ru> | 2017-02-25 20:17:55 +0000 |
|---|---|---|
| committer | Silvino Silva <silvino@bk.ru> | 2017-02-25 20:17:55 +0000 |
| commit | 4cc6765e1332b7bbef89091a3a3d4f055a60cebf (patch) | |
| tree | a01007b92a67c201f147644c1faa98849f1c4700 /core | |
| parent | d26a4e12deafade205d37a9fda748a6b78dfdb6a (diff) | |
| download | doc-4cc6765e1332b7bbef89091a3a3d4f055a60cebf.tar.gz | |
core index correction
Diffstat (limited to 'core')
| -rw-r--r-- | core/grsecurity.html | 6 | ||||
| -rw-r--r-- | core/hardening.html | 157 | ||||
| -rw-r--r-- | core/index.html | 8 | ||||
| -rw-r--r-- | core/linux.html | 608 | ||||
| -rw-r--r-- | core/scripts/backup-system.sh | 79 | ||||
| -rw-r--r-- | core/sysctl.html | 627 | ||||
| -rw-r--r-- | core/toolchain.html | 165 |
7 files changed, 868 insertions, 782 deletions
diff --git a/core/grsecurity.html b/core/grsecurity.html index cda9bfb..adfd292 100644 --- a/core/grsecurity.html +++ b/core/grsecurity.html @@ -6,7 +6,7 @@ </head> <body> - <a href="index.html">Tools Index</a> + <a href="index.html">Core OS Index</a> <h1>Grsecurity</h1> @@ -74,8 +74,8 @@ # gradm -E </pre> - <a href="index.html">Tools Index</a> - <p>This is part of the c9-doc Manual. + <a href="index.html">Core OS Index</a> + <p>This is part of the c9 Manual. Copyright (C) 2017 c9 team. See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> diff --git a/core/hardening.html b/core/hardening.html index 478c911..024c4c9 100644 --- a/core/hardening.html +++ b/core/hardening.html @@ -2,20 +2,20 @@ <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> - <title>Hardening</title> + <title>2.2. Hardening</title> </head> <body> - <a href="index.html">Tools Index</a> + <a href="index.html">Core OS Index</a> - <h1>Hardening</h1> + <h1>2.2. Hardening</h1> <p>Kernel in ports have upstream linux kernel and grsecurity patch, it should break some functionality for the user and pkgmk user if tpe protection is active.</p> <pre> - $ sudo prt-get depinst gradm paxtest paxd checksec lynis + $ sudo prt-get depinst gradm paxtest paxctld checksec lynis </pre> <p>Check <a href="grsecurity.html">grsecurity</a> on how to setup @@ -40,154 +40,9 @@ <p>Add unnecessary tests to profile to have less noise.</p> - <h2 id="toolchain">Rebuild Toolchain</h2> - <p>Add flags to pkgmk configuration and change specific ports that - don't build with hardening flags. More information about - <a href="https://wiki.archlinux.org/index.php/DeveloperWiki:Security">arch security</a>, - gentoo security, - <a href="http://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html#Instrumentation-Options">gcc</a> instrumentation-options - and <a href="http://www.gnu.org/software/libc/manual/html_node/Configuring-and-compiling.html">glibc</a> - configuring and compiling. Edit /etc/pkgmk.conf;</p> - - <pre> - export CPPFLAGS="-D_FORTIFY_SOURCE=2" - export CFLAGS="-O2 -march=native -mtune=native -fstack-protector-strong --param=ssp-buffer-size=4" - export CXXFLAGS="${CFLAGS}" - export LDFLAGS="-z relro" - </pre> - - <h3>Core</h3> - - <p>Ports in core collection that need to be changed in order - to build with pkgmk harden configuration.</p> - - <h4>Glibc</h4> - - <ul> - <li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/glibc.html">lfs</a></li> - <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/glibc">arch</a></li> - </ul> - - <pre> - export CPPFLAGS="" - export CFLAGS="-O2 -march=native -mtune=native" - export CXXFLAGS="${CFLAGS}" - export LDFLAGS="" - </pre> - - <pre> - ../$name-${version:0:4}/configure --prefix=/usr \ - --libexecdir=/usr/lib \ - --with-headers=$PKG/usr/include \ - --enable-kernel=3.12 \ - --enable-add-ons \ - --enable-static-nss \ - --disable-profile \ - --disable-werror \ - --without-gd \ - --enable-obsolete-rpc \ - --enable-multi-arch \ - --enable-stackguard-randomization \ - --enable-stack-protector=strong - </pre> - - <h4>Gcc</h4> - - <ul> - <li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/gcc.html">lfs</a></li> - <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/gcc">arch</a></li> - </ul> - - <pre> - export CPPFLAGS="" - export CFLAGS="-O2 -march=native -mtune=native" - export CXXFLAGS="${CFLAGS}" - export LDFLAGS="" - </pre> - - <h4>libcap</h4> - - <ul> - <li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/libcap.html">lfs</a></li> - <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/libcap">arch</a></li> - </ul> - - <h4>bzip2</h4> - - <ul> - <li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/bzip2.html">lfs</a></li> - <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/bzip2">arch</a></li> - </ul> - - <h4>hdparm</h4> - - <ul> - <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/hdparm.html">lfs</a></li> - <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/hdparm">arch</a></li> - </ul> - - <h3>Opt</h3> - - <h4>lsof</h4> - - <ul> - <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/lsof.html">lfs</a></li> - <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/lsof">arch</a></li> - </ul> - - <h4>python</h4> - - <ul> - <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/python2.html">lfs</a></li> - <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/python2">arch</a></li> - </ul> - - <h4>zip</h4> - - <ul> - <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/zip.html">lfs</a></li> - <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/zip">arch</a></li> - </ul> - - <h4>glew</h4> - - <ul> - <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/glew">arch</a></li> - </ul> - - <h4>dmenu</h4> - - <ul> - <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/dmenu">arch</a></li> - </ul> - - <h4>Boost</h4> - - <ul> - <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/boost.html">lfs</a></li> - <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/boost">arch</a></li> - </ul> - - <pre> - export CPPFLAGS="" - export CFLAGS="-O2 -march=native -mtune=native" - export CXXFLAGS="${CFLAGS}" - export LDFLAGS="" - </pre> - - <h3>Contrib</h3> - - <h4>gsl</h4> - - <ul> - <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/gsl.html">lfs</a></li> - <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/gsl">arch</a></li> - </ul> - - - <a href="index.html">Tools Index</a> - <p>This is part of the c9-doc Manual. + <a href="index.html">Core OS Index</a> + <p>This is part of the c9 Manual. Copyright (C) 2017 c9 team. See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> diff --git a/core/index.html b/core/index.html index 97376f4..8274630 100644 --- a/core/index.html +++ b/core/index.html @@ -5,6 +5,7 @@ <title>c9 Core OS</title> </head> <body> + <a href="../index.html">Documentation Index</a> <h1>c9 Core OS</h1> @@ -76,13 +77,14 @@ <li><a href="linux.html#kinstall">2.1.2. Manual install</a></li> <li><a href="linux.html#kuninstall">2.1.3. Manual remove</a></li> <li><a href="linux.html#dracut">2.1.4. Dracut</a></li> - <li><a href="linux.html#sysctl">2.1.5. Sysctl</a></li> </ul> </li> <li><a href="hardening.html">2.2. Hardening</a> <ul> - <li><a href="grsecurity.html">2.2.1 Grsecurity</a></li> - <li><a href="samhain.html">2.2.2 Samhain</a></li> + <li><a href="toolchain.html">2.2.1. Toolchain</a></li> + <li><a href="grsecurity.html">2.2.2. Grsecurity</a></li> + <li><a href="sysctl.html">2.2.3. Sysctl</a></li> + <li><a href="samhain.html">2.2.4. Samhain</a></li> </ul> </li> <li><a href="network.html">2.3. Network</a> diff --git a/core/linux.html b/core/linux.html index 888b916..5138676 100644 --- a/core/linux.html +++ b/core/linux.html @@ -144,614 +144,6 @@ # dracut -v /boot/initramfs-4.9.11-blob.img 4.9.11-blob </pre> - <h2 id="sysctl">2.1.4. Sysctl</h2> - - <p>Sysctl references - <a href="https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening">Arch TCP/IP stack hardening</a>, - <a href="http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html">Cyberciti Nginx Hardning</a>, - <a href="http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/">Cyberciti Security Hardening</a>, - <a href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">Grsecurity and PaX Configuration</a>.</p> - - <p>Since kernels on c9-ports have <a href="pax.grsecurity.net">PaX</a> - and <a href="http://grsecurity.net/announce.php">grsecurity</a>, - <a href="conf/sysctl.conf">/etc/sysctl.conf</a> can have follow - values;</p> - - <pre> - # - # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5) - # - - kernel.printk = 7 1 1 4 - kernel.randomize_va_space = 2 - # Shared Memory - #kernel.shmmax = 500000000 - # Total allocated file handlers that can be allocated - # fs.file-nr= - vm.mmap_min_addr=65536 - # Allow for more PIDs (to reduce rollover problems); may break some programs 32768 - kernel.pid_max = 65536 - - # - # Memory Protections - # - - # If you say Y here, all ioperm and iopl calls will return an error. - # Ioperm and iopl can be used to modify the running kernel. - # Unfortunately, some programs need this access to operate properly, - # the most notable of which are XFree86 and hwclock. hwclock can be - # remedied by having RTC support in the kernel, so real-time - # clock support is enabled if this option is enabled, to ensure - # that hwclock operates correctly. - # - # If you're using XFree86 or a version of Xorg from 2012 or earlier, - # you may not be able to boot into a graphical environment with this - # option enabled. In this case, you should use the RBAC system instead. - kernel.grsecurity.disable_priv_io = 0 - - # If you say Y here, attempts to bruteforce exploits against forking - # daemons such as apache or sshd, as well as against suid/sgid binaries - # will be deterred. When a child of a forking daemon is killed by PaX - # or crashes due to an illegal instruction or other suspicious signal, - # the parent process will be delayed 30 seconds upon every subsequent - # fork until the administrator is able to assess the situation and - # restart the daemon. - # In the suid/sgid case, the attempt is logged, the user has all their - # existing instances of the suid/sgid binary terminated and will - # be unable to execute any suid/sgid binaries for 15 minutes. - # - # It is recommended that you also enable signal logging in the auditing - # section so that logs are generated when a process triggers a suspicious - # signal. - # If the sysctl option is enabled, a sysctl option with name - # "deter_bruteforce" is created. - kernel.grsecurity.deter_bruteforce = 1 - - # - # Filesystem Protections - # - - # Optimization for port usefor LBs - # Increase system file descriptor limit - fs.file-max = 65535 - - # If you say Y here, /tmp race exploits will be prevented, since users - # will no longer be able to follow symlinks owned by other users in - # world-writable +t directories (e.g. /tmp), unless the owner of the - # symlink is the owner of the directory. users will also not be - # able to hardlink to files they do not own. If the sysctl option is - # enabled, a sysctl option with name "linking_restrictions" is created. - kernel.grsecurity.linking_restrictions = 0 - - - # Apache's SymlinksIfOwnerMatch option has an inherent race condition - # that prevents it from being used as a security feature. As Apache - # verifies the symlink by performing a stat() against the target of - # the symlink before it is followed, an attacker can setup a symlink - # to point to a same-owned file, then replace the symlink with one - # that targets another user's file just after Apache "validates" the - # symlink -- a classic TOCTOU race. If you say Y here, a complete, - # race-free replacement for Apache's "SymlinksIfOwnerMatch" option - # will be in place for the group you specify. If the sysctl option - # is enabled, a sysctl option with name "enforce_symlinksifowner" is - # created. - kernel.grsecurity.enforce_symlinksifowner = 0 - #kernel.grsecurity.symlinkown_gid = 33 - - # if you say Y here, users will not be able to write to FIFOs they don't - # own in world-writable +t directories (e.g. /tmp), unless the owner of - # the FIFO is the same owner of the directory it's held in. If the sysctl - # option is enabled, a sysctl option with name "fifo_restrictions" is - # created. - kernel.grsecurity.fifo_restrictions = 0 - - # If you say Y here, a sysctl option with name "romount_protect" will - # be created. By setting this option to 1 at runtime, filesystems - # will be protected in the following ways: - # * No new writable mounts will be allowed - # * Existing read-only mounts won't be able to be remounted read/write - # * Write operations will be denied on all block devices - # This option acts independently of grsec_lock: once it is set to 1, - # it cannot be turned off. Therefore, please be mindful of the resulting - # behavior if this option is enabled in an init script on a read-only - # filesystem. - # Also be aware that as with other root-focused features, GRKERNSEC_KMEM - # and GRKERNSEC_IO should be enabled and module loading disabled via - # config or at runtime. - # This feature is mainly intended for secure embedded systems. - #kernel.grsecurity.romount_protect = 0 - - # if you say Y here, the capabilities on all processes within a - # chroot jail will be lowered to stop module insertion, raw i/o, - # system and net admin tasks, rebooting the system, modifying immutable - # files, modifying IPC owned by another, and changing the system time. - # This is left an option because it can break some apps. Disable this - # if your chrooted apps are having problems performing those kinds of - # tasks. If the sysctl option is enabled, a sysctl option with - # name "chroot_caps" is created. - kernel.grsecurity.chroot_caps = 1 - - #kernel.grsecurity.chroot_deny_bad_rename = 1 - - # If you say Y here, processes inside a chroot will not be able to chmod - # or fchmod files to make them have suid or sgid bits. This protects - # against another published method of breaking a chroot. If the sysctl - # option is enabled, a sysctl option with name "chroot_deny_chmod" is - # created. - kernel.grsecurity.chroot_deny_chmod = 1 - - # If you say Y here, processes inside a chroot will not be able to chroot - # again outside the chroot. This is a widely used method of breaking - # out of a chroot jail and should not be allowed. If the sysctl - # option is enabled, a sysctl option with name - # "chroot_deny_chroot" is created. - kernel.grsecurity.chroot_deny_chroot = 1 - - # If you say Y here, a well-known method of breaking chroots by fchdir'ing - # to a file descriptor of the chrooting process that points to a directory - # outside the filesystem will be stopped. If the sysctl option - # is enabled, a sysctl option with name "chroot_deny_fchdir" is created. - kernel.grsecurity.chroot_deny_fchdir = 1 - - # If you say Y here, processes inside a chroot will not be allowed to - # mknod. The problem with using mknod inside a chroot is that it - # would allow an attacker to create a device entry that is the same - # as one on the physical root of your system, which could range from - # anything from the console device to a device for your harddrive (which - # they could then use to wipe the drive or steal data). It is recommended - # that you say Y here, unless you run into software incompatibilities. - # If the sysctl option is enabled, a sysctl option with name - # "chroot_deny_mknod" is created. - kernel.grsecurity.chroot_deny_mknod = 1 - - # If you say Y here, processes inside a chroot will not be able to - # mount or remount filesystems. If the sysctl option is enabled, a - # sysctl option with name "chroot_deny_mount" is created. - kernel.grsecurity.chroot_deny_mount = 1 - - # If you say Y here, processes inside a chroot will not be able to use - # a function called pivot_root() that was introduced in Linux 2.3.41. It - # works similar to chroot in that it changes the root filesystem. This - # function could be misused in a chrooted process to attempt to break out - # of the chroot, and therefore should not be allowed. If the sysctl - # option is enabled, a sysctl option with name "chroot_deny_pivot" is - # created. - kernel.grsecurity.chroot_deny_pivot = 1 - - # If you say Y here, processes inside a chroot will not be able to attach - # to shared memory segments that were created outside of the chroot jail. - # It is recommended that you say Y here. If the sysctl option is enabled, - # a sysctl option with name "chroot_deny_shmat" is created. - kernel.grsecurity.chroot_deny_shmat = 1 - - # If you say Y here, an attacker in a chroot will not be able to - # write to sysctl entries, either by sysctl(2) or through a /proc - # interface. It is strongly recommended that you say Y here. If the - # sysctl option is enabled, a sysctl option with name - # "chroot_deny_sysctl" is created. - kernel.grsecurity.chroot_deny_sysctl = 1 - - # If you say Y here, processes inside a chroot will not be able to - # connect to abstract (meaning not belonging to a filesystem) Unix - # domain sockets that were bound outside of a chroot. It is recommended - # that you say Y here. If the sysctl option is enabled, a sysctl option - # with name "chroot_deny_unix" is created. - kernel.grsecurity.chroot_deny_unix = 1 - - # If you say Y here, the current working directory of all newly-chrooted - # applications will be set to the the root directory of the chroot. - # The man page on chroot(2) states: - # Note that usually chhroot does not change the current working - # directory, so that `.' can be outside the tree rooted at - # `/'. In particular, the super-user can escape from a - # `chroot jail' by doing `mkdir foo; chroot foo; cd ..'. - # - # It is recommended that you say Y here, since it's not known to break - # any software. If the sysctl option is enabled, a sysctl option with - # name "chroot_enforce_chdir" is created. - kernel.grsecurity.chroot_enforce_chdir = 1 - - # If you say Y here, processes inside a chroot will not be able to - # kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, - # getsid, or view any process outside of the chroot. If the sysctl - # option is enabled, a sysctl option with name "chroot_findtask" is - # created. - kernel.grsecurity.chroot_findtask = 1 - - # If you say Y here, processes inside a chroot will not be able to raise - # the priority of processes in the chroot, or alter the priority of - # processes outside the chroot. This provides more security than simply - # removing CAP_SYS_NICE from the process' capability set. If the - # sysctl option is enabled, a sysctl option with name "chroot_restrict_nice" - # is created. - kernel.grsecurity.chroot_restrict_nice = 1 - - # - # Kernel Auditing - # - - # If you say Y here, the exec and chdir logging features will only operate - # on a group you specify. This option is recommended if you only want to - # watch certain users instead of having a large amount of logs from the - # entire system. If the sysctl option is enabled, a sysctl option with - # name "audit_group" is created. - kernel.grsecurity.audit_group = 0 - - # If you say Y here, the exec and chdir logging features will only operate - # on a group you specify. This option is recommended if you only want to - # watch certain users instead of having a large amount of logs from the - # entire system. If the sysctl option is enabled, a sysctl option with - # name "audit_group" is created. - #kernel.grsecurity.audit_gid = 201 - - # If you say Y here, all execve() calls will be logged (since the - # other exec*() calls are frontends to execve(), all execution - # will be logged). Useful for shell-servers that like to keep track - # of their users. If the sysctl option is enabled, a sysctl option with - # name "exec_logging" is created. - # WARNING: This option when enabled will produce a LOT of logs, especially - # on an active system. - kernel.grsecurity.exec_logging = 0 - - # If you say Y here, all attempts to overstep resource limits will - # be logged with the resource name, the requested size, and the current - # limit. It is highly recommended that you say Y here. If the sysctl - # option is enabled, a sysctl option with name "resource_logging" is - # created. If the RBAC system is enabled, the sysctl value is ignored. - kernel.grsecurity.resource_logging = 1 - - # If you say Y here, all executions inside a chroot jail will be logged - # to syslog. This can cause a large amount of logs if certain - # applications (eg. djb's daemontools) are installed on the system, and - # is therefore left as an option. If the sysctl option is enabled, a - # sysctl option with name "chroot_execlog" is created. - kernel.grsecurity.chroot_execlog = 0 - - # If you say Y here, all attempts to attach to a process via ptrace - # will be logged. If the sysctl option is enabled, a sysctl option - # with name "audit_ptrace" is created. - kernel.grsecurity.audit_ptrace = 1 - - # If you say Y here, all attempts to attach to a process via ptrace - # will be logged. If the sysctl option is enabled, a sysctl option - # with name "audit_ptrace" is created. - kernel.grsecurity.audit_chdir = 0 - - # If you say Y here, all mounts and unmounts will be logged. If the - # sysctl option is enabled, a sysctl option with name "audit_mount" is - # created. - kernel.grsecurity.audit_mount = 1 - - # If you say Y here, certain important signals will be logged, such as - # SIGSEGV, which will as a result inform you of when a error in a program - # occurred, which in some cases could mean a possible exploit attempt. - # If the sysctl option is enabled, a sysctl option with name - # "signal_logging" is created. - kernel.grsecurity.signal_logging = 1 - - # If you say Y here, all failed fork() attempts will be logged. - # This could suggest a fork bomb, or someone attempting to overstep - # their process limit. If the sysctl option is enabled, a sysctl option - # with name "forkfail_logging" is created. - #kernel.grsecurity.forkfail_logging = 1 - kernel.grsecurity.forkfail_logging = 1 - - # If you say Y here, any changes of the system clock will be logged. - # If the sysctl option is enabled, a sysctl option with name - # "timechange_logging" is created. - kernel.grsecurity.timechange_logging = 1 - - # if you say Y here, calls to mmap() and mprotect() with explicit - # usage of PROT_WRITE and PROT_EXEC together will be logged when - # denied by the PAX_MPROTECT feature. This feature will also - # log other problematic scenarios that can occur when PAX_MPROTECT - # is enabled on a binary, like textrels and PT_GNU_STACK. If the - # sysctl option is enabled, a sysctl option with name "rwxmap_logging" - # is created. - kernel.grsecurity.rwxmap_logging = 1 - - # - # Executable Protections - # - - - # if you say Y here, non-root users will not be able to use dmesg(8) - # to view the contents of the kernel's circular log buffer. - # The kernel's log buffer often contains kernel addresses and other - # identifying information useful to an attacker in fingerprinting a - # system for a targeted exploit. - # If the sysctl option is enabled, a sysctl option with name "dmesg" is - # created. - kernel.grsecurity.dmesg = 1 - - # Hide symbol addresses in /proc/kallsyms - #kernel.kptr_restrict = 2 - - # If you say Y here, TTY sniffers and other malicious monitoring - # programs implemented through ptrace will be defeated. If you - # have been using the RBAC system, this option has already been - # enabled for several years for all users, with the ability to make - # fine-grained exceptions. - # - # This option only affects the ability of non-root users to ptrace - # processes that are not a descendent of the ptracing process. - # This means that strace ./binary and gdb ./binary will still work, - # but attaching to arbitrary processes will not. If the sysctl - # option is enabled, a sysctl option with name "harden_ptrace" is - # created. - kernel.grsecurity.harden_ptrace = 1 - - # If you say Y here, unprivileged users will not be able to ptrace unreadable - # binaries. This option is useful in environments that - # remove the read bits (e.g. file mode 4711) from suid binaries to - # prevent infoleaking of their contents. This option adds - # consistency to the use of that file mode, as the binary could normally - # be read out when run without privileges while ptracing. - # - # If the sysctl option is enabled, a sysctl option with name "ptrace_readexec" - # is created. - kernel.grsecurity.ptrace_readexec = 1 - - # If you say Y here, a change from a root uid to a non-root uid - # in a multithreaded application will cause the resulting uids, - # gids, supplementary groups, and capabilities in that thread - # to be propagated to the other threads of the process. In most - # cases this is unnecessary, as glibc will emulate this behavior - # on behalf of the application. Other libcs do not act in the - # same way, allowing the other threads of the process to continue - # running with root privileges. If the sysctl option is enabled, - # a sysctl option with name "consistent_setxid" is created. - kernel.grsecurity.consistent_setxid = 0 - - # If you say Y here, access to overly-permissive IPC objects (shared - # memory, message queues, and semaphores) will be denied for processes - # given the following criteria beyond normal permission checks: - # 1) If the IPC object is world-accessible and the euid doesn't match - # that of the creator or current uid for the IPC object - # 2) If the IPC object is group-accessible and the egid doesn't - # match that of the creator or current gid for the IPC object - # It's a common error to grant too much permission to these objects, - # with impact ranging from denial of service and information leaking to - # privilege escalation. This feature was developed in response to - # research by Tim Brown: - # http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ - # who found hundreds of such insecure usages. Processes with - # CAP_IPC_OWNER are still permitted to access these IPC objects. - # If the sysctl option is enabled, a sysctl option with name - # "harden_ipc" is created. - kernel.grsecurity.harden_ipc = 0 - - # If you say Y here, you will be able to choose a gid to add to the - # supplementary groups of users you want to mark as "untrusted." - # These users will not be able to execute any files that are not in - # root-owned directories writable only by root. If the sysctl option - # is enabled, a sysctl option with name "tpe" is created. - kernel.grsecurity.tpe = 1 - kernel.grsecurity.tpe_gid = 4 - - # If you say Y here, the group you specify in the TPE configuration will - # decide what group TPE restrictions will be *disabled* for. This - # option is useful if you want TPE restrictions to be applied to most - # users on the system. If the sysctl option is enabled, a sysctl option - # with name "tpe_invert" is created. Unlike other sysctl options, this - # entry will default to on for backward-compatibility. - kernel.grsecurity.tpe_invert = 1 - - # If you say Y here, all non-root users will be covered under - # a weaker TPE restriction. This is separate from, and in addition to, - # the main TPE options that you have selected elsewhere. Thus, if a - # "trusted" GID is chosen, this restriction applies to even that GID. - # Under this restriction, all non-root users will only be allowed to - # execute files in directories they own that are not group or - # world-writable, or in directories owned by root and writable only by - # root. If the sysctl option is enabled, a sysctl option with name - # "tpe_restrict_all" is created. - kernel.grsecurity.tpe_restrict_all = 1 - - - kernel.grsecurity.harden_tty = 1 - - # - # Network Protections - # - - # Increase Linux auto tuning TCP buffer limits - # min, default, and max number of bytes to use - # set max to at least 4MB, or higher if you use very high BDP paths - # Tcp Windows etc - net.core.rmem_max = 8388608 - net.core.wmem_max = 8388608 - net.core.netdev_max_backlog = 5000 - net.ipv4.tcp_window_scaling = 1 - - # Both ports linux-blob and linux-libre don't build with ipv6 - # Disable ipv6 - net.ipv6.conf.all.disable_ipv6 = 1 - net.ipv6.conf.default.disable_ipv6 = 1 - net.ipv6.conf.lo.disable_ipv6 = 1 - - # Tuen IPv6 - #net.ipv6.conf.default.router_solicitations = 0 - #net.ipv6.conf.default.accept_ra_rtr_pref = 0 - #net.ipv6.conf.default.accept_ra_pinfo = 0 - #net.ipv6.conf.default.accept_ra_defrtr = 0 - #net.ipv6.conf.default.autoconf = 0 - #net.ipv6.conf.default.dad_transmits = 0 - #net.ipv6.conf.default.max_addresses = 0 - - # Avoid a smurf attack, ping scanning - net.ipv4.icmp_echo_ignore_broadcasts = 1 - - # Turn on protection for bad icmp error messages - net.ipv4.icmp_ignore_bogus_error_responses = 1 - - # Turn on syncookies for SYN flood attack protection - net.ipv4.tcp_syncookies = 1 - - ## protect against tcp time-wait assassination hazards - ## drop RST packets for sockets in the time-wait state - ## (not widely supported outside of linux, but conforms to RFC) - net.ipv4.tcp_rfc1337 = 1 - - ## tcp timestamps - ## + protect against wrapping sequence numbers (at gigabit speeds) - ## + round trip time calculation implemented in TCP - ## - causes extra overhead and allows uptime detection by scanners like nmap - ## enable @ gigabit speeds - net.ipv4.tcp_timestamps = 0 - #net.ipv4.tcp_timestamps = 1 - - # Turn on and log spoofed, source routed, and redirect packets - net.ipv4.conf.all.log_martians = 1 - net.ipv4.conf.default.log_martians = 1 - - ## ignore echo broadcast requests to prevent being part of smurf attacks (default) - net.ipv4.icmp_echo_ignore_broadcasts = 1 - - ## sets the kernels reverse path filtering mechanism to value 1(on) - ## will do source validation of the packet's recieved from all the interfaces on the machine - ## protects from attackers that are using ip spoofing methods to do harm - net.ipv4.conf.all.rp_filter = 1 - net.ipv4.conf.default.rp_filter = 1 - #net.ipv6.conf.default.rp_filter = 1 - #net.ipv6.conf.all.rp_filter = 1 - - - # Make sure no one can alter the routing tables - # Act as a router, necessary for Access Point - net.ipv4.conf.all.accept_redirects = 0 - net.ipv4.conf.default.accept_redirects = 0 - net.ipv4.conf.all.secure_redirects = 0 - net.ipv4.conf.default.secure_redirects = 0 - # No source routed packets here - # Discard packets with source routes, ip spoofing - net.ipv4.conf.all.accept_source_route = 0 - net.ipv4.conf.default.accept_source_route = 0 - - - net.ipv4.conf.all.send_redirects = 0 - net.ipv4.conf.default.send_redirects = 0 - - net.ipv4.ip_forward = 0 - - # Increase system IP port limits - net.ipv4.ip_local_port_range = 2000 65000 - - # Increase TCP max buffer size setable using setsockopt() - net.ipv4.tcp_rmem = 4096 87380 8388608 - net.ipv4.tcp_wmem = 4096 87380 8388608 - - # Disable proxy_arp - net.ipv4.conf.default.proxy_arp = 0 - net.ipv4.conf.all.proxy_arp = 0 - - # Disable bootp_relay - net.ipv4.conf.default.bootp_relay = 0 - net.ipv4.conf.all.bootp_relay = 0 - - # Decrease TCP fin timeout - net.ipv4.tcp_fin_timeout = 30 - # Decrease TCP keep alive time - net.ipv4.tcp_keepalive_time = 1800 - # Sen SynAck retries to 3 - net.ipv4.tcp_synack_retries = 3 - - # If you say Y here, neither TCP resets nor ICMP - # destination-unreachable packets will be sent in response to packets - # sent to ports for which no associated listening process exists. - # This feature supports both IPV4 and IPV6 and exempts the - # loopback interface from blackholing. Enabling this feature - # makes a host more resilient to DoS attacks and reduces network - # visibility against scanners. - # - # The blackhole feature as-implemented is equivalent to the FreeBSD - # blackhole feature, as it prevents RST responses to all packets, not - # just SYNs. Under most application behavior this causes no - # problems, but applications (like haproxy) may not close certain - # connections in a way that cleanly terminates them on the remote - # end, leaving the remote host in LAST_ACK state. Because of this - # side-effect and to prevent intentional LAST_ACK DoSes, this - # feature also adds automatic mitigation against such attacks. - # The mitigation drastically reduces the amount of time a socket - # can spend in LAST_ACK state. If you're using haproxy and not - # all servers it connects to have this option enabled, consider - # disabling this feature on the haproxy host. - # - # If the sysctl option is enabled, two sysctl options with names - # "ip_blackhole" and "lastack_retries" will be created. - # While "ip_blackhole" takes the standard zero/non-zero on/off - # toggle, "lastack_retries" uses the same kinds of values as - # "tcp_retries1" and "tcp_retries2". The default value of 4 - # prevents a socket from lasting more than 45 seconds in LAST_ACK - # state. - kernel.grsecurity.ip_blackhole = 1 - kernel.grsecurity.lastack_retries = 4 - - # If you say Y here, you will be able to choose a GID of whose users will - # be unable to connect to other hosts from your machine or run server - # applications from your machine. If the sysctl option is enabled, a - # sysctl option with name "socket_all" is created. - kernel.grsecurity.socket_all = 0 - - # Here you can choose the GID to disable socket access for. Remember to - # add the users you want socket access disabled for to the GID - # specified here. If the sysctl option is enabled, a sysctl option - # with name "socket_all_gid" is created. - #kernel.grsecurity.socket_all_gid = 202 - - # If you say Y here, you will be able to choose a GID of whose users will - # be unable to connect to other hosts from your machine, but will be - # able to run servers. If this option is enabled, all users in the group - # you specify will have to use passive mode when initiating ftp transfers - # from the shell on your machine. If the sysctl option is enabled, a - # sysctl option with name "socket_client" is created. - kernel.grsecurity.socket_client = 1 - - # Here you can choose the GID to disable client socket access for. - # Remember to add the users you want client socket access disabled for to - # the GID specified here. If the sysctl option is enabled, a sysctl - # option with name "socket_client_gid" is created. - kernel.grsecurity.socket_client_gid = 15 - - # If you say Y here, you will be able to choose a GID of whose users will - # be unable to connect to other hosts from your machine, but will be - # able to run servers. If this option is enabled, all users in the group - # you specify will have to use passive mode when initiating ftp transfers - # from the shell on your machine. If the sysctl option is enabled, a - # sysctl option with name "socket_client" is created. - kernel.grsecurity.socket_server = 1 - - # Here you can choose the GID to disable server socket access for. - # Remember to add the users you want server socket access disabled for to - # the GID specified here. If the sysctl option is enabled, a sysctl - # option with name "socket_server_gid" is created. - kernel.grsecurity.socket_server_gid = 99 - - # - # Physical Protections - # - - # If you say Y here, a new sysctl option with name "deny_new_usb" - # will be created. Setting its value to 1 will prevent any new - # USB devices from being recognized by the OS. Any attempted USB - # device insertion will be logged. This option is intended to be - # used against custom USB devices designed to exploit vulnerabilities - # in various USB device drivers. - # - # For greatest effectiveness, this sysctl should be set after any - # relevant init scripts. This option is safe to enable in distros - # as each user can choose whether or not to toggle the sysctl. - kernel.grsecurity.deny_new_usb = 0 - - # - # Restrict grsec sysctl changes after this was set - # - kernel.grsecurity.grsec_lock = 0 - - # End of file - </pre> - - <a href="index.html">Core OS Index</a> <p>This is part of the c9-doc Manual. Copyright (C) 2017 diff --git a/core/scripts/backup-system.sh b/core/scripts/backup-system.sh index 854a221..379e449 100644 --- a/core/scripts/backup-system.sh +++ b/core/scripts/backup-system.sh @@ -6,20 +6,65 @@ read ROOT_DIR echo -n "where you want to save (/home/user): " read DEST_DIR -echo $DES_DIR -echo $ROOT_DIR - -tar --xattrs -zcpf $DEST_DIR/system-backup-`date '+%Y-%j-%H-%M-%S'`.tar.gz \ - --directory=$ROOT_DIR \ - --exclude=usr/ports \ - --exclude=usr/src \ - --exclude=var/run \ - --exclude=var/lock \ - --exclude=srv \ - --exclude=mnt \ - --exclude=home \ - --exclude=dev \ - --exclude=run \ - --exclude=tmp \ - --exclude=proc \ - --exclude=sys . +bk_coll() { + col=$1 + # make copy of packages + mkdir ${BKDIR}/${col} + while read line; do + if [ ! -f /usr/ports/packages/${line} ]; then + echo "Building package: ${line};\n" + name=$(echo ${line} | cut -d "#" -f 1) + sudo prt-get update -fr ${name} + fi + + if [ -f /usr/ports/packages/${line} ]; then + echo "Backing up package: ${line}" + echo ${line} >> ${BKDIR}/backup.pkg + cp /usr/ports/packages/${line} ${BKDIR}/${col}/ + else + echo "Package not found: ${line}" + echo ${line} >> ${BKDIR}/${col}-notfound.pkg + fi + done < $BKDIR/${col}.pkg +} + +# Temporary directory +BKDIR=$(pwd)/bkdir +mkdir -p ${BKDIR} + +# must be using gwak instead of sed, xargs and echo +prt-get listinst -v | sed -s s/" "/#/g | xargs -i echo {}.pkg.tar.gz > ${BKDIR}/installed.pkg + +# make list and copy installed core packages +prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/core" | cut -d " " -f 3 > ${BKDIR}/core.pkg +bk_coll "core" + + +prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/opt" | cut -d " " -f 3 > $BKDIR/opt.pkg +bk_coll "opt" + +prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/contrib" | cut -d " " -f 3 > $BKDIR/contrib.pkg +bk_coll "contrib" + +prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep "yes /usr/ports/xorg" | cut -d " " -f 3 > $BKDIR/xorg.pkg +bk_coll "xorg" + +prt-get printf "%i %p %n#%v-%r.pkg.tar.gz\n" | grep -v "yes /usr/ports/core" | grep -v "yes /usr/ports/opt" | grep -v "yes /usr/ports/contrib" | grep -v "yes /usr/ports/xorg" | grep "yes " | cut -d " " -f 3 > $BKDIR/other.pkg + +#echo $DES_DIR +#echo $ROOT_DIR +# +#tar --xattrs -zcpf $DEST_DIR/system-backup-`date '+%Y-%j-%H-%M-%S'`.tar.gz \ +# --directory=$ROOT_DIR \ +# --exclude=usr/ports \ +# --exclude=usr/src \ +# --exclude=var/run \ +# --exclude=var/lock \ +# --exclude=srv \ +# --exclude=mnt \ +# --exclude=home \ +# --exclude=dev \ +# --exclude=run \ +# --exclude=tmp \ +# --exclude=proc \ +# --exclude=sys . diff --git a/core/sysctl.html b/core/sysctl.html new file mode 100644 index 0000000..4e13209 --- /dev/null +++ b/core/sysctl.html @@ -0,0 +1,627 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>2.2.3. Sysctl</title> + </head> + <body> + + <a href="index.html">Core OS Index</a> + + <h1 id="sysctl">2.2.3. Sysctl</h1> + + <p>Sysctl references + <a href="https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening">Arch TCP/IP stack hardening</a>, + <a href="http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html">Cyberciti Nginx Hardning</a>, + <a href="http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/">Cyberciti Security Hardening</a>, + <a href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">Grsecurity and PaX Configuration</a>.</p> + + <p>Since kernels on c9-ports have <a href="pax.grsecurity.net">PaX</a> + and <a href="http://grsecurity.net/announce.php">grsecurity</a>, + <a href="conf/sysctl.conf">/etc/sysctl.conf</a> can have follow + values;</p> + + <pre> + # + # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5) + # + + kernel.printk = 7 1 1 4 + kernel.randomize_va_space = 2 + # Shared Memory + #kernel.shmmax = 500000000 + # Total allocated file handlers that can be allocated + # fs.file-nr= + vm.mmap_min_addr=65536 + # Allow for more PIDs (to reduce rollover problems); may break some programs 32768 + kernel.pid_max = 65536 + + # + # Memory Protections + # + + # If you say Y here, all ioperm and iopl calls will return an error. + # Ioperm and iopl can be used to modify the running kernel. + # Unfortunately, some programs need this access to operate properly, + # the most notable of which are XFree86 and hwclock. hwclock can be + # remedied by having RTC support in the kernel, so real-time + # clock support is enabled if this option is enabled, to ensure + # that hwclock operates correctly. + # + # If you're using XFree86 or a version of Xorg from 2012 or earlier, + # you may not be able to boot into a graphical environment with this + # option enabled. In this case, you should use the RBAC system instead. + kernel.grsecurity.disable_priv_io = 0 + + # If you say Y here, attempts to bruteforce exploits against forking + # daemons such as apache or sshd, as well as against suid/sgid binaries + # will be deterred. When a child of a forking daemon is killed by PaX + # or crashes due to an illegal instruction or other suspicious signal, + # the parent process will be delayed 30 seconds upon every subsequent + # fork until the administrator is able to assess the situation and + # restart the daemon. + # In the suid/sgid case, the attempt is logged, the user has all their + # existing instances of the suid/sgid binary terminated and will + # be unable to execute any suid/sgid binaries for 15 minutes. + # + # It is recommended that you also enable signal logging in the auditing + # section so that logs are generated when a process triggers a suspicious + # signal. + # If the sysctl option is enabled, a sysctl option with name + # "deter_bruteforce" is created. + kernel.grsecurity.deter_bruteforce = 1 + + # + # Filesystem Protections + # + + # Optimization for port usefor LBs + # Increase system file descriptor limit + fs.file-max = 65535 + + # If you say Y here, /tmp race exploits will be prevented, since users + # will no longer be able to follow symlinks owned by other users in + # world-writable +t directories (e.g. /tmp), unless the owner of the + # symlink is the owner of the directory. users will also not be + # able to hardlink to files they do not own. If the sysctl option is + # enabled, a sysctl option with name "linking_restrictions" is created. + kernel.grsecurity.linking_restrictions = 0 + + + # Apache's SymlinksIfOwnerMatch option has an inherent race condition + # that prevents it from being used as a security feature. As Apache + # verifies the symlink by performing a stat() against the target of + # the symlink before it is followed, an attacker can setup a symlink + # to point to a same-owned file, then replace the symlink with one + # that targets another user's file just after Apache "validates" the + # symlink -- a classic TOCTOU race. If you say Y here, a complete, + # race-free replacement for Apache's "SymlinksIfOwnerMatch" option + # will be in place for the group you specify. If the sysctl option + # is enabled, a sysctl option with name "enforce_symlinksifowner" is + # created. + kernel.grsecurity.enforce_symlinksifowner = 0 + #kernel.grsecurity.symlinkown_gid = 33 + + # if you say Y here, users will not be able to write to FIFOs they don't + # own in world-writable +t directories (e.g. /tmp), unless the owner of + # the FIFO is the same owner of the directory it's held in. If the sysctl + # option is enabled, a sysctl option with name "fifo_restrictions" is + # created. + kernel.grsecurity.fifo_restrictions = 0 + + # If you say Y here, a sysctl option with name "romount_protect" will + # be created. By setting this option to 1 at runtime, filesystems + # will be protected in the following ways: + # * No new writable mounts will be allowed + # * Existing read-only mounts won't be able to be remounted read/write + # * Write operations will be denied on all block devices + # This option acts independently of grsec_lock: once it is set to 1, + # it cannot be turned off. Therefore, please be mindful of the resulting + # behavior if this option is enabled in an init script on a read-only + # filesystem. + # Also be aware that as with other root-focused features, GRKERNSEC_KMEM + # and GRKERNSEC_IO should be enabled and module loading disabled via + # config or at runtime. + # This feature is mainly intended for secure embedded systems. + #kernel.grsecurity.romount_protect = 0 + + # if you say Y here, the capabilities on all processes within a + # chroot jail will be lowered to stop module insertion, raw i/o, + # system and net admin tasks, rebooting the system, modifying immutable + # files, modifying IPC owned by another, and changing the system time. + # This is left an option because it can break some apps. Disable this + # if your chrooted apps are having problems performing those kinds of + # tasks. If the sysctl option is enabled, a sysctl option with + # name "chroot_caps" is created. + kernel.grsecurity.chroot_caps = 1 + + #kernel.grsecurity.chroot_deny_bad_rename = 1 + + # If you say Y here, processes inside a chroot will not be able to chmod + # or fchmod files to make them have suid or sgid bits. This protects + # against another published method of breaking a chroot. If the sysctl + # option is enabled, a sysctl option with name "chroot_deny_chmod" is + # created. + kernel.grsecurity.chroot_deny_chmod = 1 + + # If you say Y here, processes inside a chroot will not be able to chroot + # again outside the chroot. This is a widely used method of breaking + # out of a chroot jail and should not be allowed. If the sysctl + # option is enabled, a sysctl option with name + # "chroot_deny_chroot" is created. + kernel.grsecurity.chroot_deny_chroot = 1 + + # If you say Y here, a well-known method of breaking chroots by fchdir'ing + # to a file descriptor of the chrooting process that points to a directory + # outside the filesystem will be stopped. If the sysctl option + # is enabled, a sysctl option with name "chroot_deny_fchdir" is created. + kernel.grsecurity.chroot_deny_fchdir = 1 + + # If you say Y here, processes inside a chroot will not be allowed to + # mknod. The problem with using mknod inside a chroot is that it + # would allow an attacker to create a device entry that is the same + # as one on the physical root of your system, which could range from + # anything from the console device to a device for your harddrive (which + # they could then use to wipe the drive or steal data). It is recommended + # that you say Y here, unless you run into software incompatibilities. + # If the sysctl option is enabled, a sysctl option with name + # "chroot_deny_mknod" is created. + kernel.grsecurity.chroot_deny_mknod = 1 + + # If you say Y here, processes inside a chroot will not be able to + # mount or remount filesystems. If the sysctl option is enabled, a + # sysctl option with name "chroot_deny_mount" is created. + kernel.grsecurity.chroot_deny_mount = 1 + + # If you say Y here, processes inside a chroot will not be able to use + # a function called pivot_root() that was introduced in Linux 2.3.41. It + # works similar to chroot in that it changes the root filesystem. This + # function could be misused in a chrooted process to attempt to break out + # of the chroot, and therefore should not be allowed. If the sysctl + # option is enabled, a sysctl option with name "chroot_deny_pivot" is + # created. + kernel.grsecurity.chroot_deny_pivot = 1 + + # If you say Y here, processes inside a chroot will not be able to attach + # to shared memory segments that were created outside of the chroot jail. + # It is recommended that you say Y here. If the sysctl option is enabled, + # a sysctl option with name "chroot_deny_shmat" is created. + kernel.grsecurity.chroot_deny_shmat = 1 + + # If you say Y here, an attacker in a chroot will not be able to + # write to sysctl entries, either by sysctl(2) or through a /proc + # interface. It is strongly recommended that you say Y here. If the + # sysctl option is enabled, a sysctl option with name + # "chroot_deny_sysctl" is created. + kernel.grsecurity.chroot_deny_sysctl = 1 + + # If you say Y here, processes inside a chroot will not be able to + # connect to abstract (meaning not belonging to a filesystem) Unix + # domain sockets that were bound outside of a chroot. It is recommended + # that you say Y here. If the sysctl option is enabled, a sysctl option + # with name "chroot_deny_unix" is created. + kernel.grsecurity.chroot_deny_unix = 1 + + # If you say Y here, the current working directory of all newly-chrooted + # applications will be set to the the root directory of the chroot. + # The man page on chroot(2) states: + # Note that usually chhroot does not change the current working + # directory, so that `.' can be outside the tree rooted at + # `/'. In particular, the super-user can escape from a + # `chroot jail' by doing `mkdir foo; chroot foo; cd ..'. + # + # It is recommended that you say Y here, since it's not known to break + # any software. If the sysctl option is enabled, a sysctl option with + # name "chroot_enforce_chdir" is created. + kernel.grsecurity.chroot_enforce_chdir = 1 + + # If you say Y here, processes inside a chroot will not be able to + # kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, + # getsid, or view any process outside of the chroot. If the sysctl + # option is enabled, a sysctl option with name "chroot_findtask" is + # created. + kernel.grsecurity.chroot_findtask = 1 + + # If you say Y here, processes inside a chroot will not be able to raise + # the priority of processes in the chroot, or alter the priority of + # processes outside the chroot. This provides more security than simply + # removing CAP_SYS_NICE from the process' capability set. If the + # sysctl option is enabled, a sysctl option with name "chroot_restrict_nice" + # is created. + kernel.grsecurity.chroot_restrict_nice = 1 + + # + # Kernel Auditing + # + + # If you say Y here, the exec and chdir logging features will only operate + # on a group you specify. This option is recommended if you only want to + # watch certain users instead of having a large amount of logs from the + # entire system. If the sysctl option is enabled, a sysctl option with + # name "audit_group" is created. + kernel.grsecurity.audit_group = 0 + + # If you say Y here, the exec and chdir logging features will only operate + # on a group you specify. This option is recommended if you only want to + # watch certain users instead of having a large amount of logs from the + # entire system. If the sysctl option is enabled, a sysctl option with + # name "audit_group" is created. + #kernel.grsecurity.audit_gid = 201 + + # If you say Y here, all execve() calls will be logged (since the + # other exec*() calls are frontends to execve(), all execution + # will be logged). Useful for shell-servers that like to keep track + # of their users. If the sysctl option is enabled, a sysctl option with + # name "exec_logging" is created. + # WARNING: This option when enabled will produce a LOT of logs, especially + # on an active system. + kernel.grsecurity.exec_logging = 0 + + # If you say Y here, all attempts to overstep resource limits will + # be logged with the resource name, the requested size, and the current + # limit. It is highly recommended that you say Y here. If the sysctl + # option is enabled, a sysctl option with name "resource_logging" is + # created. If the RBAC system is enabled, the sysctl value is ignored. + kernel.grsecurity.resource_logging = 1 + + # If you say Y here, all executions inside a chroot jail will be logged + # to syslog. This can cause a large amount of logs if certain + # applications (eg. djb's daemontools) are installed on the system, and + # is therefore left as an option. If the sysctl option is enabled, a + # sysctl option with name "chroot_execlog" is created. + kernel.grsecurity.chroot_execlog = 0 + + # If you say Y here, all attempts to attach to a process via ptrace + # will be logged. If the sysctl option is enabled, a sysctl option + # with name "audit_ptrace" is created. + kernel.grsecurity.audit_ptrace = 1 + + # If you say Y here, all attempts to attach to a process via ptrace + # will be logged. If the sysctl option is enabled, a sysctl option + # with name "audit_ptrace" is created. + kernel.grsecurity.audit_chdir = 0 + + # If you say Y here, all mounts and unmounts will be logged. If the + # sysctl option is enabled, a sysctl option with name "audit_mount" is + # created. + kernel.grsecurity.audit_mount = 1 + + # If you say Y here, certain important signals will be logged, such as + # SIGSEGV, which will as a result inform you of when a error in a program + # occurred, which in some cases could mean a possible exploit attempt. + # If the sysctl option is enabled, a sysctl option with name + # "signal_logging" is created. + kernel.grsecurity.signal_logging = 1 + + # If you say Y here, all failed fork() attempts will be logged. + # This could suggest a fork bomb, or someone attempting to overstep + # their process limit. If the sysctl option is enabled, a sysctl option + # with name "forkfail_logging" is created. + #kernel.grsecurity.forkfail_logging = 1 + kernel.grsecurity.forkfail_logging = 1 + + # If you say Y here, any changes of the system clock will be logged. + # If the sysctl option is enabled, a sysctl option with name + # "timechange_logging" is created. + kernel.grsecurity.timechange_logging = 1 + + # if you say Y here, calls to mmap() and mprotect() with explicit + # usage of PROT_WRITE and PROT_EXEC together will be logged when + # denied by the PAX_MPROTECT feature. This feature will also + # log other problematic scenarios that can occur when PAX_MPROTECT + # is enabled on a binary, like textrels and PT_GNU_STACK. If the + # sysctl option is enabled, a sysctl option with name "rwxmap_logging" + # is created. + kernel.grsecurity.rwxmap_logging = 1 + + # + # Executable Protections + # + + + # if you say Y here, non-root users will not be able to use dmesg(8) + # to view the contents of the kernel's circular log buffer. + # The kernel's log buffer often contains kernel addresses and other + # identifying information useful to an attacker in fingerprinting a + # system for a targeted exploit. + # If the sysctl option is enabled, a sysctl option with name "dmesg" is + # created. + kernel.grsecurity.dmesg = 1 + + # Hide symbol addresses in /proc/kallsyms + #kernel.kptr_restrict = 2 + + # If you say Y here, TTY sniffers and other malicious monitoring + # programs implemented through ptrace will be defeated. If you + # have been using the RBAC system, this option has already been + # enabled for several years for all users, with the ability to make + # fine-grained exceptions. + # + # This option only affects the ability of non-root users to ptrace + # processes that are not a descendent of the ptracing process. + # This means that strace ./binary and gdb ./binary will still work, + # but attaching to arbitrary processes will not. If the sysctl + # option is enabled, a sysctl option with name "harden_ptrace" is + # created. + kernel.grsecurity.harden_ptrace = 1 + + # If you say Y here, unprivileged users will not be able to ptrace unreadable + # binaries. This option is useful in environments that + # remove the read bits (e.g. file mode 4711) from suid binaries to + # prevent infoleaking of their contents. This option adds + # consistency to the use of that file mode, as the binary could normally + # be read out when run without privileges while ptracing. + # + # If the sysctl option is enabled, a sysctl option with name "ptrace_readexec" + # is created. + kernel.grsecurity.ptrace_readexec = 1 + + # If you say Y here, a change from a root uid to a non-root uid + # in a multithreaded application will cause the resulting uids, + # gids, supplementary groups, and capabilities in that thread + # to be propagated to the other threads of the process. In most + # cases this is unnecessary, as glibc will emulate this behavior + # on behalf of the application. Other libcs do not act in the + # same way, allowing the other threads of the process to continue + # running with root privileges. If the sysctl option is enabled, + # a sysctl option with name "consistent_setxid" is created. + kernel.grsecurity.consistent_setxid = 0 + + # If you say Y here, access to overly-permissive IPC objects (shared + # memory, message queues, and semaphores) will be denied for processes + # given the following criteria beyond normal permission checks: + # 1) If the IPC object is world-accessible and the euid doesn't match + # that of the creator or current uid for the IPC object + # 2) If the IPC object is group-accessible and the egid doesn't + # match that of the creator or current gid for the IPC object + # It's a common error to grant too much permission to these objects, + # with impact ranging from denial of service and information leaking to + # privilege escalation. This feature was developed in response to + # research by Tim Brown: + # http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ + # who found hundreds of such insecure usages. Processes with + # CAP_IPC_OWNER are still permitted to access these IPC objects. + # If the sysctl option is enabled, a sysctl option with name + # "harden_ipc" is created. + kernel.grsecurity.harden_ipc = 0 + + # If you say Y here, you will be able to choose a gid to add to the + # supplementary groups of users you want to mark as "untrusted." + # These users will not be able to execute any files that are not in + # root-owned directories writable only by root. If the sysctl option + # is enabled, a sysctl option with name "tpe" is created. + kernel.grsecurity.tpe = 1 + kernel.grsecurity.tpe_gid = 4 + + # If you say Y here, the group you specify in the TPE configuration will + # decide what group TPE restrictions will be *disabled* for. This + # option is useful if you want TPE restrictions to be applied to most + # users on the system. If the sysctl option is enabled, a sysctl option + # with name "tpe_invert" is created. Unlike other sysctl options, this + # entry will default to on for backward-compatibility. + kernel.grsecurity.tpe_invert = 1 + + # If you say Y here, all non-root users will be covered under + # a weaker TPE restriction. This is separate from, and in addition to, + # the main TPE options that you have selected elsewhere. Thus, if a + # "trusted" GID is chosen, this restriction applies to even that GID. + # Under this restriction, all non-root users will only be allowed to + # execute files in directories they own that are not group or + # world-writable, or in directories owned by root and writable only by + # root. If the sysctl option is enabled, a sysctl option with name + # "tpe_restrict_all" is created. + kernel.grsecurity.tpe_restrict_all = 1 + + + kernel.grsecurity.harden_tty = 1 + + # + # Network Protections + # + + # Increase Linux auto tuning TCP buffer limits + # min, default, and max number of bytes to use + # set max to at least 4MB, or higher if you use very high BDP paths + # Tcp Windows etc + net.core.rmem_max = 8388608 + net.core.wmem_max = 8388608 + net.core.netdev_max_backlog = 5000 + net.ipv4.tcp_window_scaling = 1 + + # Both ports linux-blob and linux-libre don't build with ipv6 + # Disable ipv6 + net.ipv6.conf.all.disable_ipv6 = 1 + net.ipv6.conf.default.disable_ipv6 = 1 + net.ipv6.conf.lo.disable_ipv6 = 1 + + # Tuen IPv6 + #net.ipv6.conf.default.router_solicitations = 0 + #net.ipv6.conf.default.accept_ra_rtr_pref = 0 + #net.ipv6.conf.default.accept_ra_pinfo = 0 + #net.ipv6.conf.default.accept_ra_defrtr = 0 + #net.ipv6.conf.default.autoconf = 0 + #net.ipv6.conf.default.dad_transmits = 0 + #net.ipv6.conf.default.max_addresses = 0 + + # Avoid a smurf attack, ping scanning + net.ipv4.icmp_echo_ignore_broadcasts = 1 + + # Turn on protection for bad icmp error messages + net.ipv4.icmp_ignore_bogus_error_responses = 1 + + # Turn on syncookies for SYN flood attack protection + net.ipv4.tcp_syncookies = 1 + + ## protect against tcp time-wait assassination hazards + ## drop RST packets for sockets in the time-wait state + ## (not widely supported outside of linux, but conforms to RFC) + net.ipv4.tcp_rfc1337 = 1 + + ## tcp timestamps + ## + protect against wrapping sequence numbers (at gigabit speeds) + ## + round trip time calculation implemented in TCP + ## - causes extra overhead and allows uptime detection by scanners like nmap + ## enable @ gigabit speeds + net.ipv4.tcp_timestamps = 0 + #net.ipv4.tcp_timestamps = 1 + + # Turn on and log spoofed, source routed, and redirect packets + net.ipv4.conf.all.log_martians = 1 + net.ipv4.conf.default.log_martians = 1 + + ## ignore echo broadcast requests to prevent being part of smurf attacks (default) + net.ipv4.icmp_echo_ignore_broadcasts = 1 + + ## sets the kernels reverse path filtering mechanism to value 1(on) + ## will do source validation of the packet's recieved from all the interfaces on the machine + ## protects from attackers that are using ip spoofing methods to do harm + net.ipv4.conf.all.rp_filter = 1 + net.ipv4.conf.default.rp_filter = 1 + #net.ipv6.conf.default.rp_filter = 1 + #net.ipv6.conf.all.rp_filter = 1 + + + # Make sure no one can alter the routing tables + # Act as a router, necessary for Access Point + net.ipv4.conf.all.accept_redirects = 0 + net.ipv4.conf.default.accept_redirects = 0 + net.ipv4.conf.all.secure_redirects = 0 + net.ipv4.conf.default.secure_redirects = 0 + # No source routed packets here + # Discard packets with source routes, ip spoofing + net.ipv4.conf.all.accept_source_route = 0 + net.ipv4.conf.default.accept_source_route = 0 + + + net.ipv4.conf.all.send_redirects = 0 + net.ipv4.conf.default.send_redirects = 0 + + net.ipv4.ip_forward = 0 + + # Increase system IP port limits + net.ipv4.ip_local_port_range = 2000 65000 + + # Increase TCP max buffer size setable using setsockopt() + net.ipv4.tcp_rmem = 4096 87380 8388608 + net.ipv4.tcp_wmem = 4096 87380 8388608 + + # Disable proxy_arp + net.ipv4.conf.default.proxy_arp = 0 + net.ipv4.conf.all.proxy_arp = 0 + + # Disable bootp_relay + net.ipv4.conf.default.bootp_relay = 0 + net.ipv4.conf.all.bootp_relay = 0 + + # Decrease TCP fin timeout + net.ipv4.tcp_fin_timeout = 30 + # Decrease TCP keep alive time + net.ipv4.tcp_keepalive_time = 1800 + # Sen SynAck retries to 3 + net.ipv4.tcp_synack_retries = 3 + + # If you say Y here, neither TCP resets nor ICMP + # destination-unreachable packets will be sent in response to packets + # sent to ports for which no associated listening process exists. + # This feature supports both IPV4 and IPV6 and exempts the + # loopback interface from blackholing. Enabling this feature + # makes a host more resilient to DoS attacks and reduces network + # visibility against scanners. + # + # The blackhole feature as-implemented is equivalent to the FreeBSD + # blackhole feature, as it prevents RST responses to all packets, not + # just SYNs. Under most application behavior this causes no + # problems, but applications (like haproxy) may not close certain + # connections in a way that cleanly terminates them on the remote + # end, leaving the remote host in LAST_ACK state. Because of this + # side-effect and to prevent intentional LAST_ACK DoSes, this + # feature also adds automatic mitigation against such attacks. + # The mitigation drastically reduces the amount of time a socket + # can spend in LAST_ACK state. If you're using haproxy and not + # all servers it connects to have this option enabled, consider + # disabling this feature on the haproxy host. + # + # If the sysctl option is enabled, two sysctl options with names + # "ip_blackhole" and "lastack_retries" will be created. + # While "ip_blackhole" takes the standard zero/non-zero on/off + # toggle, "lastack_retries" uses the same kinds of values as + # "tcp_retries1" and "tcp_retries2". The default value of 4 + # prevents a socket from lasting more than 45 seconds in LAST_ACK + # state. + kernel.grsecurity.ip_blackhole = 1 + kernel.grsecurity.lastack_retries = 4 + + # If you say Y here, you will be able to choose a GID of whose users will + # be unable to connect to other hosts from your machine or run server + # applications from your machine. If the sysctl option is enabled, a + # sysctl option with name "socket_all" is created. + kernel.grsecurity.socket_all = 0 + + # Here you can choose the GID to disable socket access for. Remember to + # add the users you want socket access disabled for to the GID + # specified here. If the sysctl option is enabled, a sysctl option + # with name "socket_all_gid" is created. + #kernel.grsecurity.socket_all_gid = 202 + + # If you say Y here, you will be able to choose a GID of whose users will + # be unable to connect to other hosts from your machine, but will be + # able to run servers. If this option is enabled, all users in the group + # you specify will have to use passive mode when initiating ftp transfers + # from the shell on your machine. If the sysctl option is enabled, a + # sysctl option with name "socket_client" is created. + kernel.grsecurity.socket_client = 1 + + # Here you can choose the GID to disable client socket access for. + # Remember to add the users you want client socket access disabled for to + # the GID specified here. If the sysctl option is enabled, a sysctl + # option with name "socket_client_gid" is created. + kernel.grsecurity.socket_client_gid = 15 + + # If you say Y here, you will be able to choose a GID of whose users will + # be unable to connect to other hosts from your machine, but will be + # able to run servers. If this option is enabled, all users in the group + # you specify will have to use passive mode when initiating ftp transfers + # from the shell on your machine. If the sysctl option is enabled, a + # sysctl option with name "socket_client" is created. + kernel.grsecurity.socket_server = 1 + + # Here you can choose the GID to disable server socket access for. + # Remember to add the users you want server socket access disabled for to + # the GID specified here. If the sysctl option is enabled, a sysctl + # option with name "socket_server_gid" is created. + kernel.grsecurity.socket_server_gid = 99 + + # + # Physical Protections + # + + # If you say Y here, a new sysctl option with name "deny_new_usb" + # will be created. Setting its value to 1 will prevent any new + # USB devices from being recognized by the OS. Any attempted USB + # device insertion will be logged. This option is intended to be + # used against custom USB devices designed to exploit vulnerabilities + # in various USB device drivers. + # + # For greatest effectiveness, this sysctl should be set after any + # relevant init scripts. This option is safe to enable in distros + # as each user can choose whether or not to toggle the sysctl. + kernel.grsecurity.deny_new_usb = 0 + + # + # Restrict grsec sysctl changes after this was set + # + kernel.grsecurity.grsec_lock = 0 + + # End of file + </pre> + + + <a href="index.html">Core OS Index</a> + <p>This is part of the c9 Manual. + Copyright (C) 2017 + c9 team. + See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> + for copying conditions.</p> + + </body> +</html> diff --git a/core/toolchain.html b/core/toolchain.html new file mode 100644 index 0000000..e4a8f84 --- /dev/null +++ b/core/toolchain.html @@ -0,0 +1,165 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>2.2.1. Toolchain</title> + </head> + <body> + + <a href="index.html">Core OS Index</a> + + <h1 id="toolchain">2.2.1. Toolchain</h1> + + <p>Add flags to pkgmk configuration and change specific ports that + don't build with hardening flags. More information about + <a href="https://wiki.archlinux.org/index.php/DeveloperWiki:Security">arch security</a>, + gentoo security, + <a href="http://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html#Instrumentation-Options">gcc</a> instrumentation-options + and <a href="http://www.gnu.org/software/libc/manual/html_node/Configuring-and-compiling.html">glibc</a> + configuring and compiling. Edit /etc/pkgmk.conf;</p> + + <pre> + export CPPFLAGS="-D_FORTIFY_SOURCE=2" + export CFLAGS="-O2 -march=native -mtune=native -fstack-protector-strong --param=ssp-buffer-size=4" + export CXXFLAGS="${CFLAGS}" + export LDFLAGS="-z relro" + </pre> + + <h3>Core</h3> + + <p>Ports in core collection that need to be changed in order + to build with pkgmk harden configuration.</p> + + <h4>Glibc</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/glibc.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/glibc">arch</a></li> + </ul> + + <pre> + export CPPFLAGS="" + export CFLAGS="-O2 -march=native -mtune=native" + export CXXFLAGS="${CFLAGS}" + export LDFLAGS="" + </pre> + + <pre> + ../$name-${version:0:4}/configure --prefix=/usr \ + --libexecdir=/usr/lib \ + --with-headers=$PKG/usr/include \ + --enable-kernel=3.12 \ + --enable-add-ons \ + --enable-static-nss \ + --disable-profile \ + --disable-werror \ + --without-gd \ + --enable-obsolete-rpc \ + --enable-multi-arch \ + --enable-stackguard-randomization \ + --enable-stack-protector=strong + </pre> + + <h4>Gcc</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/gcc.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/gcc">arch</a></li> + </ul> + + <pre> + export CPPFLAGS="" + export CFLAGS="-O2 -march=native -mtune=native" + export CXXFLAGS="${CFLAGS}" + export LDFLAGS="" + </pre> + + <h4>libcap</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/libcap.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/libcap">arch</a></li> + </ul> + + <h4>bzip2</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/bzip2.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/bzip2">arch</a></li> + </ul> + + <h4>hdparm</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/hdparm.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/hdparm">arch</a></li> + </ul> + + <h3>Opt</h3> + + <h4>lsof</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/lsof.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/lsof">arch</a></li> + </ul> + + <h4>python</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/python2.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/python2">arch</a></li> + </ul> + + <h4>zip</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/zip.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/zip">arch</a></li> + </ul> + + <h4>glew</h4> + + <ul> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/glew">arch</a></li> + </ul> + + <h4>dmenu</h4> + + <ul> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/dmenu">arch</a></li> + </ul> + + <h4>Boost</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/boost.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/boost">arch</a></li> + </ul> + + <pre> + export CPPFLAGS="" + export CFLAGS="-O2 -march=native -mtune=native" + export CXXFLAGS="${CFLAGS}" + export LDFLAGS="" + </pre> + + <h3>Contrib</h3> + + <h4>gsl</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/gsl.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/gsl">arch</a></li> + </ul> + + + <a href="index.html">Core OS Index</a> + <p>This is part of the c9 Manual. + Copyright (C) 2017 + c9 team. + See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> + for copying conditions.</p> + + </body> +</html> |