diff options
| -rw-r--r-- | core/apparmor.html | 26 | ||||
| -rw-r--r-- | core/grsecurity.html | 307 | ||||
| -rw-r--r-- | core/hardening.html | 15 | ||||
| -rw-r--r-- | core/index.html | 2 | ||||
| -rw-r--r-- | core/ports/linux-gnu/Pkgfile | 4 | ||||
| -rw-r--r-- | core/ports/linux-gnu/post-install | 5 |
6 files changed, 40 insertions, 319 deletions
diff --git a/core/apparmor.html b/core/apparmor.html new file mode 100644 index 0000000..2d9c117 --- /dev/null +++ b/core/apparmor.html @@ -0,0 +1,26 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>2.2.1. AppArmor</title> + </head> + <body> + + <a href="index.html">Core OS Index</a> + + <h1>2.2.1. AppArmor</h1> + + <p>Install <a href="hardening.html">apparmor</a>, kernel + configuration is based on + <a href="reboot.html#linux">linux-gnu</a> kernel port, for + manual configuration check <a href="linux.html">kernel linux</a>.</p> + + <a href="index.html">Core OS Index</a> + <p>This is part of the c9 Manual. + Copyright (C) 2018 + c9 team. + See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> + for copying conditions.</p> + + </body> +</html> diff --git a/core/grsecurity.html b/core/grsecurity.html deleted file mode 100644 index 48ac2b2..0000000 --- a/core/grsecurity.html +++ /dev/null @@ -1,307 +0,0 @@ -<!DOCTYPE html> -<html dir="ltr" lang="en"> - <head> - <meta charset='utf-8'> - <title>2.2.1. Grsecurity</title> - </head> - <body> - - <a href="index.html">Core OS Index</a> - - <h1>2.2.1. Grsecurity</h1> - - <p>Install grsecurity <a href="hardening.html">utilities</a>, kernel - configuration is based on - <a href="../core/reboot.html#linux">port kernel</a>, for manual - configuration check <a href="linux.html">linux kernel</a>. Configuration - is not enable by default, groups with special permissions and other - protections are set with <a href="sysctl.html">sysctl</a>;</p> - - <dl> - - <dt>proc</dt> - <dd>GID 4 - adm group</dd> - <dd>If you say Y here, you will be able to select a group that will be - able to view all processes and network-related information. - GRKERNSEC_HIDESYM is enabled, kernel and symbol information may still - remain hidden.</dd> - - <dt>symlinks owner match</dt> - <dd>GID 15 - www group</dd> - <dd>Kernel-enforced SymlinksIfOwnerMatch group.</dd> - - <dt>group for auditing</dt> - <dd>GID 99 - nobody group</dd> - <dd>This option is recommended if you only want to watch certain - users exec and chdir logging features instead of having a large - amount of logs from the entire system</dd> - - <dt>tpe</dt> - <dd>GID 100 - users</dd> - <dd>Supplementary groups of users you want to mark as "untrusted". - Invert gid option causes to not apply tpe protection to this group, - allowing to build software with partially restrict all non-root users - enable.</dd> - - <dt>socket all</dt> - <dd>GID 200 - non existent</dd> - <dd>Deny sockets to this group.</dd> - - <dt>socket client</dt> - <dd>GID 15 - www group</dd> - <dd>Deny client sockets to this group.</dd> - - <dt>socket server</dt> - <dd>GID 99 - nobody group</dd> - <dd>Deny server sockets to this group.</dd> - - </dl> - <p>At run time you can change some configurations;</p> - - <pre> - # cat /proc/sys/kernel/grsecurity/what_ever_setting - </pre> - - <p>Kernel configuration related to grsecurity;</p> - - <pre> - # - # Grsecurity - # - CONFIG_PAX_PER_CPU_PGD=y - CONFIG_TASK_SIZE_MAX_SHIFT=42 - CONFIG_GRKERNSEC=y - # CONFIG_GRKERNSEC_CONFIG_AUTO is not set - CONFIG_GRKERNSEC_CONFIG_CUSTOM=y - CONFIG_GRKERNSEC_PROC_GID=4 - CONFIG_GRKERNSEC_TPE_TRUSTED_GID=100 - CONFIG_GRKERNSEC_SYMLINKOWN_GID=15 - - # - # PaX - # - CONFIG_PAX=y - - # - # PaX Control - # - # CONFIG_PAX_SOFTMODE is not set - # CONFIG_PAX_EI_PAX is not set - CONFIG_PAX_PT_PAX_FLAGS=y - CONFIG_PAX_XATTR_PAX_FLAGS=y - # CONFIG_PAX_NO_ACL_FLAGS is not set - CONFIG_PAX_HAVE_ACL_FLAGS=y - # CONFIG_PAX_HOOK_ACL_FLAGS is not set - - # - # Non-executable pages - # - CONFIG_PAX_NOEXEC=y - CONFIG_PAX_PAGEEXEC=y - CONFIG_PAX_EMUTRAMP=y - CONFIG_PAX_MPROTECT=y - # CONFIG_PAX_MPROTECT_COMPAT is not set - # CONFIG_PAX_ELFRELOCS is not set - CONFIG_PAX_KERNEXEC=y - CONFIG_PAX_KERNEXEC_PLUGIN=y - # CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_NONE is not set - CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y - - # - # Address Space Layout Randomization - # - CONFIG_PAX_ASLR=y - CONFIG_PAX_RANDKSTACK=y - CONFIG_PAX_RANDUSTACK=y - CONFIG_PAX_RANDMMAP=y - - # - # Miscellaneous hardening features - # - CONFIG_PAX_MEMORY_SANITIZE=y - CONFIG_PAX_MEMORY_STACKLEAK=y - CONFIG_PAX_MEMORY_STRUCTLEAK=y - CONFIG_PAX_MEMORY_UDEREF=y - CONFIG_PAX_REFCOUNT=y - CONFIG_PAX_USERCOPY=y - CONFIG_PAX_CONSTIFY_PLUGIN=y - # CONFIG_PAX_USERCOPY_DEBUG is not set - CONFIG_PAX_SIZE_OVERFLOW=y - CONFIG_PAX_SIZE_OVERFLOW_EXTRA=y - # CONFIG_PAX_INITIFY is not set - CONFIG_HAVE_PAX_INITIFY_INIT_EXIT=y - CONFIG_PAX_LATENT_ENTROPY=y - CONFIG_PAX_RAP=y - - # - # Memory Protections - # - CONFIG_GRKERNSEC_KMEM=y - CONFIG_GRKERNSEC_IO=y - CONFIG_GRKERNSEC_BPF_HARDEN=y - CONFIG_GRKERNSEC_PERF_HARDEN=y - CONFIG_GRKERNSEC_RAND_THREADSTACK=y - CONFIG_GRKERNSEC_PROC_MEMMAP=y - CONFIG_GRKERNSEC_KSTACKOVERFLOW=y - CONFIG_GRKERNSEC_BRUTE=y - CONFIG_GRKERNSEC_MODHARDEN=y - CONFIG_GRKERNSEC_HIDESYM=y - CONFIG_GRKERNSEC_RANDSTRUCT=y - CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y - CONFIG_GRKERNSEC_KERN_LOCKOUT=y - - # - # Role Based Access Control Options - # - # CONFIG_GRKERNSEC_NO_RBAC is not set - CONFIG_GRKERNSEC_ACL_HIDEKERN=y - CONFIG_GRKERNSEC_ACL_MAXTRIES=3 - CONFIG_GRKERNSEC_ACL_TIMEOUT=30 - - # - # Filesystem Protections - # - CONFIG_GRKERNSEC_PROC=y - # CONFIG_GRKERNSEC_PROC_USER is not set - CONFIG_GRKERNSEC_PROC_USERGROUP=y - CONFIG_GRKERNSEC_PROC_ADD=y - CONFIG_GRKERNSEC_LINK=y - CONFIG_GRKERNSEC_SYMLINKOWN=y - CONFIG_GRKERNSEC_FIFO=y - # CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set - CONFIG_GRKERNSEC_ROFS=y - CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y - CONFIG_GRKERNSEC_CHROOT=y - CONFIG_GRKERNSEC_CHROOT_MOUNT=y - CONFIG_GRKERNSEC_CHROOT_DOUBLE=y - CONFIG_GRKERNSEC_CHROOT_PIVOT=y - CONFIG_GRKERNSEC_CHROOT_CHDIR=y - CONFIG_GRKERNSEC_CHROOT_CHMOD=y - CONFIG_GRKERNSEC_CHROOT_FCHDIR=y - CONFIG_GRKERNSEC_CHROOT_MKNOD=y - CONFIG_GRKERNSEC_CHROOT_SHMAT=y - CONFIG_GRKERNSEC_CHROOT_UNIX=y - CONFIG_GRKERNSEC_CHROOT_FINDTASK=y - CONFIG_GRKERNSEC_CHROOT_NICE=y - CONFIG_GRKERNSEC_CHROOT_SYSCTL=y - CONFIG_GRKERNSEC_CHROOT_RENAME=y - CONFIG_GRKERNSEC_CHROOT_CAPS=y - CONFIG_GRKERNSEC_CHROOT_INITRD=y - - # - # Kernel Auditing - # - CONFIG_GRKERNSEC_AUDIT_GROUP=y - CONFIG_GRKERNSEC_AUDIT_GID=99 - CONFIG_GRKERNSEC_EXECLOG=y - CONFIG_GRKERNSEC_RESLOG=y - CONFIG_GRKERNSEC_CHROOT_EXECLOG=y - CONFIG_GRKERNSEC_AUDIT_PTRACE=y - CONFIG_GRKERNSEC_AUDIT_CHDIR=y - CONFIG_GRKERNSEC_AUDIT_MOUNT=y - CONFIG_GRKERNSEC_SIGNAL=y - CONFIG_GRKERNSEC_FORKFAIL=y - CONFIG_GRKERNSEC_TIME=y - CONFIG_GRKERNSEC_PROC_IPADDR=y - CONFIG_GRKERNSEC_RWXMAP_LOG=y - - # - # Executable Protections - # - CONFIG_GRKERNSEC_DMESG=y - CONFIG_GRKERNSEC_HARDEN_PTRACE=y - CONFIG_GRKERNSEC_PTRACE_READEXEC=y - CONFIG_GRKERNSEC_SETXID=y - CONFIG_GRKERNSEC_HARDEN_IPC=y - CONFIG_GRKERNSEC_HARDEN_TTY=y - CONFIG_GRKERNSEC_TPE=y - CONFIG_GRKERNSEC_TPE_ALL=y - CONFIG_GRKERNSEC_TPE_INVERT=y - CONFIG_GRKERNSEC_TPE_GID=100 - - # - # Network Protections - # - CONFIG_GRKERNSEC_BLACKHOLE=y - CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y - CONFIG_GRKERNSEC_SOCKET=y - CONFIG_GRKERNSEC_SOCKET_ALL=y - CONFIG_GRKERNSEC_SOCKET_ALL_GID=200 - CONFIG_GRKERNSEC_SOCKET_CLIENT=y - CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=15 - CONFIG_GRKERNSEC_SOCKET_SERVER=y - CONFIG_GRKERNSEC_SOCKET_SERVER_GID=99 - - # - # Physical Protections - # - CONFIG_GRKERNSEC_DENYUSB=y - # CONFIG_GRKERNSEC_DENYUSB_FORCE is not set - - # - # Sysctl Support - # - CONFIG_GRKERNSEC_SYSCTL=y - CONFIG_GRKERNSEC_SYSCTL_DISTRO=y - # CONFIG_GRKERNSEC_SYSCTL_ON is not set - - </pre> - - <h2 id="pax">Pax</h2> - - <p>Grub uses nested functions and thus needs either PAX_EMUTRAMP enabled in the kernel and EMUTRAMP enabled on affected binaries, or if PAX_EMUTRAMP is not enabled in the kernel, needs MPROTECT disabled on affected binaries. Depending on the version of grub in use, some of the following files may not exist, but you should mark all those that exist. To add EMUTRAMP, use the '-CE' argument to paxctl. To remove MPROTECT, use '-Cm'.</p> - - /usr/bin/grub-script-check - /usr/sbin/grub-probe - /usr/sbin/grub-mkdevicemap - - <h2 id="gradm">Gradm</h2> - - <p>Gradm is grsecurity access control lists administration utility. Gradm - have a - <a href="https://en.wikibooks.org/wiki/Grsecurity/The_Administration_Utility#Learning_Mode">learning mode</a> - per-subject, per-role or system-wide. Learning mode gather information that - RBAC system supports, it reduces policy size, increase readability and enforces - that is configurable. Protected resources can be added to /etc/grsec/learn_cong - to learning system.</p> - - <p>Entering in learning mode;</p> - - <pre> - # gradm -F -L /etc/grsec/learning.log - </pre> - - <p>To perform administrative tasks while system learning is running, - authenticate to admin role;</p> - - <pre> - # gradm -a admin - </pre> - - <p>When learning system have gather sufficient data disable RBAC system;</p> - - <pre> - # gradm -D - </pre> - - <p>Now that RBAC is disable data collected can be used to generate ACLs;</p> - - <pre> - # gradm -F -L /etc/grsec/learning.logs -O /etc/grset/policy - </pre> - - <p>Start RBAC with policy;</p> - - <pre> - # gradm -E - </pre> - - <a href="index.html">Core OS Index</a> - <p>This is part of the c9 Manual. - Copyright (C) 2017 - c9 team. - See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> - for copying conditions.</p> - - </body> -</html> diff --git a/core/hardening.html b/core/hardening.html index 91cd8e9..8c100b2 100644 --- a/core/hardening.html +++ b/core/hardening.html @@ -10,18 +10,16 @@ <h1>2.2. Hardening</h1> - <p>Kernel in ports have upstream linux kernel and - grsecurity patch, it should break building some packages, - install follow tools;</p> + <p>Kernel <a href="ports/linux-gnu">linux-gnu</a> port have + <a href="apparmor.html">apparmor</a> default options. AppArmor + enforce rules on applications based on security policies. + User space tools are provided by apparmor port and its dependencies, + install them;</p> <pre> - $ sudo prt-get depinst gradm paxtest paxctld checksec lynis + $ sudo prt-get depinst checksec lynis apparmor </pre> - <p>Information about <a href="grsecurity.html">grsecurity</a> kernel - configuration, <a href="grsecurity.html#pax">pax</a> and - <a href="grsecurity.html#gradm">gradm</a>.</p> - <p>Lynis gives a view of system overall configuration, without changing default profile it runs irrelevant tests. Create a lynis profile by coping default one and run lynis;</p> @@ -41,7 +39,6 @@ <p>Add unnecessary tests to profile to have less noise.</p> - <a href="index.html">Core OS Index</a> <p>This is part of the c9 Manual. Copyright (C) 2017 diff --git a/core/index.html b/core/index.html index 5b6ec2d..217ae01 100644 --- a/core/index.html +++ b/core/index.html @@ -81,7 +81,7 @@ </li> <li><a href="hardening.html">2.2. Hardening</a> <ul> - <li><a href="grsecurity.html">2.2.1. Grsecurity</a></li> + <li><a href="apparmor.html">2.2.1. AppArmor</a></li> <li><a href="sysctl.html">2.2.2. Sysctl</a></li> <li><a href="toolchain.html">2.2.3. Toolchain</a></li> <li><a href="samhain.html">2.2.4. Samhain</a></li> diff --git a/core/ports/linux-gnu/Pkgfile b/core/ports/linux-gnu/Pkgfile index 24acdfb..efc201b 100644 --- a/core/ports/linux-gnu/Pkgfile +++ b/core/ports/linux-gnu/Pkgfile @@ -1,11 +1,11 @@ # Description: Linux libre kernel that comes without blobs # URL: http://linux-libre.fsfla.org # Maintainer: Silvino, silvino at bk dot ru -# Depends on: +# Depends on: dracut grub2 grub2-efi name=linux-gnu version=4.9.86 -release=2 +release=3 source=(http://linux-libre.fsfla.org/pub/linux-libre/releases/$version-gnu/linux-libre-$version-gnu.tar.xz \ cpu_optimizations.patch \ port-cpu.patch \ diff --git a/core/ports/linux-gnu/post-install b/core/ports/linux-gnu/post-install new file mode 100644 index 0000000..db1336b --- /dev/null +++ b/core/ports/linux-gnu/post-install @@ -0,0 +1,5 @@ +#!/bin/sh + +/usr/bin/dracut --kver 4.9.86-gnu + +/usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg |