about summary refs log tree commit diff stats
path: root/core/grsecurity.html
diff options
context:
space:
mode:
Diffstat (limited to 'core/grsecurity.html')
-rw-r--r--core/grsecurity.html307
1 files changed, 307 insertions, 0 deletions
diff --git a/core/grsecurity.html b/core/grsecurity.html
new file mode 100644
index 0000000..48ac2b2
--- /dev/null
+++ b/core/grsecurity.html
@@ -0,0 +1,307 @@
+<!DOCTYPE html>
+<html dir="ltr" lang="en">
+    <head>
+        <meta charset='utf-8'>
+        <title>2.2.1. Grsecurity</title>
+    </head>
+    <body>
+
+        <a href="index.html">Core OS Index</a>
+
+        <h1>2.2.1. Grsecurity</h1>
+
+        <p>Install grsecurity <a href="hardening.html">utilities</a>, kernel
+        configuration is based on
+        <a href="../core/reboot.html#linux">port kernel</a>, for manual
+        configuration check <a href="linux.html">linux kernel</a>. Configuration
+        is not enable by default, groups with special permissions and other
+        protections are set with <a href="sysctl.html">sysctl</a>;</p>
+
+        <dl>
+
+        <dt>proc</dt>
+        <dd>GID 4 - adm group</dd>
+        <dd>If you say Y here, you will be able to select a group that will be
+        able to view all processes and network-related information.
+        GRKERNSEC_HIDESYM is enabled, kernel and symbol information may still
+        remain hidden.</dd>
+
+        <dt>symlinks owner match</dt>
+        <dd>GID 15 - www group</dd>
+        <dd>Kernel-enforced SymlinksIfOwnerMatch group.</dd>
+
+        <dt>group for auditing</dt>
+        <dd>GID 99 - nobody group</dd>
+        <dd>This option is recommended if you only want to watch certain
+        users exec and chdir logging features instead of having a large
+        amount of logs from the entire system</dd>
+
+        <dt>tpe</dt>
+        <dd>GID 100 - users</dd>
+        <dd>Supplementary groups of users you want to mark as "untrusted".
+        Invert gid option causes to not apply tpe protection to this group,
+        allowing to build software with partially restrict all non-root users
+        enable.</dd>
+
+        <dt>socket all</dt>
+        <dd>GID 200 - non existent</dd>
+        <dd>Deny sockets to this group.</dd>
+
+        <dt>socket client</dt>
+        <dd>GID 15 - www group</dd>
+        <dd>Deny client sockets to this group.</dd>
+
+        <dt>socket server</dt>
+        <dd>GID 99 - nobody group</dd>
+        <dd>Deny server sockets to this group.</dd>
+
+        </dl>
+        <p>At run time you can change some configurations;</p>
+
+        <pre>
+        # cat /proc/sys/kernel/grsecurity/what_ever_setting
+        </pre>
+
+        <p>Kernel configuration related to grsecurity;</p>
+
+        <pre>
+        #
+        # Grsecurity
+        #
+        CONFIG_PAX_PER_CPU_PGD=y
+        CONFIG_TASK_SIZE_MAX_SHIFT=42
+        CONFIG_GRKERNSEC=y
+        # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
+        CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
+        CONFIG_GRKERNSEC_PROC_GID=4
+        CONFIG_GRKERNSEC_TPE_TRUSTED_GID=100
+        CONFIG_GRKERNSEC_SYMLINKOWN_GID=15
+
+        #
+        # PaX
+        #
+        CONFIG_PAX=y
+
+        #
+        # PaX Control
+        #
+        # CONFIG_PAX_SOFTMODE is not set
+        # CONFIG_PAX_EI_PAX is not set
+        CONFIG_PAX_PT_PAX_FLAGS=y
+        CONFIG_PAX_XATTR_PAX_FLAGS=y
+        # CONFIG_PAX_NO_ACL_FLAGS is not set
+        CONFIG_PAX_HAVE_ACL_FLAGS=y
+        # CONFIG_PAX_HOOK_ACL_FLAGS is not set
+
+        #
+        # Non-executable pages
+        #
+        CONFIG_PAX_NOEXEC=y
+        CONFIG_PAX_PAGEEXEC=y
+        CONFIG_PAX_EMUTRAMP=y
+        CONFIG_PAX_MPROTECT=y
+        # CONFIG_PAX_MPROTECT_COMPAT is not set
+        # CONFIG_PAX_ELFRELOCS is not set
+        CONFIG_PAX_KERNEXEC=y
+        CONFIG_PAX_KERNEXEC_PLUGIN=y
+        # CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_NONE is not set
+        CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
+
+        #
+        # Address Space Layout Randomization
+        #
+        CONFIG_PAX_ASLR=y
+        CONFIG_PAX_RANDKSTACK=y
+        CONFIG_PAX_RANDUSTACK=y
+        CONFIG_PAX_RANDMMAP=y
+
+        #
+        # Miscellaneous hardening features
+        #
+        CONFIG_PAX_MEMORY_SANITIZE=y
+        CONFIG_PAX_MEMORY_STACKLEAK=y
+        CONFIG_PAX_MEMORY_STRUCTLEAK=y
+        CONFIG_PAX_MEMORY_UDEREF=y
+        CONFIG_PAX_REFCOUNT=y
+        CONFIG_PAX_USERCOPY=y
+        CONFIG_PAX_CONSTIFY_PLUGIN=y
+        # CONFIG_PAX_USERCOPY_DEBUG is not set
+        CONFIG_PAX_SIZE_OVERFLOW=y
+        CONFIG_PAX_SIZE_OVERFLOW_EXTRA=y
+        # CONFIG_PAX_INITIFY is not set
+        CONFIG_HAVE_PAX_INITIFY_INIT_EXIT=y
+        CONFIG_PAX_LATENT_ENTROPY=y
+        CONFIG_PAX_RAP=y
+
+        #
+        # Memory Protections
+        #
+        CONFIG_GRKERNSEC_KMEM=y
+        CONFIG_GRKERNSEC_IO=y
+        CONFIG_GRKERNSEC_BPF_HARDEN=y
+        CONFIG_GRKERNSEC_PERF_HARDEN=y
+        CONFIG_GRKERNSEC_RAND_THREADSTACK=y
+        CONFIG_GRKERNSEC_PROC_MEMMAP=y
+        CONFIG_GRKERNSEC_KSTACKOVERFLOW=y
+        CONFIG_GRKERNSEC_BRUTE=y
+        CONFIG_GRKERNSEC_MODHARDEN=y
+        CONFIG_GRKERNSEC_HIDESYM=y
+        CONFIG_GRKERNSEC_RANDSTRUCT=y
+        CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y
+        CONFIG_GRKERNSEC_KERN_LOCKOUT=y
+
+        #
+        # Role Based Access Control Options
+        #
+        # CONFIG_GRKERNSEC_NO_RBAC is not set
+        CONFIG_GRKERNSEC_ACL_HIDEKERN=y
+        CONFIG_GRKERNSEC_ACL_MAXTRIES=3
+        CONFIG_GRKERNSEC_ACL_TIMEOUT=30
+
+        #
+        # Filesystem Protections
+        #
+        CONFIG_GRKERNSEC_PROC=y
+        # CONFIG_GRKERNSEC_PROC_USER is not set
+        CONFIG_GRKERNSEC_PROC_USERGROUP=y
+        CONFIG_GRKERNSEC_PROC_ADD=y
+        CONFIG_GRKERNSEC_LINK=y
+        CONFIG_GRKERNSEC_SYMLINKOWN=y
+        CONFIG_GRKERNSEC_FIFO=y
+        # CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
+        CONFIG_GRKERNSEC_ROFS=y
+        CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
+        CONFIG_GRKERNSEC_CHROOT=y
+        CONFIG_GRKERNSEC_CHROOT_MOUNT=y
+        CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
+        CONFIG_GRKERNSEC_CHROOT_PIVOT=y
+        CONFIG_GRKERNSEC_CHROOT_CHDIR=y
+        CONFIG_GRKERNSEC_CHROOT_CHMOD=y
+        CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
+        CONFIG_GRKERNSEC_CHROOT_MKNOD=y
+        CONFIG_GRKERNSEC_CHROOT_SHMAT=y
+        CONFIG_GRKERNSEC_CHROOT_UNIX=y
+        CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
+        CONFIG_GRKERNSEC_CHROOT_NICE=y
+        CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
+        CONFIG_GRKERNSEC_CHROOT_RENAME=y
+        CONFIG_GRKERNSEC_CHROOT_CAPS=y
+        CONFIG_GRKERNSEC_CHROOT_INITRD=y
+
+        #
+        # Kernel Auditing
+        #
+        CONFIG_GRKERNSEC_AUDIT_GROUP=y
+        CONFIG_GRKERNSEC_AUDIT_GID=99
+        CONFIG_GRKERNSEC_EXECLOG=y
+        CONFIG_GRKERNSEC_RESLOG=y
+        CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
+        CONFIG_GRKERNSEC_AUDIT_PTRACE=y
+        CONFIG_GRKERNSEC_AUDIT_CHDIR=y
+        CONFIG_GRKERNSEC_AUDIT_MOUNT=y
+        CONFIG_GRKERNSEC_SIGNAL=y
+        CONFIG_GRKERNSEC_FORKFAIL=y
+        CONFIG_GRKERNSEC_TIME=y
+        CONFIG_GRKERNSEC_PROC_IPADDR=y
+        CONFIG_GRKERNSEC_RWXMAP_LOG=y
+
+        #
+        # Executable Protections
+        #
+        CONFIG_GRKERNSEC_DMESG=y
+        CONFIG_GRKERNSEC_HARDEN_PTRACE=y
+        CONFIG_GRKERNSEC_PTRACE_READEXEC=y
+        CONFIG_GRKERNSEC_SETXID=y
+        CONFIG_GRKERNSEC_HARDEN_IPC=y
+        CONFIG_GRKERNSEC_HARDEN_TTY=y
+        CONFIG_GRKERNSEC_TPE=y
+        CONFIG_GRKERNSEC_TPE_ALL=y
+        CONFIG_GRKERNSEC_TPE_INVERT=y
+        CONFIG_GRKERNSEC_TPE_GID=100
+
+        #
+        # Network Protections
+        #
+        CONFIG_GRKERNSEC_BLACKHOLE=y
+        CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
+        CONFIG_GRKERNSEC_SOCKET=y
+        CONFIG_GRKERNSEC_SOCKET_ALL=y
+        CONFIG_GRKERNSEC_SOCKET_ALL_GID=200
+        CONFIG_GRKERNSEC_SOCKET_CLIENT=y
+        CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=15
+        CONFIG_GRKERNSEC_SOCKET_SERVER=y
+        CONFIG_GRKERNSEC_SOCKET_SERVER_GID=99
+
+        #
+        # Physical Protections
+        #
+        CONFIG_GRKERNSEC_DENYUSB=y
+        # CONFIG_GRKERNSEC_DENYUSB_FORCE is not set
+
+        #
+        # Sysctl Support
+        #
+        CONFIG_GRKERNSEC_SYSCTL=y
+        CONFIG_GRKERNSEC_SYSCTL_DISTRO=y
+        # CONFIG_GRKERNSEC_SYSCTL_ON is not set
+
+        </pre>
+
+        <h2 id="pax">Pax</h2>
+
+        <p>Grub uses nested functions and thus needs either PAX_EMUTRAMP enabled in the kernel and EMUTRAMP enabled on affected binaries, or if PAX_EMUTRAMP is not enabled in the kernel, needs MPROTECT disabled on affected binaries. Depending on the version of grub in use, some of the following files may not exist, but you should mark all those that exist. To add EMUTRAMP, use the '-CE' argument to paxctl. To remove MPROTECT, use '-Cm'.</p>
+
+        /usr/bin/grub-script-check
+        /usr/sbin/grub-probe
+        /usr/sbin/grub-mkdevicemap
+
+        <h2 id="gradm">Gradm</h2>
+
+        <p>Gradm is grsecurity access control lists administration utility. Gradm
+        have a
+        <a href="https://en.wikibooks.org/wiki/Grsecurity/The_Administration_Utility#Learning_Mode">learning mode</a>
+        per-subject, per-role or system-wide. Learning mode gather information that
+        RBAC system supports, it reduces policy size, increase readability and enforces
+        that is configurable. Protected resources can be added to /etc/grsec/learn_cong
+        to learning system.</p>
+
+        <p>Entering in learning mode;</p>
+
+        <pre>
+        # gradm -F -L /etc/grsec/learning.log
+        </pre>
+
+        <p>To perform administrative tasks while system learning is running,
+        authenticate to admin role;</p>
+
+        <pre>
+        # gradm -a admin
+        </pre>
+
+        <p>When learning system have gather sufficient data disable RBAC system;</p>
+
+        <pre>
+        # gradm -D
+        </pre>
+
+        <p>Now that RBAC is disable data collected can be used to generate ACLs;</p>
+
+        <pre>
+        # gradm -F -L /etc/grsec/learning.logs -O /etc/grset/policy
+        </pre>
+
+        <p>Start RBAC with policy;</p>
+
+        <pre>
+        # gradm -E
+        </pre>
+
+        <a href="index.html">Core OS Index</a>
+        <p>This is part of the c9 Manual.
+        Copyright (C) 2017
+        c9 team.
+        See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
+        for copying conditions.</p>
+
+    </body>
+</html>