Difference between revisions of "Gentoo hardened profile"
Revision as of 04:59, 16 November 2010
here is a little overview of those things: [url]http://www.gentoo.org/proj/en/hardened/primer.xml[/url]
i was using funtoo x86_64 stable with a few unmasked things for everything - we will talk about those things later. _DONT_FORGET_: this is only for testing purposes ... let's split this into, for example, 5 parts ...
1st part. difference
2nd part. hardened toolchain.
3rd part. hardened-sources.
4th part. pax & co.
5th part. !?!?!
---
1st part. difference.
main system was like that before everything:
{{Root|<nowiki>
#paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later
[...]
Return to function (strcpy, PIE) : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE) : Vulnerable
</nowiki>}}
but after all it can be like that:
{{Root|<nowiki>
#paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Mode: blackhat
Linux u2 2.6.35-hardened-r4 #1 SMP PREEMPT Thu Oct 21 00:29:06 MSD 2010 x86_64 Intel(R) Core(TM)2 Duo CPU E8300 @ 2.83GHz GenuineIntel GNU/Linux

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 29 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (PIE) : 35 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (PIE) : 27 bits (guessed)
Shared library randomisation test : 29 bits (guessed)
Stack randomisation test (SEGMEXEC) : 35 bits (guessed)
Stack randomisation test (PAGEEXEC) : 35 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Vulnerable
Return to function (strcpy, PIE) : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE) : Vulnerable
</nowiki>}}
it's "app-admin/paxtest". it can show that "it's working" ("Killed" means the kernel stopped the test's attempt to execute from that memory region).

2nd part. hardened toolchain.
to use a hardened system you will need to change your portage profile to the hardened one, like that
{{Root|<nowiki>
#ln -sfn /usr/portage/profiles/hardened/linux/2.6/amd64/10.0 /etc/make.profile
#env-update && source /etc/profile
</nowiki>}}
but we will _NOT_ do that ;3
( i just stripped that part out and made a more user friendly way of doing those things via the hardened overlay )
now we need to clone and use the hardened overlay.
1st of all we need to make a dir and clone the overlay into it ... for example at /overlay
{{Root|<nowiki>
#mkdir /overlay
#cd /overlay
#git clone git://github.com/damex/hardened.git
</nowiki>}}
after that we need to make a proper /etc/make.profile
{{Root|<nowiki>
#rm /etc/make.profile
#mkdir /etc/make.profile
#echo /usr/portage/profiles/default/linux/amd64/2008.0 >> /etc/make.profile/parent
#echo /overlay/hardened/profiles >> /etc/make.profile/parent
</nowiki>}}
the 1st echo is for your current profile, the 2nd for the overlay's. that order is the priority.
now we need to add our overlay to make.conf
{{Root|<nowiki>
/etc/make.conf
PORTDIR_OVERLAY="/overlay/hardened"
</nowiki>}}
and run
{{Root|<nowiki>
#env-update && source /etc/profile
</nowiki>}}
a few new flags like 'hardened' will be used system wide now.
the current gcc (4.3.x) has only PIE support (i mean those gcc's that the funtoo tree has now ~_~). to use all features of the hardened toolchain (PIE/SSP) we will use gcc-4.4.3-r3 or gcc-4.4.4-r2 (they're from the overlay). to use that gcc we may need a newer glibc - it should be picked up automatically from the overlay/portage tree.
now we can emerge our toolchain
{{Root|<nowiki>
#sudo emerge -av linux-headers gcc libtool
</nowiki>}}
now we need to enable our new gcc:
{{Root|<nowiki>
#gcc-config -l
[1] x86_64-pc-linux-gnu-4.4.3
[...]
#gcc-config x86_64-pc-linux-gnu-4.4.3
#env-update && source /etc/profile
</nowiki>}}
now just emerge the other part of the toolchain
{{Root|<nowiki>
#sudo emerge -av linux-headers glibc binutils libtool
</nowiki>}}
now it's time to run
{{Root|<nowiki>
#sudo etc-update
</nowiki>}}
and recheck your config files.
after the config check it's time to remerge the whole world.
{{Root|<nowiki>
#sudo emerge -uDeav world
</nowiki>}}
don't forget to make sure that you have all the use flags you want enabled. it will take a long time, so you can just go away from the keyboard.
if something fails while remerging world - don't forget to report ^_^
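The make.profile and make.conf steps above as one checked shell function, added here as an example (my code, not the wiki author's commands): it writes the two parent entries in the stated priority order with a real redirection, refuses to run if either profile directory is missing, does not append PORTDIR_OVERLAY twice, and takes a root directory so it can be rehearsed in a scratch tree before touching /etc. The base profile and overlay paths are the ones from the walkthrough, passed as parameters.

```shell
#!/bin/bash
# Hypothetical helper (example only, not the wiki author's commands): the
# make.profile / make.conf steps as one repeatable, checked function.
# Works under ROOT so it can be rehearsed in a scratch tree (ROOT=/ for real).

# setup_hardened_profile ROOT BASE_PROFILE OVERLAY_DIR
#   BASE_PROFILE  the profile you use now, e.g. /usr/portage/profiles/default/linux/amd64/2008.0
#   OVERLAY_DIR   the hardened overlay checkout, e.g. /overlay/hardened
# Replaces $ROOT/etc/make.profile with a directory whose "parent" file lists
# the base profile first and the overlay's profiles second (that order is the
# priority), then adds PORTDIR_OVERLAY to make.conf unless it is already set.
# Returns 1 when either profile directory is missing, 0 on success.
setup_hardened_profile() {
    local root="$1" base="$2" overlay="$3"
    local profile="$root/etc/make.profile" conf="$root/etc/make.conf"
    [ -d "$root$base" ] || { echo "base profile not found: $base" >&2; return 1; }
    [ -d "$root$overlay/profiles" ] || { echo "overlay profiles not found: $overlay/profiles" >&2; return 1; }
    mkdir -p "$root/etc"
    rm -rf "$profile"          # normally a symlink into /usr/portage/profiles
    mkdir "$profile"
    # the redirection matters: a bare "echo path file" only prints to the terminal
    printf '%s\n%s\n' "$base" "$overlay/profiles" > "$profile/parent"
    touch "$conf"
    if ! grep -q '^PORTDIR_OVERLAY=' "$conf"; then
        printf 'PORTDIR_OVERLAY="%s"\n' "$overlay" >> "$conf"
    fi
}

# profile_parents ROOT: prints the parent list, for checking the result
# (afterwards you still run: env-update && source /etc/profile)
profile_parents() { cat "$1/etc/make.profile/parent"; }
```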
3rd part. hardened-sources.
it can be emerged via
{{Root|<nowiki>
#emerge -av hardened-sources
</nowiki>}}
i'd prefer the latest sources, so if you do too (hope you do) - just add
{{Root|<nowiki>
/etc/portage/package.keywords
sys-kernel/hardened-sources
</nowiki>}}
it's "vanilla-sources" with hardened patches.
it includes at least the pax and grsecurity patches now. i will show an example of configuring it via
{{Root|<nowiki>
#make menuconfig
</nowiki>}}
which is working fine for me at the desktop pc.
it's placed at
{{Root|<nowiki>
Security options --->
Grsecurity --->
PaX --->
</nowiki>}}
i will now show the configuration of pax and then grsecurity
{{Root|<nowiki>
PaX --->
[*] Enable various PaX features
[...]
[ ] Prevent various kernel object reference counter overflows
[ ] Bounds check heap object copies between kernel and userland
</nowiki>}}
{{Root|<nowiki>
Grsecurity --->
[*] Grsecurity
[...]
(10) Seconds in between log messages (minimum)
(4) Number of messages in a burst (maximum)
</nowiki>}}
if you don't need the xorg system - then you can enable
{{Root|<nowiki>
[*] Disable privileged I/O
</nowiki>}}
but make sure that you have your hw clock and other things working fine.
if you're going to enable
{{Root|<nowiki>
[*] Harden module auto-loading
</nowiki>}}
then you can find that your adobe flash and a few more things won't function.
if you need RBAC - then just leave that option disabled
{{Root|<nowiki>
[ ] Disable RBAC system
</nowiki>}}
if you intend to use RBAC - you can find that your Gajim will not work (can't run).
to fix that - you will need an updated python (it's the same one... but with one important patch), which you can get just by adding
{{Root|<nowiki>
/etc/portage/package.keywords
dev-lang/python
</nowiki>}}
its revision will always be like portage's rX+1 if it's supported.
like now: portage has "dev-lang/python-2.6.5-r3" and the overlay "dev-lang/python-2.6.5-r4"
if you're a "newbie" to all that then a good point is to enable
{{Root|<nowiki>
[*] Support soft mode
</nowiki>}}
so that pax features are not enforced.
other options aren't part of the "hardened" patch set and you need to configure them yourself.
all kernel configuration && installing will always be like that:
{{Root|<nowiki>
#make menuconfig
#mount /boot //if needed//
#make && make install && make modules_install
#boot-update //if needed//
</nowiki>}}
better don't compile those sources with many threads (i'm compiling them with -j1 and sometimes -j2/-j3).
if you need to be able to run boot-update under your PAX enabled system then you will need to disable PAGEEXEC and MPROTECT for */sbin/grub-mkdevicemap* and */sbin/grub-probe* like that
{{Root|<nowiki>
paxctl -pm /sbin/grub-mkdevicemap
paxctl -pm /sbin/grub-probe
</nowiki>}}
next time we will see more examples of pax and a little overview of it :3 cya and don't forget that all that is still in progress :)
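A check of the resulting .config against the menu choices walked through above, added here as an example (my code, not part of the wiki page). The Kconfig symbol names are my assumed mapping of the menuconfig entries (CONFIG_PAX_SOFTMODE for "Support soft mode", CONFIG_GRKERNSEC_IO for "Disable privileged I/O", CONFIG_GRKERNSEC_MODHARDEN for "Harden module auto-loading", CONFIG_GRKERNSEC_NO_RBAC for "Disable RBAC system"), and the sample .config is constructed.

```shell
#!/bin/bash
# Hypothetical checker (example only, not from the wiki): compares a
# hardened-sources .config with the menu choices above before "make".
# Symbol names are my assumed mapping of the menuconfig entries.

# Options the walkthrough expects to be on.
REQUIRED="CONFIG_PAX CONFIG_PAX_PAGEEXEC CONFIG_PAX_MPROTECT CONFIG_GRKERNSEC"
# Options the walkthrough attaches a caveat to.
NOTABLE="CONFIG_PAX_SOFTMODE CONFIG_GRKERNSEC_IO CONFIG_GRKERNSEC_MODHARDEN CONFIG_GRKERNSEC_NO_RBAC"

# cfg_is_set CONFIG_FILE SYMBOL: true when the file contains "SYMBOL=y"
cfg_is_set() { grep -qx "$2=y" "$1"; }

# note_for SYMBOL: the caveat from the text for that option
note_for() {
    case "$1" in
        CONFIG_PAX_SOFTMODE)        echo "soft mode: pax features are not enforced" ;;
        CONFIG_GRKERNSEC_IO)        echo "privileged I/O disabled: check xorg and hw clock" ;;
        CONFIG_GRKERNSEC_MODHARDEN) echo "module auto-loading hardened: adobe flash and others may stop working" ;;
        CONFIG_GRKERNSEC_NO_RBAC)   echo "RBAC system disabled" ;;
    esac
}

# check_hardened_config CONFIG_FILE
# Prints "missing SYMBOL" for each required symbol not set to y and
# "note SYMBOL - caveat" for each notable symbol that is set.
# Returns the number of missing required symbols (0 == config matches).
check_hardened_config() {
    local cfg="$1" sym missing=0
    for sym in $REQUIRED; do
        cfg_is_set "$cfg" "$sym" || { echo "missing $sym"; missing=$((missing + 1)); }
    done
    for sym in $NOTABLE; do
        if cfg_is_set "$cfg" "$sym"; then echo "note $sym - $(note_for "$sym")"; fi
    done
    return "$missing"
}

# write_sample_config FILE: constructed .config fragment matching the
# selections shown above (soft mode on, privileged I/O disabled, RBAC kept,
# refcount/usercopy checks off, flood limits 10 s / 4 messages)
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_PAX=y
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_REFCOUNT is not set
# CONFIG_PAX_USERCOPY is not set
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_IO=y
# CONFIG_GRKERNSEC_MODHARDEN is not set
# CONFIG_GRKERNSEC_NO_RBAC is not set
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
EOF
}
```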
4th part. pax & co.
{{Root|<nowiki>
#paxctl -h
PaX control v0.5
[...]
-c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!)
-C: create PT_PAX_FLAGS (see manpage!)
</nowiki>}}
it (dis)allows running different features if a hardened (w/ pax support) kernel is used.
each option is described above and i will show a few examples of using it on the desktop.
if we're using a hardened desktop then a few features will not function properly and we _maybe_ will want to get them working. let's start:
"every application that will want something enabled/disabled out of pax features" - will spam dmesg, along with other features that pax prevents from being used.
that can look like that
{{Root|<nowiki>
_showing part of dmesg_
PAX: execution attempt in: <anonymous mapping>, 2efaa2e8000-2efaa2eb000 2efaa2e8000
[...]
PAX: bytes at PC: c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PAX: bytes at SP-8: 000003ed07962cd0 000000298077bfa8 0000000000000000 000000298077bf65 000003296c266710 0000000000000000 0000000000000000 000003296c285d6d 0000000000000000 000003ed07962cd8 000000010000000
</nowiki>}}
to get a few applications fully working you will need to do like that:
firefox (will not run?):
{{Root|<nowiki>
paxctl -m /usr/bin/firefox
</nowiki>}}
wine (will not run anything?):
{{Root|<nowiki>
paxctl -pemr /usr/bin/wine*
</nowiki>}}
kde4 (will not be able to use the screensaver and a few other things?)
{{Root|<nowiki>
paxctl -m /usr/bin/kwin
paxctl -m /usr/bin/knotify4
[...]
paxctl -m /usr/bin/*.kss
paxctl -m /usr/lib/misc/xscreensaver/*
</nowiki>}}
xorg-x11 (in a few cases X org may not run ... rly?)
{{Root|<nowiki>
paxctl -m /usr/bin/X
</nowiki>}}
mplayer (in case of using too old gcc's?)
{{Root|<nowiki>
paxctl -m /usr/bin/mplayer
</nowiki>}}
boot-update (won't run?)
{{Root|<nowiki>
paxctl -pm /sbin/grub-mkdevicemap
paxctl -pm /sbin/grub-probe
</nowiki>}}
most other graphic apps may also need mprotect() disabled.
to revert paxctl things to the default - use
{{Root|<nowiki>
paxctl -z /path/to/the/my/binary
</nowiki>}}
after remerging apps - you will need to reapply the rules, and i'm using a bash script for that purpose. maybe you will want to try it too ^_^
like that?:
{{Root|<nowiki>
#!/bin/bash
paxctl -m /usr/bin/firefox
paxctl -pemr /usr/bin/wine*
</nowiki>}}
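A generalisation of the reapply script above, added here as an example (my code, not the wiki author's script): the rules live in a small file of `<paxctl flags> <path or glob>` lines, globs like /usr/bin/wine* are expanded, paths that are not installed are reported instead of aborting the whole run, and PAXCTL can be pointed at another binary for a dry run. The sample rules file is constructed from the per-application commands given above.

```shell
#!/bin/bash
# Hypothetical reapply helper (example only, not the wiki author's script).
# Rules live in a file of "<paxctl flags> <path or glob>" lines so the
# per-application commands above are kept in one place and re-run after
# remerging. Missing paths are reported rather than aborting the run.
# Prefix -c (e.g. -cm) when a binary has no PT_PAX_FLAGS header yet; see
# "paxctl -h" above.
PAXCTL="${PAXCTL:-paxctl}"     # point at another binary for a dry run

# apply_pax_rules RULES_FILE
# Prints "applied <flags> <path>" per file changed; returns the number of
# rules whose path matched nothing (0 == every rule applied), or 2 if
# paxctl itself failed.
apply_pax_rules() {
    local rules="$1" flags pattern path found missing=0
    while read -r flags pattern; do
        case "$flags" in ''|'#'*) continue ;; esac   # blank lines and comments
        found=0
        for path in $pattern; do                     # unquoted on purpose: glob expansion
            [ -e "$path" ] || continue               # an unmatched glob stays literal
            found=1
            "$PAXCTL" "$flags" "$path" || return 2
            echo "applied $flags $path"
        done
        [ "$found" -eq 1 ] || { echo "missing $pattern" >&2; missing=$((missing + 1)); }
    done < "$rules"
    return "$missing"
}

# write_sample_rules FILE [ROOT]
# Constructed rules file with the per-application flags given above. ROOT is
# prepended to every path so the script can be tried on a scratch tree.
write_sample_rules() {
    local file="$1" root="${2:-}"
    cat > "$file" <<EOF
# flags  path (globs allowed)
-m     $root/usr/bin/firefox
-pemr  $root/usr/bin/wine*
-m     $root/usr/bin/X
-m     $root/usr/bin/mplayer
-pm    $root/sbin/grub-mkdevicemap
-pm    $root/sbin/grub-probe
EOF
}

# usage: ./paxrules.sh /etc/pax.rules   (exit status = number of missing paths)
if [ $# -eq 1 ]; then apply_pax_rules "$1"; fi
```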