Difference between revisions of "Gentoo hardened profile"

From Funtoo Linux

Revision as of 22:32, 26 November 2010

An overview of the hardening work done by the Gentoo developers.

I was using Funtoo x86_64 stable with a few unmasked packages for everything; we will talk about those later.

_DON'T FORGET_: _NOW_ this is only for testing purposes ...


Difference

The main system looked like this before any changes:

#paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Mode: blackhat
Linux u2 2.6.36-rc8 #5 SMP PREEMPT Wed Oct 20 02:57:30 MSD 2010 x86_64 Intel(R) Core(TM)2 Duo CPU E8300 @ 2.83GHz GenuineIntel GNU/Linux

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
Executable stack (mprotect)              : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Writable text segments                   : Vulnerable
Anonymous mapping randomisation test     : 29 bits (guessed)
Heap randomisation test (ET_EXEC)        : 14 bits (guessed)
Heap randomisation test (PIE)            : 28 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (PIE)      : 28 bits (guessed)
Shared library randomisation test        : 28 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 28 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 28 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Vulnerable
Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE)         : Vulnerable


After the changes it can look like this:

#paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Mode: blackhat
Linux u2 2.6.35-hardened-r4 #1 SMP PREEMPT Thu Oct 21 00:29:06 MSD 2010 x86_64 Intel(R) Core(TM)2 Duo CPU E8300 @ 2.83GHz GenuineIntel GNU/Linux

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable stack (mprotect)              : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments                   : Killed
Anonymous mapping randomisation test     : 29 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Heap randomisation test (PIE)            : 35 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (PIE)      : 27 bits (guessed)
Shared library randomisation test        : 29 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 35 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 35 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Vulnerable
Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE)         : Vulnerable


The tool is "app-admin/paxtest"; it tests your machine and shows the useful PaX-related results. Compare the (mprotect) rows and "Writable text segments" in the two runs above: they go from Vulnerable to Killed with the hardened kernel, while the "Return to function (memcpy)" tests stay Vulnerable in both.
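As an added example (not code from the original page), a small Python script that parses two paxtest result listings like the ones above and reports which tests changed between runs; the embedded excerpts are constructed from the page's before/after outputs.

```python
import re

# Constructed excerpts of the page's "before" (2.6.36-rc8) and "after" (hardened) runs.
BEFORE = """\
Executable anonymous mapping             : Killed
Executable stack (mprotect)              : Vulnerable
Writable text segments                   : Vulnerable
Heap randomisation test (PIE)            : 28 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Return to function (memcpy)              : Vulnerable
"""
AFTER = """\
Executable anonymous mapping             : Killed
Executable stack (mprotect)              : Killed
Writable text segments                   : Killed
Heap randomisation test (PIE)            : 35 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Return to function (memcpy)              : Vulnerable
"""

RESULT_LINE = re.compile(r"^(?P<name>[^:]+?)\s*:\s*(?P<result>.+?)\s*$")
BITS = re.compile(r"(\d+) bits")

def parse(output):
    """Map test name -> result text ('Killed', 'Vulnerable', '28 bits (guessed)', ...)."""
    results = {}
    for line in output.splitlines():
        m = RESULT_LINE.match(line)
        if m:
            results[m.group("name")] = m.group("result")
    return results

def compare(before, after):
    """Per test: 'fixed', 'regressed', 'more_bits', 'fewer_bits' or 'unchanged'."""
    old, new = parse(before), parse(after)
    verdict = {}
    for name in old.keys() & new.keys():
        a, b = old[name], new[name]
        ma, mb = BITS.search(a), BITS.search(b)
        if ma and mb:                                   # randomisation tests: compare entropy bits
            da, db = int(ma.group(1)), int(mb.group(1))
            verdict[name] = "more_bits" if db > da else "fewer_bits" if db < da else "unchanged"
        else:                                           # exec/protection tests: Killed is the good outcome
            verdict[name] = {("Vulnerable", "Killed"): "fixed",
                             ("Killed", "Vulnerable"): "regressed"}.get((a, b), "unchanged")
    return verdict

def still_vulnerable(output):
    """Tests the hardened kernel alone does not fix (on this page: the return-to-function ones)."""
    return sorted(n for n, r in parse(output).items() if r == "Vulnerable")
```

Run `compare(BEFORE, AFTER)` against your own two paxtest.log files to confirm that a kernel or toolchain change did not silently regress a protection.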

Hardened toolchain

To use a hardened system with Gentoo, you would normally change your Portage profile to the hardened one, like this:

#ln -sfn /usr/portage/profiles/hardened/linux/2.6/amd64/10.0 /etc/make.profile
#env-update && source /etc/profile


But we will _NOT_ do that. Instead we clone and use the hardened overlay. First we need to make a directory and clone the overlay into it, for example at /overlay:

#mkdir /overlay
#cd /overlay
#git clone git://github.com/damex/hardened.git


After that we need to build a proper /etc/make.profile:

#rm /etc/make.profile
#mkdir /etc/make.profile
#touch /etc/make.profile/parent
#echo /usr/portage/profiles/default/linux/amd64/2008.0 >> /etc/make.profile/parent
#echo /overlay/hardened/profiles >> /etc/make.profile/parent


The first echo adds your current profile, the second the overlay's profile; keep exactly that order, as it determines the priority. Now we need to add our overlay to make.conf:

/etc/make.conf
PORTDIR_OVERLAY="/overlay/hardened"


and run

#env-update && source /etc/profile


A few new USE flags such as 'hardened' will now be used system wide. Now we can emerge our toolchain:

#sudo emerge -av linux-headers gcc libtool


The current gcc (4.3.x, i.e. the versions the Funtoo tree has right now ~_~) only has PIE support. To use all features of the hardened toolchain (PIE/SSP) we will use gcc-4.4.3-r3 or gcc-4.4.4-r2 (both from the overlay). That gcc may need a newer glibc, which should be picked up automatically from the overlay/Portage tree. Now we need to enable our new gcc:

#gcc-config -l
 [1] x86_64-pc-linux-gnu-4.4.3
 [2] x86_64-pc-linux-gnu-4.4.3-hardenednopie
 [3] x86_64-pc-linux-gnu-4.4.3-hardenednopiessp
 [4] x86_64-pc-linux-gnu-4.4.3-hardenednossp
 [5] x86_64-pc-linux-gnu-4.4.3-vanilla
#gcc-config x86_64-pc-linux-gnu-4.4.3
#env-update && source /etc/profile


Now just emerge the other parts of the toolchain:

#sudo emerge -av linux-headers glibc binutils libtool


Now it's time to run

#sudo etc-update


and recheck your config files. After the config check it's time to remerge the whole world:

#sudo emerge -uDeav world


Don't forget to make sure that all the USE flags you want are enabled. It will take a long time, so you can just go away from the keyboard.

If something fails while remerging world, don't forget to report it.

Hardened-sources

They can be emerged via

#emerge -av hardened-sources


I prefer the latest sources; if you do too (I hope so), just add

/etc/portage/package.keywords
sys-kernel/hardened-sources


It is "vanilla-sources" with the hardened patch set, which currently includes at least the PaX and grsecurity patches. I will show an example of configuring it via

#make menuconfig


which works fine for me on the desktop PC. The options are located at

Security options ---> Grsecurity ---> PaX --->


I will now show the PaX configuration and then the grsecurity one.

PaX --->
  [*] Enable various PaX features
  PaX Control --->
    [ ] Support soft mode
    [*] Use legacy ELF header marking
    [*] Use ELF program header marking
    MAC system integration (none) --->
  Non-executable pages --->
    [*] Enforce non-executable pages
    [*] Paging based non-executable pages
    [ ] Emulate trampolines
    [*] Restrict mprotect()
    [ ] Allow ELF text relocations (read help)
    [ ] Enforce non-executable kernel pages
  Address Space Layout Randomization --->
    [*] Address Space Layout Randomization
    [*] Randomize user stack base
    [*] Randomize mmap() base
  Miscellaneous hardening features --->
    [ ] Sanitize all freed memory
    [*] Prevent invalid userland pointer dereference
    [ ] Prevent various kernel object reference counter overflows
    [ ] Bounds check heap object copies between kernel and userland


Grsecurity --->
  [*] Grsecurity
  Security Level (Custom) --->
  Address Space Protection --->
    [*] Deny writing to /dev/kmem, /dev/mem, and /dev/port
    [ ] Disable privileged I/O
    [*] Remove addresses from /proc/<pid>/[smaps|maps|stat]
    [*] Deter exploit bruteforcing
    [ ] Harden module auto-loading
    [*] Hide kernel symbols
  Role Based Access Control Options --->
    [*] Disable RBAC system
    [*] Hide kernel processes
    (5) Maximum tries before password lockout
    (30) Time to wait after max password tries, in seconds
  Filesystem Protections --->
    [*] Proc restrictions
    [*]   Restrict /proc to user only
    [*]   Additional restrictions
    [*] Linking restrictions
    [*] FIFO restrictions
    [ ] Runtime read-only mount protection
    [*] Chroot jail restrictions
    [*]   Deny mounts
    [*]   Deny double-chroots
    [*]   Deny pivot_root in chroot
    [*]   Enforce chdir("/") on all chroots
    [*]   Deny (f)chmod +s
    [*]   Deny fchdir out of chroot
    [*]   Deny mknod
    [*]   Deny shmat() out of chroot
    [*]   Deny access to abstract AF_UNIX sockets out of chroot
    [*]   Protect outside processes
    [*]   Restrict priority changes
    [*]   Deny sysctl writes
    [*]   Capability restrictions
  Kernel Auditing --->
    [ ] Single group for auditing
    [ ] Exec logging
    [*] Resource logging
    [ ] Log execs within chroot
    [ ] Ptrace logging
    [ ] Chdir logging
    [*] (Un)Mount logging
    [*] Signal logging
    [*] Fork failure logging
    [*] Time change logging
    [*] /proc/<pid>/ipaddr support
    [ ] Denied RWX mmap/mprotect logging
    [ ] ELF text relocations logging (READ HELP)
  Executable Protections --->
    [*] Enforce RLIMIT_NPROC on execs
    [*] Dmesg(8) restriction
    [*] Deter ptrace-based process snooping
    [ ] Trusted Path Execution (TPE)
  Network Protections --->
    [*] Larger entropy pools
    [*] TCP/UDP blackhole and LAST_ACK DoS prevention
    [ ] Socket restrictions
  Sysctl support --->
    [*] Sysctl support
    [*] Turn on features by default
  Logging Options --->
    (10) Seconds in between log messages (minimum)
    (4) Number of messages in a burst (maximum)


If you don't need an X.Org system, then you can enable

[*] Disable privileged I/O


but make sure that your hardware clock and other things still work fine. If you are going to enable

[*] Harden module auto-loading


then you may find that Adobe Flash and a few other things stop functioning. If you need RBAC, then just disable this option:

[ ] Disable RBAC system


If you are a "newbie" to all of this, a good idea is to enable

[*] Support soft mode


so that the PaX features are not enforced by default. It can also be controlled via sysctl:

/etc/sysctl.conf
kernel.pax.softmode = 1


1 = soft mode on, 0 = soft mode off. To apply the sysctl rules run

#sysctl -p


Other kernel options are not part of the "hardened" patch set and you need to configure them yourself.

Kernel configuration and installation will always look like this:

#make menuconfig
#make -j1 && make install && make modules_install
#boot-update


Better not compile these sources with many threads (I compile them with -j1 and sometimes -j2/-j3).

If you need to be able to run boot-update on your PaX-enabled system, you will need to disable PAGEEXEC and MPROTECT for */sbin/grub-mkdevicemap* and */sbin/grub-probe*, like this:

paxctl -pm /sbin/grub-mkdevicemap
paxctl -pm /sbin/grub-probe


Pax & co

#paxctl -h
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>

usage: paxctl <options> <files>

options:
 -p: disable PAGEEXEC
 -P: enable PAGEEXEC
 -e: disable EMUTRMAP
 -E: enable EMUTRMAP
 -m: disable MPROTECT
 -M: enable MPROTECT
 -r: disable RANDMMAP
 -R: enable RANDMMAP
 -x: disable RANDEXEC
 -X: enable RANDEXEC
 -s: disable SEGMEXEC
 -S: enable SEGMEXEC
 -v: view flags
 -z: restore default flags
 -q: suppress error messages
 -Q: report flags in short format
 -c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!)
 -C: create PT_PAX_FLAGS (see manpage!)


It enables or disables the individual PaX features per binary when a hardened (PaX-enabled) kernel is used. Each option is described above; I will show a few examples of using it on the desktop.

If we use a hardened desktop, a few features will not function properly and we _maybe_ want to get them working. Let's start: every application that needs one of the PaX features disabled will spam dmesg, along with the other things PaX prevents from being used. That can look like this:

_showing part of dmesg_
PAX: execution attempt in: <anonymous mapping>, 2efaa2e8000-2efaa2eb000 2efaa2e8000
PAX: terminating task: /usr/lib64/paxtest/anonmap(anonmap):24246, uid/euid: 1000/1000, PC: 000002efaa2e8000, SP: 000003c853d02428
PAX: bytes at PC: c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PAX: bytes at SP-8: 000003c853d02530 0000003a9df60fde 0000000000000000 0000003a9df60f85 000002efa9b4b710 0000000000000000 0000000000000000 000002efa9b6ad6d 0000000000000000 000003c853d02538 0000000100000001
grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib64/paxtest/anonmap[anonmap:24246] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib64/paxtest/anonmap[anonmap:24245] uid/eui$
PAX: execution attempt in: /usr/lib64/paxtest/execbss, 5035596000-5035597000 00002000
PAX: terminating task: /usr/lib64/paxtest/execbss(execbss):24249, uid/euid: 1000/1000, PC: 0000005035596020, SP: 000003f935695dc8
PAX: bytes at PC: c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PAX: bytes at SP-8: 000003f935695ed0 0000005035394f43 0000000000000000 0000005035394f05 000003361ab53710 0000000000000000 0000000000000000 000003361ab72d6d 0000000000000000 000003f935695ed8 0000000100000001
grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib64/paxtest/execbss[execbss:24249] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib64/paxtest/execbss[execbss:24248] uid/eui$
PAX: execution attempt in: /usr/lib64/paxtest/execdata, cf60ad000-cf60ae000 00002000
PAX: terminating task: /usr/lib64/paxtest/execdata(execdata):24252, uid/euid: 1000/1000, PC: 0000000cf60ad010, SP: 000003d5dc34b7c8
PAX: bytes at PC: c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PAX: bytes at SP-8: 000003d5dc34b8d0 0000000cf5eabee0 0000000000000000 0000000cf5eabea5 0000034f6d10e710 0000000000000000 0000000000000000 0000034f6d12dd6d 0000000000000000 000003d5dc34b8d8 0000000100000001
grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib64/paxtest/execdata[execdata:24252] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib64/paxtest/execdata[execdata:24251] uid$
PAX: execution attempt in: <anonymous mapping>, 298097e000-29809a0000 298097e000
PAX: terminating task: /usr/lib64/paxtest/execheap(execheap):24255, uid/euid: 1000/1000, PC: 000000298097f080, SP: 000003ed07962bc8
PAX: bytes at PC: c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PAX: bytes at SP-8: 000003ed07962cd0 000000298077bfa8 0000000000000000 000000298077bf65 000003296c266710 0000000000000000 0000000000000000 000003296c285d6d 0000000000000000 000003ed07962cd8 000000010000000
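As an added example (not from the original page), a Python parser for the PaX/grsec dmesg lines shown above: it pairs each "execution attempt" with its "terminating task" line and summarises kills per binary, which is the list an administrator reviews before deciding whether a paxctl exception is justified or the kill should be treated as an attack. The log lines are constructed in the page's format with made-up pids and addresses.

```python
import re

# Constructed sample in the format of the page's dmesg excerpt (pids/addresses made up).
SAMPLE_LOG = """\
PAX: execution attempt in: <anonymous mapping>, 2efaa2e8000-2efaa2eb000 2efaa2e8000
PAX: terminating task: /usr/lib64/paxtest/anonmap(anonmap):24246, uid/euid: 1000/1000, PC: 000002efaa2e8000, SP: 000003c853d02428
PAX: bytes at PC: c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib64/paxtest/anonmap[anonmap:24246] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib64/paxtest/anonmap[anonmap:24245] uid/euid:1000/1000 gid/egid:1000/1000
PAX: execution attempt in: /usr/lib64/paxtest/execbss, 5035596000-5035597000 00002000
PAX: terminating task: /usr/lib64/paxtest/execbss(execbss):24249, uid/euid: 1000/1000, PC: 0000005035596020, SP: 000003f935695dc8
PAX: execution attempt in: <anonymous mapping>, 298097e000-29809a0000 298097e000
PAX: terminating task: /usr/lib64/paxtest/anonmap(anonmap):24260, uid/euid: 1000/1000, PC: 000000298097f080, SP: 000003ed07962bc8
"""

ATTEMPT = re.compile(r"PAX: execution attempt in: (?P<where>.+?), (?P<range>[0-9a-f]+-[0-9a-f]+)")
TERMINATE = re.compile(
    r"PAX: terminating task: (?P<path>\S+?)\((?P<comm>[^)]+)\):(?P<pid>\d+), "
    r"uid/euid: (?P<uid>\d+)/(?P<euid>\d+), PC: (?P<pc>[0-9a-f]+), SP: (?P<sp>[0-9a-f]+)")
GRSEC_DENIED = re.compile(r"grsec: denied (?P<what>.+?) for (?P<path>\S+?)\[")

def parse_pax_kills(log):
    """Pair each 'execution attempt' line with the 'terminating task' line that follows it."""
    kills, pending = [], None
    for line in log.splitlines():
        m = ATTEMPT.search(line)
        if m:
            pending = m.groupdict()          # remember where the attempt happened
            continue
        m = TERMINATE.search(line)
        if m and pending is not None:
            kill = {**pending, **m.groupdict()}
            kill["pid"], kill["uid"] = int(kill["pid"]), int(kill["uid"])
            kills.append(kill)
            pending = None
    return kills

def summarize(log):
    """Kills per binary plus the grsec denial count: the candidates for paxctl review."""
    per_binary = {}
    for kill in parse_pax_kills(log):
        per_binary[kill["path"]] = per_binary.get(kill["path"], 0) + 1
    denials = sum(1 for line in log.splitlines() if GRSEC_DENIED.search(line))
    return {"kills": per_binary, "grsec_denials": denials}
```

A binary that keeps showing up under `kills` after you have already relaxed its flags with paxctl deserves a closer look rather than a further exception.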


To get a few applications fully working you will need to do the following. Firefox (a few exceptional versions may still not work):

paxctl -m /usr/bin/firefox


boot-update (won't run otherwise):

paxctl -pm /sbin/grub-mkdevicemap
paxctl -pm /sbin/grub-probe


If you are using proprietary video drivers, most other graphical apps may also need mprotect() disabled, like this:

paxctl -m /path/to/the/my/binary


To revert the paxctl flags to the default, use

paxctl -z /path/to/the/my/binary


After remerging apps you will need to reapply the rules; I use a bash script for that. Maybe you want to try it too ^_^, like this:

#!/bin/bash
paxctl -m /usr/games/bin/dolphin-emu
paxctl -pemr /usr/bin/wine*


Debug symbols

To get debugging working with Portage you can read the Gentoo page: http://www.gentoo.org/proj/en/qa/backtraces.xml?style=printable

I'd like to use this:

CFLAGS="... -ggdb"
FEATURES="... splitdebug"


That will be enough for a non-hardened system. If you try to use gdb on a hardened one, you will get this message:

warning: The current binary is a PIE (Position Independent Executable), which
GDB does NOT currently support.  Most debugger features will fail if used
in this session.


To get it working you need to customise your flags a little more, like this:

LDFLAGS="... -nopie"


or

LDFLAGS="$LDFLAGS -nopie"


if you weren't using custom LDFLAGS before.

  • "..." means your own defined options.
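As an added example (not from the original page), a Python check for whether a binary was linked as a PIE or, as with -nopie above, as an ordinary ET_EXEC executable, which is the distinction behind gdb's warning and behind paxtest's "Main executable randomisation (ET_EXEC): No randomisation" row. The sample images are constructed minimal ELF64 headers, not real binaries.

```python
import struct

# Constants from the ELF specification.
ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_INTERP = 1, 3

def classify_elf64(data):
    """Return 'ET_EXEC', 'PIE', 'SHARED_OBJECT' or 'OTHER' for an ELF64 image.

    A PIE is linked as ET_DYN just like a shared library, so the two are told
    apart by the PT_INTERP program header only executables carry (a static PIE,
    which has no interpreter, would be reported as SHARED_OBJECT here).
    """
    if data[:4] != ELF_MAGIC or data[4] != 2:          # EI_CLASS 2 = ELFCLASS64
        raise ValueError("not an ELF64 image")
    endian = "<" if data[5] == 1 else ">"              # EI_DATA 1 = little-endian
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    (e_phoff,) = struct.unpack_from(endian + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
    has_interp = any(
        struct.unpack_from(endian + "I", data, e_phoff + i * e_phentsize)[0] == PT_INTERP
        for i in range(e_phnum))
    if e_type == ET_EXEC:
        return "ET_EXEC"
    if e_type == ET_DYN:
        return "PIE" if has_interp else "SHARED_OBJECT"
    return "OTHER"

def make_elf64(e_type, phdr_types):
    """Build a constructed, minimal little-endian ELF64 image (header + program headers only)."""
    ident = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)    # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x1000,
                                 64, 0, 0, 64, 56, len(phdr_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, 0, 0, 0, 0, 0, 1) for t in phdr_types)
    return header + phdrs

# Constructed samples: what -nopie produces, what the hardened gcc produces, and a plain .so.
NOPIE_BINARY = make_elf64(ET_EXEC, [PT_LOAD, PT_INTERP])
PIE_BINARY = make_elf64(ET_DYN, [PT_LOAD, PT_INTERP])
SHARED_LIB = make_elf64(ET_DYN, [PT_LOAD])

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, classify_elf64(f.read()))
```

Run it over the binaries your hardened toolchain produces: an ET_EXEC result means that binary gets no main-executable randomisation, which is the trade-off the -nopie workaround makes for gdb.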