Difference between revisions of "Gentoo hardened profile"
From Funtoo Linux
(typo corrected) |
|||
| (32 intermediate revisions by 4 users not shown) | |||
| Line 1: | Line 1: | ||
| − | + | {{fancywarning|Things, described at that wiki page is _NOT_ supported by funtoo upstream and this is a sure way to destroy your system if you do not know what are you doing, following this wiki.}} | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | [http://www.gentoo.org/proj/en/hardened/primer.xml overview of hardened things by gentoo devs] | |
| − | + | i was using funtoo x86_64 stable with few unmasked things for everything - about that things we will talk later. | |
| − | + | _DONT_FORGET_: _NOW_ thats only for testing purposes ... | |
| − | + | = Difference= | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
main system was like that before everything: | main system was like that before everything: | ||
| − | + | {{Root|<nowiki>#paxtest blackhat | |
| − | + | PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org> | |
| − | + | Released under the GNU Public Licence version 2 or later | |
| − | + | Writing output to paxtest.log | |
| − | + | It may take a while for the tests to complete | |
| − | + | Test results: | |
| − | + | PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org> | |
| − | + | Released under the GNU Public Licence version 2 or later | |
| − | + | Mode: blackhat | |
| − | + | Linux u2 2.6.36-rc8 #5 SMP PREEMPT Wed Oct 20 02:57:30 MSD 2010 x86_64 Intel(R) Core(TM)2 Duo CPU E8300 @ 2.83GHz GenuineIntel GNU/Linux | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| + | Executable anonymous mapping : Killed | ||
| + | Executable bss : Killed | ||
| + | Executable data : Killed | ||
| + | Executable heap : Killed | ||
| + | Executable stack : Killed | ||
| + | Executable shared library bss : Killed | ||
| + | Executable shared library data : Killed | ||
| + | Executable anonymous mapping (mprotect) : Vulnerable | ||
| + | Executable bss (mprotect) : Vulnerable | ||
| + | Executable data (mprotect) : Vulnerable | ||
| + | Executable heap (mprotect) : Vulnerable | ||
| + | Executable stack (mprotect) : Vulnerable | ||
| + | Executable shared library bss (mprotect) : Vulnerable | ||
| + | Executable shared library data (mprotect): Vulnerable | ||
| + | Writable text segments : Vulnerable | ||
| + | Anonymous mapping randomisation test : 29 bits (guessed) | ||
| + | Heap randomisation test (ET_EXEC) : 14 bits (guessed) | ||
| + | Heap randomisation test (PIE) : 28 bits (guessed) | ||
| + | Main executable randomisation (ET_EXEC) : No randomisation | ||
| + | Main executable randomisation (PIE) : 28 bits (guessed) | ||
| + | Shared library randomisation test : 28 bits (guessed) | ||
| + | Stack randomisation test (SEGMEXEC) : 28 bits (guessed) | ||
| + | Stack randomisation test (PAGEEXEC) : 28 bits (guessed) | ||
| + | Return to function (strcpy) : paxtest: return address contains a NULL byte. | ||
| + | Return to function (memcpy) : Vulnerable | ||
| + | Return to function (strcpy, PIE) : paxtest: return address contains a NULL byte. | ||
| + | Return to function (memcpy, PIE) : Vulnerable | ||
| + | </nowiki>}} | ||
but after all it can be like that: | but after all it can be like that: | ||
| − | + | {{Root|<nowiki>#paxtest blackhat | |
| − | # paxtest blackhat | + | |
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org> | PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org> | ||
Released under the GNU Public Licence version 2 or later | Released under the GNU Public Licence version 2 or later | ||
| Line 103: | Line 92: | ||
Return to function (strcpy, PIE) : paxtest: return address contains a NULL byte. | Return to function (strcpy, PIE) : paxtest: return address contains a NULL byte. | ||
Return to function (memcpy, PIE) : Vulnerable | Return to function (memcpy, PIE) : Vulnerable | ||
| − | + | </nowiki>}} | |
its "app-admin/paxtest". | its "app-admin/paxtest". | ||
| − | it can show - | + | it can test your machine and show useful pax-side stuff. |
| + | =Hardened toolchain= | ||
| − | + | for using hardened system with gentoo - you was need to change your portage profile to the hardened one. | |
| − | + | ||
| − | for using hardened system - you | + | |
like that | like that | ||
| − | + | {{Root|<nowiki>#ln -sfn /usr/portage/profiles/hardened/linux/2.6/amd64/10.0 /etc/make.profile | |
| − | #ln -sfn /usr/portage/profiles/hardened/linux/2.6/amd64/10.0 /etc/make.profile | + | |
#env-update && source /etc/profile | #env-update && source /etc/profile | ||
| − | + | </nowiki>}} | |
| − | but we will _NOT_ do that | + | but we will _NOT_ do that. |
| − | + | ||
now we need to clone and use hardened overlay. | now we need to clone and use hardened overlay. | ||
1st of all we need to make dir and clone overlay to it ... for example at the /overlay | 1st of all we need to make dir and clone overlay to it ... for example at the /overlay | ||
| − | + | {{Root|<nowiki>#mkdir /overlay | |
| − | #mkdir /overlay | + | |
#cd /overlay | #cd /overlay | ||
| − | #git clone git://github.com/damex/hardened.git | + | #git clone git://github.com/damex/hardened-overlay.git |
| − | + | </nowiki>}} | |
| − | + | Previously it was possible to make use of /etc/make.profile to add the hardened profile but this method is now broken. Currently, the easiest way to accomplish this is to switch to the new funtoo-path version of portage. This can be accomplished by emerging portage-9999. More information on how to setup this new version can be found in [http://forums.funtoo.org/viewtopic.php?id=194 this thread] from Funtoo forums. After switching simply add '/overlay/hardened-overlay/profiles' to the end of your /etc/portage/parent file and add '/overlay/hardened-overlay' to /etc/portage/overlays. | |
| − | + | ||
| − | + | Once you have everything set up run: | |
| − | + | {{Root|<nowiki>#env-update && source /etc/profile | |
| − | + | </nowiki>}} | |
| − | + | A few new flags like 'hardened' will now be enabled globaly. | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | /etc/ | + | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | #env-update && source /etc/profile | + | |
| − | + | ||
| − | few new flags like 'hardened' will | + | |
| − | + | ||
now we can emerge our toolchain | now we can emerge our toolchain | ||
| − | + | {{Root|<nowiki>#emerge -av linux-headers gcc libtool | |
| − | # | + | </nowiki>}} |
| − | + | current gcc (4.3x) have only PIE support (i mean those gcc's that funtoo tree have now ~_~).to use all features of hardened toolchain (PIE/SSP) - we will use gcc-4.4.3-r3 or gcc-4.4.4-r2 (they'r from overlay one). to use that gcc - we may need newer glibc - it must be automatically pickupped form overlay/portage tree. now we can emerge our toolchain | |
now we need to enable our new gcc: | now we need to enable our new gcc: | ||
| − | + | {{Root|<nowiki>#gcc-config -l | |
| − | #gcc-config -l | + | |
[1] x86_64-pc-linux-gnu-4.4.3 | [1] x86_64-pc-linux-gnu-4.4.3 | ||
[2] x86_64-pc-linux-gnu-4.4.3-hardenednopie | [2] x86_64-pc-linux-gnu-4.4.3-hardenednopie | ||
| Line 158: | Line 128: | ||
[5] x86_64-pc-linux-gnu-4.4.3-vanilla | [5] x86_64-pc-linux-gnu-4.4.3-vanilla | ||
#gcc-config x86_64-pc-linux-gnu-4.4.3 | #gcc-config x86_64-pc-linux-gnu-4.4.3 | ||
| − | #env-update | + | #env-update & source /etc/profile |
| − | + | </nowiki>}} | |
now just emerge other part of toolchain | now just emerge other part of toolchain | ||
| − | + | {{Root|<nowiki>#emerge -av linux-headers glibc binutils libtool | |
| − | # | + | </nowiki>}} |
| − | + | ||
now its time to run | now its time to run | ||
| − | + | {{Root|<nowiki>#etc-update | |
| − | # | + | </nowiki>}} |
| − | + | ||
and recheck your config files. | and recheck your config files. | ||
after config check - its time to remerge whole world. | after config check - its time to remerge whole world. | ||
| − | + | {{Root|<nowiki>#emerge -uDeav world | |
| − | # | + | </nowiki>}} |
| − | + | ||
dont forget to make sure that you have all use flags that you want enabled. it will take too long so you can just go away from keyboard. | dont forget to make sure that you have all use flags that you want enabled. it will take too long so you can just go away from keyboard. | ||
| − | if something fails with remerge world - dont forget to report | + | if something fails with remerge world - dont forget to report |
| − | + | =Hardened-sources= | |
it can be emerged va | it can be emerged va | ||
| − | + | {{Root|<nowiki>#emerge -av hardened-sources | |
| − | #emerge -av hardened-sources | + | </nowiki>}} |
| − | + | ||
i'd prefer latest sources so if you too (hope you'd prefer) - just add | i'd prefer latest sources so if you too (hope you'd prefer) - just add | ||
| − | + | {{Root|<nowiki>/etc/portage/package.keywords | |
| − | /etc/portage/package.keywords | + | |
sys-kernel/hardened-sources | sys-kernel/hardened-sources | ||
| − | + | </nowiki>}} | |
| − | its "vanilla-sources" with hardened | + | its "vanilla-sources" with hardened patch set. |
its including atleast pax and grsecurity patches now. i will show example of configuring it via | its including atleast pax and grsecurity patches now. i will show example of configuring it via | ||
| − | + | {{Root|<nowiki>#make menuconfig | |
| − | #make menuconfig | + | </nowiki>}} |
| − | + | ||
wich is working fine for me at the desktop pc. | wich is working fine for me at the desktop pc. | ||
its placing at the | its placing at the | ||
| − | + | {{Root|<nowiki> Security options ---> | |
| − | Security options ---> | + | |
Grsecurity ---> | Grsecurity ---> | ||
PaX ---> | PaX ---> | ||
| − | + | </nowiki>}} | |
i will show now configure of pax and then grsecurity | i will show now configure of pax and then grsecurity | ||
| − | + | {{Root|<nowiki>PaX ---> | |
| − | PaX ---> | + | |
[*] Enable various PaX features | [*] Enable various PaX features | ||
PaX Control ---> | PaX Control ---> | ||
| Line 224: | Line 186: | ||
[ ] Prevent various kernel object reference counter overflows | [ ] Prevent various kernel object reference counter overflows | ||
[ ] Bounds check heap object copies between kernel and userland | [ ] Bounds check heap object copies between kernel and userland | ||
| − | + | </nowiki>}} | |
| − | + | {{Root|<nowiki>Grsecurity ---> | |
| − | Grsecurity ---> | + | |
[*] Grsecurity | [*] Grsecurity | ||
Security Level (Custom) ---> | Security Level (Custom) ---> | ||
| Line 292: | Line 253: | ||
(10) Seconds in between log messages (minimum) | (10) Seconds in between log messages (minimum) | ||
(4) Number of messages in a burst (maximum) | (4) Number of messages in a burst (maximum) | ||
| − | + | </nowiki>}} | |
if you dont need xorg system - then you can enable | if you dont need xorg system - then you can enable | ||
| − | + | {{Root|<nowiki>[*] Disable privileged I/O | |
| − | [*] Disable privileged I/O | + | </nowiki>}} |
| − | + | ||
but make sure that you have your hw clock and other things working fine. | but make sure that you have your hw clock and other things working fine. | ||
if you'r going to enable | if you'r going to enable | ||
| − | + | {{Root|<nowiki>[*] Harden module auto-loading | |
| − | [*] Harden module auto-loading | + | </nowiki>}} |
| − | + | then you can find that your adobe flash and few things more will't functioning. | |
| − | then you can find that your adobe flash and few things more will't functioning | + | |
if you need RBAC - then just disable that option | if you need RBAC - then just disable that option | ||
| − | + | {{Root|<nowiki>[ ] Disable RBAC system | |
| − | [ ] Disable RBAC system | + | </nowiki>}} |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
if you "newbie" to all that then good point is to enable | if you "newbie" to all that then good point is to enable | ||
| − | + | {{Root|<nowiki>[*] Support soft mode | |
| − | [*] Support soft mode | + | </nowiki>}} |
| − | + | to not have enforce pax features by default. | |
| − | to not have enforce pax features. | + | it also can be controlled by sysctl |
| + | {{Root|<nowiki>/etc/sysctl.conf | ||
| + | kernel.pax.softmode = 1 | ||
| + | </nowiki>}} | ||
| + | 1=soft mode on, 0=soft mode off. | ||
| + | to apply sysctl rules run | ||
| + | {{Root|<nowiki>#sysctl -p | ||
| + | </nowiki>}} | ||
| − | other options isnt part of "hardened" patch set and you need to configure then by self. | + | other kernel options isnt part of "hardened" patch set and you need to configure then by self. |
all kernel configuration && installing will always will be like that: | all kernel configuration && installing will always will be like that: | ||
| − | + | {{Root|<nowiki> | |
#make menuconfig | #make menuconfig | ||
| − | + | #make -j1 && make install && make modules_install | |
| − | #make && make install && make modules_install | + | #boot-update |
| − | #boot-update | + | </nowiki>}} |
| − | + | ||
better dont compile that sources with many treads (im compiling em with -j1 and sometimes -j2/-j3). | better dont compile that sources with many treads (im compiling em with -j1 and sometimes -j2/-j3). | ||
if you will need to be able run boot-update under your PAX enabled system then you will need to disable PAGEEXEC and MPROTECT for */sbin/grub-mkdevicemap* and */sbin/grub-probe* like that | if you will need to be able run boot-update under your PAX enabled system then you will need to disable PAGEEXEC and MPROTECT for */sbin/grub-mkdevicemap* and */sbin/grub-probe* like that | ||
| − | + | {{Root|<nowiki>paxctl -pm /sbin/grub-mkdevicemap | |
| − | paxctl -pm /sbin/grub-mkdevicemap | + | |
paxctl -pm /sbin/grub-probe | paxctl -pm /sbin/grub-probe | ||
| − | + | </nowiki>}} | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | =Pax & co= | |
| − | + | {{Root|<nowiki> #paxctl -h | |
| − | + | ||
PaX control v0.5 | PaX control v0.5 | ||
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu> | Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu> | ||
| Line 363: | Line 313: | ||
-c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!) | -c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!) | ||
-C: create PT_PAX_FLAGS (see manpage!) | -C: create PT_PAX_FLAGS (see manpage!) | ||
| − | + | </nowiki>}} | |
it (dis~)allows running different features if hardened (w/ pax support) kernel used. | it (dis~)allows running different features if hardened (w/ pax support) kernel used. | ||
above descripted each option and i will show few examples with using it on the desktop. | above descripted each option and i will show few examples with using it on the desktop. | ||
| Line 371: | Line 321: | ||
\"every application that will want something enabled/disabled out of pax features\" - will spam at the dmesg around with others features that pax prevents to be used. | \"every application that will want something enabled/disabled out of pax features\" - will spam at the dmesg around with others features that pax prevents to be used. | ||
that can be like that | that can be like that | ||
| − | + | {{Root|<nowiki>_showing part of dmesg_ | |
| − | _showing part of dmesg_ | + | |
PAX: execution attempt in: <anonymous mapping>, 2efaa2e8000-2efaa2eb000 2efaa2e8000 | PAX: execution attempt in: <anonymous mapping>, 2efaa2e8000-2efaa2eb000 2efaa2e8000 | ||
PAX: terminating task: /usr/lib64/paxtest/anonmap(anonmap):24246, uid/euid: 1000/1000, PC: 000002efaa2e8000, SP: 000003c853d02428 | PAX: terminating task: /usr/lib64/paxtest/anonmap(anonmap):24246, uid/euid: 1000/1000, PC: 000002efaa2e8000, SP: 000003c853d02428 | ||
| Line 392: | Line 341: | ||
PAX: bytes at PC: c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | PAX: bytes at PC: c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ||
PAX: bytes at SP-8: 000003ed07962cd0 000000298077bfa8 0000000000000000 000000298077bf65 000003296c266710 0000000000000000 0000000000000000 000003296c285d6d 0000000000000000 000003ed07962cd8 000000010000000 | PAX: bytes at SP-8: 000003ed07962cd0 000000298077bfa8 0000000000000000 000000298077bf65 000003296c266710 0000000000000000 0000000000000000 000003296c285d6d 0000000000000000 000003ed07962cd8 000000010000000 | ||
| − | + | </nowiki>}} | |
to get few application fully working you will need to do like that: | to get few application fully working you will need to do like that: | ||
| − | firefox ( | + | firefox (few exceptional verisons may not work): |
| − | + | {{Root|<nowiki>paxctl -m /usr/bin/firefox | |
| − | paxctl -m /usr/bin/firefox | + | </nowiki>}} |
| − | + | ||
| − | + | boot-update (wont run) | |
| − | + | {{Root|<nowiki>paxctl -pm /sbin/grub-mkdevicemap | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | boot-update (wont run | + | |
| − | + | ||
| − | paxctl -pm /sbin/grub-mkdevicemap | + | |
paxctl -pm /sbin/grub-probe | paxctl -pm /sbin/grub-probe | ||
| − | + | </nowiki>}} | |
| − | most other graphic apps may need too disabling mprotect() | + | if you'r using proprientary video drivers => most other graphic apps may need too disabling mprotect() like that: |
| + | {{Root|<nowiki>paxctl -m /path/to/the/my/binary | ||
| + | </nowiki>}} | ||
to revert paxctl things to the default - use | to revert paxctl things to the default - use | ||
| − | + | {{Root|<nowiki>paxctl -z /path/to/the/my/binary | |
| − | paxctl -z /path/to/the/my/binary | + | </nowiki>}} |
| − | + | ||
after remerging apps - you will need to reapply rules and im using for that purposes bash script. maybe you will want try it too ^_^ | after remerging apps - you will need to reapply rules and im using for that purposes bash script. maybe you will want try it too ^_^ | ||
| − | like that | + | like that: |
| − | + | {{Root|<nowiki>#!/bin/bash | |
| − | #!/bin/bash | + | paxctl -m /usr/games/bin/dolphin-emu |
| − | paxctl -m /usr/bin/ | + | |
paxctl -pemr /usr/bin/wine* | paxctl -pemr /usr/bin/wine* | ||
| − | [/ | + | </nowiki>}} |
| + | |||
| + | =Debug symbols= | ||
| + | |||
| + | to get debug working with portage | ||
| + | you can read [http://www.gentoo.org/proj/en/qa/backtraces.xml?style=printable gentoo page] | ||
| + | |||
| + | id like use that: | ||
| + | {{Root|<nowiki>CFLAGS="... -ggdb" | ||
| + | FEATURES="... splitdebug" | ||
| + | </nowiki>}} | ||
| + | |||
| + | that will be enough for non-hardened system. if you will try use gdb with hardened - you will get that message: | ||
| + | {{Root|<nowiki>warning: The current binary is a PIE (Position Independent Executable), which | ||
| + | GDB does NOT currently support. Most debugger features will fail if used | ||
| + | in this session. | ||
| + | </nowiki>}} | ||
| + | |||
| + | to get it working - you need to custom your flags little more like that: | ||
| + | {{Root|<nowiki>LDFLAGS="... -nopie" | ||
| + | </nowiki>}} | ||
| + | or | ||
| + | {{Root|<nowiki>LDFLAGS="$LDFLAGS -nopie" | ||
| + | </nowiki>}} | ||
| + | if you wasnt using custom ldflags before. | ||
| + | |||
| + | * "..." mean your defined options. | ||
| + | |||
| + | |||
| + | =Revert back= | ||
| + | |||
| + | to revert back you need to produce these steps: | ||
| + | |||
| + | {{Root|<nowiki>1. shut off grbac/pax things on system/bins | ||
| + | </nowiki>}} | ||
| + | |||
| + | {{Root|<nowiki>2. bring your lovely non-hardened kernel back | ||
| + | </nowiki>}} | ||
| + | |||
| + | {{Root|<nowiki>3. remerge non-hardened toolchain | ||
| + | </nowiki>}} | ||
| + | |||
| + | {{Root|<nowiki>5. remerge world with non-hardened toolchan | ||
| + | </nowiki>}} | ||
| + | |||
| + | {{Root|<nowiki>6. PROFIT!1111 | ||
| + | </nowiki>}} | ||
| + | |||
| + | [[Category:HOWTO]] | ||
Latest revision as of 16:49, 29 August 2012
Things, described at that wiki page is _NOT_ supported by funtoo upstream and this is a sure way to destroy your system if you do not know what are you doing, following this wiki.
overview of hardened things by gentoo devs
i was using funtoo x86_64 stable with few unmasked things for everything - about that things we will talk later.
_DONT_FORGET_: _NOW_ thats only for testing purposes ...
Contents |
[edit] Difference
main system was like that before everything:
#paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later
Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later
Mode: blackhat
Linux u2 2.6.36-rc8 #5 SMP PREEMPT Wed Oct 20 02:57:30 MSD 2010 x86_64 Intel(R) Core(TM)2 Duo CPU E8300 @ 2.83GHz GenuineIntel GNU/Linux
Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable stack (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Writable text segments : Vulnerable
Anonymous mapping randomisation test : 29 bits (guessed)
Heap randomisation test (ET_EXEC) : 14 bits (guessed)
Heap randomisation test (PIE) : 28 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (PIE) : 28 bits (guessed)
Shared library randomisation test : 28 bits (guessed)
Stack randomisation test (SEGMEXEC) : 28 bits (guessed)
Stack randomisation test (PAGEEXEC) : 28 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Vulnerable
Return to function (strcpy, PIE) : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE) : Vulnerable
but after all it can be like that:
#paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later
Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later
Mode: blackhat
Linux u2 2.6.35-hardened-r4 #1 SMP PREEMPT Thu Oct 21 00:29:06 MSD 2010 x86_64 Intel(R) Core(TM)2 Duo CPU E8300 @ 2.83GHz GenuineIntel GNU/Linux
Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 29 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (PIE) : 35 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (PIE) : 27 bits (guessed)
Shared library randomisation test : 29 bits (guessed)
Stack randomisation test (SEGMEXEC) : 35 bits (guessed)
Stack randomisation test (PAGEEXEC) : 35 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Vulnerable
Return to function (strcpy, PIE) : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE) : Vulnerable
its "app-admin/paxtest".
it can test your machine and show useful pax-side stuff.
[edit] Hardened toolchain
for using hardened system with gentoo - you was need to change your portage profile to the hardened one. like that
#ln -sfn /usr/portage/profiles/hardened/linux/2.6/amd64/10.0 /etc/make.profile
#env-update && source /etc/profile
but we will _NOT_ do that.
now we need to clone and use hardened overlay.
1st of all we need to make dir and clone overlay to it ... for example at the /overlay
#mkdir /overlay
#cd /overlay
#git clone git://github.com/damex/hardened-overlay.git
Previously it was possible to make use of /etc/make.profile to add the hardened profile but this method is now broken. Currently, the easiest way to accomplish this is to switch to the new funtoo-path version of portage. This can be accomplished by emerging portage-9999. More information on how to setup this new version can be found in this thread from Funtoo forums. After switching simply add '/overlay/hardened-overlay/profiles' to the end of your /etc/portage/parent file and add '/overlay/hardened-overlay' to /etc/portage/overlays.
Once you have everything set up run:
#env-update && source /etc/profile
A few new flags like 'hardened' will now be enabled globaly.
now we can emerge our toolchain
#emerge -av linux-headers gcc libtool
current gcc (4.3x) have only PIE support (i mean those gcc's that funtoo tree have now ~_~).to use all features of hardened toolchain (PIE/SSP) - we will use gcc-4.4.3-r3 or gcc-4.4.4-r2 (they'r from overlay one). to use that gcc - we may need newer glibc - it must be automatically pickupped form overlay/portage tree. now we can emerge our toolchain
now we need to enable our new gcc:
#gcc-config -l
[1] x86_64-pc-linux-gnu-4.4.3
[2] x86_64-pc-linux-gnu-4.4.3-hardenednopie
[3] x86_64-pc-linux-gnu-4.4.3-hardenednopiessp
[4] x86_64-pc-linux-gnu-4.4.3-hardenednossp
[5] x86_64-pc-linux-gnu-4.4.3-vanilla
#gcc-config x86_64-pc-linux-gnu-4.4.3
#env-update & source /etc/profile
now just emerge other part of toolchain
#emerge -av linux-headers glibc binutils libtool
now its time to run
#etc-update
and recheck your config files.
after config check - its time to remerge whole world.
#emerge -uDeav world
dont forget to make sure that you have all use flags that you want enabled. it will take too long so you can just go away from keyboard.
if something fails with remerge world - dont forget to report
[edit] Hardened-sources
it can be emerged va
#emerge -av hardened-sources
i'd prefer latest sources so if you too (hope you'd prefer) - just add
/etc/portage/package.keywords
sys-kernel/hardened-sources
its "vanilla-sources" with hardened patch set.
its including atleast pax and grsecurity patches now. i will show example of configuring it via
#make menuconfig
wich is working fine for me at the desktop pc.
its placing at the
Security options --->
Grsecurity --->
PaX --->
i will show now configure of pax and then grsecurity
PaX --->
[*] Enable various PaX features
PaX Control --->
[ ] Support soft mode
[*] Use legacy ELF header marking
[*] Use ELF program header marking
MAC system integration (none) --->
Non-executable pages --->
[*] Enforce non-executable pages
[*] Paging based non-executable pages
[ ] Emulate trampolines
[*] Restrict mprotect()
[ ] Allow ELF text relocations (read help)
[ ] Enforce non-executable kernel pages
Address Space Layout Randomization --->
[*] Address Space Layout Randomization
[*] Randomize user stack base
[*] Randomize mmap() base
Miscellaneous hardening features --->
[ ] Sanitize all freed memory
[*] Prevent invalid userland pointer dereference
[ ] Prevent various kernel object reference counter overflows
[ ] Bounds check heap object copies between kernel and userland
Grsecurity --->
[*] Grsecurity
Security Level (Custom) --->
Address Space Protection --->
[*] Deny writing to /dev/kmem, /dev/mem, and /dev/port
[ ] Disable privileged I/O
[*] Remove addresses from /proc/<pid>/[smaps|maps|stat]
[*] Deter exploit bruteforcing
[ ] Harden module auto-loading
[*] Hide kernel symbols
Role Based Access Control Options --->
[*] Disable RBAC system
[*] Hide kernel processes
(5) Maximum tries before password lockout
(30) Time to wait after max password tries, in seconds
Filesystem Protections --->
[*] Proc restrictions
[*] Restrict /proc to user only
[*] Additional restrictions
[*] Linking restrictions
[*] FIFO restrictions
[ ] Runtime read-only mount protection
[*] Chroot jail restrictions
[*] Deny mounts
[*] Deny double-chroots
[*] Deny pivot_root in chroot
[*] Enforce chdir("/") on all chroots
[*] Deny (f)chmod +s
[*] Deny fchdir out of chroot
[*] Deny mknod
[*] Deny shmat() out of chroot
[*] Deny access to abstract AF_UNIX sockets out of chroot
[*] Protect outside processes
[*] Restrict priority changes
[*] Deny sysctl writes
[*] Capability restrictions
Kernel Auditing --->
[ ] Single group for auditing
[ ] Exec logging
[*] Resource logging
[ ] Log execs within chroot
[ ] Ptrace logging
[ ] Chdir logging
[*] (Un)Mount logging
[*] Signal logging
[*] Fork failure logging
[*] Time change logging
[*] /proc/<pid>/ipaddr support
[ ] Denied RWX mmap/mprotect logging
[ ] ELF text relocations logging (READ HELP)
Executable Protections --->
[*] Enforce RLIMIT_NPROC on execs
[*] Dmesg(8) restriction
[*] Deter ptrace-based process snooping
[ ] Trusted Path Execution (TPE)
Network Protections --->
[*] Larger entropy pools
[*] TCP/UDP blackhole and LAST_ACK DoS prevention
[ ] Socket restrictions
Sysctl support --->
[*] Sysctl support
[*] Turn on features by default
Logging Options --->
(10) Seconds in between log messages (minimum)
(4) Number of messages in a burst (maximum)
if you dont need xorg system - then you can enable
[*] Disable privileged I/O
but make sure that you have your hw clock and other things working fine.
if you'r going to enable
[*] Harden module auto-loading
then you can find that your adobe flash and few things more will't functioning.
if you need RBAC - then just disable that option
[ ] Disable RBAC system
if you "newbie" to all that then good point is to enable
[*] Support soft mode
to not have enforce pax features by default.
it also can be controlled by sysctl
/etc/sysctl.conf
kernel.pax.softmode = 1
1=soft mode on, 0=soft mode off.
to apply sysctl rules run
#sysctl -p
other kernel options isnt part of "hardened" patch set and you need to configure then by self.
all kernel configuration && installing will always will be like that:
#make menuconfig
#make -j1 && make install && make modules_install
#boot-update
better dont compile that sources with many treads (im compiling em with -j1 and sometimes -j2/-j3).
if you will need to be able run boot-update under your PAX enabled system then you will need to disable PAGEEXEC and MPROTECT for */sbin/grub-mkdevicemap* and */sbin/grub-probe* like that
paxctl -pm /sbin/grub-mkdevicemap
paxctl -pm /sbin/grub-probe
[edit] Pax & co
#paxctl -h
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>
usage: paxctl <options> <files>
options:
-p: disable PAGEEXEC -P: enable PAGEEXEC
-e: disable EMUTRMAP -E: enable EMUTRMAP
-m: disable MPROTECT -M: enable MPROTECT
-r: disable RANDMMAP -R: enable RANDMMAP
-x: disable RANDEXEC -X: enable RANDEXEC
-s: disable SEGMEXEC -S: enable SEGMEXEC
-v: view flags -z: restore default flags
-q: suppress error messages -Q: report flags in short format
-c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!)
-C: create PT_PAX_FLAGS (see manpage!)
it (dis~)allows running different features if hardened (w/ pax support) kernel used.
above descripted each option and i will show few examples with using it on the desktop.
if we'r using hardened desktop then few features will not prop~ functioning and we _maybe_ will want it get working. lets start: \"every application that will want something enabled/disabled out of pax features\" - will spam at the dmesg around with others features that pax prevents to be used. that can be like that
_showing part of dmesg_
PAX: execution attempt in: <anonymous mapping>, 2efaa2e8000-2efaa2eb000 2efaa2e8000
PAX: terminating task: /usr/lib64/paxtest/anonmap(anonmap):24246, uid/euid: 1000/1000, PC: 000002efaa2e8000, SP: 000003c853d02428
PAX: bytes at PC: c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PAX: bytes at SP-8: 000003c853d02530 0000003a9df60fde 0000000000000000 0000003a9df60f85 000002efa9b4b710 0000000000000000 0000000000000000 000002efa9b6ad6d 0000000000000000 000003c853d02538 0000000100000001
grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib64/paxtest/anonmap[anonmap:24246] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib64/paxtest/anonmap[anonmap:24245] uid/eui$
PAX: execution attempt in: /usr/lib64/paxtest/execbss, 5035596000-5035597000 00002000
PAX: terminating task: /usr/lib64/paxtest/execbss(execbss):24249, uid/euid: 1000/1000, PC: 0000005035596020, SP: 000003f935695dc8
PAX: bytes at PC: c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PAX: bytes at SP-8: 000003f935695ed0 0000005035394f43 0000000000000000 0000005035394f05 000003361ab53710 0000000000000000 0000000000000000 000003361ab72d6d 0000000000000000 000003f935695ed8 0000000100000001
grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib64/paxtest/execbss[execbss:24249] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib64/paxtest/execbss[execbss:24248] uid/eui$
PAX: execution attempt in: /usr/lib64/paxtest/execdata, cf60ad000-cf60ae000 00002000
PAX: terminating task: /usr/lib64/paxtest/execdata(execdata):24252, uid/euid: 1000/1000, PC: 0000000cf60ad010, SP: 000003d5dc34b7c8
PAX: bytes at PC: c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PAX: bytes at SP-8: 000003d5dc34b8d0 0000000cf5eabee0 0000000000000000 0000000cf5eabea5 0000034f6d10e710 0000000000000000 0000000000000000 0000034f6d12dd6d 0000000000000000 000003d5dc34b8d8 0000000100000001
grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib64/paxtest/execdata[execdata:24252] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib64/paxtest/execdata[execdata:24251] uid$
PAX: execution attempt in: <anonymous mapping>, 298097e000-29809a0000 298097e000
PAX: terminating task: /usr/lib64/paxtest/execheap(execheap):24255, uid/euid: 1000/1000, PC: 000000298097f080, SP: 000003ed07962bc8
PAX: bytes at PC: c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PAX: bytes at SP-8: 000003ed07962cd0 000000298077bfa8 0000000000000000 000000298077bf65 000003296c266710 0000000000000000 0000000000000000 000003296c285d6d 0000000000000000 000003ed07962cd8 000000010000000
to get few application fully working you will need to do like that: firefox (few exceptional verisons may not work):
paxctl -m /usr/bin/firefox
boot-update (wont run)
paxctl -pm /sbin/grub-mkdevicemap
paxctl -pm /sbin/grub-probe
if you'r using proprientary video drivers => most other graphic apps may need too disabling mprotect() like that:
paxctl -m /path/to/the/my/binary
to revert paxctl things to the default - use
paxctl -z /path/to/the/my/binary
after remerging apps - you will need to reapply rules and im using for that purposes bash script. maybe you will want try it too ^_^ like that:
#!/bin/bash
paxctl -m /usr/games/bin/dolphin-emu
paxctl -pemr /usr/bin/wine*
[edit] Debug symbols
to get debug working with portage you can read gentoo page
id like use that:
CFLAGS="... -ggdb"
FEATURES="... splitdebug"
that will be enough for non-hardened system. if you will try use gdb with hardened - you will get that message:
warning: The current binary is a PIE (Position Independent Executable), which
GDB does NOT currently support. Most debugger features will fail if used
in this session.
to get it working - you need to custom your flags little more like that:
LDFLAGS="... -nopie"
or
LDFLAGS="$LDFLAGS -nopie"
if you wasnt using custom ldflags before.
- "..." mean your defined options.
[edit] Revert back
to revert back you need to produce these steps:
1. shut off grbac/pax things on system/bins
2. bring your lovely non-hardened kernel back
3. remerge non-hardened toolchain
5. remerge world with non-hardened toolchan
6. PROFIT!1111
