Gentoo hardened profile
here is a short overview of these things: [url]http://www.gentoo.org/proj/en/hardened/primer.xml[/url]
i was using funtoo x86_64 stable with a few unmasked things for everything - we will talk about those later. _DONT_FORGET_: this is only for testing purposes ... let's split this into, for example, 5 parts ...
1st part. difference.
2nd part. hardened toolchain.
3rd part. hardened-sources.
4th part. pax & co.
5th part. !?!?!
1st part. difference.
main system was like this before everything:
but after all it can be like this:
[code]
# paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser <firstname.lastname@example.org>
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <email@example.com>
Released under the GNU Public Licence version 2 or later

Mode: blackhat
Linux u2 2.6.35-hardened-r4 #1 SMP PREEMPT Thu Oct 21 00:29:06 MSD 2010 x86_64 Intel(R) Core(TM)2 Duo CPU E8300 @ 2.83GHz GenuineIntel GNU/Linux

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable stack (mprotect)              : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments                   : Killed
Anonymous mapping randomisation test     : 29 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Heap randomisation test (PIE)            : 35 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (PIE)      : 27 bits (guessed)
Shared library randomisation test        : 29 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 35 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 35 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Vulnerable
Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE)         : Vulnerable
[/code]
the package is "app-admin/paxtest". it can show that "it's working".
2nd part. hardened toolchain.
to use a hardened system you need to change your portage profile to the hardened one, like this:
[code]
# ln -sfn /usr/portage/profiles/hardened/linux/2.6/amd64/10.0 /etc/make.profile
# env-update && source /etc/profile
[/code]
but we will _NOT_ do that ;3 (i just stripped that part out and made a more user-friendly way of doing these things via the hardened overlay). now we need to clone and use the hardened overlay. first of all we need to make a dir and clone the overlay into it ... for example at /overlay
[code]
# mkdir /overlay
# cd /overlay
# git clone git://github.com/damex/hardened.git
[/code]
after that we need to make a proper /etc/make.profile
[code]
# rm /etc/make.profile
# mkdir /etc/make.profile
# touch /etc/make.profile/parent
# echo /usr/portage/profiles/default/linux/amd64/2008.0 > /etc/make.profile/parent
# echo /overlay/hardened/profiles >> /etc/make.profile/parent
[/code]
the 1st echo is for your current profile, the 2nd is for the overlay's. only in that priority order. now we need to add our overlay to make.conf
[code]
/etc/make.conf
PORTDIR_OVERLAY="/overlay/hardened"
[/code]
and run
[code]
# env-update && source /etc/profile
[/code]
a few new flags like 'hardened' will now be used system-wide. the current gcc (4.3x) has only PIE support (i mean the gcc's that the funtoo tree has now ~_~). to use all features of the hardened toolchain (PIE/SSP) we will use gcc-4.4.3-r3 or gcc-4.4.4-r2 (they're from the overlay). to use that gcc we may need a newer glibc - it should be picked up automatically from the overlay/portage tree. now we can emerge our toolchain
[code]
# sudo emerge -av linux-headers gcc libtool
[/code]
now we need to enable our new gcc:
[code]
# gcc-config -l
 x86_64-pc-linux-gnu-4.4.3
 x86_64-pc-linux-gnu-4.4.3-hardenednopie
 x86_64-pc-linux-gnu-4.4.3-hardenednopiessp
 x86_64-pc-linux-gnu-4.4.3-hardenednossp
 x86_64-pc-linux-gnu-4.4.3-vanilla
# gcc-config x86_64-pc-linux-gnu-4.4.3
# env-update && source /etc/profile
[/code]
now just emerge the other part of the toolchain
[code]
# sudo emerge -av linux-headers glibc binutils libtool
[/code]
now it's time to run
[code]
# sudo etc-update
[/code]
and recheck your config files. after the config check it's time to remerge the whole world.
[code]
# sudo emerge -uDeav world
[/code]
don't forget to make sure that you have all the use flags you want enabled. it will take a long time, so you can just go away from the keyboard.
if something fails during the world remerge - don't forget to report it ^_^
3rd part. hardened-sources.
it can be emerged via
[code]
# emerge -av hardened-sources
[/code]
i'd prefer the latest sources, so if you do too (hope you do) - just add
[code]
/etc/portage/package.keywords
sys-kernel/hardened-sources
[/code]
it's "vanilla-sources" with hardened patches. it includes at least the pax and grsecurity patches now. i will show an example of configuring it via
[code]
# make menuconfig
[/code]
which is working fine for me on the desktop pc. the options are located at
[code]
Security options --->
    Grsecurity --->
    PaX --->
[/code]
i will now show the configuration of pax and then grsecurity
[code]
PaX --->
[*] Enable various PaX features
    PaX Control --->
        [ ] Support soft mode
        [*] Use legacy ELF header marking
        [*] Use ELF program header marking
        MAC system integration (none) --->
    Non-executable pages --->
        [*] Enforce non-executable pages
        [*] Paging based non-executable pages
        [ ] Emulate trampolines
        [*] Restrict mprotect()
        [ ] Allow ELF text relocations (read help)
        [ ] Enforce non-executable kernel pages
    Address Space Layout Randomization --->
        [*] Address Space Layout Randomization
        [*] Randomize user stack base
        [*] Randomize mmap() base
    Miscellaneous hardening features --->
        [ ] Sanitize all freed memory
        [*] Prevent invalid userland pointer dereference
        [ ] Prevent various kernel object reference counter overflows
        [ ] Bounds check heap object copies between kernel and userland
[/code]
[code]
Grsecurity --->
[*] Grsecurity
    Security Level (Custom) --->
    Address Space Protection --->
        [*] Deny writing to /dev/kmem, /dev/mem, and /dev/port
        [ ] Disable privileged I/O
        [*] Remove addresses from /proc/<pid>/[smaps|maps|stat]
        [*] Deter exploit bruteforcing
        [ ] Harden module auto-loading
        [*] Hide kernel symbols
    Role Based Access Control Options --->
        [*] Disable RBAC system
        [*] Hide kernel processes
        (5) Maximum tries before password lockout
        (30) Time to wait after max password tries, in seconds
    Filesystem Protections --->
        [*] Proc restrictions
        [*] Restrict /proc to user only
        [*] Additional restrictions
        [*] Linking restrictions
        [*] FIFO restrictions
        [ ] Runtime read-only mount protection
        [*] Chroot jail restrictions
        [*] Deny mounts
        [*] Deny double-chroots
        [*] Deny pivot_root in chroot
        [*] Enforce chdir("/") on all chroots
        [*] Deny (f)chmod +s
        [*] Deny fchdir out of chroot
        [*] Deny mknod
        [*] Deny shmat() out of chroot
        [*] Deny access to abstract AF_UNIX sockets out of chroot
        [*] Protect outside processes
        [*] Restrict priority changes
        [*] Deny sysctl writes
        [*] Capability restrictions
    Kernel Auditing --->
        [ ] Single group for auditing
        [ ] Exec logging
        [*] Resource logging
        [ ] Log execs within chroot
        [ ] Ptrace logging
        [ ] Chdir logging
        [*] (Un)Mount logging
        [*] Signal logging
        [*] Fork failure logging
        [*] Time change logging
        [*] /proc/<pid>/ipaddr support
        [ ] Denied RWX mmap/mprotect logging
        [ ] ELF text relocations logging (READ HELP)
    Executable Protections --->
        [*] Enforce RLIMIT_NPROC on execs
        [*] Dmesg(8) restriction
        [*] Deter ptrace-based process snooping
        [ ] Trusted Path Execution (TPE)
    Network Protections --->
        [*] Larger entropy pools
        [*] TCP/UDP blackhole and LAST_ACK DoS prevention
        [ ] Socket restrictions
    Sysctl support --->
        [*] Sysctl support
        [*] Turn on features by default
    Logging Options --->
        (10) Seconds in between log messages (minimum)
        (4) Number of messages in a burst (maximum)
[/code]
if you don't need the xorg system then you can enable
[code]
[*] Disable privileged I/O
[/code]
but make sure that your hw clock and other things still work fine. if you're going to enable
[code]
[*] Harden module auto-loading
[/code]
then you may find that your adobe flash and a few more things won't function. if you need RBAC then just disable this option
[code]
[ ] Disable RBAC system
[/code]
if you intend to use RBAC you may find that your Gajim will not work (can't run). to fix that you will need an updated python (it's the same one... but with one important patch), which you can get just by adding
[code]
/etc/portage/package.keywords
dev-lang/python
[/code]
its revision will always be portage's rX+1 if it's supported. for example, right now portage has "dev-lang/python-2.6.5-r3" and the overlay has "dev-lang/python-2.6.5-r4"
if you're a "newbie" to all this then a good idea is to enable
[code]
[*] Support soft mode
[/code]
so that the pax features are not enforced.
the other options aren't part of the "hardened" patch set and you need to configure them yourself.
kernel configuration and installation will always go like this:
[code]
# make menuconfig
# mount /boot          # if needed
# make && make install && make modules_install
# boot-update          # if needed
[/code]
better not to compile these sources with many threads (i'm compiling them with -j1 and sometimes -j2/-j3).
if you need to be able to run boot-update under your PaX-enabled system then you will need to disable PAGEEXEC and MPROTECT for /sbin/grub-mkdevicemap and /sbin/grub-probe like this
[code]
paxctl -pm /sbin/grub-mkdevicemap
paxctl -pm /sbin/grub-probe
[/code]
next time we will see more examples of pax and a little overview of it :3 cya, and don't forget that all of this is still in progress :)
4th part. pax & co.
[code]
# paxctl -h
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <firstname.lastname@example.org>

usage: paxctl <options> <files>

options:
    -p: disable PAGEEXEC        -P: enable PAGEEXEC
    -e: disable EMUTRMAP        -E: enable EMUTRMAP
    -m: disable MPROTECT        -M: enable MPROTECT
    -r: disable RANDMMAP        -R: enable RANDMMAP
    -x: disable RANDEXEC        -X: enable RANDEXEC
    -s: disable SEGMEXEC        -S: enable SEGMEXEC

    -v: view flags              -z: restore default flags
    -q: suppress error messages -Q: report flags in short format
    -c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!)
    -C: create PT_PAX_FLAGS (see manpage!)
[/code]
it enables or disables individual pax features for the given files when a hardened kernel (with pax support) is used. each option is described above, and i will show a few examples of using it on the desktop.
if we're using a hardened desktop then a few things will not function properly and we _maybe_ will want to get them working. let's start: "every application that wants something enabled/disabled out of the pax features" will spam dmesg with messages about the features that pax prevented it from using. it can look like this
[code]
_showing part of dmesg_
PAX: execution attempt in: <anonymous mapping>, 2efaa2e8000-2efaa2eb000 2efaa2e8000
PAX: terminating task: /usr/lib64/paxtest/anonmap(anonmap):24246, uid/euid: 1000/1000, PC: 000002efaa2e8000, SP: 000003c853d02428
PAX: bytes at PC: c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PAX: bytes at SP-8: 000003c853d02530 0000003a9df60fde 0000000000000000 0000003a9df60f85 000002efa9b4b710 0000000000000000 0000000000000000 000002efa9b6ad6d 0000000000000000 000003c853d02538 0000000100000001
grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib64/paxtest/anonmap[anonmap:24246] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib64/paxtest/anonmap[anonmap:24245] uid/eui$
PAX: execution attempt in: /usr/lib64/paxtest/execbss, 5035596000-5035597000 00002000
PAX: terminating task: /usr/lib64/paxtest/execbss(execbss):24249, uid/euid: 1000/1000, PC: 0000005035596020, SP: 000003f935695dc8
PAX: bytes at PC: c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PAX: bytes at SP-8: 000003f935695ed0 0000005035394f43 0000000000000000 0000005035394f05 000003361ab53710 0000000000000000 0000000000000000 000003361ab72d6d 0000000000000000 000003f935695ed8 0000000100000001
grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib64/paxtest/execbss[execbss:24249] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib64/paxtest/execbss[execbss:24248] uid/eui$
PAX: execution attempt in: /usr/lib64/paxtest/execdata, cf60ad000-cf60ae000 00002000
PAX: terminating task: /usr/lib64/paxtest/execdata(execdata):24252, uid/euid: 1000/1000, PC: 0000000cf60ad010, SP: 000003d5dc34b7c8
PAX: bytes at PC: c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PAX: bytes at SP-8: 000003d5dc34b8d0 0000000cf5eabee0 0000000000000000 0000000cf5eabea5 0000034f6d10e710 0000000000000000 0000000000000000 0000034f6d12dd6d 0000000000000000 000003d5dc34b8d8 0000000100000001
grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib64/paxtest/execdata[execdata:24252] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib64/paxtest/execdata[execdata:24251] uid$
PAX: execution attempt in: <anonymous mapping>, 298097e000-29809a0000 298097e000
PAX: terminating task: /usr/lib64/paxtest/execheap(execheap):24255, uid/euid: 1000/1000, PC: 000000298097f080, SP: 000003ed07962bc8
PAX: bytes at PC: c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PAX: bytes at SP-8: 000003ed07962cd0 000000298077bfa8 0000000000000000 000000298077bf65 000003296c266710 0000000000000000 0000000000000000 000003296c285d6d 0000000000000000 000003ed07962cd8 000000010000000
[/code]
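In the excerpt above each "execution attempt" line is followed by a "terminating task" line. As an added example (not part of the original post), this POSIX shell function counts the kills per binary, uid and memory region, so you can see which programs keep tripping PaX before deciding on any paxctl exception. The function names and the sample lines, including the timestamp prefix, are constructed for the example.

```shell
#!/bin/sh
# Added example: summarise PaX kills found in kernel log text read from stdin.

# Constructed sample, modelled on the dmesg excerpt above (hex dump lines shortened).
sample_log() {
cat <<'EOF'
PAX: execution attempt in: <anonymous mapping>, 2efaa2e8000-2efaa2eb000 2efaa2e8000
PAX: terminating task: /usr/lib64/paxtest/anonmap(anonmap):24246, uid/euid: 1000/1000, PC: 000002efaa2e8000, SP: 000003c853d02428
PAX: bytes at PC: c3 00 00 00
PAX: execution attempt in: /usr/lib64/paxtest/execbss, 5035596000-5035597000 00002000
PAX: terminating task: /usr/lib64/paxtest/execbss(execbss):24249, uid/euid: 1000/1000, PC: 0000005035596020, SP: 000003f935695dc8
[ 1234.5678] PAX: execution attempt in: <anonymous mapping>, 2efaa2e8000-2efaa2eb000 2efaa2e8000
[ 1234.5679] PAX: terminating task: /usr/lib64/paxtest/anonmap(anonmap):24301, uid/euid: 1000/1000, PC: 000002efaa2e8000, SP: 000003c853d02428
EOF
}

# Prints "count<TAB>binary<TAB>uid<TAB>region", most frequent first.
pax_report() {
    awk '
    /PAX: execution attempt in: / {
        # Remember the region of the attempt; the kill line that follows belongs to it.
        region = $0
        sub(/^.*PAX: execution attempt in: /, "", region)
        sub(/, [0-9a-f]+-[0-9a-f]+ [0-9a-f]+ *$/, "", region)
        next
    }
    /PAX: terminating task: / {
        task = $0
        sub(/^.*PAX: terminating task: /, "", task)
        uid = task
        sub(/^.*uid\/euid: /, "", uid)
        sub(/\/.*$/, "", uid)
        # Drop "(comm):pid, uid/euid: ..." to keep only the binary path.
        sub(/\([^()]*\):[0-9]+, uid\/euid: .*$/, "", task)
        count[task "\t" uid "\t" (region == "" ? "unknown" : region)]++
        region = ""
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort -t "$(printf '\t')" -k1,1nr -k2,2
}

sample_log | pax_report
```

On a live system feed it the kernel log instead of the sample, for example `dmesg | pax_report`.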
to get a few applications fully working you will need to do this:
firefox (will not run?):
[code]
paxctl -m /usr/bin/firefox
[/code]
wine (will not run anything?):
[code]
paxctl -pemr /usr/bin/wine*
[/code]
kde4 (not able to use the screensaver and a few other things?)
[code]
paxctl -m /usr/bin/kwin
paxctl -m /usr/bin/knotify4
paxctl -m /usr/bin/kded4
paxctl -m /usr/bin/kdeinit4
paxctl -m /usr/bin/nepomuk*
paxctl -m /usr/bin/systemsettings
paxctl -m /usr/bin/*.kss
paxctl -m /usr/lib/misc/xscreensaver/*
[/code]
xorg-x11 (in a few cases X org may not run ... rly?)
[code]
paxctl -m /usr/bin/X
[/code]
mplayer (when built with too old gcc's?)
[code]
paxctl -m /usr/bin/mplayer
[/code]
boot-update (won't run?)
[code]
paxctl -pm /sbin/grub-mkdevicemap
paxctl -pm /sbin/grub-probe
[/code]
most other graphical apps may also need mprotect() disabled.
to revert the paxctl flags to the default use
[code]
paxctl -z /path/to/the/my/binary
[/code]
after remerging apps you will need to reapply the rules, and i'm using a bash script for that purpose. maybe you will want to try it too ^_^ like this?:
[code]
#!/bin/bash
paxctl -m /usr/bin/firefox
paxctl -pemr /usr/bin/wine*
[/code]
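A more defensive take on the reapply step, as an added example that is not the author's script: it keeps the flags and paths from the commands above in one table, expands the globs, skips anything that is not an ELF file (a glob such as `/usr/bin/wine*` can match wrapper scripts), and prints the plan unless asked to apply it. The `PAXCTL` and `ROOT` variables and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: reapply the paxctl exceptions listed on this page after a remerge.
# Rules are "<paxctl flags> <path or glob>", copied from the commands above.
PAX_RULES='
-m    /usr/bin/firefox
-pemr /usr/bin/wine*
-m    /usr/bin/kwin
-m    /usr/bin/X
-m    /usr/bin/mplayer
-pm   /sbin/grub-mkdevicemap
-pm   /sbin/grub-probe
'
PAXCTL=${PAXCTL:-paxctl}   # program to call (variable name is an assumption)
ROOT=${ROOT:-}             # hypothetical path prefix, only for trying this in a scratch tree

# True if the file starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ "$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# pax_apply plan  -> print the paxctl commands that would run
# pax_apply apply -> run them and report failures on stderr
pax_apply() {
    mode=$1
    printf '%s\n' "$PAX_RULES" | while read -r flags pattern; do
        [ -n "$flags" ] || continue
        # Unquoted on purpose so the glob expands; paths with spaces are not supported.
        for f in $ROOT$pattern; do
            # Skip unmatched globs and non-ELF files such as wrapper scripts.
            [ -f "$f" ] && is_elf "$f" || continue
            if [ "$mode" = apply ]; then
                "$PAXCTL" "$flags" "$f" || echo "paxctl failed for $f" >&2
            else
                echo "$PAXCTL $flags $f"
            fi
        done
    done
}

pax_apply "${1:-plan}"
```

Run it without arguments to review the plan, then with `apply` as root; any binary it reports as failed needs a look by hand.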