Slackware-14.1-GrSecurity/PaX Kernel

Posted 05-27-2014 at 10:20 PM by arniekat
Updated 05-27-2014 at 10:52 PM by arniekat (Correct gradm script)

This tutorial will show a quick way to get GrSecurity/PaX running on Slackware64 14.1 (stock kernel 3.10.17). The principle is the same for Slackware 14.0, 13.37, etc. The GrSecurity patches already contain the PaX code. The Kernel Package Creation section will be covered in another tutorial as I get time; this tutorial shows the manual method of installing the kernel. I will be using kernel 3.11.9 since that is the only GrSecurity patch still available in the archives for gradm-3.0. FYI, I have also gotten the GrSecurity 3.0 patches to work with kernel 3.12.8, so you can try those as well. The patches for GrSecurity 2.9.1 are also available for many kernels (3.10.X, 3.11.X) that will work with Slackware64 14.1, so you have plenty to choose from.

Note - You do not need to do all of the following. They are just ideas in list form knowing how much everyone likes lists. Before you compile and install a Mandatory Access Control System, think about/do the following to harden/secure your system and to keep the Role Based Access Control from creating rules for services and applications that you will not be using:

1. Physically secure your Laptop or Desktop to keep it from being stolen.
2. Password protect the BIOS and Lilo (after installing) to keep people from booting with USB sticks, CD-ROMs, etc.
3. Install Slackware using LUKS to encrypt your Hard Drive.
4. Create a good User Password and a strong Root Password. Check with John The Ripper.
5. Turn off all Services you will not be using. See my Tutorial.
6. Remove as many packages as you can for applications you will not be using. See my Package Removal Script.
7. Update your system packages to run the most current software. Manually update or use Slackpkg.
8. Configure Su/Sudo to restrict who is able to su to root. See my Tutorial.
9. Use Security-Enhancing Software to detect unwanted changes to your machine. Aide, Chkrootkit, Rkhunter and Lynis.
10. Harden your Login Manager (XDM, KDM, GDM, or SLiM) so it does not give out usernames, and never set it up for automatic login.
11. Install a Firewall. You can use a Firewall Script, FireHol, UFW, or Arno-IpTables-Firewall from SlackBuilds.org.
12. Lock-down your browser since that is where malicious code can come into your computer.
13. Turn on the NX Bit if your hardware supports it.
14. Compile and install a Hardened Kernel like GrSecurity/Pax, Tomoyo, or RSBAC and configure the Mandatory Access Control System.

Download the patches either from the Stable Archive Branch: http://mirrors.muarf.org/grsecurity/stable/
or from the Testing Archive Branch: http://mirrors.muarf.org/grsecurity/test/
and the Gradm Administration Tool: http://grsecurity.net/stable/gradm-3...1291757.tar.gz
or older Gradm Releases: http://dev.gentoo.org/~blueness/hardened-sources/gradm/
and the Paxctl Tool: http://pax.grsecurity.net/paxctl-0.8.tar.gz
and the Paxtest Tool: http://grsecurity.net/~spender/paxtest-0.9.11.tar.gz
and the Linux Kernel 3.11.9: https://www.kernel.org/pub/linux/ker...-3.11.9.tar.xz

I downloaded the Linux Kernel Source 3.11.9, the GrSecurity/PaX Kernel Patch grsecurity-3.0-3.11.9-201311242034.patch.gz, the GrSecurity Administration Tool gradm-3.0-201401291757.tar.gz, the Paxctl Application paxctl-0.8.tar.gz, and the Paxtest Tool paxtest-0.9.11.tar.gz.

Paxtest can be used to test the functionality of memory protection on your system. I normally check my system with the stock Slackware Kernel and then with the GrSecurity/Pax Kernel.

After you untar paxtest, cd into its directory and run one of the following commands as root:

For Slackware 14.1 (32-Bit)
# make linux32

For Slackware64 14.1 (64-Bit)
# make linux64

In order to run paxtest:

# ./paxtest blackhat

Mode: blackhat
Linux apple 3.14.4 #2 SMP Tue May 13 13:05:06 CDT 2014 with NX Bit
x86_64 Intel(R) Celeron(R) CPU E3200 @ 2.40GHz GenuineIntel GNU/Linux

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable stack (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Writable text segments : Vulnerable
Anonymous mapping randomisation test : 28 bits (guessed)
Heap randomisation test (ET_EXEC) : 14 bits (guessed)
Heap randomisation test (PIE) : 28 bits (guessed)
Main executable randomisation (ET_EXEC) : 28 bits (guessed)
Main executable randomisation (PIE) : 28 bits (guessed)
Shared library randomisation test : 28 bits (guessed)
Stack randomisation test (SEGMEXEC) : 28 bits (guessed)
Stack randomisation test (PAGEEXEC) : 28 bits (guessed)
Arg/env randomisation test (SEGMEXEC) : 20 bits (guessed)
Arg/env randomisation test (PAGEEXEC) : 20 bits (guessed)
Randomization under memory exhaustion @~0: 28 bits (guessed)
Randomization under memory exhaustion @0 : 28 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Killed
Return to function (strcpy, PIE) : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE) : Killed

This will create a file paxtest.log in the current directory. Copy that file to another location so you can compare readings later: when you run it again with the PaX-enabled kernel, paxtest.log will be overwritten with the new information.

Untar the Linux Kernel 3.11.9 into the folder /usr/src/linux-3.11.9-grsec, apply the GrSecurity/Pax Patch, copy the kernel config file from the 3.10.17 Slackware Kernel, merge it with the new kernel/grsecurity/pax, change some settings, and compile. Here is the sequence:

# cd /usr/src
# cp /location/of/linux-3.11.9.tar.xz /usr/src
# tar -xvf linux-3.11.9.tar.xz
# cp -R linux-3.11.9 linux-3.11.9-grsec
# rm linux-3.11.9.tar.xz
# rm -rf linux-3.11.9
# cd linux-3.11.9-grsec
# cp /location/of/grsecurity-3.0-3.11.9-201311242034.patch.gz /usr/src/linux-3.11.9-grsec
# zcat grsecurity-3.0-3.11.9-201311242034.patch.gz | patch -p1
# zcat /proc/config.gz > .config
# make oldconfig

Hit <ENTER> until you get to this section, then select number 3:

Kernel compression mode
1. Gzip (KERNEL_GZIP)
2. Bzip2 (KERNEL_BZIP2)
> 3. LZMA (KERNEL_LZMA)
4. XZ (KERNEL_XZ)
5. LZO (KERNEL_LZO)
6. LZ4 (KERNEL_LZ4) (NEW)
choice[1-6?]: 3 <ENTER>

Keep hitting <ENTER> (approx 25 times) until you get back to a prompt. You will see the GrSecurity menu items.

Now, run "make menuconfig" to change the kernel config and GrSecurity/Pax Settings before compiling the kernel.

# make menuconfig

This recommendation comes from the Hardened Gentoo Project and my own testing. It is for the
grsecurity-3.0-3.11.9-201311242034.patch.gz along with Linux Kernel 3.11.9 for Slackware64 14.1.
NOTE - I left the Default Setting for Kernel Auditing as I do not want tons of logs!

Linux/x86 3.11.9 Kernel Configuration

Security options > Grsecurity --->

GRSECURITY KERNEL FEATURES
[*] Grsecurity

Configuration Method (Automatic) --->
Usage Type (Desktop) --->
Virtualization Type (None) --->
Required Priorities (Performance) --->
Default Special Groups ---> (10) GID exempted from /proc restrictions
Customize Configuration --->

Customize Configuration > Memory Protections
[*] Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port
[ ] Disable privileged I/O
[*] Harden BPF JIT against spray attacks
[*] Disable unprivileged PERF_EVENTS usage by default
[*] Insert random gaps between thread stacks
[*] Harden ASLR against information leaks and entropy reduction
[*] Deter exploit bruteforcing
[*] Harden module auto-loading
[*] Hide kernel symbols
[*] Active kernel exploit response

Customize Configuration > Role Based Access Control Options

[ ] Disable RBAC system
[*] Hide kernel processes
(3) Maximum tries before password lockout
(30) Time to wait after max password tries, in seconds

Customize Configuration > Filesystem Protections
[*] Proc restrictions
[ ] Restrict /proc to user only
[*] Allow special group
(10) GID for special group
[*] Additional restrictions
[*] Linking restrictions
[ ] Kernel-enforced SymlinksIfOwnerMatch
[*] FIFO restrictions
[ ] Sysfs/debugfs restriction
[ ] Runtime read-only mount protection
[*] Eliminate stat/notify-based device sidechannels
[*] Chroot jail restrictions
[*] Deny mounts
[*] Deny double-chroots
[*] Deny pivot_root in chroot
[*] Enforce chdir("/") on all chroots
[*] Deny (f)chmod +s
[*] Deny fchdir out of chroot
[*] Deny mknod
[*] Deny shmat() out of chroot
[*] Deny access to abstract AF_UNIX sockets out of chroot
[*] Protect outside processes
[*] Restrict priority changes
[*] Deny sysctl writes
[*] Capability restrictions
[*] Exempt initrd tasks from restrictions

Customize Configuration > Kernel Auditing (Full Auditing - use sysctl to minimize logs!)
I did not use this setting!

[ ] Single group for auditing
[*] Exec logging
[*] Resource logging
[*] Log execs within chroot
[*] Ptrace logging
[*] Chdir logging
[*] (Un)Mount logging
[*] Signal logging
[*] Fork failure logging
[*] Time change logging
[*] /proc/<pid>/ipaddr support
[*] Denied RWX mmap/mprotect logging

Customize Configuration > Kernel Auditing (Default Setting)
This is the setting I used!

[ ] Single group for auditing
[ ] Exec logging
[*] Resource logging
[ ] Log execs within chroot
[ ] Ptrace logging
[ ] Chdir logging
[ ] (Un)Mount logging
[*] Signal logging
[ ] Fork failure logging
[*] Time change logging
[*] /proc/<pid>/ipaddr support
[*] Denied RWX mmap/mprotect logging

Customize Configuration > Executable Protections
[*] Dmesg(8) restriction
[*] Deter ptrace-based process snooping
[*] Require read access to ptrace sensitive binaries
[*] Enforce consistent multithreaded privileges
[*] Disallow access to world-accessible IPC objects
[*] Trusted Path Execution (TPE)
[*] Partially restrict all non-root users
[ ] Invert GID option
(100) GID for TPE-untrusted users

Customize Configuration > Network Protections
[*] Larger entropy pools
[*] TCP/UDP blackhole and LAST_ACK DoS prevention
[*] Disable TCP Simultaneous Connect
[ ] Socket restrictions

Customize Configuration > Physical Protections
[*] Deny new USB connections after toggle
[ ] Reject all USB devices not connected at boot

Customize Configuration > Sysctl Support
[*] Sysctl support
[*] Turn on features by default

Customize Configuration > Logging Options

(10) Seconds in between log messages (minimum)
(6) Number of messages in a burst (maximum)

Security options > Grsecurity ---> Customize configuration > Pax

PAX KERNEL FEATURES
[*] Enable various PaX features

PaX Control for Paxctl-0.8 Marking ->

[ ] Support soft mode
[ ] Use legacy ELF header marking
[*] Use ELF program header marking
[ ] Use filesystem extended attributes marking
MAC system integration (none) --->

PaX Control For Extended Attributes Marking ->

[ ] Support soft mode
[ ] Use legacy ELF header marking
[ ] Use ELF program header marking
[*] Use filesystem extended attributes marking
MAC system integration (none) --->

Non-executable pages ->
[*] Enforce non-executable pages
[*] Paging based non-executable pages
[*] Segmentation based non-executable pages <--- Not available on amd64
[*] Emulate trampolines
[*] Restrict mprotect()
[*] Use legacy/compat protection demoting
[ ] Allow ELF text relocations
[*] Enforce non-executable kernel pages
Return Address Instrumentation Method (or) ---> <--- Not available on x86
(4) Minimum amount of memory reserved for module code <--- Not available on amd64

Address Space Layout Randomization ->
[*] Address Space Layout Randomization
[*] Randomize kernel stack base
[*] Randomize user stack base
[*] Randomize mmap() base

Miscellaneous hardening features --->
[*] Sanitize kernel stack
[*] Forcibly initialize local variables copied to userland
[*] Prevent invalid userland pointer dereference
[*] Prevent various kernel object reference counter overflows
[*] Automatically constify eligible structures
[*] Harden heap object copies between kernel and userland
[*] Prevent various integer overflows in function size parameters
[*] Generate some entropy during boot and runtime

Hit <Exit> until you are asked if you want to save the Configuration File. Select <Yes>.

Now, compile the bzImage, modules, and install the modules to the proper location.

# make bzImage modules
# make modules_install

Make sure you are still in /usr/src/linux-3.11.9-grsec. To manually copy the kernel and create the new rc.modules file so you can boot it:

# cp /etc/rc.d/rc.modules-3.10.17 /etc/rc.d/rc.modules-3.11.9-grsec
# cp arch/x86/boot/bzImage /boot/vmlinuz-huge-3.11.9-grsec
# cp System.map /boot/System.map-huge-3.11.9-grsec
# cp .config /boot/config-huge-3.11.9-grsec
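With the config saved to /boot, it is worth checking mechanically that the options you picked in the Customize Configuration submenus actually ended up as =y in the file, since it is easy to miss one. The following POSIX sh script is my own addition, not something from this post or from the grsecurity project. The CONFIG_* symbol names are the ones I believe correspond to the menu entries listed above; treat that mapping as an assumption and confirm it against your own .config. The script reads either a plain .config or a gzipped one such as /proc/config.gz and prints every required option that is not set.

```shell
#!/bin/sh
# Check a kernel config for the GrSecurity/PaX options enabled in the tutorial.
# Added example, not from the blog post.  The CONFIG_* symbols below are my
# assumed mapping from menuconfig entries to Kconfig names; verify in your .config.

# "SYMBOL  menu entry", one per line (assumed mapping).
GRSEC_REQUIRED='
CONFIG_GRKERNSEC Grsecurity
CONFIG_GRKERNSEC_KMEM Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port
CONFIG_GRKERNSEC_HIDESYM Hide kernel symbols
CONFIG_GRKERNSEC_CHROOT Chroot jail restrictions
CONFIG_GRKERNSEC_TPE Trusted Path Execution (TPE)
CONFIG_GRKERNSEC_SYSCTL Sysctl support
CONFIG_PAX Enable various PaX features
CONFIG_PAX_NOEXEC Enforce non-executable pages
CONFIG_PAX_PAGEEXEC Paging based non-executable pages
CONFIG_PAX_MPROTECT Restrict mprotect()
CONFIG_PAX_KERNEXEC Enforce non-executable kernel pages
CONFIG_PAX_ASLR Address Space Layout Randomization
CONFIG_PAX_RANDMMAP Randomize mmap() base
CONFIG_PAX_USERCOPY Harden heap object copies between kernel and userland
'

# Write a plain or gzipped kernel config (e.g. /proc/config.gz) to stdout.
kconfig_cat() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Print "SYMBOL  (menu entry)" for each required option that is not "=y".
# Returns 0 if everything is enabled, 1 if anything is missing, 2 on read error.
grsec_config_missing() {
    cfg=$(kconfig_cat "$1") || return 2
    printf '%s\n' "$GRSEC_REQUIRED" | while read -r sym desc; do
        [ -n "$sym" ] || continue
        # -x matches the whole line, so CONFIG_PAX=y does not satisfy CONFIG_PAX_ASLR
        if ! printf '%s\n' "$cfg" | grep -qx "$sym=y"; then
            printf '%s  (%s)\n' "$sym" "$desc"
        fi
    done | grep . && return 1
    return 0
}

# Usage: sh grsec-config-check.sh /boot/config-huge-3.11.9-grsec
#        sh grsec-config-check.sh /proc/config.gz      (after booting the new kernel)
if [ $# -eq 1 ]; then
    if grsec_config_missing "$1"; then
        echo "all listed GrSecurity/PaX options are enabled in $1"
    fi
fi
```

Run it once against the saved /boot config and again against /proc/config.gz after rebooting; the second run confirms that the kernel you actually booted is the one you configured.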

After you boot the new kernel, some packages will need a recompile because they ship kernel modules built for the old kernel. To find out which ones:

# cd /var/log/packages
# grep -l "lib/modules/$(uname -r)" *

Edit your /etc/lilo.conf file and add in the new kernel:

# vi /etc/lilo.conf

# Linux bootable partition config begins
image = /boot/vmlinuz-huge-3.10.17
root = /dev/sda1
label = Slack31017
read-only
# Linux bootable partition config ends
# GrSecurity bootable partition config begins
image = /boot/vmlinuz-huge-3.11.9-grsec
root = /dev/sda1
label = GrSec3119
read-only
# GrSecurity bootable partition config ends

Save the file, exit and run /sbin/lilo

# /sbin/lilo

Now, compile the paxctl-0.8 package. You can get the paxctl-0.7 SlackBuild and Slack-desc and just change the version number and the type of source package (bz2 to gz) on the script and it will work fine.

VERSION=${VERSION:-0.8}
tar xvf $CWD/$PRGNAM-$VERSION.tar.gz

After installing the paxctl-0.8 package, run the following commands to enable KDM and KDE to work before rebooting into your new GrSecurity/PaX Kernel. See my Pax Notes blog for the additional PaX Flags that need to be changed.

# paxctl -cm /usr/bin/ksmserver
# paxctl -cm /usr/bin/kwrapper4
# paxctl -cm /usr/bin/kdeinit4
# paxctl -cm /usr/bin/kwin
# paxctl -cm /usr/bin/okular

If you get the message /usr/bin/kwrapper4: Text file busy, the binary is in use and its flags cannot be changed from within KDE. Either reboot into your Slackware kernel, or open a terminal, su to root, and enter:

# init 3

to change to runlevel 3. If you do reboot, hit TAB at the Lilo prompt, enter the Slackware kernel name followed by a space and a 3 to boot into runlevel 3, then, on the command line as root, re-run each of the commands that did not change the PaX flags.

Lilo: Slack31017 3

Login as root and run the commands to change the PaX Flags.

# paxctl -cm /usr/bin/kwrapper4
# paxctl -cm /usr/bin/kdeinit4
# paxctl -cm /usr/bin/kwin

Reboot your machine and select the GrSecurity Kernel 3.11.9. Everything should work as normal. Re-run the Paxtest Suite and compare the readings. Here is my computer for comparison:

Mode: blackhat
Linux apple 3.11.9-grsec #1 SMP Tue May 27 18:55:13 PDT 2014 with NX Bit
x86_64 Intel(R) Celeron(R) CPU E3200 @ 2.40GHz GenuineIntel GNU/Linux

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 29 bits (guessed)
Heap randomisation test (ET_EXEC) : 23 bits (guessed)
Heap randomisation test (PIE) : 35 bits (guessed)
Main executable randomisation (ET_EXEC) : 29 bits (guessed)
Main executable randomisation (PIE) : 29 bits (guessed)
Shared library randomisation test : 29 bits (guessed)
Stack randomisation test (SEGMEXEC) : 35 bits (guessed)
Stack randomisation test (PAGEEXEC) : 35 bits (guessed)
Arg/env randomisation test (SEGMEXEC) : 39 bits (guessed)
Arg/env randomisation test (PAGEEXEC) : 39 bits (guessed)
Randomization under memory exhaustion @~0: 29 bits (guessed)
Randomization under memory exhaustion @0 : 29 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Killed
Return to function (strcpy, PIE) : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE) : Killed
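The post has you compare the stock-kernel paxtest.log you saved earlier against the run just shown by eye. Here is a small POSIX sh script I added to do that comparison; it is not part of this blog post or of paxtest itself, and the paxtest_* function names are my own. It parses the "test : result" lines of two logs, lists every test whose result changed, and exits non-zero if the new kernel still reports any test as Vulnerable, so it can be used as a pass/fail check rather than a visual one.

```shell
#!/bin/sh
# Compare two paxtest.log files (stock kernel vs. GrSecurity/PaX kernel).
# Added example for this tutorial; paxtest_* names are mine, not part of paxtest.

# Print "test name|result" for every test line in a paxtest log.  Header lines
# ("Mode: blackhat", the uname line) are dropped because their text after the
# colon is not one of the result forms: "Killed", "Vulnerable",
# "N bits (guessed)" or a "paxtest: ..." note for a test that could not run.
paxtest_results() {
    awk -F': *' '
        NF < 2 { next }
        {
            name = $1; sub(/ +$/, "", name)
            res = $0; sub(/^[^:]*: */, "", res)
            if (res ~ /^(Killed|Vulnerable)$/ || res ~ / bits / || res ~ /^paxtest:/)
                print name "|" res
        }' "$1"
}

# Number of tests still reported as Vulnerable in one log.
paxtest_vulnerable_count() {
    paxtest_results "$1" | awk -F'|' '$2 == "Vulnerable" { n++ } END { print n + 0 }'
}

# Print every test whose result differs between the baseline log ($1) and the
# new log ($2).  Exit status: 0 if the new log has no Vulnerable result,
# 1 if it still does, 2 if the baseline could not be read or had no results.
paxtest_compare() {
    base=$(mktemp) || return 2
    paxtest_results "$1" > "$base"
    if [ ! -s "$base" ]; then
        rm -f "$base"
        echo "no paxtest results found in $1" >&2
        return 2
    fi
    # First file fills old[]; the second (stdin, "-") is compared against it.
    paxtest_results "$2" | awk -F'|' '
        FNR == NR { old[$1] = $2; next }
        {
            if (!($1 in old))        printf "NEW      %s: %s\n", $1, $2
            else if (old[$1] != $2)  printf "CHANGED  %s: %s -> %s\n", $1, old[$1], $2
            if ($2 == "Vulnerable") vulnerable++
        }
        END { exit (vulnerable > 0) }' "$base" -
    status=$?
    rm -f "$base"
    return $status
}

# Usage: sh paxtest-compare.sh stock-paxtest.log grsec-paxtest.log
if [ $# -eq 2 ]; then
    paxtest_compare "$1" "$2"
fi
```

On the two logs shown in this post, the script would print a CHANGED line for each of the eight mprotect and writable-text tests (Vulnerable to Killed) and for every randomisation test whose bit count rose, and exit 0 because the GrSecurity run has no Vulnerable result left.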

You can use the gradm-2.9.1_201301041755 SlackBuild from SlackBuilds.org and just make the following changes for gradm-3.0-201401291757.tar.gz (Note: you MUST compile the package using your new GrSecurity/PaX kernel after rebooting!). These are the only changes you need to make to the SlackBuild (the last one goes after untarring the source code):

VERSION=${VERSION:-3.0_201401291757}
...
cd ${PRGNAM}

Compile the gradm package and install it.

What you will have now is a Slackware machine hardened by some practical suggestions and further hardened with a GrSecurity/PaX kernel, which you can then use to learn about Mandatory Access Control by creating a Role Based Access Control policy to further lock down your system.