Old 05-25-2003, 05:29 AM   #1
Senior Member
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

INFO: creating a special secured kernel (grsecurity kernel patch) w sysctl config

So you'd like to have a secure system? Well, for securing a Debian system check out the main thread!

You might ask yourself why you need a kernel with those features. I have 2 answers for you:
1. security
2. performance enhancement

A kernel built for a specific system can be tuned more for that one ... the main goal though was to achieve more security:
created a customized kernel

		- grsecurity

		- everything not explicitly required = disabled
		- no module support (defeating injection attacks)
		- grsecurity (customized)

	grsecurity settings (enabled ones):

		- Address Space protection
			x Deny writing to /dev/kmem, /dev/mem and

			x Disable privileged I/O

			x Remove addresses from /proc/pid/[maps|stat]

		- Filesystem Protections
			x Proc restrictions
				o Restrict to user only
				o Additional restrictions

			x Linking restrictions

			x FIFO restrictions

			x chroot jail restrictions
				o Deny mounts
				o Deny double-chroots
				o Deny pivot_root in chroots
				o Enforce chdir("/") on all chroots
				o Deny (f)chmod +s
				o Deny fchdir out of chroot
				o Deny mknod
				o Deny shmat() out of chroot
				o Deny access to abstract AF_UNIX
				  sockets out of chroot
				o Protect outside processes
				o Restrict priority changes
				o Deny sysctl writes in chroot
				o Capability restrictions within chroot

		- Kernel Auditing
			x Resource logging

			x (Un)Mount logging

			x Signal logging

			x Fork failure logging

		- Executable Protections
			x Enforce RLIMIT_NPROC on execs

			x Dmesg(8) protection

			x Randomized PIDs

			x Trusted Path Execution
				o Partially restrict non-root users

		- Network Protections
			x Larger entropy pools

			x Truly random TCP ISN selection

			x Randomized IP IDs

			x Randomized TCP source ports

			x Altered Ping IDs

		- Sysctl support
			x Sysctl support
As you can see there are a lot of things offered by that patch. You can download the grsecurity patch here. If you need more information on an option just check the help in the kernel config (I suggest you use make menuconfig). Posting that would be just another 200+ KB of data ...

I've used sysctl for configuring the stuff. You could also disable sysctl; this would improve security even a bit more. But for every change in that area you would need to recompile your kernel. So think about whether this is what you want. It's important to LOCK the settings after you have found your ideal settings:
implemented grsecurity's features
	mkdir /etc/grsec

	created /etc/grsec/sysctl.conf:

# /etc/grsec/sysctl.conf

# Filesystem Protections
# ====================================================================
# Linking restrictions
	kernel/grsecurity/linking_restrictions = 1

# FIFO restrictions
	kernel/grsecurity/fifo_restrictions = 1

# Chroot jail restrictions
	# Deny mounts
	kernel/grsecurity/chroot_deny_mount = 1

	# Deny double-chroots
	kernel/grsecurity/chroot_deny_chroot = 1

	# Deny pivot_root in chroot
	kernel/grsecurity/chroot_deny_pivot = 1

	# Enforce chdir("/") on all chroots
	kernel/grsecurity/chroot_enforce_chdir = 1

	# Deny (f)chmod +s
	kernel/grsecurity/chroot_deny_chmod = 1

	# Deny fchdir out of chroot
	kernel/grsecurity/chroot_deny_fchdir = 1

	# Deny mknod
	kernel/grsecurity/chroot_deny_mknod = 1

	# Deny shmat() out of chroot
	kernel/grsecurity/chroot_deny_shmat = 1

	# Deny access to abstract AF_UNIX sockets out of chroot
	kernel/grsecurity/chroot_deny_unix = 1

	# Protect outside processes
	kernel/grsecurity/chroot_findtask = 1

	# Restrict priority changes
	kernel/grsecurity/chroot_restrict_nice = 1

	# Deny sysctl writes in chroot
	kernel/grsecurity/chroot_deny_sysctl = 1

	# Capability restrictions within chroot
	kernel/grsecurity/chroot_caps = 1
# --------------------------------------------------------------------

# Kernel Auditing
# ====================================================================
# Log execs within chroot
	kernel/grsecurity/chroot_execlog = 1

# (Un)Mount Logging
	kernel/grsecurity/audit_mount = 1

# Signal logging
	kernel/grsecurity/signal_logging = 1

# Fork failure logging
	kernel/grsecurity/forkfail_logging = 1
# --------------------------------------------------------------------

# Executable Protections
# ====================================================================
# Enforce RLIMIT_NPROC on execs
	kernel/grsecurity/execve_limiting = 1

# Dmesg restriction
	kernel/grsecurity/dmesg = 1

# Randomized PIDs
	kernel/grsecurity/rand_pids = 1

# Trusted path execution
	kernel/grsecurity/tpe = 1

# Partially restrict non-root users
	kernel/grsecurity/tpe_restrict_all = 1

# GID for untrusted users
#	kernel/grsecurity/tpe_gid = 
# --------------------------------------------------------------------

# Network Protections
# ====================================================================
# Truly random TCP ISN selection
	kernel/grsecurity/rand_isns = 1

# Randomized IP IDs
	kernel/grsecurity/rand_ip_ids = 1

# Randomized TCP source ports
	kernel/grsecurity/rand_tcp_src_ports = 1

# Altered Ping IDs
	kernel/grsecurity/altered_pings = 1
# --------------------------------------------------------------------

# Lock the settings above (keep this as the last entry)
	kernel/grsecurity/grsec_lock = 1

	created init script
		[ /etc/init.d/grsecurity ]

	#!/bin/sh
	# Load grsecurity settings from file if
	# booted with grsecurity-enabled kernel

	if [ -d /proc/sys/kernel/grsecurity ]; then
		sysctl -p /etc/grsec/sysctl.conf
		exit 0
	fi

	# Not a grsecurity kernel: nothing was loaded
	exit 1

	cd /etc/rcS.d && ln -s ../init.d/grsecurity S39grsecurity

What I enjoy about grsecurity is TPE (Trusted Path Execution). unSpawn caught my interest with this nice feature. Ideally everybody is UNTRUSTED. Before configuring TPE you should get rid of users that are not required (and their groups):
deleted not required users
	userdel games
	userdel gnats
	userdel irc
	userdel list
	userdel postgres
	userdel proxy
	userdel sync
	userdel www-data

implemented trusted path execution
	created group for untrusted users:

		addgroup untrusted

	added all users except root to untrusted:

		usermod -G untrusted backup
		usermod -G untrusted bin
		usermod -G untrusted daemon
		usermod -G untrusted lp
		usermod -G untrusted mail
		usermod -G untrusted man
		usermod -G users,untrusted,wheel markus
		usermod -G untrusted news
		usermod -G untrusted nobody
		usermod -G untrusted operator
		usermod -G untrusted postfix
		usermod -G untrusted sshd
		usermod -G untrusted sys
		usermod -G untrusted uucp
You need to adjust the groupid of untrusted in /etc/grsec/sysctl.conf (tpe_gid) now!
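
The last step above (look up the GID of untrusted, write it to tpe_gid, keep grsec_lock as the final entry) can be scripted. The following is an added example, not part of the original post; the function names are made up for it, and it assumes the key layout of the /etc/grsec/sysctl.conf shown above.

```shell
#!/bin/sh
# Added example, not from the original post. File paths are arguments so the
# functions can be tried on a copy before touching /etc/grsec/sysctl.conf.

# Print the numeric GID of group $1, read from group file $2 (default /etc/group).
group_gid() {
	awk -F: -v g="$1" '$1 == g { print $3; found = 1; exit }
		END { exit !found }' "${2:-/etc/group}"
}

# Set tpe_gid to $2 in config $1: rewrite the (possibly commented-out) line,
# or insert one just before grsec_lock so it is applied before the lock.
set_tpe_gid() {
	conf=$1; gid=$2
	case $gid in ''|*[!0-9]*) echo "invalid gid: $gid" >&2; return 1 ;; esac
	tmp=$(mktemp) || return 1
	awk -v gid="$gid" '
		BEGIN { new = "\tkernel/grsecurity/tpe_gid = " gid }
		$0 ~ "^[# \t]*kernel[/.]grsecurity[/.]tpe_gid[ \t]*=" {
			if (!done) print new
			done = 1; next
		}
		$0 ~ "^[ \t]*kernel[/.]grsecurity[/.]grsec_lock[ \t]*=" && !done {
			print new; done = 1
		}
		{ print }
		END { exit !done }' "$conf" > "$tmp" && cat "$tmp" > "$conf"
	rc=$?; rm -f "$tmp"; return $rc
}

# Succeed only if "grsec_lock = 1" is the last active setting in config $1 and
# tpe_gid is set whenever tpe = 1; otherwise print what is wrong.
check_grsec_conf() {
	awk '
		/^[ \t]*(#|;|$)/ { next }   # skip comments and blank lines
		{
			line = $0; gsub(/[ \t]/, "", line); gsub("/", ".", line)
			split(line, kv, "="); last = kv[1]; val[last] = kv[2]
		}
		END {
			p = "kernel.grsecurity."
			if (last != p "grsec_lock" || val[last] != 1) {
				print "grsec_lock = 1 is not the last setting"; bad = 1 }
			if (val[p "tpe"] == 1 && val[p "tpe_gid"] == "") {
				print "tpe = 1 but tpe_gid is not set"; bad = 1 }
			exit bad
		}' "$1"
}
```

On the system itself this would be run as: set_tpe_gid /etc/grsec/sysctl.conf "$(group_gid untrusted)" && check_grsec_conf /etc/grsec/sysctl.conf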

