So you would like to have a secure system? For securing a Debian system in general, check out the
main thread!
You might ask yourself why you need a kernel with those features. I have 2 answers for you:
1. security
2. performance enhancement
A kernel built for a specific system can be tuned for that one machine ... the main goal, though, was to achieve more security:
Code:
----------------------------------------------------------------------
created a customized kernel
----------------------------------------------------------------------
patches:
- grsecurity
specs:
- everything not explicitly required = disabled
- no module support (defeating injection attacks)
- grsecurity (customized)
grsecurity settings (enabled ones):
- Address Space protection
  x Deny writing to /dev/kmem, /dev/mem and /dev/port
  x Disable privileged I/O
  x Remove addresses from /proc/pid/[maps|stat]
- Filesystem Protections
  x Proc restrictions
    o Restrict to user only
    o Additional restrictions
  x Linking restrictions
  x FIFO restrictions
  x chroot jail restrictions
    o Deny mounts
    o Deny double-chroots
    o Deny pivot_root in chroots
    o Enforce chdir("/") on all chroots
    o Deny (f)chmod +s
    o Deny fchdir out of chroot
    o Deny mknod
    o Deny shmat() out of chroot
    o Deny access to abstract AF_UNIX sockets out of chroot
    o Protect outside processes
    o Restrict priority changes
    o Deny sysctl writes in chroot
    o Capability restrictions within chroot
- Kernel Auditing
  x Resource logging
  x (Un)mount logging
  x Signal logging
  x Fork failure logging
- Executable Protections
  x Enforce RLIMIT_NPROC on execs
  x Dmesg(8) protection
  x Randomized PIDs
  x Trusted Path Execution
    o Partially restrict non-root users
- Network Protections
  x Larger entropy pools
  x Truly random TCP ISN selection
  x Randomized IP IDs
  x Randomized TCP source ports
  x Altered Ping IDs
- Sysctl support
  x Sysctl support
----------------------------------------------------------------------
As you can see, there are a lot of things offered by that patch. You can download the grsecurity patch
here. If you need more information on an option, just check the help in the kernel config (I suggest you use make menuconfig). Posting that would be just another 200+ KB of data ...
I've used sysctl for configuring the settings. You could also disable sysctl, which would improve security a bit more, but then every change in that area would require recompiling your kernel, so think about whether that is what you want. It's important to LOCK the settings after you have found your ideal settings:
Code:
----------------------------------------------------------------------
implemented grsecurity's features
----------------------------------------------------------------------
mkdir /etc/grsec
created /etc/grsec/sysctl.conf:
# /etc/grsec/sysctl.conf
#
# Filesystem Protections
# ====================================================================
# Linking restrictions
kernel/grsecurity/linking_restrictions = 1
# FIFO restrictions
kernel/grsecurity/fifo_restrictions = 1
# Chroot jail restrictions
# Deny mounts
kernel/grsecurity/chroot_deny_mount = 1
# Deny double-chroots
kernel/grsecurity/chroot_deny_chroot = 1
# Deny pivot_root in chroot
kernel/grsecurity/chroot_deny_pivot = 1
# Enforce chdir("/") on all chroots
kernel/grsecurity/chroot_enforce_chdir = 1
# Deny (f)chmod +s
kernel/grsecurity/chroot_deny_chmod = 1
# Deny fchdir out of chroot
kernel/grsecurity/chroot_deny_fchdir = 1
# Deny mknod
kernel/grsecurity/chroot_deny_mknod = 1
# Deny shmat() out of chroot
kernel/grsecurity/chroot_deny_shmat = 1
# Deny access to abstract AF_UNIX sockets out of chroot
kernel/grsecurity/chroot_deny_unix = 1
# Protect outside processes
kernel/grsecurity/chroot_findtask = 1
# Restrict priority changes
kernel/grsecurity/chroot_restrict_nice = 1
# Deny sysctl writes in chroot
kernel/grsecurity/chroot_deny_sysctl = 1
# Capability restrictions within chroot
kernel/grsecurity/chroot_caps = 1
# --------------------------------------------------------------------
# Kernel Auditing
# ====================================================================
# Log execs within chroot
kernel/grsecurity/chroot_execlog = 1
# (Un)Mount Logging
kernel/grsecurity/audit_mount = 1
# Signal logging
kernel/grsecurity/signal_logging = 1
# Fork failure logging
kernel/grsecurity/forkfail_logging = 1
# --------------------------------------------------------------------
# Executable Protections
# ====================================================================
# Enforce RLIMIT_NPROC on execs
kernel/grsecurity/execve_limiting = 1
# Dmesg restriction
kernel/grsecurity/dmesg = 1
# Randomized PIDs
kernel/grsecurity/rand_pids = 1
# Trusted path execution
kernel/grsecurity/tpe = 1
# Partially restrict non-root users
kernel/grsecurity/tpe_restrict_all = 1
# GID for untrusted users
# kernel/grsecurity/tpe_gid =
# --------------------------------------------------------------------
# Network Protections
# ====================================================================
# Truly random TCP ISN selection
kernel/grsecurity/rand_isns = 1
# Randomized IP IDs
kernel/grsecurity/rand_ip_ids = 1
# Randomized TCP source ports
kernel/grsecurity/rand_tcp_src_ports = 1
# Altered Ping IDs
kernel/grsecurity/altered_pings = 1
# --------------------------------------------------------------------
# LOCK SETTINGS
kernel/grsecurity/grsec_lock = 1
created init script
[ /etc/init.d/grsecurity ]
#!/bin/bash
# Load grsecurity settings from file if
# booted with grsecurity-enabled kernel
if [ -d /proc/sys/kernel/grsecurity ]
then
    sysctl -p /etc/grsec/sysctl.conf
    exit 0
fi
exit 1
chmod 755 /etc/init.d/grsecurity
cd /etc/rcS.d && ln -s ../init.d/grsecurity S39grsecurity
----------------------------------------------------------------------
What I enjoy about grsecurity is TPE (Trusted Path Execution). unSpawn caught my interest in this nice feature. Ideally everybody is UNTRUSTED. Before configuring TPE you should get rid of users (and their groups) that are not required:
Code:
----------------------------------------------------------------------
deleted users that are not required
----------------------------------------------------------------------
userdel games
userdel gnats
userdel irc
userdel list
userdel postgres
userdel proxy
userdel sync
userdel www-data
----------------------------------------------------------------------
----------------------------------------------------------------------
implemented trusted path execution
----------------------------------------------------------------------
created group for untrusted users:
addgroup untrusted
added all users except root to untrusted:
usermod -G untrusted backup
usermod -G untrusted bin
usermod -G untrusted daemon
usermod -G untrusted lp
usermod -G untrusted mail
usermod -G untrusted man
usermod -G users,untrusted,wheel markus
usermod -G untrusted news
usermod -G untrusted nobody
usermod -G untrusted operator
usermod -G untrusted postfix
usermod -G untrusted sshd
usermod -G untrusted sys
usermod -G untrusted uucp
----------------------------------------------------------------------
You need to adjust the group ID of untrusted in /etc/grsec/sysctl.conf (tpe_gid) now!
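Two things are easy to get wrong at this last step: the GID has to be copied by hand into the commented-out tpe_gid placeholder (and must land before the grsec_lock line, which sysctl -p applies in file order), and usermod -G replaces an account's whole supplementary group list, so any account that already had groups loses them unless they are repeated, as the post does for markus (usermod -aG appends instead). The script below is an added example, not the original poster's code: it looks up the GID of the untrusted group, writes it into the config, and lists every non-root account the group does not cover. The group, passwd and config paths are parameters so the functions can be run against constructed copies of /etc/group and /etc/passwd.

```shell
#!/bin/sh
# Added example, not the original poster's script: finish the TPE setup by
# looking up the GID of the "untrusted" group, writing it into the grsecurity
# sysctl.conf as tpe_gid (before the grsec_lock line, which must stay last),
# and listing any non-root account the group does not cover. The group,
# passwd and config paths are parameters so the functions can be exercised
# against constructed copies of /etc/group and /etc/passwd.

# GID of a named group from an /etc/group style file; fails if absent.
group_gid() {
    awk -F: -v g="$1" '$1 == g { print $3; found = 1 } END { exit !found }' "${2:-/etc/group}"
}

# Insert or replace "kernel/grsecurity/tpe_gid = GID" in the config.
# The post leaves a commented-out placeholder; this rewrites it in place.
# If no placeholder exists, the line goes before grsec_lock so that the
# lock is still the last thing sysctl -p applies.
set_tpe_gid() {
    conf="$1"; gid="$2"
    awk -v line="kernel/grsecurity/tpe_gid = $gid" '
        /^#*[ \t]*kernel\/grsecurity\/tpe_gid[ \t]*=/ && !done { print line; done = 1; next }
        /grsec_lock/ && !done { print line; done = 1 }
        { print }
        END { if (!done) print line }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print every account except root whose primary or supplementary groups do
# not include the named group: those are the accounts the tpe_gid group
# does not cover, which is what the post wants to avoid.
users_outside_group() {
    name="$1"; group_file="${2:-/etc/group}"; passwd_file="${3:-/etc/passwd}"
    gid=$(group_gid "$name" "$group_file") || return 1
    members=$(awk -F: -v g="$name" '$1 == g { print $4 }' "$group_file")
    awk -F: -v gid="$gid" -v members=",$members," '
        $1 == "root"                   { next }
        $4 == gid                      { next }
        index(members, "," $1 ",") > 0 { next }
        { print $1 }' "$passwd_file"
}

# Usage: sh tpe-gid.sh /etc/grsec/sysctl.conf
if [ "$#" -gt 0 ]; then
    gid=$(group_gid untrusted) || { echo "no untrusted group in /etc/group" >&2; exit 1; }
    set_tpe_gid "$1" "$gid"
    echo "tpe_gid set to $gid; accounts not in untrusted:"
    users_outside_group untrusted
fi
```

An empty list from users_outside_group means every account except root is in the group, which is the state the post describes; a non-empty list is usually an account created after the usermod run, or one whose groups were overwritten by a later usermod -G.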