-   Linux - Security (
-   -   INFO: creating a special secured kernel (grsecurity kernel patch) w sysctl config (

markus1982 05-25-2003 05:29 AM

INFO: creating a special secured kernel (grsecurity kernel patch) w sysctl config
So you like to have a secure system? Well for the securing a Debian system check out main thread!

You might ask yourself why you need a kernel with those features. I have 2 answers for you:
1. security
2. performance enhancement

A kernel built for a specific system can be tuned more for that one ... the main goal though was to archive more security:

created a customized kernel

                - grsecurity

                - everything not explicitly required = disabled
                - no module support (defeating injection attacks)
                - grsecurity (customized)

        grsecurity settings (enabled ones):

                - Address Space protection
                        x Deny writing to /dev/kmem, /dev/mem and

                        x Disable privileged I/O

                        x Remove addresses from /proc/pid/[maps|stat]

                - Filesystem Protections
                        x Proc restrictions
                                o Restrict to usr only
                                o Additional restrictions

                        x Linking restrictions

                        x FIFO restrictions

                        x chroot jail restrictions
                                o Deny mounts
                                o Deny double-chroots
                                o Deny pivot_root in chroots
                                o Enforce chdir("/") on all chroots
                                o Deny (f)chmod +s
                                o Deny fchdir out of chroot
                                o Deny mknod
                                o Deny shmat() out of chroot
                                o Deny access to abstract AF_UNIX
                                  sockets out of chroot
                                o Protect outside processes
                                o Restrict priority changes
                                o Deny sysctl writes in chroot
                                o Capability restrictions within

                        - Kernel Auditing
                                x Resource logging

                                x Un(mount) logging

                                x Signal logging

                                x Fork failure logging

                        - Executable Protections
                                x Enforce RLIMIT_NPROC on execs

                                x Dmesg(8) protection

                                x Randomized PIDs

                                x Trusted Path Execution
                                        o Partially restrict non-root

                        - Network Protections
                                x Larger entropy pools

                                x Truly random TCP ISN selection

                                x Randomized IP IDs

                                x Randomized TCP source ports

                                x Altered Ping IDS

                        - Sysctl support
                                x Sysctl support

As you can see there are a lot of things offered by that patch. You can download the grsecurity patch here. If you need more information on an option just check the help in the kernel config (I suggest you use make menuconfig). Posting that would be just another 200+ KB of data ...

I've used sysctl for configuring the stuff. You could also disable sysctl, this would improve security even a bit more. But for every change in that area you would need to recompile your kernel. So think if this is what you want. It's important to LOCK the settings after you have foudn your ideal settings:

implemented grsecurity's features
        mkdir /etc/grsec

        created /etc/grsec/sysctl.conf:

# /etc/grsec/sysctl.conf

# Filesystem Protections
# ====================================================================
# Linking restrictions
        kernel/grsecurity/linking_restrictions = 1

# FIFO restrictions
        kernel/grsecurity/fifo_restrictions = 1

# Chroot jail restrictions
        # Deny mounts
        kernel/grsecurity/chroot_deny_mount = 1

        # Deny double-chroots
        kernel/grsecurity/chroot_deny_chroot = 1

        # Deny pivot_root in chroot
        kernel/grsecurity/chroot_deny_pivot = 1

        # Enfoce chdir("/") on all chroots
        kernel/grsecurity/chroot_enforce_chdir = 1

        # Deny (f)chmod +s
        kernel/grsecurity/chroot_deny_chmod = 1

        # Deny fchdir out of chroot
        kernel/grsecurity/chroot_deny_fchdir = 1

        # Deny mknod
        kernel/grsecurity/chroot_deny_mknod = 1

        # Deny shmat() out of chroot
        kernel/grsecurity/chroot_deny_shmat = 1

        # Deny access to abstract AF_UNIX sockets out of chroot
        kernel/grsecurity/chroot_deny_unix = 1

        # Protect outside processes
        kernel/grsecurity/chroot_findtask = 1

        # Restrict priority changes
        kernel/grsecurity/chroot_restrict_nice = 1

        # Deny sysctl writes in chroot
        kernel/grsecurity/chroot_deny_sysctl = 1

        # Capability restrictions within chroot
        kernel/grsecurity/chroot_caps = 1
# --------------------------------------------------------------------

# Kernel Auditing
# ====================================================================
# Log execs within chroot
        kernel/grsecurity/chroot_execlog = 1

# (Un)Mount Logging
        kernel/grsecurity/audit_mount = 1

# Signal logging
        kernel/grsecurity/signal_logging = 1

# Fork failure logging
        kernel/grsecurity/forkfail_logging = 1
# --------------------------------------------------------------------

# Executable Protections
# ====================================================================
# Enforce RLIMIT_NPROC on execs
        kernel/grsecurity/execve_limiting = 1

# Dmesg restriction
        kernel/grsecurity/dmesg = 1

# Randomized PIDs
        kernel/grsecurity/rand_pids = 1

# Trusted path execution
        kernel/grsecurity/tpe = 1

# Particially restrict non-root users
        kernel/grsecurity/tpe_restrict_all = 1

# GID for untrusted users
#        kernel/grsecurity/tpe_gid =
# --------------------------------------------------------------------

# Network Protections
# ====================================================================
# Truly random TCP ISN selection
        kernel/grsecurity/rand_isns = 1

# Randomized IP IDs
        kernel/grsecurity/rand_ip_ids = 1

# Randomized TCP source ports
        kernel/grsecurity/rand_tcp_src_ports = 1

# Altered Ping IDs
        kernel/grsecurity/altered_pings = 1
# --------------------------------------------------------------------

        kernel/grsecurity/grsec_lock = 1

        created init script
                [ /etc/init.d/grsecurity ]

        # Load grsecurity settings from file if
        # booted with grsecurity-enabled kernel

        if [ -d /proc/sys/kernel/grsecurity ]
                sysctl -p /etc/grsec/sysctl.conf
        exit 0

        exit 1

        cd /etc/rcS.d && ln -s ../init.d/grsecurity S39grsecurity


What I enjoy at grsecurity is TPE (Trusted Path Execution). unSpawn caught my interest on this nice feature. Ideally everybody is UNTRUSTED. Before configuring TPE you should get rid of not required users (and their groups):

deleted not required users
        userdel games
        userdel gnats
        userdel irc
        userdel list
        userdel postgres
        userdel proxy
        userdel sync
        userdel www-data

implemented trusted path execution
        created group for untrusted users:

                addgroup untrusted

        added all users except root to untrusted:

                usermod -G untrusted backup
                usermod -G untrusted bin
                usermod -G untrusted daemon
                usermod -G untrusted lp
                usermod -G untrusted mail
                usermod -G untrusted man
                usermod -G users,untrusted,wheel markus
                usermod -G untrusted news
                usermod -G untrusted nobody
                usermod -G untrusted operator
                usermod -G untrusted postfix
                usermod -G untrusted sshd
                usermod -G untrusted sys
                usermod -G untrusted uucp

You need to adjust the groupid of untrusted in /etc/grsec/sysctl.conf (tpe_gid) now!

All times are GMT -5. The time now is 10:36 AM.