Hi!

On Tue, Feb 14, 2006 at 05:56:38PM +0800, Ow Mun Heng wrote:
> ps : hardened-sources config sample anyone?

Millar already sent one. Personally, for comparison, I prefer a more "visual"
representation of the kernel config. Sorry if my message is a pure example of
"how not to answer questions in mailing lists". :)

In my configuration all security options are enabled except:
1) a couple of options making protection weaker (for compatibility) :)
2) Disallow ELF text relocations
   AFAIK with this option a lot of software will not work... :(
3) Enforce non-executable kernel pages
   Disabled only on my home workstation (for VMware); on my servers it's
   enabled.
4) Disable privileged I/O
   Again, disabled only at home (for Xorg).
5) Runtime module disabling
   Enabled only at home, because my servers have loadable module
   support disabled altogether.
6) Trusted Path Execution (TPE)
   Just a feature, I don't need it now.
7) Socket restrictions
   Just a feature, I don't need it now.


So, here are the config details for my home and my servers (2.6.14-hardened-r5):

PaX --->
  [*] Enable various PaX features
  PaX Control --->
    [ ] Support soft mode
    [*] Use legacy ELF header marking
    [*] Use ELF program header marking
    MAC system integration (none) --->
  Non-executable pages --->
    [*] Enforce non-executable pages
    [ ] Paging based non-executable pages
    [*] Segmentation based non-executable pages
    [ ] Emulate trampolines
    [*] Restrict mprotect()
    [ ] Disallow ELF text relocations
    > home   [ ] Enforce non-executable kernel pages
    > server [*] Enforce non-executable kernel pages
  Address Space Layout Randomization --->
    [*] Address Space Layout Randomization
    [*] Randomize kernel stack base
    [*] Randomize user stack base
    [*] Randomize mmap() base
    --- Disable the vsyscall page
Grsecurity --->
  [*] Grsecurity
  Security Level (Custom) --->
  Address Space Protection --->
    [*] Deny writing to /dev/kmem, /dev/mem, and /dev/port
    > home   [ ] Disable privileged I/O
    > server [*] Disable privileged I/O
    [*] Remove addresses from /proc/<pid>/[smaps|maps|stat]
    [*] Deter exploit bruteforcing
    > home   [*] Runtime module disabling
    > server ----------------------------
    [*] Hide kernel symbols
  Role Based Access Control Options --->
    [*] Hide kernel processes
    (3) Maximum tries before password lockout
    (30) Time to wait after max password tries, in seconds
  Filesystem Protections --->
    [*] Proc restrictions
    [*] Restrict /proc to user only
    [*] Additional restrictions
    [*] Linking restrictions
    [*] FIFO restrictions
    [*] Chroot jail restrictions
    [*] Deny mounts
    [*] Deny double-chroots
    [*] Deny pivot_root in chroot
    [*] Enforce chdir("/") on all chroots
    [*] Deny (f)chmod +s
    [*] Deny fchdir out of chroot
    [*] Deny mknod
    [*] Deny shmat() out of chroot
    [*] Deny access to abstract AF_UNIX sockets out of chroot
    [*] Protect outside processes
    [*] Restrict priority changes
    [*] Deny sysctl writes
    [*] Capability restrictions
  Kernel Auditing --->
    [ ] Single group for auditing
    [ ] Exec logging
    [*] Resource logging
    [ ] Log execs within chroot
    [ ] Chdir logging
    [*] (Un)Mount logging
    [ ] IPC logging
    [*] Signal logging
    [*] Fork failure logging
    [ ] Time change logging
    [*] /proc/<pid>/ipaddr support
    [ ] ELF text relocations logging (READ HELP)
  Executable Protections --->
    [*] Enforce RLIMIT_NPROC on execs
    [*] Destroy unused shared memory
    [*] Dmesg(8) restriction
    [*] Randomized PIDs
    [ ] Trusted Path Execution (TPE)
  Network Protections --->
    [*] Larger entropy pools
    [*] Randomized TCP source ports
    [ ] Socket restrictions
  Sysctl support --->
    [*] Sysctl support
    [*] Turn on features by default
  Logging Options --->
    (10) Seconds in between log messages (minimum)
    (4) Number of messages in a burst (maximum)


Also, at the end of /etc/sysctl.conf:
home:
---cut---
kernel.grsecurity.disable_modules = 1
kernel.grsecurity.grsec_lock = 1
---cut---
servers:
---cut---
kernel.grsecurity.grsec_lock = 1
---cut---

--
WBR, Alex.
--
gentoo-server@g.o mailing list
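As an added check (example code, not from the mail or from the grsecurity project), a small Python linter for sysctl fragments like the ones Alex posted: it confirms that nothing under kernel.grsecurity.* is placed after grsec_lock = 1, because once that lock is applied the grsecurity sysctl tree is read-only until reboot and any later setting is rejected. The function names parse_sysctl and check_grsec_sysctl are assumptions for this example.

```python
# Added check for grsecurity sysctl fragments like the ones in the mail above
# (not part of the original mail). It parses kernel.grsecurity.* lines, skips
# comments and the ---cut--- markers, and reports the classic ordering
# mistake: once grsec_lock = 1 has been applied, later writes to the
# grsecurity sysctl tree are refused, so settings after it never take effect.

GRSEC_PREFIX = "kernel.grsecurity."


def parse_sysctl(text):
    """Return (key, value) pairs in file order, ignoring comments and markers."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "---")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs


def check_grsec_sysctl(text):
    """Return ({option: value} that would be applied, [warnings])."""
    settings, warnings, locked = {}, [], False
    for key, value in parse_sysctl(text):
        if not key.startswith(GRSEC_PREFIX):
            continue  # only the grsecurity tree is locked by grsec_lock
        name = key[len(GRSEC_PREFIX):]
        if locked:
            warnings.append(f"{key} follows grsec_lock = 1 and will be rejected")
            continue
        settings[name] = value
        if name == "grsec_lock" and value == "1":
            locked = True
    if not locked:
        warnings.append("grsec_lock is not 1: grsecurity sysctls stay writable by root")
    return settings, warnings


# Fragments from the mail (home and servers) plus a constructed misordered one.
HOME = "kernel.grsecurity.disable_modules = 1\nkernel.grsecurity.grsec_lock = 1\n"
SERVERS = "kernel.grsecurity.grsec_lock = 1\n"
MISORDERED = "kernel.grsecurity.grsec_lock = 1\nkernel.grsecurity.disable_modules = 1\n"

if __name__ == "__main__":
    for label, frag in (("home", HOME), ("servers", SERVERS), ("misordered", MISORDERED)):
        print(label, *check_grsec_sysctl(frag))
```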