| 1 |
Hi! |
| 2 |
|
| 3 |
On Tue, Feb 14, 2006 at 05:56:38PM +0800, Ow Mun Heng wrote: |
| 4 |
> ps : hardenend-sources config sample anyone? |
| 5 |
|
| 6 |
Millar already sent one. Personally I prefer for comparison more "visual" |
| 7 |
representation of kernel config. Sorry if my message is pure example of |
| 8 |
"how to not answer questions in maillists". :) |
| 9 |
|
| 10 |
In my configuration enabled all security options except: |
| 11 |
1) a couple of options making protection more weak (for compatibility) :) |
| 12 |
2) Disallow ELF text relocations |
| 13 |
AFAIK with this option a lot of software will not work... :( |
| 14 |
3) Enforce non-executable kernel pages |
| 15 |
Disabled only at home workstation (for VMware), on my servers it's |
| 16 |
enabled. |
| 17 |
4) Disable privileged I/O |
| 18 |
Again, disabled only at home (for Xorg). |
| 19 |
5) Runtime module disabling |
| 20 |
Enabled only at home, because my servers has disabled loadable |
| 21 |
modules support at all. |
| 22 |
6) Trusted Path Execution (TPE) |
| 23 |
Just a feature, I don't need it now. |
| 24 |
7) Socket restrictions |
| 25 |
Just a feature, I don't need it now. |
| 26 |
|
| 27 |
|
| 28 |
So, here config details for my home and my servers (2.6.14-hardened-r5): |
| 29 |
|
| 30 |
PaX ---> |
| 31 |
[*] Enable various PaX features |
| 32 |
PaX Control ---> |
| 33 |
[ ] Support soft mode |
| 34 |
[*] Use legacy ELF header marking |
| 35 |
[*] Use ELF program header marking |
| 36 |
MAC system integration (none) ---> |
| 37 |
Non-executable pages ---> |
| 38 |
[*] Enforce non-executable pages |
| 39 |
[ ] Paging based non-executable pages |
| 40 |
[*] Segmentation based non-executable pages |
| 41 |
[ ] Emulate trampolines |
| 42 |
[*] Restrict mprotect() |
| 43 |
[ ] Disallow ELF text relocations |
| 44 |
> home [ ] Enforce non-executable kernel pages |
| 45 |
> server [*] Enforce non-executable kernel pages |
| 46 |
Address Space Layout Randomization ---> |
| 47 |
[*] Address Space Layout Randomization |
| 48 |
[*] Randomize kernel stack base |
| 49 |
[*] Randomize user stack base |
| 50 |
[*] Randomize mmap() base |
| 51 |
--- Disable the vsyscall page |
| 52 |
Grsecurity ---> |
| 53 |
[*] Grsecurity |
| 54 |
Security Level (Custom) ---> |
| 55 |
Address Space Protection ---> |
| 56 |
[*] Deny writing to /dev/kmem, /dev/mem, and /dev/port |
| 57 |
> home [ ] Disable privileged I/O |
| 58 |
> server [*] Disable privileged I/O |
| 59 |
[*] Remove addresses from /proc/<pid>/[smaps|maps|stat] |
| 60 |
[*] Deter exploit bruteforcing |
| 61 |
> home [*] Runtime module disabling |
| 62 |
> server ---------------------------- |
| 63 |
[*] Hide kernel symbols |
| 64 |
Role Based Access Control Options ---> |
| 65 |
[*] Hide kernel processes |
| 66 |
(3) Maximum tries before password lockout |
| 67 |
(30) Time to wait after max password tries, in seconds |
| 68 |
Filesystem Protections ---> |
| 69 |
[*] Proc restrictions |
| 70 |
[*] Restrict /proc to user only |
| 71 |
[*] Additional restrictions |
| 72 |
[*] Linking restrictions |
| 73 |
[*] FIFO restrictions |
| 74 |
[*] Chroot jail restrictions |
| 75 |
[*] Deny mounts |
| 76 |
[*] Deny double-chroots |
| 77 |
[*] Deny pivot_root in chroot |
| 78 |
[*] Enforce chdir("/") on all chroots |
| 79 |
[*] Deny (f)chmod +s |
| 80 |
[*] Deny fchdir out of chroot |
| 81 |
[*] Deny mknod |
| 82 |
[*] Deny shmat() out of chroot |
| 83 |
[*] Deny access to abstract AF_UNIX sockets out of chroot |
| 84 |
[*] Protect outside processes |
| 85 |
[*] Restrict priority changes |
| 86 |
[*] Deny sysctl writes |
| 87 |
[*] Capability restrictions |
| 88 |
Kernel Auditing ---> |
| 89 |
[ ] Single group for auditing |
| 90 |
[ ] Exec logging |
| 91 |
[*] Resource logging |
| 92 |
[ ] Log execs within chroot |
| 93 |
[ ] Chdir logging |
| 94 |
[*] (Un)Mount logging |
| 95 |
[ ] IPC logging |
| 96 |
[*] Signal logging |
| 97 |
[*] Fork failure logging |
| 98 |
[ ] Time change logging |
| 99 |
[*] /proc/<pid>/ipaddr support |
| 100 |
[ ] ELF text relocations logging (READ HELP) |
| 101 |
Executable Protections ---> |
| 102 |
[*] Enforce RLIMIT_NPROC on execs |
| 103 |
[*] Destroy unused shared memory |
| 104 |
[*] Dmesg(8) restriction |
| 105 |
[*] Randomized PIDs |
| 106 |
[ ] Trusted Path Execution (TPE) |
| 107 |
Network Protections ---> |
| 108 |
[*] Larger entropy pools |
| 109 |
[*] Randomized TCP source ports |
| 110 |
[ ] Socket restrictions |
| 111 |
Sysctl support ---> |
| 112 |
[*] Sysctl support |
| 113 |
[*] Turn on features by default |
| 114 |
Logging Options ---> |
| 115 |
(10) Seconds in between log messages (minimum) |
| 116 |
(4) Number of messages in a burst (maximum) |
| 117 |
|
| 118 |
|
| 119 |
Also, at the end of /etc/sysctl.conf: |
| 120 |
home: |
| 121 |
---cut--- |
| 122 |
kernel.grsecurity.disable_modules = 1 |
| 123 |
kernel.grsecurity.grsec_lock = 1 |
| 124 |
---cut--- |
| 125 |
servers: |
| 126 |
---cut--- |
| 127 |
kernel.grsecurity.grsec_lock = 1 |
| 128 |
---cut--- |
| 129 |
|
| 130 |
-- |
| 131 |
WBR, Alex. |
| 132 |
-- |
| 133 |
gentoo-server@g.o mailing list |
Archives