Hi!

If you ever wonder how exactly the predefined security levels differ, you'll
find this information here. :) I've compared them, plus I did some
benchmarking (Core2Duo E6600, 32bit OS, hardened-sources-3.1.5,
single-user mode, kernel compile with -j3 as average user+sys time in 3 tests).

This information shouldn't surprise hardened developers, but if there are
some bugs with these levels then chances are you'll notice them now.

I didn't test low and medium levels because I don't think they have any
real use.

First table: differences between these security levels.
"-" means this level switches off that option
"+" means this level switches on that option
" " means this level doesn't change that option

high server ws virt
CONFIG_X86_32_LAZY_GS - -
CONFIG_CC_STACKPROTECTOR - -
CONFIG_GRKERNSEC_IO +
CONFIG_GRKERNSEC_KERN_LOCKOUT +
CONFIG_GRKERNSEC_PROC_ADD + +
CONFIG_GRKERNSEC_SYSFS_RESTRICT +
CONFIG_GRKERNSEC_PROC_IPADDR + + +
CONFIG_GRKERNSEC_RWXMAP_LOG + + +
CONFIG_GRKERNSEC_SYSCTL + + +
CONFIG_GRKERNSEC_SYSCTL_ON + + +
CONFIG_PAX_PER_CPU_PGD + + + -
CONFIG_PAX_ELFRELOCS +
CONFIG_PAX_KERNEXEC + + + -
CONFIG_PAX_KERNEXEC_MODULE_TEXT 4 4 4 -
CONFIG_PAX_MEMORY_SANITIZE + + +
CONFIG_PAX_MEMORY_UDEREF + + -

As you can see, if you switch between several levels you may end up with
different options on the same level - for example, switching from server to
workstation results in UDEREF on, while switching from virtualization to
workstation results in UDEREF off. That's correct, but you should keep this
in mind and re-check the configuration after switching security level.

Next, a list of options which aren't changed by any of these security
levels, i.e. they are left completely up to the user's choice. I'll show them
both in CONFIG and menuconfig formats:

CONFIG_GRKERNSEC_ACL_HIDEKERN
CONFIG_GRKERNSEC_EXECLOG
CONFIG_GRKERNSEC_CHROOT_EXECLOG
CONFIG_GRKERNSEC_AUDIT_PTRACE
CONFIG_GRKERNSEC_AUDIT_CHDIR
CONFIG_GRKERNSEC_AUDIT_TEXTREL
CONFIG_GRKERNSEC_BLACKHOLE
CONFIG_PAX_EMUTRAMP
CONFIG_PAX_MPROTECT_COMPAT
CONFIG_PAX_MEMORY_STACKLEAK

Grsecurity --->
  [*] Grsecurity
  Role Based Access Control Options --->
    [ ] Hide kernel processes
  Kernel Auditing --->
    [ ] Exec logging
    [ ] Log execs within chroot
    [ ] Ptrace logging
    [ ] Chdir logging
    [ ] ELF text relocations logging (READ HELP)
  Network Protections --->
    [ ] TCP/UDP blackhole and LAST_ACK DoS prevention
PaX --->
  [*] Enable various PaX features
  Non-executable pages --->
    [ ] Emulate trampolines
    [ ] Use legacy/compat protection demoting (read help)
  Miscellaneous hardening features --->
    [ ] Sanitize kernel stack

All other GrSecurity/PaX options are switched on by all these security levels.

Now, about benchmarking. I've enabled as many options as possible on
workstation: server security level PLUS all good optional options MINUS
CONFIG_GRKERNSEC_IO (for Xorg). And compared it to a completely non-hardened
environment (kernel with GrSecurity/PaX switched off and vanilla gcc).

This way hardened was ~5% slower.
Without CONFIG_PAX_MEMORY_STACKLEAK it becomes ~3% slower.
Without CONFIG_PAX_MEMORY_STACKLEAK and CONFIG_PAX_MEMORY_SANITIZE - ~1% slower.

As for me, spending ~1% performance for ~all hardening is a good trade-off,
but spending 4% more for protection against leaking information in freed
memory is too much for a workstation (and for most servers too), so I
recommend changing the workstation security level to not enable
CONFIG_PAX_MEMORY_SANITIZE by default.

--
WBR, Alex.
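
The re-check after switching security levels that the message recommends can be scripted. The following is an added example, not part of the original post: it compares only the GrSecurity/PaX options of two kernel .config files. The function names and the two sample fragments are constructed for illustration, modelled on the UDEREF case described in the message.

```python
import re

# Only hardening options are compared; everything else in .config is ignored.
PREFIXES = ("CONFIG_GRKERNSEC", "CONFIG_PAX")
SET_RE = re.compile(r"^(CONFIG_\w+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_config(text):
    """Map option name -> value; '# CONFIG_X is not set' is recorded as 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = UNSET_RE.match(line)
        if m:
            opts[m.group(1)] = "n"
    return {k: v for k, v in opts.items() if k.startswith(PREFIXES)}

def diff_hardening(a_text, b_text):
    """Return sorted (option, value_in_a, value_in_b) for options that differ."""
    a, b = parse_config(a_text), parse_config(b_text)
    out = []
    for name in sorted(set(a) | set(b)):
        va, vb = a.get(name, "absent"), b.get(name, "absent")
        if va != vb:
            out.append((name, va, vb))
    return out

# Constructed fragment: workstation level reached from the server level.
VIA_SERVER = """\
CONFIG_HZ=1000
CONFIG_GRKERNSEC=y
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_MEMORY_UDEREF=y
# CONFIG_PAX_MEMORY_STACKLEAK is not set
"""
# Constructed fragment: workstation level reached from the virtualization level.
VIA_VIRT = """\
CONFIG_HZ=250
CONFIG_GRKERNSEC=y
CONFIG_PAX_MEMORY_SANITIZE=y
# CONFIG_PAX_MEMORY_UDEREF is not set
# CONFIG_PAX_MEMORY_STACKLEAK is not set
"""

if __name__ == "__main__":
    for name, va, vb in diff_hardening(VIA_SERVER, VIA_VIRT):
        print(f"{name}: {va} -> {vb}")
```

To use it on real files, read a saved copy of .config from before the level switch and the current .config, and pass both texts to diff_hardening.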