Gentoo Archives: gentoo-hardened

From: "Tino Müller" <gnaag@×××.de>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Setting up Hardened Gentoo
Date: Thu, 15 Feb 2007 13:05:45
Message-Id: 20070215130303.173590@gmx.net
In Reply to: [gentoo-hardened] Setting up Hardened Gentoo by "Tino Müller"
Hello,

I installed once again, but this time with default settings and only editing mandatory config files (like fstab). It's the original stage3-x86-hardened-2.6-2006.0.tar.bz2 without rebuilding any packages. Kernel config is mostly default, but with mandatory hardware drivers for disk and net and with PaX enabled.

Paxtest now shows this:

localhost ~ # paxtest kiddie
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@×××××××××.org>
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@×××××××××.org>
Released under the GNU Public Licence version 2 or later

Mode: kiddie
Linux localhost 2.6.18-hardened #3 Thu Feb 15 13:33:17 Local time zone must be set--see zic manu i686 Intel(R) Pentium(R) 4 CPU 3.20GHz GenuineIntel GNU/Linux

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 17 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 23 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : 15 bits (guessed)
Shared library randomisation test : 17 bits (guessed)
Stack randomisation test (SEGMEXEC) : 23 bits (guessed)
Stack randomisation test (PAGEEXEC) : 23 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (memcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Killed
Executable shared library data : Killed


localhost ~ # emerge --info
Portage 2.0.53 (hardened/x86/2.6, gcc-3.4.4, glibc-2.3.5-r2, 2.6.18-hardened i686)
=================================================================
System uname: 2.6.18-hardened i686 Intel(R) Pentium(R) 4 CPU 3.20GHz
Gentoo Base System version 1.6.13
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python: 2.4.2
dev-python/pycrypto: [Not Present]
dev-util/ccache: [Not Present]
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.12
sys-devel/autoconf: 2.13, 2.60
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1, 1.10
sys-devel/binutils: 2.16.1
sys-devel/gcc-config: 1.3.12-r4
sys-devel/libtool: 1.5.20
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=i686"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 berkdb bzip2 crypt dlloader expat hardened midi ncurses nls pam perl pic python readline ssl tcpd udev xorg zlib input_devices_mouse input_devices_keyboard userland_GNU kernel_linux elibc_glibc alsa_pcm_plugins_adpcm alsa_pcm_plugins_alaw alsa_pcm_plugins_asym alsa_pcm_plugins_copy alsa_pcm_plugins_dmix alsa_pcm_plugins_dshare alsa_pcm_plugins_dsnoop alsa_pcm_plugins_empty alsa_pcm_plugins_extplug alsa_pcm_plugins_file alsa_pcm_plugins_hooks alsa_pcm_plugins_iec958 alsa_pcm_plugins_ioplug alsa_pcm_plugins_ladspa alsa_pcm_plugins_lfloat alsa_pcm_plugins_linear alsa_pcm_plugins_meter alsa_pcm_plugins_mulaw alsa_pcm_plugins_multi alsa_pcm_plugins_null alsa_pcm_plugins_plug alsa_pcm_plugins_rate alsa_pcm_plugins_route alsa_pcm_plugins_share alsa_pcm_plugins_shm alsa_pcm_plugins_softvol lcd_devices_bayrad lcd_devices_cfontz lcd_devices_cfontz633 lcd_devices_glk lcd_devices_hd44780 lcd_devices_lb216 lcd_devices_lcdm001 lcd_devices_mtxorb lcd_devices_ncurses lcd_devices_text"
Unset: CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS, PORTAGE_RSYNC_OPTS, PORTDIR_OVERLAY


Kernel config:

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_DEFAULT_PAGEEXEC is not set
CONFIG_PAX_DEFAULT_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y
CONFIG_PAX_KERNEXEC=y

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_MEMORY_UDEREF=y

#
# Grsecurity
#
# CONFIG_GRKERNSEC is not set
# CONFIG_KEYS is not set
# CONFIG_SECURITY is not set


localhost ~ # gcc -v
Reading specs from /usr/lib/gcc/i386-pc-linux-gnu/3.4.4/specs
Configured with: /var/tmp/portage/gcc-3.4.4-r1/work/gcc-3.4.4/configure --prefix=/usr --bindir=/usr/i386-pc-linux-gnu/gcc-bin/3.4.4 --includedir=/usr/lib/gcc/i386-pc-linux-gnu/3.4.4/include --datadir=/usr/share/gcc-data/i386-pc-linux-gnu/3.4.4 --mandir=/usr/share/gcc-data/i386-pc-linux-gnu/3.4.4/man --infodir=/usr/share/gcc-data/i386-pc-linux-gnu/3.4.4/info --with-gxx-include-dir=/usr/lib/gcc/i386-pc-linux-gnu/3.4.4/include/g++-v3 --host=i386-pc-linux-gnu --build=i386-pc-linux-gnu --disable-altivec --enable-nls --without-included-gettext --with-system-zlib --disable-checking --disable-werror --disable-libunwind-exceptions --disable-multilib --disable-libmudflap --disable-libgcj --enable-languages=c,c++ --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu
Thread model: posix
gcc version 3.4.4 (Gentoo Hardened 3.4.4-r1, ssp-3.4.4-1.0, pie-8.7.8)


It's the first time for me that paxtest shows something other than Vulnerable. I'll now continue customising the system and try to find out which of my actions break PaX.

Thank you very much to everyone who helped me in this matter. Your help is appreciated.
I'll report back with my findings.

Best regards,
Tino
153 --
154 gentoo-hardened@g.o mailing list
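An added example, not from the mail or from paxtest: it parses the "test : result" lines paxtest prints, lists the results that deserve a second look when re-running after each customisation step, and checks a kernel .config fragment for the PaX options shown in the mail. The sample output and config are constructed, and the 16-bit randomisation threshold is an arbitrary choice.

```python
import re
# Constructed sample in the format paxtest prints; not the mail's full log.
PAXTEST_OUTPUT = """\
Mode: kiddie
Executable stack : Killed
Executable stack (mprotect) : Killed
Anonymous mapping randomisation test : 17 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : 15 bits (guessed)
Return to function (strcpy) : Vulnerable
"""

# Constructed .config fragment using option names from the mail.
KERNEL_CONFIG = """\
CONFIG_PAX=y
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_SOFTMODE is not set
"""

LINE_RE = re.compile(r"^(?P<test>.+?)\s*:\s*(?P<result>.+?)\s*$")
BITS_RE = re.compile(r"(\d+) bits")

def parse_paxtest(text):
    """Map each 'test : result' line to its result; the Mode line is skipped."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("test") != "Mode":
            results[m.group("test")] = m.group("result")
    return results

def findings(results, min_bits=16):
    """Executable-memory tests reported Vulnerable, plus randomisation tests
    below min_bits (an arbitrary threshold; 'No randomisation' counts as 0,
    which is expected for a non-PIE ET_EXEC binary). 'Return to function'
    tests are skipped: PaX NOEXEC/ASLR do not aim to block them."""
    out = []
    for test, result in results.items():
        if result == "Vulnerable" and not test.startswith("Return to function"):
            out.append((test, result))
        elif "randomisation" in test.lower():
            m = BITS_RE.search(result)
            if (int(m.group(1)) if m else 0) < min_bits:
                out.append((test, result))
    return out

def config_enabled(text, option):
    """True when '<option>=y' appears uncommented on its own line of a .config."""
    return re.search(rf"^{re.escape(option)}=y$", text, re.M) is not None
```

Run against a real paxtest.log and /usr/src/linux/.config, an empty findings list after a rebuild is the quick signal that the change did not break PaX.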