| 1 |
On 05/09/2014 11:29 AM, Mark Gomersbach wrote: |
| 2 |
> Maybe a bug somewhere else too, which combination kernel/grsec/pax was used? |
| 3 |
> |
| 4 |
|
| 5 |
Whatever came with sys-kernel/hardened-sources-3.11.7-r1: |
| 6 |
|
| 7 |
# uname -a |
| 8 |
Linux mmmc2 3.11.7-hardened-r1 #1 SMP Fri Jan 3 23:13:48 EST 2014 |
| 9 |
x86_64 Intel(R) Xeon(R) CPU 5160 @ 3.00GHz GenuineIntel GNU/Linux |
| 10 |
|
| 11 |
Here's the hardened portion of the kernel .config for the web server |
| 12 |
that blew up today. The config for the mail server should be almost |
| 13 |
identical. I maintain the kernel configs for different hardware in |
| 14 |
different repos, but unless I've made a mistake, the hardening options |
| 15 |
should be the same. |
| 16 |
|
| 17 |
|
| 18 |
# |
| 19 |
# Security options |
| 20 |
# |
| 21 |
|
| 22 |
# |
| 23 |
# Grsecurity |
| 24 |
# |
| 25 |
CONFIG_PAX_KERNEXEC_PLUGIN=y |
| 26 |
CONFIG_PAX_PER_CPU_PGD=y |
| 27 |
CONFIG_TASK_SIZE_MAX_SHIFT=42 |
| 28 |
CONFIG_PAX_USERCOPY_SLABS=y |
| 29 |
CONFIG_GRKERNSEC=y |
| 30 |
# CONFIG_GRKERNSEC_CONFIG_AUTO is not set |
| 31 |
CONFIG_GRKERNSEC_CONFIG_CUSTOM=y |
| 32 |
|
| 33 |
# |
| 34 |
# Customize Configuration |
| 35 |
# |
| 36 |
|
| 37 |
# |
| 38 |
# PaX |
| 39 |
# |
| 40 |
CONFIG_PAX=y |
| 41 |
|
| 42 |
# |
| 43 |
# PaX Control |
| 44 |
# |
| 45 |
# CONFIG_PAX_SOFTMODE is not set |
| 46 |
# CONFIG_PAX_PT_PAX_FLAGS is not set |
| 47 |
CONFIG_PAX_XATTR_PAX_FLAGS=y |
| 48 |
CONFIG_PAX_NO_ACL_FLAGS=y |
| 49 |
# CONFIG_PAX_HAVE_ACL_FLAGS is not set |
| 50 |
# CONFIG_PAX_HOOK_ACL_FLAGS is not set |
| 51 |
|
| 52 |
# |
| 53 |
# Non-executable pages |
| 54 |
# |
| 55 |
CONFIG_PAX_NOEXEC=y |
| 56 |
CONFIG_PAX_PAGEEXEC=y |
| 57 |
# CONFIG_PAX_EMUTRAMP is not set |
| 58 |
CONFIG_PAX_MPROTECT=y |
| 59 |
# CONFIG_PAX_MPROTECT_COMPAT is not set |
| 60 |
# CONFIG_PAX_ELFRELOCS is not set |
| 61 |
CONFIG_PAX_KERNEXEC=y |
| 62 |
# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS is not set |
| 63 |
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR=y |
| 64 |
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="or" |
| 65 |
|
| 66 |
# |
| 67 |
# Address Space Layout Randomization |
| 68 |
# |
| 69 |
CONFIG_PAX_ASLR=y |
| 70 |
# CONFIG_PAX_RANDKSTACK is not set |
| 71 |
CONFIG_PAX_RANDUSTACK=y |
| 72 |
CONFIG_PAX_RANDMMAP=y |
| 73 |
|
| 74 |
# |
| 75 |
# Miscellaneous hardening features |
| 76 |
# |
| 77 |
# CONFIG_PAX_MEMORY_SANITIZE is not set |
| 78 |
# CONFIG_PAX_MEMORY_STACKLEAK is not set |
| 79 |
CONFIG_PAX_MEMORY_STRUCTLEAK=y |
| 80 |
CONFIG_PAX_MEMORY_UDEREF=y |
| 81 |
CONFIG_PAX_REFCOUNT=y |
| 82 |
CONFIG_PAX_CONSTIFY_PLUGIN=y |
| 83 |
CONFIG_PAX_USERCOPY=y |
| 84 |
# CONFIG_PAX_USERCOPY_DEBUG is not set |
| 85 |
CONFIG_PAX_SIZE_OVERFLOW=y |
| 86 |
# CONFIG_PAX_LATENT_ENTROPY is not set |
| 87 |
|
| 88 |
# |
| 89 |
# Memory Protections |
| 90 |
# |
| 91 |
CONFIG_GRKERNSEC_KMEM=y |
| 92 |
CONFIG_GRKERNSEC_IO=y |
| 93 |
CONFIG_GRKERNSEC_PERF_HARDEN=y |
| 94 |
CONFIG_GRKERNSEC_RAND_THREADSTACK=y |
| 95 |
CONFIG_GRKERNSEC_PROC_MEMMAP=y |
| 96 |
CONFIG_GRKERNSEC_BRUTE=y |
| 97 |
CONFIG_GRKERNSEC_MODHARDEN=y |
| 98 |
# CONFIG_GRKERNSEC_HIDESYM is not set |
| 99 |
# CONFIG_GRKERNSEC_KERN_LOCKOUT is not set |
| 100 |
|
| 101 |
# |
| 102 |
# Role Based Access Control Options |
| 103 |
# |
| 104 |
CONFIG_GRKERNSEC_NO_RBAC=y |
| 105 |
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set |
| 106 |
CONFIG_GRKERNSEC_ACL_MAXTRIES=3 |
| 107 |
CONFIG_GRKERNSEC_ACL_TIMEOUT=30 |
| 108 |
|
| 109 |
# |
| 110 |
# Filesystem Protections |
| 111 |
# |
| 112 |
CONFIG_GRKERNSEC_PROC=y |
| 113 |
CONFIG_GRKERNSEC_PROC_USER=y |
| 114 |
CONFIG_GRKERNSEC_PROC_ADD=y |
| 115 |
CONFIG_GRKERNSEC_LINK=y |
| 116 |
# CONFIG_GRKERNSEC_SYMLINKOWN is not set |
| 117 |
CONFIG_GRKERNSEC_FIFO=y |
| 118 |
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y |
| 119 |
# CONFIG_GRKERNSEC_ROFS is not set |
| 120 |
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y |
| 121 |
CONFIG_GRKERNSEC_CHROOT=y |
| 122 |
CONFIG_GRKERNSEC_CHROOT_MOUNT=y |
| 123 |
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y |
| 124 |
CONFIG_GRKERNSEC_CHROOT_PIVOT=y |
| 125 |
CONFIG_GRKERNSEC_CHROOT_CHDIR=y |
| 126 |
CONFIG_GRKERNSEC_CHROOT_CHMOD=y |
| 127 |
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y |
| 128 |
CONFIG_GRKERNSEC_CHROOT_MKNOD=y |
| 129 |
CONFIG_GRKERNSEC_CHROOT_SHMAT=y |
| 130 |
CONFIG_GRKERNSEC_CHROOT_UNIX=y |
| 131 |
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y |
| 132 |
CONFIG_GRKERNSEC_CHROOT_NICE=y |
| 133 |
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y |
| 134 |
CONFIG_GRKERNSEC_CHROOT_CAPS=y |
| 135 |
# CONFIG_GRKERNSEC_CHROOT_INITRD is not set |
| 136 |
|
| 137 |
# |
| 138 |
# Kernel Auditing |
| 139 |
# |
| 140 |
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set |
| 141 |
# CONFIG_GRKERNSEC_EXECLOG is not set |
| 142 |
CONFIG_GRKERNSEC_RESLOG=y |
| 143 |
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set |
| 144 |
# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set |
| 145 |
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set |
| 146 |
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set |
| 147 |
CONFIG_GRKERNSEC_SIGNAL=y |
| 148 |
CONFIG_GRKERNSEC_FORKFAIL=y |
| 149 |
# CONFIG_GRKERNSEC_TIME is not set |
| 150 |
CONFIG_GRKERNSEC_PROC_IPADDR=y |
| 151 |
CONFIG_GRKERNSEC_RWXMAP_LOG=y |
| 152 |
|
| 153 |
# |
| 154 |
# Executable Protections |
| 155 |
# |
| 156 |
CONFIG_GRKERNSEC_DMESG=y |
| 157 |
CONFIG_GRKERNSEC_HARDEN_PTRACE=y |
| 158 |
CONFIG_GRKERNSEC_PTRACE_READEXEC=y |
| 159 |
# CONFIG_GRKERNSEC_SETXID is not set |
| 160 |
# CONFIG_GRKERNSEC_TPE is not set |
| 161 |
|
| 162 |
# |
| 163 |
# Network Protections |
| 164 |
# |
| 165 |
CONFIG_GRKERNSEC_RANDNET=y |
| 166 |
# CONFIG_GRKERNSEC_BLACKHOLE is not set |
| 167 |
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y |
| 168 |
# CONFIG_GRKERNSEC_SOCKET is not set |
| 169 |
|
| 170 |
# |
| 171 |
# Physical Protections |
| 172 |
# |
| 173 |
# CONFIG_GRKERNSEC_DENYUSB is not set |
| 174 |
|
| 175 |
# |
| 176 |
# Sysctl Support |
| 177 |
# |
| 178 |
# CONFIG_GRKERNSEC_SYSCTL is not set |
| 179 |
|
| 180 |
# |
| 181 |
# Logging Options |
| 182 |
# |
| 183 |
CONFIG_GRKERNSEC_FLOODTIME=1 |
| 184 |
CONFIG_GRKERNSEC_FLOODBURST=4 |
| 185 |
# CONFIG_KEYS is not set |
| 186 |
CONFIG_SECURITY_DMESG_RESTRICT=y |
| 187 |
CONFIG_SECURITY=y |
| 188 |
# CONFIG_SECURITYFS is not set |
| 189 |
# CONFIG_SECURITY_NETWORK is not set |
| 190 |
# CONFIG_SECURITY_PATH is not set |
| 191 |
# CONFIG_INTEL_TXT is not set |
| 192 |
# CONFIG_SECURITY_SMACK is not set |
| 193 |
# CONFIG_SECURITY_TOMOYO is not set |
| 194 |
# CONFIG_SECURITY_APPARMOR is not set |
| 195 |
# CONFIG_IMA is not set |
Archives