Adding a tutorial from one of the ChaseNET admins, with his permission ofcourse
--------
Copyright (c) 2010 Declan Williams.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is included here
http://www.gnu.org/licenses/fdl-1.3.htmlCustom Kernel+Grsec+PaX HOWTO
First, draw up hardware lists to make sure you build in all the required support into the kernel.
I recommend disabling LKM to help prevent kernel level rootkits.
I also recommend putting PaX on the highest settings, and enabling the features to stop writing to /proc/kmsg and other areas nasties abuse.
Also, use a hardened toolchain throughout installation of applications on your machine,Though you will have to compile your applications.
Recommendations: Gentoo Hardened Project.
Recommended Grsecurity settings:
Security Options ->
Grsecurity ->
Security Level (High)
Address Space Protection
[*] Deny writing to /dev/kmem, /dev/mem, and /dev/port //kmem can be used to insert rootkits
[*] Disable Privileged I/O //Enable if you use X11 etc, disable for servers.
[*] Removed addresses from /proc/<pid>/[smaps|maps|stat] //Speaks for itself
[*] Deter exploit bruteforcing //You definitely want this one
[*] Hide kernel symbols //Again, no reason for legit to see this
Role Based Access Control ->
[ ] Disable RBAC System //This is fantastic, do NOT disable it,use it
[*] Hide kernel processes //No legit reason to see these in production.
(3) Maximum tries before password lockout
(3600) Time to wait after max password tries, in seconds //That's an hour, pick as appropriate
Filesystem Protections
[*] Proc restrictions //Proc has lots of useful info, to attackers too.
[*] Restrict /proc to user only //Makes sure the user can only see their own processes, and hids network info(like binded ports(can use to identify daemons to exploit))
[*] Allow special group //Certain GID that can see it all, choose wisely
[*] Additional Restrictions //Adds more restrictions, prevents users from seeing slabinfo and devinfo
[*] Linking Restrictions //Prevents /tmp race condition 'sploits, stops users from following symlinks from other users in world-write+t dirs, useful stuff
[*] FIFO Restrictions //Similar to above except FIFO pipes now, again nice to stop
[*] Runtime Read-only Mount Protection //Adds sysctl option to prevent new rw mounts, remounting rw, write on block devs, CHOOSE IF THIS APPLIES TO YOU
[*] Chroot Jail Restrictions //You want ALL of these, hardens your chroots by defeating common bypass methods completely.
...
Kernel Auditing ->
[*] Log execs within chroot //Just in case they're doing the naughty.
[*] Ptrace logging //Shouldn't be done on a production system, useful to attackers, you want to know this
[*] /proc/<pid>/ipaddr support //Tells you the IP the process was executed by, again useful to know
[*] Denied RWX MMAP/MPROT logging //Tells you if something tripped PAX_MPROTECT
Executable Protections
[*] Enforce RLIMIT_NPROC on execs //If the user is limited, it'll be checked also during execve(), usually it's just fork()
[*] DMESG Restrictions //Stops non-super reading the last 4kb of messages in the kernel buffer.
[*] Deter ptrace-based process snooping //Monitoring tools that use ptrace will be mitigated if they try to do it to an already running process
[*] Trusted Path Execution(TPE) //Good stuff, can stop users running stuff in their own directories etc depending on the following selections
[ ] Partially restrict all non-root //Doesn't usually apply, check first if you prefer that option.
[*] Invert GID option //Now it applies to everyone except given GID, choose wisely
Network Protections ->
[*] Larger entropy pools //Makes things more random and therefore decreases predictability(very important in network security)
[*] TCP/UDP blackhole and LAST_ACK DoS prevention //Prevents resets and destination-unreachable being sent back to unbinded ports.
[*] Socket restrictions ->
[*] Deny any sockets to group ->
[no-net GID] GID to deny all sockets for
Recommended PaX settings:
Security options ->
PaX ->
Non-executable pages ->
[ ] Emulate trampolines //can break shit, but also poses a risk if enabled.
[*] Disallow ELF text relocations
Miscellaneous hardening features ->
[*] Sanitize all freed memory //Erases pages when not used, stops sensitive info remaining in memory long enough to be stolen
From there, you will also want to remove the /dev/kmem device in character devices, remove any functionality and drivers you do not need, then go into kernel hacking and remove all debugging options available.
Make sure you have kernel.org's public key:
% gpg --keyserver wwwkeys.pgp.net --recv-keys 0x517D0F0E
% wget http://www.grsecurity.net/spender-gpg-key.asc
% gpg --import spender-gpg-key.asc Download latest release(bz2+bz2.sign files):
% lynx http://www.kernel.org/pub/linux/kernel/v2.6/
% gpg --verify linux-2.6.*.bz2.sign linux-2.6.*.bz2
% tar xvjpf ./linux-2.6.* Move the folder:
% sudo mv -R ./linux-2.6.*/ /usr/src/ Create new Symlink:
% sudo ln -s /usr/src/linux-2.6.<version here>/ /usr/src/linux Get the grsec patch and sign for your kernel:
% lynx http://grsecurity.net/download.php Verify the patch:
% gpg --verify ./grsecurity*.patch.sig ./grsecurity*.patch Move the patch:
% sudo mv ./grsecurity*.patch /usr/src/linux Change dir:
% cd /usr/src/linux Patch the kernel:
% patch -p1<./grsecurity*.patch Escalate privs:
% sudo -iYou're going to want to harden your flags for this.
$ export CFLAGS="-O2 -pipe -fomit-frame-pointer -DFORTIFY_SOURCE_2 -fstack-protector -fPIE -fPIC"
$ export CXXFLAGS="Â${CFLAGS}"
$ export LDFLAGS="-z relro -pie" Make the config file:
Ncurses:
$ make menuconfig GTK:
$ make gconfig QT:
$ make xconfig After doing so, and saving, make the kernel:
$ make If using lkm, then make the modules:
$ make modules_install Then install the kernel:
$ make install Modify your GRUB configuration as required:
$ vi /boot/grub/menu.lst Reboot
$ reboot If all is well, download gradm and the .sig, else repeat the steps previously shown from menuconfig onwards.
% lynx http://grsecurity.net/test.php
% gpg --verify ./gradm*.gz.sig ./gradm*.gz
% tar xvf ./gradm*.gz Then we make it:
% cd ./gradm2
% make
% sudo make install Then download paxutils:
% wget http://mirror.bytemark.co.uk/gentoo/distfiles/pax-utils-0.2.tar.bz2
% tar xvjpf ./pax-utils*.bz2
% cd ./pax-utils*/
% make
% sudo make install Then we cleanup
% cd ../
% rm -rf ./gradm2/
% rm -rf ./pax-utils*/
% rm -rf ./linux-2.6*/
% rm ./grsec*
% rm ./gradm*
% rm ./linux-2.6.*
% rm ./pax-utils*.bz2
% cd /usr/src/linux
% sudo make clean
% cdFrom here it's recommended to make sure all your userland is compiled with the hardened flags and stripped of all debugging information etc,
and that you set up RBAC using the links below.
To check for any badly compilec processes(no RELRO, stack canary etc), then check out this brilliant script
http://tk-blog.blogspot.com/2009/02/checksec.html All done, for further resources in regards to PAX, GRSecurity etc, checkout the gentoo hardened project:
http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml http://www.gentoo.org/proj/en/hardened/grsecurity.xml Hope this has been somewhat useful, la revedere.
Canis.
-------
