Some noob questions about paxtest results and ACLs


Post by `VL » Wed Feb 23, 2005 2:36 pm

1st question is about results of paxtest utility

I'm building a hardened Gentoo system, and now I have:

Kernel:
Linux serv 2.4.28-grsec-2.1.0 #6 Sun Feb 13 14:28:05 MSK 2005 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux

grsecurity pax kernel settings:

CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MID is not set
# CONFIG_GRKERNSEC_HI is not set
CONFIG_GRKERNSEC_CUSTOM=y
# CONFIG_GRKERNSEC_PAX_SOFTMODE is not set
CONFIG_GRKERNSEC_PAX_EI_PAX=y
CONFIG_GRKERNSEC_PAX_PT_PAX_FLAGS=y
# CONFIG_GRKERNSEC_PAX_NO_ACL_FLAGS is not set
CONFIG_GRKERNSEC_PAX_HAVE_ACL_FLAGS=y
# CONFIG_GRKERNSEC_PAX_HOOK_ACL_FLAGS is not set
CONFIG_GRKERNSEC_PAX_NOEXEC=y
# CONFIG_GRKERNSEC_PAX_PAGEEXEC is not set
CONFIG_GRKERNSEC_PAX_SEGMEXEC=y
CONFIG_GRKERNSEC_PAX_EMUTRAMP=y
# CONFIG_GRKERNSEC_PAX_EMUSIGRT is not set
CONFIG_GRKERNSEC_PAX_MPROTECT=y
# CONFIG_GRKERNSEC_PAX_NOELFRELOCS is not set
CONFIG_GRKERNSEC_PAX_ASLR=y
CONFIG_GRKERNSEC_PAX_RANDKSTACK=y
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
CONFIG_GRKERNSEC_PAX_RANDEXEC=y


Compiler is:
gcc version 3.2.3 20030422 (Gentoo Linux 1.4 3.2.3-r1, propolice)

The system is fully rebuilt with it.

Now, paxtest gives:

Released under the GNU Public Licence version 2 or later

It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect)              : Killed
Anonymous mapping randomisation test     : 16 bits (guessed)
Heap randomisation test (ET_EXEC)        : No randomisation <<<<<<<<<<<<<<<<<<
Heap randomisation test (ET_DYN)         : 25 bits (guessed)
Main executable randomisation (ET_EXEC)  : 16 bits (guessed)
Main executable randomisation (ET_DYN)   : 17 bits (guessed)
Shared library randomisation test        : 16 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 23 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 23 bits (guessed)
Return to function (strcpy)              : Killed
Return to function (strcpy, RANDEXEC)    : Killed
Return to function (memcpy)              : Killed
Return to function (memcpy, RANDEXEC)    : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Killed


Everything looks good, except for the message about ET_EXEC and no randomisation.
So, where is the trouble? Have I missed some kernel options? In the Gentoo security guide document, the example paxtest result for this option is: 16 bits (guessed).

=============================

And the second is about ACLs:

Which is the config file? /etc/grsec/acl or /etc/grsec/policy? If both, in which order are they used?

I used Full learn mode and got some ACLs. Here are the generated rules
for syslog-ng in role 'root':

subject /usr/sbin/syslog-ng o {
        /                               h
        /etc                            h
        /etc/ld.so.cache                r
        /etc/syslog-ng/syslog-ng.conf   r
        /lib                            rx
        /proc                           h
        /proc/kmsg                      rw
        /usr                            h
        /usr/sbin/syslog-ng             x
        /usr/share/zoneinfo/Europe/Moscow       r
        /var                            h
        /var/log
        /var/log/messages               w
        /var/log/sshd.log               w
        /var/run
        /var/run/syslog-ng.pid          w
        /dev
        /dev/log                        wcd
        /dev/null                       rw
        /dev/tty12                      a
        /dev/urandom                    r
        /dev/vc
        /dev/vc/12                      w
        /dev/grsec                      h
        /dev/mem                        h
        /dev/kmem                       h
        /dev/port                       h
        -CAP_ALL
        +CAP_DAC_OVERRIDE
        bind    disabled
        connect disabled
}


So, question 2 is: why do some entries not have a mode letter? I see
/var/log, /dev/vc, /dev. What does this mean? No access at all? Or?

question 3:

In the documentation for v1.5, I found that the 'o' flag in a subject definition (I think it means the same for a role in v2) tells grsec not to perform inheritance for this object. All of the roles generated by learn mode have this flag.

I found that a lot of subjects (in the same role) have similar permissions for the same objects: for example, subjects /bin/bash and /bin/ln have the same permission for '/': h (hide). Also, there is a '/' subject, which also sets the permission for '/' as 'h'.

So, if I remove the 'o' flag for /bin/bash and /bin/ln and remove the rule for '/',
will it be inherited from the '/' subject? Is my understanding of inheritance right?

And one more question: when is the version 2 documentation going to be out?

P.S. Feel free to call me stupid, point me to obvious documentation...
`VL
 
Posts: 28
Joined: Wed Feb 23, 2005 2:11 pm

Re: Some noob questions about paxtest results and ACLs

Post by PaX Team » Fri Feb 25, 2005 3:56 am

`VL wrote: Everything looks good, except for the message about ET_EXEC and no randomisation.
So, where is the trouble? Have I missed some kernel options? In the Gentoo security guide document, the example paxtest result for this option is: 16 bits (guessed).

the problem is most likely the paxtest version you're using, it doesn't know about PT_PAX_FLAGS/paxctl and since your binutils is using PT_PAX_FLAGS, it will override the chpax settings (and skew the results, both ways). we've been working on a new paxtest for some time now and hope to release it 'soon'. if you want to test it, email me in private.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
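
Added example, not part of the original thread and not code from PaX or paxtest: a Python check for the situation the reply above describes, where a PT_PAX_FLAGS program header, when present, is used instead of the legacy chpax byte at e_ident[EI_PAX]. The ELF32 images are constructed in the code, and the names `pax_marking` and `build_sample` are hypothetical.

```python
import struct

EI_PAX = 14                # e_ident index of the legacy chpax flag byte
PT_LOAD = 1
PT_PAX_FLAGS = 0x65041580  # PT_LOOS + 0x5041580, emitted by PaX-aware binutils/paxctl
# p_flags bits 4..15 of a PT_PAX_FLAGS header, in bit order
PT_BITS = ["PAGEEXEC", "NOPAGEEXEC", "SEGMEXEC", "NOSEGMEXEC", "MPROTECT",
           "NOMPROTECT", "RANDEXEC", "NORANDEXEC", "EMUTRAMP", "NOEMUTRAMP",
           "RANDMMAP", "NORANDMMAP"]


def pax_marking(elf):
    """Report which PaX marking of an ELF32 little-endian image takes effect."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("expected an ELF32 little-endian image")
    (e_phoff,) = struct.unpack_from("<I", elf, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from("<I", elf, base)
        if p_type == PT_PAX_FLAGS:
            (p_flags,) = struct.unpack_from("<I", elf, base + 24)
            names = [n for bit, n in enumerate(PT_BITS, 4) if (p_flags >> bit) & 1]
            # The chpax byte is still in the file but no longer decides anything.
            return {"effective": "PT_PAX_FLAGS", "pt_flags": names,
                    "ei_pax": elf[EI_PAX]}
    return {"effective": "EI_PAX", "pt_flags": None, "ei_pax": elf[EI_PAX]}


def build_sample(ei_pax, pt_pax=None):
    """Constructed test image: ELF32 header plus program headers, no sections."""
    phdrs = [struct.pack("<8I", PT_LOAD, 0, 0x08048000, 0x08048000, 0, 0, 5, 0x1000)]
    if pt_pax is not None:
        phdrs.append(struct.pack("<8I", PT_PAX_FLAGS, 0, 0, 0, 0, 0, pt_pax, 4))
    ident = b"\x7fELF\x01\x01\x01" + bytes(7) + bytes([ei_pax, 0])
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x08048000, 52, 0, 0,
                               52, 32, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(phdrs)


if __name__ == "__main__":
    # Same chpax byte (0x10), with and without a PT_PAX_FLAGS header.
    print(pax_marking(build_sample(0x10)))
    print(pax_marking(build_sample(0x10, (1 << 6) | (1 << 11))))
```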

