grsecurity forums

Hi all,

I have successfully installed GrSecurity/Pax on a server.
However, except running poorly a uname, how can I check if GrSecurity and/or Pax are well installed ?

Thanks

evilangel wrote:However, except running poorly a uname, how can I check if GrSecurity and/or Pax are well installed ?

try paxtest or 'grep PaX /proc/pid/status' also shows what's active on a given task. kernel self-protection features are a bit hard to test without risking a kernel oops or crash.

I was on http://www.adamantix.org/paxtest/ to get paxtest.
The server is down.
Howver, it seems to be the original point of the project.

1/ Is paxtest still alive ?

kernel self-protection features are a bit hard to test without risking a kernel oops or crash.

The server is not already in production, so I can crash it as mush as i enjoy
But, in my understanding, in need black hat tool to test pax/grsecurity good installation on my server, no ?

Thanks for these information

evilangel wrote:1/ Is paxtest still alive ?

Peter stopped developing it a while ago and i took it over, my test dir has the latest paxtest as well (it's quite old though and badly needs a rewrite .

The server is not already in production, so I can crash it as mush as i enjoy
But, in my understanding, in need black hat tool to test pax/grsecurity good installation on my server, no ?

for testing read-only kernel memory (part of KERNEXEC) you can use a simple dd into /dev/mem at the proper offset, but for testing the other features you'll need a kernel module or some exploit that triggers a real bug and runs afoul of a protection mechanism.

Peter stopped developing it a while ago and i took it over, my test dir has the latest paxtest as well

OK. Is your test dir public (to download paxtest)?

Thanks for information

evilangel wrote:OK. Is your test dir public (to download paxtest)?

it's linked from the PaX homepage: http://www.grsecurity.net/~paxguy1/

OK.

Thanks a lot !

I downloaded, compiled and lauched paxtest.
I launched it on a system I patched with grsecurity in medium mode.

I am surprised of the output of paxtest: everything is vulnerable.

Code: Select all

bob@mars:/tmp/paxtest-0.9.7-pre5$ ./paxtest kiddie
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Mode: kiddie
Linux malibu 2.6.24.5-grsec #1 Sat Aug 9 19:47:27 CEST 2008 i686 GNU/Linux

Executable anonymous mapping             : Vulnerable
Executable bss                           : Vulnerable
Executable data                          : Vulnerable
Executable heap                          : Vulnerable
Executable stack                         : Vulnerable
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect)              : Vulnerable
Anonymous mapping randomisation test     : 18 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Heap randomisation test (ET_DYN)         : 24 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (ET_DYN)   : 16 bits (guessed)
Shared library randomisation test        : 18 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 24 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 24 bits (guessed)
Return to function (strcpy)              : Vulnerable
Return to function (strcpy, RANDEXEC)    : Vulnerable
Return to function (memcpy)              : Vulnerable
Return to function (memcpy, RANDEXEC)    : Vulnerable
Executable shared library bss            : Vulnerable
Executable shared library data           : Vulnerable
Writable text segments                   : Vulnerable

bob@mars:/tmp/paxtest-0.9.7-pre5$

Is my system really weak? Or is paxtest deprecated and provinding false positive?

Ps: part of my config file

Code: Select all

bob@mars:/boot$ grep -i  medium config-2.6.24.5-grsec
CONFIG_GRKERNSEC_MEDIUM=y
bob@mars:/boot$

Thanks

It's mentioned in the configuration help for the option what features are enabled in the medium security settings. The current list of PaX options enabled in the medium security is: PAX_RANDUSTACK, PAX_ASLR, PAX_RANDMMAP, and PAX_REFCOUNT. So you're only getting userland ASLR support and protection against a specific class of bugs in the kernel. You'll need to use security levels high or custom to get non-executable page support from PaX.

-Brad

Ok, thanks for this.
I'll try in security level high.