grsecurity forums

[h4x0r]

I just installed the rc3 of 1.9.9 on two boxes last night to test it out. No compile problems everything seemed to be in order similar to my 1.9.7 boxen. (I do not run 1.9.8 because of the broken PROC_USERGROUP posted in the forum.) When I logged into them today there were some serious problems. Both had high loads:

11:58am up 1 day, 2:30, 1 user, load average: 3.34, 3.08, 2.86
11:59am up 1 day, 11:30, 1 user, load average: 8.00, 7.45, 6.53

(normally 15min avg is 0.00 on these boxes)

And the cmds I issued from the shell just crapped out and left my terminal hanging, couldnt even ctrl-c or crl-z out of them, had to d/c and reconnect. Ended up hard rebooting the systems. After reboot back into 2.4.20+grsec1.9.9-rc3 kernel, everything seems fine.

Heres the contents of grsec section of config:

# Buffer Overflow Protection
CONFIG_GRKERNSEC_PAX_NOEXEC=y
# CONFIG_GRKERNSEC_PAX_PAGEEXEC is not set
CONFIG_GRKERNSEC_PAX_SEGMEXEC=y
# CONFIG_GRKERNSEC_PAX_EMUTRAMP is not set
CONFIG_GRKERNSEC_PAX_MPROTECT=y
CONFIG_GRKERNSEC_PAX_NOELFRELOCS=y
CONFIG_GRKERNSEC_PAX_ASLR=y
CONFIG_GRKERNSEC_PAX_RANDKSTACK=y
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
CONFIG_GRKERNSEC_PAX_RANDEXEC=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_RTC=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y

# ACL options
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

# Filesystem Protections
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=113
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

# Kernel Auditing
CONFIG_GRKERNSEC_AUDIT_GROUP=y
CONFIG_GRKERNSEC_AUDIT_GID=1000
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y


# Executable Protections
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_GID=1000

# Network Protections
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
CONFIG_GRKERNSEC_RANDPING=y
# CONFIG_GRKERNSEC_SOCKET is not set

# Sysctl support
CONFIG_GRKERNSEC_SYSCTL=y

# Miscellaneous Features
CONFIG_GRKERNSEC_FLOODTIME=30
CONFIG_GRKERNSEC_FLOODBURST=4

basically all the protections, but no acls.

[PaX Team]

When I logged into them today there were some serious problems. Both had high loads:

11:58am up 1 day, 2:30, 1 user, load average: 3.34, 3.08, 2.86
11:59am up 1 day, 11:30, 1 user, load average: 8.00, 7.45, 6.53

(normally 15min avg is 0.00 on these boxes)

are these boxes SMP? also can you guess what applications may have been running at the time?

And the cmds I issued from the shell just crapped out and left my terminal hanging, couldnt even ctrl-c or crl-z out of them, had to d/c and reconnect.

hmm, does this mean that login/bash ran fine but nothing else did?

CONFIG_GRKERNSEC_PAX_NOELFRELOCS=y

i see you enabled this one. out of curiosity, which distro are you using that has only PIC libraries? also if the problem occurs again, could you try to disable this option and see what happens?

[h4x0r]

CONFIG_GRKERNSEC_PAX_NOELFRELOCS=y

doh!

Sorry for the wasted post, I imagine after I recompile them correctly they will run fine.