Enabling security features

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Enabling security features

Postby Sapient2003 » Sun May 30, 2004 7:01 pm

I enabled some of the grsecurity and PaX security features, but none of them seem to be enabled. I used paxtest v0.9.5 to test my system and all of them say I am vulnerable or there is no randomization. Do you need to enable the protections manually for them to take any effect?

I have these security options selected:

Enable different security models
-Socket and Networking Security Hooks
-Default Linux Capabilities
-NSA SELinux Support
--NSA SELinux boot parameter

Grsecurity
-Address Space Protection
--Deny writing to /dev/kmem, /dev/mem, and /dev/port
--Remove addresses from /proc/<pid>/[maps|stat]
--Hide kernel symbols
-Role Based Access Control Options
--Hide kernel processes
-Filesystem Protections
--Proc restrictions
--Additional restrictions
--Linking restrictions
--FIFO restrictions
-Executable Protections
--Enforce RLIMIT_NPROC on execs
--Dmesg(8) restriction
--Randomized PIDs
-Network Protections
--Larger entropy pools
--Truly random TCP ISN selection
--Randomized IP IDs
--Randomized TCP source ports
--Randomized RPC XIDs
-Sysctl support
--Sysctl support

Pax
-Enable various Pax Features
--Pax Control
---Support soft mode
---Use legacy ELF header marking
---Use ELF program header marking
--Non-executable pages
---Enforce non-executable pages
--Address Space Layout Randomization
---Randomize kernel stack base
---Randomize user stack base
---Randomize mmap() base
---Disable the vsyscall page
Sapient2003
 
Posts: 9
Joined: Tue Feb 04, 2003 6:46 pm

Re: Enabling security features

Postby hightower » Mon May 31, 2004 12:17 pm

Sapient2003 wrote:I enabled some of the grsecurity and PaX security features, but none of them seem to be enabled. I used paxtest v0.9.5 to test my system and all of them say I am vulnerable or there is no randomization. Do you need to enable the protections manually for them to take any effect?

Err, what is selected here? The most common failure of users is that they forget to enable:

- Use legacy ELF header marking
- Use ELF program header marking

Further, make sure you enabled mprotect and aslr and segmexec or pageexec.

ciao, Marc
hightower
 
Posts: 49
Joined: Wed Mar 06, 2002 11:36 am
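To make the point about ELF program header marking concrete, here is an added example that is not part of this thread and not grsecurity/PaX project code: a small Python script that walks the program headers of an ELF32/ELF64 image and decodes the PT_PAX_FLAGS entry, the per-binary marking that paxctl writes when "Use ELF program header marking" is selected. The PT_PAX_FLAGS type value and the flag bit positions are the ones PaX uses; the sample ELF images are constructed inline (header plus program headers only, not loadable binaries), and the one-letter summary format is this script's own convention, not paxctl's.

```python
"""Decode PaX per-binary markings (PT_PAX_FLAGS) from an ELF image.

Added example; not grsecurity/PaX code. Sample images are constructed below
so the script runs offline without a real marked binary.
"""
import struct

# Program header type that PaX reads its per-binary flags from (written by paxctl).
PT_PAX_FLAGS = 0x65041580

# (name, summary letter, enable bit, disable bit). If neither bit is set for a
# feature, the kernel default applies (inverted to "off" under soft mode).
PAX_FEATURES = [
    ("PAGEEXEC", "P", 1 << 4, 1 << 5),
    ("SEGMEXEC", "S", 1 << 6, 1 << 7),
    ("MPROTECT", "M", 1 << 8, 1 << 9),
    ("RANDEXEC", "X", 1 << 10, 1 << 11),
    ("EMUTRAMP", "E", 1 << 12, 1 << 13),
    ("RANDMMAP", "R", 1 << 14, 1 << 15),
]


def iter_program_headers(data):
    """Yield (p_type, p_flags) for each program header of an ELF32/ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    endian = {1: "<", 2: ">"}[ei_data]
    if ei_class == 2:  # ELF64: 64-byte header, 56-byte program headers, p_flags second
        ehdr = struct.unpack(endian + "HHIQQQIHHHHHH", data[16:64])
        phdr_fmt, flags_index = endian + "IIQQQQQQ", 1
    elif ei_class == 1:  # ELF32: 52-byte header, 32-byte program headers, p_flags seventh
        ehdr = struct.unpack(endian + "HHIIIIIHHHHHH", data[16:52])
        phdr_fmt, flags_index = endian + "IIIIIIII", 6
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    e_phoff, e_phentsize, e_phnum = ehdr[4], ehdr[8], ehdr[9]
    if e_phentsize < struct.calcsize(phdr_fmt):
        raise ValueError("program header entry too small")
    for i in range(e_phnum):
        fields = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        yield fields[0], fields[flags_index]


def pax_flags(data):
    """Return {feature: 'enabled'|'disabled'|'default'|'conflict'}, or None if unmarked."""
    for p_type, p_flags in iter_program_headers(data):
        if p_type != PT_PAX_FLAGS:
            continue
        result = {}
        for name, _letter, on_bit, off_bit in PAX_FEATURES:
            on, off = bool(p_flags & on_bit), bool(p_flags & off_bit)
            if on and off:
                result[name] = "conflict"  # both bits set: treated as a marking error here
            elif on:
                result[name] = "enabled"
            elif off:
                result[name] = "disabled"
            else:
                result[name] = "default"
        return result
    return None  # no PT_PAX_FLAGS header: the binary carries no per-binary marking


def summarize(flags):
    """Compact one-letter-per-feature view: upper=enabled, lower=disabled, '-'=default."""
    if flags is None:
        return "unmarked"
    glyph = {"enabled": str.upper, "disabled": str.lower}
    return "".join(
        glyph[flags[name]](letter) if flags[name] in glyph else ("!" if flags[name] == "conflict" else "-")
        for name, letter, _on, _off in PAX_FEATURES
    )


def build_elf64(pax_flag_bits=None):
    """Construct a minimal little-endian ELF64 image (constructed test input, not loadable)."""
    phdrs = [struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, 0, 0, 0x1000)]  # PT_LOAD
    if pax_flag_bits is not None:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, pax_flag_bits, 0, 0, 0, 0, 0, 8))
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\0" * 7
    ehdr = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return e_ident + ehdr + b"".join(phdrs)


# Constructed samples: one marked PAGEEXEC+MPROTECT+RANDMMAP on, EMUTRAMP off; one unmarked.
MARKED_SAMPLE = build_elf64((1 << 4) | (1 << 8) | (1 << 14) | (1 << 13))
UNMARKED_SAMPLE = build_elf64(None)

if __name__ == "__main__":
    for label, image in (("marked", MARKED_SAMPLE), ("unmarked", UNMARKED_SAMPLE)):
        print(label, summarize(pax_flags(image)), pax_flags(image))
```

Running it on a real file is a matter of `pax_flags(open(path, "rb").read())`. The useful check for the situation in this thread is the `None` case: a binary with no PT_PAX_FLAGS header has no per-binary marking at all, so the kernel falls back to its configured default, and with "Support soft mode" selected that default is to leave the protections off for unmarked binaries. The older chpax-style marking stored in the ELF header's e_ident bytes ("Use legacy ELF header marking") is not decoded here.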

Postby Sheps » Sun Jun 13, 2004 1:07 pm

I see you have sysctl enabled. Did you 'echo 1 > /proc/sys/kernel/grsecurity/setting_name'?
Sheps
 
Posts: 2
Joined: Sun Jun 13, 2004 12:45 pm
