a few questions before i install

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

a few questions before i install

Postby TheOneAndOnlySM » Sat Aug 21, 2004 2:27 pm

i am going to compile my 2.6.7 kernel with the latest grsecurity; i have patched my tree successfully

if someone could clarify these for me, it would be appreciated:
1.) will compiling in grsecurity (let's say at medium level) and pax slow down my kernel and system? even in the most insignificant slowdown, i just want to know
2.) is there an option for randomized PID's? (and is it enabled in medium security?)
3.) after compiling in grsecurity (and with sysctl enabled) and pax, are all the settings enabled once the kernel loads, or do i have to echo or use a program to enable the security?
4.) what is the iptables stealth module patch? what do i patch that against, and how do i use it? (will it let me stealth my port 80 even while i run an apache server there?)
5.) what log files does grsecurity and pax log to?
6.) i run a single machine with a bunch of servers (nfs, apache, sendmail, mysql, etc) on my daily-computer-use machine mostly just for fun and security isn't an enormous issue, but i'd like to avoid getting hacked without sacrificing my daily programs (which is why i'm settling for medium security without proc restrictions) - will grsecurity or pax hinder the usage of any of these servers?
TheOneAndOnlySM
 
Posts: 4
Joined: Sat Aug 21, 2004 2:13 pm

Postby TheOneAndOnlySM » Fri Sep 03, 2004 8:20 pm

anyone? can no one answer a single question?

i've gone ahead and compiled in some grsecurity options, but running paxtest says that i am vulnerable to all tests; i have pax options set, so how do i enable them?
TheOneAndOnlySM
 
Posts: 4
Joined: Sat Aug 21, 2004 2:13 pm

Postby fonya » Thu Sep 09, 2004 4:50 am

Hi!

1: Try it! Maybe it will be slover, than before.
2: If You see Configure.help, You can find Your answer easily... Yes, the pids will be randomised /if You choose low security it will be randomized too./
3: If You select the CONFIG_GRKERNSEC_SYSCTL, You must echo, or somthing, to enable some special features, or change behavior.
4: See Configre.help:

Enabling this option will drop all syn packets coming to unserved tcp
ports as well as all packets coming to unserved udp ports. If you
are using your system to route any type of packets (ie. via NAT)
you should put this module at the end of your ruleset, since it will
drop packets that aren't going to ports that are listening on your
machine itself, it doesn't take into account that the packet might be
destined for someone on your internal network if you're using NAT for
instance.

5: In my system grsec.log :) It uses the kernel ring buffer.
6: Maybe. Try it, and configure the pax, and grsec right.

And see the docs, if You don't know what You do, the security will be weak.
fonya
 
Posts: 36
Joined: Thu Mar 28, 2002 11:22 am

Postby TheOneAndOnlySM » Fri Sep 10, 2004 9:25 pm

thanks for replying!

do you know what i need to echo and where i echo these to? (i assume somewhere in proc)
TheOneAndOnlySM
 
Posts: 4
Joined: Sat Aug 21, 2004 2:13 pm

Postby fonya » Sat Sep 11, 2004 1:55 pm

In the /proc/sys/kernel/grsecurity, and /proc/sys/kernel/pax I think, but I not use sysctl code, I compile it in the kernel.

For example:
echo 1 > /proc/sys/kernel/grsec/something
or,
sysctl -w kernel.grsec.something=1

BTW, if You don't know this, why do You want to use it? This is the basic knowledge for the kernel runtime configuration. Please read some docs, before
You get start this. (All grsec related docs int the Configure.help, all docs in the grsec site, and http://www.grsecurity.net/~spender/doc/ http://www.grsecurity.net/~spender/quickstart.doc and in the linux source Documentation/sysctl/*)
fonya
 
Posts: 36
Joined: Thu Mar 28, 2002 11:22 am

Postby TheOneAndOnlySM » Sat Sep 11, 2004 5:11 pm

well, i want to learn, so i have to find some resources, and the best resources are humans themselves; that is why i like forums

i know about sysctl, i just didn't know where the sysctl options were located; thanks for the information, grsecurity is working, but....

PaX still doesn't seem to be doing anything; running paxtest still shows everything with vulnerabilities, even when i have the randomisation options set and elf header marking, etc - i have tried with softmode enabled and disabled, but i cannot see anything in proc related to PaX

kernel 2.6.7 with latest grsec path... any ideas?
TheOneAndOnlySM
 
Posts: 4
Joined: Sat Aug 21, 2004 2:13 pm

Postby PaX Team » Sun Sep 12, 2004 4:49 am

TheOneAndOnlySM wrote:well, i want to learn, so i have to find some resources, and the best resources are humans themselves; that is why i like forums
then feel free to use this one as well ;-), there's a search button somewhere at the top, look for EI_PAX and read those threads, hopefully they will help.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm


Return to grsecurity support