grsecurity forums

[evilangel]

Hi all,

I have successfully installed GrSecurity/Pax on a server.
However, except running poorly a uname, how can I check if GrSecurity and/or Pax are well installed ?

Thanks

[PaX Team]

However, except running poorly a uname, how can I check if GrSecurity and/or Pax are well installed ?

try paxtest or 'grep PaX /proc/pid/status' also shows what's active on a given task. kernel self-protection features are a bit hard to test without risking a kernel oops or crash.

[evilangel]

I was on http://www.adamantix.org/paxtest/ to get paxtest.
The server is down.
Howver, it seems to be the original point of the project.

1/ Is paxtest still alive ?

kernel self-protection features are a bit hard to test without risking a kernel oops or crash.

The server is not already in production, so I can crash it as mush as i enjoy
But, in my understanding, in need black hat tool to test pax/grsecurity good installation on my server, no ?

Thanks for these information

[PaX Team]

1/ Is paxtest still alive ?

Peter stopped developing it a while ago and i took it over, my test dir has the latest paxtest as well (it's quite old though and badly needs a rewrite .

The server is not already in production, so I can crash it as mush as i enjoy
But, in my understanding, in need black hat tool to test pax/grsecurity good installation on my server, no ?

for testing read-only kernel memory (part of KERNEXEC) you can use a simple dd into /dev/mem at the proper offset, but for testing the other features you'll need a kernel module or some exploit that triggers a real bug and runs afoul of a protection mechanism.

[evilangel]

Peter stopped developing it a while ago and i took it over, my test dir has the latest paxtest as well

OK. Is your test dir public (to download paxtest)?

Thanks for information

[PaX Team]

OK. Is your test dir public (to download paxtest)?

it's linked from the PaX homepage: http://www.grsecurity.net/~paxguy1/

[evilangel]

OK.

Thanks a lot !

[evilangel]

I downloaded, compiled and lauched paxtest.
I launched it on a system I patched with grsecurity in medium mode.

I am surprised of the output of paxtest: everything is vulnerable.

Code: Select all

bob@mars:/tmp/paxtest-0.9.7-pre5$ ./paxtest kiddie
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Mode: kiddie
Linux malibu 2.6.24.5-grsec #1 Sat Aug 9 19:47:27 CEST 2008 i686 GNU/Linux

Executable anonymous mapping             : Vulnerable
Executable bss                           : Vulnerable
Executable data                          : Vulnerable
Executable heap                          : Vulnerable
Executable stack                         : Vulnerable
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect)              : Vulnerable
Anonymous mapping randomisation test     : 18 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Heap randomisation test (ET_DYN)         : 24 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (ET_DYN)   : 16 bits (guessed)
Shared library randomisation test        : 18 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 24 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 24 bits (guessed)
Return to function (strcpy)              : Vulnerable
Return to function (strcpy, RANDEXEC)    : Vulnerable
Return to function (memcpy)              : Vulnerable
Return to function (memcpy, RANDEXEC)    : Vulnerable
Executable shared library bss            : Vulnerable
Executable shared library data           : Vulnerable
Writable text segments                   : Vulnerable

bob@mars:/tmp/paxtest-0.9.7-pre5$

Is my system really weak? Or is paxtest deprecated and provinding false positive?

Ps: part of my config file

Code: Select all

bob@mars:/boot$ grep -i  medium config-2.6.24.5-grsec
CONFIG_GRKERNSEC_MEDIUM=y
bob@mars:/boot$

Thanks

[spender]

It's mentioned in the configuration help for the option what features are enabled in the medium security settings. The current list of PaX options enabled in the medium security is: PAX_RANDUSTACK, PAX_ASLR, PAX_RANDMMAP, and PAX_REFCOUNT. So you're only getting userland ASLR support and protection against a specific class of bugs in the kernel. You'll need to use security levels high or custom to get non-executable page support from PaX.

-Brad

[evilangel]

Ok, thanks for this.
I'll try in security level high.