#1 2012-09-17 10:46:40

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

I highly suggest all Archers install GRsecurity/PAX

I'd just got this new laptop and thought I'd give grsecurity & PaX a shot. I had always wanted to use it, but thought that it would simply be a massive pain in the butt and break everything. However, I am ecstatic to report that the linux-grsec kernel in the AUR is problem free!

When I configure the kernel by setting line 20 in the PKGBUILD to "_menuconfig=1", I then go to the security section, grsecurity, then change to the auto configuration option. Then just select desktop, Virtualization host, kvm, performance. I also disable sysctl and change the GID of the TPE to a different GID than the /proc group. I also tick all three TPE boxes (so my user can execute code owned by me and root that is not world or group writable, but nothing else). I don't give my user /proc access. I also change the processor to Core2 and Newer. Then you copy the .config file you created from /yaourt-tmp-$(whoami)/aur-linux-grsec/src/linux-#-#-#/.config to ~ and delete the directory /yaourt-tmp-$(whoami)/aur-linux-grsec. Then start the install again, copy the .config file to /yaourt-tmp-$(whoami)/aur-linux-grsec/config.x86_64 and change the 5th sha256sum hash to the modified config.x86_64 hash and leave line 20 set to _menuconfig=0 and allow it to compile with your new kernel config settings. I also just download the kernel and kernel version patch from kernel.org. I also check the gpg sigs, however you are getting the sha256sums out-of-band, so you should be fine.

With this setup I have a KDE desktop, and qemu/kvm VMs working flawlessly. If something does not work (the only things I have found are a kde settings bin and the kde splash page) you simply use paxctl which is very simple. You can tell by simply looking at journalctl. Like RWX memory remapping is blocked by MPROTECT. However, almost everything is set up for you by the linux-pax-flags package. (Don't even bother with VirtualBox though, in order to make it work you must disable critical pax kernel settings, and even then I could not get it to work.)

To sum it up. Arch Linux is a fantastic distro to run hardened. Don't be scared off by the gentoo hardened wiki. It's easy as pie. If you can install Arch you can install Hardened Arch, and your laptop will work fine ;)

# Grsecurity
#
CONFIG_TASK_SIZE_MAX_SHIFT=47
CONFIG_PAX_USERCOPY_SLABS=y
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CONFIG_AUTO=y
# CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
# CONFIG_GRKERNSEC_CONFIG_SERVER is not set
CONFIG_GRKERNSEC_CONFIG_DESKTOP=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_HOST=y
CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_SOFT is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_XEN is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_KVM=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX is not set
CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF=y
# CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY is not set

#
# Default Special Groups
#
CONFIG_GRKERNSEC_PROC_GID=6666
CONFIG_GRKERNSEC_TPE_GID=7777
CONFIG_GRKERNSEC_SYMLINKOWN_GID=33

#
# Customize Configuration
#

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_XATTR_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
# CONFIG_PAX_ELFRELOCS is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
CONFIG_PAX_MEMORY_STACKLEAK=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y
# CONFIG_PAX_SIZE_OVERFLOW is not set
# CONFIG_PAX_LATENT_ENTROPY is not set

#
# Memory Protections
#
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_KERN_LOCKOUT=y

#
# Role Based Access Control Options
#
# CONFIG_GRKERNSEC_NO_RBAC is not set
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_SYMLINKOWN=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
CONFIG_GRKERNSEC_ROFS=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
CONFIG_GRKERNSEC_AUDIT_PTRACE=y
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_INVERT=y

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl Support
#
# CONFIG_GRKERNSEC_SYSCTL is not set

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=6

Last edited by hunterthomson (2012-09-17 22:25:36)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec
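
Added example (not part of the original post, and not code from the linux-grsec package): a shell check that a kernel .config still matches the choices described in this thread, namely all three TPE options on, sysctl support off, CONFIG_GRKERNSEC_IO off, and a TPE GID that differs from the /proc GID. The function names and the sample excerpt are made up for illustration.

```bash
# Added example: audit a kernel .config against the choices described in this thread.
# kconfig_get, audit_grsec_config and demo_config are hypothetical helper names.
# Print an option's value, or "n" when it is absent or "# CONFIG_X is not set".
kconfig_get() {
    awk -F= -v o="$2" '$1 == o { v = substr($0, length(o) + 2) }
        END { print (v == "" ? "n" : v) }' "$1"
}

# Print one FAIL line per deviation; the return status is the number of deviations.
audit_grsec_config() {
    cfg=$1 fails=0
    while read -r opt want; do
        got=$(kconfig_get "$cfg" "$opt")
        if [ "$got" != "$want" ]; then
            echo "FAIL $opt: expected $want, found $got"
            fails=$((fails + 1))
        fi
    done <<'EOF'
CONFIG_GRKERNSEC y
CONFIG_GRKERNSEC_TPE y
CONFIG_GRKERNSEC_TPE_ALL y
CONFIG_GRKERNSEC_TPE_INVERT y
CONFIG_GRKERNSEC_SYSCTL n
CONFIG_GRKERNSEC_IO n
EOF
    tpe=$(kconfig_get "$cfg" CONFIG_GRKERNSEC_TPE_GID)
    if [ "$tpe" = "$(kconfig_get "$cfg" CONFIG_GRKERNSEC_PROC_GID)" ]; then
        echo "FAIL CONFIG_GRKERNSEC_TPE_GID: same as CONFIG_GRKERNSEC_PROC_GID ($tpe)"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample with two deliberate deviations: sysctl on, TPE GID equal to /proc GID.
demo_config() {
    cat <<'EOF'
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_PROC_GID=6666
CONFIG_GRKERNSEC_TPE_GID=6666
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_INVERT=y
CONFIG_GRKERNSEC_SYSCTL=y
EOF
}
tmp=$(mktemp) && demo_config > "$tmp"
audit_grsec_config "$tmp" || echo "config deviates from the settings described"
rm -f "$tmp"
```

Pointing `audit_grsec_config` at the config.x86_64 copied into the build directory before recompiling catches a menuconfig run that silently reverted one of these options.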


#2 2012-09-17 11:12:25

thisoldman
Member
From: Pittsburgh
Registered: 2009-04-25
Posts: 1,172

Re: I highly suggest all Archers install GRsecurity/PAX

Please surround your quoted code with the BBCode tags [code] and [/code]. It makes it easier for others to scan and parse, especially with all the differing display devices available.


#3 2012-09-17 11:12:36

DSpider
Member
From: Romania
Registered: 2009-08-23
Posts: 2,273

Re: I highly suggest all Archers install GRsecurity/PAX

You should use [ code ] tags when posting code.


Edit: Thanks. Easier to scroll now, especially on a widescreen monitor (where vertical space is precious).

Last edited by DSpider (2012-09-17 15:50:34)


"How to Succeed with Linux"

I have made a personal commitment not to reply in topics that start with a lowercase letter. Proper grammar and punctuation is a sign of respect, and if you do not show any, you will NOT receive any help (at least not from me).


#4 2012-09-17 14:35:05

brebs
Member
Registered: 2007-04-03
Posts: 3,456

Re: I highly suggest all Archers install GRsecurity/PAX

Is this with the *nvidia* driver? Just seeking reassurance that it works - seems to.


#5 2012-09-17 14:40:29

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 13,429

Re: I highly suggest all Archers install GRsecurity/PAX

Looks like something I may have to try in my copious spare time :)

Have you considered creating a Wiki entry?


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
You assume people are rational and influenced by evidence.  You must not work with the public much. -- Trilby
----
How to Ask Questions the Smart Way


#6 2012-09-17 15:08:42

Stebalien
Member
Registered: 2010-04-27
Posts: 1,227
Website

Re: I highly suggest all Archers install GRsecurity/PAX

PAX is very useful and helps protect against quite a few common exploits but, in my experience, a pain to maintain (exception flags have to constantly be fixed when updating). Of course, if pacman ever gets hooks support, maintaining extended attributes could become quite a bit easier.

GRsecurity, on the other hand, is designed to protect against kernel privilege escalation vulnerabilities. This is pretty much useless on personal computers where the principal user is constantly switching to an administrative/root context. However, it can help protect against non-targeted attacks that assume an unhardened kernel.

If you are interested in security and have time to spare, I highly recommend that you try out Tomoyo and profile your entire system.


Steven [ web : git ]
GPG:  327B 20CE 21EA 68CF A7748675 7C92 3221 5899 410C
Do not email: honeypot@stebalien.com


#7 2012-09-17 21:39:44

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: I highly suggest all Archers install GRsecurity/PAX

Ah, I am using the i915 intel video driver for my i7 HD4000 graphics. I would guess the FOSS drivers work fine. In any case the linux-grsec kernel installs with -grsec at the end of the name so it does not overwrite the default Arch kernel. You can always just select the normal kernel in grub to boot without grsec if it does not work.

***

When you update a package, yes the pax flags are not set on the new bins, but you can just run linux-pax-flags again which will set all the pax flags again. It is also best to tell the linux-pax-flags package maintainer about the extra programs/flags that you need to set so he/she will add them to the linux-pax-flags script.

Ya, there is a need to set up more access controls. I'm going to try out the RBAC system in grsecurity. I also have AIDE set up and saving the integrity database to an encrypted SD card that is only mounted when AIDE is run. That way I'll at least know if my system gets messed with.

Yes, being a desktop and running the biggest attack vectors like Firefox, Java, Flash running as your normal user which is in the wheel group is a kind of big hole. However, RBAC can take care of that. Ideally it would be best to create another user that is in the wheel group that is used for yaourt and stuff. Then edit /etc/securetty to only allow root and that wheel user to log in from a local tty.

All measures are just mitigating security risks. Even with the normal user in the wheel group things are still far more secure. Like the local TOR proxy is run as the tor user, apache is run as apache. The CONFIG_GRKERNSEC_BRUTE protects sshd from being bruteforce exploited. It will also harden your TCP/IP stack, so you have random sequence numbers and a black-hole to send things to. It will turn chroot into a real BSD-like jail.

Long story short. It is very easy and basically trouble free, so I see little reason not to use grsecurity/pax. Even if you don't set it up as hard as possible, it will still greatly reduce the attack surface, and getting used to using it will be a very attractive job skill.

Last edited by hunterthomson (2012-09-17 22:31:08)



#8 2012-10-05 11:41:51

ph0tios
Member
Registered: 2008-02-23
Posts: 126

Re: I highly suggest all Archers install GRsecurity/PAX

It is a viable option for a desktop? Is RBAC that difficult to configure?


#9 2012-10-06 05:03:03

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: I highly suggest all Archers install GRsecurity/PAX

ph0tios wrote:

It is a viable option for a desktop? Is RBAC that difficult to configure?

Yes, both grsecurity and RBAC are 100% viable. The package linux-pax-flags in AUR takes care of any problem you would have with PAX. It is basically just a bash script that sets all the pax flags for you. If you find an executable that needs different flags set, just comment on the AUR post and it will be added.

Ya, RBAC has learning mode, it is basically very much like AppArmor.

Oh, and even if your user is in the wheel group. The attacker would still have to bruteforce your password to gain elevated privileges.

The only kernel config option that needs to be disabled for a desktop is CONFIG_GRKERNSEC_IO
https://en.wikibooks.org/wiki/Grsecurit … eged_I.2FO

Last edited by hunterthomson (2012-10-06 05:31:18)



#10 2012-10-11 00:49:14

ph0tios
Member
Registered: 2008-02-23
Posts: 126

Re: I highly suggest all Archers install GRsecurity/PAX

Thanks for the info! I'm going to give it a try today. Hopefully all goes well.


#11 2012-11-13 02:22:29

phects
Member
Registered: 2010-08-31
Posts: 10

Re: I highly suggest all Archers install GRsecurity/PAX

Thanks for recommending linux-grsec, hunterthomson! I can only join in ;).

I've never tried to run linux-grsec or linux-pax with proprietary drivers from amd/ati or nvidia but I included a linux-{grsec,pax}-headers package, so it might work. At least I got no negative feedback for this, yet. The VirtualBox modules appear to have problems being compiled against a grsec/PaX kernel.

I would change a kernel config like this (assuming we're in the PKGBUILDs directory):

MENUCONFIG=1 makepkg
cp src/linux-*/.config config.$(uname -m)
makepkg -g >> PKGBUILD
makepkg

I agree on the usefulness of pacman hooks for setting PaX flags but, myself, experience almost no problems maintaining the flags.
