Getting started with GrSecurity

  1. GrSecurity | Hardening Two, June 13, 2016 | Francesco Pira (fpira.com)
     A set of patches to harden your Linux kernel
  2. What it is
     • a set of kernel patches: grsecurity itself, PaX and TPE
     • a MAC (mandatory access control) system with RBAC, expressed as path-based ACLs
     • gradm, the utility that manages the RBAC system
     • PaX (memory protection)
     • paxctld, a daemon that applies per-binary PaX flags
  3. Development timeline
     • first lines written back in 2000/2001
     • still in active development
     • test patches are published (open source)
     • stable patches stopped being published last year (2015)
     • the PaX developers collaborate but are a separate team
     • PaX itself is still open source!
  4. Keywords
     • roles: a higher abstraction of users
     • subjects: an abstraction of executables
     • objects: an abstraction of system resources
     • policy: a set of rules (usually system-wide) that defines the behaviour of roles, subjects and objects
     • domains: combine roles of different groups together
  5. How it works
     • an object is a system resource or a capability
     • a subject is an executable (it accesses objects)
     • the admin role is the new root (root is treated as already compromised)
     • domains combine roles and groups together
     • path-based ACLs: the deeper (more specific) path has higher priority
     • role hierarchy: user role -> group role -> default role, with path-based matching within each
  6. Features
     • double authentication: a password is required to enter the grsec admin and shutdown roles
     • limits on system capabilities
     • default is deny-all (no rule means no execution)
     • learning mode, full-system or per-process
     • kernel auditing
     • improved file-system and chroot() security
     • Trusted Path Execution (TPE)
     • kernel and userspace memory protection
     • customise before compiling (via menuconfig)
     • at runtime, many settings are toggled via sysctl (kernel.grsecurity.*)
  7. How it works
  8. Installation
     1. download the Linux kernel sources
     2. download the grsecurity patch matching your kernel version
     3. verify the downloaded files (signatures), unpack and apply the patch
     4. customise with menuconfig
     5. compile and install the kernel
     6. install gradm and paxctld (and their dependencies)
  9. Post-installation
     1. set a password for the basic roles: admin (gradm -P) and shutdown (gradm -P shutdown)
     2. start the first full-system learning run (gradm -F -L /etc/grsec/learning.logs)
     3. use the system normally; do not perform bad actions, since anything you do now becomes allowed behaviour!
     4. check the output file (/etc/grsec/learning.logs)
     5. convert the learning log into a policy (gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy)
     6. enable grsec (gradm -E)
  10. Usage
     • gradm -S to check the status
     • gradm -E to enable, gradm -D to disable
     • gradm -C to check the policy for errors without enabling it
     • gradm -a [role] to authenticate into a role
     • gradm -u to leave the role again
     • gradm -F -L /etc/grsec/learning.logs for learning mode
     • ... -O /etc/grsec/policy to turn the learned rules into a policy
  11. A policy excerpt
     # Role: utentex
     subject /usr/lib/firefox/firefox o {
         /                              h
         /home/utentex                  r
         /home/utentex/Downloads        rwxcd
         /home/utentex/cartellasegreta  h
     }
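As an added example (not code from the slides or from gradm), the Python below parses the excerpt above and resolves what the firefox subject may do with a given path, using the "deeper path = higher priority" rule from slide 5 and the deny-all default from slide 6. The `role utentex u` line is an assumption: the slide shows only the comment `# Role: utentex`. The parser covers only the role/subject/object lines used in the excerpt; gradm's capability, socket and wildcard rules are not handled.

```python
import posixpath

# Constructed from the excerpt on the slide. The 'role utentex u' header is an
# assumption: the slide shows only the comment '# Role: utentex'.
SAMPLE_POLICY = """\
role utentex u
subject /usr/lib/firefox/firefox o {
    / h
    /home/utentex r
    /home/utentex/Downloads rwxcd
    /home/utentex/cartellasegreta h
}
"""


def parse_policy(text):
    """Minimal parser: role -> subject path -> {object path: mode string}.
    Covers only role/subject/object lines; gradm's capability, socket and
    wildcard rules are out of scope here."""
    policy = {}
    role = subject = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "role":
            role, subject = parts[1], None
            policy.setdefault(role, {})
        elif parts[0] == "subject":
            if role is None:
                raise ValueError("subject outside a role: " + raw)
            subject = posixpath.normpath(parts[1])
            policy[role][subject] = {}
        elif line == "}":
            subject = None
        elif subject is not None and parts[0].startswith("/"):
            mode = parts[1] if len(parts) > 1 else ""   # bare path = no access
            policy[role][subject][posixpath.normpath(parts[0])] = mode
        else:
            raise ValueError("unsupported line: " + raw)
    return policy


def _covers(rule, path):
    """A rule applies to the path itself and to everything below it, matching
    on whole path components ('/home/u' must not cover '/home/ux')."""
    return rule == "/" or path == rule or path.startswith(rule + "/")


def effective_mode(policy, role, subject, path):
    """Mode string of the deepest object rule covering path ('' = no rule,
    which under the deny-all default means no access)."""
    objects = policy[role][posixpath.normpath(subject)]
    path = posixpath.normpath(path)
    matches = [rule for rule in objects if _covers(rule, path)]
    if not matches:
        return ""
    return objects[max(matches, key=len)]   # deeper path wins


def allows(policy, role, subject, path, wanted):
    """True if every access letter in 'wanted' (r, w, x, c, d, ...) is granted.
    'h' hides the object: all access is denied, whatever else is in the mode."""
    mode = effective_mode(policy, role, subject, path)
    if "h" in mode:
        return False
    return all(letter in mode for letter in wanted)


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    ff = "/usr/lib/firefox/firefox"
    for p in ("/etc/passwd", "/home/utentex/.bashrc",
              "/home/utentex/Downloads/x.iso", "/home/utentex/cartellasegreta/key"):
        print(p, "->", effective_mode(pol, "utentex", ff, p) or "(no rule)")
```

Note how `/home/utentexfoo` falls back to the `/ h` rule rather than the `/home/utentex r` one: matching is per path component, which is why a rule for the home directory does not leak onto a sibling with a longer name.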
  12. The good
     • theoretically compatible with all Linux distros
     • can coexist with other LSM-based tools
     • good role management
     • inheritance of rules
     • policy syntax supports unions, intersections and wildcards (*, ?, [])
     • memory protection included
     • gradm refuses to enable a policy it judges too permissive
     • RAP (Reuse Attack Protector) to defend against code-reuse attacks
  13. The bad
     • the whole policy sits in one file
     • inconvenient for manual editing
     • rules cannot be written through gradm itself
     • the per-subject learning mode is unfriendly
     • you only have access to the test patches
     • stable is no longer public (and expensive!)
  14. About PaX
     • Protects from:
       • execution of injected arbitrary code
       • execution of existing code, but in a different order (return-to-libc / ROP style)
       • execution of existing code in its original order, but with attacker-supplied data
     • How?
       • NOEXEC (non-executable pages) and runtime checks on code mappings
       • ASLR, to better randomise memory addresses
       • per-binary flags stored in the executable header (PT_PAX_FLAGS); a freshly linked binary needs its PT_GNU_STACK header converted first (paxctl -c)
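As an added example (not from the slides, nor PaX's or paxctl's own code), the Python below shows what the last bullet means: it builds a constructed, non-executable ELF64 image that only has a PT_GNU_STACK header, retypes that header into PT_PAX_FLAGS the way `paxctl -c` does, and then sets paxctl-style per-feature letters (upper case forces a feature on, lower case forces it off, neither bit set means "kernel default"). The PT_PAX_FLAGS type value and the bit positions follow the definitions PaX adds to elf.h. On a real system use paxctl or paxctld rather than patching headers by hand.

```python
import struct

# ELF64 little-endian layouts (see elf(5)).
EHDR_FMT = "<16sHHIQQQIHHHHHH"
PHDR_FMT = "<IIQQQQQQ"
EHDR_SIZE = struct.calcsize(EHDR_FMT)   # 64
PHDR_SIZE = struct.calcsize(PHDR_FMT)   # 56

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PT_PAX_FLAGS = 0x65041580   # PT_LOOS + 0x5041580, the header type PaX reads

# p_flags bits of a PT_PAX_FLAGS header, keyed by the letters paxctl uses:
# upper case = force on, lower case = force off, neither = kernel default.
PAX_FLAGS = {
    "P": 1 << 4,  "p": 1 << 5,    # PAGEEXEC  (non-executable pages)
    "S": 1 << 6,  "s": 1 << 7,    # SEGMEXEC
    "M": 1 << 8,  "m": 1 << 9,    # MPROTECT  (no writable+executable mappings)
    "X": 1 << 10, "x": 1 << 11,   # RANDEXEC
    "E": 1 << 12, "e": 1 << 13,   # EMUTRAMP  (trampoline emulation)
    "R": 1 << 14, "r": 1 << 15,   # RANDMMAP  (mmap randomisation, ASLR)
}


def build_sample_elf():
    """Constructed ELF64 image: header + PT_LOAD + PT_GNU_STACK, no real code.
    It stands in for a freshly linked binary that has no PT_PAX_FLAGS yet."""
    phdrs = [
        (PT_LOAD, 0x5, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000),
        (PT_GNU_STACK, 0x6, 0, 0, 0, 0, 0, 16),
    ]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # 64-bit, LSB, v1
    ehdr = struct.pack(EHDR_FMT, ident, 2, 62, 1, 0x400000, EHDR_SIZE, 0, 0,
                       EHDR_SIZE, PHDR_SIZE, len(phdrs), 0, 0, 0)
    return bytearray(ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs))


def _phdr_offsets(elf):
    hdr = struct.unpack_from(EHDR_FMT, elf, 0)
    ident = hdr[0]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    return [phoff + i * phentsize for i in range(phnum)]


def find_phdr(elf, p_type):
    """Offset of the first program header of the given type, or None."""
    for off in _phdr_offsets(elf):
        if struct.unpack_from("<I", elf, off)[0] == p_type:
            return off
    return None


def convert_gnu_stack(elf):
    """The conversion the slide refers to (paxctl -c): PaX does not read
    PT_GNU_STACK, so that header is retyped as PT_PAX_FLAGS with no bits set.
    Returns True if converted, False if the binary already had PT_PAX_FLAGS."""
    if find_phdr(elf, PT_PAX_FLAGS) is not None:
        return False
    off = find_phdr(elf, PT_GNU_STACK)
    if off is None:
        raise ValueError("no PT_GNU_STACK header to convert")
    struct.pack_into("<II", elf, off, PT_PAX_FLAGS, 0)
    return True


def set_pax_flags(elf, letters):
    """Apply paxctl-style letters, e.g. 'mr' = disable MPROTECT and RANDMMAP.
    Setting one bit of a pair clears its opposite so the header stays consistent.
    Returns the resulting raw p_flags value."""
    off = find_phdr(elf, PT_PAX_FLAGS)
    if off is None:
        raise ValueError("no PT_PAX_FLAGS header; convert the binary first")
    cur = struct.unpack_from("<I", elf, off + 4)[0]
    for ch in letters:
        cur = (cur | PAX_FLAGS[ch]) & ~PAX_FLAGS[ch.swapcase()]
    struct.pack_into("<I", elf, off + 4, cur & 0xFFFFFFFF)
    return cur


def read_pax_flags(elf):
    """Letters currently forced on/off, or None if there is no PT_PAX_FLAGS."""
    off = find_phdr(elf, PT_PAX_FLAGS)
    if off is None:
        return None
    raw = struct.unpack_from("<I", elf, off + 4)[0]
    return "".join(ch for ch, bit in PAX_FLAGS.items() if raw & bit)


if __name__ == "__main__":
    elf = build_sample_elf()
    print("before:", read_pax_flags(elf))   # None
    convert_gnu_stack(elf)
    set_pax_flags(elf, "mr")                # e.g. what a JIT that needs W|X would get
    print("after:", read_pax_flags(elf))    # mr
```

The pairing of an "on" and an "off" bit per feature is the reason a header with no bits set is harmless: it simply defers to the kernel's defaults, which is what the freshly converted binary reports as an empty flag string.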
  15. Resources
     • Official Wiki (https://en.wikibooks.org/wiki/Grsecurity)
     • Debian Wiki (https://wiki.debian.org/grsecurity)
     • Gentoo Wiki (wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart)
     • forums.grsecurity.net
     • official mailing list
     • irc.oftc.net #grsecurity
     • https://grsecurity.net/rap_faq.php
     • PaX - Gentoo Wiki (https://wiki.gentoo.org/wiki/Project:Hardened/PaX_Quickstart)
     • chpax (8) - man online (http://dev.man-online.org/man8/chpax/)
     • TPE (https://wiki.gentoo.org/wiki/Hardened/Grsecurity_Trusted_Path_Execution)
  16. Questions? Thank you