
Hardened Gentoo: configuration

A Hardened Gentoo configuration consists of two parts: the kernel configuration and the access-control configuration (grsecurity RBAC or SELinux). I will show an example kernel configuration for 2.6.20; I have not set up RBAC or SELinux yet.

I think it is clearest to present the settings as they appear in make menuconfig; this also gives readers who have not met PaX and grsecurity before an overview of what they can do.

The options vary slightly between kernel versions, but not significantly.
PaX --->
  [*] Enable various PaX features
      PaX Control --->
        [ ] Support soft mode
        [*] Use legacy ELF header marking
        [*] Use ELF program header marking
            MAC system integration (none) --->
      Non-executable pages --->
        [*] Enforce non-executable pages
        [*]   Segmentation based non-executable pages
        [ ]   Emulate trampolines
        [*]   Restrict mprotect()
        [ ]     Disallow ELF text relocations
        [ ]   Enforce non-executable kernel pages
      Address Space Layout Randomization --->
        [*] Address Space Layout Randomization
        [*]   Randomize kernel stack base
        [*]   Randomize user stack base
        [*]   Randomize mmap() base
    Miscellaneous hardening features --->
      [ ] Sanitize all freed memory
      [*] Prevent invalid userland pointer dereference

Grsecurity --->
  Security Level (Custom) --->
  Address Space Protection --->
    [*] Deny writing to /dev/kmem, /dev/mem, and /dev/port
    [ ] Disable privileged I/O
    [*] Remove addresses from /proc/<pid>/[smaps|maps|stat]
    [*] Deter exploit bruteforcing
    [*] Runtime module disabling
    [*] Hide kernel symbols
  Role Based Access Control Options --->
    [*] Hide kernel processes
    (3)  Maximum tries before password lockout
    (30) Time to wait after max password tries, in seconds
  Filesystem Protections --->
    [*] Proc restrictions
    [*]   Restrict /proc to user only
    [*]   Additional restrictions
    [*] Linking restrictions
    [*] FIFO restrictions
    [*] Chroot jail restrictions
    [*]   Deny mounts
    [*]   Deny double-chroots
    [*]   Deny pivot_root in chroot
    [*]   Enforce chdir("/") on all chroots
    [*]   Deny (f)chmod +s
    [*]   Deny fchdir out of chroot
    [*]   Deny mknod
    [*]   Deny shmat() out of chroot
    [*]   Deny access to abstract AF_UNIX sockets out of chroot
    [*]   Protect outside processes
    [*]   Restrict priority changes
    [*]   Deny sysctl writes
    [*]   Capability restrictions
  Kernel Auditing --->
    [ ] Single group for auditing
    [ ] Exec logging
    [*] Resource logging
    [ ] Log execs within chroot
    [ ] Chdir logging
    [*] (Un)Mount logging
    [ ] IPC logging
    [*] Signal logging
    [*] Fork failure logging
    [ ] Time change logging
    [*] /proc/<pid>/ipaddr support
    [ ] ELF text relocations logging (READ HELP)
  Executable Protections --->
    [*] Enforce RLIMIT_NPROC on execs
    [*] Destroy unused shared memory
    [*] Dmesg(8) restriction
    [ ] Trusted Path Execution (TPE)
  Network Protections --->
    [*] Larger entropy pools
    [ ] Socket restrictions
  Sysctl support --->
    [*] Sysctl support
    [*]   Turn on features by default
  Logging Options --->
    (10) Seconds in between log messages (minimum)
    (4)  Number of messages in a burst (maximum)

[ ] Enable access key retention support
[ ] Enable different security models

The vast majority of these features are transparent to users. A couple are noticeable, though: first, ordinary users no longer see other users' processes, and second, they lose access to some files under /proc, so the output of ifconfig, route and similar commands is much sparser when run as an ordinary user.

Note that most of these features can be toggled at runtime via sysctl, which is usually a bad thing: what use is a protection if an attacker who has already gained root can simply switch it off via sysctl and then finish the job? Fortunately, the grsecurity settings can be locked against further sysctl changes. To do this, add to /etc/sysctl.conf:
kernel.grsecurity.disable_modules = 1
kernel.grsecurity.grsec_lock = 1

The first setting prohibits loading kernel modules (on servers it is best to build the kernel without module support at all; if that is not possible, load the required modules at boot and then set kernel.grsecurity.disable_modules so that nothing further can be loaded, which keeps anyone from slipping in a rootkit module :)), and the second prohibits changing any grsecurity setting. Keep the two lines in this order: sysctl applies the file top to bottom, and once grsec_lock is set the kernel refuses every further write to kernel.grsecurity.*, so a grsecurity line placed below the lock would never take effect.
The downside is that if you later need to load a module or disable some grsecurity feature (for example, the chroot restrictions when building a new Gentoo in a chroot), you will have to edit /etc/sysctl.conf and reboot.
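Since grsec_lock has to be the last grsecurity line in the file (anything below it is refused once the lock is applied), it is worth checking the file before rebooting into it. The following lint is an added example, not code from the original post: it parses a sysctl.conf, reports any kernel.grsecurity.* setting that comes after the lock, and reports a file that never sets the lock at all. The two sample configurations embedded in it are constructed for the demonstration.

```python
"""Lint a sysctl.conf for grsecurity lock ordering.

sysctl(8) applies a file top to bottom.  Once kernel.grsecurity.grsec_lock = 1
has been written, the kernel refuses every further write to kernel.grsecurity.*
(the lock included), so a lock line placed above other grsecurity settings
silently stops them from being applied, and a file with no lock at all leaves
the protections toggleable at runtime.  This checker reports both cases.
"""

GRSEC_PREFIX = "kernel.grsecurity."
GRSEC_LOCK = GRSEC_PREFIX + "grsec_lock"


def parse_sysctl_conf(text):
    """Yield (line_number, key, value) for every "key = value" line.

    Lines starting with '#' or ';' and blank lines are skipped, as sysctl does.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        yield lineno, key.strip(), value.strip()


def check_grsec_lock_order(text):
    """Return a list of problems; an empty list means the ordering is fine."""
    problems = []
    locked_at = None
    for lineno, key, value in parse_sysctl_conf(text):
        if not key.startswith(GRSEC_PREFIX):
            continue
        if locked_at is not None:
            problems.append("line %d: %s comes after grsec_lock (line %d) "
                            "and will be refused by the kernel"
                            % (lineno, key, locked_at))
        if key == GRSEC_LOCK and value == "1":
            locked_at = lineno
    if locked_at is None:
        problems.append("kernel.grsecurity.grsec_lock = 1 is not set; "
                        "grsecurity settings stay writable at runtime")
    return problems


# Constructed sample files for demonstration, not taken from any real system.
GOOD_CONF = """\
# grsecurity: stop module loading first, then lock every grsecurity sysctl
kernel.grsecurity.disable_modules = 1
kernel.grsecurity.grsec_lock = 1
"""

BAD_CONF = """\
# lock applied first, so the next grsecurity line is refused
kernel.grsecurity.grsec_lock = 1
kernel.grsecurity.disable_modules = 1
net.ipv4.ip_forward = 0
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        problems = check_grsec_lock_order(conf)
        print("%s: %s" % (name, "OK" if not problems else "; ".join(problems)))
```

To check a real file, pass its contents to check_grsec_lock_order (for example `check_grsec_lock_order(open("/etc/sysctl.conf").read())`); non-grsecurity keys such as net.ipv4.* are ignored, since the lock does not affect them.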

That is the whole configuration.

As a summary, here is the full set of commands that converts a Gentoo installation to Hardened:
emerge hardened-sources
# switch to the hardened profile
ln -snf ../usr/portage/profiles/hardened/x86/2.6/ /etc/make.profile
# set CFLAGS in /etc/make.conf, using -O2
# for example: CFLAGS="-march=pentium-m -O2 -pipe"
# set $PKGDIR (default /usr/portage/packages/): the -b option below stores
# binary packages there and -k reuses them, so nothing is built twice
emerge -C linux-headers
emerge linux-headers glibc binutils gcc-config gcc
# switch to the new gcc (see the GCC Upgrade Guide: http://www.gentoo.org/doc/en/gcc-upgrading.xml)
emerge -b glibc binutils gcc portage
emerge -bke system
emerge -ke world
glsa-check -l | grep '\[N\]'
# fix anything glsa-check reports as not yet applied
emerge -a --depclean
emerge -uDNa world
emerge paxtest paxctl gradm
revdep-rebuild
dispatch-conf
# merge the pending configuration file updates
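After the toolchain rebuild, the thing I want to confirm is that the binaries it produced actually carry the markings the kernel configuration above relies on: PIE executables for ASLR, a non-executable PT_GNU_STACK, a PT_GNU_RELRO segment, and the PT_PAX_FLAGS program header that PaX reads when "Use ELF program header marking" is enabled. The checker below is an added example, not code from the original post or from paxtest/paxctl; it parses only the ELF header and program headers (little-endian ELF64 layout, my choice for the example; ELF32 offsets differ), and the PaX flag bit positions and ELF constants are taken from the PaX and ELF headers. The two ELF images inside it are constructed header-only samples, not real binaries.

```python
"""Check an ELF64 binary for the markings a Hardened Gentoo toolchain produces.

Only the ELF header and program headers are read, so this works on any file
without loading it.  It reports whether the file is PIE (ET_DYN), whether
PT_GNU_STACK asks for an executable stack, whether a PT_GNU_RELRO segment is
present, and decodes the PT_PAX_FLAGS header that PaX consults when "Use ELF
program header marking" is enabled in the kernel.
"""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PT_PAX_FLAGS = 0x65041580
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

# PaX per-binary bits in p_flags of PT_PAX_FLAGS.  Each feature has an
# "enable" and a "disable" bit; neither set means "use the kernel default".
PAX_FLAG_BITS = (
    # letter, enable bit, disable bit
    ("P", 1 << 4, 1 << 5),     # PAGEEXEC
    ("S", 1 << 6, 1 << 7),     # SEGMEXEC
    ("M", 1 << 8, 1 << 9),     # MPROTECT
    ("X", 1 << 10, 1 << 11),   # RANDEXEC
    ("E", 1 << 12, 1 << 13),   # EMUTRAMP
    ("R", 1 << 14, 1 << 15),   # RANDMMAP
)


def decode_pax_flags(p_flags):
    """Render PaX flags like paxctl: upper case = on, lower case = off, '-' = default."""
    out = []
    for letter, on, off in PAX_FLAG_BITS:
        out.append(letter if p_flags & on else letter.lower() if p_flags & off else "-")
    return "".join(out)


def inspect_elf64(data):
    """Return the hardening-relevant header facts of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    info = {"pie": e_type == ET_DYN, "exec_stack": None,
            "relro": False, "pax_flags": None}
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            info["exec_stack"] = bool(p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            info["relro"] = True
        elif p_type == PT_PAX_FLAGS:
            info["pax_flags"] = decode_pax_flags(p_flags)
    return info


def findings(info):
    """List what a hardened build is expected to have but this file lacks."""
    issues = []
    if not info["pie"]:
        issues.append("not PIE (ET_EXEC): ASLR cannot randomize the executable base")
    if info["exec_stack"] is None:
        issues.append("no PT_GNU_STACK header")
    elif info["exec_stack"]:
        issues.append("PT_GNU_STACK requests an executable stack")
    if not info["relro"]:
        issues.append("no PT_GNU_RELRO segment (link with -z relro)")
    if info["pax_flags"] is None:
        issues.append("no PT_PAX_FLAGS header (PaX uses legacy EI_PAX marking "
                      "if present, otherwise kernel defaults)")
    return issues


def build_elf64(e_type, phdrs):
    """Construct a header-only x86-64 ELF image (demonstration input, not loadable)."""
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
            + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0,
                          0, 64, 56, len(phdrs), 64, 0, 0))
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                           for t, f in phdrs)


# Constructed samples: what a hardened build looks like versus a legacy one.
HARDENED_SAMPLE = build_elf64(ET_DYN, [
    (PT_GNU_STACK, PF_R | PF_W),
    (PT_GNU_RELRO, PF_R),
    (PT_PAX_FLAGS, (1 << 4) | (1 << 6) | (1 << 8) | (1 << 14)),  # P, S, M, R on
])
LEGACY_SAMPLE = build_elf64(ET_EXEC, [(PT_GNU_STACK, PF_R | PF_W | PF_X)])

if __name__ == "__main__":
    import sys
    targets = {"hardened sample": HARDENED_SAMPLE, "legacy sample": LEGACY_SAMPLE}
    for path in sys.argv[1:]:                      # optional: real binaries to inspect
        with open(path, "rb") as f:
            targets[path] = f.read()
    for name, data in targets.items():
        info = inspect_elf64(data)
        print("%s: PaX flags %s" % (name, info["pax_flags"] or "(none)"))
        for issue in findings(info):
            print("  - " + issue)
```

Run it with paths to freshly rebuilt binaries (e.g. `python check_elf.py /bin/ls /usr/bin/ssh`) after `emerge -e world`; a binary that still shows ET_EXEC or an executable stack was either built outside the hardened toolchain or had the protections disabled explicitly.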


Part one. Part two. To be continued...

Source: https://habr.com/ru/post/13097/
