(This article is for readers already familiar with the subject. Everyone else will get more out of it after reading my previous articles about Hardened Gentoo: description, installation, configuration, impressions.)
This article is about configuring GrSecurity / PaX in the Linux kernel (the links I gave are Russian-language, but the English-language ones are much more informative). Everything described below applies to Hardened Gentoo (kernel 3.1.5), but it can be used in any distribution: you will not have Gentoo's preset workstation / server / virtualization security levels there, but with the description in this article they are easy to reproduce by hand.
In addition, I ran a small performance test to determine how much GrSecurity / PaX slows the system down. The tests were run on a Core2Duo in a 32-bit OS in single-user mode, compiling the kernel with -j3; the average user + sys time over three runs was taken. Kernel build time was compared against a reference build: GrSecurity and PaX disabled in the kernel, and the ordinary, non-hardened gcc.
So, we have 6 preset security levels (Security options → Grsecurity → Security Level):
- Low
- Medium
- High
- Hardened Gentoo [server]
- Hardened Gentoo [workstation]
- Hardened Gentoo [virtualization]
I did not test Low and Medium; I don't think anyone uses them.
Here is the list of kernel options that differ between these security levels ("+" means the level turns the option on, "-" that it turns it off, and an empty cell that the level leaves the option's current value unchanged; CONFIG_PAX_KERNEXEC_MODULE_TEXT is a size in MB):

| Option | high | server | ws | virt |
|---|---|---|---|---|
| CONFIG_X86_32_LAZY_GS | - | - | | |
| CONFIG_CC_STACKPROTECTOR | - | - | | |
| CONFIG_GRKERNSEC_IO | | + | | |
| CONFIG_GRKERNSEC_KERN_LOCKOUT | + | | | |
| CONFIG_GRKERNSEC_PROC_ADD | + | + | | |
| CONFIG_GRKERNSEC_SYSFS_RESTRICT | + | | | |
| CONFIG_GRKERNSEC_PROC_IPADDR | | + | + | + |
| CONFIG_GRKERNSEC_RWXMAP_LOG | | + | + | + |
| CONFIG_GRKERNSEC_SYSCTL | | + | + | + |
| CONFIG_GRKERNSEC_SYSCTL_ON | | + | + | + |
| CONFIG_PAX_PER_CPU_PGD | + | + | + | - |
| CONFIG_PAX_ELFRELOCS | + | | | |
| CONFIG_PAX_KERNEXEC | + | + | + | - |
| CONFIG_PAX_KERNEXEC_MODULE_TEXT | 4 | 4 | 4 | - |
| CONFIG_PAX_MEMORY_SANITIZE | | + | + | + |
| CONFIG_PAX_MEMORY_UDEREF | + | + | | - |
(CC_STACKPROTECTOR is disabled as a consequence of enabling PAX_MEMORY_UDEREF: on 32-bit x86 both want the %gs segment register, so the two cannot be combined.)
As you can see, a level does not set every option, so switching between levels can leave you with different option sets at the same level. For example, switching from server to workstation leaves UDEREF enabled, while switching from virtualization to workstation leaves it disabled. This is the intended behaviour (an empty cell means the level does not touch the option), but keep it in mind and re-check all the settings after switching between the predefined security levels.
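To make that re-check mechanical, here is an added example (my own script, not part of the original article or of Gentoo): it normalises the GRKERNSEC/PAX options of two kernel .config files and prints only the options whose values differ, so you can save .config before switching the Security Level and diff it against the result. The two .config fragments embedded below are constructed for the demo from the table above (the [server] and [virtualization] columns); they are not real Gentoo output.

```sh
#!/bin/sh
# Added example, not from the original article: list the GrSecurity/PaX options
# whose values differ between two kernel .config files, e.g. the .config saved
# before and after switching "Security Level" in menuconfig.
# Needs only POSIX sh, awk, sort, join. Usage: sh grsec-cfg-diff.sh OLD NEW
export LC_ALL=C

# grsec_opts FILE: print "CONFIG_NAME VALUE" for every GRKERNSEC/PAX option,
# with "# CONFIG_X is not set" rendered as "CONFIG_X n", sorted for join(1).
grsec_opts() {
    awk '
        /^CONFIG_(GRKERNSEC|PAX)_[A-Z0-9_]*=/ { split($0, kv, "="); print kv[1], kv[2]; next }
        /^# CONFIG_(GRKERNSEC|PAX)_[A-Z0-9_]* is not set$/ { print $2, "n" }
    ' "$1" | sort
}

# grsec_cfg_diff OLD NEW: print "CONFIG_NAME OLD_VALUE NEW_VALUE" for each
# option that changed. An option present in only one file shows "-" on the
# other side (menuconfig drops options whose dependency, such as PAX_KERNEXEC
# for PAX_KERNEXEC_MODULE_TEXT, is switched off).
grsec_cfg_diff() {
    a=$(mktemp) && b=$(mktemp) || return 1
    grsec_opts "$1" >"$a"
    grsec_opts "$2" >"$b"
    join -a 1 -a 2 -e - -o 0,1.2,2.2 "$a" "$b" | awk '$2 != $3'
    rm -f "$a" "$b"
}

# Constructed sample .config fragments (illustrative, not real Gentoo output):
# the first follows the [server] column of the table, the second the result of
# then selecting [virtualization], which touches only some of the options.
write_samples() {
    cat >"$1" <<'EOF'
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_MODULE_TEXT=4
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_MEMORY_SANITIZE=y
# CONFIG_PAX_MEMORY_STACKLEAK is not set
EOF
    cat >"$2" <<'EOF'
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
# CONFIG_PAX_PER_CPU_PGD is not set
# CONFIG_PAX_KERNEXEC is not set
# CONFIG_PAX_MEMORY_UDEREF is not set
CONFIG_PAX_MEMORY_SANITIZE=y
# CONFIG_PAX_MEMORY_STACKLEAK is not set
EOF
}

# demo_diff: compare the two constructed fragments.
demo_diff() {
    s=$(mktemp) && v=$(mktemp) || return 1
    write_samples "$s" "$v"
    grsec_cfg_diff "$s" "$v"
    rm -f "$s" "$v"
}

if [ $# -eq 2 ]; then
    grsec_cfg_diff "$1" "$2"
else
    demo_diff
fi
```

For the constructed pair the output is four lines (PER_CPU_PGD, KERNEXEC and UDEREF going from y to n, and KERNEXEC_MODULE_TEXT going from 4 to "-"); GRKERNSEC_IO does not appear because the virtualization level leaves it untouched, which is exactly the kind of carry-over the paragraph above warns about.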
Next, here is the list of options that none of the predefined security levels changes, i.e. they are left entirely under the user's control (for readability I show them both in CONFIG_* form and as they appear in menuconfig):

    CONFIG_GRKERNSEC_ACL_HIDEKERN
    CONFIG_GRKERNSEC_EXECLOG
    CONFIG_GRKERNSEC_CHROOT_EXECLOG
    CONFIG_GRKERNSEC_AUDIT_PTRACE
    CONFIG_GRKERNSEC_AUDIT_CHDIR
    CONFIG_GRKERNSEC_AUDIT_TEXTREL
    CONFIG_GRKERNSEC_BLACKHOLE
    CONFIG_PAX_EMUTRAMP
    CONFIG_PAX_MPROTECT_COMPAT
    CONFIG_PAX_MEMORY_STACKLEAK

    Grsecurity --->
        [*] Grsecurity
        Role Based Access Control Options --->
            [ ] Hide kernel processes
        Kernel Auditing --->
            [ ] Exec logging
            [ ] Log execs within chroot
            [ ] Ptrace logging
            [ ] Chdir logging
            [ ] ELF text relocations logging (READ HELP)
        Network Protections --->
            [ ] TCP/UDP blackhole and LAST_ACK DoS prevention
        PaX --->
            [*] Enable various PaX features
            Non-executable pages --->
                [ ] Emulate trampolines
                [ ] Use legacy/compat protection demoting (read help)
            Miscellaneous hardening features --->
                [ ] Sanitize kernel stack
All other GrSecurity / PaX options are enabled at all security levels.
Now for performance. Enabling every option that increases security costs about 5% of performance. Disabling CONFIG_PAX_MEMORY_STACKLEAK reduces the drop to 3%; additionally disabling CONFIG_PAX_MEMORY_SANITIZE brings it down to 1%. Honestly, my personal opinion is that neither of these two options is needed on workstations, nor on most servers. Losing 1% of performance in exchange for almost all the features of GrSecurity / PaX is definitely worth it; whether to lose a further 4% on these two features is for you to decide.
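The measurement method described above (several runs, average of user + sys CPU time, compared with a reference build) as a small reusable harness. This is an added example of mine, not a script from the article; it works for any command, so the stand-alone demo times a constructed CPU-bound shell loop, and the kernel-build paths in the comment are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original article: N runs of a command, average
# user+sys CPU seconds, and the percentage slowdown against a reference run.
# POSIX sh only (uses the `times` builtin, not /usr/bin/time).

# bench_avg RUNS CMD [ARGS...]: run CMD RUNS times, print average user+sys
# seconds with three decimals. If BENCH_PREP is set it is eval'd before every
# run, outside the timed region (e.g. BENCH_PREP='make -C /usr/src/linux clean'
# so that each kernel build starts from a clean tree).
bench_avg() {
    n=$1; shift
    i=0; total=0
    while [ "$i" -lt "$n" ]; do
        eval "${BENCH_PREP:-:}" >/dev/null 2>&1
        # `times` in the subshell reports the CPU time of the subshell's
        # children, i.e. of CMD; its second line is "MMmSS.SSs MMmSS.SSs"
        # (user, then sys). It must not sit in a pipeline, which would fork it
        # into a fresh process with no children.
        t=$( "$@" >/dev/null 2>&1; times )
        total=$(printf '%s\n' "$t" | awk -v acc="$total" 'NR == 2 {
            for (k = 1; k <= 2; k++) { split($k, p, /[ms]/); acc += p[1] * 60 + p[2] }
            printf "%.3f\n", acc
        }')
        i=$((i + 1))
    done
    awk -v t="$total" -v n="$n" 'BEGIN { printf "%.3f\n", t / n }'
}

# slowdown_pct REF NEW: percentage by which NEW seconds exceed REF seconds,
# one decimal; negative if NEW is faster.
slowdown_pct() {
    awk -v r="$1" -v x="$2" 'BEGIN { printf "%.1f\n", (x - r) / r * 100 }'
}

# The article's measurement with hypothetical tree locations would be:
#   BENCH_PREP='make -C /usr/src/linux-ref clean'
#   ref=$(bench_avg 3 make -C /usr/src/linux-ref -j3)   # GrSecurity/PaX off, plain gcc
#   BENCH_PREP='make -C /usr/src/linux clean'
#   new=$(bench_avg 3 make -C /usr/src/linux -j3)       # hardened config and toolchain
#   slowdown_pct "$ref" "$new"
# Stand-alone demo on a constructed CPU-bound command:
avg=$(bench_avg 3 sh -c 'i=0; while [ "$i" -lt 200000 ]; do i=$((i + 1)); done')
echo "average user+sys over 3 runs: ${avg}s"
```

Compare user + sys rather than wall-clock time, as the article does: on a -j3 build wall-clock time also reflects I/O and scheduling noise, while CPU time isolates the per-instruction overhead of KERNEXEC, UDEREF, STACKLEAK and SANITIZE.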
And finally, the compatibility of all this with a regular home workstation, where you need X, the proprietary nvidia driver, Skype and VMware. This is the situation at the moment; it may, of course, change in the future.
- Xorg. Disable CONFIG_GRKERNSEC_IO.
- VMware. You need to disable CONFIG_PAX_KERNEXEC and CONFIG_PAX_MEMORY_UDEREF. If either (or both) of these options is enabled, VMware reboots the host OS when you try to start a guest!
- Nvidia. If CONFIG_PAX_KERNEXEC is enabled, raise CONFIG_PAX_KERNEXEC_MODULE_TEXT from the default 4 to 16: the nvidia module is ~10 MB and simply cannot load under a 4 MB limit.
- Skype. Now works without any special treatment. Some time ago version 2.2 would not start with CONFIG_PAX_EMUTRAMP turned off (which is actually strange: firstly, 2.1 worked fine without it, and secondly, for EMUTRAMP to work you must not only enable the option in the kernel but also activate it via paxctl for the specific program, yet 2.2 started working without activation via paxctl; most likely this was caused by a kernel bug that has since been fixed).
- Wireshark. When started as a non-root user, CONFIG_GRKERNSEC_BRUTE triggers and kills all of the current user's processes for 15 minutes. You must either disable this option or disable kernel.grsecurity.deter_bruteforce via sysctl (or simply do not run wireshark as a regular user until this bug is fixed). Update: I managed to catch this bug; the problem is in libpcap-1.1.1-r1 and is already fixed in libpcap-1.2.1 (wireshark still does not work as a normal user, but it no longer crashes). Update 2: disabling CONFIG_GRKERNSEC_SYSFS_RESTRICT and enabling CONFIG_NF_CT_NETLINK lets wireshark work correctly as a regular user even with libpcap-1.1.1-r1.
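The compatibility list above, turned into a check you can run against a kernel .config before rebooting into it. This is an added example of mine, not a tool from the article or from Gentoo: it reads a .config (the /boot/config-... path in the usage comment is hypothetical), takes the software you run on the box as arguments, and reports the options the article says will bite, including the sysctl workaround for the brute-force deterrent. The sample .config it checks stand-alone is constructed for the demo and contains exactly the settings the list warns about.

```sh
#!/bin/sh
# Added example, not from the original article: audit a kernel .config for the
# GrSecurity/PaX settings the article reports as incompatible with a home
# workstation (Xorg, VMware, the nvidia module, Wireshark as non-root).
# Read-only: it changes nothing. Usage (hypothetical path):
#   sh grsec-desktop-check.sh /boot/config-3.1.5-hardened xorg nvidia vmware wireshark

# cfg_val FILE OPTION: print the option's value ("y", "4", ...), or "n" when the
# option is "is not set" or absent from the file altogether.
cfg_val() {
    v=$(sed -n "s/^$2=//p" "$1")
    printf '%s\n' "${v:-n}"
}

# desktop_check FILE [xorg|vmware|nvidia|wireshark ...]: one line per finding;
# exit status 1 if anything needs attention, 0 if the config is clean.
desktop_check() {
    f=$1; shift
    rc=0
    for sw in "$@"; do
        case $sw in
        xorg)
            [ "$(cfg_val "$f" CONFIG_GRKERNSEC_IO)" = y ] &&
                { echo "xorg: disable CONFIG_GRKERNSEC_IO"; rc=1; }
            ;;
        vmware)
            for o in CONFIG_PAX_KERNEXEC CONFIG_PAX_MEMORY_UDEREF; do
                [ "$(cfg_val "$f" "$o")" = y ] &&
                    { echo "vmware: disable $o (host reboots when a guest starts)"; rc=1; }
            done
            ;;
        nvidia)
            # Only relevant while KERNEXEC is on; the module text limit is in MB
            # and the option disappears from .config when KERNEXEC is off.
            if [ "$(cfg_val "$f" CONFIG_PAX_KERNEXEC)" = y ]; then
                mt=$(cfg_val "$f" CONFIG_PAX_KERNEXEC_MODULE_TEXT)
                [ "$mt" != n ] && [ "$mt" -lt 16 ] &&
                    { echo "nvidia: raise CONFIG_PAX_KERNEXEC_MODULE_TEXT from $mt to 16"; rc=1; }
            fi
            ;;
        wireshark)
            [ "$(cfg_val "$f" CONFIG_GRKERNSEC_SYSFS_RESTRICT)" = y ] &&
                { echo "wireshark: disable CONFIG_GRKERNSEC_SYSFS_RESTRICT"; rc=1; }
            [ "$(cfg_val "$f" CONFIG_NF_CT_NETLINK)" = n ] &&
                { echo "wireshark: enable CONFIG_NF_CT_NETLINK"; rc=1; }
            [ "$(cfg_val "$f" CONFIG_GRKERNSEC_BRUTE)" = y ] &&
                { echo "wireshark: CONFIG_GRKERNSEC_BRUTE is on; with libpcap older than 1.2.1 run 'sysctl -w kernel.grsecurity.deter_bruteforce=0' or upgrade libpcap"; rc=1; }
            ;;
        esac
    done
    return $rc
}

# Constructed sample .config (not real Gentoo output) with every setting the
# compatibility list above warns about.
write_sample_cfg() {
    cat >"$1" <<'EOF'
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
# CONFIG_NF_CT_NETLINK is not set
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_MODULE_TEXT=4
CONFIG_PAX_MEMORY_UDEREF=y
EOF
}

if [ $# -ge 2 ]; then
    desktop_check "$@"
else
    c=$(mktemp)
    write_sample_cfg "$c"
    desktop_check "$c" xorg vmware nvidia wireshark
    rm -f "$c"
fi
```

The nvidia rule deliberately stays quiet when KERNEXEC is off: the module text limit only exists under KERNEXEC, so the 16 MB advice applies to exactly the configurations where the VMware rule has not already told you to turn KERNEXEC off.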