Gentoo Forums
[solved] hardened server
Elleni
l33t
Joined: 23 May 2006
Posts: 746

PostPosted: Mon Nov 16, 2015 7:34 am    Post subject: [solved] hardened server

Hi all,

after a lot of reading I decided to try to harden my server. I emerged hardened-sources, compiled the kernel with grsecurity and PaX enabled, switched to the hardened profile, but did not have a look at SELinux yet.

The result is that I cannot emerge anything with the hardened-sources kernel booted. I often get an error while emerge tries to link, saying "file exists". Sometimes it says "bad interpreter"...

As soon as I boot the last gentoo-sources kernel, emerge works fine, so I don't know whether I am supposed to configure the system somehow in order to be able to emerge stuff with the hardened kernel/profile.

I basically used the automatic, not the custom, security configuration (Server / Security as priority (and not Performance) / virtual guest / VMware as hypervisor, although the hypervisor seems to be Parallels, but I could only choose from KVM, Xen, VMware or VirtualBox), so softmode is deactivated and RBAC is not active, which seemed ok to me, as I plan to use SELinux for role-based access control later on. Is the VMware choice ok, or would one of the other possibilities fit better for Parallels? What is needed to re-enable the system to successfully emerge packages from the tree?

Thanks in advance for giving me some hints in order to push me in the right direction :)


Last edited by Elleni on Sat Nov 21, 2015 12:52 pm; edited 1 time in total
mv
Watchman
Joined: 20 Apr 2005
Posts: 6276

PostPosted: Mon Nov 16, 2015 5:58 pm    Post subject: Re: hardened server

Elleni wrote:
I often get an error while emerge tries to link, saying "file exists". Sometimes it says "bad interpreter"...

This is all very strange and should, in my experience, not be related to hardened-sources. Maybe you are missing another kernel option (not related to hardened) like a certain CONFIG_BINFMT_* or CONFIG_IA32_EMULATION. If you have a hardened-specific problem, you should find a corresponding kernel message indicating that grsecurity has killed something and why.
But I have no experience with your virtual guests.
Elleni
l33t
Joined: 23 May 2006
Posts: 746

PostPosted: Wed Nov 18, 2015 1:16 am    Post subject:

Hello mv,

I see. I am recompiling the kernel with the config of the working gentoo-sources kernel now, as I had probably deactivated too many modules while trying to trim the kernel to a minimum. As soon as I can confirm that emerges run successfully I'll mark the topic as solved.

Thank you for your post, which pointed me in the right direction.

I love this forum! You are awesome, guys! Your help is really appreciated! :)
fayeseom
n00b
Joined: 02 Nov 2015
Posts: 2

PostPosted: Wed Nov 18, 2015 12:36 pm    Post subject: hardened server

In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability.
Elleni
l33t
Joined: 23 May 2006
Posts: 746

PostPosted: Thu Nov 19, 2015 10:27 pm    Post subject:

Re-Hi,

I managed to compile a hardened kernel that allows me to emerge stuff. In fact it is the following setting in grsecurity that stopped portage from successfully emerging packages:

Security Options / Grsecurity / Customize Configuration / Executable Protections / Invert GID option

dmesg shows the following after an attempt to emerge xz-utils, for example:

Code:
grsec: time set by /sbin/hwclock[hwclock:2053] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:2052] uid/euid:0/0 gid/egid:0/0

grsec: From [my ipadress: denied untrusted exec (due to not being in trusted group and file in non-root-owned directory) of /var/tmp/portage/app-arch/xz-utils-5.0.8/work/xz-5.0.8/configure by /var/tmp/portage/app-arch/xz-utils-5.0.8/work/xz-5.0.8/configure[ebuild.sh:3717] uid/euid:250/250 gid/egid:250/250, parent /usr/lib64/portage/python2.7/ebuild.sh[ebuild.sh:3716] uid/euid:250/250 gid/egid:250/250

grsec: From [myipadress]: denied untrusted exec (due to not being in trusted group and file in non-root-owned directory) of /var/tmp/portage/app-arch/xz-utils-5.0.8/work/xz-5.0.8/configure by /var/tmp/portage/app-arch/xz-utils-5.0.8/work/xz-5.0.8/configure[ebuild.sh:3723] uid/euid:250/250 gid/egid:250/250, parent /usr/lib64/portage/python2.7/ebuild.sh[ebuild.sh:3676] uid/euid:250/250 gid/egid:250/250

In the meantime I followed the SELinux installation guide and enabled strict mode. Now I cannot log in with my user account via ssh to the VPS using key-based authentication anymore (local login via the VNC console is still working though). Switching back to permissive mode allows me to ssh successfully.

Questions:
What am I supposed to change to re-enable portage to emerge successfully even with the Invert GID option activated?
How am I supposed to proceed in order to be able to ssh to my VPS in strict SELinux mode with my user account?

Thanks in advance for your help!
mv
Watchman
Joined: 20 Apr 2005
Posts: 6276

PostPosted: Fri Nov 20, 2015 6:33 am    Post subject:

Elleni wrote:
Invert GID option

Do you understand the meaning of this option? You should have specified a TPE group (numerically). portage must be a member of this group.
Roughly speaking, only members of this group will be able to run self-written binary programs: everybody else can only run programs from root-owned directories, i.e. ones they are not allowed to write to. (This does not prevent them from running interpreter scripts if they can run the interpreter, of course, but they cannot take advantage of the executable bit, e.g. they must run "sh script" instead of "./script", and they cannot run binary programs at all.)
Of course, portage has to run a lot of programs it has written (e.g. in the ./configure phase), so it must be a member of this TPE group.
depontius
Advocate
Joined: 05 May 2004
Posts: 3374

PostPosted: Fri Nov 20, 2015 4:45 pm    Post subject:

You leave the impression that you're trying to do both grsecurity and selinux. I don't believe you should be trying to do both at the same time, I'd choose one or the other.
Elleni
l33t
Joined: 23 May 2006
Posts: 746

PostPosted: Fri Nov 20, 2015 5:21 pm    Post subject:

mv, thank you. Obviously I did not understand it, but your explanation is helpful to me. Instead of creating a new group, I added portage to the wheel group, which has GID 10, and it works now. Thank you :)
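The fix above, together with mv's explanation of the Invert GID option two posts earlier, in working code. This is an added example and not code from the thread or from the grsecurity project: a small Python script that picks the "denied untrusted exec" lines out of dmesg, resolves the acting uid against /etc/passwd and /etc/group to see whether that user is already in the TPE group, and models the TPE decision as mv describes it. The sample dmesg, passwd and group excerpts are constructed after the output quoted in the thread (a documentation IP stands in for the poster's redacted address); the root exemption in `tpe_permits` is an assumption about the kernel's behaviour, not something the thread states.

```python
"""Triage grsecurity TPE ("trusted path execution") denials from dmesg and
check whether the acting user is in the configured TPE group.

Added example for this thread; not code from the forum or from grsecurity.
Sample data below is constructed after the dmesg lines quoted in the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample: the hwclock line and two TPE denials (portage, as in
# the thread, plus an ordinary user running a binary it built itself).
SAMPLE_DMESG = """\
grsec: time set by /sbin/hwclock[hwclock:2053] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:2052] uid/euid:0/0 gid/egid:0/0
grsec: From 192.0.2.10: denied untrusted exec (due to not being in trusted group and file in non-root-owned directory) of /var/tmp/portage/app-arch/xz-utils-5.0.8/work/xz-5.0.8/configure by /var/tmp/portage/app-arch/xz-utils-5.0.8/work/xz-5.0.8/configure[ebuild.sh:3717] uid/euid:250/250 gid/egid:250/250, parent /usr/lib64/portage/python2.7/ebuild.sh[ebuild.sh:3716] uid/euid:250/250 gid/egid:250/250
grsec: From 192.0.2.10: denied untrusted exec (due to not being in trusted group and file in non-root-owned directory) of /home/alice/build/a.out by /home/alice/build/a.out[bash:4101] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4100] uid/euid:1000/1000 gid/egid:1000/1000
"""

# Constructed account database excerpts; wheel is GID 10 as in the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
portage:x:250:250:portage:/var/tmp/portage:/bin/false
alice:x:1000:1000::/home/alice:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:root
wheel:x:10:root
portage:x:250:portage
"""
# The same file after the fix applied in the thread (portage added to wheel).
SAMPLE_GROUP_FIXED = SAMPLE_GROUP.replace("wheel:x:10:root", "wheel:x:10:root,portage")

DENIAL_RE = re.compile(
    r"denied untrusted exec \((?P<reason>[^)]*)\) of (?P<path>\S+) "
    r"by \S+\[(?P<comm>[^\]]+?):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/\d+ gid/egid:(?P<gid>\d+)/\d+"
)

@dataclass
class TpeDenial:
    path: str    # file whose execution was refused
    comm: str    # command name of the process that tried to exec it
    pid: int
    uid: int
    gid: int
    reason: str  # grsec's own explanation, as printed in parentheses

def parse_tpe_denials(dmesg_text):
    """Return the TPE denials found in dmesg text; other grsec lines are ignored."""
    found = []
    for line in dmesg_text.splitlines():
        m = DENIAL_RE.search(line)
        if m:
            found.append(TpeDenial(m["path"], m["comm"], int(m["pid"]),
                                   int(m["uid"]), int(m["gid"]), m["reason"]))
    return found

def username_for_uid(uid, passwd_text):
    for line in passwd_text.splitlines():
        f = line.split(":")
        if int(f[2]) == uid:
            return f[0]
    return None

def user_gids(username, passwd_text, group_text):
    """Primary GID from passwd plus supplementary GIDs from group."""
    gids = set()
    for line in passwd_text.splitlines():
        f = line.split(":")
        if f[0] == username:
            gids.add(int(f[3]))
    for line in group_text.splitlines():
        f = line.split(":")
        if username in f[3].split(","):
            gids.add(int(f[2]))
    return gids

def tpe_permits(uid, in_tpe_group, invert_gid, dir_owner_uid, dir_writable_by_others):
    """Model of the TPE decision as mv describes it: with the invert option the
    group is the trusted one and everybody else is restricted; without it the
    group itself is the restricted one.  Restricted users may only exec files
    in root-owned directories that others cannot write to.
    Assumption (not stated in the thread): root is exempt."""
    if uid == 0:
        return True
    restricted = (not in_tpe_group) if invert_gid else in_tpe_group
    if not restricted:
        return True
    return dir_owner_uid == 0 and not dir_writable_by_others

def triage(dmesg_text, tpe_gid, passwd_text, group_text):
    """For each denial, report who acted and whether that user is already in
    the TPE group; in_tpe_group == False means group membership explains it."""
    report = []
    for d in parse_tpe_denials(dmesg_text):
        user = username_for_uid(d.uid, passwd_text)
        gids = user_gids(user, passwd_text, group_text) if user else set()
        report.append({"user": user, "uid": d.uid, "path": d.path, "comm": d.comm,
                       "in_tpe_group": tpe_gid in gids, "reason": d.reason})
    return report

if __name__ == "__main__":
    for entry in triage(SAMPLE_DMESG, 10, SAMPLE_PASSWD, SAMPLE_GROUP):
        status = "in TPE group" if entry["in_tpe_group"] else "NOT in TPE group"
        print(f"{entry['user']} (uid {entry['uid']}) via {entry['comm']}: "
              f"{entry['path']} -> {status}")
```

On a real box the three sample strings would be replaced by the output of `dmesg` and the contents of /etc/passwd and /etc/group. On the choice of group: the fix in the thread uses wheel (GID 10), which works, but with the invert option every member of the chosen group becomes trusted to run binaries it wrote itself, so a dedicated group whose only member is portage, as mv suggests, keeps that trust as narrow as possible.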
Elleni
l33t
Joined: 23 May 2006
Posts: 746

PostPosted: Fri Nov 20, 2015 6:04 pm    Post subject:

Hello depontius,

I already read through wikis explaining grsecurity and enabled most of it. The only problem was TPE; in the meantime I also read the trusted path execution wiki, so I will now focus on SELinux.

I am trying to understand and learn these concepts as I want to have a hardened VPS.

My first problem to solve after having gone through the SELinux wiki is to enable my user account to ssh with key-based authentication. I can "locally" log in via VNC, but I cannot connect to the VPS through ssh in strict mode.

I guess I will do some more reading on SELinux. If someone could help me with best practice to ssh to my client, this would be a nice learning example :)