| View previous topic :: View next topic |
| Author |
Message |
Elleni
Veteran
Joined: 23 May 2006
Posts: 1270
|
 Posted: Mon Nov 16, 2015 7:34 am Post subject: [solved] hardened server |
 |
|
Hi all,
after a lot of reading I decided to try to harden my server. I emerged hardened-sources, compiled kernel with enabled grsecurity and Pax, switched to hardened Profile, but did not have a look at selinux, yet.
The result is, that I cannot emerge anything with hardened-sources kernel booted. I often get an error, while emerge tries to link and says file exists. Sometimes it say bad Interpreter...
As soon as I boot last gentoo-sources kernel, emerge works fine, so I dont know, wether I am supposed to configure the System somehow in order to be able to emerge stuff with hardened kernel/profile.
I basically used automatic, not custom security configuration (Server/Security as priority (and not Performance)/virtual guest/VMWware as hypervisor, although the hypervisor seems to be Parallels but I only could choose from: KVM, XEN, VMware or Virtualbox), so softmode is deactivated and rbac is not active, which seemed ok to me, as I plan to use selinux for role based access control later on. Is VMware choice ok, or would one of the other possibilities fit better for Parallels? What is needed to re-enable system to successfully emerge packages of the tree?
Thanks in advance for giving me some hints in order to push me to the right direction 
Last edited by Elleni on Sat Nov 21, 2015 12:52 pm; edited 1 time in total |
|
| Back to top |
|
 |
mv
Watchman
Joined: 20 Apr 2005
Posts: 6747
|
| Posted: Mon Nov 16, 2015 5:58 pm Post subject: Re: hardened server |
|
|
| Elleni wrote: | | I often get an error, while emerge tries to link and says file exists. Sometimes it say bad Interpreter... |
This is all very strange and should in my experience not be related with hardened-sources. Maybe you are missing another kernel option (not related to hardened) like a certain CONFIG_BINFMT_* or CONFIG_IA32_EMULATION. If you have a hardened-specific problem, you should find a corresponding kernel message indicating that grsecurity has killed something and why.
But I have no experience with your virtual guests. |
|
| Back to top |
|
|
Elleni
Veteran
Joined: 23 May 2006
Posts: 1270
|
| Posted: Wed Nov 18, 2015 1:16 am Post subject: |
|
|
Hello mv,
i see. I am recompiling kernel with config of working gentoo-sources kernel now, as I probably had deactivated to many modules, trying to trim kernel to minimum. As soon as I can confirm that emerges run successfully I'll mark topic as solved.
Thanks you for your post, which brought me to the right direction.
I love this forum! You are awesome, guys! Your help is really apreciated! |
|
| Back to top |
|
|
fayeseom
n00b
Joined: 02 Nov 2015
Posts: 2
|
| Posted: Wed Nov 18, 2015 12:36 pm Post subject: hardened server |
|
|
| In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability. |
|
| Back to top |
|
|
Elleni
Veteran
Joined: 23 May 2006
Posts: 1270
|
| Posted: Thu Nov 19, 2015 10:27 pm Post subject: |
|
|
Re-Hi,
I managed to compile a hardened kernel, that would allow me to emerge stuff. In fact it is the following setting in Grsecurity that stopped portage to successfully emerge packages:
Security Options / Grsecurity / Customize Configuration / Executable Protections/Invert GID option
dmesg shows the following after an atempt to emerge xz-utils for example:
| Code: | grsec: time set by /sbin/hwclock[hwclock:2053] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:2052] uid/euid:0/0 gid/egid:0/0
grsec: From [my ipadress: denied untrusted exec (due to not being in trusted group and file in non-root-owned directory) of /var/tmp/portage/app-arch/xz-utils-5.0.8/work/xz-5.0.8/configure by /var/tmp/portage/app-arch/xz-utils-5.0.8/work/xz-5.0.8/configure[ebuild.sh:3717] uid/euid:250/250 gid/egid:250/250, parent /usr/lib64/portage/python2.7/ebuild.sh[ebuild.sh:3716] uid/euid:250/250 gid/egid:250/250
grsec: From [myipadress]: denied untrusted exec (due to not being in trusted group and file in non-root-owned directory) of /var/tmp/portage/app-arch/xz-utils-5.0.8/work/xz-5.0.8/configure by /var/tmp/portage/app-arch/xz-utils-5.0.8/work/xz-5.0.8/configure[ebuild.sh:3723] uid/euid:250/250 gid/egid:250/250, parent /usr/lib64/portage/python2.7/ebuild.sh[ebuild.sh:3676] uid/euid:250/250 gid/egid:250/250
|
In the meantime I followed selinux installation guide and enabled stict mode. Now I cannot login with useraccount via ssh to the vps using keybased authentication anymore (local login via vnc console is still working though). Switching back to permissive mode allows me to successfully ssh.
Questions:
What am I supposed to change, to reenable portage to successfully emerge even with Invert GID option option activated?
How am I supposed to proceed in order to be able to ssh to my vps in strict selinux mode with my useraccount?
Thanks in advance for your help! |
|
| Back to top |
|
|
mv
Watchman
Joined: 20 Apr 2005
Posts: 6747
|
| Posted: Fri Nov 20, 2015 6:33 am Post subject: |
|
|
| Elleni wrote: | | Invert GID option |
Do you understand the meaning of this option? You should have specified a TPE group (numerically). portage must be a member of this group.
Roughly speaking, only members of this group will be able to run self-written binary programs: Everybody else can only run programs from root-owned directories, i.e. to which he is not allowed to write. (This does not prevent them to run interpreter scripts if they can run the interpreter, of course, but they cannot take advantage of the executable bit, e.g. they must run "sh script" instead of "./script" and cannot run binary programs at all.)
Of course, portage has to run a lot of programs it has written (e.g. in the ./configure phase), so it must be a member of this TPE group. |
|
| Back to top |
|
|
depontius
Advocate
Joined: 05 May 2004
Posts: 3509
|
| Posted: Fri Nov 20, 2015 4:45 pm Post subject: |
|
|
You leave the impression that you're trying to do both grsecurity and selinux. I don't believe you should be trying to do both at the same time, I'd choose one or the other.
_________________
.sigs waste space and bandwidth |
|
| Back to top |
|
|
Elleni
Veteran
Joined: 23 May 2006
Posts: 1270
|
| Posted: Fri Nov 20, 2015 5:21 pm Post subject: |
|
|
| mv, thank you. Obviously I did not understand it , but your explanation is helpfull to me. Instead of creating a new group. I added portage to the wheel group, which has GID 10 and it works now. Thank you |
|
| Back to top |
|
|
Elleni
Veteran
Joined: 23 May 2006
Posts: 1270
|
| Posted: Fri Nov 20, 2015 6:04 pm Post subject: |
|
|
Hello depontius,
I already read through wikis explaining grsecurity and enabled most of it. Only problem was TPE; in the meantime I also read about trusted path execution wiki so I now will focus on selinux.
I am trying to understand and learn this concepts as I want to have a hardened vps.
My first problem to solve after having gone through the wiki of selinux is to enable my useraccount to ssh with keybased authentication. I can "locally" login via VNC, but I cannot connect to vps through ssh in strict mode.
I guess, I will do some more reading on selinux. If someone could help me with best practice to ssh to my client, this would be a nice learning example |
|
| Back to top |
|
|
|
Networking & Security
