| View previous topic :: View next topic |
| Author |
Message |
miroR
l33t
Joined: 05 Mar 2008
Posts: 826
|
 Posted: Mon Jun 09, 2014 8:30 pm Post subject: Grsecurity configuration and install, for non-experts |
 |
|
This post, and it's an exception, I don't delete my posts, could probably be deleted (just the post, not the topic, the topic I might only rename, if the qualm that I have is solved quickly, either by competent advice here, or on Grsecurity Forums
I'm delivering, with some obstacles, to what I promised here:
Uninstalling dbus and *kits (to Unfacilitate Remote Seats)
https://forums.gentoo.org/viewtopic-t-992146-postdays-0-postorder-asc-start-50.html#7565530
I fear (because I was burned), possible copyright issues if I simply quote from:
Developer Raps Linux Security
http://www.crmbuyer.com/story/39565.html
So, since I post on Grsecurity Forums, I have asked there for opinions.
You can read, although it is unfinished, there, what I plan to post here.
And you can give opinion on it as well.
But opinions that I ask for, are for people who can advise on copyright issues.
WARNING: I can't pay. No money here.
Pls. read my precise request for opinion here:
Tips on Grsecurity installation for Gentoo newbies
https://forums.grsecurity.net/viewtopic.php?f=3&t=3974&p=14061
Miroslav Rovis
www.CroatiaFidelis.hr |
|
| Back to top |
|
 |
miroR
l33t
Joined: 05 Mar 2008
Posts: 826
|
| Posted: Mon Jun 09, 2014 11:16 pm Post subject: |
|
|
This post is a placeholder.
If the copyright issues are solved favorably for us to speak freely, then what you can currently see here:
Tips on Grsecurity installation for Gentoo newbies
https://forums.grsecurity.net/viewtopic.php?f=3&t=3974&p=14061#p14061
will be posted here.
I have to just use the opportunity to say how burned I was, for which reason I am wary:
Here:
Really? The Surveillance Engine Terminated All My Videos
http://forums.debian.net/viewtopic.php?f=3&t=113059
and see how you can be disappeared from the internet with five years of your work. |
|
| Back to top |
|
|
miroR
l33t
Joined: 05 Mar 2008
Posts: 826
|
| Posted: Mon Jun 09, 2014 11:19 pm Post subject: |
|
|
Pls. read the previous post, and wherever the introduction ended up to be, there on the site of the author of those words, the Spender's Grsecurity Forums, or in the previous post to this.
It is a necessary read if you want to know the status of the GNU/Linux's security that hasn't improved for the last ten (10) years for the users "as a whole" (Spender used that sintagma, for the time then being only).
I will here give you screenshots of what my Grsecurity in Hardened Gentoo sources will produce.
You are most comfortable following my instructions by installing hardened sources as peviously explained, cd'in into the directory of the new kernel (if you have diffuculty understanding type 'kernel' in Gentoo wiki, read there, and come back) and issuing:
It is customary to call these sets of patches just Grsecurity, but they are actually Grsecurity/Pax, and it's two main authors behind this twin project, Spender the main author for the Grsecurity proper and Pax Team, a Hungarian (to my understanding) genius whose name is not publically known to the world, who is the main author of Pax.
So pls. just bear in mind it's a twin program. We will call it just Grsecurity for reasons of simplicity. And also it is a unique patch, not two patches to apply to a particular kernel (for those who might venture patching and installing Grsecurity from vanilla kernel), one distintive patch that comprises both the programs.
This is what opens for you:
| Code: |
.config - Linux/x86 3.14.4-hardened-r1 Kernel Configuration
───────────────────────────────────────────────────────────────────────────────────
┌───────────── Linux/x86 3.14.4-hardened-r1 Kernel Configuration ──────────────┐
│ Arrow keys navigate the menu. <Enter> selects submenus ---> (or empty │
│ submenus ----). Highlighted letters are hotkeys. Pressing <Y> includes, │
│ <N> excludes, <M> modularizes features. Press <Esc><Esc> to exit, <?> for │
│ Help, </> for Search. Legend: [*] built-in [ ] excluded <M> module < > │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ [*] 64-bit kernel (NEW) │ │
│ │ General setup ---> │ │
│ │ [ ] Provide system-wide ring of trusted keys (NEW) │ │
│ │ [*] Enable loadable module support ---> │ │
│ │ -*- Enable the block layer ---> │ │
│ │ Processor type and features ---> │ │
│ │ Power management and ACPI options ---> │ │
│ │ Bus options (PCI etc.) ---> │ │
│ │ Executable file formats / Emulations ---> │ │
│ │ [*] Networking support ---> │ │
│ │ Device Drivers ---> │ │
│ │ Firmware Drivers ---> │ │
│ │ File systems ---> │ │
│ │ Kernel hacking ---> │ │
│ │ Security options ---> │ │
│ │ -*- Cryptographic API ---> │ │
│ │ [*] Virtualization (NEW) ---> │ │
│ │ Library routines ---> │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────────────────────┤
│ <Select> < Exit > < Help > < Save > < Load > │
└──────────────────────────────────────────────────────────────────────────────┘
|
See the Security options 4th line from bottom? OK.
The following screen is what you get when you hit Enter after having used Down Arrow or Up Arrow to select it:
(oh, pls. notice that the kind of Address Bar on top, second line, as well as subtitle in midscreen on top, tells you the same "Security option" name of the section)
| Code: |
.config - Linux/x86 3.14.4-hardened-r1 Kernel Configuration
→ Security options ────────────────────────────────────────────────────────────────
┌────────────────────────────── Security options ──────────────────────────────┐
│ Arrow keys navigate the menu. <Enter> selects submenus ---> (or empty │
│ submenus ----). Highlighted letters are hotkeys. Pressing <Y> includes, │
│ <N> excludes, <M> modularizes features. Press <Esc><Esc> to exit, <?> for │
│ Help, </> for Search. Legend: [*] built-in [ ] excluded <M> module < > │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ Grsecurity ---> │ │
│ │ -*- Enable access key retention support │ │
│ │ [ ] Enable register of persistent per-UID keyrings (NEW) │ │
│ │ [ ] Large payload keys (NEW) │ │
│ │ < > ENCRYPTED KEYS (NEW) │ │
│ │ [*] Enable the /proc/keys file by which keys may be viewed │ │
│ │ [ ] Restrict unprivileged access to the kernel syslog (NEW) │ │
│ │ [*] Enable different security models │ │
│ │ [ ] Enable the securityfs filesystem (NEW) │ │
│ │ [*] Socket and Networking Security Hooks │ │
│ │ [ ] XFRM (IPSec) Networking Security Hooks (NEW) │ │
│ │ [ ] Security hooks for pathname based access control (NEW) │ │
│ │ [ ] Enable Intel(R) Trusted Execution Technology (Intel(R) TXT) (NEW) │ │
│ │ (65536) Low address space for LSM to protect from user allocation (NEW│ │
│ │ [*] NSA SELinux Support │ │
│ │ [*] NSA SELinux boot parameter │ │
│ │ (1) NSA SELinux boot parameter default value (NEW) │ │
│ │ [*] NSA SELinux runtime disable │ │
│ │ [*] NSA SELinux Development Support (NEW) │ │
│ │ [*] NSA SELinux AVC Statistics (NEW) │ │
│ │ (1) NSA SELinux checkreqprot default value (NEW) │ │
│ │ [ ] NSA SELinux maximum supported policy format version (NEW) │ │
│ │ [ ] Simplified Mandatory Access Control Kernel Support (NEW) │ │
│ │ [ ] TOMOYO Linux Support (NEW) │ │
│ │ [ ] AppArmor support (NEW) │ │
│ │ [ ] Yama support (NEW) │ │
│ │ [ ] Integrity Measurement Architecture(IMA) (NEW) │ │
│ │ [ ] EVM support (NEW) │ │
│ │ Default security module (SELinux) ---> │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────────────────────┤
│ <Select> < Exit > < Help > < Save > < Load > │
└──────────────────────────────────────────────────────────────────────────────┘
|
So the first of all things to do, is rid yourself ot the surveillance-enabler on you, to be able to select and configure the privacy-enabler for you.
Make those disappear from your configuration:
Selecting and disabling just this one option:
| Code: |
│ │ [ ] Enable different security models │
|
will do that for you.
So that same screen must now look like this for you:
| Code: |
.config - Linux/x86 3.14.4-hardened-r1 Kernel Configuration
→ Security options ────────────────────────────────────────────────────────────────
┌────────────────────────────── Security options ──────────────────────────────┐
│ Arrow keys navigate the menu. <Enter> selects submenus ---> (or empty │
│ submenus ----). Highlighted letters are hotkeys. Pressing <Y> includes, │
│ <N> excludes, <M> modularizes features. Press <Esc><Esc> to exit, <?> for │
│ Help, </> for Search. Legend: [*] built-in [ ] excluded <M> module < > │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ Grsecurity ---> │ │
│ │ -*- Enable access key retention support │ │
│ │ [ ] Enable register of persistent per-UID keyrings (NEW) │ │
│ │ [ ] Large payload keys (NEW) │ │
│ │ < > ENCRYPTED KEYS (NEW) │ │
│ │ [*] Enable the /proc/keys file by which keys may be viewed │ │
│ │ [ ] Restrict unprivileged access to the kernel syslog (NEW) │ │
│ │ [ ] Enable different security models │ │
│ │ [ ] Enable the securityfs filesystem (NEW) │ │
│ │ [ ] Enable Intel(R) Trusted Execution Technology (Intel(R) TXT) (NEW) │ │
│ │ Default security module (Unix Discretionary Access Controls) --->│ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────────────────────┤
│ <Select> < Exit > < Help > < Save > < Load > │
└──────────────────────────────────────────────────────────────────────────────┘
|
| Code: |
.config - Linux/x86 3.14.4-hardened-r1 Kernel Configuration
→ Security options → Grsecurity ───────────────────────────────────────────────────
┌───────────────────────────────── Grsecurity ─────────────────────────────────┐
│ Arrow keys navigate the menu. <Enter> selects submenus ---> (or empty │
│ submenus ----). Highlighted letters are hotkeys. Pressing <Y> includes, │
│ <N> excludes, <M> modularizes features. Press <Esc><Esc> to exit, <?> for │
│ Help, </> for Search. Legend: [*] built-in [ ] excluded <M> module < > │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ [ ] Grsecurity (NEW) │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────────────────────┤
│ <Select> < Exit > < Help > < Save > < Load > │
└──────────────────────────────────────────────────────────────────────────────┘
|
| Code: |
.config - Linux/x86 3.14.4-hardened-r1 Kernel Configuration
→ Security options → Grsecurity ───────────────────────────────────────────────────
┌───────────────────────────────── Grsecurity ─────────────────────────────────┐
│ Arrow keys navigate the menu. <Enter> selects submenus ---> (or empty │
│ submenus ----). Highlighted letters are hotkeys. Pressing <Y> includes, │
│ <N> excludes, <M> modularizes features. Press <Esc><Esc> to exit, <?> for │
│ Help, </> for Search. Legend: [*] built-in [ ] excluded <M> module < > │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ [*] Grsecurity │ │
│ │ Configuration Method (Custom) ---> │ │
│ │ Customize Configuration ---> │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────────────────────┤
│ <Select> < Exit > < Help > < Save > < Load > │
└──────────────────────────────────────────────────────────────────────────────┘
|
I bet you understood without me telling you more on this.
And I won't speak anymore (for the most part next).
I'll post my configuration, so bigger boys and girls than me could help me improve it, and along the way, for newbies to have a reference of what might work for their systems.
I really really don't guarantee anything. I'm just somewhat advanced user, not certainly an expert. Use my configuration at your own risk.
| Code: |
.config - Linux/x86 3.14.4-hardened-r1 Kernel Configuration
→ Security options → Grsecurity ───────────────────────────────────────────────────
┌──────────────────── Configuration Method ─────────────────────┐
│ Use the arrow keys to navigate this window or press the │
│ hotkey of the item you wish to select followed by the <SPACE │
│ BAR>. Press <?> for additional information about this │
│ ┌───────────────────────────────────────────────────────────┐ │
│ │ ( ) Automatic │ │
│ │ (X) Custom │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └───────────────────────────────────────────────────────────┘ │
├───────────────────────────────────────────────────────────────┤
│ <Select> < Help > │
└───────────────────────────────────────────────────────────────┘
|
| Code: |
.config - Linux/x86 3.14.4-hardened-r1 Kernel Configuration
→ Security options → Grsecurity → Customize Configuration ─────────────────────────
┌────────────────────────── Customize Configuration ───────────────────────────┐
│ Arrow keys navigate the menu. <Enter> selects submenus ---> (or empty │
│ submenus ----). Highlighted letters are hotkeys. Pressing <Y> includes, │
│ <N> excludes, <M> modularizes features. Press <Esc><Esc> to exit, <?> for │
│ Help, </> for Search. Legend: [*] built-in [ ] excluded <M> module < > │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ PaX ---> │ │
│ │ Memory Protections ---> │ │
│ │ Role Based Access Control Options ---> │ │
│ │ Filesystem Protections ---> │ │
│ │ Kernel Auditing ---> │ │
│ │ Executable Protections ---> │ │
│ │ Network Protections ---> │ │
│ │ Physical Protections ---> │ │
│ │ Sysctl Support ---> │ │
│ │ Logging Options ---> │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────────────────────┤
│ <Select> < Exit > < Help > < Save > < Load > │
└──────────────────────────────────────────────────────────────────────────────┘
|
| Code: |
.config - Linux/x86 3.14.4-hardened-r1 Kernel Configuration
→ Security options → Grsecurity → Customize Configuration → PaX ───────────────────
┌──────────────────────────────────── PaX ─────────────────────────────────────┐
│ Arrow keys navigate the menu. <Enter> selects submenus ---> (or empty │
│ submenus ----). Highlighted letters are hotkeys. Pressing <Y> includes, │
│ <N> excludes, <M> modularizes features. Press <Esc><Esc> to exit, <?> for │
│ Help, </> for Search. Legend: [*] built-in [ ] excluded <M> module < > │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ [*] Enable various PaX features │ │
│ │ PaX Control ---> │ │
│ │ Non-executable pages ---> │ │
│ │ Address Space Layout Randomization ---> │ │
│ │ Miscellaneous hardening features ---> │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────────────────────┤
│ <Select> < Exit > < Help > < Save > < Load > │
└──────────────────────────────────────────────────────────────────────────────┘
|
| Code: |
.config - Linux/x86 3.14.4-hardened-r1 Kernel Configuration
→ Security options → Grsecurity → Customize Configuration → PaX → PaX Control ─────
┌──────────────────────────────── PaX Control ─────────────────────────────────┐
│ Arrow keys navigate the menu. <Enter> selects submenus ---> (or empty │
│ submenus ----). Highlighted letters are hotkeys. Pressing <Y> includes, │
│ <N> excludes, <M> modularizes features. Press <Esc><Esc> to exit, <?> for │
│ Help, </> for Search. Legend: [*] built-in [ ] excluded <M> module < > │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ [ ] Support soft mode (NEW) │ │
│ │ [*] Use ELF program header marking │ │
│ │ [ ] Use filesystem extended attributes marking (NEW) │ │
│ │ MAC system integration (none) ---> │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────────────────────┤
│ <Select> < Exit > < Help > < Save > < Load > │
└──────────────────────────────────────────────────────────────────────────────┘
|
| Code: |
.config - Linux/x86 3.14.4-hardened-r1 Kernel Configuration
→ Security options → Grsecurity → Customize Configuration → PaX → PaX Control ─────
┌─────────────────── MAC system integration ────────────────────┐
│ Use the arrow keys to navigate this window or press the │
│ hotkey of the item you wish to select followed by the <SPACE │
│ BAR>. Press <?> for additional information about this │
│ ┌───────────────────────────────────────────────────────────┐ │
│ │ (X) none │ │
│ │ ( ) direct │ │
│ │ ( ) hook │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └───────────────────────────────────────────────────────────┘ │
├───────────────────────────────────────────────────────────────┤
│ <Select> < Help > │
└───────────────────────────────────────────────────────────────┘
|
| Code: |
.config - Linux/x86 3.14.4-hardened-r1 Kernel Configuration
[...] options → Grsecurity → Customize Configuration → PaX → Non-executable pages
┌──────────────────────────── Non-executable pages ────────────────────────────┐
│ Arrow keys navigate the menu. <Enter> selects submenus ---> (or empty │
│ submenus ----). Highlighted letters are hotkeys. Pressing <Y> includes, │
│ <N> excludes, <M> modularizes features. Press <Esc><Esc> to exit, <?> for │
│ Help, </> for Search. Legend: [*] built-in [ ] excluded <M> module < > │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ [*] Enforce non-executable pages │ │
│ │ [*] Paging based non-executable pages │ │
│ │ [*] Emulate trampolines (NEW) │ │
│ │ [*] Restrict mprotect() │ │
│ │ [ ] Use legacy/compat protection demoting (read help) (NEW) │ │
│ │ [ ] Allow ELF text relocations (read help) (NEW) │ │
│ │ [ ] Enforce non-executable kernel pages (NEW) │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────────────────────┤
│ <Select> < Exit > < Help > < Save > < Load > │
└──────────────────────────────────────────────────────────────────────────────┘
|
| Code: |
.config - Linux/x86 3.14.4-hardened-r1 Kernel Configuration
[...] ecurity → Customize Configuration → PaX → Address Space Layout Randomization
┌───────────────────── Address Space Layout Randomization ─────────────────────┐
│ Arrow keys navigate the menu. <Enter> selects submenus ---> (or empty │
│ submenus ----). Highlighted letters are hotkeys. Pressing <Y> includes, │
│ <N> excludes, <M> modularizes features. Press <Esc><Esc> to exit, <?> for │
│ Help, </> for Search. Legend: [*] built-in [ ] excluded <M> module < > │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ [*] Address Space Layout Randomization │ │
│ │ [*] Randomize kernel stack base │ │
│ │ [*] Randomize user stack base │ │
│ │ [*] Randomize mmap() base │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────────────────────┤
│ <Select> < Exit > < Help > < Save > < Load > │
└──────────────────────────────────────────────────────────────────────────────┘
|
Continues in next post. |
|
| Back to top |
|
|
miroR
l33t
Joined: 05 Mar 2008
Posts: 826
|
| Posted: Mon Jun 09, 2014 11:25 pm Post subject: |
|
|
| Code: |
.config - Linux/x86 3.14.4-hardened-r1 Kernel Configuration
[...] rsecurity → Customize Configuration → PaX → Miscellaneous hardening features
┌────────────────────── Miscellaneous hardening features ──────────────────────┐
│ Arrow keys navigate the menu. <Enter> selects submenus ---> (or empty │
│ submenus ----). Highlighted letters are hotkeys. Pressing <Y> includes, │
│ <N> excludes, <M> modularizes features. Press <Esc><Esc> to exit, <?> for │
│ Help, </> for Search. Legend: [*] built-in [ ] excluded <M> module < > │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ [*] Sanitize all freed memory │ │
│ │ [*] Sanitize kernel stack │ │
│ │ [*] Forcibly initialize local variables copied to userland │ │
│ │ [*] Prevent invalid userland pointer dereference │ │
│ │ [*] Prevent various kernel object reference counter overflows │ │
│ │ [*] Harden heap object copies between kernel and userland │ │
│ │ [*] Prevent various integer overflows in function size parameters │ │
│ │ [ ] Generate some entropy during boot and runtime (NEW) │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────────────────────┤
│ <Select> < Exit > < Help > < Save > < Load > │
└──────────────────────────────────────────────────────────────────────────────┘
|
| Code: |
.config - Linux/x86 3.14.4-hardened-r1 Kernel Configuration
→ Security options → Grsecurity → Customize Configuration → Memory Protections ────
┌───────────────────────────── Memory Protections ─────────────────────────────┐
│ Arrow keys navigate the menu. <Enter> selects submenus ---> (or empty │
│ submenus ----). Highlighted letters are hotkeys. Pressing <Y> includes, │
│ <N> excludes, <M> modularizes features. Press <Esc><Esc> to exit, <?> for │
│ Help, </> for Search. Legend: [*] built-in [ ] excluded <M> module < > │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ [*] Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port │ │
│ │ [ ] Disable privileged I/O (NEW) │ │
│ │ [*] Disable unprivileged PERF_EVENTS usage by default │ │
│ │ [ ] Insert random gaps between thread stacks (NEW) │ │
│ │ [*] Harden ASLR against information leaks and entropy reduction (NEW) │ │
│ │ [*] Deter exploit bruteforcing │ │
│ │ [*] Harden module auto-loading │ │
│ │ [*] Hide kernel symbols │ │
│ │ [ ] Randomize layout of sensitive kernel structures (NEW) │ │
│ │ [*] Active kernel exploit response │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────────────────────┤
│ <Select> < Exit > < Help > < Save > < Load > │
└──────────────────────────────────────────────────────────────────────────────┘
|
| Code: |
.config - Linux/x86 3.14.4-hardened-r1 Kernel Configuration
[...] s → Grsecurity → Customize Configuration → Role Based Access Control Options
┌───────────────────── Role Based Access Control Options ──────────────────────┐
│ Arrow keys navigate the menu. <Enter> selects submenus ---> (or empty │
│ submenus ----). Highlighted letters are hotkeys. Pressing <Y> includes, │
│ <N> excludes, <M> modularizes features. Press <Esc><Esc> to exit, <?> for │
│ Help, </> for Search. Legend: [*] built-in [ ] excluded <M> module < > │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ [ ] Disable RBAC system (NEW) │ │
│ │ [*] Hide kernel processes │ │
│ │ (3) Maximum tries before password lockout (NEW) │ │
│ │ (30) Time to wait after max password tries, in seconds (NEW) │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────────────────────┤
│ <Select> < Exit > < Help > < Save > < Load > │
└──────────────────────────────────────────────────────────────────────────────┘
|
| Code: |
.config - Linux/x86 3.14.4-hardened-r1 Kernel Configuration
→ Security options → Grsecurity → Customize Configuration → Filesystem Protections
┌─────────────────────────── Filesystem Protections ───────────────────────────┐
│ Arrow keys navigate the menu. <Enter> selects submenus ---> (or empty │
│ submenus ----). Highlighted letters are hotkeys. Pressing <Y> includes, │
│ <N> excludes, <M> modularizes features. Press <Esc><Esc> to exit, <?> for │
│ Help, </> for Search. Legend: [*] built-in [ ] excluded <M> module < > │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ [*] Proc restrictions │ │
│ │ [ ] Restrict /proc to user only (NEW) │ │
│ │ [ ] Allow special group (NEW) │ │
│ │ [*] Linking restrictions │ │
│ │ [ ] Kernel-enforced SymlinksIfOwnerMatch (NEW) │ │
│ │ [*] FIFO restrictions │ │
│ │ [*] Sysfs/debugfs restriction │ │
│ │ [ ] Runtime read-only mount protection (NEW) │ │
│ │ [ ] Eliminate stat/notify-based device sidechannels (NEW) │ │
│ │ [*] Chroot jail restrictions │ │
│ │ [*] Deny mounts │ │
│ │ [*] Deny double-chroots │ │
│ │ [*] Deny pivot_root in chroot │ │
│ │ [*] Enforce chdir("/") on all chroots │ │
│ │ [*] Deny (f)chmod +s │ │
│ │ [*] Deny fchdir out of chroot │ │
│ │ [*] Deny mknod │ │
│ │ [*] Deny shmat() out of chroot │ │
│ │ [*] Deny access to abstract AF_UNIX sockets out of chroot │ │
│ │ [*] Protect outside processes │ │
│ │ [*] Restrict priority changes │ │
│ │ [*] Deny sysctl writes │ │
│ │ [*] Capability restrictions │ │
│ │ [ ] Exempt initrd tasks from restrictions (NEW) │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────────────────────┤
│ <Select> < Exit > < Help > < Save > < Load > │
└──────────────────────────────────────────────────────────────────────────────┘
|
| Code: |
.config - Linux/x86 3.14.4-hardened-r1 Kernel Configuration
→ Security options → Grsecurity → Customize Configuration → Kernel Auditing ───────
┌────────────────────────────── Kernel Auditing ───────────────────────────────┐
│ Arrow keys navigate the menu. <Enter> selects submenus ---> (or empty │
│ submenus ----). Highlighted letters are hotkeys. Pressing <Y> includes, │
│ <N> excludes, <M> modularizes features. Press <Esc><Esc> to exit, <?> for │
│ Help, </> for Search. Legend: [*] built-in [ ] excluded <M> module < > │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ [ ] Single group for auditing (NEW) │ │
│ │ [ ] Exec logging │ │
│ │ [*] Resource logging │ │
│ │ [*] Log execs within chroot │ │
│ │ [*] Ptrace logging │ │
│ │ [*] Chdir logging │ │
│ │ [*] (Un)Mount logging │ │
│ │ [*] Signal logging │ │
│ │ [*] Fork failure logging │ │
│ │ [*] Time change logging │ │
│ │ [*] /proc/<pid>/ipaddr support │ │
│ │ [*] Denied RWX mmap/mprotect logging │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────────────────────┤
│ <Select> < Exit > < Help > < Save > < Load > │
└──────────────────────────────────────────────────────────────────────────────┘
|
I kept quiet for the most part, didn't I. Now I have to tell you that I actually have:
| Code: |
│ │ [*] Exec logging │ │
|
enabled, and you can see it in action in my post:
Uninstalling dbus and *kits (to Unfacilitate Remote Seats)
https://forums.gentoo.org/viewtopic-t-992146-postdays-0-postorder-asc-start-50.html#7564068
You can enable it too, just, then it is better that you make sure you know how to disable it, for which you need to understand what is said under "Sysctl Support" (in the help, which you get by hitting ? and then Enter with options first Sysctl support and then also Turn on features by default selected), which we will enable too.
| Code: |
.config - Linux/x86 3.14.4-hardened-r1 Kernel Configuration
→ Security options → Grsecurity → Customize Configuration → Executable Protections
┌─────────────────────────── Executable Protections ───────────────────────────┐
│ Arrow keys navigate the menu. <Enter> selects submenus ---> (or empty │
│ submenus ----). Highlighted letters are hotkeys. Pressing <Y> includes, │
│ <N> excludes, <M> modularizes features. Press <Esc><Esc> to exit, <?> for │
│ Help, </> for Search. Legend: [*] built-in [ ] excluded <M> module < > │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ [*] Dmesg(8) restriction │ │
│ │ [*] Deter ptrace-based process snooping │ │
│ │ [ ] Require read access to ptrace sensitive binaries (NEW) │ │
│ │ [*] Enforce consistent multithreaded privileges │ │
│ │ [*] Disallow access to overly-permissive IPC objects │ │
│ │ [ ] Trusted Path Execution (TPE) (NEW) │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────────────────────┤
│ <Select> < Exit > < Help > < Save > < Load > │
└──────────────────────────────────────────────────────────────────────────────┘
|
| Code: |
.config - Linux/x86 3.14.4-hardened-r1 Kernel Configuration
→ Security options → Grsecurity → Customize Configuration → Network Protections ───
┌──────────────────────────── Network Protections ─────────────────────────────┐
│ Arrow keys navigate the menu. <Enter> selects submenus ---> (or empty │
│ submenus ----). Highlighted letters are hotkeys. Pressing <Y> includes, │
│ <N> excludes, <M> modularizes features. Press <Esc><Esc> to exit, <?> for │
│ Help, </> for Search. Legend: [*] built-in [ ] excluded <M> module < > │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ [*] Larger entropy pools │ │
│ │ [*] TCP/UDP blackhole and LAST_ACK DoS prevention │ │
│ │ [*] Disable TCP Simultaneous Connect │ │
│ │ [ ] Socket restrictions (NEW) │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────────────────────┤
│ <Select> < Exit > < Help > < Save > < Load > │
└──────────────────────────────────────────────────────────────────────────────┘
|
| Code: |
.config - Linux/x86 3.14.4-hardened-r1 Kernel Configuration
→ Security options → Grsecurity → Customize Configuration → Physical Protections ──
┌──────────────────────────── Physical Protections ────────────────────────────┐
│ Arrow keys navigate the menu. <Enter> selects submenus ---> (or empty │
│ submenus ----). Highlighted letters are hotkeys. Pressing <Y> includes, │
│ <N> excludes, <M> modularizes features. Press <Esc><Esc> to exit, <?> for │
│ Help, </> for Search. Legend: [*] built-in [ ] excluded <M> module < > │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ [ ] Deny new USB connections after toggle (NEW) │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────────────────────┤
│ <Select> < Exit > < Help > < Save > < Load > │
└──────────────────────────────────────────────────────────────────────────────┘
|
| Code: |
.config - Linux/x86 3.14.4-hardened-r1 Kernel Configuration
→ Security options → Grsecurity → Customize Configuration → Sysctl Support ────────
┌─────────────────────────────── Sysctl Support ───────────────────────────────┐
│ Arrow keys navigate the menu. <Enter> selects submenus ---> (or empty │
│ submenus ----). Highlighted letters are hotkeys. Pressing <Y> includes, │
│ <N> excludes, <M> modularizes features. Press <Esc><Esc> to exit, <?> for │
│ Help, </> for Search. Legend: [*] built-in [ ] excluded <M> module < > │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ [*] Sysctl support │ │
│ │ [*] Turn on features by default │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────────────────────┤
│ <Select> < Exit > < Help > < Save > < Load > │
└──────────────────────────────────────────────────────────────────────────────┘
|
Here click Enter to read help on these topics, if you enabled Exec Logging.
| Code: |
.config - Linux/x86 3.14.4-hardened-r1 Kernel Configuration
→ Security options → Grsecurity → Customize Configuration → Logging Options ───────
┌────────────────────────────── Logging Options ───────────────────────────────┐
│ Arrow keys navigate the menu. <Enter> selects submenus ---> (or empty │
│ submenus ----). Highlighted letters are hotkeys. Pressing <Y> includes, │
│ <N> excludes, <M> modularizes features. Press <Esc><Esc> to exit, <?> for │
│ Help, </> for Search. Legend: [*] built-in [ ] excluded <M> module < > │
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ (10) Seconds in between log messages (minimum) (NEW) │ │
│ │ (6) Number of messages in a burst (maximum) (NEW) │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────────────────────┤
│ <Select> < Exit > < Help > < Save > < Load > │
└──────────────────────────────────────────────────────────────────────────────┘
|
That's all.
I'll post these as they are. Exactly if you set your urxvt (which I use) or konsole or lxde-terminal or console to 85x49 (got these numbers by chance, but they fit nicely into Gentoo Forums posts).
Pls. take note, that if you are a complete beginners, you will have issues and things to solve, yet.
I recommend Grsecurity Forums for that purpose in things more purely Grsecurity, and here for more general Gentoo side issues.There is documentation, abundant, although not in all aspects easy for beginners, at Gentoo Wiki, and other places.
Miroslav Rovis
www.CroatiaFidelis.hr |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
