Hi!

On Tue, Feb 14, 2006 at 05:56:38PM +0800, Ow Mun Heng wrote:
> ps : hardenend-sources config sample anyone?

Millar already sent one. Personally I prefer for comparison more "visual"
representation of kernel config. Sorry if my message is pure example of
"how to not answer questions in maillists". :)

In my configuration enabled all security options except:
1) a couple of options making protection more weak (for compatibility) :)
2) Disallow ELF text relocations
        AFAIK with this option a lot of software will not work... :(
3) Enforce non-executable kernel pages
        Disabled only at home workstation (for VMware), on my servers it's
        enabled.
4) Disable privileged I/O
        Again, disabled only at home (for Xorg).
5) Runtime module disabling
        Enabled only at home, because my servers has disabled loadable
        modules support at all.
6) Trusted Path Execution (TPE)
        Just a feature, I don't need it now.
7) Socket restrictions
        Just a feature, I don't need it now.


So, here config details for my home and my servers (2.6.14-hardened-r5):

    PaX  --->
      [*] Enable various PaX features
            PaX Control  --->
              [ ] Support soft mode
              [*] Use legacy ELF header marking
              [*] Use ELF program header marking
                  MAC system integration (none)  --->
            Non-executable pages  --->
              [*] Enforce non-executable pages
              [ ]   Paging based non-executable pages
              [*]   Segmentation based non-executable pages
              [ ] Emulate trampolines
              [*] Restrict mprotect()
              [ ]   Disallow ELF text relocations
> home        [ ] Enforce non-executable kernel pages
> server      [*] Enforce non-executable kernel pages
            Address Space Layout Randomization  --->
              [*] Address Space Layout Randomization
              [*]   Randomize kernel stack base
              [*]   Randomize user stack base
              [*]   Randomize mmap() base
              ---   Disable the vsyscall page
    Grsecurity  --->
      [*] Grsecurity
            Security Level (Custom)  --->
            Address Space Protection  --->
              [*] Deny writing to /dev/kmem, /dev/mem, and /dev/port
> home        [ ] Disable privileged I/O
> server      [*] Disable privileged I/O
              [*] Remove addresses from /proc/<pid>/[smaps|maps|stat]
              [*] Deter exploit bruteforcing
> home        [*] Runtime module disabling
> server      ----------------------------
              [*] Hide kernel symbols
            Role Based Access Control Options  --->
              [*] Hide kernel processes
              (3) Maximum tries before password lockout
              (30) Time to wait after max password tries, in seconds
            Filesystem Protections  --->
              [*] Proc restrictions
              [*]   Restrict /proc to user only
              [*] Additional restrictions
              [*] Linking restrictions
              [*] FIFO restrictions
              [*] Chroot jail restrictions
              [*]   Deny mounts
              [*]   Deny double-chroots
              [*]   Deny pivot_root in chroot
              [*]   Enforce chdir("/") on all chroots
              [*]   Deny (f)chmod +s
              [*]   Deny fchdir out of chroot
              [*]   Deny mknod
              [*]   Deny shmat() out of chroot
              [*]   Deny access to abstract AF_UNIX sockets out of chroot
              [*]   Protect outside processes
              [*]   Restrict priority changes
              [*]   Deny sysctl writes
              [*]   Capability restrictions
            Kernel Auditing  --->
              [ ] Single group for auditing
              [ ] Exec logging
              [*] Resource logging
              [ ] Log execs within chroot
              [ ] Chdir logging
              [*] (Un)Mount logging
              [ ] IPC logging
              [*] Signal logging
              [*] Fork failure logging
              [ ] Time change logging
              [*] /proc/<pid>/ipaddr support
              [ ] ELF text relocations logging (READ HELP)
            Executable Protections  --->
              [*] Enforce RLIMIT_NPROC on execs
              [*] Destroy unused shared memory
              [*] Dmesg(8) restriction
              [*] Randomized PIDs
              [ ] Trusted Path Execution (TPE)
            Network Protections  --->
              [*] Larger entropy pools
              [*] Randomized TCP source ports
              [ ] Socket restrictions
            Sysctl support  --->
              [*] Sysctl support
              [*]   Turn on features by default
            Logging Options  --->
              (10) Seconds in between log messages (minimum)
              (4) Number of messages in a burst (maximum)


Also, at the end of /etc/sysctl.conf:
    home:
---cut---
kernel.grsecurity.disable_modules = 1
kernel.grsecurity.grsec_lock = 1
---cut---
    servers:
---cut---
kernel.grsecurity.grsec_lock = 1
---cut---

-- 
                        WBR, Alex.
-- 
[email protected] mailing list

Reply via email to