Hi!
On Tue, Feb 14, 2006 at 05:56:38PM +0800, Ow Mun Heng wrote:
> ps : hardenend-sources config sample anyone?
Millar already sent one. Personally I prefer for comparison more "visual"
representation of kernel config. Sorry if my message is pure example of
"how to not answer questions in maillists". :)
In my configuration enabled all security options except:
1) a couple of options making protection more weak (for compatibility) :)
2) Disallow ELF text relocations
AFAIK with this option a lot of software will not work... :(
3) Enforce non-executable kernel pages
Disabled only at home workstation (for VMware), on my servers it's
enabled.
4) Disable privileged I/O
Again, disabled only at home (for Xorg).
5) Runtime module disabling
Enabled only at home, because my servers has disabled loadable
modules support at all.
6) Trusted Path Execution (TPE)
Just a feature, I don't need it now.
7) Socket restrictions
Just a feature, I don't need it now.
So, here config details for my home and my servers (2.6.14-hardened-r5):
PaX --->
[*] Enable various PaX features
PaX Control --->
[ ] Support soft mode
[*] Use legacy ELF header marking
[*] Use ELF program header marking
MAC system integration (none) --->
Non-executable pages --->
[*] Enforce non-executable pages
[ ] Paging based non-executable pages
[*] Segmentation based non-executable pages
[ ] Emulate trampolines
[*] Restrict mprotect()
[ ] Disallow ELF text relocations
> home [ ] Enforce non-executable kernel pages
> server [*] Enforce non-executable kernel pages
Address Space Layout Randomization --->
[*] Address Space Layout Randomization
[*] Randomize kernel stack base
[*] Randomize user stack base
[*] Randomize mmap() base
--- Disable the vsyscall page
Grsecurity --->
[*] Grsecurity
Security Level (Custom) --->
Address Space Protection --->
[*] Deny writing to /dev/kmem, /dev/mem, and /dev/port
> home [ ] Disable privileged I/O
> server [*] Disable privileged I/O
[*] Remove addresses from /proc/<pid>/[smaps|maps|stat]
[*] Deter exploit bruteforcing
> home [*] Runtime module disabling
> server ----------------------------
[*] Hide kernel symbols
Role Based Access Control Options --->
[*] Hide kernel processes
(3) Maximum tries before password lockout
(30) Time to wait after max password tries, in seconds
Filesystem Protections --->
[*] Proc restrictions
[*] Restrict /proc to user only
[*] Additional restrictions
[*] Linking restrictions
[*] FIFO restrictions
[*] Chroot jail restrictions
[*] Deny mounts
[*] Deny double-chroots
[*] Deny pivot_root in chroot
[*] Enforce chdir("/") on all chroots
[*] Deny (f)chmod +s
[*] Deny fchdir out of chroot
[*] Deny mknod
[*] Deny shmat() out of chroot
[*] Deny access to abstract AF_UNIX sockets out of chroot
[*] Protect outside processes
[*] Restrict priority changes
[*] Deny sysctl writes
[*] Capability restrictions
Kernel Auditing --->
[ ] Single group for auditing
[ ] Exec logging
[*] Resource logging
[ ] Log execs within chroot
[ ] Chdir logging
[*] (Un)Mount logging
[ ] IPC logging
[*] Signal logging
[*] Fork failure logging
[ ] Time change logging
[*] /proc/<pid>/ipaddr support
[ ] ELF text relocations logging (READ HELP)
Executable Protections --->
[*] Enforce RLIMIT_NPROC on execs
[*] Destroy unused shared memory
[*] Dmesg(8) restriction
[*] Randomized PIDs
[ ] Trusted Path Execution (TPE)
Network Protections --->
[*] Larger entropy pools
[*] Randomized TCP source ports
[ ] Socket restrictions
Sysctl support --->
[*] Sysctl support
[*] Turn on features by default
Logging Options --->
(10) Seconds in between log messages (minimum)
(4) Number of messages in a burst (maximum)
Also, at the end of /etc/sysctl.conf:
home:
---cut---
kernel.grsecurity.disable_modules = 1
kernel.grsecurity.grsec_lock = 1
---cut---
servers:
---cut---
kernel.grsecurity.grsec_lock = 1
---cut---
--
WBR, Alex.
--
[email protected] mailing list