getting started with grsecurity
GrSecurity | Hardening Two 2016 Francesco Pira (fpira.com)
A set of patches to harden your Linux kernel
What is
• set of kernel patches
• grsecurity itself, PaX, TPE
• MAC tool with RBAC based on ACL
• gradm, utility to manage the RBAC
• PaX (memory protection)
• paxctld, daemon to manage PaX
Development timeline
• First lines back in 2000/2001
• Still in active development
• Testing is open source
• Stable went closed source last year
• PaX developers collaborate with grsecurity but are a separate team
• PaX is still open source!
Hardening Two June 13, 2016 Francesco Pira (fpira.com)
Keywords
• roles, as a higher abstraction of users
• subjects, as an abstraction of executables
• objects, as an abstraction of system resources
• policy, as a set of rules (usually system-wide)
• domains, which combine roles of different groups together
• the policy defines the behaviour of roles / subjects / objects
How it works
• object is a system resource or capability
• subject is an executable (it accesses objects)
• admin is the new root (root is treated as compromised)
• domains to combine roles and groups together
• path-based ACL, deeper path = higher priority
• hierarchies (user -> group -> default and path-based)
Features
• double authentication (via password for grsec admin and shutdown roles)
• system capabilities limitations
• default is deny-all (no rule means no execution)
• learning mode is available, full or per-process
• kernel auditing
• improved file-system and chroot() security
• Trusted Path Execution (TPE)
• kernel and userspace memory protection
• customize before compile (via menuconfig)
• underneath, settings are edited via sysctl
How it works (diagram slide)
Installation
1. download Linux kernel sources
2. download grsecurity patch for your kernel
3. verify files, unzip and patch
4. customise with menuconfig
5. compile and install
6. install dependencies, gradm, paxctld
Post-installation
1. Set a password for basic roles
• admin
• shutdown
2. start the first learning mode (gradm -F -L /etc/grsec/learning.logs)
3. use the system normally (do not perform bad actions!)
4. check file output (/etc/grsec/learning.logs)
5. apply output file as policy (gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy)
6. enable grsec (gradm -E)
Usage
• gradm -S to check the status
• gradm -E to enable, gradm -D to disable
• gradm -C for policy control
• gradm -a [role] to login into a role
• gradm -u to logout
• gradm -F -L /etc/grsec/learning.logs, for learning mode
• … -O /etc/grsec/policy to apply learned rules
A policy excerpt
```
# Role: utentex
subject /usr/lib/firefox/firefox o {
    /                               h
    /home/utentex                   r
    /home/utentex/Downloads         rwxcd
    /home/utentex/cartellasegreta   h
}
```
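The excerpt is easier to reason about when the resolution rules from the "How it works" and "Features" slides are applied to concrete requests: the deepest matching path wins, `h` hides an object from the subject entirely, and a request with no matching rule (or no subject rule at all) is denied. The following Python evaluator is an added example, not gradm's parser or the slide author's code; it handles only the subset of the policy language visible above (a `subject` block with `path mode` object lines), ignores role headers, and embeds the excerpt as a constructed sample.

```python
"""Toy evaluator for a grsecurity RBAC policy excerpt.

Added example: this is NOT gradm or the slide author's code. It implements
only the subset of the policy language visible on the slide (subject blocks
with path/mode object lines) to show how the rules are resolved.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample: the excerpt from the slide, one rule per line.
SAMPLE_POLICY = """\
# Role: utentex
subject /usr/lib/firefox/firefox o {
    /                               h
    /home/utentex                   r
    /home/utentex/Downloads         rwxcd
    /home/utentex/cartellasegreta   h
}
"""


@dataclass
class Subject:
    path: str                   # executable the rules apply to
    mode: str                   # subject mode letters (e.g. "o"); kept, not interpreted here
    objects: Dict[str, str] = field(default_factory=dict)   # object path -> mode letters


def parse_policy(text: str) -> Dict[str, Subject]:
    """Parse 'subject <path> <mode> { <object> <modes> ... }' blocks."""
    subjects: Dict[str, Subject] = {}
    current: Optional[Subject] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("subject "):
            parts = line.split()
            mode = parts[2] if len(parts) > 2 and parts[2] != "{" else ""
            current = Subject(path=parts[1], mode=mode)
            subjects[current.path] = current
        elif line == "}":
            current = None
        elif current is not None:
            parts = line.split()
            current.objects[parts[0]] = parts[1] if len(parts) > 1 else ""
    return subjects


def _covers(obj_path: str, path: str) -> bool:
    """True if obj_path is the requested path itself or one of its parent directories."""
    if obj_path == "/":
        return path.startswith("/")
    return path == obj_path or path.startswith(obj_path.rstrip("/") + "/")


def decide(policy: Dict[str, Subject], subject_path: str,
           path: str, mode: str) -> Tuple[bool, Optional[str], str]:
    """Return (allowed, matched object path, its mode letters).

    Resolution order, as the slides describe it:
      1. no subject rule for the executable -> deny (default is deny-all)
      2. the deepest object path covering the request wins
      3. 'h' hides the object: every access is denied
      4. otherwise the requested mode letter must be present
    """
    subject = policy.get(subject_path)
    if subject is None:
        return False, None, ""
    best = None
    for obj_path in subject.objects:
        if _covers(obj_path, path) and (best is None or len(obj_path) > len(best)):
            best = obj_path
    if best is None:
        return False, None, ""
    modes = subject.objects[best]
    if "h" in modes:
        return False, best, modes
    return mode in modes, best, modes


def check_access(policy: Dict[str, Subject], subject_path: str, path: str, mode: str) -> bool:
    return decide(policy, subject_path, path, mode)[0]


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    ff = "/usr/lib/firefox/firefox"
    for p, m in [("/home/utentex/Downloads/x.pdf", "w"),
                 ("/home/utentex/notes.txt", "r"),
                 ("/home/utentex/notes.txt", "w"),
                 ("/home/utentex/cartellasegreta/key", "r"),
                 ("/etc/passwd", "r")]:
        print(p, m, decide(pol, ff, p, m))
```

Running it shows why the excerpt is a reasonable browser profile: downloads are writable, the rest of the home directory is read-only, the secret folder and everything outside `/home/utentex` are hidden, and any executable without its own subject block gets nothing.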
The good
• theoretically compatible with all Linux distributions
• can coexist with other LSM-based tools
• good role management
• inheritance of rules
• policy syntax supports union, intersections and wildcards ( * , ? , [] )
• memory protection included
• can’t enable a policy if it is too permissive
• RAP to defend against code reuse attacks
The bad
• all policy sits in one file
• inconvenient for manual editing
• cannot write rules using gradm
• per-subject learning mode is unfriendly
• you only have access to testing code
• stable is closed-source (and expensive!)
About PaX
• Protects from:
• arbitrary code execution
• original code executed in a different order (code reuse)
• original code executed in order but with malicious code added
• How?
• NOEXEC and runtime code checking
• ASLR, to better randomise memory addresses
• putting flags in the executable header (needs conversion!)
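The per-binary flags live in a dedicated program header, `PT_PAX_FLAGS`, which is why a binary built without it "needs conversion" before it can be marked. The reader below is an added example, not PaX, paxctl or paxctld code: it parses the ELF64 program headers, reports whether the PaX header is present, and decodes its enable/disable bit pairs. The header type value `0x65041580` and the flag bits are PaX's own constants; the two binaries it inspects are constructed in memory here, so nothing on disk is read.

```python
"""Read and decode the PT_PAX_FLAGS program header of an ELF64 binary.

Added example, not PaX or paxctl code. The header type value and the flag
bits are the ones PaX defines; the sample binaries below are constructed in
memory so the script runs without any real executable.
"""
import struct

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PT_PAX_FLAGS = 0x65041580          # program header type PaX looks for

# Each feature has an "enable" bit and a "disable" bit; neither set means
# "use the kernel's default".
PAX_FEATURES = {
    "PAGEEXEC": (1 << 4, 1 << 5),
    "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9),
    "RANDEXEC": (1 << 10, 1 << 11),
    "EMUTRAMP": (1 << 12, 1 << 13),
    "RANDMMAP": (1 << 14, 1 << 15),
}


def program_headers(elf: bytes):
    """Yield (p_type, p_flags) for every program header of an ELF64 image."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[4] != 2:
        raise ValueError("only ELF64 is handled here")
    end = "<" if elf[5] == 1 else ">"                  # EI_DATA: 1 = little-endian
    (e_phoff,) = struct.unpack_from(end + "Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 54)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from(end + "II", elf, off)
        yield p_type, p_flags


def read_pax_flags(elf: bytes):
    """Return the raw PT_PAX_FLAGS value, or None if the binary has no such header."""
    for p_type, p_flags in program_headers(elf):
        if p_type == PT_PAX_FLAGS:
            return p_flags
    return None


def decode_pax_flags(flags: int) -> dict:
    """Map each PaX feature to enabled / disabled / default / conflict."""
    out = {}
    for name, (on, off) in PAX_FEATURES.items():
        if flags & on and flags & off:
            out[name] = "conflict"
        elif flags & on:
            out[name] = "enabled"
        elif flags & off:
            out[name] = "disabled"
        else:
            out[name] = "default"
    return out


def build_elf64(phdrs) -> bytes:
    """Constructed minimal ELF64 (x86-64, little-endian) holding only program headers."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 62, 1, 0x400000,   # ET_EXEC, x86-64, version, entry
                                 64, 0, 0,             # e_phoff, e_shoff, e_flags
                                 64, 56, len(phdrs),   # e_ehsize, e_phentsize, e_phnum
                                 0, 0, 0)              # e_shentsize, e_shnum, e_shstrndx
    body = b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)
    return ehdr + body


LOAD = (PT_LOAD, 5, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)
# Constructed "before conversion" binary: only PT_GNU_STACK, nothing for PaX to read.
UNCONVERTED = build_elf64([LOAD, (PT_GNU_STACK, 6, 0, 0, 0, 0, 0, 16)])
# Constructed "marked" binary: MPROTECT disabled (as a JIT might need), EMUTRAMP enabled.
MARKED = build_elf64([LOAD, (PT_PAX_FLAGS, (1 << 9) | (1 << 12), 0, 0, 0, 0, 0, 8)])

if __name__ == "__main__":
    print("unconverted:", read_pax_flags(UNCONVERTED))
    print("marked:", decode_pax_flags(read_pax_flags(MARKED)))
```

A `None` result is the "needs conversion" case from the slide; a `disabled` entry on MPROTECT or PAGEEXEC is the kind of exception worth reviewing, since it is a deliberate hole in the memory protection for that one executable.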
Resources
• Official Wiki (https://en.wikibooks.org/wiki/Grsecurity)
• Debian Wiki (https://wiki.debian.org/grsecurity)
• Gentoo Wiki (wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart)
• forums.grsecurity.net
• official mailing list
• irc.oftc.net #grsecurity
• https://grsecurity.net/rap_faq.php
• PaX - Gentoo Wiki (https://wiki.gentoo.org/wiki/Project:Hardened/PaX_Quickstart)
• chpax (8) - man online (http://dev.man-online.org/man8/chpax/)
• TPE (https://wiki.gentoo.org/wiki/Hardened/Grsecurity_Trusted_Path_Execution)
Questions?
Thank you