getting started with grsecurity

GrSecurity | Hardening Two 2016 Francesco Pira (fpira.com) A set of patches to harden your Linux kernel

Posted on 14-Jan-2017

Page 2: Getting started with GrSecurity

What is it

• set of kernel patches

  • grsecurity itself, PaX, TPE

• MAC tool with RBAC built on ACLs

  • gradm, utility to manage the RBAC

• PaX (memory protection)

  • paxctld, daemon to manage PaX

Page 3: Getting started with GrSecurity

Development timeline

• First lines back in 2000/2001

• Still in active development

• Testing is open source

• Stable went closed source last year

• PaX devs collaborate but are a separate team

• PaX is still open source!

Page 4: Getting started with GrSecurity

Hardening Two June 13, 2016 Francesco Pira (fpira.com)

Keywords

• roles, as a higher abstraction of users

• subjects, as an abstraction of executables

• objects, as an abstraction of system resources

• policy, as a set of rules (usually system-wide)

• domains, to combine roles of different groups together

• the policy defines the behaviour of roles / subjects / objects

Page 5: Getting started with GrSecurity

How it works

• object is a system resource or capability

• subject is an executable (it accesses objects)

• admin is the new root (root is treated as compromised)

• domains to combine roles and groups together

• path-based ACL, deeper path = higher priority

• hierarchies (user -> group -> default and path-based)

Page 6: Getting started with GrSecurity

Features

• double authentication (via password for grsec admin and shutdown roles)

• limits on system capabilities

• default is deny-all (no rule means no execution)

• learning mode is available, full or per-process

• kernel auditing

• improved file-system and chroot() security

• Trusted Path Execution (TPE)

• kernel and userspace memory protection

• customise before compiling (via menuconfig)

• underneath, settings are edited via sysctl

Page 7: Getting started with GrSecurity

How it works

Page 8: Getting started with GrSecurity

Installation

1. download Linux kernel sources

2. download grsecurity patch for your kernel

3. verify files, unzip and patch

4. customise with menuconfig

5. compile and install

6. install dependencies, gradm, paxctld

Page 9: Getting started with GrSecurity

Post-installation

1. Set a password for basic roles

• admin

• shutdown

2. start the first learning mode (gradm -F -L /etc/grsec/learning.logs)

3. use the system normally (do not perform bad actions!)

4. check file output (/etc/grsec/learning.logs)

5. apply output file as policy (gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy)

6. enable grsec (gradm -E)

Page 10: Getting started with GrSecurity

Usage

• gradm -S to check the status

• gradm -E to enable, gradm -D to disable

• gradm -C for policy control

• gradm -a [role] to login into a role

• gradm -u to logout

• gradm -F -L /etc/grsec/learning.logs, for learning mode

• … -O /etc/grsec/policy to apply learned rules

Page 11: Getting started with GrSecurity

A policy excerpt

# Role: utentex
subject /usr/lib/firefox/firefox o {
    /                               h
    /home/utentex                   r
    /home/utentex/Downloads         rwxcd
    /home/utentex/cartellasegreta   h
}
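An added Python example (my own, not from the slides or from gradm) that parses a subject block in this excerpt's format and applies the lookup rule from the "How it works" slide: the deepest matching object path wins, and no matching rule means deny. The policy string is a constructed sample modelled on the excerpt above; subject modes are parsed but otherwise ignored.

```python
import re

# Constructed sample in gradm policy syntax, modelled on the slide's excerpt
# (assumption: the one-line excerpt is one subject block with four object rules).
POLICY = """
# Role: utentex
subject /usr/lib/firefox/firefox o {
    /                               h
    /home/utentex                   r
    /home/utentex/Downloads         rwxcd
    /home/utentex/cartellasegreta   h
}
"""

def parse_subjects(text):
    """Return {subject_path: [(object_path, mode), ...]} for each subject block."""
    subjects, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^subject\s+(\S+)(?:\s+(\w+))?\s*\{$", line)
        if m:
            current = m.group(1)                      # subject mode (here 'o') is ignored
            subjects[current] = []
        elif line == "}":
            current = None
        elif current is not None:
            obj, mode = line.split()[:2]              # object path and its mode letters
            subjects[current].append((obj, mode))
    return subjects

def effective_mode(rules, path):
    """Path-based ACL lookup: the deepest object path that covers `path` wins.
    No covering rule at all means the grsecurity default, deny (returned as '')."""
    best = None
    for obj, mode in rules:
        if path == obj or path.startswith(obj.rstrip("/") + "/"):
            if best is None or len(obj) > len(best[0]):
                best = (obj, mode)
    return best[1] if best else ""

def firefox_mode(path):
    """Mode letters firefox gets on `path` under the sample policy
    (r read, w write, x execute, c create, d delete, h hidden from the subject)."""
    return effective_mode(parse_subjects(POLICY)["/usr/lib/firefox/firefox"], path)
```

Note that the secret folder is hidden even though its parent grants read: the deeper rule overrides the shallower one, which is the whole point of the excerpt.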

Page 12: Getting started with GrSecurity

The good

• theoretically compatible with all Linux distros

• can coexist with other LSM-based tools

• good role management

• inheritance of rules

• policy syntax supports union, intersections and wildcards ( * , ? , [] )

• memory protection included

• can’t enable a policy if it is too permissive

• RAP to defend against code reuse attacks

Page 13: Getting started with GrSecurity

The bad

• all policy sits in one file

• inconvenient for manual editing

• cannot write rules using gradm

• per-subject learning mode is unfriendly

• you only have access to testing code

• stable is closed-source (and expensive!)

Page 14: Getting started with GrSecurity

About PaX

• Protects from:

  • arbitrary code execution

  • original code execution, but in a different order

  • original code execution in order, but with malicious code added

• How?

  • NOEXEC and runtime code checking

  • ASLR, to better randomise memory addresses

  • putting flags in the executable header (needs conversion!)
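To show what "flags in the executable header" means, here is an added Python example (not from the slides, nor from paxctl or chpax) that decodes the PT_PAX_FLAGS program header of an ELF64 binary and reports which PaX features it switches on or off. The header type and bit values are the ones the PaX patch adds to elf.h; the ELF image inspected is a constructed, headers-only sample, and a binary that carries only PT_GNU_STACK and no PT_PAX_FLAGS entry (the "needs conversion" case) yields None.

```python
import struct

PT_PAX_FLAGS = 0x65041580   # PaX program header type (PT_LOOS + 0x5041580)
PT_GNU_STACK = 0x6474e551   # header an unconverted binary has instead of PT_PAX_FLAGS
# (enable bit, disable bit) of p_flags per PaX feature, as added to elf.h by the PaX patch
PAX_FEATURES = {
    "PAGEEXEC": (1 << 4, 1 << 5), "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9), "RANDEXEC": (1 << 10, 1 << 11),
    "EMUTRAMP": (1 << 12, 1 << 13), "RANDMMAP": (1 << 14, 1 << 15),
}
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 little-endian file header, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # ELF64 program header entry, 56 bytes

def decode_pax_flags(p_flags):
    """Map each feature to 'on', 'off', 'default' (no bit set: the kernel-wide
    setting applies) or 'conflict' (both bits set, an invalid combination)."""
    out = {}
    for name, (on_bit, off_bit) in PAX_FEATURES.items():
        on, off = bool(p_flags & on_bit), bool(p_flags & off_bit)
        out[name] = "conflict" if on and off else "on" if on else "off" if off else "default"
    return out

def read_pax_flags(elf_bytes):
    """Decoded PT_PAX_FLAGS of an ELF64 LE image, or None if the binary carries
    no such header (i.e. it still needs conversion)."""
    if elf_bytes[:4] != b"\x7fELF" or elf_bytes[4] != 2 or elf_bytes[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = EHDR.unpack_from(elf_bytes, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]   # e_phoff, e_phentsize, e_phnum
    for i in range(phnum):
        p_type, p_flags = PHDR.unpack_from(elf_bytes, phoff + i * phentsize)[:2]
        if p_type == PT_PAX_FLAGS:
            return decode_pax_flags(p_flags)
    return None

def build_sample_elf(pax_flags=None):
    """Constructed minimal ELF64 image (headers only, not runnable) with a PT_GNU_STACK
    entry and, when pax_flags is given, a PT_PAX_FLAGS entry carrying those bits."""
    phdrs = [PHDR.pack(PT_GNU_STACK, 6, 0, 0, 0, 0, 0, 16)]   # flags 6 = RW (non-exec stack)
    if pax_flags is not None:
        phdrs.append(PHDR.pack(PT_PAX_FLAGS, pax_flags, 0, 0, 0, 0, 0, 8))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)      # ELFCLASS64, little-endian, v1
    ehdr = EHDR.pack(ident, 2, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)   # ET_EXEC, x86-64
    return ehdr + b"".join(phdrs)
```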

Page 15: Getting started with GrSecurity

Resources

• Official Wiki (https://en.wikibooks.org/wiki/Grsecurity)

• Debian Wiki (https://wiki.debian.org/grsecurity)

• Gentoo Wiki (wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart)

• forums.grsecurity.net

• official mailing list

• irc.oftc.net #grsecurity

• https://grsecurity.net/rap_faq.php

• PaX - Gentoo Wiki (https://wiki.gentoo.org/wiki/Project:Hardened/PaX_Quickstart)

• chpax (8) - man online (http://dev.man-online.org/man8/chpax/)

• TPE (https://wiki.gentoo.org/wiki/Hardened/Grsecurity_Trusted_Path_Execution)

Page 16: Getting started with GrSecurity

Questions?

Thank you