Gentoo - hardened setup

By: john.mcfarlane <john.mcfarlane@rockfloat.com>
Last updated: 09/29/2006 @ 22:36

Abstract:
This document is intended to help those unfamiliar with the Hardened Gentoo Project both understand its purpose and learn the basics of its implementation.



1. What is the Hardened Gentoo Project?

"Hardened Gentoo is a project which oversees the research, implementation, and maintenance of security oriented projects for Gentoo Linux. [They] are a team of very competent individuals dedicated to bringing advanced security to Gentoo with a number of subprojects."

"Hardened Gentoo's purpose is to make Gentoo viable for high security, high stability production server environments. This project is not a standalone project disjoined from Gentoo proper; it is intended to be a team of Gentoo developers which are focused on delivering solutions to Gentoo that provide strong security and stability. These solutions will be available in Gentoo once they've been tested for security and stability by the Hardened team."

Above quoted from: http://hardened.gentoo.org

2. Where do I begin?

You'll want to make sure your Portage snapshot includes the latest hardened profile:

root# emerge --sync
You'll also probably want to read through the Gentoo Hardened FAQ:

http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml

3. Switch to the hardened profile

There is a special profile for use with Hardened Gentoo. It's very similar to the server and desktop profiles, only this one has security in mind: it selects the hardened toolchain and the matching USE flags.

Here's how you switch:


root# rm /etc/make.profile  # NO TRAILING SLASH: that would point rm at the profile directory instead of the symlink
root# ln -s /usr/portage/profiles/hardened/x86/2.6 /etc/make.profile
root# env-update
root# source /etc/profile

4. Recompile system using hardened toolchain

Now that you are using the hardened profile, you need to recompile your entire system to take advantage of it:

root# screen  # Optional, but highly recommended: the full rebuild takes a long time
root# emerge --oneshot binutils gcc virtual/libc  # toolchain first; --oneshot keeps it out of the world file
root# emerge -e world  # then everything else, built with the hardened gcc
Tip: at the time of this writing, gcc-4.x.x is not supported by the hardened toolchain.

5. Switch to a hardened kernel

You'll also want to run a kernel that carries the PaX patches (more on PaX later); Gentoo packages it as hardened-sources.

Here's how to roll a hardened kernel:


root# emerge -a hardened-sources
root# cd /usr/src
root# cp linux/.config kernel.config.backup
root# rm linux
root# ln -s linux-2.6.16-hardened-r11 linux
root# cp kernel.config.backup linux/.config  # Optional
root# cd linux
root# make oldconfig  # Optional: with the backup restored, this only asks about options new to this kernel
root# make menuconfig
	# Make sure to select the following, along with your normal stuff
	[*] Enable various PaX features
	
	PaX Control ->
	 [ ] Support soft mode
	 [*] Use legacy ELF header marking
	 [*] Use ELF program header marking
	     MAC system integration (none)  --->
	
	Non-executable page ->
	 [*] Enforce non-executable pages
	 [*]   Paging based non-executable pages
	 [*]   Segmentation based non-executable pages
	 [*] Emulate trampolines
	 [*] Restrict mprotect()
	 [ ]   Disallow ELF text relocations
	
	Address Space Layout Randomization ->
	 [*] Address Space Layout Randomization
	 [*]   Randomize kernel stack base
	 [*]   Randomize user stack base
	 [*]   Randomize mmap() base
	 [*]     Randomize ET_EXEC base

root# make && make modules_install
root# mount /boot
root# cp arch/i386/boot/bzImage /boot/kernel-2.6.16-hardened-r11
root# cp System.map /boot/System.map-2.6.16-hardened-r11
root# cd /boot
root# rm -f System.map
root# ln -s System.map-2.6.16-hardened-r11 System.map
# Update /boot/grub/grub.conf - nothing special, just the normal stuff
root# grub-install --no-recheck --no-floppy /dev/hda  # hda/sda; only needed if GRUB isn't already installed in the MBR
root# reboot

Once your system comes back up on the new kernel, you'll be running the most basic hardened Gentoo setup. Next we'll discuss the other essential components of a hardened system.

6. PaX - Least privilege protections for memory pages

PaX is one of the most important parts of a hardened system. From the official Gentoo docs:

"PaX is a patch to the Linux kernel that provides hardening in two ways. The first, ASLR (Address Space Layout Randomization) provides a means to randomize the addressing scheme of all data loaded into memory. When an application is built as a PIE (Position Independent Executable), PaX is able to also randomize the addresses of the application base in addition. The second protection provided by PaX is non-executable memory. This prevents a common form of attack where executable code is inserted into memory by an attacker. More information on PaX can be found throughout this guide, but the homepage can be found at http://pax.grsecurity.net ."

Since we already built a kernel with PaX support, there isn't a lot that needs to be done here. You will want a utility to toggle protections on a per-executable basis, for the odd program (JIT compilers, for example) that genuinely needs to break the rules:

root# emerge paxctl
root# paxctl -h  # To see example usage
root# paxctl -v /usr/bin/python  # To view flags for a particular binary
Optionally you can install chpax, whose init script applies a reasonable default set of per-binary flags at boot:

root# emerge chpax
root# rc-update add chpax default
root# /etc/init.d/chpax start

# These packages are also useful: pax-utils brings scanelf for auditing
# binaries' PaX flags and text relocations, paxtest exercises the kernel
root# emerge pax-utils
root# emerge paxtest
Once you have paxtest installed you can use it to test your setup. Read the output with two things in mind: the "Return to function" lines that say Vulnerable are expected, because PaX keeps injected code from executing but cannot stop a return into code that is already mapped (libc, for example); ASLR only makes those addresses harder to guess, and the randomisation lines show it does more for ET_DYN (PIE) binaries than for ET_EXEC ones, which is why the hardened toolchain builds PIE.

root# paxtest blackhat

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable stack (mprotect)              : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments                   : Killed
Anonymous mapping randomisation test     : 16 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Heap randomisation test (ET_DYN)         : 25 bits (guessed)
Main executable randomisation (ET_EXEC)  : 16 bits (guessed)
Main executable randomisation (ET_DYN)   : 17 bits (guessed)
Shared library randomisation test        : 16 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 23 bits (guessed)
Stack randomisation test (PAGEEXEC)      : No randomisation
Return to function (strcpy)              : Vulnerable
Return to function (memcpy)              : Vulnerable
Return to function (strcpy, RANDEXEC)    : Killed
Return to function (memcpy, RANDEXEC)    : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed

REFERENCE: http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml
REFERENCE: http://en.wikipedia.org/wiki/PaX

7. SSP - Stack Smashing Protector

SSP (ProPolice) is a really useful GCC extension that detects stack buffer overflows at run time and aborts the program before a corrupted return address can be used. The project describes it as:

"It is a GCC (Gnu Compiler Collection) extension for protecting applications from stack-smashing attacks. Applications written in C will be protected by the method that automatically inserts protection code into an application at compilation time. The protection is realized by buffer overflow detection and the variable reordering feature to avoid the corruption of pointers. The basic idea of buffer overflow detection comes from StackGuard system."

"The novel features are (1) the reordering of local variables to place buffers after pointers to avoid the corruption of pointers that could be used to further corrupt arbitrary memory locations, (2) the copying of pointers in function arguments to an area preceding local variable buffers to prevent the corruption of pointers that could be used to further corrupt arbitrary memory locations, and the (3) omission of instrumentation code from some functions to decrease the performance overhead. "

The good news is... your rig is already set up to use it: the hardened profile selects a GCC that turns on the stack protector by default, so everything rebuilt in step 4 already carries it :) To check a given binary, look for the protector's failure handler (__stack_smash_handler for ProPolice, __stack_chk_fail for GCC 4.1 and later) in the output of readelf -s on that binary.
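
Here's an added example, not part of this howto and not code from paxtest or the SSP project: a small C program that probes from user space what the PaX options picked in step 5 (MPROTECT, PAGEEXEC/SEGMEXEC) and the SSP-built toolchain from step 4 actually do to a process. Each probe runs in a forked child and the parent classifies the outcome the way paxtest does (Allowed, Denied, Killed). The probe names, the child exit codes, the 4096-byte mapping size and the 23-byte payload of 'A's are all constructed for the example, and the verdicts depend on the kernel and compiler you run it under: on a PaX kernel the mprotect() probe reports Denied and the data-page probe Killed, and a binary from the hardened gcc reports Killed for the overflow because the canary check fires before the corrupted frame is used.

```c
/* Added example (not the howto's, paxtest's or SSP's own code): user-space probes for
 * the protections this howto enables.  PaX MPROTECT refuses to let a writable page turn
 * executable; PAGEEXEC/SEGMEXEC kill a process that executes a data page; SSP aborts a
 * function whose stack canary was overwritten.  Each probe runs in a forked child so a
 * kill does not take down the reporter; the verdicts depend on your kernel and compiler. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

enum probe_result { PROBE_ALLOWED, PROBE_DENIED, PROBE_KILLED, PROBE_SKIPPED };
enum { CHILD_OK = 0, CHILD_EPERM = 2, CHILD_SKIP = 3 };   /* child exit codes (constructed) */
static const char *const verdict[] = { "Allowed", "Denied", "Killed", "Skipped" };
#define PAGE 4096                      /* assumed mapping size; mmap rounds up anyway */
int last_signal;                       /* signal that ended the most recent killed child */

/* Map a waitpid() status onto a paxtest-style verdict (Linux status encoding):
 * a signal (SIGSEGV/SIGKILL from PaX, SIGABRT from the SSP handler) means Killed. */
enum probe_result classify_status(int wstatus)
{
    if (WIFSIGNALED(wstatus)) { last_signal = WTERMSIG(wstatus); return PROBE_KILLED; }
    if (!WIFEXITED(wstatus)) return PROBE_SKIPPED;
    if (WEXITSTATUS(wstatus) == CHILD_OK) return PROBE_ALLOWED;
    return WEXITSTATUS(wstatus) == CHILD_EPERM ? PROBE_DENIED : PROBE_SKIPPED;
}

/* Run fn() in a child; the child only reaches _exit(CHILD_OK) if fn() returned. */
enum probe_result run_probe(void (*fn)(void))
{
    int wstatus;
    pid_t pid = fork();
    if (pid < 0) return PROBE_SKIPPED;
    if (pid == 0) { fn(); _exit(CHILD_OK); }
    return waitpid(pid, &wstatus, 0) == pid ? classify_status(wstatus) : PROBE_SKIPPED;
}

/* MPROTECT: a writable anonymous page may not later become executable (Denied, EPERM).
 * This is the W->X flip that staging shellcode in a data page relies on. */
void child_mprotect_exec(void)
{
    void *p = mmap(NULL, PAGE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) _exit(CHILD_SKIP);
    if (mprotect(p, PAGE, PROT_READ | PROT_EXEC) != 0)
        _exit(errno == EPERM ? CHILD_EPERM : CHILD_SKIP);
}

/* PAGEEXEC/SEGMEXEC: fetching an instruction from a data page kills the child (SIGSEGV).
 * Hardware NX on a stock kernel does the same; only a kernel with neither lets the lone
 * x86 `ret` run (Allowed).  x86 only, other architectures report Skipped. */
void child_exec_data(void)
{
#if defined(__i386__) || defined(__x86_64__)
    void (*fn)(void);
    unsigned char *p = mmap(NULL, PAGE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) _exit(CHILD_SKIP);
    p[0] = 0xc3;                       /* ret */
    memcpy(&fn, &p, sizeof fn);        /* data pointer -> function pointer */
    fn();
#else
    _exit(CHILD_SKIP);
#endif
}

/* SSP: deliberately unbounded copy into a 16-byte stack buffer (kept vulnerable on
 * purpose).  With SSP the canary above buf is clobbered and the check at function exit
 * aborts before the corrupted frame is used (Killed); without SSP the frame layout
 * decides between a quiet return (Allowed) and a crash on return (Killed, SIGSEGV). */
static void __attribute__((noinline)) copy_unbounded(const char *src)
{
    char buf[16];
    strcpy(buf, src);                  /* vulnerable: no length check */
    (void)*(volatile char *)buf;       /* keep buf live */
}

void child_smash_stack(void)
{
    char payload[24];                  /* constructed 23-byte overflow, not an exploit */
    memset(payload, 'A', sizeof payload - 1);
    payload[sizeof payload - 1] = '\0';
    copy_unbounded(payload);
}

int main(void)
{
    static const struct { const char *name; void (*fn)(void); } probes[] = {
        { "RW -> RX mprotect (MPROTECT)",       child_mprotect_exec },
        { "Execute from data page (PAGEEXEC)",  child_exec_data },
        { "Stack buffer overflow (SSP canary)", child_smash_stack },
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        enum probe_result r = run_probe(probes[i].fn);
        printf("%-36s: %s", probes[i].name, verdict[r]);
        if (r == PROBE_KILLED) printf(" (signal %d)", last_signal);
        putchar('\n');
    }
    return 0;
}
```

Build it with the hardened gcc as-is, or elsewhere with gcc -O2 -fstack-protector-all (the file name is yours), and compare its lines with the paxtest output above. The data-page probe comes back Killed on any NX-capable CPU even with a stock kernel, so the mprotect() line is the one that tells a PaX kernel apart from a vanilla one.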

REFERENCE: http://www.trl.ibm.com/projects/security/ssp/
REFERENCE: http://en.wikipedia.org/wiki/Stack-Smashing_Protector

Changelog:
  Date               Description
  09/28/2006 @ 02:00 Remove -a switch from toolchain rebuild, added info on PaX and SSP
  09/29/2006 @ 22:36 Add step to update System.map, don't emerge paxctl twice :)

This document was originally created on 09/28/2006


Conventions and tips for this howto document:
  1. This howto assumes you're running the 2.6 kernel

Disclaimer:
This page is not endorsed by gentoo.org or any other cool cats. Any information provided in this document is to be used at your own risk.