Gentoo - hardened setup
1. What is the Hardened Gentoo Project?
"Hardened Gentoo's purpose is to make Gentoo viable for high security, high stability production server environments. This project is not a standalone project disjoined from Gentoo proper; it is intended to be a team of Gentoo developers which are focused on delivering solutions to Gentoo that provide strong security and stability. These solutions will be available in Gentoo once they've been tested for security and stability by the Hardened team."
Above quoted from: http://hardened.gentoo.org
2. Where do I begin?
You'll also probably want to read through the Gentoo Hardened FAQ:
root# emerge --sync
3. Switch to the hardened profile
Here's how you switch:
root# rm /etc/make.profile   # DO NOT INCLUDE A TRAILING SLASH HERE!
root# ln -s /usr/portage/profiles/hardened/x86/2.6 /etc/make.profile
root# env-update
root# source /etc/profile
4. Recompile system using hardened toolchain
root# screen   # Optional, but highly recommended
root# emerge binutils gcc virtual/libc
root# emerge -e world
5. Switch to a hardened kernel
Here's how to roll a hardened kernel:
root# emerge -a hardened-sources
root# cd /usr/src
root# cp linux/.config kernel.config.backup
root# rm linux
root# ln -s linux-2.6.16-hardened-r11 linux
root# cp kernel.config.backup linux/.config   # Optional
root# cd linux
root# make oldconfig   # Optional, use to clean up from your .config backup
root# make menuconfig
# Make sure to select the following, along with your normal stuff
[*] Enable various PaX features
    PaX Control ->
        [ ] Support soft mode
        [*] Use legacy ELF header marking
        [*] Use ELF program header marking
        MAC system integration (none) --->
    Non-executable page ->
        [*] Enforce non-executable pages
        [*] Paging based non-executable pages
        [*] Segmentation based non-executable pages
        [*] Emulate trampolines
        [*] Restrict mprotect()
        [ ] Disallow ELF text relocations
    Address Space Layout Randomization ->
        [*] Address Space Layout Randomization
        [*] Randomize kernel stack base
        [*] Randomize user stack base
        [*] Randomize mmap() base
        [*] Randomize ET_EXEC base
root# make && make modules_install
root# mount /boot
root# cp arch/i386/boot/bzImage /boot/kernel-2.6.16-hardened-r11
root# cp System.map /boot/System.map-2.6.16-hardened-r11
root# cd /boot
root# rm System.map
root# ln -s System.map-2.6.16-hardened-r11 System.map
# Update /boot/grub/grub.conf - nothing special, just the normal stuff
root# grub-install --no-recheck --no-floppy /dev/hda   # hda/sda
root# reboot
Once your system comes back up and you boot to your shiny new kernel, you'll be running the most basic of a hardened Gentoo setup. Next we will discuss the other essential components of a hardened system.
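A menuconfig session is easy to get slightly wrong, so it is worth checking the resulting .config against the list above before running make. The script below is an added example, not part of the original guide: it reads a kernel .config and reports any of the PaX options that are not set to y, plus soft mode if it was left on. The CONFIG_ symbol names are assumed to be the hardened-sources 2.6.x names for the menu entries listed above; confirm them against your tree's Kconfig if they differ. The two sample configs it builds are constructed so the script runs without a kernel tree.

```shell
#!/bin/sh
# Added example (not from the original guide): check a kernel .config for
# the PaX options selected in the menuconfig step. The CONFIG_ symbol names
# are ASSUMED to be the hardened-sources 2.6.x names for those menu entries.

# Menu entries marked [*] above, as Kconfig symbols (assumed mapping)
PAX_REQUIRED="CONFIG_PAX CONFIG_PAX_EI_PAX CONFIG_PAX_PT_PAX_FLAGS
CONFIG_PAX_NOEXEC CONFIG_PAX_PAGEEXEC CONFIG_PAX_SEGMEXEC CONFIG_PAX_EMUTRAMP
CONFIG_PAX_MPROTECT CONFIG_PAX_ASLR CONFIG_PAX_RANDKSTACK CONFIG_PAX_RANDUSTACK
CONFIG_PAX_RANDMMAP CONFIG_PAX_RANDEXEC"

# Menu entries left [ ] above: soft mode turns enforcement off unless a
# binary is explicitly marked, which defeats the point of the defaults.
PAX_FORBIDDEN="CONFIG_PAX_SOFTMODE"

# pax_check_config FILE
#   Prints one line per problem and returns 0 only when every required
#   option is =y and no forbidden option is =y.
pax_check_config() {
    cfg="$1"
    rc=0
    for opt in $PAX_REQUIRED; do
        if ! grep -q "^${opt}=y\$" "$cfg"; then
            echo "MISSING:  $opt is not set to y"
            rc=1
        fi
    done
    for opt in $PAX_FORBIDDEN; do
        if grep -q "^${opt}=y\$" "$cfg"; then
            echo "UNWANTED: $opt is set to y"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample configs so the script runs without a kernel tree.
# GOOD_CFG has everything set as the guide recommends; BAD_CFG leaves
# RANDEXEC off and turns soft mode on.
GOOD_CFG="${TMPDIR:-/tmp}/pax-good.$$"
BAD_CFG="${TMPDIR:-/tmp}/pax-bad.$$"
trap 'rm -f "$GOOD_CFG" "$BAD_CFG"' EXIT
for opt in $PAX_REQUIRED; do echo "$opt=y"; done >"$GOOD_CFG"
echo "# CONFIG_PAX_SOFTMODE is not set" >>"$GOOD_CFG"
grep -v '^CONFIG_PAX_RANDEXEC=' "$GOOD_CFG" >"$BAD_CFG"
echo "# CONFIG_PAX_RANDEXEC is not set" >>"$BAD_CFG"
echo "CONFIG_PAX_SOFTMODE=y" >>"$BAD_CFG"

for f in "$GOOD_CFG" "$BAD_CFG"; do
    echo "== checking $f"
    if pax_check_config "$f"; then
        echo "OK: PaX options match the guide"
    else
        echo "FAIL: fix the options above before building"
    fi
done
# On a real system: pax_check_config /usr/src/linux/.config
```

Run it against /usr/src/linux/.config after make menuconfig and before make; the exit status is non-zero as soon as one option is missing, so it can also gate a build script.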
6. PaX - Least privilege protections for memory pages
"PaX is a patch to the Linux kernel that provides hardening in two ways. The first, ASLR (Address Space Layout Randomization) provides a means to randomize the addressing scheme of all data loaded into memory. When an application is built as a PIE (Position Independent Executable), PaX is able to also randomize the addresses of the application base in addition. The second protection provided by PaX is non-executable memory. This prevents a common form of attack where executable code is inserted into memory by an attacker. More information on PaX can be found throughout this guide, but the homepage can be found at http://pax.grsecurity.net ."
Since we already built a kernel with PaX support, there isn't a lot that needs to be done here. You will want a utility to aid in toggling protections on a per-executable basis:
root# emerge paxctl
root# paxctl -h   # To see example usage
root# paxctl -v /usr/bin/python   # To view flags for a particular binary
Optionally you can install chpax which sets some reasonable default settings:
root# emerge chpax
root# rc-update add chpax default
root# /etc/init.d/chpax start
# These packages are also useful
root# emerge pax-utils
root# emerge paxtest
Once you have paxtest installed you can use it to test your setup:
root# paxtest blackhat
Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable stack (mprotect)              : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments                   : Killed
Anonymous mapping randomisation test     : 16 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Heap randomisation test (ET_DYN)         : 25 bits (guessed)
Main executable randomisation (ET_EXEC)  : 16 bits (guessed)
Main executable randomisation (ET_DYN)   : 17 bits (guessed)
Shared library randomisation test        : 16 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 23 bits (guessed)
Stack randomisation test (PAGEEXEC)      : No randomisation
Return to function (strcpy)              : Vulnerable
Return to function (memcpy)              : Vulnerable
Return to function (strcpy, RANDEXEC)    : Killed
Return to function (memcpy, RANDEXEC)    : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
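The report is long, and the lines that matter are the ones that do not say Killed: a Vulnerable result means paxtest carried the attack out, No randomisation means ASLR is not applied to that region, and a low bit count means ASLR is present but guessable. The script below is an added example, not part of the original guide or of paxtest: it reads a paxtest report on stdin and prints one finding per such line, returning the number of findings. The 16-bit entropy threshold is an assumption chosen against the 32-bit x86 numbers above, not a paxtest setting. The report shown above is copied inline so the script runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the original guide): turn a paxtest report into a
# short list of findings. Reads the report on stdin and prints one line per
# test that was not killed or whose randomisation looks weak.

# Minimum acceptable randomisation in bits. ASSUMED threshold picked against
# the 32-bit x86 numbers in the report above, not a paxtest setting.
MIN_RANDOM_BITS=16

# paxtest_summary < report
#   Prints findings and returns the number of findings (0 means all good).
paxtest_summary() {
    awk -v min="$MIN_RANDOM_BITS" '
        # An attack paxtest could carry out: the protection is absent
        /: *Vulnerable/ {
            sub(/ *:.*/, ""); print "VULNERABLE   " $0; n++; next
        }
        # ASLR not applied to this region at all
        /: *No randomisation/ {
            sub(/ *:.*/, ""); print "NO RANDOM    " $0; n++; next
        }
        # ASLR present but with fewer bits of entropy than we want
        /: *[0-9]+ bits/ {
            name = $0; sub(/ *:.*/, "", name)
            bits = $0; sub(/.*: */, "", bits); sub(/ bits.*/, "", bits)
            if (bits + 0 < min) {
                print "LOW ENTROPY  " name " (" bits " bits)"; n++
            }
            next
        }
        END { exit n + 0 }
    '
}

# The paxtest output shown in the guide, copied inline for a stand-alone run.
SAMPLE_REPORT='Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable stack (mprotect)              : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments                   : Killed
Anonymous mapping randomisation test     : 16 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Heap randomisation test (ET_DYN)         : 25 bits (guessed)
Main executable randomisation (ET_EXEC)  : 16 bits (guessed)
Main executable randomisation (ET_DYN)   : 17 bits (guessed)
Shared library randomisation test        : 16 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 23 bits (guessed)
Stack randomisation test (PAGEEXEC)      : No randomisation
Return to function (strcpy)              : Vulnerable
Return to function (memcpy)              : Vulnerable
Return to function (strcpy, RANDEXEC)    : Killed
Return to function (memcpy, RANDEXEC)    : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed'

findings=0
printf '%s\n' "$SAMPLE_REPORT" | paxtest_summary || findings=$?
echo "paxtest findings: $findings"
# On a real system: paxtest blackhat | paxtest_summary
```

On the report above it lists the two Return to function results, the PAGEEXEC stack test and the 13-bit ET_EXEC heap test, which is the set of items to look at when deciding whether the remaining gaps are acceptable for the box.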
7. SSP - Stack Smashing Protector
"It is a GCC (Gnu Compiler Collection) extension for protecting applications from stack-smashing attacks. Applications written in C will be protected by the method that automatically inserts protection code into an application at compilation time. The protection is realized by buffer overflow detection and the variable reordering feature to avoid the corruption of pointers. The basic idea of buffer overflow detection comes from StackGuard system."
"The novel features are (1) the reordering of local variables to place buffers after pointers to avoid the corruption of pointers that could be used to further corrupt arbitrary memory locations, (2) the copying of pointers in function arguments to an area preceding local variable buffers to prevent the corruption of pointers that could be used to further corrupt arbitrary memory locations, and the (3) omission of instrumentation code from some functions to decrease the performance overhead. "
The good news is... your rig is already set up to use it. The hardened profile takes care of that for you :)
09/28/2006 @ 02:00 - Remove -a switch from toolchain rebuild, added info on PaX and SSP
09/29/2006 @ 22:36 - Add step to update System.map, don't emerge paxctl twice :)
This document was originally created on 09/28/2006
This page is not endorsed by gentoo.org or any other cool cats. Any information provided in this document is to be used at your own risk.