In this article we are going to cover a large part of advanced CentOS security: how to build your own hardened kernel with grsecurity.

GridVirt Inc. takes no responsibility if you break something and then find your server won’t boot, or your server blows up and showers the techs with hot shards of destroyed kernel. grsecurity is a great project: it not only saves many people tons of work, its contributions also make the net a safer place to be. So if you use grsecurity, please consider helping the guys over at Grsecurity out with a donation to show your appreciation. I’ll only list a few features here, as the full list is quite large. For the full list please go here >> Grsecurity Features

Small List of Grsecurity Features

– Enforced chdir("/") on chroot

– Extensive auditing (Security alerts and audits that contain the IP address of the person causing the alert)

– Prevent exploitation of most refcount overflows

– Deter exploit bruteforcing

– Randomization of the stack, library, and heap bases

– Kernel stack base randomization

– Proc restrictions

I’ll stop now, though I would love to keep going! Let’s dig into some advanced CentOS security. The first thing we need to do is grab the correct grsecurity patch and the matching kernel source. The patch is generated against one specific kernel release and will not apply cleanly to any other, so the versions have to line up. For example, at the time this article was written the matching grsecurity patch and source were:

grsecurity-2.9-3.2.19-201206042135.patch
linux-3.2.19.tar.bz2

See the match? The version in the middle of the patch name (3.2.19) is the kernel release the patch was generated against. So now we need to download both, as well as gradm, the administration utility for grsecurity’s RBAC system; you must download the gradm version that matches the grsecurity version (2.9 here) of the patch you downloaded. gradm is located on the same download page as grsecurity. We will also grab the signing key and the .sig files for verifying both files while we are at it:

cd /usr/src/kernels
wget http://www.kernel.org/pub/linux/kernel/v3.0/linux-3.2.19.tar.bz2
wget http://grsecurity.net/stable/grsecurity-2.9-3.2.19-201206042135.patch
wget http://grsecurity.net/stable/gradm-2.9-201202232055.tar.gz
wget http://grsecurity.net/spender-gpg-key.asc
wget http://grsecurity.net/stable/grsecurity-2.9-3.2.19-201206042135.patch.sig
wget http://grsecurity.net/stable/gradm-2.9-201202232055.tar.gz.sig

Now we need to verify both the grsecurity patch and gradm. First import the key, then verify. A warning that the key is not certified with a trusted signature is normal; as long as GPG reports a good signature you are fine as far as the signature goes. Keep in mind, though, that “Good signature” only means the file was signed by the key you just imported, and that key came over plain HTTP from the same server as the patch. Check the key’s fingerprint (gpg --fingerprint) against a copy obtained some other way before you trust the result.

gpg --import spender-gpg-key.asc
gpg --verify grsecurity-2.9-3.2.19-201206042135.patch.sig
gpg --verify gradm-2.9-201202232055.tar.gz.sig

Let’s make sure we have the packages needed to patch and build the kernel (ncurses-devel is for make menuconfig):

yum -y groupinstall "Development Tools"
yum -y install ncurses-devel

Now we’ll unpack, patch, and clean (note the file names match the 3.2.19 patch and source we downloaded and verified above):

tar xjf linux-3.2.19.tar.bz2
cd linux-3.2.19
patch -p1 < ../grsecurity-2.9-3.2.19-201206042135.patch
make clean && make mrproper

To save yourself some time you can start from your current kernel’s config, which leaves only grsecurity to configure. Copy your current config file, then go into the configuration menu:

cp /boot/config-`uname -r` .config
make menuconfig

Go to Security options >> Grsecurity, hit enter, then hit “Y”; this enables grsecurity and shows you the options available. Users who are not yet comfortable with grsecurity should enable the sysctl interface (Sysctl support, CONFIG_GRKERNSEC_SYSCTL); it lets you change the options grsecurity runs with, under kernel.grsecurity.*, without recompiling the kernel. Two caveats: with the sysctl interface enabled the features start out disabled at boot unless you also select “Turn on features by default” (CONFIG_GRKERNSEC_SYSCTL_ON) or switch them on from /etc/sysctl.conf, and once kernel.grsecurity.grsec_lock is set to 1 nothing under kernel.grsecurity can be changed again until the next reboot, so set the lock last. Listing and explaining all of grsecurity’s options for a customized setup is beyond the scope of this article. Sometimes I make a custom config and sometimes I choose “High” under Grsecurity >> Security Level. Please take the time to read up on the different levels (read me!) and, if you really want to get into the meat of it, read through all the settings and create your own custom config. I highly recommend doing some reading and trying your own custom configs; this will give you a much deeper understanding of advanced CentOS security. Once you have finished, exit and save. Let’s compile and install our newly hardened kernel!

make bzImage && make modules
make modules_install && make install

You should now be ready to go. Make sure the boot loader is set to boot the new kernel, but leave the stock CentOS kernel entry in /boot/grub/grub.conf as a fallback (on CentOS, make install runs new-kernel-pkg, which builds the initramfs and adds the grub entry), then reboot and hope it lets you back in! Once logged in, check with uname -r that you are running the new kernel; if so, great! Now we need to install gradm, the admin tool for grsecurity that we downloaded and verified earlier. I prefer to build gradm from source rather than use a distro-supplied package, so that it matches the patch version exactly.

cd /usr/src/kernels
tar xzf gradm-2.9-201202232055.tar.gz
cd gradm2
make
make install
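The steps above, from download through the gradm build, as one script. This is an added example for this article, not code from the original post or from the grsecurity project. It wraps the same commands so that a patch-vs-kernel version mismatch or a failed signature check aborts before anything is patched or installed, and it checks the signing key’s fingerprint rather than only the words “Good signature”. EXPECTED_FPR and the helper function names are this example’s own assumptions; the file names and URLs are the article’s.

```shell
#!/bin/bash
# Added example for this article, not code from the original post or from the
# grsecurity project. Wraps download / verify / patch / build so that a version
# mismatch or a bad signature aborts before the tree is touched.
set -eu

SRC_DIR=/usr/src/kernels
KVER=3.2.19
GRSEC_PATCH="grsecurity-2.9-${KVER}-201206042135.patch"
GRADM_TGZ="gradm-2.9-201202232055.tar.gz"
KERNEL_TAR="linux-${KVER}.tar.bz2"
# Fingerprint of the grsecurity signing key, obtained out of band (not from the
# same HTTP server that serves the patch). The article does not list it; the
# placeholder below is an assumption, set the real value before running.
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_40_HEX_DIGIT_FINGERPRINT}"

# "grsecurity-2.9-3.2.19-201206042135.patch" -> "3.2.19"
# (empty output if the name does not follow the grsecurity naming scheme)
kernel_version_from_patch() {
    printf '%s\n' "$1" | sed -n 's/^grsecurity-[0-9.]*-\([0-9.]*\)-[0-9]*\.patch$/\1/p'
}

# "linux-3.2.19.tar.bz2" -> "3.2.19"
kernel_version_from_tarball() {
    printf '%s\n' "$1" | sed -n 's/^linux-\([0-9.]*\)\.tar\.[a-z0-9]*$/\1/p'
}

# The patch is generated against exactly one kernel release; refuse any other.
versions_match() {
    pv=$(kernel_version_from_patch "$1")
    tv=$(kernel_version_from_tarball "$2")
    [ -n "$pv" ] && [ "$pv" = "$tv" ]
}

# Read "gpg --status-fd 1" output on stdin; succeed only if a VALIDSIG line
# carries the expected fingerprint. The human-readable "Good signature" is
# printed for any key in the keyring, so a substituted key file would produce
# it too; the fingerprint is what ties the file to the maintainer's key.
gpg_status_ok() {
    fpr=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    grep -q "^\[GNUPG:\] VALIDSIG .*${fpr}"
}

verify_file() {   # verify_file FILE  (expects FILE.sig next to it)
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null | gpg_status_ok "$EXPECTED_FPR"
}

fetch_and_verify() {
    mkdir -p "$SRC_DIR" && cd "$SRC_DIR"
    wget -nc "http://www.kernel.org/pub/linux/kernel/v3.0/$KERNEL_TAR"
    wget -nc http://grsecurity.net/spender-gpg-key.asc
    for f in "$GRSEC_PATCH" "$GRADM_TGZ"; do
        wget -nc "http://grsecurity.net/stable/$f" "http://grsecurity.net/stable/$f.sig"
    done
    gpg --import spender-gpg-key.asc
    versions_match "$GRSEC_PATCH" "$KERNEL_TAR" || {
        echo "patch $GRSEC_PATCH does not match $KERNEL_TAR" >&2; return 1; }
    for f in "$GRSEC_PATCH" "$GRADM_TGZ"; do
        verify_file "$f" || { echo "signature check FAILED for $f" >&2; return 1; }
    done
}

build_kernel() {
    cd "$SRC_DIR"
    tar xjf "$KERNEL_TAR"
    cd "linux-${KVER}"
    make mrproper
    # Dry run first, so a patch that does not apply cleanly cannot leave a
    # half-patched tree behind.
    patch -p1 --dry-run < "../$GRSEC_PATCH" > /dev/null
    patch -p1 < "../$GRSEC_PATCH"
    cp "/boot/config-$(uname -r)" .config
    make menuconfig            # Security options -> Grsecurity, as in the article
    make -j"$(nproc)" bzImage modules
    make modules_install install
}

build_gradm() {
    cd "$SRC_DIR"
    tar xzf "$GRADM_TGZ"
    cd gradm2
    make && make install
}

# Only run the full procedure when explicitly asked (GRSEC_BUILD=1), so the
# helpers can be sourced and exercised without touching the system.
if [ "${GRSEC_BUILD:-0}" = 1 ]; then
    fetch_and_verify && build_kernel && build_gradm
fi
```

Run it as root with GRSEC_BUILD=1 EXPECTED_FPR=<fingerprint>. The kernel tarball itself is not signature-checked here, as in the article; kernel.org publishes a detached .tar.sign over the uncompressed tarball if you want to close that gap as well.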

Now to use gradm:

gradm -h

So now you are running a considerably hardened kernel! Of course, with such extensive changes and increased restrictions you may run into problems with certain software, but I have found that to be a rare occasion, and the small hassle of fixing the problem is far outweighed by the protection the hardened kernel brings. I hope this helps a few people keep things a bit safer, and hopefully nobody breaks their server trying! Here is a small list of the features your newly hardened kernel boasts:

linking restrictions
fifo restrictions
random pids
enforcing nproc on execve()
restricted dmesg
random ip ids
enforced chdir("/") on chroot
random tcp source ports
failed fork logging
time change logging
signal logging
deny mounts in chroot
deny double chrooting
deny writes in chroot
deny mknod in chroot
deny access to abstract AF_UNIX sockets out of chroot
deny pivot_root in chroot
deny writes to /dev/kmem, /dev/mem, and /dev/port
/proc restrictions with special gid set to 10 (usually wheel)
address space layout randomization
removal of addresses from /proc/<pid>/[maps|stat]
additional /proc restrictions
chmod restrictions in chroot
no signals, ptrace, or viewing processes outside of chroot
capability restrictions in chroot
deny fchdir out of chroot
priority restrictions in chroot
segmentation-based implementation of PaX
mprotect restrictions
kernel stack randomization
mount/unmount/remount logging
kernel symbol hiding
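Many of the features in the list above are the ones you can toggle at runtime when the sysctl interface was selected in menuconfig. Here is an added example script, not from the original post or from grsecurity, for the step after the reboot: it enables a chroot-hardening and logging subset through the sysctl tree and then sets grsec_lock last, refusing to run if the tree is absent (wrong kernel) or already locked. The feature names are the kernel.grsecurity.* sysctl leaves; GRSEC_SYSCTL_ROOT and the helper names are this example’s own assumptions.

```shell
#!/bin/bash
# Added example for this article, not from the original post or from grsecurity.
# Switch on a subset of grsecurity features via the sysctl tree, then lock it.
set -eu

# Root of the grsecurity sysctl tree. Overridable so the logic can be exercised
# against a scratch directory; on a real host leave the default.
GRSEC_SYSCTL_ROOT="${GRSEC_SYSCTL_ROOT:-/proc/sys/kernel/grsecurity}"

# Leaves under kernel.grsecurity.* to set to 1. Each exists only if the
# matching GRKERNSEC_* option was compiled in; missing ones are skipped.
GRSEC_FEATURES="chroot_deny_mount chroot_deny_mknod chroot_deny_chmod
chroot_deny_chroot chroot_deny_pivot chroot_enforce_chdir chroot_deny_fchdir
chroot_deny_unix chroot_restrict_nice chroot_caps chroot_findtask
linking_restrictions fifo_restrictions dmesg audit_mount
signal_logging forkfail_logging timechange_logging"

grsec_available() { [ -d "$GRSEC_SYSCTL_ROOT" ]; }

# Once grsec_lock is 1 the kernel rejects every write under the tree until
# reboot; a script that carried on would "succeed" while changing nothing.
grsec_locked() {
    [ -f "$GRSEC_SYSCTL_ROOT/grsec_lock" ] &&
    [ "$(cat "$GRSEC_SYSCTL_ROOT/grsec_lock")" = 1 ]
}

set_feature() {   # set_feature LEAF VALUE
    leaf="$GRSEC_SYSCTL_ROOT/$1"
    if [ ! -f "$leaf" ]; then
        echo "skip: $1 (not compiled into this kernel)" >&2
        return 0
    fi
    echo "$2" > "$leaf"
}

enable_features() {
    if ! grsec_available; then
        echo "no grsecurity sysctl tree at $GRSEC_SYSCTL_ROOT; running the grsec kernel?" >&2
        return 1
    fi
    if grsec_locked; then
        echo "grsec_lock is already set; settings are frozen until reboot" >&2
        return 1
    fi
    for f in $GRSEC_FEATURES; do
        set_feature "$f" 1
    done
}

# Must come last: after this nothing under kernel.grsecurity can be changed,
# not even by root, until the next boot.
lock_grsec() { set_feature grsec_lock 1; }

# Apply only when explicitly asked, so the helpers can be sourced safely.
if [ "${GRSEC_APPLY:-0}" = 1 ]; then
    enable_features && lock_grsec
fi
```

To make the same settings survive a reboot, put the corresponding kernel.grsecurity.NAME = 1 lines in /etc/sysctl.conf with kernel.grsecurity.grsec_lock = 1 as the very last line; sysctl applies the file in order, so anything after the lock line is silently rejected.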
