36 Comments
- Zaggynl, on 11/18/2008, -1/+17: Uh yeah, a how-to on compiling it, but what does it do?
http://www.grsecurity.net/ !
- weizbox, on 11/18/2008, -0/+12: Beyond using apt to get the tools you need before getting the vanilla kernel, this should work with most any distro :)
Def would be nice if they explained a little more in detail what Grsecurity is, and what it does before blindly wgetting and patching :)
- morphir, on 11/18/2008, -1/+9: grsecurity is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. It is licensed under the GPL.
It offers among many other features:
* An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
* Change root (chroot) hardening
* /tmp race prevention
* Extensive auditing
* Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc)
* Prevention of arbitrary code execution in the kernel
* Randomization of the stack, library, and heap bases
* Kernel stack base randomization
* Protection against exploitable null-pointer dereference bugs in the kernel
* Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
* A restriction that allows a user to only view his/her processes
* Security alerts and audits that contain the IP address of the person causing the alert
- Renton, on 11/18/2008, -2/+10: Considering most servers and supercomputers use it, pretty damn secure.
- weeFred, on 11/18/2008, -0/+7: yes, yes you are.
- smotpoker, on 11/19/2008, -1/+8: @john
That report is about money/profit, not OS numbers. Considering most Linux distributions are completely free of cost and there is no comprehensive way to track them all, it's not hard to see those numbers are but a fraction of the actual usage numbers
- SeraphX, on 11/18/2008, -8/+13: How much more secure does Linux need to be?
- ribo, on 11/18/2008, -1/+6: That's it..? No discussion of the config options at all? RBAC?
I've used grsec before, and this is kinda pointless without explaining a security model.. especially since some of the options break a lot of software.
- leerayIG88, on 11/18/2008, -2/+6: oh yea, my level 80 golem has harden! nothing can beat him!
- weizbox, on 11/18/2008, -0/+3: you spammmmmm
- smotpoker, on 11/19/2008, -1/+3: Not really security *focused* per se (at least not all distributions/kernels) but always security conscious. Linux is and always has been intended for multi-user environments where the skill and clearance level of a given user is not automatically assumed high.
That alone makes it secure enough to prevent rampant malware infections and mitigate worm propagation, and for those who want/need, most distros come with a wide array of security solutions that only need be enabled. When you decide to throw pax, selinux, grsec etc into the mix the only thing comparable is obsd (afaik)
- IHaveVoot, on 11/19/2008, -0/+2: Harden the f**k up!
http://www.youtube.com/watch?v=unkIVvjZc9Y
- geesamba, on 11/18/2008, -1/+3: That's simple, just run around as root.
Just don't complain or ask for sympathy when you accidentally do an "rm -rf /var /log/*" instead of a "rm -rf /var/log/*"
And yes, I know what that does from painful experience. Permissions can actually help you, kids. Even on home systems.
- imasuperDOTcom, on 11/18/2008, -4/+6: I've got a kernel you can come over here and harden. huhuhuhuhuh.
- tnoy, on 11/19/2008, -0/+1: @ScottyMcBaggs
I said nothing of Ubuntu and using sudo, btw. That is completely different than roles and ACLs. Roles can be assigned as needed, there does not have to be an all powerful Admin role--setting one up would defeat the point of using roles.
If you're having that much trouble with using sudo all the time, just 'sudo su -' once, do everything you need to do as root, then exit the shell.
You could always just change the line in the /etc/sudoers file to: %admin ALL=NOPASSWD: ALL
Then you won't need to enter the password, but you're opening a big security hole.
As for your rsync example, you could probably do that by tunneling rsync through SSH and using keys and a good passphrase for authentication. It's generally a bad idea to allow root to auth via ssh, though.
- bernardbarney, on 11/19/2008, -0/+1: That's what she said.
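An added example, not part of any comment in this thread: a shell check for the two settings tnoy's comment above calls risky, a sudoers rule granting `NOPASSWD: ALL` and root login over SSH. The function names and sample files are constructed for illustration; on a real host the inputs would be `/etc/sudoers` (plus `/etc/sudoers.d/*`) and `/etc/ssh/sshd_config`.

```sh
#!/bin/sh
# Added example: function names and sample files are constructed.

# Print sudoers rules whose NOPASSWD-tagged command list includes ALL.
# Comment text is stripped first so commented-out rules are ignored.
find_nopasswd_all() {
    sed -e 's/#.*$//' "$1" |
        grep -E 'NOPASSWD:[[:space:]]*(.*,[[:space:]]*)?ALL[[:space:]]*(,|$)'
}

# Print the first active PermitRootLogin value (sshd uses the first one it
# reads), or "unset" when the compiled-in default applies. Match blocks and
# Include files are not evaluated here.
root_login_setting() {
    v=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    echo "${v:-unset}"
}

# audit SUDOERS_FILE SSHD_CONFIG: report findings, return 1 if any.
audit() {
    rc=0
    if find_nopasswd_all "$1" >/dev/null; then
        echo "FINDING: passwordless sudo to ALL commands in $1:"
        find_nopasswd_all "$1"
        rc=1
    fi
    if [ "$(root_login_setting "$2")" = "yes" ]; then
        echo "FINDING: $2 allows root login over SSH (PermitRootLogin yes)"
        rc=1
    fi
    return "$rc"
}

# Constructed sample input: one blanket rule, one rule scoped to rsync.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sudoers" <<'EOF'
root    ALL=(ALL) ALL
%admin  ALL=NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
EOF
cat > "$demo_dir/sshd_config" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
EOF
audit "$demo_dir/sudoers" "$demo_dir/sshd_config" || echo "audit: findings reported"
```

Only the blanket `%admin` rule is reported; the `backup` rule, which limits passwordless sudo to a single command, passes.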
- inactive, on 11/18/2008, -1/+2: I harden my kernel alone :(
- ScottyMcBaggs, on 11/20/2008, -0/+1: I know you didn't mention ubuntu, i did because it's $HOTTOPIC on digg, and the OS constantly reminds me of how much i miss rh-based distros.
I've used roles and ACLs since 2.0 or 2.2 from the rsbac.org kernel modules. They don't defeat the purpose of having uid 0, and vice versa. Unix would have to be re-designed from the ground up to get around the concept of a root account. Even the older tru64 stuff I've used that had more fine grained security, had a root account. It was barely ever used, but it's there. Like I said, you can minimize its use with ACLs and roles but you can't remove it completely.
And yea, I know how to use sudo to execute su, or bash, or -i. Doesn't change the fact that obscuring root from a competent admin does nothing but piss off the admin. Pissed off being me in this case. Again this isn't really what you're talking about, but i can see why that approach would be viable on the desktop, but on the server it's pretty annoying.
I haven't done vanilla rsync without ssh in years, and more keys to manage isn't really an option for me unfortunately. I would love everything to be keyed, but it's not and my only free time is talking to anonymous people on digg.
I'm curious though, why you think it's a bad idea to allow root via ssh but you allow the admin role or in the ubuntu case admin user to? That doesn't make much sense to me. Even if someone manages a mitm attack, or if they've replaced sshd with something that logs all your passwords, they have your admin role/admin user. Which is basically what root is, but they get to pretend they are an actual person in your organization.
- tnoy, on 11/19/2008, -1/+2: Dugg for the humor of one of the ads in the middle showing up as one for Microsoft OneCare when I first loaded the page.
- ScottyMcBaggs, on 11/19/2008, -0/+1: the -f switch should be used sparingly, and rm should be aliased to rm -i in root's profile.
- ethana2, on 11/19/2008, -0/+1: You haven't a kernel of an idea..
- smotpoker, on 11/19/2008, -0/+1: Defacing web-pages often has little to do with Linux or the web server. I think typically it is due to sloppy/ignorant development or admin practices that lead to sql injection and the like. In most of these cases, the integrity of the rest of the system remains intact and the only thing impacted is the site itself and its resources.
Of course, that isn't always the case because sometimes it can lead to privilege escalation but most of the time their attempts are thwarted before they get a chance to do much more than corrupt www data
- ethana2, on 11/19/2008, -0/+1: I hope they're paying based on how many times the ad is served and not by the click.
- ubuwalker31, on 11/19/2008, -0/+1: @SeraphX:
A lot...there are whole blogs about it: http://www.linuxsecurity.com/
@xsquirrel378x
The Linux Kernel supports SELinux and AppArmor is available for Suse and Ubuntu
@Renton:
There are a lot of hackers out there that deface webpages running on linux...
- ScottyMcBaggs, on 11/19/2008, -0/+1: lulz @ this retarded ubuntuism. The unix system does not lend itself to completely removing the root user, which you seem to understand from what i see in your first paragraph. Disallowing root access completely is a silly hack that doesn't offer any actual protection, considering you're still going to have an admin group/role and all it takes is one dumbass to get owned at his workstation and you're all done. Let's take this one for example (of why removing root will just piss you off).
You're on machine A with sudo or root privileges, whatever, and you need to rsync a bunch of root owned files over to another machine. The other machine is using ubuntu so you can't authenticate with root privs. So how do you preserve permissions then??? You tarball the directory and transfer that, then login to the second box and untar it using sudo. Only problem is the directory is 4 GB and the tarball is only slightly smaller so this solution isn't even feasible in some situations. If you can think of a better way, i'd love to hear it. This minor nuisance has been pissing me off since i was forced to start using ubuntu.
Another problem with the sudo paradigm is that you become so annoyed by entering your password constantly, that you just type it in without thinking. This is security fail. Entering your password all the time means there are more chances for someone to snarf it, AND it makes you just enter it as a reflex at the prompt....badbadbadbad.
In the end, uid 0 is a MUST HAVE. Keeping its use to a minimum is a good thing(tm) but removing it completely is not such a great idea.
- tnoy, on 11/19/2008, -1/+1: The basic level of security in a typical Linux (some Unix, too) system (owner, group, all) is quite outdated and needs to be brought up to modern times. You only need one small misconfiguration for a normally secure machine to become very unsecured.
To have a secure machine, you need to completely remove the idea of a "root" user. It's a very bad idea to have a single user being able to do virtually anything and everything. Role-Based access control is one step in the right direction. Until you're willing to give anyone access to your root account, your machine is not secure.
- Cyborg326, on 11/19/2008, -1/+1: I heat my kernel till it pops, then I eat it yum yum.
- Ajzimm3rman, on 11/19/2008, -1/+0: What?
- Ajzimm3rman, on 11/19/2008, -1/+0: +1
- Ajzimm3rman, on 11/19/2008, -1/+0: Great job.
- CalcProgrammer1, on 11/18/2008, -10/+3: Sounds like the complete opposite of what I want from Linux. Restricting my access to my computer isn't what I want, I want to not have to type my password 20 times for every time I sit down at my Linux machine. I'd like a way to open up system folders so you don't have to sudo everything you do out of a terminal. I most certainly DON'T want to be restricted even more than I already am.
Maybe a good tool for servers, definitely not something you want on your home computer.
- jonddoe, on 11/18/2008, -8/+1: That's not true.
http://www.idc.com/getdoc.jsp?containerId=prUS2139 ...
- inactive, on 11/18/2008, -12/+4: Linux by default is not security focused at all
- Spymodhf, on 11/18/2008, -11/+1: did you see windows new OS?
http://en.wikipedia.org/wiki/Barry_Gibb
- coolgizmoz, on 11/18/2008, -17/+3: Linux ruxxxxx
http://digg.com/software/Ubuntu_8_10_Intrepid_Ibex ...
- inactive, on 11/18/2008, -18/+0: Another Linux article... that I don't care about. Buried


