Archive for May, 2007

Installing Grsecurity on Ubuntu Feisty 7.04

Update 6/25/2007: I’ve been made aware of Cr0’s Kernel Security package repository.

Sorry in advance for the awful linebreaks!

I told myself I’d go to bed 2 hours ago, but I went to NYSEC6 tonight and the paranoia is finally starting to sink in. The good guys are just really damn good and there’s very little you can do to protect yourself if one of the guys at that table were going after you (I’m looking at you Dave!). Realizing I had to do something to prevent potential self-pwnage, I was reminded of a recent e-mail Dave himself sent out to his mailing list:

I have to wear a suit today, otherwise I’d wear the “Brad Protects Us”
tee-shirt.

For those of you who don’t know Brad - grsecurity.org has some
information on his main project, a “for hackers, by hackers” kernel
patch. Because hackers hate getting owned while they own you.

- -dave

Dave is right, I DO hate getting owned! Grsecurity is no easy task to get running on your system if you want to stick as close as possible to the distro kernel like I do, so I spent some time and experimented a bit and wrote up what worked best for me below. Now if only Ubuntu would pick this up as part of their default patchset…

Some things I realized while writing this tutorial:

  • Ubuntu makes it hard to find which minor release of the vanilla Linux kernel theirs is based on (linux-image-2.6.20-15 from Ubuntu != 2.6.20.15 from kernel.org)
  • grsecurity patches get released for specific kernel versions for a reason. Don’t try to patch a kernel that your grsec wasn’t specifically made for. You’re wasting your time. Caveat - development grsecurity patches are different, use patch --dry-run.
  • Check the Restricted Drivers Manager for any modules you’re running outside what’s included with the vanilla kernel. You’re gonna need to get those on your own after you’re done with this tutorial. For most people this means installing Envy and getting those VMWare scripts ready.
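A small check for the two version points above, written for this post as an added example (it is not the post's own code and not a grsecurity tool): it reads the kernel version out of the grsecurity patch name and the kernel.org tarball name, accepts an exact match or a stable point release of that series (2.6.21.1 for a 2.6.21 patch, which is what this post builds), and after the reboot tells you whether the running kernel carries the -grsec suffix seen in the package names below. The file-name layout it assumes is the one used by the downloads on this page.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks around the
# "patch the kernel your grsec was made for" rule, using the file names the
# post downloads. Assumed naming (as on grsecurity.net / kernel.org in 2007):
#   grsecurity-<grsec version>-<kernel version>-<timestamp>.patch
#   linux-<kernel version>.tar.bz2

# Kernel version a grsecurity patch file name says it was made for.
# grsecurity-2.1.10-2.6.21-200705071727.patch -> 2.6.21
grsec_patch_kernel() {
    basename "$1" | sed -e 's/^grsecurity-[0-9.]*-//' \
                        -e 's/-[0-9]*\.patch$//' -e 's/\.patch$//'
}

# Kernel version from a kernel.org tarball name.
# linux-2.6.21.1.tar.bz2 -> 2.6.21.1
tarball_kernel() {
    basename "$1" | sed -e 's/^linux-//' -e 's/\.tar\.bz2$//' -e 's/\.tar\.gz$//'
}

# Succeeds when the patch targets this tarball: the same version, or a
# stable point release of that series (2.6.21.1 for a 2.6.21 patch, which
# is what the post itself builds). An Ubuntu-style 2.6.20-15 never matches.
grsec_patch_matches() {
    p=$(grsec_patch_kernel "$1")
    k=$(tarball_kernel "$2")
    [ "$k" = "$p" ] && return 0
    case "$k" in
        "$p".*) return 0 ;;
    esac
    return 1
}

# After the reboot: does the running kernel (or a given uname -r string)
# carry the -grsec suffix that shows up in the kernel-image package name?
kernel_is_grsec() {
    case "${1:-$(uname -r)}" in
        *-grsec*) return 0 ;;
    esac
    return 1
}

# Usage: ./grsec-check.sh <grsec patch> <kernel tarball>
if [ "$#" -eq 2 ]; then
    if grsec_patch_matches "$1" "$2"; then
        echo "OK: $(basename "$1") targets $(tarball_kernel "$2")"
    else
        echo "MISMATCH: patch is for $(grsec_patch_kernel "$1"), tarball is $(tarball_kernel "$2")" >&2
        exit 1
    fi
fi
```

Run it before the patch step with the two file names; a mismatch is the case where patch --dry-run is the only sensible next move.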

cd /usr/src
sudo apt-get install build-essential libncurses5-dev fakeroot kernel-package
*** NOTE: Kernel and Grsecurity patch levels will have changed by the time you read this. Get newer ones. ***
sudo wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.21.1.tar.bz2
sudo wget http://www.grsecurity.net/test/grsecurity-2.1.10-2.6.21-200705071727.patch
sudo tar xjf linux-2.6.21.1.tar.bz2
cd linux-2.6.21.1
sudo cp /boot/config-2.6.20-15-generic .config
patch -p1 --dry-run <../grsecurity-2.1.10-2.6.21-200705071727.patch | less
sudo patch -p1 <../grsecurity-2.1.10-2.6.21-200705071727.patch
sudo make menuconfig

Go to ‘Load Alternate Configuration File’ and load ‘.config’ (the default). Then go to ‘Security options’ and turn Grsecurity on. Setting ‘Security Level’ to ‘Medium’ is a good starting point (see confighelp).

sudo make-kpkg clean
sudo make-kpkg --initrd kernel_image kernel_headers

*** make-kpkg also has useful --revision=1 and --append-to-version=-2.1.10 parameters you might want to use ***

cd ..
sudo dpkg -i kernel-image-2.6.21.1-grsec*.deb kernel-headers-2.6.21.1-grsec*.deb

Almost done. Now reboot and see if what you just made isn’t a heaping pile of shit.

If it worked, now you need to configure grsecurity’s RBAC system. You’ll need gradm2 for this so install it now:

sudo apt-get install gradm2

Quoting from an already written tutorial located at http://grsecurity.net/quickstart.pdf (no sense in rewriting an already good explanation!):

Since the general strategy of grsecurity is “detection, prevention, and containment,” the RBAC system is key to the containment component. Grsecurity’s RBAC system allows you to grant only the privileges necessary for a process or user to accomplish their tasks. Unlike other systems, grsecurity’s RBAC system provides a functional, human-readable, centralized configuration file, and does not require much manual configuration.

Full-system learning will generate a least privilege policy for your entire system that anticipates normalized usage. In other words, it is not necessary to run the learning mode for weeks and use every single utility on your system several times in every possible combination. The learning mode will anticipate this usage while still enforcing a secure policy. Through graph and heuristic analysis, a secure policy is generated. A few basic rules are followed when generating the policy. If a process uses special “root” privileges, accesses the Internet, or modifies important files or directories, it is marked as a privileged process and segmented from the rest of the system. The learning mode is designed to be as easy to use as possible. To begin full system learning, enter:

gradm -F -L /etc/grsec/learning.log

Then use your system normally. It may be necessary to run the system for more than a day so that time-based applications such as cron can be recognized and profiled.

Do not perform any administrative tasks while running in learning mode. This includes starting/stopping system services, adding or removing users from the system, or adding or removing new software. These kinds of tasks should only be performed under the administration role once the learning phase is over. Remember that “root” can no longer be trusted, so assume root is the attacker and do not do anything you would allow an attacker to do.

When you decide to end the learning phase, enter:

gradm -F -L /etc/grsec/learning.log -O /etc/grsec/acl

You will now be able to enable the RBAC system with your new learned policy.

Ok go on now, don’t get pwned!

P.S. I’d appreciate any input anyone is willing to give on this topic.