grsecurity 3.0 updates

After the recently discovered Linux vulnerabilities I thought it was time to do a new grsecurity-enabled kernel release.
Giana also reported an iSCSI issue to me and asked whether a group could be added to the whitelist for the procfs restrictions. Doing so would mean giving full access to procfs to one particular group only, with some information still hidden because the GRKERNSEC_HIDESYM option is enabled. This would lead to disabling another protection. Honestly, I don’t feel confident changing this behaviour, sorry.
Anyway for this release I am happy to announce there have been a lot of changes that will make your system a little bit more secure and manageable.
You can directly download linux-grsec version 3.0-3.2.60-201406101410 and its userland tool gradm version 3.0-201405281853, or use my Debian repository.
Here is a quick overview of the configuration changes I made.
Preventing kernel stack overflows:

CONFIG_GRKERNSEC_KSTACKOVERFLOW=y

Kernel-enforced Apache SymlinksIfOwnerMatch option and its GID:

CONFIG_GRKERNSEC_SYMLINKOWN=y
CONFIG_GRKERNSEC_SYMLINKOWN_GID=60535

Runtime read-only mount protection:

CONFIG_GRKERNSEC_ROFS=y

Audit and logging:

CONFIG_GRKERNSEC_AUDIT_GROUP=y
CONFIG_GRKERNSEC_AUDIT_GID=60510
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_PTRACE=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y

Trusted path execution:

CONFIG_GRKERNSEC_TPE_TRUSTED_GID=60521
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_INVERT=y
CONFIG_GRKERNSEC_TPE_GID=60521

Socket restrictions:

CONFIG_GRKERNSEC_SOCKET=y
CONFIG_GRKERNSEC_SOCKET_ALL=y
CONFIG_GRKERNSEC_SOCKET_ALL_GID=60500
CONFIG_GRKERNSEC_SOCKET_CLIENT=y
CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=60501
CONFIG_GRKERNSEC_SOCKET_SERVER=y
CONFIG_GRKERNSEC_SOCKET_SERVER_GID=60502

Deny new USB connections after toggle:

CONFIG_GRKERNSEC_DENYUSB=y

You can view all the changes from the previous kernel in my websvn.
The choice of the various GID numbers was not random: they were taken from the SameKernel project.
Remember that all the grsecurity features are enabled at boot time but you can change the configuration and the corresponding behaviour using the sysctl options.
For example, to disable some of the new features introduced in this release, use these commands:

sysctl kernel.grsecurity.tpe_restrict_all=0
sysctl kernel.grsecurity.tpe_invert=0
sysctl kernel.grsecurity.exec_logging=0
sysctl kernel.grsecurity.audit_chdir=0

On our Debian systems you can create a .conf file with all the directives you want inside the /etc/sysctl.d folder. Inside that file each directive is written as key=value, without the sysctl command word.
The last line of this file must be this one:

kernel.grsecurity.grsec_lock=1

This way no one, not even root, can change the behaviour of your grsecurity configuration: you’ll have to edit your sysctl file and reboot.
I’ve been testing this kernel for a couple of days now and I haven’t had any issues; let me know if you have any.
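
As an added example (not code from the original post), the shell function below lints a sysctl.d file for the rule described above: every directive is key=value and kernel.grsecurity.grsec_lock=1 is the last one. The function names, file names and sample contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): lint one sysctl.d-style file.
# Passes only if every directive is key=value and the last directive is
# kernel.grsecurity.grsec_lock=1, as the post requires.
check_grsec_lock() {
    file=$1 last_key='' last_val='' rc=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $line in
            ''|'#'*|';'*) continue ;;            # blank line or comment
            'sysctl '*)                          # shell command, not a directive
                echo "$file:$n: remove the leading 'sysctl' word"
                rc=1; continue ;;
            *=*) ;;
            *)  echo "$file:$n: not a key=value directive"; rc=1; continue ;;
        esac
        last_key=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
        last_val=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//')
    done < "$file"
    if [ "$last_key" != kernel.grsecurity.grsec_lock ] || [ "$last_val" != 1 ]; then
        echo "$file: last directive is '$last_key=$last_val', want kernel.grsecurity.grsec_lock=1"
        rc=1
    fi
    return "$rc"
}

# Constructed samples: good.conf locks last; early.conf locks too early, so the
# write after it would be refused by the kernel; cmd.conf uses command syntax.
write_samples() {
    printf '%s\n' '# grsecurity tuning' 'kernel.grsecurity.tpe_invert = 0' \
        'kernel.grsecurity.exec_logging=0' \
        'kernel.grsecurity.grsec_lock = 1' > "$1/good.conf"
    printf '%s\n' 'kernel.grsecurity.grsec_lock=1' \
        'kernel.grsecurity.audit_chdir=0' > "$1/early.conf"
    printf '%s\n' 'kernel.grsecurity.audit_chdir=0' \
        'sysctl kernel.grsecurity.grsec_lock=1' > "$1/cmd.conf"
}

# Run against files given on the command line, if any.
for f in "$@"; do check_grsec_lock "$f"; done
```

Run it against the file before rebooting, since a lock applied too early leaves the remaining grsecurity directives unapplied until the next boot.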


This entry was posted on Friday, June 13th, 2014 at 8:22 AM and is filed under stuff.
