Kernel Hardening - security-misc

madaidan · May 2, 2019, 5:33pm

Whonix should implement more kernel hardening. All of these settings add no or a very minimal performance decrease.

Setting “kernel.kptr_restrict=1” makes kernel symbols in /proc/kallsyms only accessible to root which can make it more difficult for a kernel exploit to resolve addresses/symbols. Setting it to 2 hides the symbols regardless of privileges.

Setting “kernel.dmesg_restrict=1” restricts access to the kernel logs which can give an attacker less information on what they can do.

Setting “kernel.unprivileged_bpf_disabled=1” and “net.core.bpf_jit_harden=2” hardens the BPF JIT compiler and restricts it to root. It comes with a performance drop on systems that use the JIT compiler a lot but this should only really effect servers.

Setting “vm.mmap_rnd_bits=32” and “vm.mmap_rnd_compat_bits=16” improves KASLR effectiveness for mmap.

These can all be set in files in /etc/sysctl.d

I have tested all of these on Whonix Gateway and Whonix Workstation and they worked fine.

Adding “slab_nomerge” as a boot parameter may also be useful. slab_nomerge disables the merging of slabs of similar sizes. Sometimes a slab can be used in a vulnerable way which an attacker can exploit.

Mounting /proc with hidepid=2 in /etc/fstab will hide other users’ processes from unprivileged users. This makes it a lot harder for an attacker to get information about other running processes. This did break systemd-logind for me on Whonix even when I added an exception for systemd-logind.

It may also be good to look into using the linux-hardened kernel. Would it be possible to use this for Whonix?

Useful links:

https://wiki.archlinux.org/index.php/Security#Kernel_hardening

http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

https://www.kernel.org/doc/Documentation/sysctl/kernel.txt

https://tails.boum.org/contribute/design/kernel_hardening/

Edit by Patrick:

⚓ T670 Activating Lockdown

Patrick · May 2, 2019, 6:31pm

Could you please also suggest these changes to Debian?

If they’re added upstream, the wider ecosystem (Tor relays etc.) would
benefit. Also eventual bugs would be spotted by a much bigger community.

madaidan · May 2, 2019, 6:40pm

Where would I suggest that? I don’t have much experience with Debian.

HulaHoop · May 2, 2019, 7:30pm

File a bug report on their tracker using email. Use my bug report as a template:

https://bugs.debian.org/927972

You must format the message beginning t include this info otherwise it won;t go anywhere:

Package: linux-image-amd64
Version: 4.19+104
Severity: important

The receiving email you send to is: submit@bugs.debian.org

madaidan · May 2, 2019, 9:39pm

Thanks! I sent the email. Here it is.

https://bugs.debian.org/928362

Patrick · May 3, 2019, 4:40am

Patrick · May 3, 2019, 9:21am

/etc/sysctl.d by Tails:
https://git-tails.immerda.ch/tails/tree/config/chroot_local-includes/etc/sysctl.d

Tails kernel boot parameters. (source)

AMNESIA_APPEND=“live-media=removable nopersistence noprompt timezone=Etc/UTC block.events_dfl_poll_msecs=1000 splash noautologin module=Tails slab_nomerge slub_debug=FZP mce=0 vsyscall=none page_poison=1 union=aufs”

Some do not apply to Whonix since these are only related to live mode.

Patrick · May 3, 2019, 9:31am

Was dropped by Tails.
Upgrade Linux to 4.8 and adjust our kernel tweaks accordingly (#11886) · Issues · tails / tails · GitLab

madaidan · May 3, 2019, 5:02pm

“page_poison=1” and the P on the “slub_debug” option are mainly used for Tails’ RAM poisoning. These may improve security anyway by preventing some use-after-free vulnerabilites. These might not work properly in a VM as it doesn’t have access to all of the host’s RAM.

“mce=0” is only useful for ECC memory. It might be good to have just incase but it also might not work properly in a VM.

“vsyscall=none” disables vsyscalls which were removed so this setting is redundant.

The rest except “slab_nomerge” seems to be related to live mode or some other features unrelated to security.

It seems to be enabled by default now. I didn’t know that. I checked Whonix and it’s enabled there too.

madaidan · May 3, 2019, 5:18pm

Also, one problem with "kernel.dmesg_restrict=1” is that the kernel logs can still be read out by journalctl if the user is part of the systemd-journal, adm or wheel groups. The ordinary user in Whonix is part of the adm group so the kernel logs can still easily be read by an attacker. Maybe there is a way to somehow restrict this even further?

Disabling journald altogether could prevent this but it shouldn’t be done as it’s very useful in debugging errors.

Another way would be to change the permissions for /var/log/journal, /run/log/journal and /bin/journalctl so only root can use it. I don’t know how useful this would be though.

There is an issue on the linux-hardened github repo about this.

github.com/anthraxx/linux-hardened

`kernel.dmesg_restrict` not working with `journalctl`

opened 01:24PM - 25 Apr 19 UTC

closed 02:15PM - 31 Mar 20 UTC

evict

Version: `5.0.7.a-2-hardened` When running `dmesg`, the following occurs when… attempting to read the kernel buffer: ```bash Ʋ dmesg INSERT dmesg: read kernel buffer failed: Operation not permitted ``` `journalctl` however, is not restricted from reading the buffer: ```log Ʋ journalctl -k -- Logs begin at Wed 2018-11-14 13:28:42 CET, end at Thu 2019-04-25 15:13:35 CES> Apr 23 10:48:49 UNLIGHT kernel: Linux version 5.0.7.a-2-hardened (builduser@jell> Apr 23 10:48:49 UNLIGHT kernel: Command line: initrd=\initramfs-linux.img cryptd> Apr 23 10:48:49 UNLIGHT kernel: KERNEL supported cpus: Apr 23 10:48:49 UNLIGHT kernel: Intel GenuineIntel Apr 23 10:48:49 UNLIGHT kernel: AMD AuthenticAMD Apr 23 10:48:49 UNLIGHT kernel: Hygon HygonGenuine Apr 23 10:48:49 UNLIGHT kernel: Centaur CentaurHauls Apr 23 10:48:49 UNLIGHT kernel: x86/fpu: Supporting XSAV ``` Since `systemd-journal` uses the `sys_admin` capability, it is not restricted: ```bash Ʋ pscap | grep journal 1 29264 root systemd-journal chown, dac_override, dac_read_search, fowner, setgid, setuid, sys_ptrace, sys_admin, audit_control, mac_override, syslog, audit_read ``` Is there anyway we can restrict `journalctl` from accessing `dmesg`? The `systemd` project recommends removing the user from the `systemd-journald` group, but that does not work for my installation, as my user is not in that group.

For some reason it doesn’t allow me to send the actual link. (Edit by Patrick: link fixed)

Edit: It seems I needed to get the basic badge to send links which I just got.

Patrick · May 4, 2019, 12:55pm

Since Tails is using most if not all of these configuration changes, shipping these in Whonix might be sustainble (not breaking too many things than current development manpower allows to triage, fix and user support).

Patches are Welcome!

The GitHub - Kicksecure/security-misc: Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings - https://www.kicksecure.com/wiki/Security-misc package looks like the right place to add these.

/etc/sysctl.d configs could be dropped here (maybe copy over from Tails verbatim as much as makes sense): https://github.com/Whonix/security-misc/tree/master/etc/sysctl.d

kernel boot parameters could be modified by shipping a configuration snippet similar to https://github.com/Whonix/grub-enable-apparmor/blob/master/etc/default/grub.d/30_apparmor.cfg (perhaps simpler) could be dropped into security-misc too. (One kernel boot parameter per one line if good.)

Users might manually do this as per Whonix Documentation but I don’t think this is sustainable for default installation in Whonix with current developer manpower since the package is not available from packages.debian.org, see also:

(Kernel is not an “app” but stuff written there applies here too.)

madaidan · May 4, 2019, 10:28pm

Will I create a pull request for these or something else?

How would hidepid be added if at all?

Patrick · May 5, 2019, 6:00am

madaidan via Whonix Forum:

Will I create a pull request for these or something else?

Yes, please.

For /etc/sysctl.d and /etc/default/grub.d (and perhaps /etc/modprobe.d
if needed).

How would hidepid be added if at all?

Please test if it works. If yes, we can take it too.

Which platforms could you test?

virtualbox-guest-additions in Whonix VirtualBox shouldn’t break by this.
(Then things would get more complex - another package or if/else code if
possible required.)

madaidan · May 5, 2019, 2:51pm

I’ve created the pull request.

I’m not sure if I should add the other boot parameters like page_poison=1 and slub_debug=FZP. What do you think of these? The tails kernel hardening page goes over these.

I can test on Virtualbox and virt-manager (KVM).

Also, regarding the journalctl thing, I’ve made a simple bash script and systemd service that restricts everything to root at boot. It works well and I haven’t gotten any errors yet. Do you think it’d be good to add this to Whonix?

HulaHoop · May 5, 2019, 7:08pm

Both of these are Grsec features ported by KSPP to the mainline kernel and they seem very useful for mitigating memory corruption:

https://tails.boum.org/contribute/design/kernel_hardening/

If you can document how to disable it for debugging purposes then sure.

Patrick · May 5, 2019, 8:39pm

Looks really good at first! Will probably be merged soon.

Haven’t seen anything negative about these. Why not. Yes, please add.

Awesome, that helps a lot! I’ll test in Qubes first.

Can be considered but I am not sure that would be a clean implementation. Rather, I would like to possibly fix the original cause of these issues. Will answer more soon.

Patrick · May 5, 2019, 8:50pm

group adm is from here: https://github.com/Whonix/anon-base-files/blob/master/debian/anon-base-files.postinst#L67

That code was carried around probably from the early TorBOX script version and never been questioned unfortunately.

usermod --append --groups adm,cdrom,audio,dip,sudo,plugdev user || true

Maybe that has to be reworked. Should we remove some user groups, we can modify that for existing users to in whonix-legacy package (using the “do only once” style).

Could you please try removing user user from adm (and whatever else seems to make sense) and see how that works generally?

What’s next? Suggest removal of user user being in group sudo by default?

Strong Linux User Account Isolation i.e. how well can linux protect from root privileged escalation after user user account was compromised (by a remote code execution vulnerability).

If we must yes. But fixing the original issue above is better. (Since this solution is more fragile - overriding config of with [systemd or whatever that will be in future or ports] tmpfiles.d mechanism.)

madaidan · May 5, 2019, 8:57pm

I’ve added the other kernel parameters. They seem to work well with Whonix. I haven’t had any problems.

You just need to disable/mask the systemd service and revert the files to back the original permissions.

systemctl mask restrict-journalctl.service   
chmod 2755 /run/log/journal 
chmod 2750 /run/log/journal/* 
chmod 640 /run/log/journal/*/*
chmod 755 $(which journalctl)

I’ll test that now on the Gateway and Workstation. I’m not sure what purpose adm has except for the journal.

Well for a completely locked down system, that would actually be good. Just make a systemd service for updating at boot. It’d be incredibly difficult to use properly though.

I agree. My way would probably break a lot of things.

madaidan · May 5, 2019, 9:00pm

It seems the adm group is only used for viewing log files. Removing this shouldn’t cause problems.

madaidan · May 5, 2019, 9:05pm

Removing the user from the adm group works perfectly. I get an error when running journalctl and I can’t view the log files manually. There are no other errors.