Kernel Hardening - security-misc

OpenSUSE actually has a package that changes the file permissions.

https://en.opensuse.org/openSUSE:Security_Documentation

• the easy profile has a focus on ease of use where more program features work out of the box without the user having to intervene. It also means that there is a larger security attack surface. It can be used for typical single user desktop systems when usability is favored over stricter security.

• the secure profile is more security oriented and disables certain program privileges. This can result in some program features not being available or behaving less conventiently. It can be used for typical server or multi-user host machines.

• the paranoid profile is a tightly locked down set of settings that isn’t fully usable in production, because a lot of program features will stop working. This should only be used when security is the major requirement and when you are willing to tune the profile into a state where you can perform the task you want to fullfill with the system.

I can’t find the permissions file anywhere online to see what they do. I’ll setup a VM to check.

Here is opensuse’s configuration.

permissions.secure: Debian paste error

permissions.paranoid: Debian paste error

Awesome find! Can you find the source code? Maybe it can be ported to Debian.

Looks like “/etc/permissions.paranoid” was forgotten. Most search results from year 2002 - 2004. Looks like we’re rediscovering old security knowledge.

The source only seems to be distributed in .rpm files which I have no idea how to use.

download.opensuse.org/source/distribution/leap/15.0-Current/repo/oss/src/permissions-20180125-lp150.1.2.src.rpm

No, it’s still supported by opensuse. Just doesn’t seem very popular.

An rpm is similar to a deb. Just an archive with a different file extension. Please open it and look around.

ark permissions-20180125-lp150.1.2.src.rpm

permission.spec

License: GPL-2.0+
Url: GitHub - openSUSE/permissions

source code repository is here:

Are there any other kernel modules that we could load for better security?

Last commit on permissions.paranoid was yesterday. Definitely isn’t forgotten.

Dunno why I couldn’t find that repo when searching.

https://wiki.gentoo.org/index.php?title=Hardened_Kernel&oldid=638760

CONFIG_PAGE_POISONING forces debug infrastructure bloat, slab poisoning via slub_debug=P disables the slub fast path which is unnecessarily, ridiculously slow + always enables verification which can be a nice security feature but hurts performance more. It also forces the freelist pointer after the allocation, which is a security improvement in terms of mitigating use-after-free but wastes memory (PaX leaves it inline now unlike in the past and just sanitizes the rest). It also uses a poison value resulting in pointers pointing to userspace - quite dangerous without UDEREF, and still a bad idea with it present.

Seems like init_on_free is more secure and has better performance.

init_on_{free,alloc} don’t seem to have sanity checks though (page poisoning does). linux-hardened solves this with CONFIG_PAGE_SANITIZE_VERIFY and CONFIG_SLAB_SANITIZE_VERIFY.

Btw the init_on options are basically PAX_MEMORY_SANITIZE AFAIK (what the link is comparing page poisoning to).

What about lockdown lsm?

Lockdown is about to be incorporated in the kernel itself if not already AFAICT.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=aefcf2f4b58155d27340ba5f9ddbe9513da8286d

How to use it?
Should we use it?

Lockdown is nice but it doesn’t do much. It’s only focused on making it harder for root to escalate to kernel code but most of the things it does can already be done without lockdown.

It’s mostly just marketing. Most Linux users won’t benefit from it anyway as an untrusted root user isn’t part of their threat model (although it is part of ours).

Also see https://twitter.com/DanielMicay/status/1180072339112898562

It’s only available in linux 5.4 which is far away from the debian stable kernel.

Maybe not a blocker.

Qubes Debian VM with Qubes dom0 kernel.

sudo checksec --kernel

• Kernel protection information:

  Description - List the status of kernel protection mechanisms. Rather than
  inspect kernel mechanisms that may aid in the prevention of exploitation of
  userspace processes, this option lists the status of kernel configuration
  options that harden the kernel itself against attack.

  Kernel config:
  /proc/config.gz

  Vanilla Kernel ASLR: Full
  Protected symlinks: Enabled
  Protected hardlinks: Enabled
  Ipv4 reverse path filtering: Disabled
  Ipv6 reverse path filtering: Disabled
  Kernel heap randomization: Enabled
  GCC stack protector support: Enabled
  GCC structleak plugin: Enabled
  GCC structleak by ref plugin: Enabled
  SLAB freelist randomization: Enabled
  Virtually-mapped kernel stack: Enabled
  Enforce read-only kernel data: Enabled
  Enforce read-only module data: Enabled
  Exec Shield: Disabled

  Hardened Usercopy: Enabled
  Hardened Usercopy Pagespan: Disabled
  Harden str/mem functions: Enabled
  Restrict /dev/mem access: Enabled
  Restrict I/O access to /dev/mem: Enabled
  Restrict /dev/kmem access: Enabled

• X86 only:
  Address space layout randomization: Enabled

• SELinux: Disabled

  SELinux infomation available here:
  http://selinuxproject.org/

• grsecurity / PaX: No GRKERNSEC

  The grsecurity / PaX patchset is available here:
  http://grsecurity.net/

Same in Qubes Debian VM with Qubes VM kernel.

False-positives.

Probably kernel recompilation required? → kernel recompilation for better hardening

Hardened usercopy pagespan is only good for debugging AFAIK.

5 posts were split to a new topic: enable reverse path filtering

Something we don’t have yet here?