Kernel Hardening - security-misc

Patrick · December 4, 2019, 4:49pm

Qubes Debian VM with Qubes dom0 kernel.

sudo checksec --kernel

Kernel protection information:

Description - List the status of kernel protection mechanisms. Rather than
inspect kernel mechanisms that may aid in the prevention of exploitation of
userspace processes, this option lists the status of kernel configuration
options that harden the kernel itself against attack.

Kernel config:
/proc/config.gz

Vanilla Kernel ASLR: Full
Protected symlinks: Enabled
Protected hardlinks: Enabled
Ipv4 reverse path filtering: Disabled
Ipv6 reverse path filtering: Disabled
Kernel heap randomization: Enabled
GCC stack protector support: Enabled
GCC structleak plugin: Enabled
GCC structleak by ref plugin: Enabled
SLAB freelist randomization: Enabled
Virtually-mapped kernel stack: Enabled
Enforce read-only kernel data: Enabled
Enforce read-only module data: Enabled
Exec Shield: Disabled

Hardened Usercopy: Enabled
Hardened Usercopy Pagespan: Disabled
Harden str/mem functions: Enabled
Restrict /dev/mem access: Enabled
Restrict I/O access to /dev/mem: Enabled
Restrict /dev/kmem access: Enabled

X86 only:
Address space layout randomization: Enabled

SELinux: Disabled

SELinux infomation available here:
http://selinuxproject.org/

grsecurity / PaX: No GRKERNSEC

The grsecurity / PaX patchset is available here:
http://grsecurity.net/

Patrick · December 4, 2019, 4:55pm

Same in Qubes Debian VM with Qubes VM kernel.

Patrick · December 4, 2019, 4:59pm

False-positives.

github.com/slimm609/checksec.sh

unaccomplishable kernel checks

opened 03:50PM - 19 Sep 19 UTC

closed 02:10PM - 27 May 20 UTC

cgzones

# Issue The kernel checks for 'Ipv6 reverse path filtering' and 'Exec Shield' a…re unaccomplishable, as the corresponding kernel settings do not exist any more. # OS version and Kernel version Debian unstable Linux desktopdebian 5.2.0-2-amd64 #1 SMP Debian 5.2.9-2 (2019-08-21) x86_64 GNU/Linux # Extra info ``` ls -l /proc/sys/kernel/ total 0 -rw-r--r-- 1 root root 0 Sep 19 16:27 acct -rw-r--r-- 1 root root 0 Sep 19 16:27 acpi_video_flags -rw-r--r-- 1 root root 0 Sep 19 16:27 auto_msgmni -r--r--r-- 1 root root 0 Sep 19 16:27 bootloader_type -r--r--r-- 1 root root 0 Sep 19 16:27 bootloader_version -rw-r--r-- 1 root root 0 Sep 19 16:27 bpf_stats_enabled -rw------- 1 root root 0 Sep 19 16:27 cad_pid -r--r--r-- 1 root root 0 Sep 19 15:24 cap_last_cap -rw-r--r-- 1 root root 0 Sep 19 15:24 core_pattern -rw-r--r-- 1 root root 0 Sep 19 16:27 core_pipe_limit -rw-r--r-- 1 root root 0 Sep 19 16:27 core_uses_pid -rw-r--r-- 1 root root 0 Sep 19 16:27 ctrl-alt-del -rw-r--r-- 1 root root 0 Sep 19 16:27 dmesg_restrict -rw-r--r-- 1 root root 0 Sep 19 15:24 domainname dr-xr-xr-x 1 root root 0 Sep 19 16:27 firmware_config -rw-r--r-- 1 root root 0 Sep 19 16:27 ftrace_dump_on_oops -rw-r--r-- 1 root root 0 Sep 19 16:27 ftrace_enabled -rw-r--r-- 1 root root 0 Sep 19 16:27 hardlockup_all_cpu_backtrace -rw-r--r-- 1 root root 0 Sep 19 16:27 hardlockup_panic -rw-r--r-- 1 root root 0 Sep 19 15:24 hostname -rw-r--r-- 1 root root 0 Sep 19 16:27 hung_task_check_count -rw-r--r-- 1 root root 0 Sep 19 16:27 hung_task_check_interval_secs -rw-r--r-- 1 root root 0 Sep 19 16:27 hung_task_panic -rw-r--r-- 1 root root 0 Sep 19 16:27 hung_task_timeout_secs -rw-r--r-- 1 root root 0 Sep 19 16:27 hung_task_warnings -rw-r--r-- 1 root root 0 Sep 19 16:27 io_delay_type -rw-r--r-- 1 root root 0 Sep 19 16:27 kexec_load_disabled dr-xr-xr-x 1 root root 0 Sep 19 16:27 keys -rw-r--r-- 1 root root 0 Sep 19 16:27 kptr_restrict -rw-r--r-- 1 root root 0 Sep 19 16:27 max_lock_depth -rw-r--r-- 1 root root 0 Sep 19 16:27 modprobe -rw-r--r-- 1 root root 0 Sep 19 16:27 modules_disabled -rw-r--r-- 1 root root 0 Sep 19 16:27 msgmax -rw-r--r-- 1 root root 0 Sep 19 16:27 msgmnb -rw-r--r-- 1 root root 0 Sep 19 16:27 msgmni -rw-r--r-- 1 root root 0 Sep 19 16:27 msg_next_id -r--r--r-- 1 root root 0 Sep 19 15:24 ngroups_max -rw-r--r-- 1 root root 0 Sep 19 16:27 nmi_watchdog -rw-rw-rw- 1 root root 0 Sep 19 16:27 ns_last_pid -rw-r--r-- 1 root root 0 Sep 19 16:27 numa_balancing -rw-r--r-- 1 root root 0 Sep 19 16:27 numa_balancing_scan_delay_ms -rw-r--r-- 1 root root 0 Sep 19 16:27 numa_balancing_scan_period_max_ms -rw-r--r-- 1 root root 0 Sep 19 16:27 numa_balancing_scan_period_min_ms -rw-r--r-- 1 root root 0 Sep 19 16:27 numa_balancing_scan_size_mb -r--r--r-- 1 root root 0 Sep 19 17:24 osrelease -r--r--r-- 1 root root 0 Sep 19 16:27 ostype -rw-r--r-- 1 root root 0 Sep 19 15:24 overflowgid -rw-r--r-- 1 root root 0 Sep 19 15:24 overflowuid -rw-r--r-- 1 root root 0 Sep 19 16:27 panic -rw-r--r-- 1 root root 0 Sep 19 16:27 panic_on_io_nmi -rw-r--r-- 1 root root 0 Sep 19 16:27 panic_on_oops -rw-r--r-- 1 root root 0 Sep 19 16:27 panic_on_rcu_stall -rw-r--r-- 1 root root 0 Sep 19 16:27 panic_on_unrecovered_nmi -rw-r--r-- 1 root root 0 Sep 19 16:27 panic_on_warn -rw-r--r-- 1 root root 0 Sep 19 16:27 panic_print -rw-r--r-- 1 root root 0 Sep 19 16:27 perf_cpu_time_max_percent -rw-r--r-- 1 root root 0 Sep 19 16:27 perf_event_max_contexts_per_stack -rw-r--r-- 1 root root 0 Sep 19 16:27 perf_event_max_sample_rate -rw-r--r-- 1 root root 0 Sep 19 16:27 perf_event_max_stack -rw-r--r-- 1 root root 0 Sep 19 16:27 perf_event_mlock_kb -rw-r--r-- 1 root root 0 Sep 19 16:27 perf_event_paranoid -rw-r--r-- 1 root root 0 Sep 19 15:24 pid_max -rw-r--r-- 1 root root 0 Sep 19 16:27 poweroff_cmd -rw-r--r-- 1 root root 0 Sep 19 16:27 print-fatal-signals -rw-r--r-- 1 root root 0 Sep 19 16:27 printk -rw-r--r-- 1 root root 0 Sep 19 16:27 printk_delay -rw-r--r-- 1 root root 0 Sep 19 16:27 printk_devkmsg -rw-r--r-- 1 root root 0 Sep 19 16:27 printk_ratelimit -rw-r--r-- 1 root root 0 Sep 19 16:27 printk_ratelimit_burst dr-xr-xr-x 1 root root 0 Sep 19 16:27 pty dr-xr-xr-x 1 root root 0 Sep 19 17:24 random -rw-r--r-- 1 root root 0 Sep 19 16:27 randomize_va_space -rw-r--r-- 1 root root 0 Sep 19 16:27 real-root-dev -rw-r--r-- 1 root root 0 Sep 19 16:27 sched_autogroup_enabled -rw-r--r-- 1 root root 0 Sep 19 16:27 sched_cfs_bandwidth_slice_us -rw-r--r-- 1 root root 0 Sep 19 16:27 sched_child_runs_first dr-xr-xr-x 1 root root 0 Sep 19 16:27 sched_domain -rw-r--r-- 1 root root 0 Sep 19 16:27 sched_latency_ns -rw-r--r-- 1 root root 0 Sep 19 16:27 sched_migration_cost_ns -rw-r--r-- 1 root root 0 Sep 19 16:27 sched_min_granularity_ns -rw-r--r-- 1 root root 0 Sep 19 16:27 sched_nr_migrate -rw-r--r-- 1 root root 0 Sep 19 16:27 sched_rr_timeslice_ms -rw-r--r-- 1 root root 0 Sep 19 16:27 sched_rt_period_us -rw-r--r-- 1 root root 0 Sep 19 16:27 sched_rt_runtime_us -rw-r--r-- 1 root root 0 Sep 19 16:27 sched_schedstats -rw-r--r-- 1 root root 0 Sep 19 16:27 sched_tunable_scaling -rw-r--r-- 1 root root 0 Sep 19 16:27 sched_wakeup_granularity_ns dr-xr-xr-x 1 root root 0 Sep 19 16:27 seccomp -rw-r--r-- 1 root root 0 Sep 19 16:27 sem -rw-r--r-- 1 root root 0 Sep 19 16:27 sem_next_id -rw-r--r-- 1 root root 0 Sep 19 16:27 shmall -rw-r--r-- 1 root root 0 Sep 19 16:27 shmmax -rw-r--r-- 1 root root 0 Sep 19 16:27 shmmni -rw-r--r-- 1 root root 0 Sep 19 16:27 shm_next_id -rw-r--r-- 1 root root 0 Sep 19 16:27 shm_rmid_forced -rw-r--r-- 1 root root 0 Sep 19 16:27 softlockup_all_cpu_backtrace -rw-r--r-- 1 root root 0 Sep 19 16:27 softlockup_panic -rw-r--r-- 1 root root 0 Sep 19 16:27 soft_watchdog -rw-r--r-- 1 root root 0 Sep 19 16:27 stack_tracer_enabled -rw-r--r-- 1 root root 0 Sep 19 16:27 sysctl_writes_strict -rw-r--r-- 1 root root 0 Sep 19 16:27 sysrq -rw-r--r-- 1 root root 0 Sep 19 16:27 tainted -rw-r--r-- 1 root root 0 Sep 19 15:24 threads-max -rw-r--r-- 1 root root 0 Sep 19 16:27 timer_migration -rw-r--r-- 1 root root 0 Sep 19 16:27 traceoff_on_warning -rw-r--r-- 1 root root 0 Sep 19 16:27 tracepoint_printk -rw-r--r-- 1 root root 0 Sep 19 16:27 unknown_nmi_panic -rw-r--r-- 1 root root 0 Sep 19 16:27 unprivileged_bpf_disabled -rw------- 1 root root 0 Sep 19 16:27 unprivileged_userns_apparmor_policy -rw-r--r-- 1 root root 0 Sep 19 16:27 unprivileged_userns_clone dr-xr-xr-x 1 root root 0 Sep 19 16:27 usermodehelper -r--r--r-- 1 root root 0 Sep 19 16:27 version -rw-r--r-- 1 root root 0 Sep 19 16:27 watchdog -rw-r--r-- 1 root root 0 Sep 19 16:27 watchdog_cpumask -rw-r--r-- 1 root root 0 Sep 19 16:27 watchdog_thresh dr-xr-xr-x 1 root root 0 Sep 19 16:27 yama ``` ``` ll /proc/sys/net/ipv6/conf/all total 0 dr-xr-xr-x 1 root root 0 Sep 19 16:27 . dr-xr-xr-x 1 root root 0 Sep 19 15:24 .. -rw-r--r-- 1 root root 0 Sep 19 16:27 accept_dad -rw-r--r-- 1 root root 0 Sep 19 16:27 accept_ra -rw-r--r-- 1 root root 0 Sep 19 16:27 accept_ra_defrtr -rw-r--r-- 1 root root 0 Sep 19 16:27 accept_ra_from_local -rw-r--r-- 1 root root 0 Sep 19 16:27 accept_ra_min_hop_limit -rw-r--r-- 1 root root 0 Sep 19 16:27 accept_ra_mtu -rw-r--r-- 1 root root 0 Sep 19 16:27 accept_ra_pinfo -rw-r--r-- 1 root root 0 Sep 19 16:27 accept_ra_rt_info_max_plen -rw-r--r-- 1 root root 0 Sep 19 16:27 accept_ra_rt_info_min_plen -rw-r--r-- 1 root root 0 Sep 19 16:27 accept_ra_rtr_pref -rw-r--r-- 1 root root 0 Sep 19 16:27 accept_redirects -rw-r--r-- 1 root root 0 Sep 19 16:27 accept_source_route -rw-r--r-- 1 root root 0 Sep 19 16:27 addr_gen_mode -rw-r--r-- 1 root root 0 Sep 19 16:27 autoconf -rw-r--r-- 1 root root 0 Sep 19 16:27 dad_transmits -rw-r--r-- 1 root root 0 Sep 19 16:27 disable_ipv6 -rw-r--r-- 1 root root 0 Sep 19 16:27 disable_policy -rw-r--r-- 1 root root 0 Sep 19 16:27 drop_unicast_in_l2_multicast -rw-r--r-- 1 root root 0 Sep 19 16:27 drop_unsolicited_na -rw-r--r-- 1 root root 0 Sep 19 16:27 enhanced_dad -rw-r--r-- 1 root root 0 Sep 19 16:27 force_mld_version -rw-r--r-- 1 root root 0 Sep 19 16:27 force_tllao -rw-r--r-- 1 root root 0 Sep 19 16:27 forwarding -rw-r--r-- 1 root root 0 Sep 19 16:27 hop_limit -rw-r--r-- 1 root root 0 Sep 19 16:27 ignore_routes_with_linkdown -rw-r--r-- 1 root root 0 Sep 19 16:27 keep_addr_on_down -rw-r--r-- 1 root root 0 Sep 19 16:27 max_addresses -rw-r--r-- 1 root root 0 Sep 19 16:27 max_desync_factor -r--r--r-- 1 root root 0 Sep 19 16:27 mc_forwarding -rw-r--r-- 1 root root 0 Sep 19 16:27 mldv1_unsolicited_report_interval -rw-r--r-- 1 root root 0 Sep 19 16:27 mldv2_unsolicited_report_interval -rw-r--r-- 1 root root 0 Sep 19 16:27 mtu -rw-r--r-- 1 root root 0 Sep 19 16:27 ndisc_notify -rw-r--r-- 1 root root 0 Sep 19 16:27 ndisc_tclass -rw-r--r-- 1 root root 0 Sep 19 16:27 optimistic_dad -rw-r--r-- 1 root root 0 Sep 19 16:27 proxy_ndp -rw-r--r-- 1 root root 0 Sep 19 16:27 regen_max_retry -rw-r--r-- 1 root root 0 Sep 19 16:27 router_probe_interval -rw-r--r-- 1 root root 0 Sep 19 16:27 router_solicitation_delay -rw-r--r-- 1 root root 0 Sep 19 16:27 router_solicitation_interval -rw-r--r-- 1 root root 0 Sep 19 16:27 router_solicitation_max_interval -rw-r--r-- 1 root root 0 Sep 19 16:27 router_solicitations -rw-r--r-- 1 root root 0 Sep 19 16:27 seg6_enabled -rw-r--r-- 1 root root 0 Sep 19 16:27 seg6_require_hmac -rw------- 1 root root 0 Sep 19 16:27 stable_secret -rw-r--r-- 1 root root 0 Sep 19 16:27 suppress_frag_ndisc -rw-r--r-- 1 root root 0 Sep 19 16:27 temp_prefered_lft -rw-r--r-- 1 root root 0 Sep 19 16:27 temp_valid_lft -rw-r--r-- 1 root root 0 Sep 19 16:27 use_oif_addrs_only -rw-r--r-- 1 root root 0 Sep 19 16:27 use_optimistic -rw-r--r-- 1 root root 0 Sep 19 16:27 use_tempaddr ```

Probably kernel recompilation required? → kernel recompilation for better hardening

madaidan · December 4, 2019, 8:03pm

Hardened usercopy pagespan is only good for debugging AFAIK.

Patrick · December 5, 2019, 9:44am

github.com/slimm609/checksec.sh

do not show "Hardened Usercopy Pagespan: Disabled" as issue / CONFIG_HARDENED_USERCOPY_PAGESPAN=y

opened 09:42AM - 05 Dec 19 UTC

closed 01:17AM - 25 Dec 19 UTC

adrelanos

https://groups.google.com/d/msg/syzkaller-bugs/wt3NikTfotQ/zJnFApHtBAAJ > Bas…ically, yes. CONFIG_HARDENED_USERCOPY_PAGESPAN=y should not be used -- it's for tracking down these cases (not really for general-purpose "debugging"), but no one is currently working on solving them. https://patchwork.kernel.org/patch/10565519/ > PAGESPAN checking is buggy for a lot of reasons, unfortunately. It > should generally stay disabled unless someone is working on getting > rid of allocations that _should_ have marked themselves as spanning > pages. It's unclear if this is even a solvable problem in the kernel > right now due to how networking code manages skbs.

Patrick · December 5, 2019, 8:51pm

5 posts were split to a new topic: enable reverse path filtering

Patrick · December 7, 2019, 12:52pm

Something we don’t have yet here?

madaidan · December 7, 2019, 1:03pm

Doesn’t seem to have anything we don’t have.

madaidan · December 7, 2019, 2:21pm

Also, some systems don’t store the System.map file in /boot but in files such such as /lib/modules/*/*/System.map or /usr/src/*/System.map.

If we were to remove read access to kernel images in /boot for non-root users, then we’d also need to remove read access to files like /usr/src/*/vmlinux and /vmlinuz.

madaidan · December 7, 2019, 7:39pm

madaidan · December 7, 2019, 8:24pm

Instead of porting opensuse’s stuff to Debian, we can make our own simpler solution like Debian paste error

Config files would look like Debian paste error

Patrick · December 7, 2019, 8:47pm

Commented inline on github.

Really good approach.

(Although might have some nitpicks. mywiki.wooledge.org might say for line in $(cat ${config_file}) isn’t secure. Never mind. Please send a pull request. I’ll add any parsing enhancements on top.)

dpkg-statoverride should be used, though. Ideally as replacement for chmod/chown - if that is possible. But surely in combination with dpkg-statoverride. Because when packages are updated, these permissions will be reset- By using dpkg-statoverride, permissions will always be consistent what we want - even if packages are updated.

madaidan · December 7, 2019, 9:49pm

I was testing around with file capabilities and did some grep hackery to add a [Capabilities] sections where we can specify file capabilities.

What do you think of Debian paste error?

Example of a config file: Debian paste error

Would

while read line; do command; done <${config_file}

be better?

Should it also use a systemd service so these permissions are always set at boot regardless?

If users need to, they can disable the service or add a permission-hardening.d file for custom permissions.

anontor · December 7, 2019, 10:30pm

It’s a good list, and as @madaidan said, Whonix implements pretty much all of it. We do not have separate partitions, but we restrict the permissions.With restricted root and the other Whonix protections, there is good security.

madaidan · December 7, 2019, 10:34pm

Probably better to add an optional 5th column Debian paste error

Example: Debian paste error

https://phabricator.whonix.org/T522

madaidan · December 8, 2019, 12:06am

A much better script Debian paste error

Patrick_mobile · December 8, 2019, 5:44am

The advantage here would be we can just copy/paste the suse config file and don’t need yo modify it? Please add a source comment.
And then we could add our own config file in addition if we need to extend it?

if ! dpkg-statoverride --list | grep -q "${owner} ${group} ${mode:1} ${file%/}"; then

How would dpkg-statoverride update existing entries then if permissions changed in config? Maybe better to remove that line or improve of that’s feasible, not too much effort?

Patrick_mobile · December 8, 2019, 5:47am

Could be. Considered bonus feature.

Not doable using systemd tmpfiles.d due to capabilities?

Sounds great!

Patrick · December 8, 2019, 6:19am

madaidan via Whonix Forum:

Would

while read line; do command; done <${config_file}

be better?

Yes.

madaidan · December 8, 2019, 3:23pm

I think it would be better to create our own.

You can’t update them either way.

dpkg-statoverride will fail with an error:

dpkg-statoverride: error: an override for '/bin/true' already exists; aborting

We’d need to make it remove the entry then add it with the new permissions.

If this line was removed, dpkg-statoverride would spam a bunch of errors.