Thursday, 23 July 2009

Hardened Gentoo running glibc-2.10 and gcc-4.4 with PAX in 15 minutes.

UPDATED 5.10 - A more up-to-date HowTo is available here. Enjoy! :)

UPDATED 22.09 - Further changes: the overlay can now be tracked directly via layman and is called 'hardened-development'. I hope to post an updated HowTo (with LUKS encryption) soon...

UPDATED 17.08 - It is no longer necessary to use the testing branch from the overlay, so skip that part. Also, the repo name in repos.conf should then read 'secure' rather than 'secure-testing'.

...well, not exactly so - but still faster and easier than one could expect! ;) Depending on the hardware used, in a few hours you could have a state-of-the-art, up-to-date, secure system... well, let's say - maybe a bit more secure than others... ;] But why bother?

Note for the impatient: open this, then search this page for 'enough of BS' and start from there... ;)

Health&Safety note: this info might contain some bugs (no influenza though!). You might ruin your system. Your box might explode (especially if adequate cooling is not provided during compilation ;)). Your wife/girlfriend might get mad ("Honey, I just need to compile one more package, I promise!"). Your friends will hate you ("So your system is secure - how is your new printer/camera/other_new_fancy_device working?" - well, it isn't, you fool!). Ya've been warned!

So what's the motivation? Being security paranoid doesn't leave you much choice anyway, does it...? ;) Well, run the paxtest tool and the checksec.sh script (the elfutils package is needed!) on your favourite distro, compare, and decide for yourself whether it's worth the effort :)

~ # ./checksec.sh --proc-all
COMMAND PID RELRO STACK CANARY NX PIE ASLR
init 1 Full RELRO Canary found NX enabled PIE enabled ASLR enabled
dhcpcd 1437 Full RELRO Canary found NX enabled PIE enabled ASLR enabled
syslog-ng 1557 Full RELRO Canary found NX enabled PIE enabled ASLR enabled
sshd 1577 Full RELRO Canary found NX enabled PIE enabled ASLR enabled
cron 1592 Full RELRO Canary found NX enabled PIE enabled ASLR enabled
agetty 1605 Full RELRO Canary found NX enabled PIE enabled ASLR enabled
agetty 1608 Full RELRO Canary found NX enabled PIE enabled ASLR enabled
agetty 1609 Full RELRO Canary found NX enabled PIE enabled ASLR enabled
agetty 1610 Full RELRO Canary found NX enabled PIE enabled ASLR enabled
agetty 1611 Full RELRO Canary found NX enabled PIE enabled ASLR enabled
agetty 1612 Full RELRO Canary found NX enabled PIE enabled ASLR enabled
sshd 1641 Full RELRO Canary found NX enabled PIE enabled ASLR enabled
bash 1646 Full RELRO Canary found NX enabled PIE enabled ASLR enabled
udevd 519 Full RELRO Canary found NX enabled PIE enabled ASLR enabled
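What the RELRO, NX, PIE and canary columns above actually test, as an added example (this is not code from the post, from checksec.sh or from paxtest): a small Python checker that derives the verdicts straight from the ELF program headers and dynamic section, which is what checksec.sh reads through readelf. Function names (check_hardening, build_sample_elf, check_file) are mine, the sample ELF images are constructed inline so the script runs offline, and the canary check is a deliberately crude string search rather than a symbol-table lookup.

```python
"""Minimal checksec-style inspection of an ELF image.

Added example, not code from the post, checksec.sh or paxtest. It reads the
RELRO / NX / PIE columns straight from the ELF program headers and dynamic
section (what checksec.sh derives via readelf) and uses a crude string
search for the stack canary. Little-endian ELF32 and ELF64 are handled.
"""
import struct
import sys

ELFCLASS32, ELFCLASS64 = 1, 2
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 3, 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def _layout(data):
    """Struct formats and field indices for the image's ELF class."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[5] != 1:
        raise ValueError("big-endian images are not handled here")
    if data[4] == ELFCLASS64:
        # Ehdr, Phdr (indices of p_flags, p_offset, p_filesz), Dyn entry
        return "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", (1, 2, 5), "<qQ"
    if data[4] == ELFCLASS32:
        return "<16sHHIIIIIHHHHHH", "<IIIIIIII", (6, 1, 4), "<iI"
    raise ValueError("unknown ELF class %d" % data[4])


def check_hardening(data):
    """Return the checksec-style verdicts for an in-memory ELF image."""
    ehdr_fmt, phdr_fmt, (fl, off, sz), dyn_fmt = _layout(data)
    ehdr = struct.unpack_from(ehdr_fmt, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = ehdr[1], ehdr[5], ehdr[9], ehdr[10]

    nx, relro_segment, dynamic = False, False, None  # no PT_GNU_STACK => exec stack
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            nx = not (ph[fl] & PF_X)
        elif ph[0] == PT_GNU_RELRO:
            relro_segment = True
        elif ph[0] == PT_DYNAMIC:
            dynamic = (ph[off], ph[sz])

    # Full RELRO additionally needs the loader to bind everything up front
    bind_now = False
    if dynamic:
        start, size = dynamic
        for pos in range(start, start + size, struct.calcsize(dyn_fmt)):
            tag, val = struct.unpack_from(dyn_fmt, data, pos)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bind_now = True
    relro = "full" if relro_segment and bind_now else "partial" if relro_segment else "none"

    return {
        "nx": nx,
        "pie": e_type == ET_DYN,                 # PIE main executables are ET_DYN
        "relro": relro,
        "canary": b"__stack_chk_fail" in data,   # crude; a symbol-table lookup is the proper way
    }


def build_sample_elf(nx, relro, pie, canary):
    """Constructed 64-bit ELF image carrying only the headers the checker reads."""
    ehdr_fmt, phdr_fmt, dyn_fmt = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"
    phdrs = [(PT_GNU_STACK, 0x6 if nx else 0x7, 0, 0, 0, 0, 0, 16)]
    dyn = []
    if relro != "none":
        phdrs.append((PT_GNU_RELRO, 0x4, 0, 0, 0, 0, 0, 1))
    if relro == "full":
        dyn.append((DT_FLAGS, DF_BIND_NOW))
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(struct.pack(dyn_fmt, *d) for d in dyn)

    ehdr_size, ph_size = struct.calcsize(ehdr_fmt), struct.calcsize(phdr_fmt)
    n = len(phdrs) + 1                            # +1 for the PT_DYNAMIC entry below
    dyn_off = ehdr_size + n * ph_size
    phdrs.append((PT_DYNAMIC, 0x6, dyn_off, 0, 0, len(dyn_bytes), len(dyn_bytes), 8))

    ident = b"\x7fELF" + bytes([ELFCLASS64, 1, 1, 0]) + bytes(8)
    ehdr = struct.pack(ehdr_fmt, ident, ET_DYN if pie else ET_EXEC, 62, 1, 0,
                       ehdr_size, 0, 0, ehdr_size, ph_size, n, 0, 0, 0)
    body = ehdr + b"".join(struct.pack(phdr_fmt, *p) for p in phdrs) + dyn_bytes
    return body + (b"__stack_chk_fail\0" if canary else b"")


def check_file(path):
    """Run the check on a real binary, e.g. check_file('/bin/bash')."""
    with open(path, "rb") as f:
        return check_hardening(f.read())


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, check_file(p))
```

Run it as `python checksec_mini.py /sbin/init /usr/sbin/sshd` to get one dict per binary; the "ASLR" column of checksec.sh is a kernel-side setting (randomize_va_space), not a property of the file, so it is intentionally not reported here.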

~ # paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later

Mode: blackhat
Linux 2.6.29-hardened #8 SMP Fri Jul 17 13:35:18 GMT 2009 i686 QEMU Virtual CPU version 0.10.50 GenuineIntel GNU/Linux

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 17 bits (guessed)
Heap randomisation test (ET_EXEC) : 23 bits (guessed)
Heap randomisation test (ET_DYN) : 23 bits (guessed)
Main executable randomisation (ET_EXEC) : 15 bits (guessed)
Main executable randomisation (ET_DYN) : 15 bits (guessed)
Shared library randomisation test : 17 bits (guessed)
Stack randomisation test (SEGMEXEC) : 23 bits (guessed)
Stack randomisation test (PAGEEXEC) : 23 bits (guessed)
Return to function (strcpy) : *** buffer overflow detected ***: rettofunc1 - terminated
rettofunc1: buffer overflow attack in function - terminated
Report to http://bugs.gentoo.org/
Killed
Return to function (memcpy) : *** buffer overflow detected ***: rettofunc2 - terminated
rettofunc2: buffer overflow attack in function - terminated
Report to http://bugs.gentoo.org/
Killed
Return to function (strcpy, RANDEXEC) : *** buffer overflow detected ***: rettofunc1x - terminated
rettofunc1x: buffer overflow attack in function - terminated
Report to http://bugs.gentoo.org/
Killed
Return to function (memcpy, RANDEXEC) : *** buffer overflow detected ***: rettofunc2x - terminated
rettofunc2x: buffer overflow attack in function - terminated
Report to http://bugs.gentoo.org/
Killed
Executable shared library bss : Killed
Executable shared library data : Killed
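The first rows of the paxtest output ("Executable anonymous mapping" and the "(mprotect)" variants) boil down to one question: will the kernel hand a process a page that is writable and executable at the same time? The probe below is an added example (not part of paxtest or of this post) that asks exactly that, once directly via mmap(2) and once by upgrading an RW page with mprotect(2); it never executes anything from the page, only reports whether the request was granted. It assumes Linux with glibc and CPython, and the function names (probe_rwx_mmap, probe_mprotect_to_exec, report) are mine. On a PaX kernel with MPROTECT both requests are expected to be refused with EPERM; a stock kernel grants both.

```python
"""Probe the W^X policy that paxtest's "Executable anonymous mapping" rows
exercise.

Added example, not part of paxtest or the blog post. Two requests for a
writable+executable anonymous page are made: one directly through mmap(2),
one by converting an RW page with mprotect(2). Nothing is ever executed
from the page. Assumes Linux/glibc and CPython (ctypes resolves mprotect
from the libc already loaded into the interpreter).
"""
import ctypes
import mmap

PAGE = mmap.PAGESIZE
RW = mmap.PROT_READ | mmap.PROT_WRITE
RWX = RW | mmap.PROT_EXEC


def probe_rwx_mmap():
    """mmap(NULL, PAGE, RWX, MAP_PRIVATE|MAP_ANONYMOUS): 'allowed' or 'denied'."""
    try:
        m = mmap.mmap(-1, PAGE, flags=mmap.MAP_PRIVATE, prot=RWX)  # fd -1 => anonymous
    except OSError:  # PaX MPROTECT (or a seccomp policy) refuses the W+X mapping
        return "denied"
    m.close()
    return "allowed"


def probe_mprotect_to_exec():
    """Map a page RW, then try to add PROT_EXEC with mprotect(): 'allowed' or 'denied'."""
    libc = ctypes.CDLL(None, use_errno=True)
    libc.mprotect.argtypes = (ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int)
    libc.mprotect.restype = ctypes.c_int
    m = mmap.mmap(-1, PAGE, flags=mmap.MAP_PRIVATE, prot=RW)
    view = ctypes.c_char.from_buffer(m)  # borrow the page so we can take its address
    try:
        rc = libc.mprotect(ctypes.addressof(view), PAGE, RWX)
        return "allowed" if rc == 0 else "denied"  # -1/EPERM under PaX MPROTECT
    finally:
        del view      # release the buffer export before unmapping
        m.close()


def report():
    """Summarise both probes; wx_enforced mirrors the 'Killed' verdicts above."""
    mm, mp = probe_rwx_mmap(), probe_mprotect_to_exec()
    return {"mmap_rwx": mm, "mprotect_rwx": mp,
            "wx_enforced": mm == "denied" and mp == "denied"}


if __name__ == "__main__":
    for key, value in report().items():
        print("%-14s: %s" % (key, value))
```

The outcome depends on the kernel you run it on, which is the point: on the box built in this HowTo both probes should come back "denied", on most stock distributions both come back "allowed". Note that paxtest also covers the separate PAGEEXEC/SEGMEXEC cases (executing from a page that was never marked executable), which this probe does not attempt.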


Ready? If you're not faint-hearted read below! Otherwise take the blue pill ;]

Requirements:
- a bit of time and dedication. RTFM skills will be required too... ;]
- a new VM or spare machine - nothing fancy, but the faster it is the sooner it's done! The base install took approximately 3G of space, but if you want to install anything beyond a base system you'll need more than that. This HowTo assumes an x86 box.
- no prior knowledge of kernel configuration required, yet you will end up with a PAX kernel! ;]

Two main links are here:
http://forums.gentoo.org/viewtopic-t-705939.html
http://www.gentoo.org/doc/en/handbook/handbook-x86.xml

The first link is the main one you want to follow; it describes everything you need to know and do to complete the installation procedure. I used the stages from there and the official Gentoo minimal installation CD, which can be found here.

To make life easier, I ssh to the new box from another box where I have the guide open - copy&paste made easy. To do so, run on the new system:

/etc/init.d/sshd start
passwd
ifconfig


Then ssh into the system using the IP shown by the ifconfig command:

ssh root@your_ip_here

If for whatever reason the installation process is interrupted (power outage) or needs to be stopped (shouting girlfriend ;)), and you've already created and partitioned the disk, then after neutralizing the threat you can continue the installation like this:
1. boot the liveCD
2. ssh into the box as described above
3. run:

livecd ~ # mount /dev/your_root_partition_here /mnt/gentoo/
livecd ~ # swapon /dev/your_swap_partition_here
livecd ~ # mount -t proc none /mnt/gentoo/proc
livecd ~ # mount -o bind /dev /mnt/gentoo/dev
livecd ~ # chroot /mnt/gentoo /bin/bash
livecd / # env-update && source /etc/profile
livecd / # export PS1="(chroot) $PS1"


Right, enough of BS - start here:

Follow the guide until it reaches the part about keywording packages - "First we add certain packages that are known to fail from the portage tree." That's not required anymore :) Instead of this:

echo "=sys-devel/gcc-4.3*" >>/etc/portage/package.keywords
echo "=sys-devel/gcc-4.3*" >>/etc/portage/package.unmask
echo "=sys-libs/glibc-2.8*">>/etc/portage/package.keywords


run:

echo "=sys-devel/gcc-4.4*" >>/etc/portage/package.keywords
echo "=sys-devel/gcc-4.4*" >>/etc/portage/package.unmask
echo "=sys-libs/glibc-2.10*">>/etc/portage/package.keywords
echo "=sys-libs/glibc-2.10*">>/etc/portage/package.unmask


...and then go for the testing branch. When running the initial emerge of the key packages:

emerge gcc-config linux-headers glibc binutils gcc portage -1

I ran into a weird portage error. The issue was resolved by emerging portage manually:

emerge portage

and then emerging the rest of the packages:

emerge gcc-config linux-headers glibc binutils gcc -1

Continue... Don't unmask sys-apps/openrc-9999 - it doesn't seem to be required anymore. At the kernel configuration stage, keyword the latest hardened-sources to get the latest kernel source with all the security goodies (2.6.29 at the time of this writing):

echo "sys-kernel/hardened-sources ~x86">>/etc/portage/package.keywords
emerge -av hardened-sources genkernel


The new kernel tree should be ready for ya:

(chroot) livecd src # ls -la
total 12
drwxr-xr-x 3 root root 4096 Jul 22 13:14 .
drwxr-xr-x 13 root root 4096 Jul 21 14:12 ..
-rw-r--r-- 1 root root 0 Apr 1 00:28 .keep
lrwxrwxrwx 1 root root 21 Jul 22 13:14 linux -> linux-2.6.29-hardened
drwxr-xr-x 23 root root 4096 Jul 22 13:14 linux-2.6.29-hardened


Now it's config time - the lazy (not-so-secure) way is shown below. The result will be a default Gentoo kernel with PaX and grsecurity enabled. To reuse the configuration of the currently running kernel (that is, the one the LiveCD is using):

zcat /proc/config.gz > /usr/src/linux/.config

Alternatively, copy it to the default genkernel location like this:

zcat /proc/config.gz > /usr/share/genkernel/arch/x86_64/kernel-config


and then:

genkernel --menuconfig all

Under Security options, enable Grsecurity and PaX. Feel free to tune the settings, but the defaults should be just fine; use the 'gentoo-workstation' or 'gentoo-server' pre-set options. Exit, save the configuration and let the kernel compile :)

Follow the handbook until it says... reboot! (...and pray). If anything goes wrong and the kernel does not boot, use the 'rescue' procedure described at the beginning of this how-to.

If you see a login prompt - voilà! You've done it! emerge paxtest, run it and relax - or show off in front of your friends ;). You might need to keyword it:

echo "app-admin/paxtest ~x86" >> /etc/portage/package.keywords
emerge paxtest


And finally:

~ # gcc -v
Using built-in specs.
Target: i686-pc-linux-gnu
Configured with: /var/tmp/portage/sys-devel/gcc-4.4.0-r4/work/gcc-4.4.0/configure --prefix=/usr --bindir=/usr/i686-pc-linux-gnu/gcc-bin/4.4.0 --includedir=/usr/lib/gcc/i686-pc-linux-gnu/4.4.0/include --datadir=/usr/share/gcc-data/i686-pc-linux-gnu/4.4.0 --mandir=/usr/share/gcc-data/i686-pc-linux-gnu/4.4.0/man --infodir=/usr/share/gcc-data/i686-pc-linux-gnu/4.4.0/info --with-gxx-include-dir=/usr/lib/gcc/i686-pc-linux-gnu/4.4.0/include/g++-v4 --host=i686-pc-linux-gnu --build=i686-pc-linux-gnu --disable-altivec --disable-fixed-point --disable-nls --without-ppl --without-cloog --disable-ppl-version-check --disable-cloog-version-check --with-system-zlib --disable-checking --disable-werror --enable-secureplt --disable-multilib --enable-libmudflap --enable-espf --disable-libssp --disable-libgomp --enable-cld --disable-libgcj --with-arch=i686 --enable-languages=c,c++ --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu --with-bugurl=http://bugs.gentoo.org/ --with-pkgversion='Gentoo Hardened 4.4.0-r4 p1.1, espf-0.2.9'
Thread model: posix
gcc version 4.4.0 (Gentoo Hardened 4.4.0-r4 p1.1, espf-0.2.9)


Right... so now you have a 'secure' system... or as secure as it gets, one should say :) What about classics like weak passwords, default accounts left in place, default configurations and services, design or configuration errors, 0-days, kernel exploits (or DoSes ;))... but hey - at least it's a good start! ;]

The next good thing to do would be to tune the kernel and remove all unnecessary functionality, especially device drivers - they just tend to be a bit less secure than expected... ;)

Enjoy! If it worked for you - great! If it didn't - well, I'm sorry...try again ;)

Hmm... of course your system might now require a few more packages, but who has ever said that the terminal is ugly? Depending on your mood do 'emerge gnome' or 'emerge kde-meta' and go get some beer...
Few days later....
