
Patching the kernel with grsecurity

Printed from: Bilginin Adresi
Category: Computer Security
Forum name: Security Articles
Forum description: What you need to do to protect your computer against every kind of attack
URL: https://www.bilgineferi.com/forum/forum_posts.asp?TID=7912
Date: 04-07-2024 13:47


Topic: Patching the kernel with grsecurity
Posted by: megabros
Post date: 23-08-2009 10:42

Everything in this article can be applied without problems to the whole Red Hat family.
Grsecurity consists of many patches and options for increasing the security enforced at the kernel level. It does not only harden the kernel, it also protects the system against possible vulnerabilities; grsecurity works in 3 stages: detection, reporting and prevention. This article was written with servers in mind; home users do not really need to patch their kernels with grsecurity.

The general features of grsecurity are as follows.

* Role-Based Access Control
* User, group, and special roles
* Domain support for users and groups
* Role transition tables
* IP-based roles
* Non-root access to special roles
* Special roles that require no authentication
* Nested subjects
* Variable support in configuration
* And, or, and difference set operations on variables in configuration
* Object mode that controls the creation of setuid and setgid files
* Create and delete object modes
* Kernel interpretation of inheritance
* Real-time regular-expression resolution
* Ability to deny ptraces to specific processes
* User and group transition checking and enforcement on an inclusive or exclusive basis
* /dev/grsec entry for kernel authentication and learning logs
* Next-generation code that produces least-privilege policies for the entire system with no configuration
* Policy statistics for gradm
* Inheritance-based learning
* Learning configuration file that allows the administrator to enable inheritance-based learning or disable learning on specific paths
* Full pathnames for offending process and parent process
* RBAC status function for gradm
* /proc/<pid>/ipaddr gives the remote address of the person who started a given process
* Secure policy enforcement
* Supports read, write, append, execute, view, and read-only ptrace object permissions
* Supports hide, protect, and override subject flags
* Supports the PaX flags
* Shared memory protection feature
* Integrated local attack response on all alerts
* Subject flag that ensures a process can never execute trojaned code
* Full-featured fine-grained auditing
* Resource, socket, and capability support
* Protection against exploit bruteforcing
* /proc/pid filedescriptor/memory protection
* Rules can be placed on non-existent files/processes
* Policy regeneration on subjects and objects
* Configurable log suppression
* Configurable process accounting
* Human-readable configuration
* Not filesystem or architecture dependent
* Scales well: supports as many policies as memory can handle with the same performance hit
* No runtime memory allocation
* SMP safe
* O(1) time efficiency for most operations
* Include directive for specifying additional policies
* Enable, disable, reload capabilities
* Option to hide kernel processes

Chroot restrictions

* No attaching shared memory outside of chroot
* No kill outside of chroot
* No ptrace outside of chroot (architecture independent)
* No capget outside of chroot
* No setpgid outside of chroot
* No getpgid outside of chroot
* No getsid outside of chroot
* No sending of signals by fcntl outside of chroot
* No viewing of any process outside of chroot, even if /proc is mounted
* No mounting or remounting
* No pivot_root
* No double chroot
* No fchdir out of chroot
* Enforced chdir("/") upon chroot
* No (f)chmod +s
* No mknod
* No sysctl writes
* No raising of scheduler priority
* No connecting to abstract unix domain sockets outside of chroot
* Removal of harmful privileges via capabilities
* Exec logging within chroot

Address space modification protection

* PaX: Page-based implementation of non-executable user pages for i386, sparc, sparc64, alpha, parisc, amd64, ia64, and ppc; negligible performance hit on all i386 CPUs but Pentium 4
* PaX: Segmentation-based implementation of non-executable user pages for i386 with no performance hit
* PaX: Segmentation-based implementation of non-executable KERNEL pages for i386
* PaX: Mprotect restrictions prevent new code from entering a task
* PaX: Randomization of stack and mmap base for i386, sparc, sparc64, alpha, parisc, amd64, ia64, ppc, and mips
* PaX: Randomization of heap base for i386, sparc, sparc64, alpha, parisc, amd64, ia64, ppc, and mips
* PaX: Randomization of executable base for i386, sparc, sparc64, alpha, parisc, amd64, ia64, and ppc
* PaX: Randomization of kernel stack
* PaX: Automatically emulate sigreturn trampolines (for libc5, glibc 2.0, uClibc, Modula-3 compatibility)
* PaX: No ELF .text relocations
* PaX: Trampoline emulation (GCC and linux sigreturn)
* PaX: PLT emulation for non-i386 archs
* No kernel modification via /dev/mem, /dev/kmem, or /dev/port
* Option to disable use of raw I/O
* Removal of addresses from /proc/<pid>/[maps|stat]

Auditing features

* Option to specify single group to audit
* Exec logging with arguments
* Denied resource logging
* Chdir logging
* Mount and unmount logging
* IPC creation/removal logging
* Signal logging
* Failed fork logging
* Time change logging

Randomization features

* Larger entropy pools
* Randomized PIDs
* Randomized TCP source ports

Other features

* /proc restrictions that don't leak information about process owners
* Symlink/hardlink restrictions to prevent /tmp races
* FIFO restrictions
* Dmesg(8) restriction
* Enhanced implementation of Trusted Path Execution
* GID-based socket restrictions
* Nearly all options are sysctl-tunable, with a locking mechanism
* All alerts and audits support a feature that logs the IP address of the attacker with the log
* Stream connections across unix domain sockets carry the attacker's IP address with them (on 2.4 only)
* Detection of local connections: copies attacker's IP address to the other task
* Automatic deterrence of exploit bruteforcing
* Low, Medium, High, and Custom security levels
* Tunable flood-time and burst for logging

Those moving from a 2.4.x kernel to a 2.6.x kernel must update module-init-tools; this is done as follows.

Kod:
cd /usr/local/src/
wget http://www.kernel.org/pub/linux/kernel/people/rusty/modules/old/module-init-tools-3.0.tar.gz
tar -zxf module-init-tools-3.0.tar.gz
cd module-init-tools-3.0
./configure --prefix=""
make moveold
make install
./generate-modprobe.conf /etc/modprobe.conf
cd ..

Installing the required packages

- Installing gcc and its dependencies

For Fedora and CentOS

Kod:
yum install gcc

For Red Hat

Kod:
up2date gcc

- Installing ncurses-devel and its dependencies (needed for the menuconfig step)

For Fedora and CentOS

Kod:
yum install ncurses-devel

For Red Hat

Kod:
up2date ncurses-devel

- Installing the patch package and its dependencies

For Fedora and CentOS

Kod:
yum install patch

For Red Hat

Kod:
up2date patch

Let's start as root

Change to the directory into which we will download the kernel and the grsecurity patch

Kod:
cd /usr/local/src

Fetch the kernel

Kod:
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.14.3.tar.bz2

Fetch grsecurity

Kod:
wget http://www.grsecurity.org/grsecurity-2.1.7-2.6.14.3-200511291802.patch.gz

Unpack the kernel

Kod:
tar xvfj linux-2.6.14.3.tar.bz2

Unpack grsecurity

Kod:
gzip -d grsecurity-2.1.7-2.6.14.3-200511291802.patch.gz

Patch the kernel

Kod:
patch -p0 < ./grsecurity-2.1.7-2.6.14.3-200511291802.patch

Enter the directory that contains the kernel source

Kod:
# the tree we unpacked above under /usr/local/src
cd /usr/local/src/linux-2.6.14.3

Clean out the old settings

Kod:
make mrproper

Go to the configuration menu

Kod:
make menuconfig

Here, after adding and removing the modules according to your system's needs, we finally come to the Security Options section.

Here we turn off the NSA SELinux Support item, i.e. we remove the mark next to it, and then enter the grsecurity menu.

Grsecurity menu

Go to the Security Level item and select custom. In general the medium option will work very comfortably on many systems; if you do not want to make any settings you can select medium directly and start compiling. If you select high it will cause problems in many control panels; I say this because I tried it on cPanel and DirectAdmin in particular: logrotate will not work properly and the stats programs will not run properly either.

Enter the Address Space Protection section.
In this section select these 3 options:
Deny writing to /dev/kmem, /dev/mem, and /dev/port
Hide kernel symbols
Disable privileged I/O

If you are using an X desktop, do not select Disable privileged I/O, otherwise your system will not boot.

Leave the Role Based Access Control Options section as it is.
Go to the Filesystem Protections section and select these options:
[*] Proc restrictions
Restrict /proc to user only
Additional restrictions
Linking restrictions
FIFO restrictions
Chroot jail restrictions
If you are using Ensim or Plesk, do not select the Chroot jail restrictions option, otherwise it will break Ensim's own chroot system and will also cause Plesk not to work properly.
Leave the Kernel Auditing section as it is.
Go to the Executable Protections section and select these options:
Destroy unused shared memory
Dmesg(8) restriction
Randomized PIDs
Go to the Network Protections section and select these options:
Larger entropy pools
Randomized TCP source ports
Skip the Sysctl support and logging options sections. Sysctl support lets you change kernel settings, in particular the grsecurity settings you made here, without recompiling the kernel.
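When you leave menuconfig the selections are written to the .config file in the kernel tree, and a missed option only becomes visible after the reboot. The script below is an added example of mine, not something from the original post, that checks a .config against the options selected above before make bzImage is run. The CONFIG_GRKERNSEC_* symbol names are my assumption from grsecurity 2.1.x and should be compared against grsecurity/Kconfig in your patched tree; the server/desktop profile argument is also my own addition, reflecting the note above about Disable privileged I/O and X.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the grsecurity options
# chosen in "make menuconfig" actually landed in the kernel .config before building.
# Symbol names are assumed from grsecurity 2.1.x; compare against grsecurity/Kconfig
# in your own patched tree before relying on this list.

# Options the post selects, as CONFIG_ symbols (assumed mapping, see note above).
# CONFIG_GRKERNSEC_IO (Disable privileged I/O) is handled separately because it
# must stay off on X desktops.
GRSEC_WANTED="
CONFIG_GRKERNSEC
CONFIG_GRKERNSEC_KMEM
CONFIG_GRKERNSEC_HIDESYM
CONFIG_GRKERNSEC_PROC
CONFIG_GRKERNSEC_PROC_USER
CONFIG_GRKERNSEC_PROC_ADD
CONFIG_GRKERNSEC_LINK
CONFIG_GRKERNSEC_FIFO
CONFIG_GRKERNSEC_CHROOT
CONFIG_GRKERNSEC_SHM
CONFIG_GRKERNSEC_DMESG
CONFIG_GRKERNSEC_RANDPID
CONFIG_GRKERNSEC_SYSCTL
"

# The post turns NSA SELinux Support off before enabling grsecurity.
GRSEC_FORBIDDEN="
CONFIG_SECURITY_SELINUX
"

# config_is_set FILE SYMBOL -> exit 0 if "SYMBOL=y" or "SYMBOL=m" is present
config_is_set() {
    grep -q "^$2=[ym]" "$1"
}

# check_grsec_config FILE [server|desktop]
# Prints one line per problem and returns the number of problems (0 = ok).
check_grsec_config() {
    conf=$1
    profile=${2:-server}
    problems=0
    for sym in $GRSEC_WANTED; do
        if ! config_is_set "$conf" "$sym"; then
            echo "MISSING: $sym is not enabled in $conf"
            problems=$((problems + 1))
        fi
    done
    for sym in $GRSEC_FORBIDDEN; do
        if config_is_set "$conf" "$sym"; then
            echo "CONFLICT: $sym is enabled; disable SELinux when using grsecurity"
            problems=$((problems + 1))
        fi
    done
    # Disable privileged I/O: wanted on servers, must be off where X is used.
    if [ "$profile" = desktop ]; then
        if config_is_set "$conf" CONFIG_GRKERNSEC_IO; then
            echo "CONFLICT: CONFIG_GRKERNSEC_IO is enabled; X will not start with privileged I/O disabled"
            problems=$((problems + 1))
        fi
    else
        if ! config_is_set "$conf" CONFIG_GRKERNSEC_IO; then
            echo "MISSING: CONFIG_GRKERNSEC_IO is not enabled in $conf"
            problems=$((problems + 1))
        fi
    fi
    return $problems
}

# Usage: sh check_grsec_config.sh /usr/local/src/linux-2.6.14.3/.config [desktop]
if [ "$#" -gt 0 ]; then
    check_grsec_config "$@"
fi
```

A non-zero exit status means at least one option differs from the list above; run it right after menuconfig and before make bzImage so a wrong selection costs a minute instead of a full rebuild.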

Now let's move on to compiling the kernel

Issue the commands below in order. If you have prepared a monolithic kernel, i.e. one without module support where everything was added statically, skip the make modules and make modules_install steps.

Kod:
make bzImage

Kod:
make modules

Kod:
make modules_install

And finally we create an initial ramdisk. If you do not create one and boot the grsecurity-patched kernel, the error you get will be this:

Kod:
Kernel panic - not syncing vfs unable to mount root filesystem on unknown block (or similar)

Create the initial ram disk

Kod:
mkinitrd /boot/initrd-2.6.14.3-grsec.img 2.6.14.3

Prepare the kernel for use

Kod:

cp .config /boot/config-2.6.14.3-grsec
cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.14.3-grsec
cp System.map /boot/System.map-2.6.14.3-grsec
ln -s /boot/System.map-2.6.14.3-grsec /boot/System.map

If you get an error about /dev/mapper/control, do this

Kod:

rm -rf /boot/initrd-2.6.14.3-grsec.img
mkinitrd --omit-lvm-modules /boot/initrd-2.6.14.3-grsec.img 2.6.14.3

Configuring the bootloaders: LILO, GRUB
Now it is time to configure the bootloaders; let's start with grub.

Open the configuration file by typing pico /etc/grub.conf

Kod:

# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You do not have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /, eg.
#          root (hd1,0)
#          kernel /boot/vmlinuz-version ro root=/dev/hdb1
#          initrd /boot/initrd-version.img
#boot=/dev/hda
default=0
timeout=5
splashimage=(hd1,0)/boot/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.9-22.0.1.EL)
root (hd1,0)
kernel /boot/vmlinuz-2.6.9-22.0.1.EL ro root=LABEL=/1 rhgb quiet
initrd /boot/initrd-2.6.9-22.0.1.EL.img

Add the following underneath

Kod:
title CentOS (2.6.14.3-grsec)
root (hd1,0)
kernel /boot/vmlinuz-2.6.14.3-grsec ro root=LABEL=/1 rhgb quiet
initrd /boot/initrd-2.6.14.3-grsec.img

Once added, the whole file looks like this

Kod:
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You do not have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /, eg.
#          root (hd1,0)
#          kernel /boot/vmlinuz-version ro root=/dev/hdb1
#          initrd /boot/initrd-version.img
#boot=/dev/hda
default=0
timeout=5
splashimage=(hd1,0)/boot/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.9-22.0.1.EL)
root (hd1,0)
kernel /boot/vmlinuz-2.6.9-22.0.1.EL ro root=LABEL=/1 rhgb quiet
initrd /boot/initrd-2.6.9-22.0.1.EL.img
title CentOS (2.6.14.3-grsec)
root (hd1,0)
kernel /boot/vmlinuz-2.6.14.3-grsec ro root=LABEL=/1 rhgb quiet
initrd /boot/initrd-2.6.14.3-grsec.img

Then type grub and set it to boot the new kernel once; if it boots properly, change the default value in grub.conf to 1.

Kod:
savedefault --default=1 --once

and reboot.

Configuring LILO

Open the lilo configuration file by typing:

Kod:
pico /etc/lilo.conf

Kod:

prompt
timeout=50
default=2.4.21-32.0.1.E
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
message=/boot/message
lba32

image=/boot/vmlinuz-2.4.21-32.0.1.EL
label=linux
initrd=/boot/initrd-2.4.21-32.0.1.EL.img
read-only
append="root=LABEL=/"

Add this section underneath

Kod:

image=/boot/vmlinuz-2.6.14.3-grsec
# the label must be unique; lilo -R and default= below refer to it by this name
label=2.6.14.3-grsec
initrd=/boot/initrd-2.6.14.3-grsec.img
read-only
append="root=LABEL=/"

It then looks like this

Kod:
prompt
timeout=50
default=2.4.21-32.0.1.E
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
message=/boot/message
lba32

image=/boot/vmlinuz-2.4.21-32.0.1.EL
label=linux
initrd=/boot/initrd-2.4.21-32.0.1.EL.img
read-only
append="root=LABEL=/"

image=/boot/vmlinuz-2.6.14.3-grsec
label=2.6.14.3-grsec
initrd=/boot/initrd-2.6.14.3-grsec.img
read-only
append="root=LABEL=/"

and set it to boot the new kernel once

Kod:
lilo -v -v

Kod:
lilo -R 2.6.14.3-grsec

If it boots without problems, open lilo.conf again, change the line that says default=2.4.21-32.0.1.E to default=2.6.14.3-grsec, and run lilo -v -v in the console to write it to the MBR.
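Whether you use grub or lilo, a typo in the initrd file name or a forgotten mkinitrd gives you the unable-to-mount-root panic on a server you may not have console access to, and the bootloader will not tell you beforehand. The following is an added example of mine, not something from the original post, that generates the grub stanza from the naming scheme used in the steps above and checks every kernel/initrd path referenced by a grub.conf or lilo.conf for existence before you reboot. The function names and the optional FSROOT argument (for systems where /boot is a separate partition, so that bootloader paths are relative to that partition) are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): pre-reboot check of bootloader entries.
# Every kernel/initrd path named in grub.conf or lilo.conf must exist, otherwise the
# new kernel panics with "unable to mount root fs" and a remote box is lost until
# someone reaches the console.

# grsec_grub_stanza VERSION ROOTDEV [GRUBROOT]
# Prints a grub.conf stanza matching the file names the post copies into /boot
# (vmlinuz-VERSION-grsec, initrd-VERSION-grsec.img). GRUBROOT defaults to the
# "(hd1,0)" used in the post's grub.conf.
grsec_grub_stanza() {
    ver=$1; rootdev=$2; grubroot=${3:-"(hd1,0)"}
    printf 'title CentOS (%s-grsec)\n' "$ver"
    printf 'root %s\n' "$grubroot"
    printf 'kernel /boot/vmlinuz-%s-grsec ro root=%s rhgb quiet\n' "$ver" "$rootdev"
    printf 'initrd /boot/initrd-%s-grsec.img\n' "$ver"
}

# boot_paths CONF
# Extracts kernel and initrd paths from either grub.conf syntax
# ("kernel /boot/vmlinuz-x ro ..." and "initrd /boot/x.img") or lilo.conf syntax
# ("image=/boot/vmlinuz-x" and "initrd=/boot/x.img"). Comments are dropped first.
boot_paths() {
    sed -e 's/#.*//' "$1" | awk '
        $1 == "kernel" || $1 == "initrd" { print $2; next }
        /^[ \t]*(image|initrd)[ \t]*=/ {
            sub(/^[ \t]*(image|initrd)[ \t]*=[ \t]*/, ""); print
        }'
}

# check_boot_conf CONF [FSROOT]
# Verifies that every path referenced by CONF exists under FSROOT. FSROOT is empty
# (i.e. "/") when /boot lives on the root filesystem as in the post; set it to the
# mount point of a separate /boot partition when the paths are relative to it.
# Returns the number of missing files (0 = nothing missing).
check_boot_conf() {
    conf=$1; fsroot=${2:-}
    missing=0
    for p in $(boot_paths "$conf"); do
        if [ ! -f "$fsroot$p" ]; then
            echo "MISSING: $p (referenced by $conf)"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Usage: sh check_boot.sh /etc/grub.conf    or    sh check_boot.sh /etc/lilo.conf /boot
if [ "$#" -gt 0 ]; then
    check_boot_conf "$@"
fi
```

Run it against /etc/grub.conf or /etc/lilo.conf after the cp and mkinitrd steps and before grub's savedefault or lilo -R; a non-zero exit status lists exactly which file the bootloader would fail to find.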

Regards..


