Hardened Gentoo is a project interested in the hardening of a Gentoo system.
Several different solutions are supported by us and there is a fair bit of
flexibility to create your own setup. At the heart of a common Hardened Gentoo
setup is
PaX is a patch to the Linux kernel that provides hardening in two ways.
The first,
The second protection provided by PaX is non-executable memory. This prevents a
common form of attack where executable code is inserted into memory by an
attacker. More information on PaX can be found throughout this guide, but the
homepage can be found at
As mentioned above, PaX is complemented by PIE. This method of building
executables stores information needed to relocate parts of the executable in
memory, hence the name
At run time, when a buffer is created, SSP adds a secret random value, the canary, to the end of the buffer. When the function returns, SSP makes sure that the canary is still intact. If an attacker were to perform a buffer overflow, he would overwrite this value and trigger the stack smashing handler. Currently this kills the target process.
Several Gentoo kernel trees are already patched with PaX.
For 2.4/2.6 based machines, the recommended kernels are
Grab one of the recommended source trees, or apply the appropriate patch from
In
[*] Enable various PaX features
    PaX Control ->
        [ ] Support soft mode
        [*] Use legacy ELF header marking
        [*] Use ELF program header marking
        MAC system integration (none) --->
    Non-executable page ->
        [*] Enforce non-executable pages
        [*] Paging based non-executable pages
        [*] Segmentation based non-executable pages
        [*] Emulate trampolines
        [*] Restrict mprotect()
        [ ] Disallow ELF text relocations
    Address Space Layout Randomization ->
        [*] Address Space Layout Randomization
        [*] Randomize kernel stack base
        [*] Randomize user stack base
        [*] Randomize mmap() base
        [*] Randomize ET_EXEC base
Build this kernel as you normally would and install it to
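A quick way to confirm that the menu selections above actually made it into the kernel you built is to compare the resulting .config against the expected values. The script below is an added example and is not part of the Hardened Gentoo guide or of PaX itself; the pax_config_check function name and the sample .config are constructed here, and the CONFIG_PAX_* symbol names are the ones the PaX patch's Kconfig used for these menu entries (verify them against the security/Kconfig in the tree you actually patched).

```shell
#!/bin/sh
# Added example (not from the Hardened Gentoo guide): check a built kernel's .config
# against the PaX menu selections shown in the guide. Symbol names are assumed to
# be those of the PaX Kconfig of that era; confirm them in your own tree.

# One "SYMBOL=expected" per line; expected is y (selected) or n (not selected).
PAX_EXPECTED='CONFIG_PAX=y
CONFIG_PAX_SOFTMODE=n
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=n
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_RANDEXEC=y'

# pax_config_check PATH: print "SYMBOL expected=X got=Y" for every mismatch
# between PATH (a kernel .config) and PAX_EXPECTED; return 1 if any mismatch.
# A symbol that is absent or written as "# SYMBOL is not set" counts as n.
pax_config_check() {
    config=$1
    rc=0
    for entry in $PAX_EXPECTED; do          # default IFS splits on newlines
        sym=${entry%=*}
        want=${entry#*=}
        if grep -q "^$sym=y$" "$config"; then got=y; else got=n; fi
        if [ "$got" != "$want" ]; then
            printf '%s expected=%s got=%s\n' "$sym" "$want" "$got"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample .config fragment (made up for this example) with MPROTECT
# left off, so the check reports exactly one mismatch.
SAMPLE_CONFIG='CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
# CONFIG_PAX_MPROTECT is not set
# CONFIG_PAX_NOELFRELOCS is not set
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_RANDEXEC=y'

# Stand-alone run against the sample; on a real box use the tree you built from,
# e.g. pax_config_check /usr/src/linux/.config
tmpcfg=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$tmpcfg"
pax_config_check "$tmpcfg" || echo "sample .config does not match the PaX menu"
rm -f "$tmpcfg"
```

Run it before installing the kernel; a non-zero exit status means at least one of the protections the guide enables is missing from the build.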
Hardened Gentoo has added support for transparent PIE/SSP building via GCC's
specfile. This means that any users upgrading an older Hardened install should
remove any LDFLAGS or CFLAGS used to trigger PIE/SSP. Also, the
To maintain a consistent toolchain, first
You will probably also want to merge pax-utils. An ELF object with executable relocations in its text segment often causes problems for us, so scan the system for such objects with:

    scanelf -BRylptq
Some legitimate applications will attempt to generate code at run time which is executed out of memory. Naturally, PaX does not allow this and it will promptly kill the offending application.
Luckily there is a utility to toggle protections on a per-executable basis,
usage: paxctl <options> <files>

options:
    -p: disable PAGEEXEC        -P: enable PAGEEXEC
    -e: disable EMUTRMAP        -E: enable EMUTRMAP
    -m: disable MPROTECT        -M: enable MPROTECT
    -r: disable RANDMMAP        -R: enable RANDMMAP
    -x: disable RANDEXEC        -X: enable RANDEXEC
    -s: disable SEGMEXEC        -S: enable SEGMEXEC
    -v: view flags
    -z: restore default flags
    -q: suppress error messages
    -Q: report flags in short format

flags
The first option we will note is
user # paxctl -v /usr/bin/Xorg
PaX control v0.2
Copyright 2004 PaX Team <pageexec@freemail.hu>

- PaX flags: -p-sM--x-eR- [/usr/bin/Xorg]
    PAGEEXEC is disabled
    SEGMEXEC is disabled
    MPROTECT is enabled
    RANDEXEC is disabled
    EMUTRAMP is disabled
    RANDMMAP is enabled
This shows an XFree binary with all protections disabled.
To set flags on a binary, the
To disable protections on Xorg, run
Experiment with disabling and enabling protections to find the smallest set that has to be turned off for the application to run. Often we find that the -m or -sp combinations are what is needed.
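Once you have settled on the minimal set of exceptions, it is worth keeping an eye on which binaries actually run with protections off. The script below is an added example, not code from the Hardened Gentoo guide or from paxctl: it turns the output of paxctl -v (in the format shown above, with the letter-to-protection mapping from paxctl's usage text) into a per-binary list of disabled protections and an exit status you can use from cron or a CI job. The function names pax_disabled and pax_audit and the sample output are constructed here.

```shell
#!/bin/sh
# Added example, not part of the Hardened Gentoo guide: summarise "paxctl -v" output.
# Letter to protection mapping, as printed in paxctl's usage text:
#   p/P PAGEEXEC  s/S SEGMEXEC  m/M MPROTECT  x/X RANDEXEC  e/E EMUTRAMP  r/R RANDMMAP
# In the short flag string a lowercase letter means the protection is explicitly
# disabled, an uppercase letter means explicitly enabled, and '-' means kernel default.

# pax_disabled FLAGS: print the protections FLAGS turns off, space separated.
pax_disabled() {
    flags=$1
    out=""
    for pair in p:PAGEEXEC s:SEGMEXEC m:MPROTECT x:RANDEXEC e:EMUTRAMP r:RANDMMAP; do
        letter=${pair%%:*}
        name=${pair#*:}
        case $flags in
            *"$letter"*) out="$out $name" ;;   # case patterns are case-sensitive
        esac
    done
    printf '%s\n' "${out# }"
}

# pax_audit: read "paxctl -v" output on stdin, print "<path><TAB><disabled or none>"
# for every binary reported, and return 1 if any binary has PAGEEXEC, SEGMEXEC or
# MPROTECT switched off (the flags that matter most for non-executable memory).
pax_audit() {
    rc=0
    while IFS= read -r line; do
        case $line in
            *"PaX flags:"*) ;;
            *) continue ;;
        esac
        # line looks like: "- PaX flags: -p-sM--x-eR- [/usr/bin/Xorg]"
        rest=${line#*PaX flags: }
        flags=${rest%% *}
        path=${rest#*\[}
        path=${path%%]*}
        disabled=$(pax_disabled "$flags")
        printf '%s\t%s\n' "$path" "${disabled:-none}"
        case " $disabled " in
            *" PAGEEXEC "*|*" SEGMEXEC "*|*" MPROTECT "*) rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample of what "paxctl -v" prints for two binaries (made up for this
# example, not measured on a real system).
SAMPLE_PAXCTL_OUTPUT='PaX control v0.2
Copyright 2004 PaX Team <pageexec@freemail.hu>

- PaX flags: -p-sM--x-eR- [/usr/bin/Xorg]
	PAGEEXEC is disabled
	SEGMEXEC is disabled
	MPROTECT is enabled
	RANDEXEC is disabled
	EMUTRAMP is disabled
	RANDMMAP is enabled
- PaX flags: ------------ [/bin/ls]'

# Stand-alone run; on a real system feed it live output instead:
#   paxctl -v /usr/bin/* | pax_audit
if printf '%s\n' "$SAMPLE_PAXCTL_OUTPUT" | pax_audit; then
    echo "OK: no binary has PAGEEXEC/SEGMEXEC/MPROTECT disabled"
else
    echo "WARNING: some binaries run with core PaX protections off"
fi
```

The parser keys on the letters rather than on their position in the flag string, so it reads both the "-p-sM--x-eR-" layout shown above and a bare short string such as "-m".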