Hardened Gentoo PaX Quickstart

Brandon Hale, Blackace, solar

A quickstart covering PaX and Hardened Gentoo.

Version 1.4, 2007-09-11

What is Hardened Gentoo?

Hardened Gentoo is a project dedicated to hardening Gentoo systems. We support several different solutions, and there is a fair bit of flexibility to create your own setup. At the heart of a common Hardened Gentoo setup is PaX.

What is PaX?

PaX is a patch to the Linux kernel that provides hardening in two ways.

The first, ASLR (Address Space Layout Randomization), randomizes the addresses at which data is loaded into memory. When an application is built as a PIE (Position Independent Executable), PaX can also randomize the base address of the executable itself.

The second protection provided by PaX is non-executable memory. This prevents a common form of attack in which an attacker inserts executable code into memory and runs it. More information on PaX can be found throughout this guide; the homepage is at http://pax.grsecurity.net.

An Introduction to PIE and SSP

As mentioned above, PaX is complemented by PIE. This method of building executables stores the information needed to relocate parts of the executable in memory, hence the name Position Independent.

SSP (Stack Smashing Protector) is a second complementary technology we introduce at executable build time. SSP was originally introduced by IBM under the name ProPolice. It modifies the C compiler to insert initialization code into functions that create a buffer in memory.

In newer versions of SSP, it is possible to apply SSP to all functions, adding protection to functions whose buffer would normally be below the size limit for SSP. This is enabled via the CFLAG -fstack-protector-all.

At run time, when a buffer is created, SSP places a secret random value, the canary, after the end of the buffer. When the function returns, SSP checks that the canary is still intact. If an attacker performs a buffer overflow, he overwrites this value and triggers the stack smashing handler. Currently this kills the target process.

Further reading on SSP.

Building a PaX-enabled Kernel

Several Gentoo kernel trees are already patched with PaX.

For 2.4/2.6 based machines, the recommended kernels are hardened-sources.

Grab one of the recommended source trees, or apply the appropriate patch from http://pax.grsecurity.net to your own tree, and configure it as you normally would for the target machine.

In Security Options -> PaX, apply the options as shown below.

[*] Enable various PaX features

PaX Control ->

 [ ] Support soft mode
 [*] Use legacy ELF header marking
 [*] Use ELF program header marking
     MAC system integration (none)  --->

Non-executable page ->

 [*] Enforce non-executable pages
 [*]   Paging based non-executable pages
 [*]   Segmentation based non-executable pages
 [*] Emulate trampolines
 [*] Restrict mprotect()
 [ ]   Disallow ELF text relocations

Address Space Layout Randomization ->

 [*] Address Space Layout Randomization
 [*]   Randomize kernel stack base
 [*]   Randomize user stack base
 [*]   Randomize mmap() base
 [*]     Randomize ET_EXEC base

Build this kernel as you normally would and install it to /boot.

Building a PIE/SSP Enabled Userland

Hardened Gentoo has added support for transparent PIE/SSP building via GCC's specfile. This means that any users upgrading an older Hardened install should remove any LDFLAGS or CFLAGS used to trigger PIE/SSP. Also, the hardened-gcc package is now deprecated and should be unmerged (version 5.0 is a dummy package). To get the current GCC, add USE="hardened pic" to /etc/make.conf if not using the hardened profile.

To maintain a consistent toolchain, first emerge binutils gcc virtual/libc. Next, rebuild the entire system with emerge -e world. All future packages will be built with PIE/SSP.

Both PIE and SSP are known to cause issues with some packages. If you come across a package that fails to compile, please file a detailed bug report including a log of the failed compile and the output of emerge info to http://bugs.gentoo.org/.

You will probably also want to merge pax-utils. ELF objects with relocations in the executable text segment (TEXTRELs) often cause problems for us; the following scanelf command from pax-utils lists such objects found in your PATH and library paths:

scanelf -BRylptq

When Things Misbehave (PaX Control)

Some legitimate applications generate code at run time and execute it from writable memory. Naturally, PaX does not allow this and will promptly kill the offending application.

The most notable of these applications are XFree/Xorg, mplayer and multimedia tools based on xine-lib. The easiest way around these problems is to disable the relevant PaX protections for that executable.

Luckily there is a utility to toggle protections on a per-executable basis, paxctl. As with any other package in Gentoo, install paxctl with the command emerge paxctl. Usage is shown by paxctl -h.

If you have an older version of binutils, you will need to use chpax, which edits the old-style PaX markings. Usage of chpax is largely the same as paxctl. This also requires legacy marking support built into your kernel. New versions of paxctl make chpax obsolete.

usage: paxctl <options> <files>

options:
        -p: disable PAGEEXEC            -P: enable PAGEEXEC
        -e: disable EMUTRMAP            -E: enable EMUTRMAP
        -m: disable MPROTECT            -M: enable MPROTECT
        -r: disable RANDMMAP            -R: enable RANDMMAP
        -x: disable RANDEXEC            -X: enable RANDEXEC
        -s: disable SEGMEXEC            -S: enable SEGMEXEC

        -v: view flags                  -z: restore default flags
        -q: suppress error messages     -Q: report flags in short format flags

The first option we will note is -v, which displays the flags set on a particular binary.

# paxctl -v /usr/bin/Xorg
PaX control v0.2
Copyright 2004 PaX Team <pageexec@freemail.hu>

- PaX flags: -p-sM--x-eR- [/usr/bin/Xorg]
        PAGEEXEC is disabled
        SEGMEXEC is disabled
        MPROTECT is enabled
        RANDEXEC is disabled
        EMUTRAMP is disabled
        RANDMMAP is enabled

This shows the Xorg binary with PAGEEXEC, SEGMEXEC, RANDEXEC and EMUTRAMP disabled, while MPROTECT and RANDMMAP remain enabled.

When setting flags on a binary, the -z option is useful as it first restores the default flags.

To disable protections on Xorg, run paxctl -zpeMRxs /usr/bin/Xorg.

Play around with disabling and enabling protections to find the smallest set that must be disabled for the application to run. Often we find that the -m or -sp combinations are what is needed.
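The short marking string that paxctl -v prints above, "-p-sM--x-eR-", is six two-character pairs in the order PAGEEXEC, SEGMEXEC, MPROTECT, RANDEXEC, EMUTRAMP, RANDMMAP: an upper-case letter marks a protection as explicitly enabled, a lower-case one as explicitly disabled, and "--" leaves the kernel default. The following Python is an added example, not code from the guide or from paxctl itself, that decodes such a string, composes the paxctl option word that reproduces it, and flags binaries whose markings leave no non-executable page protection at all; the pair layout is taken from the output shown above.

```python
# Added example (not from the guide): decode the short-format marking that
# `paxctl -v` prints, e.g. "-p-sM--x-eR-", and compose the paxctl option word
# that reproduces it.  The string is six two-character pairs, one per
# protection in the order below; the upper-case letter means explicitly
# enabled, the lower-case letter explicitly disabled, "--" means unmarked.

# (enable letter, disable letter, name), in the order paxctl prints them.
PAX_FLAGS = [("P", "p", "PAGEEXEC"), ("S", "s", "SEGMEXEC"),
             ("M", "m", "MPROTECT"), ("X", "x", "RANDEXEC"),
             ("E", "e", "EMUTRAMP"), ("R", "r", "RANDMMAP")]


def parse_pax_flags(short):
    """Return {name: 'enabled' | 'disabled' | 'default'} for a 12-char string."""
    if len(short) != 12:
        raise ValueError("expected 12 characters, got %r" % short)
    result = {}
    for i, (on, off, name) in enumerate(PAX_FLAGS):
        pair = short[2 * i:2 * i + 2]
        if pair == on + "-":
            result[name] = "enabled"
        elif pair == "-" + off:
            result[name] = "disabled"
        elif pair == "--":
            result[name] = "default"
        else:
            raise ValueError("bad pair %r for %s" % (pair, name))
    return result


def paxctl_options(flags):
    """Option word that sets these markings, starting from -z (restore defaults)."""
    word = "-z"
    for on, off, name in PAX_FLAGS:
        state = flags.get(name, "default")
        word += on if state == "enabled" else off if state == "disabled" else ""
    return word


def missing_nx(flags):
    """True when both non-executable page mechanisms are marked off: the
    binary's memory is fully executable, which is worth flagging in an audit."""
    return flags["PAGEEXEC"] == "disabled" and flags["SEGMEXEC"] == "disabled"


if __name__ == "__main__":
    f = parse_pax_flags("-p-sM--x-eR-")  # the Xorg markings shown above
    print(f)
    print("paxctl", paxctl_options(f), "/usr/bin/Xorg")
    print("executable memory everywhere:", missing_nx(f))
```

For the Xorg markings this yields the option word -zpsMxeR, the same set of letters as the guide's -zpeMRxs in a different order.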