Getting started with GrSecurity
GrSecurity | Hardening Two 2016 Francesco Pira (fpira.com)
A set of patches to harden your Linux kernel
What it is
• set of kernel patches
• grsecurity itself, PaX, TPE
• MAC tool with RBAC based on ACL
• gradm, utility to manage the RBAC
• PaX (memory protection)
• paxctld, daemon to manage PaX
Development timeline
• First lines back in 2000/2001
• Still in active development
• Testing is open source
• Stable went closed source last year
• PaX devs collaborate but are a separate team
• PaX is still open source!
Hardening Two June 13, 2016 Francesco Pira (fpira.com)
Keywords
• roles: a higher abstraction of users
• subjects: an abstraction of executables
• objects: an abstraction of system resources
• policy: a set of rules (usually system-wide); the policy defines the behaviour of roles / subjects / objects
• domains: combine roles of different groups together
How it works
• object is a system resource or capability
• subject is an executable (it accesses objects)
• admin is the new root (root is treated as compromised)
• domains to combine roles and groups together
• path-based ACL, deeper path = higher priority
• hierarchies (user -> group -> default and path-based)
Features
• double authentication (via password for grsec admin and shutdown roles)
• limits on system capabilities
• default is deny-all (no rule means no execution)
• learning mode is available, full or per-process
• kernel auditing
• improved file-system and chroot() security
• Trusted Path Execution (TPE)
• kernel and userspace memory protection
• customize before compile (via menuconfig)
• underneath, settings are edited via sysctl
How it works
Installation
1. download Linux kernel sources
2. download grsecurity patch for your kernel
3. verify files, unzip and patch
4. customise with menuconfig
5. compile and install
6. install dependencies, gradm, paxctld
Post-installation
1. Set a password for basic roles
• admin
• shutdown
2. start the first learning mode (gradm -F -L /etc/grsec/learning.logs)
3. use the system normally (do not perform bad actions!)
4. check file output (/etc/grsec/learning.logs)
5. apply output file as policy (gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy)
6. enable grsec (gradm -E)
Usage
• gradm -S to check the status
• gradm -E to enable, gradm -D to disable
• gradm -C for policy control
• gradm -a [role] to log in to a role
• gradm -u to logout
• gradm -F -L /etc/grsec/learning.logs, for learning mode
• … -O /etc/grsec/policy to apply learned rules
A policy excerpt
# Role: utentex
subject /usr/lib/firefox/firefox o {
/ h
/home/utentex r
/home/utentex/Downloads rwxcd
/home/utentex/cartellasegreta h
}
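The matcher behind the excerpt above, as an added example that is not code from the deck or from grsecurity: a small Python model that parses the slide's policy, applies "deeper path = higher priority" with default deny, and reports what the firefox subject may do to a given path. It assumes longest-path-prefix matching and does not interpret wildcards or subject flags; the paths it checks are constructed for the demo.

```python
# Added example (not the deck's or grsecurity's code): a teaching model of
# the RBAC object matcher, applied to the policy excerpt from the slide.
# Assumes: longest matching path wins ("deeper path = higher priority"),
# no rule means deny; wildcards and subject flags are not interpreted.
import re
from dataclasses import dataclass, field

# Mode letters in the excerpt: r read, w write, x execute, c create,
# d delete, h hidden (object is invisible to the subject: no access at all).
POLICY = """\
# Role: utentex
subject /usr/lib/firefox/firefox o {
    / h
    /home/utentex r
    /home/utentex/Downloads rwxcd
    /home/utentex/cartellasegreta h
}
"""

@dataclass
class Subject:
    path: str                                    # executable the rules govern
    flags: str                                   # e.g. "o"; kept, not interpreted
    objects: dict = field(default_factory=dict)  # object path -> mode letters

def parse_policy(text):
    """Parse 'subject <path> [flags] {' ... '}' blocks of '<object> <mode>' rules."""
    subjects, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^subject\s+(\S+)\s*(\S*)\s*\{$", line)
        if m and current is None:
            current = Subject(m.group(1), m.group(2))
        elif line == "}" and current is not None:
            subjects[current.path] = current
            current = None
        elif current is not None and len(line.split()) == 2:
            obj_path, mode = line.split()
            current.objects[obj_path] = mode
        else:
            raise ValueError(f"unexpected line in policy: {line!r}")
    if current is not None:
        raise ValueError("unterminated subject block")
    return subjects

def _covers(rule_path, path):
    """True when rule_path is the path itself or one of its ancestor dirs."""
    if rule_path == "/":
        return path.startswith("/")
    return path == rule_path or path.startswith(rule_path.rstrip("/") + "/")

def effective_rule(subject, path):
    """Deepest (longest) matching object rule as (rule_path, mode); None = deny."""
    best = None
    for rule_path, mode in subject.objects.items():
        if _covers(rule_path, path) and (best is None or len(rule_path) > len(best[0])):
            best = (rule_path, mode)
    return best

def allows(subject, path, op):
    """Is single mode letter `op` granted on `path`? Hidden objects grant nothing."""
    rule = effective_rule(subject, path)
    return rule is not None and "h" not in rule[1] and op in rule[1]

if __name__ == "__main__":
    firefox = parse_policy(POLICY)["/usr/lib/firefox/firefox"]
    for p in ("/etc/shadow", "/home/utentex/notes.txt",          # constructed paths
              "/home/utentex/Downloads/x.bin", "/home/utentex/cartellasegreta/k"):
        print(f"{p:40} -> {effective_rule(firefox, p)}")
```

Note that "/home/utentexfoo" is not under "/home/utentex": the model matches whole path components, so it falls back to the "/ h" rule.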
The good
• theoretically compatible with all Linux distros
• can coexist with other LSM-based tools
• good role management
• inheritance of rules
• policy syntax supports union, intersections and wildcards ( * , ? , [] )
• memory protection included
• can’t enable a policy if it is too permissive
• RAP to defend against code reuse attacks
The bad
• all policy sits in one file
• inconvenient for manual editing
• cannot write rules using gradm
• per-subject learning mode is unfriendly
• you only have access to testing code
• stable is closed-source (and expensive!)
About PaX
• Protects from:
  • arbitrary code execution
  • execution of the original code in a different order
  • execution of the original code in order, plus injected malicious code
• How?
  • NOEXEC and runtime code checking
  • ASLR, to better randomise memory addresses
  • putting flags in the executable header (needs conversion!)
Resources
• Official Wiki (https://en.wikibooks.org/wiki/Grsecurity)
• Debian Wiki (https://wiki.debian.org/grsecurity)
• Gentoo Wiki (wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart)
• forums.grsecurity.net
• official mailing list
• irc.oftc.net #grsecurity
• https://grsecurity.net/rap_faq.php
• PaX - Gentoo Wiki (https://wiki.gentoo.org/wiki/Project:Hardened/PaX_Quickstart)
• chpax (8) - man online (http://dev.man-online.org/man8/chpax/)
• TPE (https://wiki.gentoo.org/wiki/Hardened/Grsecurity_Trusted_Path_Execution)
Questions?
Thank you
