From: Andreas Baier
To: gentoo-user-de@lists.gentoo.org
Subject: [gentoo-user-de] gentoo-hardened: pax: question about understanding the setup
Date: Tue, 5 Feb 2008 22:11:40 +0100
Message-Id: <200802052211.41008.don.ande@gmx.de>

Hello,

I am currently reading up on SELinux and have therefore switched our server to the selinux/hardened profile. As a basis I first downgraded the toolchain to gcc 3.4.6, installed the hardened kernel, recompiled the whole system and cleaned out old leftovers.
Unfortunately, the quickstart tutorial on the hardened project page no longer seems to be entirely up to date, because the options and outputs do not match the ones shown there.

So can someone tell me whether it is apparent from the outputs below whether PaX is globally enabled in the system or not? It looks to me as if the PaX capabilities are present but not enabled in the installed software. Does one have to do this manually now? If I remember correctly, a chpax init script used to do this, and it also set up standard exceptions (Xorg, wine).

First the essentials:

# gzip -d < /proc/config.gz | grep -E 'PAX|_GR|_SELINUX'
# CONFIG_GRKERNSEC is not set
CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
# CONFIG_PAX_MEMORY_UDEREF is not set
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
# CONFIG_SECURITY_SELINUX_AVC_STATS is not set
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT is not set
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set

Note: I chose CONFIG_PAX_NO_ACL_FLAGS=y instead of the Hooks option, because I have not enabled SELinux yet.
# paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser
Released under the GNU Public Licence version 2 or later

Mode: blackhat
Linux karla 2.6.23-hardened-r4 #4 SMP Mon Feb 4 15:55:41 CET 2008 i686 Intel(R) Xeon(R) CPU 3060 @ 2.40GHz GenuineIntel GNU/Linux

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable stack (mprotect)              : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments                   : Killed
Anonymous mapping randomisation test     : 18 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Heap randomisation test (ET_DYN)         : 24 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (ET_DYN)   : 16 bits (guessed)
Shared library randomisation test        : 18 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 23 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 24 bits (guessed)
Return to function (strcpy)              : Vulnerable
Return to function (memcpy)              : Vulnerable
Return to function (strcpy, RANDEXEC)    : Vulnerable
Return to function (memcpy, RANDEXEC)    : Vulnerable
Executable shared library bss            : Killed
Executable shared library data           : Killed

But every program reports:

# paxctl -v /sbin/agetty
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team

- PaX flags: -------x-e-- [/sbin/agetty]
	RANDEXEC is disabled
	EMUTRAMP is disabled

In short: most of the flags do not seem to be enabled at all; RANDEXEC and EMUTRAMP seem to be disabled everywhere.

Here are my links:
http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml
http://www.gentoo.org/proj/en/hardened/grsecurity.xml
http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#paxinformation
http://www.gentoo.org/proj/en/hardened/pax-utils.xml

Thanks in advance,

Regards
Andreas
--
gentoo-user-de@lists.gentoo.org mailing list
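As an added example (not part of the post, nor paxctl's or PaX's own code), the following script decodes a `paxctl -v` flag string against the kernel config quoted in the post, so the agetty line can be read feature by feature. It assumes the paxctl 0.5 pair order PpSsMmXxEeRr (the `x` and `e` in the agetty line sit in the RANDEXEC and EMUTRAMP slots, matching the two "is disabled" lines) and the PaX rule that a `-` pair means the binary carries no marking, so the kernel default applies: on in hard mode, off when CONFIG_PAX_SOFTMODE is set, and a feature that is not compiled into the kernel is off regardless of marking.

```python
import re

# The 12 characters of a "paxctl -v" flag string come in enable/disable
# pairs, one pair per feature, in this order (assumed paxctl 0.5 format).
# Upper case = explicitly enabled, lower case = explicitly disabled,
# '-' = not marked, so the kernel default decides.
FEATURES = ("PAGEEXEC", "SEGMEXEC", "MPROTECT", "RANDEXEC", "EMUTRAMP", "RANDMMAP")

# Constructed sample input: the PaX lines of the /proc/config.gz grep above.
SAMPLE_CONFIG = """\
CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_RANDMMAP=y
"""


def parse_paxctl_flags(flag_string):
    """Map the 12-char flag string to {feature: enabled|disabled|default}."""
    if len(flag_string) != 12:
        raise ValueError("expected 12 flag characters, got %r" % flag_string)
    marks = {}
    for i, name in enumerate(FEATURES):
        on, off = flag_string[2 * i], flag_string[2 * i + 1]
        if on != "-" and off != "-":
            raise ValueError("%s is marked both enabled and disabled" % name)
        marks[name] = "enabled" if on != "-" else "disabled" if off != "-" else "default"
    return marks


def parse_kernel_config(text):
    """Return the names of the CONFIG_PAX_* options built into the kernel (=y)."""
    return set(re.findall(r"^CONFIG_PAX_([A-Z_]+)=y", text, re.MULTILINE))


def effective_state(flag_string, config_text):
    """Combine the binary's marking with the kernel build into a per-feature verdict."""
    built_in = parse_kernel_config(config_text)
    softmode = "SOFTMODE" in built_in
    state = {}
    for name, mark in parse_paxctl_flags(flag_string).items():
        if name not in built_in:
            state[name] = "off (not built into kernel)"
        elif mark == "default":
            state[name] = "off (soft mode default)" if softmode else "on (hard mode default)"
        else:
            state[name] = "on (marked)" if mark == "enabled" else "off (marked)"
    return state


if __name__ == "__main__":
    # The agetty line from the post: only RANDEXEC and EMUTRAMP carry a marking.
    for name, verdict in effective_state("-------x-e--", SAMPLE_CONFIG).items():
        print("%-9s %s" % (name, verdict))
```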