a13xp0p0v / kernel-hardening-checker

A tool for checking the security hardening options of the Linux kernel
GNU General Public License v3.0

After kspp settings server if freezed #16

Closed bryn1u closed 5 years ago

bryn1u commented 5 years ago

Hey guys,

When I set up a CentOS 7 server with KSPP settings (config below) and install www hosting panels like cPanel, CWP panel or ISPmanager and then reboot the server, many services are frozen. My network is disabled; I can't run the command `systemctl start network`, I can't reboot the server, etc. When I push these commands nothing happens, it just waits and waits.

My KSPP config:

```
[+] config check is finished: 'OK' - 62 / 'FAIL' - 41
[root@proton kconfig-hardened-check]# ls
config_files  kconfig-hardened-check.py  LICENSE  README.md
[root@proton kconfig-hardened-check]# ./kconfig-hardened-check.py -c /boot/config-5.0.4 > kspp_setting
[root@proton kconfig-hardened-check]# cat kspp_setting
[+] Trying to detect architecture in "/boot/config-5.0.4"...
[+] Detected architecture: X86_64
[+] Checking "/boot/config-5.0.4" against hardening preferences...
option name | desired val | decision | reason || check result

CONFIG_BUG | y |defconfig | self_protection || OK
CONFIG_STRICT_KERNEL_RWX | y |defconfig | self_protection || OK
CONFIG_STACKPROTECTOR_STRONG | y |defconfig | self_protection || OK
CONFIG_SLUB_DEBUG | y |defconfig | self_protection || OK
CONFIG_STRICT_MODULE_RWX | y |defconfig | self_protection || OK
CONFIG_PAGE_TABLE_ISOLATION | y |defconfig | self_protection || OK
CONFIG_RANDOMIZE_MEMORY | y |defconfig | self_protection || OK
CONFIG_RANDOMIZE_BASE | y |defconfig | self_protection || OK
CONFIG_RETPOLINE | y |defconfig | self_protection || OK
CONFIG_X86_SMAP | y |defconfig | self_protection || OK
CONFIG_X86_INTEL_UMIP | y |defconfig | self_protection || OK
CONFIG_SYN_COOKIES | y |defconfig | self_protection || OK
CONFIG_VMAP_STACK | y |defconfig | self_protection || OK
CONFIG_THREAD_INFO_IN_TASK | y |defconfig | self_protection || OK
CONFIG_BUG_ON_DATA_CORRUPTION | y | kspp | self_protection || OK
CONFIG_DEBUG_WX | y | kspp | self_protection || OK
CONFIG_SCHED_STACK_END_CHECK | y | kspp | self_protection || OK
CONFIG_SLAB_FREELIST_HARDENED | y | kspp | self_protection || OK
CONFIG_SLAB_FREELIST_RANDOM | y | kspp | self_protection || OK
CONFIG_FORTIFY_SOURCE | y | kspp | self_protection || OK
CONFIG_GCC_PLUGINS | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_STRUCTLEAK | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_protection || OK
CONFIG_DEBUG_LIST | y | kspp | self_protection || OK
CONFIG_DEBUG_SG | y | kspp | self_protection || OK
CONFIG_DEBUG_CREDENTIALS | y | kspp | self_protection || OK
CONFIG_DEBUG_NOTIFIERS | y | kspp | self_protection || OK
CONFIG_PAGE_POISONING | y | kspp | self_protection || OK
CONFIG_HARDENED_USERCOPY | y | kspp | self_protection || OK
CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection || OK
CONFIG_MODULE_SIG | y | kspp | self_protection || OK
CONFIG_MODULE_SIG_ALL | y | kspp | self_protection || OK
CONFIG_MODULE_SIG_SHA512 | y | kspp | self_protection || FAIL: "is not set"
CONFIG_MODULE_SIG_FORCE | y | kspp | self_protection || FAIL: "is not set"
CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | kspp | self_protection || OK
CONFIG_REFCOUNT_FULL | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_STACKLEAK | y | my | self_protection || OK
CONFIG_LOCK_DOWN_KERNEL | y | my | self_protection || FAIL: not found
CONFIG_SLUB_DEBUG_ON | y | my | self_protection || OK
CONFIG_SECURITY_DMESG_RESTRICT | y | my | self_protection || OK
CONFIG_STATIC_USERMODEHELPER | y | my | self_protection || FAIL: "is not set"
CONFIG_SECURITY_LOADPIN | y | my | self_protection || FAIL: "is not set"
CONFIG_RESET_ATTACK_MITIGATION | y | my | self_protection || OK
CONFIG_SLAB_MERGE_DEFAULT | is not set | my | self_protection || FAIL: "y"
CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection || OK
CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection || OK
CONFIG_SECURITY | y |defconfig | security_policy || OK
CONFIG_SECURITY_YAMA | y | kspp | security_policy || OK
CONFIG_SECURITY_SELINUX_DISABLE | is not set | kspp | security_policy || OK
CONFIG_SECCOMP | y |defconfig | cut_attack_surface || OK
CONFIG_SECCOMP_FILTER | y |defconfig | cut_attack_surface || OK
CONFIG_STRICT_DEVMEM | y |defconfig | cut_attack_surface || OK
CONFIG_MODULES | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_DEVMEM | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_IO_STRICT_DEVMEM | y | kspp | cut_attack_surface || FAIL: "is not set"
CONFIG_ACPI_CUSTOM_METHOD | is not set | kspp | cut_attack_surface || FAIL: "m"
CONFIG_COMPAT_BRK | is not set | kspp | cut_attack_surface || OK
CONFIG_DEVKMEM | is not set | kspp | cut_attack_surface || OK
CONFIG_COMPAT_VDSO | is not set | kspp | cut_attack_surface || OK
CONFIG_BINFMT_MISC | is not set | kspp | cut_attack_surface || FAIL: "m"
CONFIG_INET_DIAG | is not set | kspp | cut_attack_surface || FAIL: "m"
CONFIG_KEXEC | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_PROC_KCORE | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_LEGACY_PTYS | is not set | kspp | cut_attack_surface || OK
CONFIG_HIBERNATION | is not set | kspp | cut_attack_surface || OK
CONFIG_LEGACY_VSYSCALL_NONE | y | kspp | cut_attack_surface || FAIL: "is not set"
CONFIG_IA32_EMULATION | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_X86_X32 | is not set | kspp | cut_attack_surface || OK
CONFIG_MODIFY_LDT_SYSCALL | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_X86_PTDUMP | is not set |grsecurity| cut_attack_surface || OK
CONFIG_ZSMALLOC_STAT | is not set |grsecurity| cut_attack_surface || OK
CONFIG_PAGE_OWNER | is not set |grsecurity| cut_attack_surface || OK
CONFIG_DEBUG_KMEMLEAK | is not set |grsecurity| cut_attack_surface || OK
CONFIG_BINFMT_AOUT | is not set |grsecurity| cut_attack_surface || OK: not found
CONFIG_KPROBES | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_UPROBES | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_GENERIC_TRACER | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_PROC_VMCORE | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_PROC_PAGE_MONITOR | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_USELIB | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_CHECKPOINT_RESTORE | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_USERFAULTFD | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_HWPOISON_INJECT | is not set |grsecurity| cut_attack_surface || FAIL: "m"
CONFIG_MEM_SOFT_DIRTY | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_DEVPORT | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_DEBUG_FS | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_NOTIFIER_ERROR_INJECTION | is not set |grsecurity| cut_attack_surface || OK
CONFIG_ACPI_TABLE_UPGRADE | is not set | lockdown | cut_attack_surface || FAIL: "y"
CONFIG_ACPI_APEI_EINJ | is not set | lockdown | cut_attack_surface || FAIL: "m"
CONFIG_PROFILING | is not set | lockdown | cut_attack_surface || FAIL: "y"
CONFIG_BPF_SYSCALL | is not set | lockdown | cut_attack_surface || FAIL: "y"
CONFIG_MMIOTRACE_TEST | is not set | lockdown | cut_attack_surface || OK: not found
CONFIG_MMIOTRACE | is not set | my | cut_attack_surface || OK
CONFIG_KEXEC_FILE | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_LIVEPATCH | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_USER_NS | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_IP_DCCP | is not set | my | cut_attack_surface || FAIL: "m"
CONFIG_IP_SCTP | is not set | my | cut_attack_surface || FAIL: "m"
CONFIG_FTRACE | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_BPF_JIT | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_ARCH_MMAP_RND_BITS | 32 | my |userspace_protection|| FAIL: "28"

[+] config check is finished: 'OK' - 62 / 'FAIL' - 41
```

Can someone help me with this? I would be grateful. Could there be an impact because of this?

```
CONFIG_GCC_PLUGINS | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_STRUCTLEAK | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_protection || OK
```

Bernhard40 commented 5 years ago

Could you post dmesg output?

bryn1u commented 5 years ago

Hey,

Sure. I've put my KSPP config again, but as a screenshot: https://ufile.io/epovx3h9
Second part of the KSPP config: https://ufile.io/n4087vqn

Output from dmesg:
dmesg 1 - https://ufile.io/2reh95ag
dmesg 2 - https://ufile.io/mkt1sv73

Thanks,

a13xp0p0v commented 5 years ago

Hello @bryn1u,

As far as I can understand, you are trying to run CentOS 7 with the mainline kernel (5.0.7). I would recommend you move in smaller steps.

First -- update your kernel, but use `make oldconfig` with the original kernel config from CentOS 7. Maybe something will break even after this step.

And then try to enable the hardening options one by one, performing your functional test after each change. You can speed up this procedure using the bisection method (between the initial and final configs).

@Bernhard40, any other advice?
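The bisection step suggested above, written out as an added example that is not part of kernel-hardening-checker and not code from anyone in this thread. It takes the initial (known-good) kernel config and the final hardened (known-bad) one, computes the options that differ, and on each round applies half of the remaining candidates on top of the good config so you only have to rebuild and boot-test log2(N) kernels instead of N. The two config snippets and the `boots_ok` oracle are constructed sample data; with real configs you would write the trial config to `.config`, run `make olddefconfig` so Kconfig resolves dependencies, build, boot, and then report whether the services still came up.

```python
"""Bisect a set of kernel config changes to find the one that breaks boot.

Added example (not kernel-hardening-checker's own code). Inputs are two
Kconfig-style files: a known-good one (e.g. the distro's /boot/config-*)
and a known-bad hardened one. Sample configs below are constructed.
"""
import re

# Matches "CONFIG_FOO=y", "CONFIG_FOO=65536", 'CONFIG_FOO="str"' and
# the Kconfig idiom "# CONFIG_FOO is not set".
_LINE = re.compile(r'^(?:CONFIG_(\w+)=(.*)|# CONFIG_(\w+) is not set)$')


def parse_config(text):
    """Return {option: value}; 'is not set' is recorded as value 'n'."""
    opts = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # comments, blank lines, banner text
        if m.group(1):
            opts[m.group(1)] = m.group(2)
        else:
            opts[m.group(3)] = 'n'
    return opts


def diff_options(good, bad):
    """Sorted names of options whose value differs (absent counts as 'n')."""
    names = set(good) | set(bad)
    return sorted(n for n in names if good.get(n, 'n') != bad.get(n, 'n'))


def render_config(opts):
    """Serialize back to Kconfig text so it can be written to .config."""
    lines = []
    for name in sorted(opts):
        v = opts[name]
        lines.append(f'# CONFIG_{name} is not set' if v == 'n'
                     else f'CONFIG_{name}={v}')
    return '\n'.join(lines) + '\n'


class Bisector:
    """Narrow the differing options down to the single one that breaks boot."""

    def __init__(self, good_text, bad_text):
        self.good = parse_config(good_text)
        self.bad = parse_config(bad_text)
        self.candidates = diff_options(self.good, self.bad)
        self.trial = []

    def done(self):
        return len(self.candidates) <= 1

    def next_config(self):
        """Good config plus the first half of the remaining candidates."""
        self.trial = self.candidates[: len(self.candidates) // 2]
        cfg = dict(self.good)
        for name in self.trial:
            cfg[name] = self.bad.get(name, 'n')
        return cfg

    def report(self, boots_ok):
        """Keep the half that contains the culprit."""
        if boots_ok:
            self.candidates = self.candidates[len(self.trial):]
        else:
            self.candidates = list(self.trial)


def run_bisection(good_text, bad_text, boots_ok):
    """Drive Bisector with an oracle boots_ok(cfg) -> bool. Returns (culprit, rounds)."""
    b = Bisector(good_text, bad_text)
    rounds = 0
    while not b.done():
        b.report(boots_ok(b.next_config()))
        rounds += 1
    return (b.candidates[0] if b.candidates else None), rounds


# Constructed sample data: a few options from the report in this thread.
GOOD_CONFIG = """
CONFIG_MODULES=y
CONFIG_USER_NS=y
CONFIG_BPF_SYSCALL=y
CONFIG_KEXEC=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
# CONFIG_SLAB_FREELIST_HARDENED is not set
# CONFIG_DEBUG_LIST is not set
CONFIG_ARCH_MMAP_RND_BITS=28
"""

BAD_CONFIG = """
# CONFIG_MODULES is not set
# CONFIG_USER_NS is not set
# CONFIG_BPF_SYSCALL is not set
# CONFIG_KEXEC is not set
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_DEBUG_LIST=y
CONFIG_ARCH_MMAP_RND_BITS=32
"""


def fake_boot(cfg):
    """Constructed oracle: pretend the system only comes up with user namespaces."""
    return cfg.get('USER_NS', 'n') == 'y'


if __name__ == '__main__':
    culprit, rounds = run_bisection(GOOD_CONFIG, BAD_CONFIG, fake_boot)
    print(f'CONFIG_{culprit} identified after {rounds} boot tests')
```

In real use replace `fake_boot` with a function that writes `render_config(cfg)` to the kernel tree's `.config`, runs `make olddefconfig` and a build, boots the result, and returns whether your functional test (network up, services started) passed. Note the caveat that Kconfig dependencies can pull extra options along with a trial half, so diff the resolved `.config` against what you intended before trusting a "boots" result.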