kernel hardening flags - Githubissues

ageis commented 5 years ago

Description

I'm not sure if there's a dedicated repository for the kernel used on the SecureDrop servers anymore, so let me know where to put this. But this is a continuation of some prior updates I recommended to the configuration you're using to build. Thanks to a new tool from @a13xp0p0v called kconfig-hardened-check, we no longer have to manually watch changelogs, etc. for when security features and new config flags land in mainline (for those who are unaware, the KSPP has been porting a lot of grsecurity/PaX-inspired features into Linux proper). A brief chat I had with Spender a long time ago confirmed that these generally don't conflict or interfere with grsec.

As this article by @nettrino describes, Linux distributions are hit and miss and many are not taking advantage of the features.

The first obstacle is that you're still on 4.4, so that will narrow the modifications we can make to the config since much of this work landed with 4.14. We'd have to figure out which are available, which are too new, and perform enough testing and quality assurance of the new kernel.

In any event, as a launching-off point, I'm pasting the output of the kconfig-hardened-check script against the current SecureDrop kernel config.


[+] Detected architecture: X86_64
[+] Checking "config-4.4.167-grsec" against hardening preferences...
  option name                            | desired val | decision |       reason       ||        check result        
  ===================================================================================================================
  CONFIG_BUG                             |      y      |defconfig |  self_protection   ||             OK             
  CONFIG_STRICT_KERNEL_RWX               |      y      |defconfig |  self_protection   ||CONFIG_DEBUG_RODATA: OK ("y")
  CONFIG_STACKPROTECTOR_STRONG           |      y      |defconfig |  self_protection   ||      FAIL: not found       
  CONFIG_SLUB_DEBUG                      |      y      |defconfig |  self_protection   ||             OK             
  CONFIG_STRICT_MODULE_RWX               |      y      |defconfig |  self_protection   ||      FAIL: not found       
  CONFIG_PAGE_TABLE_ISOLATION            |      y      |defconfig |  self_protection   ||      FAIL: not found       
  CONFIG_RANDOMIZE_MEMORY                |      y      |defconfig |  self_protection   ||      FAIL: not found       
  CONFIG_RANDOMIZE_BASE                  |      y      |defconfig |  self_protection   ||      FAIL: not found       
  CONFIG_RETPOLINE                       |      y      |defconfig |  self_protection   ||             OK             
  CONFIG_X86_SMAP                        |      y      |defconfig |  self_protection   ||             OK             
  CONFIG_X86_INTEL_UMIP                  |      y      |defconfig |  self_protection   ||      FAIL: not found       
  CONFIG_SYN_COOKIES                     |      y      |defconfig |  self_protection   ||             OK             
  CONFIG_VMAP_STACK                      |      y      |defconfig |  self_protection   ||      FAIL: not found       
  CONFIG_THREAD_INFO_IN_TASK             |      y      |defconfig |  self_protection   ||      FAIL: not found       
  CONFIG_BUG_ON_DATA_CORRUPTION          |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_DEBUG_WX                        |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_SCHED_STACK_END_CHECK           |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_PAGE_POISONING                  |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_SLAB_FREELIST_HARDENED          |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_SLAB_FREELIST_RANDOM            |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_HARDENED_USERCOPY               |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_HARDENED_USERCOPY_FALLBACK      | is not set  |   kspp   |  self_protection   ||       OK: not found        
  CONFIG_FORTIFY_SOURCE                  |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_GCC_PLUGINS                     |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_GCC_PLUGIN_RANDSTRUCT           |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_GCC_PLUGIN_STRUCTLEAK           |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_GCC_PLUGIN_LATENT_ENTROPY       |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_DEBUG_LIST                      |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_DEBUG_SG                        |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_DEBUG_CREDENTIALS               |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_DEBUG_NOTIFIERS                 |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_MODULE_SIG                      |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_MODULE_SIG_ALL                  |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_MODULE_SIG_SHA512               |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_MODULE_SIG_FORCE                |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_DEFAULT_MMAP_MIN_ADDR           |    65536    |   kspp   |  self_protection   ||             OK             
  CONFIG_REFCOUNT_FULL                   |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_GCC_PLUGIN_STACKLEAK            |      y      |    my    |  self_protection   ||      FAIL: not found       
  CONFIG_LOCK_DOWN_KERNEL                |      y      |    my    |  self_protection   ||      FAIL: not found       
  CONFIG_SLUB_DEBUG_ON                   |      y      |    my    |  self_protection   ||     FAIL: "is not set"     
  CONFIG_SECURITY_DMESG_RESTRICT         |      y      |    my    |  self_protection   ||     FAIL: "is not set"     
  CONFIG_STATIC_USERMODEHELPER           |      y      |    my    |  self_protection   ||      FAIL: not found       
  CONFIG_SECURITY_LOADPIN                |      y      |    my    |  self_protection   ||      FAIL: not found       
  CONFIG_PAGE_POISONING_NO_SANITY        | is not set  |    my    |  self_protection   ||       OK: not found        
  CONFIG_PAGE_POISONING_ZERO             | is not set  |    my    |  self_protection   ||       OK: not found        
  CONFIG_SLAB_MERGE_DEFAULT              | is not set  |    my    |  self_protection   ||       OK: not found        
  CONFIG_SECURITY                        |      y      |defconfig |  security_policy   ||             OK             
  CONFIG_SECURITY_YAMA                   |      y      |   kspp   |  security_policy   ||      FAIL: not found       
  CONFIG_SECURITY_SELINUX_DISABLE        | is not set  |   kspp   |  security_policy   ||         FAIL: "y"          
  CONFIG_SECCOMP                         |      y      |defconfig | cut_attack_surface ||             OK             
  CONFIG_SECCOMP_FILTER                  |      y      |defconfig | cut_attack_surface ||             OK             
  CONFIG_STRICT_DEVMEM                   |      y      |defconfig | cut_attack_surface ||             OK             
  CONFIG_IO_STRICT_DEVMEM                |      y      |   kspp   | cut_attack_surface ||      FAIL: not found       
  CONFIG_ACPI_CUSTOM_METHOD              | is not set  |   kspp   | cut_attack_surface ||       OK: not found        
  CONFIG_COMPAT_BRK                      | is not set  |   kspp   | cut_attack_surface ||             OK             
  CONFIG_DEVKMEM                         | is not set  |   kspp   | cut_attack_surface ||       OK: not found        
  CONFIG_COMPAT_VDSO                     | is not set  |   kspp   | cut_attack_surface ||       OK: not found        
  CONFIG_BINFMT_MISC                     | is not set  |   kspp   | cut_attack_surface ||         FAIL: "m"          
  CONFIG_INET_DIAG                       | is not set  |   kspp   | cut_attack_surface ||         FAIL: "m"          
  CONFIG_KEXEC                           | is not set  |   kspp   | cut_attack_surface ||       OK: not found        
  CONFIG_PROC_KCORE                      | is not set  |   kspp   | cut_attack_surface ||       OK: not found        
  CONFIG_LEGACY_PTYS                     | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_HIBERNATION                     | is not set  |   kspp   | cut_attack_surface ||       OK: not found        
  CONFIG_LEGACY_VSYSCALL_NONE            |      y      |   kspp   | cut_attack_surface ||     FAIL: "is not set"     
  CONFIG_IA32_EMULATION                  | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_X86_X32                         | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_MODIFY_LDT_SYSCALL              | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_X86_PTDUMP                      | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_ZSMALLOC_STAT                   | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_PAGE_OWNER                      | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_DEBUG_KMEMLEAK                  | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_BINFMT_AOUT                     | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_KPROBES                         | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_UPROBES                         | is not set  |grsecurity| cut_attack_surface ||             OK             
  CONFIG_GENERIC_TRACER                  | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_PROC_VMCORE                     | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_PROC_PAGE_MONITOR               | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_USELIB                          | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_CHECKPOINT_RESTORE              | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_USERFAULTFD                     | is not set  |grsecurity| cut_attack_surface ||             OK             
  CONFIG_HWPOISON_INJECT                 | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_MEM_SOFT_DIRTY                  | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_DEVPORT                         | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_DEBUG_FS                        | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_NOTIFIER_ERROR_INJECTION        | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_ACPI_TABLE_UPGRADE              | is not set  | lockdown | cut_attack_surface ||       OK: not found        
  CONFIG_ACPI_APEI_EINJ                  | is not set  | lockdown | cut_attack_surface ||       OK: not found        
  CONFIG_PROFILING                       | is not set  | lockdown | cut_attack_surface ||         FAIL: "y"          
  CONFIG_BPF_SYSCALL                     | is not set  | lockdown | cut_attack_surface ||             OK             
  CONFIG_MMIOTRACE_TEST                  | is not set  | lockdown | cut_attack_surface ||       OK: not found        
  CONFIG_MMIOTRACE                       | is not set  |    my    | cut_attack_surface ||       OK: not found        
  CONFIG_KEXEC_FILE                      | is not set  |    my    | cut_attack_surface ||             OK             
  CONFIG_LIVEPATCH                       | is not set  |    my    | cut_attack_surface ||       OK: not found        
  CONFIG_USER_NS                         | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_IP_DCCP                         | is not set  |    my    | cut_attack_surface ||         FAIL: "m"          
  CONFIG_IP_SCTP                         | is not set  |    my    | cut_attack_surface ||         FAIL: "m"          
  CONFIG_FTRACE                          | is not set  |    my    | cut_attack_surface ||       OK: not found        
  CONFIG_BPF_JIT                         | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_ARCH_MMAP_RND_BITS              |     32      |    my    |userspace_protection||      FAIL: not found       

[-] config check is NOT PASSED: 48 errors```

ageis commented 5 years ago

Here is another popular script which is useful for auditing kernel configuration (among other things) for security: https://github.com/slimm609/checksec.sh

Example syntax: checksec --format=cli --verbose --kernel=/boot/config-4.4.182-grsec

I have styled in bold those items which may need attention, but note they're based off my desktop rather than a SecureDrop server (I don't have the same sysctl settings or boot parameters).

Kernel protection information for : /boot/config-4.4.182-grsec

Description - List the status of kernel protection mechanisms. Rather than inspect kernel mechanisms that may aid in the prevention of exploitation of userspace processes, this option lists the status of kernel configuration options that harden the kernel itself against attack.

Kernel config: Warning: The config /home/kevin/dev/boot/config-4.4.182-grsec on disk may not represent running kernel config!

Vanilla Kernel ASLR: Full Protected symlinks: sysctl: permission denied on key 'fs.protected_symlinks' Disabled Protected hardlinks: sysctl: permission denied on key 'fs.protected_hardlinks' Disabled Ipv4 reverse path filtering: Enabled Ipv6 reverse path filtering: Disabled Kernel heap randomization: Enabled GCC stack protector support: Enabled GCC stack protector strong: Disabled Restrict /dev/mem access: Enabled Restrict I/O access to /dev/mem: Disabled Exec Shield: Disabled
X86 only:
Address space layout randomization: Enabled
SELinux: Disabled

SELinux infomation available here: http://selinuxproject.org/
grsecurity / PaX: Auto GRKERNSEC

Non-executable kernel pages: Enabled Non-executable pages: Enabled Paging Based Non-executable pages: Enabled Restrict MPROTECT: Enabled Address Space Layout Randomization: Enabled Randomize Kernel Stack: Enabled Randomize User Stack: Enabled Randomize MMAP Stack: Enabled Sanitize freed memory: Enabled Sanitize Kernel Stack: Enabled Prevent userspace pointer deref: Enabled Prevent kobject refcount overflow: Enabled Bounds check heap object copies: Enabled JIT Hardening: Disabled Thread Stack Random Gaps: Enabled Disable writing to kmem/mem/port: Enabled Disable privileged I/O: Enabled Harden module auto-loading: Enabled Chroot Protection: Enabled Deter ptrace process snooping: Enabled Larger Entropy Pools: Disabled TCP/UDP Blackhole: Enabled Deter Exploit Bruteforcing: Enabled Hide kernel symbols: Enabled Pax softmode: Disabled Grsec sysctl options: grsecurity.audit_chdir: Disabled grsecurity.audit_gid: Disabled grsecurity.audit_group: Disabled grsecurity.audit_mount: Disabled grsecurity.audit_ptrace: Disabled grsecurity.chroot_caps: Disabled grsecurity.chroot_deny_bad_rename: Disabled grsecurity.chroot_deny_chmod: Disabled grsecurity.chroot_deny_chroot: Disabled grsecurity.chroot_deny_fchdir: Disabled grsecurity.chroot_deny_mknod: Disabled grsecurity.chroot_deny_mount: Disabled grsecurity.chroot_deny_pivot: Disabled grsecurity.chroot_deny_shmat: Disabled grsecurity.chroot_deny_sysctl: Disabled grsecurity.chroot_deny_unix: Disabled grsecurity.chroot_enforce_chdir: Disabled grsecurity.chroot_execlog: Disabled grsecurity.chroot_findtask: Disabled grsecurity.chroot_restrict_nice: Disabled grsecurity.consistent_setxid: Disabled grsecurity.deny_new_usb: Disabled grsecurity.deter_bruteforce: Disabled grsecurity.disable_priv_io: Disabled grsecurity.dmesg: Disabled grsecurity.enforce_symlinksifowner: Disabled grsecurity.exec_logging: Disabled grsecurity.fifo_restrictions: Disabled grsecurity.forkfail_logging: Disabled grsecurity.grsec_lock: Disabled grsecurity.harden_ipc: Disabled grsecurity.harden_ptrace: Disabled grsecurity.ip_blackhole: Disabled grsecurity.lastack_retries: Disabled grsecurity.linking_restrictions: Disabled grsecurity.ptrace_readexec: Disabled grsecurity.resource_logging: Disabled grsecurity.romount_protect: Disabled grsecurity.rwxmap_logging: Disabled grsecurity.signal_logging: Disabled grsecurity.socket_all: Disabled grsecurity.socket_all_gid: Disabled grsecurity.socket_client: Disabled grsecurity.socket_client_gid: Disabled grsecurity.socket_server: Disabled grsecurity.socket_server_gid: Disabled grsecurity.symlinkown_gid: Disabled grsecurity.timechange_logging: Disabled grsecurity.harden_tty: Disabled grsecurity.tpe: Disabled grsecurity.tpe_gid: Disabled grsecurity.tpe_invert: Disabled grsecurity.tpe_restrict_all: Disabled

evilaliv3 commented 5 years ago

@ageis @redshiftzero : I'm rechecking on this topic and it seems that on Debian/Ubuntu only python2 is currently complied with -fpie; this causes that on python3 ASLR is not effective.

This issue seems to have been previously notified here: https://bugs.launchpad.net/ubuntu/+source/python3.6/+bug/1452115

Output of hardening-check on Ubuntu Bionic for: python3 and python2:

evilaliv3@evilaliv3:~$ hardening-check /usr/bin/python3
/usr/bin/python3:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!

hardening-check /usr/bin/python2
/usr/bin/python2:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes

I'm trying to reach out to the Debian/Ubuntu security team to see which are the reasons of this choice and if it would be possible to get python3 compiled with -fpie as well.

ageis commented 5 years ago

@evilaliv3 Excellent find; that is a really important thing to get rectified.

evilaliv3 commented 5 years ago

@ageis: we have some updates on this. would you please check https://github.com/freedomofpress/securedrop/issues/1861 ?

ageis commented 4 years ago

Hi @evilaliv3. I read that ticket, and it's not clear to me whether you've either: A) explicitly added new flags to the kernel boot cmdline B) enabled certain security build flags during the kernel compilation processs

This is what I was suggesting. cc @conorsch ?

Update: Ah, just read about some of the issues in freedomofpress/securedrop#4962.

freedomofpress / kernel-builder

kernel hardening flags #28

Description