Jump to: navigation, search

Grsecurity

Grsecurity + Pax[edit]

Introduction[edit]

Grsecurity is a GPL licensed, extensive security enhancement to the Linux kernel that defends against a wide range of security threats through intelligent access control, memory corruption-based exploit prevention, and a host of other system hardening that generally require no configuration. It has been actively developed and maintained for the past 14 years. Commercial support for Grsecurity is available through Open Source Security, Inc.

Instead of chasing and fixing individual bugs, Grsecurity and PaX end exploitation of entire bug classes and provide kernel self-protection against zero-days.

How-To[edit]

Grsecurity Kernel Setup[edit]

This guide is to get you up and running with the latest Grsecurity kernel inside a KVM Whonix guest or Host. The instructions here are inspired by the official Grsecurity guide but adapted for the command line and includes helpful information not mentioned in the original. It will cover downloading, verifying, configuring, compiling and installing the hardened kernel and how to install and use its admin tools. With minimal changes you can compile another architecture. There are many attempts to automate this and get them in upstream Debian but a solution is yet to exist.

The kernel should be anonymously compiled in Whonix-Workstation. Be sure to add more CPUs to speed up the compilation process before starting.

Import and verify developer keys. Always check the fingerprint for yourself:

pub  4096R/0x44D1C0F82525FE49 2013-11-10 Bradley Spengler (spender) <spender@grsecurity.net>
      Key fingerprint = DE94 52CE 46F4 2094 907F  108B 44D1 C0F8 2525 FE49
pub   4096R/0x38DBBDC86092693E 2011-09-23
      Key fingerprint = 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E


gpg --recv-keys "DE94 52CE 46F4 2094 907F  108B 44D1 C0F8 2525 FE49"

gpg --recv-keys "647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E"

gpg --list-keys --fingerprint "DE94 52CE 46F4 2094 907F  108B 44D1 C0F8 2525 FE49"

gpg --list-keys --fingerprint "647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E"

By the time you read this the file names may be outdated despite best efforts to keep this guide current so you may have to adjust file names accordingly.

Download the latest components for your chosen hardware architecture (Only the Testing branch is freely available) and their matching signatures: [1] [2]


scurl -J -O https://grsecurity.net/test/grsecurity-3.1-4.3.3-201512282134.patch
scurl -J -O https://grsecurity.net/test/grsecurity-3.1-4.3.3-201512282134.patch.sig
scurl -J -O https://grsecurity.net/stable/gradm-3.1-201507191652.tar.gz
scurl -J -O https://grsecurity.net/stable/gradm-3.1-201507191652.tar.gz.sig
scurl -J -O https://grsecurity.net/stable/grsecurity-2.2.0-iptables.patch
scurl -J -O https://grsecurity.net/stable/grsecurity-2.2.0-iptables.patch.sig
scurl -J -O https://grsecurity.net/paxctld/paxctld_1.0-4_i386.deb
scurl -J -O https://grsecurity.net/paxctld/paxctld_1.0-4_i386.deb.sig

Look at the matching kernel version number in the patch name grsecurity-3.1-4.2.7-201512092320.patch and fetch the tarball from kernel.org:

scurl -J -O https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.3.3.tar.xz
scurl -J -O https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.3.3.tar.sign


The command will verify everything just downloaded in the home directory. Look for file names that passed the check in this part of the output: assuming signed data in `paxctld_1.0-3_i386.deb'. You should see Good signature from "Bradley Spengler (spender) <spender@grsecurity.net> for each component.

gpg --verify --multifile grsecurity* gradm* paxctld*

The signature is made against the uncompressed version of the archive. This is done so there is only one signature required for .gz, .bz2 and .xz compressed versions of the release. Start by uncompressing the archive, using unxz. You should see Good signature from "Greg Kroah-Hartman:

sudo apt-get install xz-utils
unxz linux*.tar.xz
gpg --verify linux*.tar.sign

In this document the kernel source archive linux*.tar and the matching grsecurity patch grsecurity*.patch are both files are in the same directory.


tar -xf linux*.tar
cd linux*
sudo patch -p1 < ../grsecurity-*-*-*.patch

Install the build tools:

sudo apt-get install flex bison libncurses5-dev fakeroot gcc-4.9-plugin-dev libgmp-dev libmpfr-dev libmpc-dev libssl-dev build-essential

See what version of GCC you have installed and install the matching plugin-dev packages for it.[3]

gcc -v

To open the kernel configuration menu run:

sudo make menuconfig

Grsecurity is endlessly customizable and if you have different security requirements feel free to dive in the documentation[4][5] but be advised very high security settings usually break Xorg server and common packages like Iceweasel and OpenJDK. However for the purposes of compiling a kernel suitable for normal desktop use the Automatic configuration comes with sane defaults. Same for the other usage profiles provided. To have a bootable desktop you will need to disable PaX mprotect at first[6] It can be re-enabled later when an exception list is loaded.

The configuration should look like this. A lack of mention means leave as default:


Networking Support -> Networking options -> Network packet filtering framework (Netfilter) -> IP:Netfilter Configuration -> Enable: IPv4 masquerade support + iptables NAT support

Security options -> Grsecurity -> Configuration Method -> Automatic
			       -> Usage Type -> Desktop
			       -> Virtualization Type -> Guest
			       -> Virtualization Software -> KVM		
                               -> Required Priorities -> Security	       
			       -> Customize Configuration -> PaX -> Non-executable pages -> Deselect: Restrict mprotect
                               -> Customize Configuration -> Memory Protections -> Disable privileged I/O
                               -> Customize Configuration -> Role Based Access Control Options -> Hide kernel processes
                               -> Customize Configuration -> Sysctl Support -> Deselect: Sysctl support 

To save time you can compile one kernel for both the guest and host . NB This only works if you compiled a custom Whonix x64. A x64 Linux Host/Guest configuration would look like:

64-bit kernel

Networking Support -> Networking options -> Network packet filtering framework (Netfilter) -> IP:Netfilter Configuration -> Enable: IPv4 masquerade support + iptables NAT support

Security options -> Grsecurity -> Configuration Method -> Automatic
			       -> Usage Type -> Desktop
			       -> Virtualization Type -> Host
			       -> Virtualization Software -> KVM
                               -> Required Priorities -> Security	       
			       -> Customize Configuration -> PaX -> Non-executable pages -> Deselect: Restrict mprotect
                               -> Customize Configuration -> Memory Protections -> Disable privileged I/O
                               -> Customize Configuration -> Role Based Access Control Options -> Hide kernel processes
                               -> Customize Configuration -> Sysctl Support -> Deselect: Sysctl support 

Once you are done select save and keep the .config name then exit out of all menus.


Compile while specifying the number of cores after the -j option. The number should be the number of cores assigned to the VM + 1. This will result in a huge speed up during compilation and reduce compilation time drastically.

sudo fakeroot make -j 5 deb-pkg

Now sit tight. Go make yourself a cup of coffee or read a book until its finished.

To install your new packages including Pax's configuration utility in the guest run:

cd ..
sudo dpkg -i linux-image-*-grsec_*-*_*.deb
sudo dpkg -i linux-firmware*.deb
sudo dpkg -i linux-headers*.deb
sudo dpkg -i linux-libc*.deb
sudo dpkg -i paxctld*.deb

Move the package to the host via a shared folder and install with dpkg from there.

mv linux-image-*-grsec_*-*_*.deb /mnt/shared
mv linux-firmware*.deb /mnt/shared
mv linux-headers*.deb /mnt/shared
mv linux-libc*.deb /mnt/shared

Done. After installation the system should automatically boot up with the Grsecurity kernel. To inspect the kernel version type:

uname -r

Upgraded Kernel Builds[edit]

Backup your customized kernel configuration file [named .config]. Its available in the root of the kernel source code folder. You may need to enable viewing of hidden files to see it.

To build with newer kernel releases, restore the .config file to the source folder and run:

sudo make oldconfig

Hold 'Enter' to answer questions about new kernel features.

Gradm[edit]

Gradm is the administration tool for RBAC, Grsecurity's intelligent Mandatory Access Control system. Unlike other MACs that require painstaking attention to configuration, RBAC is capable of automatic behavior learning and auto-generating safe program acess policies.

Compilation and Installation[edit]

To prepare and compile:

tar xzf gradm*.tar.gz
cd gradm

Add the iptables patch:

sudo patch -p1 < ../grsecurity-*-iptables.patch

Compile and install:

sudo make install

For the Host install the required build dependencies (make sure apt-transport-tor is installed on host first) then move the patched extracted and patched gradm directory via the shared folder into your home directory. Then run the same commands as above.

sudo apt-get install bison flex

Its very important you choose a long password that's different from your root account's.

To upgrade to a newer gradm release, re-run the same build commands above.

Usage[edit]

A detailed guide on generating and enforcing RBAC policy is available on the ArchLinux wiki. Note these instructions apply to all distros.

Footnotes[edit]

  1. https://grsecurity.net/download.php
  2. https://superuser.com/questions/301044/how-to-wget-a-file-with-correct-name-when-redirected
  3. https://forums.grsecurity.net/viewtopic.php?f=3&t=3484
  4. https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options
  5. https://en.wikibooks.org/wiki/Grsecurity/Runtime_Configuration
  6. http://www.insanitybit.com/2012/05/31/compile-and-patch-your-own-secure-linux-kernel-with-pax-and-grsecurity/

Random News:

We are looking for video makers.


Impressum | Datenschutz | Haftungsausschluss

https | (forcing) onion
Share: Twitter | Facebook | Google+
This is a wiki. Want to improve this page? Help welcome, volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation. Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.