November 15, 2005

Enhancing kernel security with grsecurity

Author: Paul Virijevich

Is your server as secure as it could be? Sure, you use a firewall, mandate strong passwords, and patch regularly. You even take a proactive approach by performing security audits with tools such as nmap and Nessus. Yet you may still be vulnerable to zero-day exploits and privilege escalation attacks. If these possibilities keep you awake at night, you're not alone. The sleepless folks with the grsecurity project have developed an easy-to-use set of security enhancements to help put your fears to rest.

To say that grsecurity provides many enhancements is an understatement. There are more than 30 options to choose from after installation, including:

  • A role-based access control (RBAC) system that automatically generates least-privilege policies
  • Change root (chroot) hardening
  • /tmp race prevention
  • Extensive auditing
  • Address space protection with PaX
  • Additional randomness in the TCP/IP stack
  • Restrictions on users to view only their own processes
  • Security alerts and audits that contain the IP address of the machine that caused the

Take note that grsecurity requires the use of a vanilla kernel from The kernel source supplied by your distribution's vendor has most likely been patched beyond recognition to grsecurity. With that caveat in mind, installation is simple. First, download the patch for the 2.4 or 2.6 kernel and the matching version of gradm. The latest 2.6 kernel grsecurity supports is To install, apply the grsecurity patch from within your kernel source directory with a command similar to:

gunzip -c grsecurity-2.1.6- | patch -p1

If compiling a kernel is new to you, you can read instructions from the Linux Documentation Project. The grsecurity project provides a generic kernel configuration file to help speed things along. When configuring the kernel with make menuconfig, you can find the grsecurity options under the Security Options section.

If the prospect of configuring 30+ options seems daunting, relax. You can choose from predefined low, medium, and high settings. In fact, it's a good idea to start with the low setting and see how things go. After rebooting into the grsecurity-enhanced kernel, check that all of your services are still running. If everything goes okay, try bumping the security level up to medium and then up to high. There is also a custom setting that allows you to mix and match options.

In addition to the grsecurity section, you will also notice a section for PaX. PaX is a separate but bundled project that provides address space protection. PaX makes data memory non-executable and program memory non-writeable, and randomizes the location of program memory. This is just a fancy way of saying that PaX protects against many common exploits, including buffer overflows. Choosing medium or high grsecurity levels enables PaX.
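The two properties described above can be checked from a process's memory map. This Python script is an added example, not code from the article or from the grsecurity or PaX projects: it parses /proc/<pid>/maps text, lists mappings that are writable and executable at once, and lists regions whose base address did not change between two runs. The sample maps and the exampled daemon are constructed for illustration.

```python
import re

# /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-[0-9a-f]+ ([r-][w-][x-][ps]) [0-9a-f]+ \S+ \d+\s*(.*)$")

# Constructed sample: the same hypothetical daemon captured on two separate runs.
RUN_1 = """\
08048000-08050000 r-xp 00000000 03:01 1234 /usr/sbin/exampled
08050000-08051000 rw-p 00008000 03:01 1234 /usr/sbin/exampled
0a1c3000-0a1e4000 rw-p 00000000 00:00 0 [heap]
a7d42000-a7e72000 r-xp 00000000 03:01 5678 /lib/libc.so.6
bffeb000-c0000000 rwxp 00000000 00:00 0 [stack]
"""
RUN_2 = """\
08048000-08050000 r-xp 00000000 03:01 1234 /usr/sbin/exampled
08050000-08051000 rw-p 00008000 03:01 1234 /usr/sbin/exampled
09f7b000-09f9c000 rw-p 00000000 00:00 0 [heap]
a7c19000-a7d49000 r-xp 00000000 03:01 5678 /lib/libc.so.6
bffeb000-c0000000 rwxp 00000000 00:00 0 [stack]
"""

def parse_maps(text):
    """Return (base_address, perms, name) for every mapping line."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            regions.append((int(m.group(1), 16), m.group(2), m.group(3) or "[anon]"))
    return regions

def wx_mappings(text):
    """Names of mappings that are writable and executable at once."""
    return [name for _, perms, name in parse_maps(text)
            if "w" in perms and "x" in perms]

def fixed_bases(run_a, run_b):
    """Names whose first mapping sits at the same address in both runs."""
    first_a, first_b = {}, {}
    for table, text in ((first_a, run_a), (first_b, run_b)):
        for base, _, name in parse_maps(text):
            table.setdefault(name, base)
    return sorted(n for n in first_a if first_a[n] == first_b.get(n))

if __name__ == "__main__":
    print("W+X mappings:", wx_mappings(RUN_1))
    print("not randomized:", fixed_bases(RUN_1, RUN_2))
```

On a live system, feed the functions the contents of /proc/<pid>/maps read on two separate starts of the same service.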

Along with the various filesystem and network protections, grsecurity also provides a role-based access control system that uses a least privilege approach to running processes. With this approach, a process runs with the lowest privileges required to complete its task. By doing this, an RBAC takes away the need for an all-powerful root account. By running grsecurity in this mode, you can restrict the amount of damage done if a process with full root privileges is compromised.

The gradm utility controls only grsecurity's RBAC system; it cannot alter the behavior of grsecurity's other features. In a grsecurity-enabled kernel, gradm installs with a simple make; make install. You can set an admin password for gradm, which is a good idea, as once RBAC is enabled, even root's power will be restricted, and to get it back, you need to assume the admin role. You also need a password to shut down RBAC. Set the admin password with the command:

gradm -P admin

Once you've set up a password, you can log into gradm as admin with the command:

gradm -a

An innovative way to set up RBAC is to use grsecurity's learning mode. In learning mode, grsecurity watches for processes that run with root privileges, access the Internet, or write to key system files or directories. Grsecurity then generates an access control list (ACL) that instructs grsecurity to run these processes using the least privilege approach mentioned earlier. To enable learning mode, run:

gradm -F -L /etc/grsec/learning.log

Let this mode run for a day or two to catch any time-sensitive processes. Avoid any administrative tasks during this time -- remember, the root account is no longer trusted. After grsecurity has had enough time to recognize normal system usage, shut down learning mode and log into gradm as admin. Shutting down learning mode is necessary because grsecurity hides its configuration files when RBAC is running, as it is during learning mode. This means that the system will display an error message about not being able to find learning.log. In fact, the directory /etc/grsec will not appear to exist, even to root.

To write the ACL to disk, run the command:

gradm -F -L /etc/grsec/learning.log -O /etc/grsec/acl

To start RBAC with your new ACL, run:

gradm -E

You can now enjoy the security advantages of processes running with the least amount of privileges necessary.

If you encounter any problems, disable RBAC by first logging in with the admin password and then running:

gradm -D

Think of grsecurity as yet another layer of protection for your system. As with any security technology, don't rely on it as a catchall solution. When used in conjunction with standard security practices, it can help to make your system more secure.

Paul Virijevich is working to eliminate the "Linux consultants cost more" TCO myth. He recently started a consultancy providing cost-effective open source solutions to small businesses.

