Arch - AppArmor + grsec

Discussion in 'all things UNIX' started by daario, Jul 14, 2016.

  1. daario

    daario Registered Member

    Joined:
    Jul 14, 2016
    Posts:
    11
    Location:
    Earth
    Hello,

    I installed linux-grsec and paxd on my Arch desktop and I'd like to set up a MAC.

    I tried RBAC but it seemed too complicated and locked down for me. I read that Tomoyo is enabled by default, but I wasn't able to find many profiles for it on the internet and I don't want to write all the profiles on my own...

    So I think that AppArmor would be the best solution for me since there are many available profiles.

    From what I read that would mean compiling a custom kernel. Unfortunately my experience with such things equals zero and I've no idea how to configure grsecurity; I read that a few options can even break X.

    Therefore I come here asking for help. I'm not asking anyone to compile the kernel for me or such thing. :D Just if you could point me to some resources or tell me which grsecurity options to enable/disable, I'd really appreciate it.

    Thanks for your time. :)
     
  2. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    Piece of cake :cool: I run this setup as a daily driver, and it's very easy to do. Since you're on Arch, I'm going to go through the instructions swiftly:

    1. sudo pacman -S abs (You only need to do this once to get ABS installed on your system)
    2. sudo abs (You'll run this when you need to get an updated list of packages in your ABS tree)
    3. cp -r /var/abs/community/linux-grsec ~/linux-grsec
    4. cd ~/linux-grsec
    5. Open up a file manager, navigate to the linux-grsec folder in home, and open the file called PKGBUILD
    6. Scroll down in the PKGBUILD until you find the line that says "#make menuconfig" and change it to "make menuconfig", then save and close. (Please note if you're comfortable with vim or nano you can do steps 5 and 6 by just running an editor from the CLI, e.g. vim PKGBUILD)
    7. Go back to your terminal: makepkg -s
    8. After a little work, the ncurses-based interface for kernel config will pop up - don't panic! Press the down key until you get to "Security Options", then scroll down until you have highlighted "AppArmor support", and press the space bar. I also disable the "Integrity Subsystem", but that's your choice completely.
    9. Press the right arrow key until you highlight Save at the bottom, and press Enter. Save it as the default name it comes up with. Now use the arrow key to highlight Exit, and keep hitting Exit until you're out of the kernel config.
    10. The package will now start building with grsecurity AND AppArmor support. It will take a while depending on hardware, so go play with the dog, grab a beer, browse the net, etc. while it does its thing.
    11. Upon completion, install the resulting package with pacman. You will see a number of packages (like linux-grsec-headers, etc.) so decide which ones you need. If you just want the kernel (that's all I use), look for the kernel package. In my case the last one I built was named: linux-grsec-4.6.4.201607112205-1-x86_64.pkg.tar.xz. To install, I can just run: sudo pacman -U linux-grsec-4.6.4*
    That's it. Don't forget to make sure your bootloader is updated. I can help you with that if you need it :) If you use Grub you can test your new kernel by editing at the grub prompt your init and kernel lines to be: "initramfs-linux-grsec.img" instead of "initramfs-linux.img" and "linux-grsec" instead of "linux". Here's my relevant lines from Grub:

    linux /boot/vmlinuz-linux-grsec root=UUID=<insert your root partition UUID here> init=/usr/lib/systemd/systemd rw rootflags=subvol=rootfs cryptdevice=/dev/disk/by-uuid/<insert your crypt device partition UUID here>:root quiet rcutree.rcu_idle_gp_delay=1 systemd.restore_state=0 apparmor=1 security=apparmor audit=1 ipv6.disable=1
    echo 'Loading initial ramdisk ...'
    initrd /boot/intel-ucode.img /boot/initramfs-linux-grsec.img

    The crap about cryptdevice is for LUKS full disk encryption, so forget that if you don't have it. The apparmor stuff is because I build the kernel with apparmor disabled by default (where I have to use a kernel line parameter to enable it - this way it's easy to disable if I need to do so).

    Finally, don't let it intimidate you - the above is an attempt to be thorough. Once you get grub set up for your new kernel (if you're using linux-grsec it's already done except the apparmor parts, and you only need them if you've set apparmor to be not default), all you need to do is the steps above. It's literally about 2 minutes of interaction from you each time. The maintainer of linux-grsec releases frequently, so I personally upgrade every other time. If you have any more questions, ask :)

    **EDIT** If you do it the above way, you don't need to edit any of the grsecurity options - it will already have the grsecurity options as set up by the package maintainer. I have personally verified this using the "checksec" script to verify my grsecurity protections. The ONLY thing you need to worry about is enabling apparmor support itself.

    **EDIT2** Please note that the grsecurity team changes their patchset often. As a result, if Daniel (the maintainer of linux-grsec) releases linux-grsec on a Friday, often by Monday the grsecurity patch used in his PKGBUILD no longer exists. You can either update the URL and SHA256 sums in the PKGBUILD for the new grsecurity patch, or just wait until Daniel releases a new version. I find it's best to go ahead and build up a kernel shortly after Daniel releases it. Just FYI.

    Also note that you will have to edit your policy - the apparmor policies in the AUR are from Ubuntu land and not all paths are the same. This is NOT a big deal - aa-logprof makes editing the existing profile trivial. You enable auditd, set Firefox/whatever to complain mode, run the application, then run sudo aa-logprof so that apparmor can prompt you for suggestions.

    I really hope this massive response hasn't scared you off. It sounds way worse than it is. Once you get through the initial setup, it takes 1-2 minutes of interaction every 2 weeks or so. Small price to pay for a solid MAC implementation.
     
    Last edited: Jul 14, 2016
  3. daario

    daario Registered Member

    Joined:
    Jul 14, 2016
    Posts:
    11
    Location:
    Earth
    Wow, thanks a lot! I admit I didn't expect such a long and detailed post. :D

    Since it's already (mid)night here and I'm off tomorrow, I'll try it on Saturday and post here some feedback. ;)

    Just a quick question though (I believe I got everything except that), after compiling the kernel... Is it necessary to add "apparmor=1 security=apparmor" into the GRUB config file?
     
  4. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    You don't NEED to do so, depending on how you set up AppArmor. If you set AppArmor to be on by default, the options are unnecessary. I choose to make AppArmor NOT default to on - that way if I have a problem and need to test without it, I can. From the Arch wiki:

    When compiling the kernel, it needs the following options:
    CONFIG_SECURITY_APPARMOR=y
    CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
    CONFIG_DEFAULT_SECURITY_APPARMOR=y
    CONFIG_AUDIT=y

    Instead of setting CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE and CONFIG_DEFAULT_SECURITY_APPARMOR, you can also set kernel boot parameters: apparmor=1 security=apparmor.


    Rather than editing the kernel config by hand with a text editor (as the text above from the Arch Wiki is suggesting), you are using the ncurses-based kernel config to do all that for you.

    So basically, if you want AppArmor on by default, do as I posted above but leave out the "apparmor=1 security=apparmor" on the kernel line of your bootloader (or you can leave it there if you want - it doesn't matter).

    If you want to be able to easily turn off apparmor on a boot, consider adding my options to the kernel line, and one additional change to my instructions above: When you are in the kernel config and enable AppArmor, a new option will pop up right underneath it called: AppArmor boot parameter default value (NEW). Change the 1 to a 0 and now AppArmor will default to off unless you enable it with the kernel parameters I use above.

    Also, I use audit=1 as well. Since audit support is built into the kernel (once AppArmor support is enabled), this isn't really necessary. However, I do this because if I ever want to turn off audit, I can change it to audit=0 and the audit subsystem will be disabled on that boot. I do all this so that it's easier for me to control apparmor/audit in the event I have issues or need to troubleshoot.

    I hope that clears things up - please ask if I've not been clear :cool:
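    The two posts above boil down to a small decision table: AppArmor must be compiled in, and it is then active only if it is both enabled (CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE, overridable with apparmor=0/1) and selected as the LSM (CONFIG_DEFAULT_SECURITY_APPARMOR, overridable with security=apparmor). The script below is an added example, not code from the thread or the Arch wiki: it checks a .config and a kernel command line against that table, and also performs the PKGBUILD "#make menuconfig" edit from step 6 of the build recipe. The .config fragments it writes are constructed for the demo; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the Arch wiki): check a kernel .config
# and a kernel command line for the AppArmor settings discussed above.
# Assumptions: the .config is a plain "CONFIG_X=y" file and the command line is
# passed in as a string (for a running kernel, the contents of /proc/cmdline).

# Step 6 of the build recipe: uncomment "#make menuconfig" in a PKGBUILD copy.
# Indentation is preserved; the rewrite goes through a temp file so it works
# with any sed, not only GNU sed -i.
enable_menuconfig() {
    sed 's/^\([[:space:]]*\)#make menuconfig/\1make menuconfig/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Print every option from the Arch wiki list that is not set in the .config.
# Returns 0 when all four are present, 1 otherwise.
list_missing_options() {
    cfg="$1"; missing=0
    for opt in CONFIG_SECURITY_APPARMOR=y \
               CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 \
               CONFIG_DEFAULT_SECURITY_APPARMOR=y \
               CONFIG_AUDIT=y; do
        grep -qx "$opt" "$cfg" || { echo "not set: $opt"; missing=1; }
    done
    return "$missing"
}

# Decide whether AppArmor will actually be active at boot.
# The config values are the defaults; apparmor=0/1 and security=<lsm> on the
# command line override them, which is why the boot parameters can stand in
# for the two CONFIG_ defaults. Returns 0 if active, 1 if not.
apparmor_active_at_boot() {
    cfg="$1"; cmdline="$2"
    grep -qx 'CONFIG_SECURITY_APPARMOR=y' "$cfg" || {
        echo "AppArmor is not compiled into this kernel"; return 1; }

    enabled=0; selected=0
    grep -qx 'CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1' "$cfg" && enabled=1
    grep -qx 'CONFIG_DEFAULT_SECURITY_APPARMOR=y' "$cfg" && selected=1

    for param in $cmdline; do   # word-split on purpose
        case "$param" in
            apparmor=1)        enabled=1 ;;
            apparmor=0)        enabled=0 ;;
            security=apparmor) selected=1 ;;
            security=*)        selected=0 ;;   # a different LSM was chosen
        esac
    done

    if [ "$enabled" -eq 1 ] && [ "$selected" -eq 1 ]; then
        echo "AppArmor active (enabled=$enabled, selected=$selected)"
        return 0
    fi
    echo "AppArmor inactive (enabled=$enabled, selected=$selected)"
    return 1
}

# Constructed sample .config fragments for the demo (not real kernel output).
# $1 = output path, $2 = "default-on" or "default-off".
write_sample_config() {
    case "$2" in
        default-on)
            printf '%s\n' CONFIG_SECURITY_APPARMOR=y \
                CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 \
                CONFIG_DEFAULT_SECURITY_APPARMOR=y CONFIG_AUDIT=y > "$1" ;;
        default-off)
            printf '%s\n' CONFIG_SECURITY_APPARMOR=y \
                CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0 \
                '# CONFIG_DEFAULT_SECURITY_APPARMOR is not set' CONFIG_AUDIT=y > "$1" ;;
    esac
}

# Demo: the "default off, enable it from the bootloader" setup from post 2.
demo=$(mktemp -d)
write_sample_config "$demo/config" default-off
list_missing_options "$demo/config"
apparmor_active_at_boot "$demo/config" "root=UUID=x rw quiet"
apparmor_active_at_boot "$demo/config" "root=UUID=x rw apparmor=1 security=apparmor audit=1"
rm -rf "$demo"
```

    On a running system the same check is apparmor_active_at_boot /proc/config.gz-derived .config "$(cat /proc/cmdline)" (after gunzipping the config), which is a quick way to confirm that a bootloader edit actually took effect before trusting any profile.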
     
  5. daario

    daario Registered Member

    Joined:
    Jul 14, 2016
    Posts:
    11
    Location:
    Earth
    Yep, that clears it up. Thanks. :)
     
  6. daario

    daario Registered Member

    Joined:
    Jul 14, 2016
    Posts:
    11
    Location:
    Earth
    Hi,

    sorry for the delay. I decided to test it on my laptop (TP T60).

    I had to import a few keys using GPG at the beginning, but I figured it out. :)

    Anyway, I got a kernel panic. I know it's a little off-topic since even the original linux-grsec package caused a kernel panic, but do you have any idea what the cause could be? :D
     
  7. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,966
    Location:
    Brasil
    @daario Note the time of the KP, then after rebooting and logging in open your Terminal and enter "journalctl", then press "End" on your keyboard to go to the end of the file, then keep pressing "Page Up" to scroll up until you find the exact time the crash happened. Usually you'll see RED text.
     
  8. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    Hard to say without seeing what journalctl has to say. I can't see why this kernel would panic unless it was a configuration issue. What is your bootloader entry for loading linux-grsec? Have you verified the paths to the initramfs image, verified that systemd is set as the init, etc.? Can you post your bootloader config here?

    I've had stuff like this almost every time I've decided I wanted some new partition/bootloader scheme :cool: It's always some dumb error I've made :isay:
     
  9. daario

    daario Registered Member

    Joined:
    Jul 14, 2016
    Posts:
    11
    Location:
    Earth
    Apologies for the delayed response, it's a holiday and hot, so I'm usually either off somewhere or too tired to do anything. :D

    Nevertheless, I've fixed it (rebuilding the kernel with different options and updating the bootloader did the trick) and I've got it working now! So thanks very much @Anonfame1 for the guidance! :)

    So right now I've got firewall, firejail, grsecurity, AppArmor and rkhunter. Do you have any other suggestions to further enhance security?

    I read something about hardening-wrapper, didn't find much on that though...
     
  10. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    Cool.. strange you had to tweak anything though - from what I can tell the linux-grsec kernel pretty much has the kitchen sink enabled in its configuration. Mind if I ask what was/wasn't enabled that caused the problem (if it doesn't invade your privacy of course)?

    You say "firewall," but on Linux that doesn't say much. Iptables? UFW/iptables? Ebtables? Any of these options are pretty good, though iptables/ebtables afford you the most power (with a large learning curve to go along with that power).

    hardening-wrapper is in the Community repo, packaged by the same guy who packages linux-grsec, and it's handy if you have packages you want to harden using ABS/makepkg. This involves RELRO/Canary/PIE, which has to do with memory protections. Hardening-wrapper attempts to build a package with these protections in place. I have all my running processes built this way, but it requires work. I would say just rebuild networkmanager, wpa_supplicant, dhclient, and any other network-facing applications and leave the rest. I should note that right on the Arch news feed the devs have sent out a call asking people for benchmarks on hardening and they appear to be willing at some point soon to start hardening packages by default.

    I could give tons of other security advice and I am not even remotely close to an expert. I'm sure guys here could give way more than I could. So what should you do? Make sure your root and user passwords are different (and different from any online passwords), use uBlock Origin on your browser, and use common sense when browsing. Don't go to every security page turning your computer into a fortress - it still won't be bulletproof and it will be much more of a pain to maintain/deal with. Having firejail, apparmor, grsecurity/pax, and linux already puts you ahead of 99.9% of threats found in the wild.

    If in the future you want more control, then start adding more security-focused modifications - for now get really comfortable with what you have. I hope that doesn't sound preachy or too lax given the content matter of this forum - it's just one man's opinion :)
     
  11. daario

    daario Registered Member

    Joined:
    Jul 14, 2016
    Posts:
    11
    Location:
    Earth
    I was also quite surprised, I had to disable GRKERNSEC_KMEM, I didn't have time to investigate why yet, but I'll look into it. Odd. o_O

    Classic iptables, I took a few rules from here: https://www.wilderssecurity.com/threads/tutorial-expert-linux-firewalling.376935/
    What do you think of nftables? It looks interesting.

    Um, I know you already spent a lotta time helping me here and I feel a bit bad asking this, but would you mind briefly explaining to me how to harden packages using hardening-wrapper? I found only some documentation for deb-based distros, sadly it doesn't apply to me. :(

    Do I just have to install hardening-wrapper and then rebuild the packages or do I have to edit something somewhere?
     
  12. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    No, you got it - simply install hardening-wrapper and that's it. Now whenever you build a package using ABS/makepkg, it will be built hardened. You don't have to put in any special build command or do any voodoo dance for it to build hardened :) How you choose to build is up to you - you can do it the manual way as I outlined above with linux-grsec, or you can use srcpac or something to help automate the process for you. I use yaourt and customizepkg (both in the AUR), but I should note that besides its source-building abilities yaourt is one of the poorest AUR helpers available.

    I really haven't tried nftables so I can't give you an opinion other than I'm sure it's awesome-er. What I do know is that documentation is sparse atm, and iptables is enough for me atm. I actually use UFW since I'm very lazy, but I've been meaning to set up an actual iptables ruleset one of these days - UFW is very, very easy but it lacks the finer control of ebtables/nftables/iptables.

    If you ever figure out why you need to disable GRKERNSEC_KMEM, I'd be interested to hear why. You might consider emailing linux-grsec's packager (Daniel) and letting him know. He has a ton of projects though (Copperhead OS for android, bunch of AUR/community stuff, etc) so he might take a few days to respond. He can prolly provide you with more information than any of us here can.
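    Posts 10 and 12 say that hardening-wrapper makes ABS/makepkg builds come out with RELRO, stack canaries and PIE, but neither says how to confirm that a rebuilt package actually got them. The script below is an added example, not code from the thread or from hardening-wrapper: it inspects the ELF header of every file in a directory with nothing but od(1) and reports the ones that are not position independent (e_type is ET_EXEC rather than ET_DYN), which is the PIE half of that list; RELRO and canaries live in the program headers and symbol table and are not checked here. The ELF header stubs it writes are constructed for the demo, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: report which ELF binaries in a directory
# were NOT built as PIE, one of the properties (RELRO/canary/PIE) that
# hardening-wrapper is meant to add to ABS/makepkg builds. Only od(1) is used,
# so it runs without readelf or checksec. RELRO and stack canaries live in the
# program headers and symbols and are not inspected here.

# Exit status: 0 = PIE (e_type ET_DYN), 1 = fixed-address executable
# (ET_EXEC), 2 = not a readable ELF file.
elf_pie_status() {
    f="$1"
    [ -r "$f" ] || return 2
    # e_ident: bytes 0-3 are the magic, byte 5 is the data encoding (1 LE, 2 BE)
    magic=$(od -An -tx1 -N4 "$f" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || return 2
    endian=$(od -An -tu1 -j5 -N1 "$f" 2>/dev/null | tr -d ' ')
    # e_type is the 16-bit field at offset 16
    set -- $(od -An -tu1 -j16 -N2 "$f" 2>/dev/null)
    [ $# -eq 2 ] || return 2
    if [ "$endian" = "2" ]; then
        e_type=$(( $1 * 256 + $2 ))
    else
        e_type=$(( $1 + $2 * 256 ))
    fi
    case "$e_type" in
        3) return 0 ;;   # ET_DYN: position independent, ASLR can relocate it
        2) return 1 ;;   # ET_EXEC: fixed load address, not PIE
        *) return 2 ;;   # relocatable object, core file, or unknown
    esac
}

# Print each non-PIE executable under $1, then the count on the last line.
count_non_pie() {
    n=0
    for f in "$1"/*; do
        elf_pie_status "$f" && status=0 || status=$?
        if [ "$status" -eq 1 ]; then
            echo "not PIE: $f"
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed 18-byte ELF header stubs for the demo (64-bit, little-endian);
# $1 = path, $2 = e_type: 2 = ET_EXEC, 3 = ET_DYN.
write_fake_elf() {
    printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000' > "$1"
    printf "\\$(printf '%03o' "$2")\\000" >> "$1"
}

# Demo on constructed files; no installed binaries are touched.
demo=$(mktemp -d)
write_fake_elf "$demo/pie_app" 3
write_fake_elf "$demo/fixed_app" 2
printf 'not an ELF file\n' > "$demo/README"
count_non_pie "$demo"
rm -rf "$demo"
```

    Pointed at /usr/bin after a rebuild, count_non_pie lists the executables that still load at a fixed address, which is the shortlist worth rebuilding through hardening-wrapper (or reporting to the packager) before worrying about the rest.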
     