Paranoid Kernel Settings

Discussion in 'all things UNIX' started by AutoCascade, Aug 12, 2016.

  1. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    624
    Location:
    United States
    Kees Cook tweeted that he had posted these today

    http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project#Recommended_settings


     
  2. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,966
    Location:
    Brasil
    Really interesting, thank you both. I'm saving this for later ;)
     
  3. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    720
    I checked which settings are enabled in the Fedora 24 kernel 4.6.5:

    CONFIGs
    # Make sure kernel page tables have safe permissions.
    CONFIG_DEBUG_KERNEL=y
    CONFIG_DEBUG_RODATA=y

    Both are enabled.

    # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
    CONFIG_CC_STACKPROTECTOR=y
    CONFIG_CC_STACKPROTECTOR_STRONG=y

    Both are enabled.

    # Blocks direct physical memory access.
    CONFIG_STRICT_DEVMEM=y

    Enabled.

    # Provides some protections against SYN flooding.
    CONFIG_SYN_COOKIES=y

    Enabled.

    # Perform additional validation of credentials.
    CONFIG_DEBUG_CREDENTIALS=y

    Not enabled.

    # Provide userspace with seccomp BPF API for syscall attack surface reduction.
    CONFIG_SECCOMP=y
    CONFIG_SECCOMP_FILTER=y

    Both are enabled.

    # Provide userspace with ptrace ancestry protections.
    CONFIG_SECURITY=y
    CONFIG_SECURITY_YAMA=y

    Both are enabled.

    # Perform usercopy bounds checking.
    CONFIG_HARDENED_USERCOPY=y

    Not existing. I believe this was introduced in kernel 4.8, hence no judging.

    # Randomize allocator freelists.
    CONFIG_SLAB_FREELIST_RANDOM=y

    Not existing. I believe this is related to usercopy bounds checking, hence no judging.

    # Allow allocator validation checking to be enabled.
    CONFIG_SLUB_DEBUG=y

    Not enabled. I believe this is related to usercopy bounds checking, hence no judging.

    # Dangerous; allows direct physical memory writing.
    # CONFIG_ACPI_CUSTOM_METHOD is not set

    CONFIG_ACPI_CUSTOM_METHOD=m

    # Dangerous; disables brk ASLR.
    # CONFIG_COMPAT_BRK is not set

    Not enabled - good!

    # Dangerous; disables VDSO ASLR.
    # CONFIG_COMPAT_VDSO is not set

    Not enabled - good!

    # Dangerous; allows direct kernel memory writing.
    # CONFIG_DEVKMEM is not set

    Not enabled - good!

    # Dangerous; allows replacement of running kernel.
    # CONFIG_KEXEC is not set

    Not existing - good!

    # Dangerous; allows replacement of running kernel.
    # CONFIG_HIBERNATION is not set

    Enabled!

    # Prior to v4.1, assists heap memory attacks; best to keep interface disabled.
    # CONFIG_INET_DIAG is not set

    CONFIG_INET_DIAG=m

    # Easily confused by misconfigured userspace, keep off.
    # CONFIG_BINFMT_MISC is not set

    CONFIG_BINFMT_MISC=m

    # Use the modern PTY interface (devpts) only.
    # CONFIG_LEGACY_PTYS is not set

    Not enabled - good!

    # Reboot devices immediately if kernel experiences an Oops.
    CONFIG_PANIC_ON_OOPS=y
    CONFIG_PANIC_TIMEOUT=-1

    The first one is disabled.
    CONFIG_PANIC_TIMEOUT=0

    # Keep root from altering kernel memory via loadable modules.
    # CONFIG_MODULES is not set

    Not existing - good!


    x86_64
    # Full 64-bit means PAE and NX bit.
    CONFIG_X86_64=y

    Enabled.

    # Disallow allocating the first 64k of memory.
    CONFIG_DEFAULT_MMAP_MIN_ADDR=65536

    Enabled.

    # Randomize position of kernel and memory.
    CONFIG_RANDOMIZE_BASE=y
    CONFIG_RANDOMIZE_MEMORY=y

    The first one is enabled.
    The second one doesn't exist.


    kernel command line options
    # Enable allocator free poisoning.
    slub_debug=P

    Not enabled.

    x86_64
    # Remove vsyscall entirely to avoid it being a fixed-position ROP target of any kind.
    vsyscall=none

    Not enabled.

    sysctls
    # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
    kernel.kptr_restrict = 1

    Not enabled.

    # Avoid kernel memory address exposures via dmesg.
    kernel.dmesg_restrict = 1

    Not enabled.

    # Block non-uid-0 profiling
    kernel.perf_event_paranoid = 3

    Not enabled.

    # Turn off kexec, even if it's built in.
    kernel.kexec_load_disabled = 1

    Not existing, as it is disabled in CONFIG.

    # Avoid non-ancestor ptrace access to running processes and their credentials.
    kernel.yama.ptrace_scope = 1

    This is what /usr/lib/sysctl.d/10-default-yama-scope.conf says:
    # This runtime kernel parameter can be set to the following options:
    # (Note that setting this to anything except zero will break programs!)
    #
    # 0 - Default attach security permissions.
    # 1 - Restricted attach. Only child processes plus normal permissions.
    # 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE.
    # 3 - No attach. No process may call ptrace at all. Irrevocable.
    #
    kernel.yama.ptrace_scope = 0

    Conclusion: Several recommended settings are implemented, some are not, partially because they are new in kernel 4.7 and 4.8. Some might not be implemented because of heavy usage of SELinux in Fedora. Interesting - I'll try to find out what these settings mean.
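The manual comparison in the post above can be scripted. The following is an added example, not code from the thread or from the KSPP wiki: a POSIX sh audit that reads a kernel .config (the `CONFIG_X=y` / `# CONFIG_X is not set` format quoted above) and a `sysctl -a`-style dump, and reports OK, FAIL or MISSING for each recommended setting listed in the post. It distinguishes an option that is explicitly off from one the kernel version does not know at all (as with CONFIG_HARDENED_USERCOPY on 4.6), which is the distinction the post draws with "not enabled" versus "not existing". The SAMPLE_* inputs are constructed to mirror the Fedora findings reported above and are not real Fedora data; treating the sysctl values as minimums (so kptr_restrict = 2 passes a recommendation of 1) and the script name kspp-audit.sh are this example's own choices.

```shell
# Added example, not from the thread: audit a kernel .config and a sysctl dump
# against the recommended settings quoted in the post. SAMPLE_* inputs are
# constructed to mirror the reported Fedora findings; they are not real data.

# Recommended config options from the post, one "SYMBOL WANTED" per line
# (n means the option must appear as "# SYMBOL is not set").
RECOMMENDED_CONFIG='CONFIG_DEBUG_RODATA y
CONFIG_CC_STACKPROTECTOR_STRONG y
CONFIG_STRICT_DEVMEM y
CONFIG_DEBUG_CREDENTIALS y
CONFIG_HARDENED_USERCOPY y
CONFIG_ACPI_CUSTOM_METHOD n
CONFIG_COMPAT_BRK n
CONFIG_HIBERNATION n
CONFIG_PANIC_ON_OOPS y
CONFIG_PANIC_TIMEOUT -1
CONFIG_DEFAULT_MMAP_MIN_ADDR 65536
CONFIG_RANDOMIZE_BASE y'

# Recommended sysctls from the post, treated here as minimum values.
RECOMMENDED_SYSCTL='kernel.kptr_restrict 1
kernel.dmesg_restrict 1
kernel.perf_event_paranoid 3
kernel.kexec_load_disabled 1
kernel.yama.ptrace_scope 1'

# Constructed .config fragment; CONFIG_HARDENED_USERCOPY is deliberately absent,
# as it would be on a 4.6 kernel.
SAMPLE_CONFIG='CONFIG_DEBUG_RODATA=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_STRICT_DEVMEM=y
# CONFIG_DEBUG_CREDENTIALS is not set
CONFIG_ACPI_CUSTOM_METHOD=m
# CONFIG_COMPAT_BRK is not set
CONFIG_HIBERNATION=y
# CONFIG_PANIC_ON_OOPS is not set
CONFIG_PANIC_TIMEOUT=0
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
CONFIG_RANDOMIZE_BASE=y'

# Constructed "sysctl -a"-style dump; kexec_load_disabled is deliberately absent.
SAMPLE_SYSCTL='kernel.kptr_restrict = 2
kernel.dmesg_restrict = 0
kernel.perf_event_paranoid = 2
kernel.yama.ptrace_scope = 0'

# config_value CONFIG_TEXT SYMBOL -> y, m, n, a literal value, or "missing"
# ("missing" = the symbol occurs nowhere, i.e. this kernel lacks the option).
config_value() {
    _line=$(printf '%s\n' "$1" | grep -E "^(# )?$2(=| |\$)" | head -n 1)
    case "$_line" in
        "# $2 is not set") echo n ;;
        "$2="*)            echo "${_line#*=}" ;;
        *)                 echo missing ;;
    esac
}

# sysctl_value SYSCTL_TEXT KEY -> value from a "key = value" line, or "missing"
sysctl_value() {
    _key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    _v=$(printf '%s\n' "$1" | sed -n "s/^$_key *= *//p" | head -n 1)
    if [ -n "$_v" ]; then echo "$_v"; else echo missing; fi
}

# audit_config CONFIG_TEXT -> one OK/FAIL/MISSING line per recommendation
audit_config() {
    printf '%s\n' "$RECOMMENDED_CONFIG" | while read -r _sym _want; do
        _got=$(config_value "$1" "$_sym")
        if   [ "$_got" = "$_want" ]; then echo "OK      $_sym=$_want"
        elif [ "$_got" = missing ];  then echo "MISSING $_sym (option not in this kernel)"
        else echo "FAIL    $_sym=$_got (wanted $_want)"
        fi
    done
}

# audit_sysctl SYSCTL_TEXT -> same report; a value above the minimum passes
audit_sysctl() {
    printf '%s\n' "$RECOMMENDED_SYSCTL" | while read -r _key _min; do
        _got=$(sysctl_value "$1" "$_key")
        if   [ "$_got" = missing ]; then echo "MISSING $_key (not available on this kernel)"
        elif [ "$_got" -ge "$_min" ] 2>/dev/null; then echo "OK      $_key = $_got"
        else echo "FAIL    $_key = $_got (wanted >= $_min)"
        fi
    done
}

# Stand-alone run: audit a real config file if one is given, else the samples.
if [ -n "${1:-}" ]; then
    audit_config "$(cat "$1")"
else
    audit_config "$SAMPLE_CONFIG"
    audit_sysctl "$SAMPLE_SYSCTL"
fi
```

On a live system the config usually comes from `/boot/config-$(uname -r)` or `zcat /proc/config.gz`, so `sh kspp-audit.sh /boot/config-"$(uname -r)"` audits the running kernel, and `audit_sysctl "$(sysctl -a 2>/dev/null)"` does the same for the sysctls. A MISSING result is not a failure of the distribution: as the post notes for CONFIG_HARDENED_USERCOPY, an option that does not exist in the kernel version at hand cannot be judged. The same applies to `kernel.perf_event_paranoid = 3`, which is only honoured by kernels carrying the Debian/Ubuntu patch; a mainline kernel treats any value of 2 or higher the same as 2.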
     
  4. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,966
    Location:
    Brasil
    Thanks a lot for that.

    It seems Arch and Fedora are kinda on the same track, but Arch's is not so paranoid. The only differences are as follows:

    CONFIG_KEXEC=y
    CONFIG_BINFMT_MISC=y
    CONFIG_MODULES=y
    # CONFIG_RANDOMIZE_BASE is not set
    CONFIG_SLUB_DEBUG=y
    CONFIG_GENERIC_TIME_VSYSCALL=y

    Other than that, they look identical.
     