
Debian system kernel harden

Views: 206   Date: 2015-08-14

Use Grsecurity/PaX to improve kernel security on Debian; a few options are adjusted so that Java and Docker still run well.

Grsecurity/PaX is widely used, especially in high-security environments. Among GNU/Linux distributions, Gentoo offers PaX as a hardening option, and the Debian community recently launched Mempo, a project aimed at resisting large-scale surveillance, which also builds Grsecurity/PaX into its kernel. Here we use Grsecurity/PaX to harden the kernel of Debian 8.1, adjusting a few options so that Java and Docker run well. Every step has been verified several times; you can harden your own system by following this document.


--[ Debian system kernel harden steps


1. Open '/etc/apt/sources.list' and check that the following three Debian sources are present; add them if they are missing. Comment out or delete any other software sources, and in particular avoid sources that do not come from the Debian community.

nano /etc/apt/sources.list
deb http://ftp.debian.org/debian jessie main contrib
# the mirror URI and the suite (jessie/updates) must be separated by a space
deb http://security.debian.org/ jessie/updates main contrib
deb http://ftp.debian.org/debian jessie-updates main contrib

2. Edit the 'sudoers' file and add the current user to it. Skip this step if you are working as root.

su - root
nano /etc/sudoers
add the line: user ALL=(ALL:ALL) ALL

3. Grsecurity has to be patched into the kernel source before the kernel is recompiled. The grsecurity stable patch targets kernel 3.14.48 (a long-term-support series), while the Debian 8 kernel is 3.16, so we move our kernel down to 3.14.48. To check the current kernel version, use:

cat /proc/version

4. Download the 3.14.48 source code from kernel.org:



wget https://kernel.org/pub/linux/kernel/v3.x/linux-3.14.48.tar.xz



5. Go to the Grsecurity website and download the matching patch; pay close attention to the version.

(Check the versions of "grsecurity - stable kernel patch" and "paxctld - PaX flags maintenance daemon - binary packages" at 'http://grsecurity.net/download.php'.)



wget http://grsecurity.net/stable/grsecurity-3.1-3.14.48-201507261203.patch

wget http://grsecurity.net/paxctld/paxctld_1.0-2_amd64.deb


6. Before compiling, make sure a GCC with plugin support is installed. The plugin-dev package is named after the major.minor GCC version (X.Y, not X.Y.Z):

apt-get install libncurses5-dev kernel-package build-essential
# `gcc --version` prints several lines; `gcc -dumpversion` prints only "4.9.2" and cut keeps "4.9"
gcc -dumpversion
apt-get install gcc-$(gcc -dumpversion | cut -d. -f1,2)-plugin-dev

7. Unpack the kernel source and apply the grsecurity patch:

xz -d linux-3.14.48.tar.xz
tar -xvf linux-3.14.48.tar
cd linux-3.14.48/
patch -p1 < ../grsecurity-3.1-3.14.48-201507261203.patch

8. Configure the kernel:

make menuconfig

9. The configuration interface appears once the command runs. Choose "Security options":

Security options --> Grsecurity

Choose Grsecurity (NEW)

Configuration Method --> choose Automatic

(There are two options, "Automatic" and "Custom". "Automatic" gives a general baseline configuration; after configuring with "Automatic" we can adjust individual settings under "Custom". Two custom settings are needed; they are introduced below.)

Security options --> Grsecurity --> Customize Configuration --> PaX --> Non-executable pages --> disable "Restrict mprotect()"

(The first custom setting is made at compile time. The Java JIT compiler generates machine code at run time, which turns writable data pages into executable pages; PaX's MPROTECT option blocks exactly this transition, so to run Java well we need to change this setting.)




10. Then compile the kernel; this takes a long time.

make deb-pkg -j$(($(nproc) + 1))

(-j is set to the number of CPUs + 1 to speed up compilation.)

11. Install the packages once the build has finished.



cd ..
dpkg -i linux*.deb
dpkg -i paxctld_1.0-2_amd64.deb

12. Allow 'chmod' and 'mknod' inside chroots.

(The other custom setting changes a PaX/grsecurity option at run time by editing /etc/sysctl.conf, which the kernel loads at boot. Settings in "/etc/sysctl.conf" take priority over the compiled-in options. We need to allow "chmod" and "mknod" in chroots so that Docker runs well.)

su
vi /etc/sysctl.conf
kernel.grsecurity.chroot_deny_chmod=0
kernel.grsecurity.chroot_deny_mknod=0

13. Reboot after the installation and choose the hardened kernel in the boot menu.
reboot

14. Run paxctld.

(The "paxctld" daemon automatically scans the programs running on the system and applies the PaX flags they need in order to run normally, so execute "paxctld -d" after every boot.)

su
paxctld -d

15. Uninstall the old kernel.

(Use dpkg to find the version of the old kernel, then remove its header and image packages. Substitute the actual package names before running the command; do not copy it literally, and be careful not to remove the newly installed 3.14.48 packages.)

dpkg -l | grep linux-headers
dpkg -l | grep linux-image
apt-get remove linux-headers-<old-version> linux-image-<old-version>




16. Following the minimal-installation principle, uninstall the compiler tool chain.

apt-get remove kernel-package build-essential
apt-get remove libncursesada-dbg libncursesada3-dev libncursesada-doc libncurses5-dbg libncurses5-dev libncursesw5-dbg libncurses-gst libncursesw5-dev libncursesada3
apt-get autoremove
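The following shell script is an added example, not part of the original article: it collects the checks a practitioner would want to run around steps 6, 10, 12 and 13 (plugin-dev package name, -j value, the two sysctl settings, and which kernel is running). The functions take their input as arguments so they can be run against the constructed samples below or against a live host; the assumption that a grsecurity-patched kernel reports "-grsec" in `uname -r` is the author's, not something the article states.

```shell
#!/bin/sh
# Added example (not from the original article). Helper checks for the
# Debian + grsecurity procedure above. Inputs are passed as arguments so the
# functions work on constructed samples as well as on a live system
# (e.g. "$(gcc -dumpversion)", "$(nproc)", "$(uname -r)", /etc/sysctl.conf).

# Step 6: the plugin-dev package uses the major.minor GCC version,
# so "4.9.2" becomes "gcc-4.9-plugin-dev".
gcc_plugin_pkg() {
    printf 'gcc-%s-plugin-dev\n' "$(printf '%s' "$1" | cut -d. -f1,2)"
}

# Step 10: -j value is number of CPUs + 1 (pass "$(nproc)" on a live host).
make_jobs() {
    echo $(( $1 + 1 ))
}

# Step 13: assumption (not stated in the article): a kernel built from a
# grsecurity-patched tree carries "-grsec" in its release string, while the
# stock Debian 3.16 kernel does not.
kernel_is_grsec() {
    case "$1" in
        *grsec*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Step 12: verify that a sysctl.conf-style file sets both chroot_deny_chmod
# and chroot_deny_mknod to 0 (needed for Docker). Whitespace around "=" is
# tolerated and the last assignment of a key wins, as sysctl itself does.
check_grsec_sysctl() {
    file="$1"
    for key in kernel.grsecurity.chroot_deny_chmod kernel.grsecurity.chroot_deny_mknod; do
        val=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$file" | tail -n 1)
        [ "$val" = "0" ] || return 1
    done
    return 0
}

# Constructed sample sysctl.conf mirroring step 12 (for demonstration only).
SAMPLE_SYSCTL=$(mktemp)
cat > "$SAMPLE_SYSCTL" <<'EOF'
# constructed sample
net.ipv4.ip_forward=1
kernel.grsecurity.chroot_deny_chmod = 0
kernel.grsecurity.chroot_deny_mknod=0
EOF
```

On a live host, run `check_grsec_sysctl /etc/sysctl.conf` and `kernel_is_grsec "$(uname -r)"` after the reboot in step 13 to confirm both custom settings took effect.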

--[ Attention

This document describes an intermediate stage of the Debian kernel hardening process. To obtain a more secure system, the Grsecurity/PaX options need to be configured in detail.