1 | <?xml version='1.0' encoding="UTF-8"?> |
1 | <?xml version='1.0' encoding="UTF-8"?> |
2 | <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/pax-quickstart.xml,v 1.6 2005/04/18 19:39:05 solar Exp $ --> |
2 | <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/pax-quickstart.xml,v 1.7 2005/07/12 01:02:46 solar Exp $ --> |
3 | <!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> |
3 | <!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> |
4 | |
4 | |
5 | <guide link="/proj/en/hardened/pax-quickstart.xml"> |
5 | <guide link="/proj/en/hardened/pax-quickstart.xml"> |
6 | <title>Hardened Gentoo PaX Quickstart</title> |
6 | <title>Hardened Gentoo PaX Quickstart</title> |
7 | |
7 | |
… | |
… | |
9 | <mail link="tseng@gentoo.org">Brandon Hale</mail> |
9 | <mail link="tseng@gentoo.org">Brandon Hale</mail> |
10 | </author> |
10 | </author> |
11 | <author title="Editor"> |
11 | <author title="Editor"> |
12 | <mail link="blackace@gentoo.org">Blackace</mail> |
12 | <mail link="blackace@gentoo.org">Blackace</mail> |
13 | </author> |
13 | </author> |
|
|
14 | <author title="Editor"> |
|
|
15 | <mail link="solar@gentoo.org">solar</mail> |
|
|
16 | </author> |
14 | |
17 | |
15 | <abstract> |
18 | <abstract> |
16 | A quickstart covering PaX and Hardened Gentoo. |
19 | A quickstart covering PaX and Hardened Gentoo. |
17 | </abstract> |
20 | </abstract> |
18 | |
21 | |
19 | <!-- The content of this document is licensed under the CC-BY-SA license --> |
22 | <!-- The content of this document is licensed under the CC-BY-SA license --> |
20 | <!-- See http://creativecommons.org/licenses/by-sa/2.0 --> |
23 | <!-- See http://creativecommons.org/licenses/by-sa/2.0 --> |
21 | <license/> |
24 | <license/> |
22 | |
25 | |
23 | <version>1.2</version> |
26 | <version>1.3</version> |
24 | <date>2004-08-07</date> |
27 | <date>2005-07-11</date> |
25 | |
28 | |
26 | <chapter> |
29 | <chapter> |
27 | <title>What is Hardened Gentoo?</title> |
30 | <title>What is Hardened Gentoo?</title> |
28 | <section> |
31 | <section> |
29 | <body> |
32 | <body> |
30 | |
33 | |
31 | <p> |
34 | <p> |
32 | Hardened Gentoo is a project interested in the hardening of a Gentoo system. |
35 | Hardened Gentoo is a project interested in the hardening of a Gentoo system. |
33 | Several different solutions are supported by us and there is a fair bit of |
36 | Several different solutions are supported by us and there is a fair bit of |
34 | flexibility to create your own setup. At the heart of Hardened Gentoo is |
37 | flexibility to create your own setup. At the heart of a common Hardened Gentoo |
35 | <e>PaX</e>. |
38 | setup is <e>PaX</e>. |
36 | </p> |
39 | </p> |
37 | |
40 | |
38 | </body> |
41 | </body> |
39 | </section> |
42 | </section> |
40 | </chapter> |
43 | </chapter> |
… | |
… | |
115 | <p> |
118 | <p> |
116 | Several Gentoo kernel trees are already patched with PaX. |
119 | Several Gentoo kernel trees are already patched with PaX. |
117 | </p> |
120 | </p> |
118 | |
121 | |
119 | <p> |
122 | <p> |
120 | For 2.4 based machines, the recommended kernels are <c>hardened-sources</c> or |
123 | For 2.4/2.6 based machines, the recommended kernels are <c>hardened-sources</c> |
121 | <c>grsec-sources</c>. For 2.6 machines, <c>hardened-dev-sources</c> are |
|
|
122 | recommended. |
|
|
123 | </p> |
124 | </p> |
124 | |
125 | |
125 | <p> |
126 | <p> |
126 | Grab one of the recommended source trees, or apply the appropriate patch from |
127 | Grab one of the recommended source trees, or apply the appropriate patch from |
127 | <uri>http://pax.grsecurity.net</uri> to your own tree and configure it as you |
128 | <uri>http://pax.grsecurity.net</uri> to your own tree and configure it as you |
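Review bot: the rewritten kernel sentence is left unterminated and no longer agrees in number. With the grsec-sources and hardened-dev-sources lines removed, the paragraph now reads "For 2.4/2.6 based machines, the recommended kernels are <c>hardened-sources</c>" followed directly by </p>. Suggest "For 2.4- and 2.6-based machines, the recommended kernel is <c>hardened-sources</c>." Since the previous revision told 2.4 users to use grsec-sources and 2.6 users hardened-dev-sources, it would also help readers of the old text to state that those trees are no longer the recommendation.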
… | |
… | |
177 | Hardened Gentoo has added support for transparent PIE/SSP building via GCC's |
178 | Hardened Gentoo has added support for transparent PIE/SSP building via GCC's |
178 | specfile. This means that any users upgrading an older Hardened install should |
179 | specfile. This means that any users upgrading an older Hardened install should |
179 | remove any LDFLAGS or CFLAGS used to trigger PIE/SSP. Also, the |
180 | remove any LDFLAGS or CFLAGS used to trigger PIE/SSP. Also, the |
180 | <c>hardened-gcc</c> package is now deprecated and should be unmerged |
181 | <c>hardened-gcc</c> package is now deprecated and should be unmerged |
181 | (version 5.0 is a dummy package). To get the current GCC, add |
182 | (version 5.0 is a dummy package). To get the current GCC, add |
182 | <c>USE="hardened pic"</c> to <path>/etc/make.conf</path>. |
183 | <c>USE="hardened pic"</c> to <path>/etc/make.conf</path> if not using the hardened |
|
|
184 | profile. |
183 | </p> |
185 | </p> |
184 | |
186 | |
185 | <p> |
187 | <p> |
186 | To maintain a consistant toolchain, first <c>emerge binutils gcc virtual/libc</c>. |
188 | To maintain a consistant toolchain, first <c>emerge binutils gcc virtual/libc</c>. |
187 | Next, rebuild the entire system with <c>emerge -e world</c>. All future packages |
189 | Next, rebuild the entire system with <c>emerge -e world</c>. All future packages |
188 | will be built with PIE/SSP. |
190 | will be built with PIE/SSP. |
189 | </p> |
191 | </p> |
190 | |
192 | |
191 | <warn> |
193 | <warn> |
192 | Both PIE and SSP are known to cause issues with some packages. If you come |
194 | Both PIE and SSP are known to cause issues with some packages. If you come |
193 | across a package that fails to compile, please file a bug report including a log |
195 | across a package that fails to compile, please file a detailed bug report including |
194 | of the failed compile and the output of <c>emerge info</c> to |
196 | a log of the failed compile and the output of <c>emerge info</c> to |
195 | <uri>http://bugs.gentoo.org/</uri>. |
197 | <uri>http://bugs.gentoo.org/</uri>. |
196 | </warn> |
198 | </warn> |
|
|
199 | |
|
|
200 | <p> |
|
|
201 | You will probably also want to merge pax-utils. |
|
|
202 | Often if an ELF has executable relocations in the text segment these can cause problems for us. |
|
|
203 | scanelf -BRylptq |
|
|
204 | </p> |
|
|
205 | |
197 | |
206 | |
198 | </body> |
207 | </body> |
199 | </section> |
208 | </section> |
200 | </chapter> |
209 | </chapter> |
201 | |
210 | |
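Review bot: the new pax-utils paragraph drops the command into the prose as bare text ("scanelf -BRylptq") with no markup and no explanation of its output. Wrap it in <c>scanelf -BRylptq</c> as the rest of this section does for commands (<c>emerge -e world</c>), or better put it in a <pre caption="..."> block like the paxctl -v example with a sample run, and tell the reader what a reported executable relocation means for them and what to do about a binary that shows one (the guide currently only says "these can cause problems for us"). The sentence "Often if an ELF has executable relocations in the text segment these can cause problems for us" also needs tightening, for example "An ELF object with executable relocations in its text segment will cause problems under PaX; <c>scanelf</c> finds such objects". Unrelated to this change but still in the hunk: "consistant toolchain" should be "consistent toolchain".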
… | |
… | |
209 | executed out of memory. Naturally, PaX does not allow this and it will promptly |
218 | executed out of memory. Naturally, PaX does not allow this and it will promptly |
210 | kill the offending application. |
219 | kill the offending application. |
211 | </p> |
220 | </p> |
212 | |
221 | |
213 | <note> |
222 | <note> |
214 | The most notable of these applications are XFree, mplayer and multimedia tools |
223 | The most notable of these applications are XFree/Xorg, mplayer and multimedia tools |
215 | based on xine-lib. The easiest way around these problems are to disable PaX |
224 | based on xine-lib. The easiest way around these problems are to disable PaX |
216 | protections. |
225 | protections. |
217 | </note> |
226 | </note> |
218 | |
227 | |
219 | <p> |
228 | <p> |
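Review bot: "The easiest way around these problems are to disable PaX protections" carries over a number-agreement error ("way ... is"), and because the workaround this guide actually describes is per-binary (paxctl run on /usr/bin/Xorg further down), the note should say "disable the relevant PaX protections on those binaries" so that nobody reads it as turning PaX off system-wide.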
… | |
… | |
247 | The first option we will note is <c>-v</c>, which can display flags set on a |
256 | The first option we will note is <c>-v</c>, which can display flags set on a |
248 | particular binary. |
257 | particular binary. |
249 | </p> |
258 | </p> |
250 | |
259 | |
251 | <pre caption="paxctl -v"> |
260 | <pre caption="paxctl -v"> |
252 | y0shi brandon # paxctl -v /usr/X11R6/bin/XFree86 |
261 | shell user # paxctl -v /usr/bin/Xorg |
253 | PaX control v0.2 |
262 | PaX control v0.2 |
254 | Copyright 2004 PaX Team <pageexec@freemail.hu> |
263 | Copyright 2004 PaX Team <pageexec@freemail.hu> |
255 | |
264 | |
256 | - PaX flags: -p-sM--x-eR- [/usr/X11R6/bin/XFree86] |
265 | - PaX flags: -p-sM--x-eR- [/usr/bin/Xorg] |
257 | PAGEEXEC is disabled |
266 | PAGEEXEC is disabled |
258 | SEGMEXEC is disabled |
267 | SEGMEXEC is disabled |
259 | MPROTECT is enabled |
268 | MPROTECT is enabled |
260 | RANDEXEC is disabled |
269 | RANDEXEC is disabled |
261 | EMUTRAMP is disabled |
270 | EMUTRAMP is disabled |
… | |
… | |
270 | To set flags on a binary, the <c>-z</c> flag is useful as it restores the |
279 | To set flags on a binary, the <c>-z</c> flag is useful as it restores the |
271 | default flags. |
280 | default flags. |
272 | </p> |
281 | </p> |
273 | |
282 | |
274 | <p> |
283 | <p> |
275 | To disable protections on XFree, run |
284 | To disable protections on Xorg, run |
276 | <c>paxctl -zpeMRxs /usr/X11R6/bin/XFree86</c>. |
285 | <c>paxctl -zpeMRxs /usr/bin/Xorg</c>. |
277 | </p> |
286 | </p> |
278 | |
287 | |
279 | <p> |
288 | <p> |
280 | Play around with disabling/enabling protections to see what is the least needed |
289 | Play around with disabling/enabling protections to see what is the least needed |
281 | to run. |
290 | to run. Often we fine that we need the -m -sp combos. |
|
|
291 | </p> |
|
|
292 | |
|
|
293 | <p> |
|
|
294 | A default init/conf.d script gets installed when you merge the chpax package |
|
|
295 | that setups some reasonable defaults on the well known misbehaviors. |
|
|
296 | You may want to enable the setting of these permissions at every boot. |
|
|
297 | Todo that you can run the following command |
|
|
298 | <c>emerge chpax ; rc-update add chpax default ; /etc/inid.d/chpax start</c> |
282 | </p> |
299 | </p> |
283 | |
300 | |
284 | </body> |
301 | </body> |
285 | </section> |
302 | </section> |
286 | </chapter> |
303 | </chapter> |
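Review bot: the new chpax paragraph contains a broken path: "/etc/inid.d/chpax start" should be "/etc/init.d/chpax start"; as written the last step of the command fails. The three commands are also chained with ";", so "rc-update add chpax default" and the init script start run even if "emerge chpax" failed; use "&&" between them, and put the sequence in a <pre caption="..."> block rather than an inline <c>, matching the paxctl -v example above. Wording in the same hunk: "Often we fine that we need the -m -sp combos" should be "Often we find that the -m and -sp combinations are needed" and should say for which kind of binaries; "that setups some reasonable defaults" should be "that sets up some reasonable defaults"; "Todo that" should be "To do that".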