| 1 | <?xml version='1.0' encoding="UTF-8"?> |
1 | <?xml version='1.0' encoding="UTF-8"?> |
| 2 | <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/pax-quickstart.xml,v 1.6 2005/04/18 19:39:05 solar Exp $ --> |
2 | <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/pax-quickstart.xml,v 1.7 2005/07/12 01:02:46 solar Exp $ --> |
| 3 | <!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> |
3 | <!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> |
| 4 | |
4 | |
| 5 | <guide link="/proj/en/hardened/pax-quickstart.xml"> |
5 | <guide link="/proj/en/hardened/pax-quickstart.xml"> |
| 6 | <title>Hardened Gentoo PaX Quickstart</title> |
6 | <title>Hardened Gentoo PaX Quickstart</title> |
| 7 | |
7 | |
| … | |
… | |
| 9 | <mail link="tseng@gentoo.org">Brandon Hale</mail> |
9 | <mail link="tseng@gentoo.org">Brandon Hale</mail> |
| 10 | </author> |
10 | </author> |
| 11 | <author title="Editor"> |
11 | <author title="Editor"> |
| 12 | <mail link="blackace@gentoo.org">Blackace</mail> |
12 | <mail link="blackace@gentoo.org">Blackace</mail> |
| 13 | </author> |
13 | </author> |
|
|
14 | <author title="Editor"> |
|
|
15 | <mail link="solar@gentoo.org">solar</mail> |
|
|
16 | </author> |
| 14 | |
17 | |
| 15 | <abstract> |
18 | <abstract> |
| 16 | A quickstart covering PaX and Hardened Gentoo. |
19 | A quickstart covering PaX and Hardened Gentoo. |
| 17 | </abstract> |
20 | </abstract> |
| 18 | |
21 | |
| 19 | <!-- The content of this document is licensed under the CC-BY-SA license --> |
22 | <!-- The content of this document is licensed under the CC-BY-SA license --> |
| 20 | <!-- See http://creativecommons.org/licenses/by-sa/2.0 --> |
23 | <!-- See http://creativecommons.org/licenses/by-sa/2.0 --> |
| 21 | <license/> |
24 | <license/> |
| 22 | |
25 | |
| 23 | <version>1.2</version> |
26 | <version>1.3</version> |
| 24 | <date>2004-08-07</date> |
27 | <date>2005-07-11</date> |
| 25 | |
28 | |
| 26 | <chapter> |
29 | <chapter> |
| 27 | <title>What is Hardened Gentoo?</title> |
30 | <title>What is Hardened Gentoo?</title> |
| 28 | <section> |
31 | <section> |
| 29 | <body> |
32 | <body> |
| 30 | |
33 | |
| 31 | <p> |
34 | <p> |
| 32 | Hardened Gentoo is a project interested in the hardening of a Gentoo system. |
35 | Hardened Gentoo is a project interested in the hardening of a Gentoo system. |
| 33 | Several different solutions are supported by us and there is a fair bit of |
36 | Several different solutions are supported by us and there is a fair bit of |
| 34 | flexibility to create your own setup. At the heart of Hardened Gentoo is |
37 | flexibility to create your own setup. At the heart of a common Hardened Gentoo |
| 35 | <e>PaX</e>. |
38 | setup is <e>PaX</e>. |
| 36 | </p> |
39 | </p> |
| 37 | |
40 | |
| 38 | </body> |
41 | </body> |
| 39 | </section> |
42 | </section> |
| 40 | </chapter> |
43 | </chapter> |
| … | |
… | |
| 115 | <p> |
118 | <p> |
| 116 | Several Gentoo kernel trees are already patched with PaX. |
119 | Several Gentoo kernel trees are already patched with PaX. |
| 117 | </p> |
120 | </p> |
| 118 | |
121 | |
| 119 | <p> |
122 | <p> |
| 120 | For 2.4 based machines, the recommended kernels are <c>hardened-sources</c> or |
123 | For 2.4/2.6 based machines, the recommended kernels are <c>hardened-sources</c> |
| 121 | <c>grsec-sources</c>. For 2.6 machines, <c>hardened-dev-sources</c> are |
|
|
| 122 | recommended. |
|
|
| 123 | </p> |
124 | </p> |
| 124 | |
125 | |
| 125 | <p> |
126 | <p> |
| 126 | Grab one of the recommended source trees, or apply the appropriate patch from |
127 | Grab one of the recommended source trees, or apply the appropriate patch from |
| 127 | <uri>http://pax.grsecurity.net</uri> to your own tree and configure it as you |
128 | <uri>http://pax.grsecurity.net</uri> to your own tree and configure it as you |
| … | |
… | |
| 177 | Hardened Gentoo has added support for transparent PIE/SSP building via GCC's |
178 | Hardened Gentoo has added support for transparent PIE/SSP building via GCC's |
| 178 | specfile. This means that any users upgrading an older Hardened install should |
179 | specfile. This means that any users upgrading an older Hardened install should |
| 179 | remove any LDFLAGS or CFLAGS used to trigger PIE/SSP. Also, the |
180 | remove any LDFLAGS or CFLAGS used to trigger PIE/SSP. Also, the |
| 180 | <c>hardened-gcc</c> package is now deprecated and should be unmerged |
181 | <c>hardened-gcc</c> package is now deprecated and should be unmerged |
| 181 | (version 5.0 is a dummy package). To get the current GCC, add |
182 | (version 5.0 is a dummy package). To get the current GCC, add |
| 182 | <c>USE="hardened pic"</c> to <path>/etc/make.conf</path>. |
183 | <c>USE="hardened pic"</c> to <path>/etc/make.conf</path> if not using the hardened |
|
|
184 | profile. |
| 183 | </p> |
185 | </p> |
| 184 | |
186 | |
| 185 | <p> |
187 | <p> |
| 186 | To maintain a consistant toolchain, first <c>emerge binutils gcc virtual/libc</c>. |
188 | To maintain a consistant toolchain, first <c>emerge binutils gcc virtual/libc</c>. |
| 187 | Next, rebuild the entire system with <c>emerge -e world</c>. All future packages |
189 | Next, rebuild the entire system with <c>emerge -e world</c>. All future packages |
| 188 | will be built with PIE/SSP. |
190 | will be built with PIE/SSP. |
| 189 | </p> |
191 | </p> |
| 190 | |
192 | |
| 191 | <warn> |
193 | <warn> |
| 192 | Both PIE and SSP are known to cause issues with some packages. If you come |
194 | Both PIE and SSP are known to cause issues with some packages. If you come |
| 193 | across a package that fails to compile, please file a bug report including a log |
195 | across a package that fails to compile, please file a detailed bug report including |
| 194 | of the failed compile and the output of <c>emerge info</c> to |
196 | a log of the failed compile and the output of <c>emerge info</c> to |
| 195 | <uri>http://bugs.gentoo.org/</uri>. |
197 | <uri>http://bugs.gentoo.org/</uri>. |
| 196 | </warn> |
198 | </warn> |
|
|
199 | |
|
|
200 | <p> |
|
|
201 | You will probably also want to merge pax-utils. |
|
|
202 | Often if an ELF has executable relocations in the text segment these can cause problems for us. |
|
|
203 | scanelf -BRylptq |
|
|
204 | </p> |
|
|
205 | |
| 197 | |
206 | |
| 198 | </body> |
207 | </body> |
| 199 | </section> |
208 | </section> |
| 200 | </chapter> |
209 | </chapter> |
| 201 | |
210 | |
| … | |
… | |
| 209 | executed out of memory. Naturally, PaX does not allow this and it will promptly |
218 | executed out of memory. Naturally, PaX does not allow this and it will promptly |
| 210 | kill the offending application. |
219 | kill the offending application. |
| 211 | </p> |
220 | </p> |
| 212 | |
221 | |
| 213 | <note> |
222 | <note> |
| 214 | The most notable of these applications are XFree, mplayer and multimedia tools |
223 | The most notable of these applications are XFree/Xorg, mplayer and multimedia tools |
| 215 | based on xine-lib. The easiest way around these problems are to disable PaX |
224 | based on xine-lib. The easiest way around these problems are to disable PaX |
| 216 | protections. |
225 | protections. |
| 217 | </note> |
226 | </note> |
| 218 | |
227 | |
| 219 | <p> |
228 | <p> |
| … | |
… | |
| 247 | The first option we will note is <c>-v</c>, which can display flags set on a |
256 | The first option we will note is <c>-v</c>, which can display flags set on a |
| 248 | particular binary. |
257 | particular binary. |
| 249 | </p> |
258 | </p> |
| 250 | |
259 | |
| 251 | <pre caption="paxctl -v"> |
260 | <pre caption="paxctl -v"> |
| 252 | y0shi brandon # paxctl -v /usr/X11R6/bin/XFree86 |
261 | shell user # paxctl -v /usr/bin/Xorg |
| 253 | PaX control v0.2 |
262 | PaX control v0.2 |
| 254 | Copyright 2004 PaX Team <pageexec@freemail.hu> |
263 | Copyright 2004 PaX Team <pageexec@freemail.hu> |
| 255 | |
264 | |
| 256 | - PaX flags: -p-sM--x-eR- [/usr/X11R6/bin/XFree86] |
265 | - PaX flags: -p-sM--x-eR- [/usr/bin/Xorg] |
| 257 | PAGEEXEC is disabled |
266 | PAGEEXEC is disabled |
| 258 | SEGMEXEC is disabled |
267 | SEGMEXEC is disabled |
| 259 | MPROTECT is enabled |
268 | MPROTECT is enabled |
| 260 | RANDEXEC is disabled |
269 | RANDEXEC is disabled |
| 261 | EMUTRAMP is disabled |
270 | EMUTRAMP is disabled |
| … | |
… | |
| 270 | To set flags on a binary, the <c>-z</c> flag is useful as it restores the |
279 | To set flags on a binary, the <c>-z</c> flag is useful as it restores the |
| 271 | default flags. |
280 | default flags. |
| 272 | </p> |
281 | </p> |
| 273 | |
282 | |
| 274 | <p> |
283 | <p> |
| 275 | To disable protections on XFree, run |
284 | To disable protections on Xorg, run |
| 276 | <c>paxctl -zpeMRxs /usr/X11R6/bin/XFree86</c>. |
285 | <c>paxctl -zpeMRxs /usr/bin/Xorg</c>. |
| 277 | </p> |
286 | </p> |
| 278 | |
287 | |
| 279 | <p> |
288 | <p> |
| 280 | Play around with disabling/enabling protections to see what is the least needed |
289 | Play around with disabling/enabling protections to see what is the least needed |
| 281 | to run. |
290 | to run. Often we fine that we need the -m -sp combos. |
|
|
291 | </p> |
|
|
292 | |
|
|
293 | <p> |
|
|
294 | A default init/conf.d script gets installed when you merge the chpax package |
|
|
295 | that setups some reasonable defaults on the well known misbehaviors. |
|
|
296 | You may want to enable the setting of these permissions at every boot. |
|
|
297 | Todo that you can run the following command |
|
|
298 | <c>emerge chpax ; rc-update add chpax default ; /etc/inid.d/chpax start</c> |
| 282 | </p> |
299 | </p> |
| 283 | |
300 | |
| 284 | </body> |
301 | </body> |
| 285 | </section> |
302 | </section> |
| 286 | </chapter> |
303 | </chapter> |
Parent Directory
| 
Revision Log
| 
Patch