GrSecurity | Hardening Two 2016 Francesco Pira (fpira.com)
A set of patches to harden your Linux kernel
What is
• set of kernel patches
• grsecurity itself, PaX, TPE
• MAC tool with RBAC based on ACL
• gradm, utility to manage the RBAC
• PaX (memory protection)
• paxctld, daemon to manage PaX
Development timeline
• First lines back in 2000/2001
• Still in active development
• Testing is open source
• Stable went closed source last year
• PaX devs collaborate but are a separate team
• PaX is still open source!
Hardening Two June 13, 2016 Francesco Pira (fpira.com)
Keywords
• roles, as higher abstraction of users
• subjects, as abstraction of executables
• objects, as abstraction of system resources
• policy, as a set of rules (usually system-wide)
• domains, combine roles of different groups together
• the policy defines behaviour of roles / subjects / objects
How it works
• object is a system resource or capability
• subject is an executable (it accesses objects)
• admin is the new root (root is treated as compromised)
• domains to combine roles and groups together
• path-based ACL, deeper path = higher priority
• hierarchies (user -> group -> default and path-based)
Features
• double authentication (via password for grsec admin and shutdown roles)
• system capabilities limitations
• default is deny-all (no rule means no execution)
• learning mode is available, full or per-process
• kernel auditing
• improved file-system and chroot() security
• Trusted Path Execution (TPE)
• kernel and userspace memory protection
• customize before compile (via menuconfig)
• underneath, settings are edited via sysctl
Installation
1. download Linux kernel sources
2. download grsecurity patch for your kernel
3. verify files, unzip and patch
4. customise with menuconfig
5. compile and install
6. install dependencies, gradm, paxctld
Post-installation
1. Set a password for basic roles
• admin
• shutdown
2. start the first learning mode (gradm -F -L /etc/grsec/learning.logs)
3. use the system normally (do not perform bad actions!)
4. check file output (/etc/grsec/learning.logs)
5. apply output file as policy (gradm -F -L /etc/grsec/learning.logs -O /etc/grsec/policy)
6. enable grsec (gradm -E)
Usage
• gradm -S to check the status
• gradm -E to enable, gradm -D to disable
• gradm -C for policy control
• gradm -a [role] to log in to a role
• gradm -u to log out
• gradm -F -L /etc/grsec/learning.logs, for learning mode
• … -O /etc/grsec/policy to apply learned rules
A policy excerpt
# Role: utentex
subject /usr/lib/firefox/firefox o {
    /                               h
    /home/utentex                   r
    /home/utentex/Downloads         rwxcd
    /home/utentex/cartellasegreta   h
}
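How the excerpt above combines with "path-based ACL, deeper path = higher priority" and "default is deny-all" can be worked through in code. This is an added example, not code from the slides or from grsecurity: the function names are hypothetical, and the model is simplified to plain string paths (no wildcards, inheritance, capabilities or learning), with `h` treated as "no access at all".

```python
import posixpath
import re

# Policy excerpt as shown on the slide.
POLICY = """\
# Role: utentex
subject /usr/lib/firefox/firefox o {
    /                               h
    /home/utentex                   r
    /home/utentex/Downloads         rwxcd
    /home/utentex/cartellasegreta   h
}
"""

SUBJECT_RE = re.compile(r"subject\s+(\S+)(?:\s+([A-Za-z]+))?\s*\{")


def _norm(path):
    """Collapse '..', '.' and duplicate slashes so prefix checks cannot be dodged."""
    return posixpath.normpath("/" + path.lstrip("/"))


def parse_subjects(text):
    """Parse 'subject <path> [mode] { <object> <modes> ... }' blocks.

    Returns {subject_path: {"mode": str, "objects": {object_path: modes}}}.
    """
    subjects, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments such as "# Role: ..."
        if not line:
            continue
        header = SUBJECT_RE.fullmatch(line)
        if header:
            if current is not None:
                raise ValueError(f"line {lineno}: nested subject block")
            current = {"mode": header.group(2) or "", "objects": {}}
            subjects[header.group(1)] = current
        elif line == "}":
            if current is None:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            current = None
        elif current is not None:
            parts = line.split()
            if len(parts) > 2 or not parts[0].startswith("/"):
                raise ValueError(f"line {lineno}: bad object rule {line!r}")
            # An object listed with no mode letters grants nothing.
            current["objects"][_norm(parts[0])] = parts[1] if len(parts) == 2 else ""
        else:
            raise ValueError(f"line {lineno}: rule outside a subject block")
    if current is not None:
        raise ValueError("unterminated subject block")
    return subjects


def matching_object(objects, path):
    """Return the deepest object that contains `path`, or None if nothing matches."""
    path = _norm(path)
    best = None
    for obj in objects:
        # Match on whole path components: /home/utentex/Downloads must not
        # capture /home/utentex/Downloads2.
        inside = obj == "/" or path == obj or path.startswith(obj + "/")
        if inside and (best is None or len(obj) > len(best)):
            best = obj
    return best


def allowed(objects, path, wanted):
    """True if every mode letter in `wanted` is granted on `path`."""
    obj = matching_object(objects, path)
    if obj is None:          # default is deny-all: no rule, no access
        return False
    modes = objects[obj]
    if "h" in modes:         # hidden: modelled here as no access
        return False
    return all(letter in modes for letter in wanted)


if __name__ == "__main__":
    firefox = parse_subjects(POLICY)["/usr/lib/firefox/firefox"]["objects"]
    for path, wanted in [
        ("/home/utentex/Downloads/a.pdf", "rw"),
        ("/home/utentex/notes.txt", "w"),
        ("/home/utentex/Downloads/../cartellasegreta/key", "r"),
        ("/etc/passwd", "r"),
    ]:
        verdict = "allow" if allowed(firefox, path, wanted) else "deny"
        print(f"{verdict:5} {wanted:3} {path}  (rule: {matching_object(firefox, path)})")
```

The `/ h` rule is what makes the subject deny-by-default for the whole filesystem: any path not covered by a deeper object falls back to it.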
The good
• theoretically compatible with all Linux distros
• can coexist with other LSM-based tools
• good role management
• inheritance of rules
• policy syntax supports union, intersections and wildcards ( * , ? , [] )
• memory protection included
• can’t enable a policy if it is too permissive
• RAP to defend against code reuse attacks
The bad
• all policy sits in one file
• inconvenient for manual editing
• cannot write rules using gradm
• per-subject learning mode is unfriendly
• you only have access to testing code
• stable is closed-source (and expensive!)
About PaX
• Protects from:
• arbitrary code execution
• execution of original code, but in a different order
• execution of original code in order, plus malicious code
• How?
• NOEXEC and runtime code checking
• ASLR, to better randomise memory addresses
• putting flags in the executable header (needs conversion!)
Resources
• Official Wiki (https://en.wikibooks.org/wiki/Grsecurity)
• Debian Wiki (https://wiki.debian.org/grsecurity)
• Gentoo Wiki (wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart)
• forums.grsecurity.net
• official mailing list
• irc.oftc.net #grsecurity
• https://grsecurity.net/rap_faq.php
• PaX - Gentoo Wiki (https://wiki.gentoo.org/wiki/Project:Hardened/PaX_Quickstart)
• chpax (8) - man online (http://dev.man-online.org/man8/chpax/)
• TPE (https://wiki.gentoo.org/wiki/Hardened/Grsecurity_Trusted_Path_Execution)
Questions?
Thank you

Getting started with GrSecurity
