Grsecurity
grsecurity is a set of patches for the Linux kernel with an emphasis on enhancing security. Its typical application is in computer systems that accept remote connections from untrusted locations, such as web servers and systems offering shell access to their users.

grsecurity is released under the GNU General Public License, and the FSF considers it free software.

PaX

A major component bundled with grsecurity is PaX. Amongst other things, the patch flags data memory—such as that on the stack—as non-executable, and program memory as non-writable. The aim is to prevent memory from being overwritten, which prevents many types of security vulnerabilities, such as buffer overflows. PaX also provides address space layout randomization (ASLR), which randomizes important memory addresses to hinder attacks that rely on such addresses being easily known. PaX is not itself developed by the grsecurity developers, and is also available independently from grsecurity.
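As an added illustration (not code from this article, nor from the grsecurity or PaX projects), the following C program audits a process's memory map for the property PaX enforces: no mapping that is both writable and executable, and a non-executable stack. It parses the /proc/<pid>/maps line format; the embedded listing is a constructed sample with one deliberately writable+executable heap region, and main() falls back to that sample when /proc/self/maps cannot be read.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/<pid>/maps format (not captured from a real
 * system). The heap line deliberately has "rwxp": a writable and executable
 * region of the kind PaX's NX enforcement is meant to rule out. */
static const char sample_maps[] =
    "00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/example\n"
    "00651000-00652000 r--p 00051000 08:01 1234 /usr/bin/example\n"
    "00652000-00653000 rw-p 00052000 08:01 1234 /usr/bin/example\n"
    "01a00000-01a21000 rwxp 00000000 00:00 0 [heap]\n"
    "7ffd3a1e0000-7ffd3a201000 rw-p 00000000 00:00 0 [stack]\n";

/* Extract the 4-character permission field ("rwxp") of one maps line.
 * Returns 1 on success, 0 if the line does not look like a maps entry. */
static int parse_perms(const char *line, char perms[5])
{
    unsigned long start, end;
    return sscanf(line, "%lx-%lx %4s", &start, &end, perms) == 3;
}

/* A single line describes a W^X violation if it is both writable and executable. */
int line_is_wx(const char *line)
{
    char perms[5];
    return parse_perms(line, perms) && strchr(perms, 'w') && strchr(perms, 'x');
}

/* The main-thread stack appears with the pathname "[stack]". */
static int line_is_exec_stack(const char *line)
{
    char perms[5];
    return strstr(line, "[stack]") != NULL &&
           parse_perms(line, perms) && strchr(perms, 'x') != NULL;
}

/* Call fn on each line (copied so fn sees one line, not the rest of the buffer)
 * and return how many lines fn accepted. */
static int for_each_line(const char *maps, int (*fn)(const char *))
{
    int count = 0;
    const char *p = maps;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char buf[512];
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, p, len);
        buf[len] = '\0';
        if (fn(buf))
            count++;
        if (!nl)
            break;
        p = nl + 1;
    }
    return count;
}

/* Number of mappings that are writable and executable at the same time. */
int count_wx_mappings(const char *maps)
{
    return for_each_line(maps, line_is_wx);
}

/* 1 if the process stack mapping carries the execute bit, else 0. */
int stack_is_executable(const char *maps)
{
    return for_each_line(maps, line_is_exec_stack) > 0;
}

int main(void)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f)
        fclose(f);
    buf[n] = '\0';
    const char *maps = n ? buf : sample_maps;   /* fall back to the sample */
    printf("%s: %d writable+executable mapping(s), stack %s\n",
           n ? "/proc/self/maps" : "constructed sample",
           count_wx_mappings(maps),
           stack_is_executable(maps) ? "executable" : "non-executable");
    return 0;
}
```

On a PaX kernel with NX enforcement active, the count for a well-behaved process is 0 and the stack is reported non-executable; a nonzero count points at a mapping (a JIT region, a legacy library needing an executable stack) that the administrator would have to mark with a PaX flag exception or fix.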

Role-based access control

Another notable component of grsecurity is that it provides a full role-based access control (RBAC) system. RBAC is intended to restrict access to the system further than what is normally provided by Unix access control lists, with the aim of creating a fully least-privilege system, where users and processes have the absolute minimum privileges to work correctly and nothing more. This way, if the system is compromised, the ability of the attacker to damage the system or gain sensitive information from it can be drastically reduced. RBAC works through a collection of roles. Each role can have individual restrictions on what it can or cannot do, and these roles and restrictions form an access policy, which can be amended as needed.

A list of RBAC features:
  • Domain support for users and groups
  • Role transition tables
  • IP-based roles
  • Non-root access to special roles
  • Special roles that require no authentication
  • Nested subjects
  • Support for variables in the configuration
  • And, or, and difference set operations on variables in configuration
  • Object mode that controls the creation of setuid and setgid files
  • Create and delete object modes
  • Kernel interpretation of inheritance
  • Real-time regular expression resolution
  • Ability to deny ptraces to specific processes
  • User and group transition checking and enforcement on an inclusive or exclusive basis
  • /dev/grsec entry for kernel authentication and learning logs
  • Next-generation code that produces least-privilege policies for the entire system with no configuration
  • Policy statistics for gradm
  • Inheritance-based learning
  • Learning configuration file that allows the administrator to enable inheritance-based learning or disable learning on specific paths
  • Full path names for offending process and parent process
  • RBAC status function for gradm
  • /proc//ipaddr gives the remote address of the person who started a given process
  • Secure policy enforcement
  • Supports read, write, append, execute, view, and read-only ptrace object permissions
  • Supports hide, protect, and override subject flags
  • Supports the PaX flags
  • Shared memory protection feature
  • Integrated local attack response on all alerts
  • Subject flag that ensures a process can never execute trojaned code
  • Full-featured, fine-grained auditing
  • Resource, socket, and capability support
  • Protection against exploit bruteforcing
  • /proc/pid filedescriptor/memory protection
  • Rules can be placed on non-existent files/processes
  • Policy regeneration on subjects and objects
  • Configurable log suppression
  • Configurable process accounting
  • Human-readable configuration
  • Not filesystem or architecture dependent
  • Scales well: supports as many policies as memory can handle with the same performance hit
  • No run-time memory allocation
  • SMP safe
  • O(1) time efficiency for most operations
  • Include directive for specifying additional policies
  • Enable, disable, reload capabilities
  • Option to hide kernel processes

Chroot restrictions

grsecurity restricts chroot in a variety of ways to prevent vulnerabilities and privilege escalation attacks, as well as to add additional checks and balances.

Chroot Modifications:
  • No attaching shared memory outside of chroot
  • No kill outside of chroot
  • No ptrace outside of chroot (architecture independent)
  • No capget outside of chroot
  • No setpgid outside of chroot
  • No getpgid outside of chroot
  • No getsid outside of chroot
  • No sending of signals by fcntl outside of chroot
  • No viewing of any process outside of chroot, even if /proc is mounted
  • No mounting or remounting
  • No pivot_root
  • No double chroot
  • No fchdir out of chroot
  • Enforced chdir("/") upon chroot
  • No (f)chmod +s
  • No mknod
  • No sysctl writes
  • No raising of scheduler priority
  • No connecting to abstract unix domain sockets outside of chroot
  • Removal of harmful privileges via cap

Miscellaneous features

grsecurity also adds enhanced auditing to the Linux kernel. It can be configured to audit a specific group of users, mounting/unmounting of devices, changes to the system time and date, and chdir logging, amongst other things. Some of these other audits allow the admin to also log denied resource attempts, failed fork attempts, IPC creation and removal, and exec logging with arguments.

Trusted path execution is another optional feature that can be used to prevent users from executing binaries that are not owned by the root user, or are world-writable. This is useful to prevent users from executing their own malicious binaries or accidentally executing world-writable system binaries that could have been modified by a malicious user.
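The ownership and permission rule described above can be expressed as a small user-space check. The C code below is an added example, not grsecurity's kernel implementation (whose checks differ in detail, for instance by also considering the directory that holds the binary): tpe_allows() applies the article's rule to an owner uid and a file mode, and tpe_check_path() looks those values up with stat(2) for a real path.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Decision helper modelling the rule the article states for Trusted Path
 * Execution: a binary may run only if it is owned by root and is not
 * world-writable. Illustrative user-space model, not grsecurity's kernel code. */
int tpe_allows(uid_t owner, mode_t mode)
{
    if (owner != 0)
        return 0;               /* not owned by root: user-supplied binary */
    if (mode & S_IWOTH)
        return 0;               /* world-writable: anyone could have replaced it */
    return 1;
}

/* Apply the rule to a real path. Returns 1 (allowed), 0 (denied) or
 * -1 if the path cannot be stat(2)ed. Non-regular files are denied. */
int tpe_check_path(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    if (!S_ISREG(st.st_mode))
        return 0;
    return tpe_allows(st.st_uid, st.st_mode);
}

/* Usage: ./tpe_check /usr/bin/id /home/user/bin/tool ... */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        int r = tpe_check_path(argv[i]);
        printf("%s: %s\n", argv[i],
               r < 0 ? "stat failed" : r ? "allowed" : "denied");
    }
    return argc > 1 ? 0 : 1;
}
```

Run against a system binary (root-owned, mode 0755) it reports "allowed"; against a copy in a user's home directory, or a root-owned file that has been made world-writable, it reports "denied", which is exactly the distinction the kernel feature enforces at exec time.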

grsecurity also hardens the way chroot "jails" work. A chroot jail can be used to isolate a particular process from the rest of the system, which can be used to minimise the potential for damage should the service be compromised. There are ways to "break out" of a chroot jail, which grsecurity attempts to prevent.

There are also other features that increase security and prevent users from gaining unnecessary knowledge about the system, such as restricting the dmesg and netstat commands to the root user.

List of additional features and security improvements:
  • /proc restrictions that don't leak information about process owners
  • Symlink/hardlink restrictions to prevent /tmp races
  • FIFO restrictions
  • Dmesg(8) restriction
  • Enhanced implementation of Trusted Path Execution
  • GID-based socket restrictions
  • Nearly all options are sysctl-tunable, with a locking mechanism
  • All alerts and audits support a feature that logs the IP address of the attacker with the log
  • Stream connections across unix domain sockets carry the attacker's IP address with them (on 2.4 only)
  • Detection of local connections: copies attacker's IP address to the other task
  • Automatic deterrence of exploit brute-forcing
  • Low, Medium, High, and Custom security levels
  • Tunable flood-time and burst for logging

See also

  • Exec Shield
  • Linux Security Modules
  • PaX
  • Security-Enhanced Linux
  • Tor-ramdisk

External links

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.