maandag 10 september 2012

Compile a stable 3.2.28 grsecurity kernel with AppArmor and TPE trusted patch execution enabled

I noticed i had a spare pentium4 with 384MB RAM left and decided to install a
grsecurity+AppArmor hardened kernel with Trusted Path Execution enabled.
As OS i will use a fresh install of the latest xubuntu with xfce4 desktop and ext2/ext3
filesystem.The purpose of configuring TPE later on is to prevent a non root user from
executing executable files other than the ones installed by root himself.So any
executable and scripts will not execute from /home/username
You could also first add a least privilege user right after a fresh install of xubuntu
and start from there.
 ubuntu-least-privilege-instead-of-power



For indepth documentation regarding grsecurity i gladly refer to the exellent Grsecurity website:

http://grsecurity.net

From there you will need to download the grsec patch for the vanilla 3.2.28 kernel
From http://www.kernel.org/pub/linux/kernel/v3.x/ you will to download
linux-3.2.28.tar.bz2 and copy the package as root to: /usr/src
eg:
#cp /home/username/Downloads/linux-3.2.28.tar.bz2 /usr/src

now unpack the package:

#tar -xvjpf linux-3.2.28.tar.bz2

copy the downloaded grsec patch as well to the /usr/src directory

#cp  /home/username/Downloads/grsecurity-2.9.1-3.2.28-201209062131.patch /usr/src

change directory to the just unpacked kernel:

#cd /usr/src/linux-3.2.28
 
patch the 3.2.28 vanilla kernel with the grsecurity patch,
while in the  /usr/src/linux-3.2.28 dir

# patch -p1 < ../grsecurity-2.9.1-3.2.28-201209062131.patch

Before we can actually configure and compile the hardened kernel we have to
install some needed packages.And we need to know the group ID of the sudo or
least privilege user in order to configure a grsec option later on.

# apt-get install git-core kernel-package fakeroot build-essential ncurses-dev gcc-4.6-plugin-dev
 
Open a second terminal and enter id:
 
$id 


remember the number after gid=




you can close the second terminal now


 


Now configure the kernel while in de linux-3.2.28 kernel-source directory in first


terminal.Make sure to compile the ext2 and or ext3 filesystem within the kernel instead of as module


(*) instead of (M)


 






 


By pressing the space bar you can select the options in case you didn't know


Configure the options as in the pictures. 


#make menuconfig 













 The RBAC system (grsec's equivalent of AppArmor) is disabled.





 AppArmor selected as default RBAC





 Notice the gid 1001










 Now let's compile the kernel:


 


#make && make modules_install && make install 












Gepost door



op





Geen opmerkingen:
  










































Ubuntu least privilege instead of power user










After a default Ubuntu install you login with a equivalent of the windows "Power user" who is member of the following groups:


 


adm cdrom sudo dip plugdev






To increase the system security a little bit further add another user with a 

different password and uncheck all the group memberships.This way an attacker must know the username of the power user first and than the different password.

Furthermore if something with the least privilege gets compromized a direct sudo

can't be run.



Let's say we have two users: brick (power user) and wall (least privilege user)

In order to run: sudo apt-get update && sudo apt-get dist-upgrade,

you will have to su to brick first after which you have to enter another password

to be able to run whatever sudo command.



eg: su brick

passwd:

brick@blah-blah :/home/wall$

and then you can you can run something like: sudo apt-get update && sudo dist-upgrade or sudo psad -L or sudo psad -S.












Gepost door



op





Geen opmerkingen:
  


































          

        

          

        

zondag 9 september 2012


          

        
















Install and configure a working port scan attack daemon PSAD on a Ubuntu 12.04

desktop with one network interface.There are not that many handson websites dealing with psad for a specific linux distro.And the ones who exist miss some essential details to get things working.

So i thought ,why not write a quick recipy that quickly gives you  both a working iptables script and psad.



I assume you have Ubuntu 12.04 installed and xtables-addons.



For the installation of psad and dependancies i also refer to the following website:



http://bodhizazen.net/Tutorials/psad



Although i prefer to install packages from a official repository as much as possible

your mileage may vary.You can perfectly well use ufw or the iptables example from the above mentioned website although I used the desk firewall example from the nixcraft website:



http://www.cyberciti.biz/faq/linux-detect-port-scan-attacks/





Configure psad:





sudo nano -w /etc/psad/psad.conf  ###de rest of the default settings will do fine



HOME_NET                    NOT_USED;

EXTERNAL_NET                any;

ENABLE_SNORT_SIG_STRICT     N;

ENABLE_AUTO_IDS             Y;

ENABLE_AUTO_IDS_REGEX       N;  ### if you say Y here psad will not auto-block

IPTABLES_BLOCK_METHOD       Y;

TCPWRAPPERS_BLOCK_METHOD    N;

AUTO_IDS_DANGER_LEVEL 2;



Make sure your router is whitelisted:

sudo nano  -w /etc/psad/auto_dl.conf

and append:

eg: 192.192.178.1.1 0; ### all is well explained in the file though, zero means:ignore



Remove rsyslog,install sysklogd,run the iptables script,restart psad

sudo apt-get install sysklogd

 append to /etc/syslog.conf: kern.info       |/var/lib/psad/psadfifo

chmod +x desk.fw

./desk.fw 

sudo psad --sig-update && sudo psad -H

sudo /etc/init.d/sysklogd restart



Now it´s time to go to a site such as nmap onlie in order to test psad.

After a while online without directly provoking a psad reaction yourself you could see something like this:

sudo psad -H ### which displays the psad block chains



Chain PSAD_BLOCK_INPUT (1 references)

 pkts bytes target     prot opt in     out     source               destination         

    0     0 DROP       all  --  *      *       62.58.48.30          0.0.0.0/0           

    0     0 DROP       all  --  *      *       111.1.76.214         0.0.0.0/0           

    0     0 DROP       all  --  *      *       174.36.4.18          0.0.0.0/0           



Chain PSAD_BLOCK_OUTPUT (1 references)

 pkts bytes target     prot opt in     out     source               destination         

    0     0 DROP       all  --  *      *       0.0.0.0/0            62.58.48.30         

    0     0 DROP       all  --  *      *       0.0.0.0/0            111.1.76.214        

    0     0 DROP       all  --  *      *       0.0.0.0/0            174.36.4.18         



Chain PSAD_BLOCK_FORWARD (1 references)

 pkts bytes target     prot opt in     out     source               destination         

    0     0 DROP       all  --  *      *       0.0.0.0/0            62.58.48.30         

    0     0 DROP       all  --  *      *       62.58.48.30          0.0.0.0/0           

    0     0 DROP       all  --  *      *       0.0.0.0/0            111.1.76.214        

    0     0 DROP       all  --  *      *       111.1.76.214         0.0.0.0/0           

    0     0 DROP       all  --  *      *       0.0.0.0/0            174.36.4.18         

    0     0 DROP       all  --  *      *       174.36.4.18          0.0.0.0/0  















$host 85.190.0.3

$3.0.190.85.in-addr.arpa domain name pointer proxyscan.freenode.net




















Gepost door



op





Geen opmerkingen:
  


































        

      









Abonneren op:
Posts (Atom)