kernel hardening flags #28

Open
ageis opened this issue Mar 1, 2019 · 5 comments

ageis commented Mar 1, 2019

Description

I'm not sure if there's a dedicated repository for the kernel used on the SecureDrop servers anymore, so let me know where to put this. But this is a continuation of some prior updates I recommended to the configuration you're using to build. Thanks to a new tool from @a13xp0p0v called kconfig-hardened-check, we no longer have to manually watch changelogs, etc. for when security features and new config flags land in mainline (for those who are unaware, the KSPP has been porting a lot of grsecurity/PaX-inspired features into Linux proper). A brief chat I had with Spender a long time ago confirmed that these generally don't conflict or interfere with grsec.

As this article by @nettrino describes, Linux distributions are hit and miss and many are not taking advantage of the features.

The first obstacle is that you're still on 4.4, so that will narrow the modifications we can make to the config since much of this work landed with 4.14. We'd have to figure out which are available, which are too new, and perform enough testing and quality assurance of the new kernel.

In any event, as a launching-off point, I'm pasting the output of the kconfig-hardened-check script against the current SecureDrop kernel config.

[+] Detected architecture: X86_64
[+] Checking "config-4.4.167-grsec" against hardening preferences...
  option name                            | desired val | decision |       reason       ||        check result        
  ===================================================================================================================
  CONFIG_BUG                             |      y      |defconfig |  self_protection   ||             OK             
  CONFIG_STRICT_KERNEL_RWX               |      y      |defconfig |  self_protection   ||CONFIG_DEBUG_RODATA: OK ("y")
  CONFIG_STACKPROTECTOR_STRONG           |      y      |defconfig |  self_protection   ||      FAIL: not found       
  CONFIG_SLUB_DEBUG                      |      y      |defconfig |  self_protection   ||             OK             
  CONFIG_STRICT_MODULE_RWX               |      y      |defconfig |  self_protection   ||      FAIL: not found       
  CONFIG_PAGE_TABLE_ISOLATION            |      y      |defconfig |  self_protection   ||      FAIL: not found       
  CONFIG_RANDOMIZE_MEMORY                |      y      |defconfig |  self_protection   ||      FAIL: not found       
  CONFIG_RANDOMIZE_BASE                  |      y      |defconfig |  self_protection   ||      FAIL: not found       
  CONFIG_RETPOLINE                       |      y      |defconfig |  self_protection   ||             OK             
  CONFIG_X86_SMAP                        |      y      |defconfig |  self_protection   ||             OK             
  CONFIG_X86_INTEL_UMIP                  |      y      |defconfig |  self_protection   ||      FAIL: not found       
  CONFIG_SYN_COOKIES                     |      y      |defconfig |  self_protection   ||             OK             
  CONFIG_VMAP_STACK                      |      y      |defconfig |  self_protection   ||      FAIL: not found       
  CONFIG_THREAD_INFO_IN_TASK             |      y      |defconfig |  self_protection   ||      FAIL: not found       
  CONFIG_BUG_ON_DATA_CORRUPTION          |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_DEBUG_WX                        |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_SCHED_STACK_END_CHECK           |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_PAGE_POISONING                  |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_SLAB_FREELIST_HARDENED          |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_SLAB_FREELIST_RANDOM            |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_HARDENED_USERCOPY               |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_HARDENED_USERCOPY_FALLBACK      | is not set  |   kspp   |  self_protection   ||       OK: not found        
  CONFIG_FORTIFY_SOURCE                  |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_GCC_PLUGINS                     |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_GCC_PLUGIN_RANDSTRUCT           |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_GCC_PLUGIN_STRUCTLEAK           |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_GCC_PLUGIN_LATENT_ENTROPY       |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_DEBUG_LIST                      |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_DEBUG_SG                        |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_DEBUG_CREDENTIALS               |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_DEBUG_NOTIFIERS                 |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_MODULE_SIG                      |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_MODULE_SIG_ALL                  |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_MODULE_SIG_SHA512               |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_MODULE_SIG_FORCE                |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_DEFAULT_MMAP_MIN_ADDR           |    65536    |   kspp   |  self_protection   ||             OK             
  CONFIG_REFCOUNT_FULL                   |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_GCC_PLUGIN_STACKLEAK            |      y      |    my    |  self_protection   ||      FAIL: not found       
  CONFIG_LOCK_DOWN_KERNEL                |      y      |    my    |  self_protection   ||      FAIL: not found       
  CONFIG_SLUB_DEBUG_ON                   |      y      |    my    |  self_protection   ||     FAIL: "is not set"     
  CONFIG_SECURITY_DMESG_RESTRICT         |      y      |    my    |  self_protection   ||     FAIL: "is not set"     
  CONFIG_STATIC_USERMODEHELPER           |      y      |    my    |  self_protection   ||      FAIL: not found       
  CONFIG_SECURITY_LOADPIN                |      y      |    my    |  self_protection   ||      FAIL: not found       
  CONFIG_PAGE_POISONING_NO_SANITY        | is not set  |    my    |  self_protection   ||       OK: not found        
  CONFIG_PAGE_POISONING_ZERO             | is not set  |    my    |  self_protection   ||       OK: not found        
  CONFIG_SLAB_MERGE_DEFAULT              | is not set  |    my    |  self_protection   ||       OK: not found        
  CONFIG_SECURITY                        |      y      |defconfig |  security_policy   ||             OK             
  CONFIG_SECURITY_YAMA                   |      y      |   kspp   |  security_policy   ||      FAIL: not found       
  CONFIG_SECURITY_SELINUX_DISABLE        | is not set  |   kspp   |  security_policy   ||         FAIL: "y"          
  CONFIG_SECCOMP                         |      y      |defconfig | cut_attack_surface ||             OK             
  CONFIG_SECCOMP_FILTER                  |      y      |defconfig | cut_attack_surface ||             OK             
  CONFIG_STRICT_DEVMEM                   |      y      |defconfig | cut_attack_surface ||             OK             
  CONFIG_IO_STRICT_DEVMEM                |      y      |   kspp   | cut_attack_surface ||      FAIL: not found       
  CONFIG_ACPI_CUSTOM_METHOD              | is not set  |   kspp   | cut_attack_surface ||       OK: not found        
  CONFIG_COMPAT_BRK                      | is not set  |   kspp   | cut_attack_surface ||             OK             
  CONFIG_DEVKMEM                         | is not set  |   kspp   | cut_attack_surface ||       OK: not found        
  CONFIG_COMPAT_VDSO                     | is not set  |   kspp   | cut_attack_surface ||       OK: not found        
  CONFIG_BINFMT_MISC                     | is not set  |   kspp   | cut_attack_surface ||         FAIL: "m"          
  CONFIG_INET_DIAG                       | is not set  |   kspp   | cut_attack_surface ||         FAIL: "m"          
  CONFIG_KEXEC                           | is not set  |   kspp   | cut_attack_surface ||       OK: not found        
  CONFIG_PROC_KCORE                      | is not set  |   kspp   | cut_attack_surface ||       OK: not found        
  CONFIG_LEGACY_PTYS                     | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_HIBERNATION                     | is not set  |   kspp   | cut_attack_surface ||       OK: not found        
  CONFIG_LEGACY_VSYSCALL_NONE            |      y      |   kspp   | cut_attack_surface ||     FAIL: "is not set"     
  CONFIG_IA32_EMULATION                  | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_X86_X32                         | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_MODIFY_LDT_SYSCALL              | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_X86_PTDUMP                      | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_ZSMALLOC_STAT                   | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_PAGE_OWNER                      | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_DEBUG_KMEMLEAK                  | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_BINFMT_AOUT                     | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_KPROBES                         | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_UPROBES                         | is not set  |grsecurity| cut_attack_surface ||             OK             
  CONFIG_GENERIC_TRACER                  | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_PROC_VMCORE                     | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_PROC_PAGE_MONITOR               | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_USELIB                          | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_CHECKPOINT_RESTORE              | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_USERFAULTFD                     | is not set  |grsecurity| cut_attack_surface ||             OK             
  CONFIG_HWPOISON_INJECT                 | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_MEM_SOFT_DIRTY                  | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_DEVPORT                         | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_DEBUG_FS                        | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_NOTIFIER_ERROR_INJECTION        | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_ACPI_TABLE_UPGRADE              | is not set  | lockdown | cut_attack_surface ||       OK: not found        
  CONFIG_ACPI_APEI_EINJ                  | is not set  | lockdown | cut_attack_surface ||       OK: not found        
  CONFIG_PROFILING                       | is not set  | lockdown | cut_attack_surface ||         FAIL: "y"          
  CONFIG_BPF_SYSCALL                     | is not set  | lockdown | cut_attack_surface ||             OK             
  CONFIG_MMIOTRACE_TEST                  | is not set  | lockdown | cut_attack_surface ||       OK: not found        
  CONFIG_MMIOTRACE                       | is not set  |    my    | cut_attack_surface ||       OK: not found        
  CONFIG_KEXEC_FILE                      | is not set  |    my    | cut_attack_surface ||             OK             
  CONFIG_LIVEPATCH                       | is not set  |    my    | cut_attack_surface ||       OK: not found        
  CONFIG_USER_NS                         | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_IP_DCCP                         | is not set  |    my    | cut_attack_surface ||         FAIL: "m"          
  CONFIG_IP_SCTP                         | is not set  |    my    | cut_attack_surface ||         FAIL: "m"          
  CONFIG_FTRACE                          | is not set  |    my    | cut_attack_surface ||       OK: not found        
  CONFIG_BPF_JIT                         | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_ARCH_MMAP_RND_BITS              |     32      |    my    |userspace_protection||      FAIL: not found       

[-] config check is NOT PASSED: 48 errors
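As an added example (not part of this issue and not kconfig-hardened-check's own code), here is a small Python reimplementation of the check semantics behind the table above, run against a constructed config fragment. The preference subset, the 4.4 alias of CONFIG_DEBUG_RODATA for CONFIG_STRICT_KERNEL_RWX and the verdict strings are assumptions modelled on the output shown.

```python
import re
# Constructed config fragment (not the SecureDrop config), chosen so that every
# verdict form in the table above (OK, OK: not found, FAIL: ...) appears once.
SAMPLE_CONFIG = """\
CONFIG_BUG=y
CONFIG_DEBUG_RODATA=y
# CONFIG_DEBUG_WX is not set
CONFIG_BINFMT_MISC=m
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
CONFIG_LEGACY_PTYS=y
"""

# (option, desired value, decision, reason): a hypothetical subset of the tool's
# preference list. Desired "is not set" means absent or explicitly disabled.
PREFERENCES = [
    ("CONFIG_BUG", "y", "defconfig", "self_protection"),
    ("CONFIG_STRICT_KERNEL_RWX", "y", "defconfig", "self_protection"),
    ("CONFIG_DEBUG_WX", "y", "kspp", "self_protection"),
    ("CONFIG_HARDENED_USERCOPY", "y", "kspp", "self_protection"),
    ("CONFIG_DEFAULT_MMAP_MIN_ADDR", "65536", "kspp", "self_protection"),
    ("CONFIG_BINFMT_MISC", "is not set", "kspp", "cut_attack_surface"),
    ("CONFIG_LEGACY_PTYS", "is not set", "kspp", "cut_attack_surface"),
    ("CONFIG_KEXEC", "is not set", "kspp", "cut_attack_surface"),
]

# Older trees name some features differently: 4.4 has CONFIG_DEBUG_RODATA where
# newer kernels have CONFIG_STRICT_KERNEL_RWX (the table's alias OK line).
ALIASES = {"CONFIG_STRICT_KERNEL_RWX": "CONFIG_DEBUG_RODATA"}

SET_RE = re.compile(r"^(CONFIG_\w+)=(.+)$")
UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_config(text):
    """Map option -> value; explicitly disabled options map to 'is not set'."""
    opts = {}
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = UNSET_RE.match(line.strip())
        if m:
            opts[m.group(1)] = "is not set"
    return opts

def check_option(opts, name, desired):
    """Verdict for one option, phrased like the table's check-result column."""
    if desired == "is not set":
        if name not in opts:
            return "OK: not found"           # never compiled in: surface absent
        return "OK" if opts[name] == "is not set" else 'FAIL: "%s"' % opts[name]
    if name in opts:
        return "OK" if opts[name] == desired else 'FAIL: "%s"' % opts[name]
    alias = ALIASES.get(name)
    if alias in opts:                        # old spelling of the same feature
        verdict = "OK" if opts[alias] == desired else "FAIL"
        return '%s: %s ("%s")' % (alias, verdict, opts[alias])
    return "FAIL: not found"                 # feature does not exist in this tree

def run_check(text, prefs=PREFERENCES):
    """Evaluate every preference; returns (rows, error_count) like the summary line."""
    opts = parse_config(text)
    rows = [(n, d, s, r, check_option(opts, n, d)) for n, d, s, r in prefs]
    return rows, sum("FAIL" in row[4] for row in rows)
```

Point `run_check` at the contents of a real `/boot/config-*` file to get the same row-by-row verdicts for this subset; "FAIL: not found" on a 4.4 kernel usually means the feature simply does not exist in that tree yet, as the first comment notes.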
ageis commented Aug 13, 2019

Here is another popular script which is useful for auditing kernel configuration (among other things) for security: https://github.com/slimm609/checksec.sh

Example syntax:
checksec --format=cli --verbose --kernel=/boot/config-4.4.182-grsec

I have styled in bold those items which may need attention, but note they're based off my desktop rather than a SecureDrop server (I don't have the same sysctl settings or boot parameters).

  • Kernel protection information for : /boot/config-4.4.182-grsec

    Description - List the status of kernel protection mechanisms. Rather than
    inspect kernel mechanisms that may aid in the prevention of exploitation of
    userspace processes, this option lists the status of kernel configuration
    options that harden the kernel itself against attack.

    Kernel config:
    Warning: The config /home/kevin/dev/boot/config-4.4.182-grsec on disk may not represent running kernel config!

    Vanilla Kernel ASLR: Full
    Protected symlinks: sysctl: permission denied on key 'fs.protected_symlinks'
    Disabled
    Protected hardlinks: sysctl: permission denied on key 'fs.protected_hardlinks'
    Disabled
    Ipv4 reverse path filtering: Enabled
    Ipv6 reverse path filtering: Disabled
    Kernel heap randomization: Enabled
    GCC stack protector support: Enabled
    GCC stack protector strong: Disabled
    Restrict /dev/mem access: Enabled
    Restrict I/O access to /dev/mem: Disabled
    Exec Shield: Disabled

  • X86 only:
    Address space layout randomization: Enabled

  • SELinux: Disabled

    SELinux infomation available here:
    http://selinuxproject.org/

  • grsecurity / PaX: Auto GRKERNSEC

    Non-executable kernel pages: Enabled
    Non-executable pages: Enabled
    Paging Based Non-executable pages: Enabled
    Restrict MPROTECT: Enabled
    Address Space Layout Randomization: Enabled
    Randomize Kernel Stack: Enabled
    Randomize User Stack: Enabled
    Randomize MMAP Stack: Enabled
    Sanitize freed memory: Enabled
    Sanitize Kernel Stack: Enabled
    Prevent userspace pointer deref: Enabled
    Prevent kobject refcount overflow: Enabled
    Bounds check heap object copies: Enabled
    JIT Hardening: Disabled
    Thread Stack Random Gaps: Enabled
    Disable writing to kmem/mem/port: Enabled
    Disable privileged I/O: Enabled
    Harden module auto-loading: Enabled
    Chroot Protection: Enabled
    Deter ptrace process snooping: Enabled
    Larger Entropy Pools: Disabled
    TCP/UDP Blackhole: Enabled
    Deter Exploit Bruteforcing: Enabled
    Hide kernel symbols: Enabled
    Pax softmode: Disabled
    Grsec sysctl options:
    grsecurity.audit_chdir: Disabled
    grsecurity.audit_gid: Disabled
    grsecurity.audit_group: Disabled
    grsecurity.audit_mount: Disabled
    grsecurity.audit_ptrace: Disabled
    grsecurity.chroot_caps: Disabled
    grsecurity.chroot_deny_bad_rename: Disabled
    grsecurity.chroot_deny_chmod: Disabled
    grsecurity.chroot_deny_chroot: Disabled
    grsecurity.chroot_deny_fchdir: Disabled
    grsecurity.chroot_deny_mknod: Disabled
    grsecurity.chroot_deny_mount: Disabled
    grsecurity.chroot_deny_pivot: Disabled
    grsecurity.chroot_deny_shmat: Disabled
    grsecurity.chroot_deny_sysctl: Disabled
    grsecurity.chroot_deny_unix: Disabled
    grsecurity.chroot_enforce_chdir: Disabled
    grsecurity.chroot_execlog: Disabled
    grsecurity.chroot_findtask: Disabled
    grsecurity.chroot_restrict_nice: Disabled
    grsecurity.consistent_setxid: Disabled
    grsecurity.deny_new_usb: Disabled
    grsecurity.deter_bruteforce: Disabled
    grsecurity.disable_priv_io: Disabled
    grsecurity.dmesg: Disabled
    grsecurity.enforce_symlinksifowner: Disabled
    grsecurity.exec_logging: Disabled
    grsecurity.fifo_restrictions: Disabled
    grsecurity.forkfail_logging: Disabled
    grsecurity.grsec_lock: Disabled
    grsecurity.harden_ipc: Disabled
    grsecurity.harden_ptrace: Disabled
    grsecurity.ip_blackhole: Disabled
    grsecurity.lastack_retries: Disabled
    grsecurity.linking_restrictions: Disabled
    grsecurity.ptrace_readexec: Disabled
    grsecurity.resource_logging: Disabled
    grsecurity.romount_protect: Disabled
    grsecurity.rwxmap_logging: Disabled
    grsecurity.signal_logging: Disabled
    grsecurity.socket_all: Disabled
    grsecurity.socket_all_gid: Disabled
    grsecurity.socket_client: Disabled
    grsecurity.socket_client_gid: Disabled
    grsecurity.socket_server: Disabled
    grsecurity.socket_server_gid: Disabled
    grsecurity.symlinkown_gid: Disabled
    grsecurity.timechange_logging: Disabled
    grsecurity.harden_tty: Disabled
    grsecurity.tpe: Disabled
    grsecurity.tpe_gid: Disabled
    grsecurity.tpe_invert: Disabled
    grsecurity.tpe_restrict_all: Disabled

@evilaliv3

@ageis @redshiftzero : I'm rechecking on this topic and it seems that on Debian/Ubuntu only python2 is currently compiled with -fpie; this means that ASLR is not effective for python3.

This issue seems to have been previously notified here:
https://bugs.launchpad.net/ubuntu/+source/python3.6/+bug/1452115

Output of hardening-check on Ubuntu Bionic for: python3 and python2:

evilaliv3@evilaliv3:~$ hardening-check /usr/bin/python3
/usr/bin/python3:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!

hardening-check /usr/bin/python2
/usr/bin/python2:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes

I'm trying to reach out to the Debian/Ubuntu security team to find out the reasons for this choice and whether it would be possible to get python3 compiled with -fpie as well.
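To show what the "Position Independent Executable" line of hardening-check above is actually testing, here is an added example (not hardening-check's own code, which shells out to readelf) that reads the ELF64 header and program headers directly. Using PT_INTERP to tell a PIE from a plain shared library, and the constructed test images, are this example's own choices.

```python
import struct

# Constants from the ELF specification.
ELFCLASS64, ELFDATA2LSB, ELFDATA2MSB = 2, 1, 2
ET_EXEC, ET_DYN, PT_INTERP = 2, 3, 3

def parse_header(data):
    """Validate an ELF64 header and return (struct endian prefix, e_type)."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64:
        raise ValueError("only ELF64 handled here")
    endian = {ELFDATA2LSB: "<", ELFDATA2MSB: ">"}.get(data[5])
    if endian is None:
        raise ValueError("unknown EI_DATA %d" % data[5])
    return endian, struct.unpack(endian + "H", data[16:18])[0]

def has_interp(data, endian):
    """True if some program header is PT_INTERP (a dynamic-loader request):
    this is what distinguishes a PIE from an ordinary shared library."""
    e_phoff, = struct.unpack(endian + "Q", data[32:40])
    e_phentsize, e_phnum = struct.unpack(endian + "HH", data[54:58])
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if struct.unpack(endian + "I", data[off:off + 4])[0] == PT_INTERP:
            return True
    return False

def pie_status(data):
    """Verdict in the wording of hardening-check's first output line."""
    endian, e_type = parse_header(data)
    if e_type == ET_EXEC:
        return "no, normal executable!"    # fixed load address: main image not randomized
    if e_type == ET_DYN:
        if has_interp(data, endian):
            return "yes"
        return "no, shared object without PT_INTERP"
    return "n/a (e_type %d)" % e_type      # relocatable object or core dump

def check_file(path):
    """Report PIE status for a binary on disk, e.g. check_file('/usr/bin/python3')."""
    with open(path, "rb") as f:
        return pie_status(f.read())

def make_image(e_type, with_interp, ei_data=ELFDATA2LSB):
    """Constructed minimal ELF64 image (x86-64) for offline testing: a header
    followed by at most one program header, the only fields pie_status reads."""
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    phnum = 1 if with_interp else 0
    ident = b"\x7fELF" + bytes([ELFCLASS64, ei_data, 1]) + b"\x00" * 9
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags, e_ehsize,
    # e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    hdr = struct.pack(endian + "HHIQQQIHHHHHH",
                      e_type, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdr = b""
    if with_interp:  # p_type=PT_INTERP, p_flags=PF_R, offsets/sizes zero, align 1
        phdr = struct.pack(endian + "IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 1)
    return ident + hdr + phdr
```

A "no, normal executable!" verdict means the main image loads at a fixed address, so the kernel's ASLR only randomizes the stack, heap and libraries around it, which is the gap described for python3 above.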


ageis commented Oct 30, 2019

@evilaliv3 Excellent find; that is a really important thing to get rectified.


evilaliv3 commented Nov 18, 2019

@ageis: we have some updates on this. Would you please check freedomofpress/securedrop#1861?


ageis commented Dec 4, 2020

Hi @evilaliv3. I read that ticket, and it's not clear to me whether you've either:
A) explicitly added new flags to the kernel boot cmdline
B) enabled certain security build flags during the kernel compilation process

This is what I was suggesting. cc @conorsch ?

Update: Ah, just read about some of the issues in freedomofpress/securedrop#4962.

@legoktm legoktm transferred this issue from freedomofpress/securedrop Oct 1, 2022