2006-11-22 16:00:02 +03:00
|
|
|
.\" $NetBSD: security.8,v 1.6 2006/11/22 13:00:02 elad Exp $
|
2006-10-22 16:16:27 +04:00
|
|
|
.\"
|
|
|
|
|
.\" Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
|
|
|
|
|
.\" All rights reserved.
|
|
|
|
|
.\"
|
|
|
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
|
|
|
.\" modification, are permitted provided that the following conditions
|
|
|
|
|
.\" are met:
|
|
|
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
|
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
|
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
|
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
|
|
|
.\" 3. All advertising materials mentioning features or use of this software
|
|
|
|
|
.\" must display the following acknowledgement:
|
|
|
|
|
.\" This product includes software developed by Elad Efrat.
|
|
|
|
|
.\" 4. The name of the author may not be used to endorse or promote products
|
|
|
|
|
.\" derived from this software without specific prior written permission.
|
|
|
|
|
.\"
|
|
|
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
|
|
|
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
|
|
|
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
|
|
|
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
|
|
|
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
|
|
|
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
|
|
|
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
|
|
|
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
|
|
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
|
|
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
|
.\"
|
2006-11-22 05:02:51 +03:00
|
|
|
.Dd November 22, 2006
|
2006-10-22 16:16:27 +04:00
|
|
|
.Dt SECURITY 8
|
|
|
|
|
.Os
|
|
|
|
|
.Sh NAME
|
|
|
|
|
.Nm security
|
|
|
|
|
.Nd
|
|
|
|
|
.Nx security features
|
|
|
|
|
.Sh DESCRIPTION
|
|
|
|
|
.Nx
|
|
|
|
|
supports a variety of security features.
|
|
|
|
|
Below is a brief description of them with some quick usage examples
|
|
|
|
|
that will help you get started.
|
|
|
|
|
.Sh VERIEXEC
|
|
|
|
|
.Em Veriexec
|
|
|
|
|
is an in-kernel, real-time, file-system idenependent, file integrity
|
|
|
|
|
subsystem.
|
|
|
|
|
It can be used for a variety of purposes, including defense against trojanned
|
|
|
|
|
binaries, indirect attacks via third-party remote file-systems, and
|
|
|
|
|
config file corruption.
|
2006-10-26 16:47:30 +04:00
|
|
|
It can operate in four modes, also referred to as strict levels:
|
2006-10-22 16:16:27 +04:00
|
|
|
.Em learning mode ,
|
|
|
|
|
.Em IDS mode ,
|
|
|
|
|
.Em IPS mode ,
|
|
|
|
|
and
|
|
|
|
|
.Em lockdown mode .
|
|
|
|
|
.Pp
|
|
|
|
|
.Em Veriexec
|
|
|
|
|
requires a list of monitored files, along with their digital fingerprint and
|
|
|
|
|
(optionally) access modes.
|
|
|
|
|
.Nx
|
|
|
|
|
provides a tool,
|
2006-10-26 16:47:30 +04:00
|
|
|
.Xr veriexecgen 8 ,
|
2006-10-22 16:16:27 +04:00
|
|
|
for this purpose.
|
|
|
|
|
Example usage:
|
|
|
|
|
.Bd -literal -offset indent
|
|
|
|
|
# veriexecgen
|
|
|
|
|
.Ed
|
|
|
|
|
.Pp
|
|
|
|
|
.Em Veriexec
|
2006-10-31 04:59:12 +03:00
|
|
|
requires a pseudo-device to run:
|
|
|
|
|
.Bd -literal -offset indent
|
|
|
|
|
pseudo-device veriexec 1
|
|
|
|
|
.Ed
|
|
|
|
|
.Pp
|
|
|
|
|
Additionally, one or more options for digital fingerprint algorithm support:
|
|
|
|
|
.Bd -literal -offset indent
|
|
|
|
|
options VERIFIED_EXEC_FP_SHA256
|
|
|
|
|
options VERIFIED_EXEC_FP_SHA512
|
|
|
|
|
.Ed
|
|
|
|
|
.Pp
|
2006-10-22 16:16:27 +04:00
|
|
|
See your kernel's config file for an example.
|
|
|
|
|
.Pp
|
2006-10-31 04:59:12 +03:00
|
|
|
On amd64, i386, prep, and sparc64 GENERIC kernels,
|
|
|
|
|
.Em Veriexec
|
|
|
|
|
is enabled by default.
|
|
|
|
|
.Pp
|
2006-10-22 16:16:27 +04:00
|
|
|
.Em Veriexec
|
|
|
|
|
also requires enabling in
|
|
|
|
|
.Xr rc.conf 5 :
|
|
|
|
|
.Bd -literal -offset indent
|
|
|
|
|
veriexec=YES
|
|
|
|
|
veriexec_strict=1 # IDS mode
|
|
|
|
|
.Ed
|
2006-11-22 05:02:51 +03:00
|
|
|
.Sh EXPLOIT MITIGATION
|
2006-10-22 16:16:27 +04:00
|
|
|
.Nx
|
2006-11-22 05:02:51 +03:00
|
|
|
incorporates some exploit mitigation features, mainly from the
|
2006-10-22 16:16:27 +04:00
|
|
|
.Em PaX
|
|
|
|
|
project.
|
|
|
|
|
.Ss PaX MPROTECT
|
|
|
|
|
.Em PaX MPROTECT
|
|
|
|
|
are memory protection restrictions, meant to compliment non-executable
|
|
|
|
|
mappings.
|
|
|
|
|
Their purpose is to prevent situations where malicious code attempts to mark
|
|
|
|
|
writable memory regions as executable, often by trashing arguments to an
|
|
|
|
|
.Xr mprotect 2
|
|
|
|
|
call.
|
|
|
|
|
.Pp
|
|
|
|
|
While it can be enabled globally,
|
|
|
|
|
.Nx
|
|
|
|
|
provides a tool,
|
|
|
|
|
.Xr paxctl 1 ,
|
|
|
|
|
to enable
|
|
|
|
|
.Em PaX MPROTECT
|
|
|
|
|
on a per-program basis.
|
|
|
|
|
.Pp
|
|
|
|
|
Example usage:
|
|
|
|
|
.Bd -literal -offset indent
|
|
|
|
|
# paxctl +M /usr/sbin/sshd
|
|
|
|
|
.Ed
|
|
|
|
|
.Pp
|
|
|
|
|
Enabling
|
|
|
|
|
.Em PaX MPROTECT
|
|
|
|
|
globally:
|
|
|
|
|
.Bd -literal -offset indent
|
|
|
|
|
# sysctl -w security.pax.mprotect.global=1
|
|
|
|
|
.Ed
|
2006-11-22 05:02:51 +03:00
|
|
|
.Ss PaX Segvguard
|
|
|
|
|
.Em PaX Segvguard
|
|
|
|
|
monitors the number of segfaults in a program per-user, in an attempt to
|
|
|
|
|
detect on-going exploitation attempts and possibly prevent them.
|
|
|
|
|
One common attack
|
|
|
|
|
.Em PaX Segvguard
|
|
|
|
|
can help mitigate is when an attacker tries to brute-force a function
|
|
|
|
|
return address, when wanting to perform a return-to-lib attack.
|
|
|
|
|
.Pp
|
|
|
|
|
.Em PaX Segvguard
|
|
|
|
|
makes use of kernel memory, so use it wisely.
|
|
|
|
|
While it provides rate-limiting protections, it works on a per-program
|
|
|
|
|
basis for keeping its records, meaning that irresponsible use may result
|
|
|
|
|
in keeping track of all segfaults in the system, easily wasting all kernel
|
|
|
|
|
memory.
|
|
|
|
|
.Pp
|
|
|
|
|
For this reason, it is highly recommended to have
|
|
|
|
|
.Em PaX Segvguard
|
|
|
|
|
enabled explicitly only for network services etc.
|
|
|
|
|
Enabling
|
|
|
|
|
.Em PaX Segvguard
|
|
|
|
|
explicitly works like this:
|
|
|
|
|
.Bd -literal -offset indent
|
|
|
|
|
# paxctl +G /usr/sbin/sshd
|
|
|
|
|
.Ed
|
|
|
|
|
.Pp
|
|
|
|
|
However, a global knob is still provided, for use in strict environments
|
|
|
|
|
with no local users (some network appliances, embedded devices, firewalls,
|
|
|
|
|
etc.):
|
|
|
|
|
.Bd -literal -offset indent
|
|
|
|
|
# sysctl -w security.pax.segvguard.global=1
|
|
|
|
|
.Ed
|
|
|
|
|
.Pp
|
|
|
|
|
.Em PaX Segvguard
|
|
|
|
|
can be configured to work in your preferred way.
|
|
|
|
|
For example, watching for 5 segfaults from the same user in a time-frame of
|
|
|
|
|
60 seconds:
|
|
|
|
|
.Bd -literal -offset indent
|
|
|
|
|
# sysctl -w security.pax.segvguard.max_crashes=5
|
|
|
|
|
# sysctl -w security.pax.segvguard.expiry_timeout=60
|
|
|
|
|
.Ed
|
|
|
|
|
.Pp
|
|
|
|
|
The number of seconds a user will be suspended from running the culprit
|
|
|
|
|
program is also configurable.
|
|
|
|
|
For example, 10 minutes seem like a sane setting:
|
|
|
|
|
.Bd -literal -offset indent
|
|
|
|
|
# sysctl -w security.pax.segvguard.suspend_timeout=600
|
|
|
|
|
.Ed
|
|
|
|
|
.Pp
|
|
|
|
|
Explicitly disabling
|
|
|
|
|
.Em PaX Segvguard
|
|
|
|
|
can be done like this:
|
|
|
|
|
.Bd -literal -offset indent
|
|
|
|
|
# paxctl +g /bin/ls
|
|
|
|
|
.Ed
|
2006-10-22 16:16:27 +04:00
|
|
|
.Ss GCC Stack Smashing Protection (SSP)
|
|
|
|
|
Since
|
|
|
|
|
.Nx 4.0 ,
|
|
|
|
|
.Xr gcc 1
|
|
|
|
|
includes
|
|
|
|
|
.Em SSP ,
|
|
|
|
|
a set of compiler extensions to raise the bar on exploitation attempts via
|
|
|
|
|
corruption of variables to affect program control flow or buffer overruns.
|
|
|
|
|
.Pp
|
2006-11-22 16:00:02 +03:00
|
|
|
You are encouraged to use
|
|
|
|
|
.Em SSP
|
|
|
|
|
for software you build, by providing one of the
|
2006-10-22 16:16:27 +04:00
|
|
|
.Fl fstack-protector
|
|
|
|
|
or
|
|
|
|
|
.Fl fstack-protector-all
|
|
|
|
|
flags to
|
|
|
|
|
.Xr gcc 1 .
|
2006-11-22 05:02:51 +03:00
|
|
|
.Pp
|
|
|
|
|
The system (userland, kernel) can be built with
|
|
|
|
|
.Em SSP
|
|
|
|
|
by using the
|
|
|
|
|
.Dq USE_SSP
|
|
|
|
|
flag in
|
|
|
|
|
.Pa /etc/mk.conf:
|
|
|
|
|
.Bd -literal -offset indent
|
|
|
|
|
USE_SSP=yes
|
|
|
|
|
.Ed
|
2006-10-22 16:16:27 +04:00
|
|
|
.Sh INFORMATION FILTERING
|
|
|
|
|
.Nx
|
|
|
|
|
provides administrators with the ability to restrict information passed from
|
2006-10-26 16:47:30 +04:00
|
|
|
the kernel to userland so that users can only view information they
|
|
|
|
|
.Dq own .
|
2006-10-22 16:16:27 +04:00
|
|
|
.Pp
|
|
|
|
|
The hooks that manage that are located in various parts of the system and
|
|
|
|
|
effectively affect programs like
|
|
|
|
|
.Xr ps 1 ,
|
|
|
|
|
.Xr fstat 1 ,
|
|
|
|
|
and
|
|
|
|
|
.Xr netstat 1 .
|
|
|
|
|
To enable:
|
|
|
|
|
.Bd -literal -offset indent
|
|
|
|
|
# sysctl -w security.curtain=1
|
|
|
|
|
.Ed
|
|
|
|
|
.Sh SEE ALSO
|
|
|
|
|
.Xr paxctl 1 ,
|
|
|
|
|
.Xr sysctl 3 ,
|
|
|
|
|
.Xr options 4 ,
|
|
|
|
|
.Xr sysctl 8 ,
|
|
|
|
|
.Xr veriexecctl 8 ,
|
|
|
|
|
.Xr veriexecgen 8
|
|
|
|
|
.Sh AUTHORS
|
|
|
|
|
.An Elad Efrat Aq elad@NetBSD.org
|
