Menu
▾
▴
Re: [Devil-Linux-discuss] DL hardening compilation options
|
From: Heiko Z. <he...@zu...> - 2017-10-08 14:58:55
|
Olivier, The behavior must have changed when we switched to the newer gcc version. Unfortunately we got a bigger issue right now, which I mentioned in the other email: grsecurity stopped releasing a public patch. Without that, a lot of our security features are useless. If anybody has an idea what to do, please share. I'm at a loss at the moment... Heiko Quoting Boursin Olivier <oli...@in...>: > Hello, > > > > I discover that compilation options were not the same between > version 1.6.9 and 1.8.0 according to checksec > (https://github.com/slimm609/checksec.sh), 1.6.9 option “proc-all” > told me that processes were all Full RELRO, Stack Canaries, Pax > enabled, PIE enabled and Fortify : > > > > > > > > > > checksec.sh --proc-all > > > > * System-wide ASLRPaX ASLR enabled > > > > > > > > > > * Does the CPU support NX: Yes > > > > > > > > > > COMMAND PID RELRO STACK CANARY > SECCOMP NX/PaX PIE FORTIFY > > > > init 1 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > syslog-ng 1638 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > syslog-ng 1639 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > cron 1657 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > dhcpd 1732 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > sshd 1876 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > jk_socketd 2145 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > ntpd 2150 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > jk_socketd 3223 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > master 4167 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > pickup 4172 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > qmgr 4173 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > agetty 4216 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > agetty 4217 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > agetty 4218 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > agetty 4219 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > agetty 4220 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > agetty 4221 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > procinfo 4222 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > iptstate 4223 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > udevd 4225 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > udevd 4226 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > sshd 4234 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > bash 4236 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > udevd 480 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > > > > > > > With version 1.8.0, it seems that only some processes have those > hardening mechanism (example sshd) : > > > > > > > > > > checksec.sh --proc-all > > > > * System-wide ASLRPaX ASLR enabled > > > > > > > > > > * Does the CPU support NX: Yes > > > > > > > > > > COMMAND PID RELRO STACK CANARY > SECCOMP NX/PaX PIE FORTIFY > > > > init 1 Full RELRO No canary found > No Seccomp PaX enabled No PIE No > > > > syslog-ng 1828 Full RELRO No canary found > No Seccomp PaX enabled No PIE No > > > > syslog-ng 1829 Full RELRO No canary found > No Seccomp PaX enabled No PIE No > > > > cron 1851 Full RELRO No canary found > No Seccomp PaX enabled No PIE No > > > > dhcpd 1926 Full RELRO No canary found > No Seccomp PaX enabled No PIE No > > > > sshd 2050 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > jk_socketd 2325 Full RELRO No canary found > No Seccomp PaX enabled No PIE No > > > > ntpd 2329 Full RELRO No canary found > No Seccomp PaX enabled No PIE No > > > > jk_socketd 3347 Full RELRO No canary found > No Seccomp PaX enabled No PIE No > > > > master 4015 Full RELRO No canary found > No Seccomp PaX enabled No PIE Yes > > > > qmgr 4019 Full RELRO No canary found > No Seccomp PaX enabled No PIE Yes > > > > agetty 4062 Full RELRO No canary found > No Seccomp PaX enabled No PIE No > > > > agetty 4063 Full RELRO No canary found > No Seccomp PaX enabled No PIE No > > > > agetty 4064 Full RELRO No canary found > No Seccomp PaX enabled No PIE No > > > > agetty 4065 Full RELRO No canary found > No Seccomp PaX enabled No PIE No > > > > agetty 4066 Full RELRO No canary found > No Seccomp PaX enabled No PIE No > > > > agetty 4067 Full RELRO No canary found > No Seccomp PaX enabled No PIE No > > > > iptstate 4069 Full RELRO No canary found > No Seccomp PaX enabled No PIE No > > > > udevd 745 Full RELRO No canary found > No Seccomp PaX enabled No PIE No > > > > pickup 8223 Full RELRO No canary found > No Seccomp PaX enabled No PIE Yes > > > > sshd 8413 Full RELRO Canary found > No Seccomp PaX enabled PIE enabled Yes > > > > bash 8419 Full RELRO No canary found > No Seccomp PaX enabled No PIE Yes > > > > > > > > > > Is there any reason of that ? > > > > I know it is possible to build a customized version of > Devil-Linux, but I have not found where to check or put customized > gcc parameters, so any advices are welcome. > > > > Many thanks, > > > > > > > > > > OB > > > > > > > > > > > > > > -- Regards Heiko Zuerker |
