The Paranoid.nl Kernel Module
This is a FreeBSD 5 kernel module for adding some extra security in cases where you are too paranoid to
trust the default OS :)
The goal is: "Build a last line of defense". If everything else (network security, host security,
application security) fails, there is still kernel security :-) With that in mind I wrote it to force myself to
move around in kernel code, to play around with ideas and to find out if it
is worth spending time on building 'security layers' like this one.
It's easy to install (or deinstall) without rebooting since it is a kernel module. It's easy to
configure, in source and via sysctl. It wraps around existing syscalls, so even though I developed it on FreeBSD
5.4 it should work on any 5.x version.
Download:
paranoid v1.2 for freebsd 6 and 7
It consists of the following parts:
- Trusted Path Execution (TPE)
A wrapper for execve() that only allows executing from trusted paths.
Usually, a path is considered trusted if the parent directory or executable is owned by 'root' and is
neither group nor world writable.
Example logfile:
Jul 8 17:44:16 crash2 kernel: TPE: world/group writeable dir, halting execution
Jul 8 17:44:16 crash2 kernel: TPE: ./test (uid:1001 gid:1001 pid:1542) (rejected)
- Lockdown
A wrapper for open() and other calls, to deny users access to directories other than /home and necessary
dirs like /lib.
Example logfile:
Jul 8 17:45:51 crash2 kernel: Lockdown: ls / (uid:1001 gid:1001 pid:1546) (rejected)
Side effects:
$ cp /usr/bin/uptime ~
cp: /usr/bin/uptime: Resource temporarily unavailable
$ /usr/bin/uptime
5:48PM up 6:38, 3 users, load averages: 0.00, 0.02, 0.00
- Restrictport
A wrapper for bind(), to restrict (and/or log) attempts to bind to a port. This can be convenient for
shellboxes or webservers, where people can upload faulty CGIs, bind to a port and give out a shell. If the
server gets compromised, programs like psybnc are not useful because they can't take a port to listen on. It
also gives a warning in your logfiles.
Example logfile:
Jul 8 11:09:34 crash2 kernel: Restrictport: sendmail (uid:0 gid:25 pid:518) port 0.0.0.0:25 (rejected)
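A user-space model of the TPE decision, added here as an example and not the module's own kernel code: it combines the trusted-path rule described above with the trustedgid and even_root sysctls. The tpe_check function, its argument layout, and the assumption that both the parent directory and the executable must pass the root-owned/not-writable test are this example's own choices.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Verdicts; the two deny reasons correspond to the kinds of TPE log line shown above. */
enum tpe_verdict { TPE_ALLOW = 0, TPE_DENY_OWNER, TPE_DENY_WRITABLE };

/* Trusted-path decision for an execve() by a process running as (uid, gid).
 * trustedgid and even_root mirror the sysctls: members of trustedgid are
 * exempt, and root is exempt unless even_root is set. Ownership and mode
 * bits of the parent directory and the executable are passed in as plain
 * values (in the kernel they would come from the vnode attributes).
 * Assumption: both the directory and the file must be root-owned and
 * neither group nor world writable. */
enum tpe_verdict tpe_check(uid_t uid, gid_t gid, gid_t trustedgid, int even_root,
                           uid_t dir_uid, mode_t dir_mode,
                           uid_t exe_uid, mode_t exe_mode)
{
    if (gid == trustedgid)
        return TPE_ALLOW;               /* trusted group: no path check */
    if (uid == 0 && !even_root)
        return TPE_ALLOW;               /* root is trusted unless even_root=1 */
    if (dir_uid != 0 || exe_uid != 0)
        return TPE_DENY_OWNER;          /* not owned by root */
    if ((dir_mode | exe_mode) & (S_IWGRP | S_IWOTH))
        return TPE_DENY_WRITABLE;       /* group or world writable */
    return TPE_ALLOW;
}

/* Print a verdict in the style of the module's log lines. The "not owned by
 * root" text and the "allowed" tag are this example's wording, not the module's. */
void tpe_log(const char *path, uid_t uid, gid_t gid, pid_t pid, enum tpe_verdict v)
{
    if (v == TPE_DENY_WRITABLE)
        printf("TPE: world/group writeable dir, halting execution\n");
    else if (v == TPE_DENY_OWNER)
        printf("TPE: dir or file not owned by root, halting execution\n");
    printf("TPE: %s (uid:%u gid:%u pid:%u) (%s)\n", path, (unsigned)uid,
           (unsigned)gid, (unsigned)pid, v == TPE_ALLOW ? "allowed" : "rejected");
}

int main(void)
{
    /* Constructed scenario replaying the log above: uid 1001 runs ./test
     * from a root-owned but world-writable directory (mode 1777). */
    enum tpe_verdict v = tpe_check(1001, 1001, 999, 0, 0, 01777, 0, 0755);
    tpe_log("./test", 1001, 1001, 1542, v);
    return 0;
}
```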
Installation:
- Download the tarfile, unpack it, cd into the new directory
- if desired, edit the Makefile to remove modules you don't want
- if desired, edit config.h to change the defaults
- make
- kldload ./paranoid.ko
After loading the module you'll see some output in your logs:
Jul 8 11:08:49 crash2 kernel: ParanoidKLD v1.0 [http://www.paranoid.nl/~eilander/freebsd/kld]
Jul 8 11:08:49 crash2 kernel: => Trusted Path Execution (TPE) v1.0
Jul 8 11:08:49 crash2 kernel: => Lockdown v1.0
Jul 8 11:08:49 crash2 kernel: => Restrictport v1.0
You will have access to new sysctls (shown as name: value, with a description of each):
  paranoid.trustedgid: 999        Global trusted user gid; assign this group id to users to trust them
  paranoid.even_root: 0           Exclude root from trusted users (where possible)
  paranoid.tpe.on: 1              Enable the "Trusted Path Execution" module
  paranoid.lockdown.on: 1         Enable the "Lockdown" module
  paranoid.resport.on: 1          Enable the "Restricted port" module
  paranoid.resport.log_only: 0    In the restrictedport module, don't deny anything and log everything
  paranoid.resport.log_allow: 1   Enable logging if a program is allowed to take a port
  paranoid.resport.log_deny: 1    Enable logging if a program is rejected
  paranoid.resport.port22: 1      Always allow port 22 so you won't lock yourself out of sshd
Links:
Stephanie #1
Stephanie #2
Lids Trusted Path Execution
TODO
- Post mortem module
Log everything to find out if you have been hacked: load the module at boot and log, for example,
exec(), open(), bind() and new syscalls.
- Better (fine-grained) configuration and more uniform logging.
- Expand the lockdown module with mkdir, rmdir, link, unlink and others. Lock a user in /home/$user
instead of /home.
- For TPE, find a nice clean way to disable running scripts with an interpreter (like perl).
- Better website :-)
Ideas, contributions and fixes can be sent to nomad@paranoid.nl
/* 8 July 2005 Thijs Eilander nomad@paranoid.nl */