Page 1 of 1

Grsecurity Wikibook

PostPosted: Mon Feb 02, 2009 2:50 pm
by meev0
About a moth ago I started playing around with grsecurity again. This was the second time I took interest in it. I found myself in the same situation as the last time: Gathering little bits of information from here and there. Some of the information was somewhat outdated, but usable. Sometimes I would find information that differed quite a lot from a another piece of information about the same subject.

I didn't have a single up-to-date guide to follow. So I decided to write a short guide for myself in my own wiki. A bit later I thought why not make it good enough to publish on a public wiki? Well, that didn't quite happen the way I imagined, but I did manage to make it good enough to publish. At least It's a start, I thought, and I and others would expand it over time. I wanted to publish the mini-guide now, because I knew I wouldn't have the time to expand it as much as I'd like.

I edited the guide's wiki formatting to match Wikipedia's and started a Wikibook, simply called Grsecurity.

The guide can be found here: http://en.wikibooks.org/wiki/Grsecurity

The biggest subject missing from the wiki is of course ACL's.

I've also made updated wiki-formatted tables of
  • Table 1: Subject Modes
  • Table 2: Object Modes
  • Table 3: Role Modes
  • Table 4: PaX Flags
  • Table 5: Capability Names and Descriptions

which I will add to the Wikibook when I have the time.

Criticism is welcome, but remember that the good thing about a wiki is that you can edit it yourself.

Re: Grsecurity Wikibook

PostPosted: Sun Feb 08, 2009 9:32 am
by meev0
I've begun restructuring the Wikibook stub I started last week.

This is the structure I'm aiming for:
  1. Obtaining grsecurity - http://en.wikibooks.org/wiki/Grsecurity ... grsecurity
  2. Configuring and Installing grsecurity - http://en.wikibooks.org/wiki/Grsecurity ... grsecurity
  3. Installing the Utilities
    a) gradm
    b) paxctl
    c) pax-utils
  4. Administering the RBAC System
    a) Using the gradm Utility
    b) Using the paxctl Utility
  5. Access Control Lists
    a) Basic Structure
    b) Inheritance
    c) Flow of Matches
    d) Resource Restrictions
    e) IP ACLs
    f) PaX Flags
    g) Object Globbing
    h) Building a Solid ACL
  6. Appendix - http://en.wikibooks.org/wiki/Grsecurity/Appendix

The structure of page 5 ("Access Control Lists") is identical with page 8 of the Grsecurity ACL Documentation. I have not yet started on pages 3-5.

The cover page of the book is now less intimidating. It's got a short introduction and a table of contents only. I'm hoping this re-structuring will incourage others to expand the book. Nonetheless I will update it again next weekend.

Re: Grsecurity Wikibook

PostPosted: Sun Feb 08, 2009 1:03 pm
by spender
If you manage to integrate the information from the Wiki on the grsecurity website, I'll link to this wiki instead of hosting my own. It's looking nice!

Thanks for your effort,
-Brad

Re: Grsecurity Wikibook

PostPosted: Sun Feb 08, 2009 2:28 pm
by meev0
Thanks, Brad!

The FAQ in the grsecurity wiki will fit well into the book. It may be possible to expand it a bit by going through the forums. I'll look into it next week.

The RBAC object/subject/role mode tables at http://www.grsecurity.net/wiki/index.ph ... figuration have now been added to the book (see http://en.wikibooks.org/wiki/Grsecurity/Appendix).

Re: Grsecurity Wikibook

PostPosted: Sat Mar 21, 2009 8:16 pm
by spender
I've done a little redesigning of the website, and have included a link to the Wiki you created.

Thanks again,
-Brad

Re: Grsecurity Wikibook

PostPosted: Sat Apr 18, 2009 11:28 am
by meev0
Lately I've been distracted by personal woes relating to the "economical downturn". Things are looking better now and I finally have time to work on the documentation again. Other problems I had before were with the virtual machine that I use to test grsecurity.

First I like what you've done to the site, Brad. Second, I noticed that at least specs had contributed to the Wikibook, so thanks to him/her! I hope others will start to contribute too.

The only thing I did today was fix a number of typos in the grsecurity and PaX kernel option descriptions and added description for the PaX option "Prevent various kernel object reference counter overflows". I'll make a real update in the following weeks.

Re: Grsecurity Wikibook

PostPosted: Fri Sep 11, 2009 5:21 pm
by spender
Great work on the wiki. I'll be contributing some to it this weekend, and hopefully others will join in.

-Brad

Re: Grsecurity Wikibook

PostPosted: Mon Oct 03, 2011 2:43 pm
by tjh
EDIT PaX Team have confirmed on IRC that EI_PAX isn't required for default protection

The wiki book still mentions:

"If you have applications not marked by the PT_PAX_FLAGS ELF program header then you MUST enable the EI_PAX marking support. Othwerwise they will not get any protection."

I'm fairly sure that this is wrong now?

Code: Select all
micro:/home/tim# pspax
USER     PID    PAX    MAPS ETYPE      NAME             CAPS
root     26757  peMRS  w^x  ET_EXEC    bash              =
root     26758  peMRS  w^x  ET_EXEC    pspax             =
root     26774  peMRS  w^x  ET_DYN     apache2           =
root     27160  peMRS  w^x  ET_DYN     udevd             =
root     27161  peMRS  w^x  ET_DYN     udevd             =


Code: Select all
micro:/home/tim# cat /boot/config-3.0.4-grsec-sept25 | grep EI_PAX
# CONFIG_PAX_EI_PAX is not set


Code: Select all
micro:/home/tim# paxctl -v /bin/bash
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <[email protected]>

file /bin/bash does not have a PT_PAX_FLAGS program header, try conversion


The kernel help also doesn't carry this large warning anymore. Can the Wikibook be updated? I'd update it, but I want to ensure I'm doing the right thing!

Re: Grsecurity Wikibook

PostPosted: Fri Oct 07, 2011 3:57 am
by PaX Team
tjh wrote:The kernel help also doesn't carry this large warning anymore. Can the Wikibook be updated? I'd update it, but I want to ensure I'm doing the right thing!
note that this is true of the version of PaX in grsec, not standalone PaX, so if you update the wiki, you should somehow make this clear.

Re: Grsecurity Wikibook

PostPosted: Tue Oct 29, 2013 4:21 pm
by sfs6dzs
Sorry to revive this thread although the Wiki misses some changes that are included in the post that can be found here from chapter V. Configuring the GRSEC security modules.

Not sure if they reflect the nowadays up to date changes but should complete the Wiki a little bit more if anyone has the time to do it.