lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <34d269d40709091749i1541b821j1d26b11cd22cd239@mail.gmail.com>
Date:	Sun, 9 Sep 2007 18:49:12 -0600
From:	"Alex Hunsaker" <badalex@...il.com>
To:	linux-kernel@...r.kernel.org
Subject: [PATCH][RFC] Secure defaults (initial sysctl settings)

Allow for various sysctl settings to initially be set to more secure
defaults.

Why: While you can easily set these values at boot time with sysctl
(and most distros do).
-Its nice to be able to set their initial value.
-It also allows someone who is unfamiliar with all the security knobs
the kernel exposes to easily turn one on or off (or even read about
what it does).
-Another benefit is every time a new security feature comes out
(mmap_min_addr for example) you don't have to change the setting on
every server.  Or heck even be totally unaware of it until you read
about it on <insert favorite news source> months later.

While some options (syncookies comes to mind) might be better places
somewhere else...
Im more interested to see if anyone thinks this is a good idea.
I mainly did this because I wanted a way to turn on mmap_min_addr by default.
After which i thought hrm, what other sysctl settings do I regularly
change the default setting...

Also it *seems* like it might be nice to move other security related
(fstack-protector, seecomp) under Security.
What does everyone else think?

Oh and sorry about the gross use of Kconfig CONFIG_ defines, whats a
better way to do this?  static inlines #ifdef CONFIG_XXX in the
headers?

Signed-off-by: Alex Hunsaker <badalex@...il.com>

diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 5b77bda..438eb1d 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -65,20 +65,24 @@

 struct ipv4_devconf ipv4_devconf = {
    .data = {
-       [NET_IPV4_CONF_ACCEPT_REDIRECTS - 1] = 1,
-       [NET_IPV4_CONF_SEND_REDIRECTS - 1] = 1,
+       [NET_IPV4_CONF_ACCEPT_REDIRECTS - 1] = CONFIG_IPV4_ACCEPT_REDIRECTS,
+       [NET_IPV4_CONF_SEND_REDIRECTS - 1] = CONFIG_IPV4_SEND_REDIRECTS,
        [NET_IPV4_CONF_SECURE_REDIRECTS - 1] = 1,
        [NET_IPV4_CONF_SHARED_MEDIA - 1] = 1,
+       [NET_IPV4_CONF_LOG_MARTIANS - 1] = CONFIG_IPV4_LOG_MARTIANS,
+       [NET_IPV4_CONF_RP_FILTER - 1] = CONFIG_IPV4_RP_FILTER,
    },
 };

 static struct ipv4_devconf ipv4_devconf_dflt = {
    .data = {
-       [NET_IPV4_CONF_ACCEPT_REDIRECTS - 1] = 1,
-       [NET_IPV4_CONF_SEND_REDIRECTS - 1] = 1,
+       [NET_IPV4_CONF_ACCEPT_REDIRECTS - 1] = CONFIG_IPV4_ACCEPT_REDIRECTS,
+       [NET_IPV4_CONF_SEND_REDIRECTS - 1] = CONFIG_IPV4_SEND_REDIRECTS,
        [NET_IPV4_CONF_SECURE_REDIRECTS - 1] = 1,
        [NET_IPV4_CONF_SHARED_MEDIA - 1] = 1,
-       [NET_IPV4_CONF_ACCEPT_SOURCE_ROUTE - 1] = 1,
+       [NET_IPV4_CONF_ACCEPT_SOURCE_ROUTE - 1] =
CONFIG_IPV4_ACCEPT_SOURCE_ROUTE,
+       [NET_IPV4_CONF_LOG_MARTIANS - 1] = CONFIG_IPV4_LOG_MARTIANS,
+       [NET_IPV4_CONF_RP_FILTER - 1] = CONFIG_IPV4_RP_FILTER,
    },
 };

diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index a12b08f..99e29e5 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -29,7 +29,7 @@
 #include <net/xfrm.h>

 #ifdef CONFIG_SYSCTL
-#define SYNC_INIT 0 /* let the user enable it */
+#define SYNC_INIT CONFIG_TCP_SYNCOOKIES_ON
 #else
 #define SYNC_INIT 1
 #endif
diff --git a/security/Kconfig b/security/Kconfig
index 460e5c9..e469dd6 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -93,6 +93,8 @@ config SECURITY_ROOTPLUG

      If you are unsure how to answer this question, answer N.

+source security/Kconfig.secure_defaults
+
 source security/selinux/Kconfig

 endmenu
diff --git a/security/Kconfig.secure_defaults b/security/Kconfig.secure_defaults
new file mode 100644
index 0000000..2b2199e
--- /dev/null
+++ b/security/Kconfig.secure_defaults
@@ -0,0 +1,92 @@
+config SECURITY_SECURE_DEFAULTS
+   tristate "Secure defaults"
+   depends on SECURITY
+   help
+       Allows tuning of various kernel knobs to be secure by default.
+       NOTE: all of these have equivalent sysctl options
+
+config SECURITY_MMAP_MIN_ADDR
+   int "default mmap min address"
+   help
+     Help prevent users from exploiting NULL dereferences in the
kernel which have
+     not been discovered yet.
+   range 0 65536
+   depends on SECURITY_SECURE_DEFAULTS
+   default "4096"
+
+
+config SECURITY_TCP_SYNCOOKIES
+   bool "Turn on syncookies by default"
+   help
+     Syncookies can help prevent syn-flood attacks
+     (see Documentation/networking/ip-sysctl.txt for more)
+   depends on SYN_COOKIES
+   depends on SECURITY_SECURE_DEFAULTS
+   default y
+
+config TCP_SYNCOOKIES_ON
+   int
+   default 1 if SECURITY_TCP_SYNCOOKIES
+   default 0
+
+config SECURITY_IPV4_NO_ACCEPT_REDIRECTS
+   bool "Don't accept IMCP redirects"
+   help
+     ICMP redirects can be used to set up MITM attacks and other nasties
+   depends on SECURITY_SECURE_DEFAULTS
+   default y
+
+config IPV4_ACCEPT_REDIRECTS
+   int
+   default 0 if SECURITY_IPV4_NO_ACCEPT_REDIRECTS
+   default 1
+
+config SECURITY_IPV4_NO_SEND_REDIRECTS
+   bool "Don't send IMCP redirects"
+   help
+      Usually only needed if this computer functions as a router of some sort.
+   depends on SECURITY_SECURE_DEFAULTS
+   default y
+
+config IPV4_SEND_REDIRECTS
+   int
+   default 0 if SECURITY_IPV4_NO_SEND_REDIRECTS
+   default 1
+
+config SECURITY_IPV4_NO_ACCEPT_SOURCE_ROUTE
+   bool "Don't accept source routes"
+   help
+     source routed packets are generally not needed and could
potently allow MITM attacks.
+   depends on SECURITY_SECURE_DEFAULTS
+   default y
+
+config IPV4_ACCEPT_SOURCE_ROUTE
+   int
+   default 0 if SECURITY_IPV4_NO_ACCEPT_SOURE_ROUTE
+   default 1
+
+config SECURITY_IPV4_LOG_MARTIANS
+   bool "Log martians by default"
+   depends on SECURITY_SECURE_DEFAULTS
+   help
+     Log packets with impossible addresses to the kernel log
+   default y
+
+config IPV4_LOG_MARTIANS
+   int
+   default 1 if SECURITY_IPV4_LOG_MARTIANS
+   default 0
+
+config SECURITY_IPV4_RP_FILTER
+   bool "Turn on rp_filter by default"
+   depends on SECURITY_SECURE_DEFAULTS
+   help
+     Help protect against spoofed tcp/ip packets.
+     Could cause troubles for complicated networks.
+     (see Documentation/networking/ip-sysctl.txt for more)
+   default y
+
+config IPV4_RP_FILTER
+   int
+   default 1 if SECURITY_IPV4_RP_FILTER
+   default 0
diff --git a/security/security.c b/security/security.c
index 27e5863..d82088c 100644
--- a/security/security.c
+++ b/security/security.c
@@ -64,6 +64,8 @@ int __init security_init(void)
    security_ops = &dummy_security_ops;
    do_security_initcalls();

+   mmap_min_addr = CONFIG_SECURITY_MMAP_MIN_ADDR;
+
    return 0;
 }

Download attachment "secure-defaults.patch" of type "application/octet-stream" (6184 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ