Wednesday, June 2, 2010

SuPHP htaccess php_value _flag php.ini

SkyHi @ Wednesday, June 02, 2010
On suPHP servers you should remove the lines beginning with "php_value" and "php_flag" from your .htaccess file (under suPHP, PHP runs as a CGI, so Apache no longer understands these mod_php directives). Add the settings you want to use to a file named php.ini and upload that php.ini into your public_html directory.
You will need to remove php_value and php_flag from ALL .htaccess files you have.



in httpd.conf
<Directory "/var/www/html/sample.com/html">
Options FollowSymLinks
AllowOverride All
</Directory>


In .htaccess under public_html, add the following (suPHP_ConfigPath names the directory that holds php.ini, not the file itself):
suPHP_ConfigPath /var/www/html/sample.com/html
# deny everyone access to the php.ini file itself
<Files php.ini>
order allow,deny
deny from all
</Files>

<Files ".ht*">
deny from all
</Files>


In php.ini
register_globals = On
post_max_size = 6M
upload_max_filesize = 6M
max_execution_time = 90
max_input_time = 90
....

#NOTE: any setting this custom php.ini does not list keeps its default value (for example memory_limit = 8M). Check with phpinfo().




New custom php.ini settings:
max_execution_time = 160
max_input_time = 160
memory_limit = 50M
post_max_size = 50M
upload_max_filesize = 50M
upload_tmp_dir = "/tmp/phpupload"
display_errors = Off
allow_url_fopen = Off

disable_functions = "dl, exec, shell_exec, system, passthru, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg"

expose_php = Off



Make sure both files are owned by the account's user and group:
chown user:group .htaccess
chown user:group php.ini

To disable these settings again, move the .htaccess and php.ini files out of the way.
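As an added example (not code from the original post or from any of the hosts referenced below), the following Python script parses a custom php.ini and reports which of the hardening settings listed above are missing or weakened. It also flags lines written without the "=" (the .htaccess style), since those never take effect, and it points out that an unlisted setting silently keeps its default value, which is why the note above says to confirm with phpinfo(). The two sample ini texts are constructed for the demonstration and the function names are my own.

```python
"""Audit a custom php.ini against the hardening settings shown above."""

# Settings the custom php.ini above turns Off; anything else is left to the default.
MUST_BE_OFF = ('display_errors', 'allow_url_fopen', 'expose_php')

# A subset of the functions the disable_functions line above blocks (assumption:
# an ini that omits any of these is reported as incomplete).
MUST_BE_DISABLED = {'dl', 'exec', 'shell_exec', 'system', 'passthru', 'popen',
                    'proc_open', 'pfsockopen', 'posix_kill', 'posix_setuid'}

# Spellings PHP accepts for a boolean "off" in php.ini.
OFF_VALUES = {'off', '0', '', 'no', 'false', 'none'}


def parse_php_ini(text):
    """Return ({name: value}, [malformed lines]) for php.ini text.

    Comments (; or #), [section] headers and blank lines are skipped; surrounding
    quotes are stripped from values the way PHP does. A line with no '=' is
    returned separately instead of being guessed at.
    """
    settings, malformed = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';#[':
            continue
        name, sep, value = line.partition('=')
        if not sep:
            malformed.append(line)
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
            value = value[1:-1]
        settings[name.strip().lower()] = value
    return settings, malformed


def audit_php_ini(text):
    """Return a list of findings; an empty list means the ini meets the baseline."""
    settings, malformed = parse_php_ini(text)
    findings = ['malformed line, missing "=": %s' % line for line in malformed]
    for name in MUST_BE_OFF:
        if name not in settings:
            findings.append('%s not set: the default value applies' % name)
        elif settings[name].lower() not in OFF_VALUES:
            findings.append('%s = %s (want Off)' % (name, settings[name]))
    disabled = {f.strip() for f in settings.get('disable_functions', '').split(',')}
    missing = sorted(MUST_BE_DISABLED - disabled)
    if missing:
        findings.append('disable_functions does not cover: ' + ', '.join(missing))
    return findings


# Constructed sample: the first php.ini above, with a missing "=" left in place.
WEAK_INI = """\
register_globals = On
post_max_size 6M
upload_max_filesize = 6M
display_errors = On
"""

# Constructed sample: the hardened php.ini above.
HARDENED_INI = """\
max_execution_time = 160
memory_limit = 50M
display_errors = Off
allow_url_fopen = Off
disable_functions = "dl, exec, shell_exec, system, passthru, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg"
expose_php = Off
"""

if __name__ == '__main__':
    for label, ini in (('weak', WEAK_INI), ('hardened', HARDENED_INI)):
        print(label + ':')
        for finding in audit_php_ini(ini) or ['ok']:
            print('  ' + finding)
```

Run it against a real account's php.ini by passing the file contents to audit_php_ini(); an empty list means every setting above is in force, and "not set" findings are the ones phpinfo() will show at their defaults.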



====================================================

When suPHP is enabled, it is no longer possible to include php_value directives in .htaccess files.

Instead of adding these directives to your .htaccess file, put them in a file called php.ini in the same directory that your script runs in. Most often this will be the public_html directory, but in some cases you will have installed your script in a subdirectory; wherever your script runs is where the php.ini file belongs. Drop the "php_flag" and "php_value" prefix and put an equals sign (=) between the setting and the value.



For example, if your script recommends these settings in a .htaccess file:

php_value upload_max_filesize 10M
php_value post_max_size 10M
php_value max_execution_time 60

Put these directives in a php.ini file instead. Here is the proper syntax:

upload_max_filesize = 10M
post_max_size = 10M
max_execution_time = 60





To correct the permissions on the files and directories (suPHP refuses to run scripts in world-writable files or directories, or files owned by the wrong user):

#!/bin/bash
# Fix ownership and permissions under every cPanel account's public_html.
for path in /var/cpanel/users/*; do
  user=$(basename "$path")
  docroot="/home/${user}/public_html"
  [ -d "$docroot" ] || continue
  chown -R "${user}:${user}" "$docroot"
  chmod 755 "$docroot"
  # files left group-owned by the web server user get the account's group back
  find "$docroot" -group nobody -exec chgrp "$user" {} \;
  # world-writable directories and files are not allowed under suPHP
  find "$docroot" -type d -perm 777 -exec chmod 755 {} \;
  find "$docroot" -type f \( -perm 666 -o -perm 777 \) -exec chmod 644 {} \;
done

To comment out 'php_value' and 'php_flag' lines in every .htaccess file (only .htaccess files are touched, so PHP scripts that happen to contain the word php_value are left alone):

find /home/*/public_html -type f -name .htaccess -exec sed -i -e 's/^[[:space:]]*php_value/###&/' -e 's/^[[:space:]]*php_flag/###&/' {} \;
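The conversion rule above (drop the php_value/php_flag prefix and put "=" between name and value) and the sed one-liner can be combined into one small tool. The Python script below is an added example, not code from the original post or from the referenced hosts: it pulls the mod_php directives out of an .htaccess file, writes them in php.ini syntax (php_flag values become On/Off), and comments the originals out in place so that nothing else in the .htaccess file changes. The sample .htaccess content is constructed and the function names are my own.

```python
import os
import re

# One mod_php directive:  php_value <name> <value>   or   php_flag <name> on|off
DIRECTIVE = re.compile(r'^\s*(php_value|php_flag)\s+(\S+)\s+(.*?)\s*$', re.IGNORECASE)


def htaccess_to_php_ini(htaccess_text):
    """Split .htaccess text into (php.ini text, rewritten .htaccess text).

    php_value lines become 'name = value'; php_flag lines become 'name = On'
    or 'name = Off'. Every other line is kept verbatim, and each converted
    directive is left behind as a comment so the change can be reviewed and
    reverted: Apache ignores comment lines, only a live directive causes
    the error when mod_php is not loaded.
    """
    ini_lines, kept_lines = [], []
    for line in htaccess_text.splitlines():
        m = DIRECTIVE.match(line)
        if m is None:
            kept_lines.append(line)
            continue
        kind, name, value = m.group(1).lower(), m.group(2), m.group(3)
        if kind == 'php_flag':
            value = 'On' if value.lower() in ('on', '1', 'true', 'yes') else 'Off'
        ini_lines.append('%s = %s' % (name, value))
        kept_lines.append('# moved to php.ini: ' + line.strip())
    ini_text = ''.join(l + '\n' for l in ini_lines)
    kept_text = ''.join(l + '\n' for l in kept_lines)
    return ini_text, kept_text


def convert_htaccess_file(htaccess_path):
    """Rewrite one .htaccess file in place and append its directives to the
    php.ini in the same directory (the directory the scripts run in, as
    explained above). Returns the php.ini path, or None if there was nothing
    to convert."""
    with open(htaccess_path) as fh:
        ini_text, kept_text = htaccess_to_php_ini(fh.read())
    if not ini_text:
        return None
    ini_path = os.path.join(os.path.dirname(htaccess_path) or '.', 'php.ini')
    with open(ini_path, 'a') as fh:
        fh.write(ini_text)
    with open(htaccess_path, 'w') as fh:
        fh.write(kept_text)
    return ini_path


# Constructed sample .htaccess mixing mod_php directives with ordinary Apache ones.
SAMPLE_HTACCESS = """\
Options -Indexes
php_value upload_max_filesize 10M
php_flag register_globals off
php_value max_execution_time 60
  php_flag display_errors On
<Files php.ini>
deny from all
</Files>
"""

if __name__ == '__main__':
    ini_text, kept_text = htaccess_to_php_ini(SAMPLE_HTACCESS)
    print('--- php.ini ---\n' + ini_text)
    print('--- .htaccess ---\n' + kept_text)
```

To apply it across a server, feed convert_htaccess_file() the paths that find /home/*/public_html -name .htaccess produces; because the php.ini is appended to rather than overwritten, an existing php.ini in the directory keeps its settings.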



REFERENCES

http://www.hostingcustomers.com/showthread.php?tid=416

http://support.lunarpages.com/knowledge_bases/article/319

http://forums.cpanel.net/f5/switching-suphp-remove-php_value-correct-permission-98649.html
http://www.xxoom.com/linux/htaccess-suphp-php_value-_flag-php-ini

http://www.debiantutorials.net/tag/apache/

Stock CentOS with PHP SuPHP suhosin

SkyHi @ Wednesday, June 02, 2010

From PhoenixWing
This article pertains to installing PHP from source code, along with the suhosin hardening patch and extension, and the SuPHP PHP wrapper on a CentOS 5.x Linux system.

REMEMBER Always make backups!






Necessary RPMs

The following non-PHP-related RPMs were installed:
httpd httpd-devel mysql mysql-server mysql-devel
mod_ssl mod_auth_mysql perl-DBD-MySQL
In my case, I replaced the stock CentOS MySQL RPMs with the ones from dev.mysql.com:
MySQL-client-community-5.1.22-0.rhel5.i386.rpm
MySQL-devel-community-5.1.22-0.rhel5.i386.rpm
MySQL-server-community-5.1.22-0.rhel5.i386.rpm
MySQL-shared-compat-5.1.22-0.rhel5.i386.rpm



Optional RPMs

I consider these to be mandatory on a modern web server for the simple reason that nearly all web developers use third-party web applications that make use of them. Graphics utilities like GD and ImageMagick are used by most forum and bulletin board applications, and even security software such as CAPTCHAs may use GD and/or ImageMagick. Other additions include mod_python and mod_perl for those web developers who want cutting-edge scripting abilities. With "cutting edge" in mind, I also have a habit of including the following (and all their dependencies):
mod_perl mod_python libtidy libtidy-devel
gd gd-devel gd-progs ImageMagick ImageMagick-devel ImageMagick-perl



Download PHP, suhosin & SuPHP, then patch

  • I set up a directory on a large partition for my own compiles at /storage/compile/ and store my downloads in /storage/tarballs/; however, you can place the downloads wherever you see fit. At my place of employment, we store tarballs and source to be compiled in /usr/src/SCRIPTS/.
  • Untar/gunzip PHP, the suhosin extension and the patch file. Place the patch file outside of the PHP source directory:
mv suhosin-patch-5.2.5-0.9.6.2.patch /storage/compile/
  • Copy the suhosin extension source code into the PHP source tree's ext/suhosin directory:
cp -pr suhosin-0.9.22 /storage/compile/php-5.2.5/ext/suhosin
  • From inside the PHP source directory (/storage/compile/php-5.2.5/), patch PHP with the suhosin patch:
patch -p1 -i ../suhosin-patch-5.2.5-0.9.6.2.patch
  • If successful, you should see something similar to:
patching file TSRM/TSRM.h
patching file TSRM/tsrm_virtual_cwd.c
patching file TSRM/tsrm_virtual_cwd.h
patching file Zend/Makefile.am
patching file Zend/Zend.dsp
...
patching file sapi/apache/mod_php5.c
patching file sapi/apache2filter/sapi_apache2.c
patching file sapi/apache2handler/sapi_apache2.c
patching file sapi/cgi/cgi_main.c
patching file sapi/cli/php_cli.c
patching file win32/build/config.w32



Configure & Compile PHP

  • Change to the PHP source directory:
cd /storage/compile/php-5.2.5/
  • Configure:
./buildconf --force

./configure --prefix=/usr --sysconfdir=/etc --with-config-file-path=/etc \
--enable-cgi --enable-force-cgi-redirect --enable-discard-path --with-mysql=/usr \
--enable-mbstring --with-bz2 --with-curl --enable-bcmath --enable-exif --with-gd \
--enable-gd-native-ttf --with-gettext --with-png-dir=/usr --with-jpeg-dir=/usr \
--with-freetype-dir=/usr --with-zlib --enable-calendar --with-openssl --with-gmp \
--enable-ftp --enable-magic-quotes --with-mcrypt --with-mhash --enable-ctype \
--enable-tidy --enable-dom --with-libxml-dir=/usr --enable-libxml --enable-xml \
--enable-xmlreader --enable-xmlwriter --enable-zip --enable-shmop --enable-wddx \
--with-pear --enable-pdo --with-pdo-mysql=/usr --disable-embedded-mysqli \
--with-mysqli=/usr/bin/mysql_config --enable-inline-optimization --enable-suhosin
  • Compile:
make
make test
make install
  • Copy the php.ini file to /etc:
cp ./php.ini-recommended /etc/php.ini
  • Edit /etc/php.ini to suit. I recommend the following changes:
Change:
short_open_tag = Off
To:
short_open_tag = On

Change (lets you see full error messages):
log_errors_max_len = 1024
To:
log_errors_max_len = 0

Change (security):
magic_quotes_gpc = Off
To:
magic_quotes_gpc = On

Change:
upload_max_filesize = 2M
To:
upload_max_filesize = 16M

Change (I've seen this needed by many apps, such as Gallery, http://gallery.sf.net):
allow_url_include = Off
To:
allow_url_include = On

Change (Set to your timezone, as found in /usr/share/zoneinfo/):
;date.timezone =
To:
date.timezone = America/Phoenix



Install SuPHP

  • Untar/gunzip SuPHP source code, and go into the directory
cd /storage/compile/suphp-0.6.2
  • HACK: Edit the following with your favorite editor:
nano src/apache2/mod_suphp.c
- Find lines 324 and 325 (suphp 0.6.2) and add RSRC_CONF to the directive context, so that suPHP_AddHandler and suPHP_RemoveHandler are accepted in the main server configuration and VirtualHost sections as well as in directory context:
Change Line 324:
... suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, ACCESS_CONF, ...
To:
... suPHP_AddHandler", suphp_handle_cmd_add_handler, NULL, RSRC_CONF | ACCESS_CONF, ...
Change Line 325:
... suPHP_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, ACCESS_CONF, ...
To:
... suPHP_RemoveHandler", suphp_handle_cmd_remove_handler, NULL, RSRC_CONF | ACCESS_CONF, ...
  • Configure suphp:
./configure --prefix=/usr --sysconfdir=/etc --enable-checkpath \
--with-apr=/usr --with-apxs=/usr/sbin/apxs --with-setid-mode=paranoid --with-min-uid=100 \
--with-min-gid=500 --with-apache-user=apache --with-logfile=/var/log/httpd/suphp_log

make
make install
  • Copy configuration file to /etc:
cp doc/suphp.conf-example /etc/suphp.conf
  • Create mod_suphp.conf file for apache:
cd /etc/httpd/conf.d/
nano -w mod_suphp.conf (or your editor of choice: vi, joe, elvis, etc)
  • mod_suphp.conf contents:
# This is the Apache server configuration file providing suPHP support.
# It contains the configuration directives to instruct the server how to
# serve php pages while switching to the user context before rendering.
LoadModule suphp_module modules/mod_suphp.so

# This option tells mod_suphp if a PHP-script requested on this server (or
# VirtualHost) should be run with the PHP-interpreter or returned to the
# browser "as it is".
suPHP_Engine on

# To use suPHP to parse PHP-Files
AddHandler x-httpd-php .php .php5 .php4 .php3 .phtml

# This option tells mod_suphp which path to pass on to the PHP-interpreter
# (by setting the PHPRC environment variable).
# Do *NOT* refer to a file but to the directory the file resides in.
#
# E.g.: If you want to use "/path/to/server/config/php.ini", use "suPHP_Config
# /path/to/server/config".
#
# If you don't use this option, PHP will use its compiled in default path.
suPHP_ConfigPath /etc

# If you compiled suphp with setid-mode "force" or "paranoid", you can
# specify the user- and groupname to run PHP-scripts with.
# Example: suPHP_UserGroup foouser bargroup
#
# -NOTE- WE SET THIS ON A PER VHOST SETTING. DON'T SET HERE
#
# suPHP_UserGroup apache apache

# This option tells mod_suphp to handle requests with the type <mime-type>.
# Please note this only works, if an action for the handler is specified
# in the suPHP configuration file.
suPHP_AddHandler x-httpd-php

# This option tells mod_suphp to NOT handle requests with the type <mime-type>.
# suPHP_RemoveHandler <mime-type>
  • Edit /etc/suphp.conf:
Change:
logfile=/var/log/suphp.log
To:
logfile=/var/log/httpd/suphp_log

Change:
webserver_user=wwwrun
To:
webserver_user=apache

Change:
docroot=/
To:
docroot=/var/www/virtual/

Change (if you're not concerned with security):
errors_to_browser=false
To:
errors_to_browser=true

Change:
umask=0077
To:
umask=0133

Change:
min_gid=100
To:
min_gid=500

Change:
x-httpd-php=php:/usr/bin/php
To:
x-httpd-php=php:/usr/bin/php-cgi



Editing Apache and suPHP Configs

  • First, I want to stop mod_php (the PHP Apache module) from loading on startup, if it exists. To do this, rename the PHP module config file:
mv /etc/httpd/conf.d/php.conf /etc/httpd/conf.d/php.conf.orig2007
  • Next, edit the /etc/httpd/conf/httpd.conf file. In this example, we'll comment out a few global defaults and make a few minor changes:
Change (For security reasons):
ServerTokens OS
To:
ServerTokens Prod

Change to your liking:

StartServers       8
MinSpareServers    5
MaxSpareServers   20
ServerLimit      256
MaxClients       256
MaxRequestsPerChild  4000

Example:

StartServers      10
MinSpareServers   10
MaxSpareServers   25
ServerLimit     1024
MaxClients      1024
MaxRequestsPerChild  4000



Change (if uncommented):
ServerName www.example.com:80
To:
#ServerName www.example.com:80


Change:
DirectoryIndex index.html index.html.var
To:
DirectoryIndex index.php index.html index.htm index.html.var


Change:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
To: (comment it out)
#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined


Change:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
To: (comment out example, copy and change end from "combinedio" to "combined")
#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combined


Change:
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
To: (comment out global scope)
#ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"


Change (the stock cgi-bin directory block):

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

To: (comment out)
#<Directory "/var/www/cgi-bin">
#    AllowOverride None
#    Options None
#    Order allow,deny
#    Allow from all
#</Directory>
Now add NameVirtualHost and VirtualHost directives. Note that I have included "suPHP_UserGroup userid groupid", which is required for suPHP to work properly, and I have also enabled suEXEC for CGI scripts. Example:
NameVirtualHost ip.add.re.ss:80

<VirtualHost ip.add.re.ss:80>
    ServerAdmin webmaster@int.domain
    ServerName web.int.domain
    ServerAlias *.web.int.domain

    SuexecUserGroup userid groupid
    suPHP_UserGroup userid groupid
    ErrorLog logs/web.int.domain-error_log
    CustomLog logs/web.int.domain-access_log combined

    DocumentRoot /var/www/virtual/default_vhost/htdocs
    <Directory "/var/www/virtual/default_vhost/htdocs">
        Options -Indexes SymLinksIfOwnerMatch
        AllowOverride Options FileInfo AuthConfig Limit
    </Directory>

    ScriptAlias /cgi-bin/ "/var/www/virtual/default_vhost/cgi-bin/"
    <Directory "/var/www/virtual/default_vhost/cgi-bin">
        AllowOverride None
        Options SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    # Personal addition to disable TRACE method in Apache
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
</VirtualHost>





Editing /etc/php.ini

Change the following under [Session]:
session.save_path = "/tmp/sess"
Create the directory if necessary, and give it the same sticky, world-writable permissions as /tmp:
chmod 1777 /tmp/sess



Creating a new /tmp partition if none exists

If a separate /tmp partition was not created when the system was installed, you can create one on a loopback file as follows (add a matching entry to /etc/fstab if the mount should survive a reboot):
cd /dev

# Create a 500MB file to hold our /tmp filesystem. If you need
# more or less space, make count larger or smaller.
dd if=/dev/zero of=tmpMnt bs=1024 count=500000

# Make an ext3 filesystem inside the tmpMnt file
/sbin/mke2fs -j /dev/tmpMnt

# Back up your /tmp dir, preserving ownership and permissions. I had a
# mysql.sock file that I needed to recreate the symbolic link for; other
# programs may use /tmp to store cache files or whatever.
cd /
cp -a /tmp /tmp_backup

# Mount the new /tmp filesystem read/write with noexec and nosuid, so
# nothing dropped there can be executed or gain privileges, and set the
# sticky world-writable permissions /tmp needs.
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
chmod 1777 /tmp

# Copy everything (dotfiles included) back to the new /tmp and remove the backup
cp -a /tmp_backup/. /tmp/
rm -rf /tmp_backup
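To confirm that the loopback /tmp actually came up with the intended options, and to catch the case where /tmp is not a separate mount at all, the following Python check is an added example, not part of the original wiki article. It parses /proc/mounts and reports which of the expected options are missing. The sample mount table is constructed and the function names are my own; nodev is shown as an optional extra because it is a common further hardening step, although the mount command above does not set it.

```python
"""Check that /tmp is a separate mount carrying noexec and nosuid."""

# Options the mount command above sets. nodev is not set by the steps above,
# so it is not required by default (assumption: pass it in when wanted).
REQUIRED_TMP_OPTIONS = ('noexec', 'nosuid')


def parse_proc_mounts(text):
    """Parse /proc/mounts text into a list of (device, mountpoint, fstype, options set).

    Each line is 'device mountpoint fstype options dump pass'; a space inside
    a path is escaped by the kernel as \\040, which is undone here.
    """
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        device, mountpoint, fstype, options = parts[:4]
        mountpoint = mountpoint.replace('\\040', ' ')
        mounts.append((device, mountpoint, fstype, set(options.split(','))))
    return mounts


def missing_mount_options(mounts, mountpoint, required=REQUIRED_TMP_OPTIONS):
    """Return the required options absent on `mountpoint`, sorted, or None when
    `mountpoint` is not a mount point at all (it then simply lives on the parent
    filesystem, with whatever options that has)."""
    for _device, path, _fstype, options in mounts:
        if path == mountpoint:
            return sorted(set(required) - options)
    return None


def check_live_tmp(required=REQUIRED_TMP_OPTIONS):
    """Run the check against this host's /proc/mounts."""
    with open('/proc/mounts') as fh:
        return missing_mount_options(parse_proc_mounts(fh.read()), '/tmp', required)


# Constructed sample: the layout the steps above produce (the loop-mounted /tmp
# shows up as /dev/loop0), plus a /dev/shm left with default options.
SAMPLE_PROC_MOUNTS = """\
/dev/mapper/VolGroup00-LogVol00 / ext3 rw,data=ordered 0 0
proc /proc proc rw 0 0
/dev/sda1 /boot ext3 rw,data=ordered 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec,data=ordered 0 0
tmpfs /dev/shm tmpfs rw 0 0
"""

if __name__ == '__main__':
    mounts = parse_proc_mounts(SAMPLE_PROC_MOUNTS)
    for path in ('/tmp', '/dev/shm', '/var/tmp'):
        missing = missing_mount_options(mounts, path, ('noexec', 'nosuid', 'nodev'))
        if missing is None:
            print('%s: not a separate mount' % path)
        else:
            print('%s: missing %s' % (path, ', '.join(missing) or 'nothing'))
```

A None result is the finding to act on first: a /tmp that is not its own mount inherits the root filesystem's options, so noexec and nosuid are not in effect there no matter what the mount command said.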


REFERENCES
http://www.phoenixwing.com/wiki/Stock_CentOS_with_PHP_SuPHP_suhosin#Download_PHP.2C_suhosin_.26_SuPHP.2C_then_patch

How to configure grsec on a Cpanel box

SkyHi @ Wednesday, June 02, 2010
First let's start by moving into the correct directory:
cd /usr/src
Now let's download the kernel from kernel.org:
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.27.10.tar.gz
Let's unpack the tar file now:
tar zxvf linux-2.6.27.10.tar.gz
We also need to create a symlink:
ln -s linux-2.6.27.10 linux
Let's grab the grsec patch:
wget http://grsecurity.net/grsecurity-2.1.12-2.6.27.10-200812271347.patch.gz
Let's unpack the grsec patch:
gzip -d grsecurity-2.1.12-2.6.27.10-200812271347.patch.gz
Let's apply the patch now:
patch -p0 < grsecurity-2.1.12-2.6.27.10-200812271347.patch
We will need to copy the current kernel config into the new kernel tree:
cd /boot
Let's look at the contents:
ls
The current config should look something like this:
config-2.6.18-x
Let's copy it to the new kernel location and rename it to .config (don't forget to change the "x" to the correct name):
cp config-2.6.18-x /usr/src/linux/.config
Now we need to move back to our new kernel directory:
cd /usr/src/linux
Let's go ahead and start configuring it:
make menuconfig
Note: If you get an error saying "Please upgrade your binutils to 2.18 or newer" please go to this link
For cPanel to continue working without errors, let's use these settings:
arrow down to "Security options" and press enter
Press enter on "Grsecurity"
Now in the new window press spacebar on "Grsecurity"
arrow down to "Security Level (Custom)" and press enter
Then arrow to "Medium" and press the spacebar
Then use the "" until it asks whether you want to save, and choose yes
Once the config is saved we need to start compiling; with && each step only runs if the previous one succeeded:
make bzImage && make modules && make modules_install && make install
Note: If you get an error saying "Please upgrade your binutils to 2.18 or newer" please go to this link
Now it should be added to /boot/grub/menu.lst; you can check by doing the following:
cat /boot/grub/menu.lst
It should look something like this:
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00
#          initrd /initrd-version.img
#boot=/dev/sda
default=1
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.27.10-grsec)
       root (hd0,0)
       kernel /vmlinuz-2.6.27.10 ro root=/dev/VolGroup00/LogVol00
       initrd /initrd-2.6.27.10.img
title CentOS (2.6.18-92.el5)
       root (hd0,0)
       kernel /vmlinuz-2.6.18-92.el5 ro root=/dev/VolGroup00/LogVol00
       initrd /initrd-2.6.18-92.el5.img 
Please note that the locations of the kernel and initrd might not be the same as ours; this is just to give you an idea of how the new kernel is added above the current one.
Now change it to look like the following (we change default=1 to default=0, which selects the new kernel):
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00
#          initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.27.10-grsec)
       root (hd0,0)
       kernel /vmlinuz-2.6.27.10 ro root=/dev/VolGroup00/LogVol00
       initrd /initrd-2.6.27.10.img
title CentOS (2.6.18-92.el5)
       root (hd0,0)
       kernel /vmlinuz-2.6.18-92.el5 ro root=/dev/VolGroup00/LogVol00
       initrd /initrd-2.6.18-92.el5.img 
Now reboot the machine and it should come up with the new kernel!
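Before rebooting it is worth confirming from the file, rather than by eye, that default= really points at the grsec entry and that the kernel and initrd it names exist under /boot. The Python check below is an added example, not code from the original how-to: it parses a GRUB legacy menu.lst and reports which entry will boot. The two menu.lst versions shown above are embedded as a template (constructed sample input) and the function names are my own.

```python
import os


def parse_grub_menu(text):
    """Return (default_index, entries) from GRUB legacy menu.lst text.

    entries is a list of dicts {'title', 'kernel', 'initrd'} in file order,
    which is the order default= indexes from 0. Comments and blank lines are skipped.
    """
    default = 0
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('default='):
            default = int(line.split('=', 1)[1].strip())
        elif line.startswith('title'):
            entries.append({'title': line[len('title'):].strip(), 'kernel': None, 'initrd': None})
        elif entries and line.split()[0] in ('kernel', 'initrd'):
            # first word after the keyword is the image path; the rest are boot args
            entries[-1][line.split()[0]] = line.split()[1]
    return default, entries


def boot_entry(text):
    """The entry GRUB will boot unattended, or None if default= is out of range."""
    default, entries = parse_grub_menu(text)
    if 0 <= default < len(entries):
        return entries[default]
    return None


def will_boot_grsec(text):
    """True when the default entry's title mentions grsec."""
    entry = boot_entry(text)
    return entry is not None and 'grsec' in entry['title'].lower()


def missing_boot_files(entry, boot_dir='/boot', exists=os.path.exists):
    """Kernel/initrd paths from `entry` that do not exist on disk. With a separate
    /boot partition (the root (hd0,0) case above) menu.lst paths are relative to /boot."""
    paths = [boot_dir + entry[key] for key in ('kernel', 'initrd') if entry[key]]
    return [p for p in paths if not exists(p)]


# The menu.lst shown above as a template, so both the before (default=1) and
# after (default=0) versions can be checked.
MENU_TEMPLATE = """\
# grub.conf generated by anaconda
#boot=/dev/sda
default=%d
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.27.10-grsec)
       root (hd0,0)
       kernel /vmlinuz-2.6.27.10 ro root=/dev/VolGroup00/LogVol00
       initrd /initrd-2.6.27.10.img
title CentOS (2.6.18-92.el5)
       root (hd0,0)
       kernel /vmlinuz-2.6.18-92.el5 ro root=/dev/VolGroup00/LogVol00
       initrd /initrd-2.6.18-92.el5.img
"""
MENU_BEFORE = MENU_TEMPLATE % 1
MENU_AFTER = MENU_TEMPLATE % 0

if __name__ == '__main__':
    for label, menu in (('before', MENU_BEFORE), ('after', MENU_AFTER)):
        entry = boot_entry(menu)
        print('%s: default boots %r, grsec=%s' % (label, entry['title'], will_boot_grsec(menu)))
    print('missing under /boot: %r' % missing_boot_files(boot_entry(MENU_AFTER)))
```

On the real box, read /boot/grub/menu.lst into boot_entry() and missing_boot_files(); an empty missing list and will_boot_grsec() returning True are the two things to see before typing reboot.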


REFERENCES
http://wiki.fiber-hosting.com/Cpanel-with-grsec-how-to

Linux Kernel Security (SELinux vs AppArmor vs Grsecurity)

SkyHi @ Wednesday, June 02, 2010

The Linux kernel is the central component of the Linux operating system. It is responsible for managing the system's resources, the communication between hardware and software, and security. The kernel plays a critical role in supporting security at higher levels. Unfortunately, a stock kernel is not hardened out of the box. There are several important Linux kernel patches that secure your box. They differ significantly in how they are administered and how they integrate into the system. They also allow for easy control of access between processes and objects, processes and other processes, and objects and other objects. The following pros and cons list is based upon my personal experience.


SELinux


Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies for Linux kernel. It is included with CentOS / RHEL / Fedora Linux, Debian / Ubuntu, Suse, Slackware and many other distributions.


SELinux features


  1. Clean separation of policy from enforcement
  2. Well-defined policy interfaces
  3. Support for applications querying the policy and enforcing access control
  4. Independent of specific policies and policy languages
  5. Independent of specific security label formats and contents
  6. Individual labels and controls for kernel objects and services
  7. Caching of access decisions for efficiency
  8. Support for policy changes
  9. Separate measures for protecting system integrity (domain-type) and data confidentiality (multilevel security)
  10. Very flexible policy
  11. Controls over process initialization and inheritance and program execution
  12. Controls over file systems, directories, files, and open file descriptors
  13. Controls over sockets, messages, and network interfaces
  14. Controls over use of "capabilities"

Pros and Cons


  • Admin skill set (learning curve) - High
  • Complex and powerful access control mechanism - Yes
  • Detailed configuration required - Yes
  • GUI tools to write / modify rules set - Yes
  • CLI tools to write / modify rules set - Yes (see list of commands here)
  • Ease of use - No (often described as horrible to use)
  • Binary package - Available for most Linux distributions
  • System performance impact: None
  • Security Framework: Mandatory access controls using Flask
  • Auditing and logging supported - Yes
  • Typical user base - Enterprise users
  • Documentation - Well documented

=> Official project website : nsa.gov


AppArmor


AppArmor (Application Armor) is another security system for Linux, maintained and released by Novell under the GPL. AppArmor was created as an alternative to SELinux and works with file paths. According to the official Novell FAQ:


AppArmor is the most effective and easy-to-use Linux application security system available on the market today. AppArmor is a security framework that proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good program behavior and preventing even unknown software flaws from being exploited. AppArmor security profiles completely define what system resources individual programs can access, and with what privileges. A number of default policies are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor policies for even very complex applications can be deployed successfully in a matter of hours.


AppArmor is the default in openSUSE and SUSE Linux Enterprise. It was first successfully packaged for Ubuntu Linux.


Features


  1. Full integration.
  2. Easy deployment.
  3. AppArmor includes a full suite of console and YaST-based tools to help you develop, deploy and maintain application security policies.
  4. Protects the operating system, custom and third-party applications from both external and internal threats by enforcing appropriate application behavior.
  5. Reporting and alerting. Built-in features allow you to schedule detailed event reports and configure alerts based on user-defined events.
  6. Sub-process confinement. AppArmor allows you to define security policies for individual Perl and PHP scripts for tighter Web-server security.

Pros and Cons


  • Admin skill set (learning curve) - Medium
  • Complex and powerful access control mechanism - Yes.
  • Detailed configuration required - Yes.
  • GUI tools to write / modify rules set - Yes (yast2 and wizards).
  • CLI tools to write / modify rules set - Yes.
  • Ease of use - Yes (often described as less complex and easier for the average user to learn than SELinux).
  • Binary package - Available for Ubuntu / Suse / Opensuse and distros.
  • System performance impact - None.
  • Security Framework - Mandatory access controls.
  • Auditing and logging supported - Yes.
  • Typical user base - Enterprise users.
  • Documentation - Documented (mostly available from Opensuse and Suse enterprise Linux).

=> Official project website : novell.com


grsecurity


grsecurity is a set of patches for the Linux kernel with an emphasis on enhancing security. It utilizes a multi-layered detection, prevention, and containment model. It is licensed under the GPL.


Features


  1. An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
  2. Change root (chroot) hardening
  3. /tmp race prevention
  4. Extensive auditing
  5. Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc)
  6. Prevention of arbitrary code execution in the kernel
  7. Randomization of the stack, library, and heap bases
  8. Kernel stack base randomization
  9. Protection against exploitable null-pointer dereference bugs in the kernel
  10. Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
  11. A restriction that allows a user to only view his/her processes
  12. Security alerts and audits that contain the IP address of the person causing the alert

Pros and Cons


  • Admin skill set (learning curve) - Low.
  • Complex and powerful access control mechanism - No (it is simpler to administer than other two implementations. Also, policies are simpler to create, since there are no roles or complicated domain/file transitions).
  • Detailed configuration required - No (works in learning mode).
  • GUI tools to write / modify rules set - No.
  • CLI tools to write / modify rules set - Yes (gradm tool).
  • Ease of use - Yes.
  • Binary package - Available for Ubuntu / RHEL / CentOS / Debian distros.
  • System performance impact - None.
  • Security Framework - Mandatory access controls (precisely, it is a RBAC implementation) using access control lists.
  • Auditing and logging supported - Yes.
  • Typical user base - Webserver and hosting companies.
  • Documentation - unfortunately, is not well documented.

=> Official project website : grsecurity.net


Conclusion:


All three offer very good protection, and I would select between them based upon the following simple criteria:


  • New user / ease of use : Grsecurity
  • Easy to understand policy and tools : AppArmor
  • Most powerful access control mechanism : SELinux












































FeatureSELinuxAppArmorgrsecurity
AutomatedNo (audit2allow and system-config-selinux)Yes (Yast wizard)Yes (auto traning / gradm)
Powerful policy setupYes (very complex)Yes Yes
Default and recommended integrationCentOS / RedHat / DebianSuse / OpenSuseAny Linux distribution
Training and vendor supportYes (Redhat)Yes (Novell)No (community forum and lists)
Recommend forAdvanced userNew / advanced userNew users
FeaturePathname based system does not require labelling or relabelling filesystemAttaches labels to all files, processes and objectsACLs

My personal choice is grsecurity, as it is easier to use and offers many other security features. I've used SELinux as it is the default choice under RHEL; AppArmor I have only tested in a lab under openSUSE. I suggest you download and install all three patches (also available as binary deb and rpm packages) and compare them for your setup to gain a deeper understanding of their differences.



Installing a grsec-patched kernel on a CentOS 5 or RHEL 5 server

SkyHi @ Wednesday, June 02, 2010


REFERENCES
http://www.dufault.info/blog/installing-a-grsec-patched-kernel-on-a-centos-5-or-rhel-5-server/

cPanel Tutorial

SkyHi @ Wednesday, June 02, 2010