Secure SLinux - The Hardened Server Linux

Secure-SLinux Server V0.3.1stable binary installation

AUTHOR: Sebastian Faulborn

DATE: 2006/08/26

UPDATE: 2006/09/10 sslx-first_boot is not executable and must hence be started as /bin/bash /usr/bin/sslx-first_boot

ALL PACKAGES: a list of all packages installed with Secure-SLinux can be found here

LICENSE: GPL (see the license of the individual software packages)

SYNOPSIS: Installation of binary archive of Secure-SLinux Server (SSLX-Server)

CONTENTS:

...

Requirements:

To run SSLX-Server you need at least:

64MB RAM (recommended 256MB RAM or better)

i386 compatible architecture with i586 compatible processor or better (you can compile from source for i486)

2GB harddisk space (recommended 10GB for root partition and 1GB for swap on raid1)

For specific purposes such as embedded systems, you can tailor SSLX-Server so that it will consume a lot less RAM/harddisk space (down to a few MB).

Download:

Download the most recent SSLX-Server binary archive from here.

Documentation:

The core of Secure-SLinux is based on HLFS (glibc branch). Some additional packages are installed according to the instructions in BLFS and further packages are installed according to the package developer's instructions. Both HLFS and BLFS are subprojects of Linux From Scratch. The Linux From Scratch Project provides excellent documentation. Most of Secure-SLinux's configuration must be done as described in the HLFS book. So please have a look there since this documentation will only cover differences to HLFS.

Other places to look for documentation:

Linux From Scratch - the core of Secure-SLinux

linux.org - lots of docu, HOWTOs, etc.

gnu.org - the home of most of the software packages

kernel.org - the source of the linux kernel

google for "linux [package name]" or "linux [problem]" etc.

Quick Installation:

create partitions - at least swap 1GB and root 10GB

format with ext3 or reiserfs

create mount point /mnt/sslx and mount the new root partition

extract the binary archive to /mnt/sslx

configure:
/etc/sysconfig/console
/etc/hosts
/etc/sysconfig/network-devices/ifconfig.eth0/ipv4
/etc/sysconfig/network
/etc/fstab
/boot/grub/menu.lst
/etc/sysconfig/clock

install grub bootloader into MBR

reboot into Secure-SLinux installation

execute /bin/bash /usr/bin/sslx-first_boot

configure samhain and postfix and remove their files from /etc/rc.d/off.d

add a login-user with groups admin and suers and shell /bin/bash, set password

Installation:

This documentation assumes that you will be installing SSLX-Server on a harddisk of its own using the SSLX-CD live-cd. It is possible to use other linux live-cds. However some linux distros patch their filesystem commands such that extra features become available. If you create partitions/filesystem from within such distros, Secure-SLinux may not be able to boot. Also the SSLX-CD can be ejected while it is running which allows you to copy data from a second cd to the harddisk.

Creating partitions

Also have a look at "HLFS/Chapter03/Creating a New Partition".

Secure-SLinux boots with an initrd which should automatically detect your IDE/SCSI hardware. If the SSLX-CD did not detect your hardware, load your driver with insmode/modprobe.

For simplicity, we will assume in this documentation that you will install Secure-SLinux on a IDE harddisk (/dev/hdX). If you will install on a SCSI harddisk, your device will be /dev/sdX or even something totally different (eg. raid controller).

Secure-SLinux needs at least two partitions to run: swap and root.

swap partition
The swap partition needs to be greater than 512MB since Secure-SLinux by default mounts /tmp on a 512MB tmpfs filesystem. Since tmpfs lives on swap, we need more than that size. 1GB will be plenty for all applications.

There used to be a rather small limit for swap partitions so that people used to create lots of swap partitions in order to get the required ammount of swap. This limit does not exist anymore - so you only need on swap partition. If you use raid1 or some other raid to protect against harddisk failure, make sure that swap lives on your raid array. Otherwise your server will hang when a harddisk fails.

If you want to use a smaller swap partition, adjust the size if /tmp in /etc/fstab.

root partition (/)
Secure-SLinux will be about 950MB in size. So 1GB will be fine, but won't allow you to install much additional software or keep large amounts of data. If your root partition should ever become to small in size, you will spend a lot if time fixing this problem. Modern harddisks come with at least 36GB, so we recommend that you are a bit more generous with your root partition - 10GB will make sure you don't run into problems.

boot partition (/boot)
There seems to be a competition between motherboards and harddisks. The size of modern harddisks increases faster than the BIOS can support. The current limit for most BIOS's is 137GB or above. If your harddisk is larger in size than the BIOS's limit, you will only be able to access the lower part of your harddisk during the boot process. Secure-SLinux can access any sized harddisk once it is up and running. So the restriction only applies for the location of the bootloader and the kernel (ie. /boot/...).

The simplest solution is to always make sure that the /boot partition is the first primary partition starting at the beginning of the harddisk. If you don't want a seperate /boot partition, make sure that your root partition is located on the first primary partition starting at the beginning of the harddisk and that it does not exceed the BIOS's limit on harddisk sizes.

The advantages of a seperate boot partition: you have everything needed for booting on a seperate partition which helps in case of recovery and you can format it with a different filesystem than your root partition making it compatible with any recovery floppy/cd/dvd. You can make sure that this partition is located at the beginning of the harddisk which removes the restrictions on all the remaining partitions. Also /boot is used read-only (although its mounted rw, but linux itself does not write to /boot). This means if somethings hangs and you need to turn off your server while it is running, /boot will still be in a clean state since no writes are done to this partition.

100MB will be plenty for any purposes.

other partitions
Traditionally people used to create lots of extra partitions, such as /usr, /usr/local, /opt, /home, etc. The main reason originally was that harddisks were so small that the OS would not fit on a single harddisk. This is also one reason why linux comes with such a complex directory structure. Nowadays harddisk are much larger than even the biggest OS, so the only practical reasons for partitioning your harddisk are a) to choose among different filesystems for different purposes b) mount different directories with different (restrictive) options for security reasons c) seperate those partitions which contain variable content from the rest to make sure that if an application floods the harddisk, the other partitions are not affected and to OS keeps running.

Recommendations for Secure-SLinux:

Don't put /usr on a seperate partition otherwise Secure-SLinux won't boot

It is recommended to put /var on a seperate partition (5GB is plenty for almost all applications)

/tmp lives by default on a 512MB tmpfs

You can optionally place /usr/local and/or /opt on seperate partitions where you can install your own applications (Secure-SLinux does not use /usr/local or /opt for its files). Recommendation: don't bother and make your root partition large enough for all your programms.

You can place /home on a seperate partition if you allow lots of people to log into your server, to seperate their files from the rest of the system (otherwise don't bother)

It is recommended to create one extra partition to hold your projects including their data, software downloads and binaries. You can mount it at /data or /srv and create your own directory structure there. The recommended size is all of the remaining harddisk capacity.

Note: the more partitions you have the more difficult it becomes estimating in advance the required size for each partition.

The recommended layout for almost any server usage:

/boot: 100MB, first primary partition located at the beginning of your harddisk (ext3)

swap: 1GB (swap)

/: 10GB (reiserfs or ext3)

/var: 5GB (reiserfs or ext3)

/data: rest (reiserfs or ext3)

Start fdisk or cdfisk to create the partitions. All partitions should be of type 83 (linux) except for swap which has type 82 (linux swap). For software raids use type fd (Linux raid autodetect).

Formating partitions

Secure-SLinux recommends two filesystems: ext3 and reiserfs.

ext3
Ext3 is based on ext2. It has been on the market for ages. It is stable and fast. It is a journalling filesystem.

reiserfs
Is stable. Claims to be somewhat faster in certain situations than ext3. It is a journalling filesystem.

We recommend that you use ext3 for /boot or if you use a single root partition since ext3 can be accessed by any rescue floppy/cdrom and even by most other operating systems. This makes recovery easier. Reiserfs is recommended for database applications.

So the recommended layout is as follows:

/boot: ext3

swap: swap

/: ext3 or reiserfs (ext3 if its the only partition)

other partitions: ext3 or reiserfs

Create swap: mkswap /dev/[swap partition]
Create ext3: mkfs.ext3 /dev/[partition]
Create reiserfs: mkfs.reiserfs /dev/[partition]

Mounting partitions

Create a mount point for Secure-Slinux: mkdir /mnt/sslx
mount root: mount /dev/[root partition] /mnt/sslx
mount /boot: mkdir /mnt/sslx/boot && mount /dev/[boot partition] /mnt/sslx/boot
mount other partitions: mkdir /mnt/sslx/[mount point] && mount /dev/[partition] /mnt/sslx/[mount point]

Copying the binary archive to /mnt/sslx

There are several ways how you can get the binary archive onto your harddisk:

eject the live-cd and insert a second cd with the binary archive

burn the live-cd in multisession mode and append the archive at the end of the live-cd

start the network and download the archive using wget, ftp (use ncftp), lynx or scp from the Secure-SLinux homepage or some other computer in your local network

Check the md5 sum of the archive: md5sum /mnt/sslx/[archive]

Installing Secure-SLinux

... is a matter of unpacking the binary archive.

cd /mnt/sslx

tar xf [name of the binary archive].tar.bz2

Configuration:

Configuring the setclock Script

If your hardware clock in the BIOS is set to UTC set UTC=1 in /etc/sysconfig/clock - otherwise leave it:

cat > /etc/sysconfig/clock << "EOF"
# Begin /etc/sysconfig/clock

UTC=1

# End /etc/sysconfig/clock
EOF

It doesn't matter wether you set the hardware clock to UTC or localtime. If you also use your computer together with other operating systems then you must use whatever the other OSes are using as their clock settings. For example Windows uses localtime.

If unsure leave it as it is.

Note: Secure-SLinux runs by default once per day NTP which sets the time according to time servers on the internet. When you shutdown Secure-SLinux, the hardware clock will be updated to the current system time.

Configuring the Linux Console

Edit "/etc/sysconfig/console" to set the font and keyboard. The defaults are set for Germany.

Setting the locale

Secure-SLinux sets the locale to "en_US". This setting is guaranteed to work with all software.

Most distros tell you to set the locale to your language/country. However the locale system is nowadays used by just very few utilities to display help messages in your language and format the date or currencies correctly. Most modern applications such as databases, web-servers, editors or OpenOffice will handle locales in their own ways since they fullfill a much more complex task which cannot be handled with linux's locale system. For example databases have to be able to handle all languages at the same time. You might edit a XML file in UTF-8 in one window and a HTML file in ISO-8859-1 in another window. Your letter might be written in German and contains a quote in French!

If you are happy reading man pages in English, we recommend you leave the settings as is. It make sure that all applications run without problems. If you choose to set the locale to something different (possibly because your language needs something different than ISO-8859-1 character encoding), note:

Read documentation about locales: use man/info on locale resp. localedef.

"locale -a" shows you all locales installed on your system.

On some locales, certain special characters can cause problems and the man pages are not displayed correctly.

Secure-SLinux does not support UTF-8.

Originally linux only supported "language_COUNTRY". Now it is recommended to also include the character encoding (eg. de_DE.8859-1) - however lots of programs are confused by this (some software packages in the core of Secure-SLinux do not compile with such a locale).

Some programs do not compile with exotic locales (eg. perl modules don't compile in UTF-8 local).

A lot of software which is not part of a core linux system only supports English messages, so what ever you set the locale to, you will only get English output.

You will still be able to use your language's special characters even if you don't set the locale to your language/country as long as you set the keyboard/font correctly (see configuring console).

Configuring the localnet Script

We assume here, that your server is called "myserver" and your domain is "my-company.com". The fully qualified name of your server will then be "myserver.my-company.com".

Set the hostname of your server by editing "/etc/sysconfig/network" (eg. myserver).

Configuring the /etc/hosts File

Edit "/etc/hosts" to setup some basic name resolution.

Add a line representing your server. If the ip is "192.168.1.27" add:

192.168.1.27 myserver.my-company.com myserver

Configuring the network Script

edit "/etc/sysconfig/network-devices/ifconfig.eth0/ipv4" to set the IP, Gateway and PREFIX of your first network card. You also need to set ONBOOT to "yes" (note: case sensitive).

Have a look at "HLFS/Chapter 07/Configuring the network Script". There are also other services available, such as "ipv4-static" and "ipv4-static-route". The latter allows you to setup routing tables.

If you want to setup more than one interface, create directories like "/etc/sysconfig/network-devices/ifconfig.eth1" etc. with corresponding contents.

If you want to setup more than one ip per interface, create directories like "/etc/sysconfig/network-devices/ifconfig.eth0", "/etc/.../ifconfig.eth0:0", "/etc/.../ifconfig.eth0:1", etc. with corresponding contents.

Configuring name resolution

Usually there is no need to edit "/etc/resolv.conf" since Secure-SLinux comes with its own name server (dnscache). If you have a localnet with several servers it is recommended that you install tinydns or some alternative on one of the servers and configure dnscache on each server to use the tinydns server as its source. See the documentation at djbs dnscache homepage.

The advantage of dnscache over other solutions is:

Its secure: it runs chrooted as a non-privileged user

Its known to be stable

It only accepts authentic sources for DNS queries

Configuring the /etc/fstab

Edit "/etc/fstab" to reflect your partitions.

Making the HLFS System Bootable

Edit "/boot/grub/menu.lst" to create the desired boot menu on startup.
Also read "HLFS/Chapter 07/Making the HLFS System Bootable".

Secure-SLinux comes with a variaty of precompiled kernels:

2.6.17.8-grsec-sslx-single: all patches, all security options (grsec/pax) active, single processor

2.6.17.8-grsec-sslx-smp: all patches, all security options (grsec/pax) active, multi processor

2.6.17.8-grsec-sslx-livecd: all patches, all security options (grsec/pax) active except for PAX options which kill testsuites (use when compiling Secure-SLinux from source), single processor

2.6.17.8-grsec-sslx-grsec-off: all patches, all security options (grsec/pax) disabled, single processor

2.6.17.8-sslx-no-patches:no patches, single processor (this kernel does not have frandom support so certain applications may not work correctly).

The kernel images in /boot will be prepended by "linux-", the corresponding System.map files with "System.map-" and the corresponding ".config" files with "config-".

A typical entry in menu.lst looks as follows:

title Secure-SLinux V0.3.1stable
root (hd1,0)
kernel /boot/linux-2.6.17.8-grsec-sslx-single root=/dev/ram0 ramdisk_size=50000 vga=0x31B sslx_root=/dev/md2
initrd /boot/initrd.gz

if "/boot" is on a seperate partition from "/", ommit "/boot". Eg. "/boot/initrd.gz" becomes "/initrd.gz". The same holds for the path to the kernel.

grub's "root" command can also be used in the main section above the first entry. In this case all entries will be loaded from the same root device unless an entry has its own root command.

set sslx_root to the partition where "/" will be mounted

Secure-SLinux boots with framebuffer support (see documentation at "fb/vesafb.txt" in the kernel documentation). Use the vga parameter as follows (or remove it completely to boot with default resolution without framebuffers):

    | 640x480  800x600  1024x768 1280x1024
----+-------------------------------------
256 |  0x301    0x303    0x305    0x307
32k |  0x310    0x313    0x316    0x319
64k |  0x311    0x314    0x317    0x31A
16M |  0x312    0x315    0x318    0x31B

Note: in the menu.lst it says that Secure-SLinux is by default configured for 1024x768. That is wrong - it is actually configured for 1280x1024.

see the description on how to compile the kernel if you want to modify the initrd (add drivers, change linuxrc script, etc.)

Install the bootloader in the MBR:

Note: "root" in this context means the partition which contains /boot/grub/*

start grub by entering: "grub"

set grubs root (where /boot/grub is located) - eg. for /dev/hda2: root (hd0,1)

install grub into the harddisks MBR - eg. for /dev/hda: setup (hd0)

quit grub: quit

Note: there is no need to setup grub again when you change menu.lst (as you would for lilo).

Boot into Secure-SLinux installation

reboot: reboot

The root password for the new Secure-SLinux installation is empty (ie. press [return])

After booting into the new Secure-SLinux installation:

Recreate the sshd keys, recreate keys for samhain, set root password:

Enter: /bin/bash /usr/bin/sslx-first_boot

Note:

you can use "sslx-gen_passwd [length]" to create random passwords

it is best to call sslx-first_boot as the last step of your installation to make sure that the random number generators had a chance to gather enough entropy before generating keys. Right after booting into Secure-SLinux the first time, the entropy will be somewhat predictable. When you boot Secure-SLinux normally, there is no entropy problem, since Secure-SLinux stores some entropy when it shutsdown which is used after booting.

Congratulations! You have successfully installed Secure-SLinux on your server!

Adding users and security:

If you were trying to login to Secure-SLinux from the outside right now, you would not be able to succeed - whatever you do! You need to understand how Secure-SLinux handles users before you can login via sshd.

Sshd and security

Sshd cannot drop privileges since it needs to be able become any user during the login process. To make the process as secure as possible, Secure-SLinux uses all available means of protecting you from unwanted intruders.

Please also read the documentation at www.openssh.com

OpenSSH handles connections as follows:

There is a single privileged sshd process which accepts all ssh connections. Basically its job is the same as that of xinetd. If you would run sshd from xinetd, sshd would have to generate the server key every time which would make logins rather slow - so using sshd for receiving connections for itself is a lot faster. The server key will be regenerated once every hour.
When you connect to Secure-SLinux, this first process spawns off a second privileged process which does all the handling of the connection and the login. Finally a third process is spawned which runs under the same user which you used for loging in.
When ever possible, processes are run chrooted within an empty directory (/var/empty). Since GRSecurity enforces chroots, it will be impossible to break out of this empty directory.

Since the third process runs under the user which you used for loging in, and since it is not possible to run this process inside a chroot environment, there is a security problem should there be a bug in OpenSSH. So its a lot safer to only login as an unprivileged user and change later using "su" to whatever else you want so that this unprotected process never runs as root. For this reason, root logins are disallowed by default.

Other reasons for disallowing root logins are:

You need a lot more knowledge about the system to login: a) the fact that root login is not permitted b) the name of the user c) the password of the user d) the password of root.

The administrator should only use root when needed. Its not safe to login as root and do all your work as root. Instead login as an unprivileged user and change to root as needed.

Sshd and authentification

There are two recommended ways to authorize when you login.

username/password: simple and secure if password is random and larger than eight characters in length

public/private key authorization with passphrase: More secure since the key behaves like a very long password. You need to have two things to login: the key and the passphrase. The passphrase should still be as long/secure as a password.

Sshd and tcpwrapper

Tcpwrapper restricts connections from the outside according to the files "/etc/hosts.allow" and "/etc/hosts.deny".

By default Secure-SLinux is setup to allow all connections to ssh. This is not insecure since ssh is by its very nature very hard to break into. However for highest security, limit connections to specific IPs (eg. your company). If you do not have a static IP (such as when working from home) you can still limit connections to your provider. Eg. all connections from your provider have the domain name "[something].myprovider.net" (login und have a look at "who" to find out) then put into "/etc/hosts.allow": "sshd: 127.0.0.1,.myprovider.net". This increases security a lot since a hacker won't know why he is not allowed to make connections and hackers usually don't attack your servers from dynamic connections via some provider since those connections are too easily traced back to their origins.

Creating users

Basically to log into Secure-SLinux you have to create an unprivileged user.

Some mainstream linux distros have wrapped useradd with a script which automatically creates groups and directories. Secure-SLinux comes with the original useradd program. It is configured to automatically create users with the default shell "/sbin/nologin" - which disables logins for such users (you can configure this behaviour in "/etc/default/useradd"). The reason is that most users on most servers are used to allow the daemons to run in unprivileged mode. Also Secure-SLinux follows the policy: everything is disallowed until it is specifically allowed.

If you want to create a user (under the default group "users") which you can use for login enter:

useradd -m -s /bin/bash [newuser]

The -m option creates a home directory "/home/[newuser]" and copies all files in "/etc/skel" to this new directory.

To set a password enter: passwd [newuser]

Allowing su

There are certain commands on linux which are installed suid root. This is potentially dangerous. For this reason all such commands have the suid permission removed apart from those commands contained in "/usr/suid-bin".

This means that some commands will only as root have all their functionallity available (eg. traceroute, nmap). All other commands belong to the group "admin" apart from "su" which belongs to "suers". Only "ping" and "passwd" are accessible by all users. This means that if you need to use those commands listed in "suid-bin", you will have to add the groups "admin" or "suers" to your user.

To create a user which allows you to change to root, enter:

useradd -m -s /bin/bash --groups suers [newuser]

This user can now change to root or any other user with "su - [user]"

To create a user which allows you to change to root and which can access all admin suid root commands, enter:

useradd -m -s /bin/bash --groups admin,suers [newuser]

Cronjobs:

Secure-SLinux has fcron installed which replaces vixie cron and the at daemon. With fcron you can run programs delayed, once after boot, repeatedly, only when the load is low, etc. Have a look at fcron.free.fr. Basically fcron should be 100% compatible with vixie cron's syntax. Instead of using "crontab" simply use "fcrontab" to edit your configuration. You can also drop scripts into the directories "/etc/fcron.d/{hourly,daily,weekly,monthly}" to run them at the apropriate intervalls. By default Secure-SLinux has certain cronjobs installed under the fcron user "root" and "systab".

Firewall:

Secure-SLinux starts the iptables packet filter capability of the linux kernel during the boot process. By default you can open any connection from the inside to the outside but no connections are allowed from the outside to the inside except for established connections and sshd.

Due to the very powerfull capabilities of linux's packet filter, only a few rules are necessary to achieve this - even for such complex rules such as ftp connections. The default rules are pretty safe for most purposes, however if you want to use your linux box as a firewall between the internet and your intranet or as a gateway etc. you may want to use more limiting rules (such as disabling sshd totally and only allow login from the console).

/etc/rc.d/init.d/iptables start: sets the iptables rules as specified

/etc/rc.d/init.d/iptables lock: completely blocks the firewall except for lo

/etc/rc.d/init.d/iptables clear: completely opens the firewall

/etc/rc.d/init.d/iptables status: shows the current rules

When you start the firewall, the script "/etc/sysconfig/firewall.base" is called which sets up the firewall such that no connections are allowed from the outside and all connections are allowed from the inside. This script calls "/etc/sysconfig/firewall.conf" which can be used to open up the firewall. By default it only opens up the firewall for connections to sshd.

Every server - even within the intranet behind a firewall - should have its own packet filtering. So leave the firewall for your protection.

You should normally only edit firewall.conf except when you use your server as a firewall or gateway, etc.

It is recommended that you leave the sshd configuration as is and limit sshd by editing "/etc/hosts.allow" as described under "tcp_wrapper".

It is safe to have your box open for connections from the inside. Once one used to limit connections from the inside too, but there are too many ways one can overcome this protection so it really just makes you "feel" more safe but causes all sorts of difficulties when administrating your linux box. You can use the grsecurity options in the kernel to restrict certain users in what sockets they are allowed to open.

TCP_Wrapper:

Secure-SLinux has TCP_Wrapper support. Sshd is compiled with it. The advantage of TCP_Wrapper over iptables is that iptables can only handle rules based on ip while TCP_Wrapper also supports rules based on DNS names and more importantly partial names.

We recommend you limit access to sshd to specific IPs. If that is not possible because you want to access your server from home and your provider only supports dynamic IPs, you can still limit access to your provider. See the documentation about sshd above.

Configure "/etc/hosts.allow". "/etc/hosts.deny" can usually be left as is (everything disallowed until it is specifically allowed).

EMails:

If you need to setup a full email server, we recommend qmail by djb. QMail is used by some of the largest email providers. There is an excellent documentation at www.lifewithqmail.org.

QMail is fast and extremely robust. Its installation is a bit lengthy but simple. Once installed administration is much simpler than most other mta's. You will need a few patches to make qmail work with the newest email standards, overly long DNS answers and to be able to use anti virus checkers (all explained in the documentation).

Secure-SLinux comes with postfix. Its already setup for relaying emails via your provider. Please read the postfix documentation here.

To setup postfix as an email relay:

edit /etc/postfix/main.cf

set "myhostname" to your fully qualified server name (eg. myserver.my-company.com)

set "mydomain" to your server's domain name (eg. my-company.com). An email to eg. "root" will then be forwarded to "root@my-company.com".

set "relayhost" to the ip/domain of your relay provider (optionally with port - eg. "mail.myprovider.com:25"). Note: the port can be different for ssl connections).

set "smtp_use_tls" to configure ssl/tls. Note: you should only use authorized connections with ssl/tls.

create /etc/postfix/sasl_passwd:

cat > /etc/postfix/sasl_passwd <<"EOF"
mail.myprovider.com   user:password
EOF

edit /etc/postfix/aliases and set at least the root alias to your admin's email address (first entry)

recreate databases: enter "newaliases" and "postmap /etc/postfix/sasl_passwd"

remove /etc/rc.d/off.d/postfix

When you boot the next time into Secure-SLinux, postfix will automatically be started.
You can ignore the error messages during startup of postfix about wrong owner of files.

If you want to configure postfix as a email system, see the postfix documentation.

Samhain:

Samhain is a file integrity checker and intrusion detection system. Please read the documentation here.

edit /etc/samhainrc to suit your needs (in a lot of cases you can leave it as is).

recreate the database with "samhain -t update"

remove /etc/rc.d/off.d/samhain

When you boot the next time into Secure-SLinux, samhain will automatically be started.

GRSecurity:

GRSecurity is one of the measurements used to harden Secure-SLinux. It will kill applications if they do something which they are not permitted to do. You can configure GRSecurity via options in the kernel (make menuconfig -> security) and there are some sysctl options (sysctl -a shows you a list of available options) which you can change.

have a look at www.grsecurity.net for more information

use gradm to set up security rules

by default signal logging is turned on which means you will sometimes see signal 11 messages in /var/log/syslog. This does not mean that GRSecurity killed that application - it just shows that there was such a signal which was send to the killed application. Unfortunately the log does not reveal which application send the signal - it just tells you the parent process. This happens especially with multithreaded java applications (eg. web servers) since java's threading is based on processes. Don't worry - this is totally normal. If you get too many messages you can tell syslog-ng to filter those messages and send them to an alternative log file.

By default all options are enabled except those which make X-Windows impossible to run (privileged IO and kmem).

Basically grsecurity should not normally kill a perfectly sane application. It greatly enhances security especially by strengthening the chroot restrictions. On normal linux systems, it is still possible to break out of a chroot jail (by using /proc or some device nodes or the chroot() function). GRSecurity will disallow anything dangerous within a chroot jail. So setting up chroot jails for problematic services (eg. web servers or email) is definitively a goot idea.

PAX:

Pax is now part of GRSecurity. Its homepage is pax.grsecurity.net.

Pax kills an application if it accesses the memory in a way which it is not allowed to (eg. if an application tries to execute code in memory allocated for data or the stack). If an application gets killed unexpectedly then it has probably been killed by pax (in rare circumstances by glibc - eg. memory management). You will see a message in /var/log/syslog which makes clear that pax killed that application and why.

By default all pax options are enabled. You can disable certain features on a per binary base with paxctl/chpax or in general with some sysctl options or in the kernel itself (make menuconfig -> security).

Use "paxctl -v [full path to binary]" to see the current settings. On binaries which have not been compiled with pax enabled kernels or on old systems, you will see no output of paxctl. In those cases use chpax with the same syntax - it operates on the older headers of those binaries. Note that if a binary uses libraries or calles other binaries you will always have to change the pax flags of the first binary started (unless the binaries started create completely new processes). So if the plugins in your firefox browser don't start, you will have to change the pax settings of the firefox binary and not those of the plugins (however not on the firefox script!).

In very rare circumstances, an application tries to execute code on the stack (eg. some browser plugins). To allow such applications to run, use "execstack" to change the binary's headers accordingly (if paxctl -m does not help - see its man page for details).

Most of the time, you will have to use "paxctl -m " to make something work.

If you install java in /opt (the binaries from sun), you will have to execute "chpax -pemrxs /path /to/jdk/{jre,}/bin/*" to make it work

I keep getting the message: "error while loading shared libraries: cannot make segment writable for relocation: Permission denied."
This error occurs since Secure-SLinux has "Disallow ELF text relocations" enabled in the kernel and you want to use binaries/libraries which contain text relocations. Secure-SLinux makes sure that all binaries/libraries are compiled PIC/PIE which means they are relocateable. However some software which you install may contain text relocations (often assembly). Try to compile from sources. Secure-SLinux will try to compile as PIC/PIE. If that does not help recompile with all assembly disabled. If thats not possible try "paxctl -m/chpax -m". If that does not help either you will have to disable that feature in the kernel. This does decrease security a lot since most attacks need to know where certain functions are located and pax cannot randomly move binaries/libraries in the address space.

SSP and PIC/PIE:

Secure-SLinux compiles every software with SSP and PIC/PIE enabled. SSP (see the introduction to HLFS) kills an application if the stack has been changed illegally by a function. This applies especially to pointers (return address) and variables stored on the stack. Basically the pointers are placed at the beginning and variables at the end. A random number is placed at the end of the stack. If there is a buffer overflow in a function, this random number will change and the application is killed. In this simple way, your computer is protected from one of the single most common ways of attack.

PIC/PIE (see the introduction to HLFS) compiles a program/library in such a way that its code can be moved to any location when it is executed. Pax will move the program to a random address when it is started so that a hacker does not know where a specific function is located. This is one of the most important informations a hacker needs when he wants to attack your computer by using eg. a buffer overflow to break into your machine.

Only if you compile software from source will those features be enabled (or use the binaries specifically compiled for Secure-SLinux). So compiling from source can improve security a lot compared to binary installs.
In very rare cases, your program might not work when compiled with SSP or PIC/PIE. You can turn of gcc's hardened specs by executing "sslx-gcc-hardenedspecs stop" before you compile your software. Don't forget to use "sslx-gcc-hardenedspecs start" when you are finished to make sure that future compilations will use the hardened specs again.

Compiling the kernel:

The directory /usr/src/kernel/sslx contains everything which has to do with compiling the kernel. It is recommended that you leave this directory as is since it contains the state of precompiled kernel images as provided by Secure-SLinux.

/usr/src/kernel/sslx/:

boot: a copy of the contents of /boot. If you mess up /boot you can recover by copying files from this dir.

initrd: contains a copy of the work dir of the precompiled initrd.gz

linux-2.6.17.8.tar.bz2: the currently used kernel

patches: all the patches for the kernel as applied by Secure-SLinux

scripts: helper scripts for compiling the kernel and regenerating initrd.gz

compiling the kernel

create an empty directory: mkdir /usr/src/kernel/mykernel && cd /usr/src/kernel/mykernel

unpack and patch the kernel: /usr/src/kernel/sslx/scripts/sslx-patch_kernel && cd linux-2.6.17.8

copy the configuration: cp /usr/src/kernel/sslx/boot/config-2.6.17.8-grsec-sslx-single .config

edit options: make menuconfig

compile kernel: sslx-kernel-make

install new kernel: cp arch/i386/boot/bzImage /boot/mykernel

Note:

"make bzImage" will fail since gcc by default uses hardenedspecs which the kernel does not support. Use "sslx-kernel-make" instead which will also call "make modules_install" (which installs all modules in /lib/modules). It will also copy the contents of /usr/src/kernel/static-modules to /lib/modules. This allows you to simply drop any precompiled modules (eg. proprietary drivers) to the corresponding directory in static-modules.

Every kernel has its own name which can be set with the kernel option "General setup/Local version - append to kernel release". This allows you to name a kernel and its System.map to "linux-[version]-myName" and "System.map-myName". The modules will be copied to their own respective directories in /lib (also see the multiple kernel hint at LFS).

Creating the initrd.gz

create an empty directory: mkdir -p /usr/src/kernel/myinitrd/initrd.d && cd /usr/src/kernel/myinitrd/initrd.d

fill the directory: /usr/src/kernel/sslx/scripts/sslx-create_initrd.d

add files, edit linuxrc

configure etc/rootfs.conf

create initrd.gz: /usr/src/kernel/sslx/scripts/sslx-create_initrd_image

install initrd.gz: cp initrd.gz /boot/myInitrd.gz

Note:

etc/rootfs.conf is called just before mounting the rootfs. It should mount the root filesystem. You can add here more complex task such as starting raid, encrypt root or lvm2.

sslx-create_initrd.d copies all modules from all kernels which are necessary to start IDE and/or SCSI. You may add or remove modules as needed. Other modules (eg. network drivers) are automatically loaded when /sbin/init has been started. So they should not be added to the initrd.

Secure-SLinux comes with loop-aes. It is automatically added to the initrd and will be started by rootfs.conf. Make sure that you disable "loop device" in the kernel - otherwise loop-aes or any other loop won't work (see the loop-aes documentation).

Compiling in general:

By default, gcc uses the hardened specs. Use "sslx-gcc-hardened-specs start|stop" to turn this feature on or off. If enabled, gcc will compile everything with SSP and PIC.

Most software packages use "uname" to find out for which architecture they are supposed to compile the software for. Secure-SLinux allows you to configure uname by editing /etc/sslx-uname.conf. Basically this allows you to cross compile a package for another architecture. Note that you can only compile software for architectures which are compatible with your processor (eg. i686 can compile for i586 but i486 cannot compile for i686).

You can specify the architecture (i486/i586/i686) and the processor type. If the architecture is set to "*" then the real architecture/processor are used and uname behaves as normal. Other settings replace the real architecure/processor. If you set processor to "unknown" and architecture to "i586" your binaries will run on any current machine (this is the default for Secure-SLinux). Use "uname.orig -a" to find out your machines real architecure and processor.

Note: A few packages don't use uname to check the architecure (eg, perl and openssl).

Helper applications:

memtest86: There is an entry for memtest86 in /boot/grub/menu.lst. To use memtest86 you need to reboot and select its entry in grub. Memtest86 is an excellent memory and hardware checker. It checks for faulty memory and communication/timing problems between CPU/cache/memory and motherboard. It is best to leave this program running for a few hours until the hardware has become hot to check for problems which arise because of heating. Never install an important production server before checking the hardware!