|
From: Boursin O. <oli...@in...> - 2017-09-29 09:07:46
Attachments:
image001.jpg
|
Hello,

I discovered that compilation options were not the same between version 1.6.9 and 1.8.0 according to checksec (https://github.com/slimm609/checksec.sh). In 1.6.9, option "proc-all" told me that processes were all Full RELRO, Stack Canaries, PaX enabled, PIE enabled and Fortify:

checksec.sh --proc-all
* System-wide ASLRPaX ASLR enabled
* Does the CPU support NX: Yes

COMMAND    PID   RELRO       STACK CANARY     SECCOMP     NX/PaX       PIE          FORTIFY
init       1     Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
syslog-ng  1638  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
syslog-ng  1639  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
cron       1657  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
dhcpd      1732  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
sshd       1876  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
jk_socketd 2145  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
ntpd       2150  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
jk_socketd 3223  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
master     4167  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
pickup     4172  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
qmgr       4173  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
agetty     4216  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
agetty     4217  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
agetty     4218  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
agetty     4219  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
agetty     4220  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
agetty     4221  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
procinfo   4222  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
iptstate   4223  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
udevd      4225  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
udevd      4226  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
sshd       4234  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
bash       4236  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
udevd      480   Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes

With version 1.8.0, it seems that only some processes have those hardening mechanisms (example sshd):

checksec.sh --proc-all
* System-wide ASLRPaX ASLR enabled
* Does the CPU support NX: Yes

COMMAND    PID   RELRO       STACK CANARY     SECCOMP     NX/PaX       PIE          FORTIFY
init       1     Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
syslog-ng  1828  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
syslog-ng  1829  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
cron       1851  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
dhcpd      1926  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
sshd       2050  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
jk_socketd 2325  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
ntpd       2329  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
jk_socketd 3347  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
master     4015  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       Yes
qmgr       4019  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       Yes
agetty     4062  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
agetty     4063  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
agetty     4064  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
agetty     4065  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
agetty     4066  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
agetty     4067  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
iptstate   4069  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
udevd      745   Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
pickup     8223  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       Yes
sshd       8413  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
bash       8419  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       Yes

Is there any reason for that?

I know it is possible to build a customized version of Devil-Linux, but I have not found where to check or put customized gcc parameters, so any advice is welcome.

Many thanks,

OB
|
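One way to turn the two checksec listings in the message above into a per-command list of lost protections, as an added example that is not part of the original post. The function names are hypothetical, the sample rows are copied from the listings, and the pattern accepts only the column values that appear in this thread.

```python
import re

# Accepts only the column values seen in this thread's checksec output
# (an assumption; other checksec builds may print further values).
ROW = re.compile(
    r"(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<relro>Full RELRO)\s+"
    r"(?P<canary>Canary found|No canary found)\s+(?P<seccomp>No Seccomp)\s+"
    r"(?P<nx>PaX enabled)\s+(?P<pie>PIE enabled|No PIE)\s+(?P<fortify>Yes|No)\b"
)
# Value that counts as "protection present" for each compared column.
GOOD = {"relro": "Full RELRO", "canary": "Canary found",
        "pie": "PIE enabled", "fortify": "Yes"}

def parse(text):
    """Return {command: {check: bool}}. A check is True only if every listed
    process of that command has it. Works on aligned or flattened output."""
    result = {}
    for m in ROW.finditer(text):
        flags = result.setdefault(m["cmd"], dict.fromkeys(GOOD, True))
        for check, good in GOOD.items():
            flags[check] = flags[check] and m[check] == good
    return result

def regressions(before, after):
    """Return {command: [checks present before and missing after]}."""
    lost = {}
    for cmd, new in after.items():
        old = before.get(cmd)
        if old is None:  # command absent from the older listing
            continue
        dropped = sorted(c for c in GOOD if old[c] and not new[c])
        if dropped:
            lost[cmd] = dropped
    return lost

# Rows copied from the 1.6.9 and 1.8.0 listings in the message.
V169 = """
init 1 Full RELRO Canary found No Seccomp PaX enabled PIE enabled Yes
sshd 1876 Full RELRO Canary found No Seccomp PaX enabled PIE enabled Yes
master 4167 Full RELRO Canary found No Seccomp PaX enabled PIE enabled Yes
bash 4236 Full RELRO Canary found No Seccomp PaX enabled PIE enabled Yes
"""
V180 = """
init 1 Full RELRO No canary found No Seccomp PaX enabled No PIE No
sshd 2050 Full RELRO Canary found No Seccomp PaX enabled PIE enabled Yes
master 4015 Full RELRO No canary found No Seccomp PaX enabled No PIE Yes
bash 8419 Full RELRO No canary found No Seccomp PaX enabled No PIE Yes
"""
```

Commands are matched by name because PIDs differ between boots; rows the pattern does not recognise are skipped, so compare the parsed command count against the listing before relying on the result.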
|
From: Boursin O. <oli...@in...> - 2017-09-28 20:21:26
|
Hello,

I discovered that compilation options were not the same between version 1.6.9 and 1.8.0:

Using a tool like checksec (https://github.com/slimm609/checksec.sh), in 1.6.9 option "proc-all" told me that processes were all Full RELRO, Stack Canaries, PaX enabled, PIE enabled and Fortify (see joined pictures).

With version 1.8.0, it seems that only some processes have those hardening mechanisms (example sshd).

Is there any reason for that?

I know it is possible to build a customized version of Devil-Linux, but I have not found where to put customized gcc parameters, so any advice is welcome.

Many thanks,

OB
|
|
From: Heiko Z. <he...@zu...> - 2017-10-08 14:58:55
|
Olivier,

The behavior must have changed when we switched to the newer gcc version.

Unfortunately we've got a bigger issue right now, which I mentioned in the other email: grsecurity stopped releasing a public patch. Without that, a lot of our security features are useless.

If anybody has an idea what to do, please share. I'm at a loss at the moment...

Heiko

Quoting Boursin Olivier <oli...@in...>:

> Hello,
>
> I discovered that compilation options were not the same between
> version 1.6.9 and 1.8.0 according to checksec
> (https://github.com/slimm609/checksec.sh). In 1.6.9, option “proc-all”
> told me that processes were all Full RELRO, Stack Canaries, PaX
> enabled, PIE enabled and Fortify:
>
> checksec.sh --proc-all
> * System-wide ASLRPaX ASLR enabled
> * Does the CPU support NX: Yes
>
> COMMAND    PID   RELRO       STACK CANARY     SECCOMP     NX/PaX       PIE          FORTIFY
> init       1     Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> syslog-ng  1638  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> syslog-ng  1639  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> cron       1657  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> dhcpd      1732  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> sshd       1876  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> jk_socketd 2145  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> ntpd       2150  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> jk_socketd 3223  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> master     4167  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> pickup     4172  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> qmgr       4173  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> agetty     4216  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> agetty     4217  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> agetty     4218  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> agetty     4219  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> agetty     4220  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> agetty     4221  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> procinfo   4222  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> iptstate   4223  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> udevd      4225  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> udevd      4226  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> sshd       4234  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> bash       4236  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> udevd      480   Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
>
> With version 1.8.0, it seems that only some processes have those
> hardening mechanisms (example sshd):
>
> checksec.sh --proc-all
> * System-wide ASLRPaX ASLR enabled
> * Does the CPU support NX: Yes
>
> COMMAND    PID   RELRO       STACK CANARY     SECCOMP     NX/PaX       PIE          FORTIFY
> init       1     Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
> syslog-ng  1828  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
> syslog-ng  1829  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
> cron       1851  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
> dhcpd      1926  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
> sshd       2050  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> jk_socketd 2325  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
> ntpd       2329  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
> jk_socketd 3347  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
> master     4015  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       Yes
> qmgr       4019  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       Yes
> agetty     4062  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
> agetty     4063  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
> agetty     4064  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
> agetty     4065  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
> agetty     4066  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
> agetty     4067  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
> iptstate   4069  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
> udevd      745   Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       No
> pickup     8223  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       Yes
> sshd       8413  Full RELRO  Canary found     No Seccomp  PaX enabled  PIE enabled  Yes
> bash       8419  Full RELRO  No canary found  No Seccomp  PaX enabled  No PIE       Yes
>
> Is there any reason for that?
>
> I know it is possible to build a customized version of
> Devil-Linux, but I have not found where to check or put customized
> gcc parameters, so any advice is welcome.
>
> Many thanks,
>
> OB

--
Regards
Heiko Zuerker
|