635 lines
14 KiB
HTML
635 lines
14 KiB
HTML
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Kernel Security</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
|
REL="HOME"
|
|
TITLE="Linux Security HOWTO"
|
|
HREF="index.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Password Security and Encryption "
|
|
HREF="password-security.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Network Security"
|
|
HREF="network-security.html"></HEAD
|
|
><BODY
|
|
CLASS="sect1"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>Linux Security HOWTO</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="password-security.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
></TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="network-security.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="sect1"
|
|
><H1
|
|
CLASS="sect1"
|
|
><A
|
|
NAME="kernel-security"
|
|
></A
|
|
>7. Kernel Security</H1
|
|
><P
|
|
> This is a description of the kernel configuration options that relate
|
|
to security, and an explanation of what they do, and how to use them.
|
|
</P
|
|
><P
|
|
> As the kernel controls your computer's networking, it is important
|
|
that it be very secure, and not be
|
|
compromised. To prevent some of the latest networking attacks, you
|
|
should try to keep your kernel version current. You can find new
|
|
kernels at <A
|
|
HREF="ftp://ftp.kernel.org"
|
|
TARGET="_top"
|
|
>�</A
|
|
> or from your distribution
|
|
vendor.
|
|
</P
|
|
><P
|
|
> There is also a international group providing a single unified crypto
|
|
patch to the mainstream Linux kernel. This patch provides support for
|
|
a number of cryptographic subsystems and things that cannot be
|
|
included in the mainstream kernel due to export restrictions. For more
|
|
information, visit their web page at: <A
|
|
HREF="http://www.kerneli.org"
|
|
TARGET="_top"
|
|
>http://www.kerneli.org</A
|
|
>
|
|
</P
|
|
><DIV
|
|
CLASS="sect2"
|
|
><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="AEN735"
|
|
></A
|
|
>7.1. 2.0 Kernel Compile Options</H2
|
|
><P
|
|
> For 2.0.x kernels, the following options apply. You should see these
|
|
options during the kernel configuration process. Many of the comments
|
|
here are from <TT
|
|
CLASS="literal"
|
|
>./linux/Documentation/Configure.help</TT
|
|
>, which is
|
|
the same document that is referenced while using the Help facility during
|
|
the <TT
|
|
CLASS="literal"
|
|
>make config</TT
|
|
> stage of compiling the kernel.
|
|
</P
|
|
><P
|
|
>
|
|
<P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
> Network Firewalls
|
|
(CONFIG_FIREWALL)
|
|
</P
|
|
><P
|
|
> This option should be on if you intend to run any firewalling or
|
|
masquerading on your Linux machine. If it's just going to be a regular
|
|
client machine, it's safe to say no.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> IP: forwarding/gatewaying
|
|
(CONFIG_IP_FORWARD)
|
|
</P
|
|
><P
|
|
> If you enable IP forwarding, your Linux box essentially becomes a
|
|
router. If your machine is on a network, you could be forwarding data
|
|
from one network to another, and perhaps subverting a firewall that
|
|
was put there to prevent this from happening. Normal dial-up users
|
|
will want to disable this, and other users should concentrate on the
|
|
security implications of doing this. Firewall machines will want this
|
|
enabled, and used in conjunction with firewall software.
|
|
</P
|
|
><P
|
|
> You can enable IP forwarding dynamically using the following command:
|
|
</P
|
|
><P
|
|
>
|
|
<TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> root# echo 1 > /proc/sys/net/ipv4/ip_forward
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
>
|
|
|
|
and disable it with the command:
|
|
|
|
<TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> root# echo 0 > /proc/sys/net/ipv4/ip_forward
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
>
|
|
|
|
Keep in mind the files in /proc are "virtual" files and the shown size
|
|
of the file might not reflect the data output from it.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> IP: syn cookies
|
|
(CONFIG_SYN_COOKIES)
|
|
</P
|
|
><P
|
|
> a "SYN Attack" is a denial of service (DoS) attack that consumes all the
|
|
resources on your machine, forcing you to reboot. We can't think of a
|
|
reason you wouldn't normally enable this. In the 2.2.x kernel series
|
|
this config option merely allows syn cookies, but does not enable
|
|
them. To enable them, you have to do:
|
|
</P
|
|
><P
|
|
>
|
|
<TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> root# echo 1 > /proc/sys/net/ipv4/tcp_syncookies <P>
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
>
|
|
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> IP: Firewalling
|
|
(CONFIG_IP_FIREWALL)
|
|
</P
|
|
><P
|
|
> This option is necessary if you are going to configure your machine as
|
|
a firewall, do masquerading, or wish to protect your dial-up
|
|
workstation from someone entering via your PPP dial-up interface.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> IP: firewall packet logging
|
|
(CONFIG_IP_FIREWALL_VERBOSE)
|
|
</P
|
|
><P
|
|
> This option gives you information about packets your firewall
|
|
received, like sender, recipient, port, etc.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> IP: Drop source routed frames
|
|
(CONFIG_IP_NOSR)
|
|
</P
|
|
><P
|
|
> This option should be enabled. Source routed frames contain the
|
|
entire path to their destination inside of the packet. This means
|
|
that routers through which the packet goes do not need to inspect it,
|
|
and just forward it on. This could lead to data entering your system
|
|
that may be a potential exploit.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> IP: masquerading
|
|
(CONFIG_IP_MASQUERADE)
|
|
If one of the computers on your local network for which your Linux
|
|
box acts as a firewall wants to send something to the outside, your
|
|
box can "masquerade" as that host, i.e., it forewords the traffic
|
|
to the intended destination, but makes it look like it came from the
|
|
firewall box itself. See <A
|
|
HREF="http://www.indyramp.com/masq"
|
|
TARGET="_top"
|
|
>http://www.indyramp.com/masq</A
|
|
> for more information.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> IP: ICMP masquerading
|
|
(CONFIG_IP_MASQUERADE_ICMP)
|
|
This option adds ICMP masquerading to the previous option of only
|
|
masquerading TCP or UDP traffic.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> IP: transparent proxy support
|
|
(CONFIG_IP_TRANSPARENT_PROXY)
|
|
This enables your Linux firewall to transparently redirect any
|
|
network traffic originating from the local network and
|
|
destined for a remote host to a local server, called a "transparent
|
|
proxy server". This makes the local computers think they are talking
|
|
to the remote end, while in fact they are connected to the local proxy.
|
|
See the IP-Masquerading HOWTO and <A
|
|
HREF="http://www.indyramp.com/masq"
|
|
TARGET="_top"
|
|
>http://www.indyramp.com/masq</A
|
|
> for more information.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> IP: always defragment
|
|
(CONFIG_IP_ALWAYS_DEFRAG)
|
|
</P
|
|
><P
|
|
> Generally this option is disabled, but if you are building a firewall
|
|
or a masquerading host, you will want to enable it. When data is sent
|
|
from one host to another, it does not always get sent as a single
|
|
packet of data, but rather it is fragmented into several pieces. The
|
|
problem with this is that the port numbers are only stored in the
|
|
first fragment. This means that someone can insert information into
|
|
the remaining packets that isn't supposed to be there.
|
|
It could also prevent a teardrop attack against an internal
|
|
host that is not yet itself patched against it.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Packet Signatures
|
|
(CONFIG_NCPFS_PACKET_SIGNING)
|
|
</P
|
|
><P
|
|
> This is an option that is available in the 2.2.x kernel series that will
|
|
sign NCP packets for stronger security. Normally you can leave it
|
|
off, but it is there if you do need it.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> IP: Firewall packet netlink device
|
|
(CONFIG_IP_FIREWALL_NETLINK)
|
|
</P
|
|
><P
|
|
> This is a really neat option that allows you to analyze the first 128
|
|
bytes of the packets in a user-space program, to determine if you would
|
|
like to accept or deny the packet, based on its validity.
|
|
</P
|
|
></LI
|
|
></UL
|
|
>
|
|
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="AEN783"
|
|
></A
|
|
>7.2. 2.2 Kernel Compile Options</H2
|
|
><P
|
|
> For 2.2.x kernels, many of the options are the same, but a few new
|
|
ones have been developed. Many of the comments here are from
|
|
<TT
|
|
CLASS="literal"
|
|
>./linux/Documentation/Configure.help</TT
|
|
>, which is the same
|
|
document that is referenced while using the Help facility during
|
|
the <TT
|
|
CLASS="literal"
|
|
>make config</TT
|
|
> stage of compiling the kernel. Only the newly-
|
|
added options are listed below. Consult the 2.0 description for a
|
|
list of other necessary options. The most significant change in the
|
|
2.2 kernel series is the IP firewalling code. The <TT
|
|
CLASS="literal"
|
|
>ipchains</TT
|
|
>
|
|
program is now used to install IP firewalling, instead of the
|
|
<TT
|
|
CLASS="literal"
|
|
>ipfwadm</TT
|
|
> program used in the 2.0 kernel.
|
|
</P
|
|
><P
|
|
>
|
|
<P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
> Socket Filtering
|
|
(CONFIG_FILTER)
|
|
</P
|
|
><P
|
|
> For most people, it's safe to say no to this option. This option
|
|
allows you to connect a user-space filter to any socket and determine
|
|
if packets should be allowed or denied. Unless you have a very
|
|
specific need and are capable of programming such a filter, you should
|
|
say no. Also note that as of this writing, all protocols were
|
|
supported except TCP.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Port Forwarding
|
|
</P
|
|
><P
|
|
> Port Forwarding is an addition to IP Masquerading which allows some
|
|
forwarding of packets from outside to inside a firewall on given
|
|
ports. This could be useful if, for example, you want to run a web
|
|
server behind the firewall or masquerading host and that web server
|
|
should be accessible from the outside world. An external client
|
|
sends a request to port 80 of the firewall, the firewall forwards
|
|
this request to the web server, the web server handles the request
|
|
and the results are sent through the firewall to the original
|
|
client. The client thinks that the firewall machine itself is
|
|
running the web server. This can also be used for load balancing if
|
|
you have a farm of identical web servers behind the firewall.
|
|
</P
|
|
><P
|
|
> Information about this feature is available from
|
|
http://www.monmouth.demon.co.uk/ipsubs/portforwarding.html (to
|
|
browse the WWW, you need to have access to a machine on the Internet
|
|
that has a program like lynx or Netscape). For general info, please
|
|
see ftp://ftp.compsoc.net/users/steve/ipportfw/linux21/
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Socket Filtering
|
|
(CONFIG_FILTER)
|
|
</P
|
|
><P
|
|
> Using this option, user-space programs can attach a filter to any
|
|
socket and thereby tell the kernel that it should allow or disallow
|
|
certain types of data to get through the socket. Linux socket
|
|
filtering works on all socket types except TCP for now. See the
|
|
text file <TT
|
|
CLASS="literal"
|
|
>./linux/Documentation/networking/filter.txt</TT
|
|
> for
|
|
more information.
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> IP: Masquerading
|
|
</P
|
|
><P
|
|
> The 2.2 kernel masquerading has been improved. It provides additional
|
|
support for masquerading special protocols, etc. Be sure to read
|
|
the IP Chains HOWTO for more information.
|
|
</P
|
|
></LI
|
|
></UL
|
|
>
|
|
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="AEN806"
|
|
></A
|
|
>7.3. Kernel Devices</H2
|
|
><P
|
|
> There are a few block and character devices available on Linux that
|
|
will also help you with security.
|
|
</P
|
|
><P
|
|
> The two devices <TT
|
|
CLASS="literal"
|
|
>/dev/random</TT
|
|
> and <TT
|
|
CLASS="literal"
|
|
>/dev/urandom</TT
|
|
> are provided by the
|
|
kernel to provide random data at any time.
|
|
</P
|
|
><P
|
|
> Both <TT
|
|
CLASS="literal"
|
|
>/dev/random</TT
|
|
> and <TT
|
|
CLASS="literal"
|
|
>/dev/urandom</TT
|
|
> should be secure enough to use in
|
|
generating PGP keys, <TT
|
|
CLASS="literal"
|
|
>ssh</TT
|
|
> challenges, and other applications where
|
|
secure random numbers are required. Attackers should be unable to
|
|
predict the next number given any initial sequence of numbers from these
|
|
sources. There has been a lot of effort put in to ensuring that the
|
|
numbers you get from these sources are random in every sense of the word.
|
|
</P
|
|
><P
|
|
> The only difference between the two devices, is that <TT
|
|
CLASS="literal"
|
|
>/dev/random</TT
|
|
> runs out of random bytes
|
|
and it makes you wait for more to be accumulated. Note that on some
|
|
systems, it can block for a long time waiting for new user-generated
|
|
entropy to be entered into the system. So you have to use care before
|
|
using <TT
|
|
CLASS="literal"
|
|
>/dev/random</TT
|
|
>. (Perhaps the best thing to do is to use it when
|
|
you're generating sensitive keying information, and you tell the user to
|
|
pound on the keyboard repeatedly until you print out "OK, enough".)
|
|
</P
|
|
><P
|
|
> <TT
|
|
CLASS="literal"
|
|
>/dev/random</TT
|
|
> is high quality entropy, generated from measuring the
|
|
inter-interrupt times etc. It blocks until enough bits of random data
|
|
are available.
|
|
</P
|
|
><P
|
|
> <TT
|
|
CLASS="literal"
|
|
>/dev/urandom</TT
|
|
> is similar, but when the store of entropy is running low,
|
|
it'll return a cryptographically strong hash of what there is. This
|
|
isn't as secure, but it's enough for most applications.
|
|
</P
|
|
><P
|
|
> You might read from the devices using something like:
|
|
</P
|
|
><P
|
|
>
|
|
<TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> root# head -c 6 /dev/urandom | mimencode
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
>
|
|
|
|
This will print six random characters on the console, suitable for
|
|
password generation. You can find <TT
|
|
CLASS="literal"
|
|
>mimencode</TT
|
|
> in the <TT
|
|
CLASS="literal"
|
|
>metamail</TT
|
|
>
|
|
package.
|
|
</P
|
|
><P
|
|
> See <TT
|
|
CLASS="literal"
|
|
>/usr/src/linux/drivers/char/random.c</TT
|
|
> for a description of the
|
|
algorithm.
|
|
</P
|
|
><P
|
|
> Thanks to Theodore Y. Ts'o, Jon Lewis, and others from Linux-kernel
|
|
for helping me (Dave) with this.
|
|
</P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="password-security.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="network-security.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Password Security and Encryption</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
> </TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Network Security</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |