old-www/HOWTO/Security-HOWTO/kernel-security.html

<HTML
><HEAD
><TITLE
>Kernel Security</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="Linux Security HOWTO"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="Password Security and Encryption "
HREF="password-security.html"><LINK
REL="NEXT"
TITLE="Network Security"
HREF="network-security.html"></HEAD
><BODY
CLASS="sect1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Linux Security HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="password-security.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="network-security.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="kernel-security"
></A
>7. Kernel Security</H1
><P
>&#13;This is a description of the kernel configuration options that relate
to security, and an explanation of what they do, and how to use them.
</P
><P
>&#13;As the kernel controls your computer's networking, it is important
that it be very secure, and not be
compromised. To prevent some of the latest networking attacks, you 
should try to keep your kernel version current. You can find new
kernels at <A
HREF="ftp://ftp.kernel.org"
TARGET="_top"
>&#65533;</A
> or from your distribution
vendor.
</P
><P
>&#13;There is also a international group providing a single unified crypto
patch to the mainstream Linux kernel. This patch provides support for
a number of cryptographic subsystems and things that cannot be
included in the mainstream kernel due to export restrictions. For more 
information, visit their web page at: <A
HREF="http://www.kerneli.org"
TARGET="_top"
>http://www.kerneli.org</A
>
</P
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN735"
></A
>7.1. 2.0 Kernel Compile Options</H2
><P
>&#13;For 2.0.x kernels, the following options apply. You should see these
options during the kernel configuration process.  Many of the comments
here are from <TT
CLASS="literal"
>./linux/Documentation/Configure.help</TT
>, which is
the same document that is referenced while using the Help facility during 
the <TT
CLASS="literal"
>make config</TT
> stage of compiling the kernel. 
</P
><P
>&#13;
<P
></P
><UL
><LI
><P
>&#13;Network Firewalls
(CONFIG_FIREWALL)
</P
><P
>&#13;This option should be on if you intend to run any firewalling or
masquerading on your Linux machine. If it's just going to be a regular 
client machine, it's safe to say no.
</P
></LI
><LI
><P
>&#13;IP: forwarding/gatewaying
(CONFIG_IP_FORWARD)
</P
><P
>&#13;If you enable IP forwarding, your Linux box essentially becomes a
router.  If your machine is on a network, you could be forwarding data
from one network to another, and perhaps subverting a firewall that
was put there to prevent this from happening.  Normal dial-up users
will want to disable this, and other users should concentrate on the
security implications of doing this.  Firewall machines will want this
enabled, and used in conjunction with firewall software.
</P
><P
>&#13;You can enable IP forwarding dynamically using the following command:
</P
><P
>&#13;
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;	root#  echo 1 &#62; /proc/sys/net/ipv4/ip_forward
</PRE
></FONT
></TD
></TR
></TABLE
>

and disable it with the command:

<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;	root#  echo 0 &#62; /proc/sys/net/ipv4/ip_forward
</PRE
></FONT
></TD
></TR
></TABLE
>

Keep in mind the files in /proc are "virtual" files and the shown size
of the file might not reflect the data output from it. 
</P
></LI
><LI
><P
>&#13;IP: syn cookies
(CONFIG_SYN_COOKIES)
</P
><P
>&#13;a "SYN Attack" is a denial of service (DoS) attack that consumes all the
resources on your machine, forcing you to reboot.  We can't think of a
reason you wouldn't normally enable this. In the 2.2.x kernel series
this config option merely allows syn cookies, but does not enable
them. To enable them, you have to do:
</P
><P
>&#13;
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;		root# echo 1 &#62; /proc/sys/net/ipv4/tcp_syncookies &#60;P&#62;
</PRE
></FONT
></TD
></TR
></TABLE
>

</P
></LI
><LI
><P
>&#13;IP: Firewalling
(CONFIG_IP_FIREWALL)
</P
><P
>&#13;This option is necessary if you are going to configure your machine as
a firewall, do masquerading, or wish to protect your dial-up
workstation from someone entering via your PPP dial-up interface.
</P
></LI
><LI
><P
>&#13;IP: firewall packet logging
(CONFIG_IP_FIREWALL_VERBOSE)
</P
><P
>&#13;This option gives you information about packets your firewall
received, like sender, recipient, port, etc.
</P
></LI
><LI
><P
>&#13;IP: Drop source routed frames
(CONFIG_IP_NOSR)
</P
><P
>&#13;This option should be enabled.  Source routed frames contain the
entire path to their destination inside of the packet.  This means
that routers through which the packet goes do not need to inspect it,
and just forward it on. This could lead to data entering your system
that may be a potential exploit.
</P
></LI
><LI
><P
>&#13;IP: masquerading
(CONFIG_IP_MASQUERADE)
If one of the computers on your local network for which your Linux
box acts as a firewall wants to send something to the outside, your
box can "masquerade" as that host, i.e., it forewords the traffic
to the intended destination, but makes it look like it came from the
firewall box itself.  See <A
HREF="http://www.indyramp.com/masq"
TARGET="_top"
>http://www.indyramp.com/masq</A
> for more information.
</P
></LI
><LI
><P
>&#13;IP: ICMP masquerading
(CONFIG_IP_MASQUERADE_ICMP)
This option adds ICMP masquerading to the previous option of only 
masquerading TCP or UDP traffic.
</P
></LI
><LI
><P
>&#13;IP: transparent proxy support
(CONFIG_IP_TRANSPARENT_PROXY)
This enables your Linux firewall to transparently redirect any
network traffic originating from the local network and
destined for a remote host to a local server, called a "transparent
proxy server".  This makes the local computers think they are talking
to the remote end, while in fact they are connected to the local proxy.
See the IP-Masquerading HOWTO and <A
HREF="http://www.indyramp.com/masq"
TARGET="_top"
>http://www.indyramp.com/masq</A
> for more information.
</P
></LI
><LI
><P
>&#13;IP: always defragment
(CONFIG_IP_ALWAYS_DEFRAG)
</P
><P
>&#13;Generally this option is disabled, but if you are building a firewall
or a masquerading host, you will want to enable it.  When data is sent
from one host to another, it does not always get sent as a single
packet of data, but rather it is fragmented into several pieces.  The
problem with this is that the port numbers are only stored in the
first fragment.  This means that someone can insert information into
the remaining packets that isn't supposed to be there.
It could also prevent a teardrop attack against an internal
host that is not yet itself patched against it.
</P
></LI
><LI
><P
>&#13;Packet Signatures
(CONFIG_NCPFS_PACKET_SIGNING)
</P
><P
>&#13;This is an option that is available in the 2.2.x kernel series that will
sign NCP packets for stronger security.  Normally you can leave it
off, but it is there if you do need it.
</P
></LI
><LI
><P
>&#13;IP: Firewall packet netlink device
(CONFIG_IP_FIREWALL_NETLINK)
</P
><P
>&#13;This is a really neat option that allows you to analyze the first 128
bytes of the packets in a user-space program, to determine if you would
like to accept or deny the packet, based on its validity.
</P
></LI
></UL
>

</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN783"
></A
>7.2. 2.2 Kernel Compile Options</H2
><P
>&#13;For 2.2.x kernels, many of the options are the same, but a few new
ones have been developed.  Many of the comments here are from
<TT
CLASS="literal"
>./linux/Documentation/Configure.help</TT
>, which is the same
document that is referenced while using the Help facility during 
the <TT
CLASS="literal"
>make config</TT
> stage of compiling the kernel. Only the newly-
added options are listed below.  Consult the 2.0 description for a
list of other necessary options.  The most significant change in the
2.2 kernel series is the IP firewalling code.  The <TT
CLASS="literal"
>ipchains</TT
>
program is now used to install IP firewalling, instead of the
<TT
CLASS="literal"
>ipfwadm</TT
> program used in the 2.0 kernel.
</P
><P
>&#13;
<P
></P
><UL
><LI
><P
>&#13;Socket Filtering
(CONFIG_FILTER)
</P
><P
>&#13;For most people, it's safe to say no to this option. This option
allows you to connect a user-space filter to any socket and determine
if packets should be allowed or denied. Unless you have a very
specific need and are capable of programming such a filter, you should 
say no. Also note that as of this writing, all protocols were
supported except TCP. 
</P
></LI
><LI
><P
>&#13;Port Forwarding
</P
><P
>&#13;Port Forwarding is an addition to IP Masquerading which allows some
forwarding of packets from outside to inside a firewall on given
ports. This could be useful if, for example, you want to run a web
server behind the firewall or masquerading host and that web server
should be accessible from the outside world. An external client
sends a request to port 80 of the firewall, the firewall forwards
this request to the web server, the web server handles the request
and the results are sent through the firewall to the original
client. The client thinks that the firewall machine itself is
running the web server. This can also be used for load balancing if
you have a farm of identical web servers behind the firewall.
</P
><P
>&#13;Information about this feature is available from
http://www.monmouth.demon.co.uk/ipsubs/portforwarding.html (to
browse the WWW, you need to have access to a machine on the Internet
that has a program like lynx or Netscape). For general info, please
see ftp://ftp.compsoc.net/users/steve/ipportfw/linux21/
</P
></LI
><LI
><P
>&#13;Socket Filtering
(CONFIG_FILTER)
</P
><P
>&#13;Using this option, user-space programs can attach a filter to any
socket and thereby tell the kernel that it should allow or disallow
certain types of data to get through the socket.  Linux socket
filtering works on all socket types except TCP for now.  See the
text file <TT
CLASS="literal"
>./linux/Documentation/networking/filter.txt</TT
> for
more information.
</P
></LI
><LI
><P
>&#13;IP: Masquerading
</P
><P
>&#13;The 2.2 kernel masquerading has been improved.  It provides additional
support for masquerading special protocols, etc. Be sure to read
the IP Chains HOWTO for more information.
</P
></LI
></UL
>

</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN806"
></A
>7.3. Kernel Devices</H2
><P
>&#13;There are a few block and character devices available on Linux that
will also help you with security.
</P
><P
>&#13;The two devices <TT
CLASS="literal"
>/dev/random</TT
> and <TT
CLASS="literal"
>/dev/urandom</TT
> are provided by the
kernel to provide random data at any time.
</P
><P
>&#13;Both <TT
CLASS="literal"
>/dev/random</TT
> and <TT
CLASS="literal"
>/dev/urandom</TT
> should be secure enough to use in
generating PGP keys, <TT
CLASS="literal"
>ssh</TT
> challenges, and other applications where
secure random numbers are required.  Attackers should be unable to
predict the next number given any initial sequence of numbers from these
sources.  There has been a lot of effort put in to ensuring that the
numbers you get from these sources are random in every sense of the word.
</P
><P
>&#13;The only difference between the two devices, is that <TT
CLASS="literal"
>/dev/random</TT
> runs out of random bytes
and it makes you wait for more to be accumulated.  Note that on some
systems, it can block for a long time waiting for new user-generated
entropy to be entered into the system.  So you have to use care before
using <TT
CLASS="literal"
>/dev/random</TT
>.  (Perhaps the best thing to do is to use it when
you're generating sensitive keying information, and you tell the user to
pound on the keyboard repeatedly until you print out "OK, enough".)
</P
><P
>&#13;<TT
CLASS="literal"
>/dev/random</TT
> is high quality entropy, generated from measuring the
inter-interrupt times etc. It blocks until enough bits of random data
are available.
</P
><P
>&#13;<TT
CLASS="literal"
>/dev/urandom</TT
> is similar, but when the store of entropy is running low,
it'll return a cryptographically strong hash of what there is. This
isn't as secure, but it's enough for most applications.
</P
><P
>&#13;You might read from the devices using something like:
</P
><P
>&#13;
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;	root#  head -c 6 /dev/urandom | mimencode
</PRE
></FONT
></TD
></TR
></TABLE
>

This will print six random characters on the console, suitable for
password generation.  You can find <TT
CLASS="literal"
>mimencode</TT
> in the <TT
CLASS="literal"
>metamail</TT
>
package.
</P
><P
>&#13;See <TT
CLASS="literal"
>/usr/src/linux/drivers/char/random.c</TT
> for a description of the
algorithm.
</P
><P
>&#13;Thanks to Theodore Y. Ts'o, Jon Lewis, and others from Linux-kernel
for helping me (Dave) with this.
</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="password-security.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="network-security.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Password Security and Encryption</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Network Security</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>