Allow for various sysctl settings to initially be set to more secure defaults. Why: While you can easily set these values at boot time with sysctl (and most distros do). -Its nice to be able to set their initial value. -It also allows someone who is unfamiliar with all the security knobs the kernel exposes to easily turn one on or off (or even read about what it does). -Another benefit is every time a new security feature comes out (mmap_min_addr for example) you don't have to change the setting on every server. Or heck even be totally unaware of it until you read about it on months later. While some options (syncookies comes to mind) might be better places somewhere else... Im more interested to see if anyone thinks this is a good idea. I mainly did this because I wanted a way to turn on mmap_min_addr by default. After which i thought hrm, what other sysctl settings do I regularly change the default setting... Also it *seems* like it might be nice to move other security related (fstack-protector, seecomp) under Security. What does everyone else think? Oh and sorry about the gross use of Kconfig CONFIG_ defines, whats a better way to do this? static inlines #ifdef CONFIG_XXX in the headers?
Signed-off-by: Alex Hunsaker
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 5b77bda..438eb1d 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -65,20 +65,24 @@
 struct ipv4_devconf ipv4_devconf = {
 .data = {
- [NET_IPV4_CONF_ACCEPT_REDIRECTS - 1] = 1,
- [NET_IPV4_CONF_SEND_REDIRECTS - 1] = 1,
+ [NET_IPV4_CONF_ACCEPT_REDIRECTS - 1] = CONFIG_IPV4_ACCEPT_REDIRECTS,
+ [NET_IPV4_CONF_SEND_REDIRECTS - 1] = CONFIG_IPV4_SEND_REDIRECTS,
 [NET_IPV4_CONF_SECURE_REDIRECTS - 1] = 1,
 [NET_IPV4_CONF_SHARED_MEDIA - 1] = 1,
+ [NET_IPV4_CONF_LOG_MARTIANS - 1] = CONFIG_IPV4_LOG_MARTIANS,
+ [NET_IPV4_CONF_RP_FILTER - 1] = CONFIG_IPV4_RP_FILTER,
 },
 };
 static struct ipv4_devconf ipv4_devconf_dflt = {
 .data = {
- [NET_IPV4_CONF_ACCEPT_REDIRECTS - 1] = 1,
- [NET_IPV4_CONF_SEND_REDIRECTS - 1] = 1,
+ [NET_IPV4_CONF_ACCEPT_REDIRECTS - 1] = CONFIG_IPV4_ACCEPT_REDIRECTS,
+ [NET_IPV4_CONF_SEND_REDIRECTS - 1] = CONFIG_IPV4_SEND_REDIRECTS,
 [NET_IPV4_CONF_SECURE_REDIRECTS - 1] = 1,
 [NET_IPV4_CONF_SHARED_MEDIA - 1] = 1,
- [NET_IPV4_CONF_ACCEPT_SOURCE_ROUTE - 1] = 1,
+ [NET_IPV4_CONF_ACCEPT_SOURCE_ROUTE - 1] = CONFIG_IPV4_ACCEPT_SOURCE_ROUTE,
+ [NET_IPV4_CONF_LOG_MARTIANS - 1] = CONFIG_IPV4_LOG_MARTIANS,
+ [NET_IPV4_CONF_RP_FILTER - 1] = CONFIG_IPV4_RP_FILTER,
 },
 };
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index a12b08f..99e29e5 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -29,7 +29,7 @@
 #include
 #ifdef CONFIG_SYSCTL
-#define SYNC_INIT 0 /* let the user enable it */
+#define SYNC_INIT CONFIG_TCP_SYNCOOKIES_ON
 #else
 #define SYNC_INIT 1
 #endif
diff --git a/security/Kconfig b/security/Kconfig
index 460e5c9..e469dd6 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -93,6 +93,8 @@ config SECURITY_ROOTPLUG
 If you are unsure how to answer this question, answer N.
+source security/Kconfig.secure_defaults
+
 source security/selinux/Kconfig
 endmenu
diff --git a/security/Kconfig.secure_defaults b/security/Kconfig.secure_defaults
new file mode 100644
index 0000000..2b2199e
--- /dev/null
+++ b/security/Kconfig.secure_defaults
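Review bot: The replaced `#define SYNC_INIT` line in tcp_minisocks.c drops the only comment that explained the default, and the new form no longer says that the value is a build-time starting point rather than a hard override. A short comment keeps that clear: `#define SYNC_INIT CONFIG_TCP_SYNCOOKIES_ON /* build-time default; the tcp_syncookies sysctl still changes it at runtime */`. The `#ifdef CONFIG_SYSCTL`/`#else` structure is unchanged, so a kernel built without CONFIG_SYSCTL still gets SYNC_INIT 1 regardless of SECURITY_TCP_SYNCOOKIES; that asymmetry deserves a sentence in the Kconfig help text. The carrier symbol TCP_SYNCOOKIES_ON is declared without a `depends on` in Kconfig.secure_defaults, so the macro always exists, which is the right shape and the one the IPV4_* carriers used by devinet.c also follow.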
@@ -0,0 +1,92 @@
+config SECURITY_SECURE_DEFAULTS
+ tristate "Secure defaults"
+ depends on SECURITY
+ help
+ Allows tuning of various kernel knobs to be secure by default.
+ NOTE: all of these have equivalent sysctl options
+
+config SECURITY_MMAP_MIN_ADDR
+ int "default mmap min address"
+ help
+ Help prevent users from exploiting NULL dereferences in the kernel which have
+ not been discovered yet.
+ range 0 65536
+ depends on SECURITY_SECURE_DEFAULTS
+ default "4096"
+
+
+config SECURITY_TCP_SYNCOOKIES
+ bool "Turn on syncookies by default"
+ help
+ Syncookies can help prevent syn-flood attacks
+ (see Documentation/networking/ip-sysctl.txt for more)
+ depends on SYN_COOKIES
+ depends on SECURITY_SECURE_DEFAULTS
+ default y
+
+config TCP_SYNCOOKIES_ON
+ int
+ default 1 if SECURITY_TCP_SYNCOOKIES
+ default 0
+
+config SECURITY_IPV4_NO_ACCEPT_REDIRECTS
+ bool "Don't accept IMCP redirects"
+ help
+ ICMP redirects can be used to set up MITM attacks and other nasties
+ depends on SECURITY_SECURE_DEFAULTS
+ default y
+
+config IPV4_ACCEPT_REDIRECTS
+ int
+ default 0 if SECURITY_IPV4_NO_ACCEPT_REDIRECTS
+ default 1
+
+config SECURITY_IPV4_NO_SEND_REDIRECTS
+ bool "Don't send IMCP redirects"
+ help
+ Usually only needed if this computer functions as a router of some sort.
+ depends on SECURITY_SECURE_DEFAULTS
+ default y
+
+config IPV4_SEND_REDIRECTS
+ int
+ default 0 if SECURITY_IPV4_NO_SEND_REDIRECTS
+ default 1
+
+config SECURITY_IPV4_NO_ACCEPT_SOURCE_ROUTE
+ bool "Don't accept source routes"
+ help
+ source routed packets are generally not needed and could potently allow MITM attacks.
+ depends on SECURITY_SECURE_DEFAULTS
+ default y
+
+config IPV4_ACCEPT_SOURCE_ROUTE
+ int
+ default 0 if SECURITY_IPV4_NO_ACCEPT_SOURE_ROUTE
+ default 1
+
+config SECURITY_IPV4_LOG_MARTIANS
+ bool "Log martians by default"
+ depends on SECURITY_SECURE_DEFAULTS
+ help
+ Log packets with impossible addresses to the kernel log
+ default y
+
+config IPV4_LOG_MARTIANS
+ int
+ default 1 if SECURITY_IPV4_LOG_MARTIANS
+ default 0
+
+config SECURITY_IPV4_RP_FILTER
+ bool "Turn on rp_filter by default"
+ depends on SECURITY_SECURE_DEFAULTS
+ help
+ Help protect against spoofed tcp/ip packets.
+ Could cause troubles for complicated networks.
+ (see Documentation/networking/ip-sysctl.txt for more)
+ default y
+
+config IPV4_RP_FILTER
+ int
+ default 1 if SECURITY_IPV4_RP_FILTER
+ default 0
diff --git a/security/security.c b/security/security.c
index 27e5863..d82088c 100644
--- a/security/security.c
+++ b/security/security.c
@@ -64,6 +64,8 @@ int __init security_init(void)
 security_ops = &dummy_security_ops;
 do_security_initcalls();
+ mmap_min_addr = CONFIG_SECURITY_MMAP_MIN_ADDR;
+
 return 0;
 }
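Review bot: The `default 0 if SECURITY_IPV4_NO_ACCEPT_SOURE_ROUTE` line under `config IPV4_ACCEPT_SOURCE_ROUTE` misspells the symbol (SOURE), and Kconfig evaluates an undefined symbol as n, so IPV4_ACCEPT_SOURCE_ROUTE silently stays 1 and the "Don't accept source routes" option never takes effect; it should read `default 0 if SECURITY_IPV4_NO_ACCEPT_SOURCE_ROUTE`. SECURITY_SECURE_DEFAULTS is declared `tristate`, but a module state has no meaning for compile-time defaults, so `bool "Secure defaults"` is the right type. SECURITY_MMAP_MIN_ADDR is the only value-carrying symbol with `depends on SECURITY_SECURE_DEFAULTS`, so its CONFIG_ macro is not generated when the option is off, unlike TCP_SYNCOOKIES_ON and the IPV4_* carriers, which are always defined; either drop the dependency or add an unconditional carrier like the others. The prompts say "IMCP" where "ICMP" is meant and the help text "potently" should be "potentially"; several entries also place `range`, `depends on` or `default` after the `help` block, which parses but departs from the usual attributes-then-help ordering.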
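Review bot: `mmap_min_addr = CONFIG_SECURITY_MMAP_MIN_ADDR;` is compiled unconditionally, but in Kconfig.secure_defaults SECURITY_MMAP_MIN_ADDR carries `depends on SECURITY_SECURE_DEFAULTS`, so a build with that option off has no such macro and security_init fails to compile. Either make the symbol unconditional (an `int` that falls back to its previous value when the option is off, the way TCP_SYNCOOKIES_ON does) or guard the assignment with `#ifdef CONFIG_SECURITY_MMAP_MIN_ADDR`. A one-line comment would also help the next reader: `/* build-time default for mmap_min_addr; the sysctl can still change it at runtime */`. Whether this overwrites an earlier initializer of mmap_min_addr cannot be seen from the hunk, and security_init's body begins outside it.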