8

I've seen mention of securing /dev/shm and /proc and I was wondering how you do that and what it consists of doing? I assume this involves /etc/sysctl.conf editing of some kind right.

Like these?

kernel.exec-shield = 1
kernel.randomize_va_space = 1
Tiffany Walker
  • For `/dev/shm`, I suppose you could disable it or restrict the permissions if you don't have any applications that require POSIX shared memory. But for `/proc` I can't think of anything you could do. That filesystem is actually quite vital for commands like `ps` to work. Do you have any references concerning such hardening practices? – Celada Feb 01 '13 at 22:01
  • Nope. I've just heard of them. I know with CloudLinux and GRSecurity Kernels, users can only ps their processes in /proc. Just not sure if you can do similar security on a default kernel. – Tiffany Walker Feb 01 '13 at 22:32
  • Which version of Linux are you currently using? – ewwhite Feb 01 '13 at 23:13
  • 1 server CL. Another GRSec. and several others just use the default CentOS 6.x – Tiffany Walker Feb 01 '13 at 23:26

2 Answers

11

The process I use, based on the CIS Linux Security Benchmark, is to modify /etc/fstab to restrict device creation, execution and suid privs on the /dev/shm mount.

shmfs        /dev/shm         tmpfs   nodev,nosuid,noexec        0 0

For the sysctl settings, simply adding some of these to /etc/sysctl.conf works. Run sysctl -p to activate.

# CIS benchmarks
fs.suid_dumpable = 0
kernel.exec-shield = 1
kernel.randomize_va_space = 2
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
Michael Hampton
ewwhite
6

ewwhite has already mentioned the CIS Linux Security Benchmark recommendations; I would also like to add another security guideline worth mentioning: the Guide to the Secure Configuration of Red Hat Enterprise Linux 5 by the NSA. In addition to adding the nodev,nosuid,noexec options for /dev/shm, the recommended kernel parameters which affect networking are listed in section 2.5.1 -

Host only

net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

Host and Router

 net.ipv4.conf.all.accept_source_route = 0
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.all.secure_redirects = 0
 net.ipv4.conf.all.log_martians = 1
 net.ipv4.conf.default.accept_source_route = 0
 net.ipv4.conf.default.accept_redirects = 0
 net.ipv4.conf.default.secure_redirects = 0
 net.ipv4.icmp_echo_ignore_broadcasts = 1
 net.ipv4.icmp_ignore_bogus_error_messages = 1
 net.ipv4.tcp_syncookies = 1
 net.ipv4.conf.all.rp_filter = 1
 net.ipv4.conf.default.rp_filter = 1
Michael Hampton
Daniel t.
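As an added example (not part of either answer above), a small audit script that checks a host against the sysctl values both answers recommend and verifies that /dev/shm is mounted with nodev,nosuid,noexec. It parses the text of `sysctl -a` (or /etc/sysctl.conf) and /proc/mounts, so it can be run against captured files as well as the live system; the key list is taken from the two answers, and `kernel.exec-shield` is left out because it only exists on older Red Hat kernels.

```python
import subprocess

# Baseline from the two answers above: sysctl key -> expected value.
# Note the question's randomize_va_space = 1 is weaker than the CIS value of 2.
BASELINE = {
    "fs.suid_dumpable": "0",
    "kernel.randomize_va_space": "2",
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.default.send_redirects": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.rp_filter": "1",
}

REQUIRED_SHM_OPTS = {"nodev", "nosuid", "noexec"}


def parse_sysctl(text):
    """Parse 'key = value' lines as printed by `sysctl -a` or written in
    /etc/sysctl.conf; comments and blank lines are ignored."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, val = line.partition("=")
        values[key.strip()] = val.strip()
    return values


def audit_sysctl(text, baseline=BASELINE):
    """Return {key: (expected, actual)} for every baseline key that is
    missing (actual None) or differs; an empty dict means compliant."""
    actual = parse_sysctl(text)
    return {k: (v, actual.get(k)) for k, v in baseline.items() if actual.get(k) != v}


def shm_missing_opts(mounts_text):
    """Given /proc/mounts (or fstab) content, return the set of required
    mount options missing on /dev/shm, or None if /dev/shm is not listed."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/dev/shm":
            return REQUIRED_SHM_OPTS - set(fields[3].split(","))
    return None


if __name__ == "__main__":  # live check: needs root-readable sysctl output
    print("sysctl deviations:", audit_sysctl(subprocess.check_output(["sysctl", "-a"], text=True)))
    print("/dev/shm missing options:", shm_missing_opts(open("/proc/mounts").read()))
```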