Linux Kernel Configuration

This post was last updated on 2017-05-23 and has not been updated for more than a year; if anything in it no longer works, please let me know, thanks!

=Start=

Background:

Earlier this year a local privilege escalation in DCCP was disclosed ("[Vulnerability alert] Hidden for 11 years: Linux kernel DCCP double-free privilege escalation (CVE-2017-6074)"). The bug is only reachable if the kernel was built with CONFIG_IP_DCCP, which many Linux distributions enable by default. In many companies' production environments, however, the module is never deliberately loaded, so the first step is to determine whether the running system has loaded it. If it has not, we can block it from ever being loaded; if it has, we must either upgrade the kernel and reboot, or first disable loading at boot and then reboot for the change to take effect. What follows is what I learned about Linux kernel configuration while detecting and handling this vulnerability.

Main text:

Reference answers:

Detecting and mitigating the DCCP vulnerability on Linux
# Check whether the kernel was built with the CONFIG_IP_DCCP option (=y means built in, =m means a loadable module; no output means the option is not set)
$ grep "CONFIG_IP_DCCP=" /boot/config-`uname -r`
# Check whether the dccp module is already loaded in the running system
$ lsmod | grep --color -i "dccp"
# If dccp is not loaded yet, the following rule stops it from being loaded, including on-demand autoload when a process opens a DCCP socket. If it is already loaded, the rule does not unload it: add the rule first, then reboot (or rmmod dccp if its use count is 0) for it to take effect. The rule has no effect when CONFIG_IP_DCCP=y, i.e. dccp is compiled into the kernel; only a kernel upgrade helps there.
# echo "install dccp /bin/true" >> /etc/modprobe.d/disable-dccp.conf
How do I find which kernel version is running and what its configuration is?
$ cat /boot/config-$(uname -r)          # RHEL/CentOS/...: the config shipped with the installed kernel package, named after the running kernel version
$ zcat /proc/config.gz > running.config  # the config of the kernel that is actually running; only available if it was built with CONFIG_IKCONFIG=y and CONFIG_IKCONFIG_PROC=y
$ cat /boot/config                      # unversioned copy that some distributions ship; it is a plain file on disk and does not depend on CONFIG_IKCONFIG_PROC
How do I list the kernel drivers/modules that are currently loaded?
$ lsmod
$ cat /proc/modules                      # lsmod is a formatted view of this file
How do I see which kernel drivers/modules are available, and their details?
$ find /lib/modules/$(uname -r) -type f -name "*.ko*"   # "*.ko*" also matches compressed modules (.ko.xz, .ko.gz, .ko.zst)
# Show the details of the dccp module (file, description, license, dependencies, parameters)
$ modinfo dccp
Notes on Linux kernel configuration
The 3 states of the main selection option for the SCSI subsystem (which actually selects the SCSI mid level driver) follow. Only one of these should appear in an actual kernel config file:
CONFIG_SCSI=y   # compiled directly into the kernel and active from boot; cannot be unloaded or blocked by modprobe rules
CONFIG_SCSI=m   # built as a loadable module at kernel build time and loaded on demand later
# CONFIG_SCSI is not set    # not built at all, so it can never be loaded
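The following script is an added example, not part of the original post. It ties the detection and mitigation steps above into one audit for the dccp module and, in doing so, classifies the three config states just described (=y, =m, "is not set") so the right remedy is printed for each. The file paths are the usual ones; the environment variables KCONFIG, PROC_MODULES and MODPROBE_D for overriding them, and the function names, are this script's own assumptions. The `modprobe -n -v` dry run at the end is a real modprobe option: when the install rule is honoured it prints the `install /bin/true` line instead of an `insmod` line.

```shell
#!/bin/sh
# check_dccp.sh: audit CVE-2017-6074 exposure on the running host and print the
# mitigation that applies. Added example, not part of the original post.
# Assumed paths (the usual ones) can be overridden via KCONFIG, PROC_MODULES and
# MODPROBE_D, which lets the functions be exercised against constructed files.

# How was a CONFIG_ option built?  Prints one of:
#   builtin  (=y: compiled in, modprobe.d rules cannot block it)
#   module   (=m: a .ko, loadable on demand)
#   notset   ("# CONFIG_X is not set")
#   unknown  (option absent from the file, or no readable file)
# $1 = kernel config file, $2 = option name, e.g. CONFIG_IP_DCCP
kconfig_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    if grep -q "^$2=y" "$1"; then echo builtin
    elif grep -q "^$2=m" "$1"; then echo module
    elif grep -q "^# $2 is not set" "$1"; then echo notset
    else echo unknown
    fi
}

# Is module $2 listed in the /proc/modules-style file $1?  Each line there
# starts with the module name followed by a space, e.g.
# "dccp 106496 2 dccp_ipv4, Live 0x0000000000000000"
module_loaded() {
    grep -q "^$2 " "$1" 2>/dev/null
}

# Does any *.conf under the modprobe.d directory $1 already carry
# "install $2 /bin/true" (or /bin/false)?  Unlike "blacklist", an install rule
# also blocks on-demand autoload, e.g. from socket(AF_INET, SOCK_DCCP, ...).
install_rule_present() {
    [ -d "$1" ] || return 1
    grep -Eqs "^[[:space:]]*install[[:space:]]+$2[[:space:]]+/bin/(true|false)" "$1"/*.conf
}

# Put the pieces together for the dccp module of the running kernel.
dccp_report() {
    cfg="${KCONFIG:-/boot/config-$(uname -r)}"
    mods="${PROC_MODULES:-/proc/modules}"
    mpd="${MODPROBE_D:-/etc/modprobe.d}"
    state=$(kconfig_state "$cfg" CONFIG_IP_DCCP)
    echo "CONFIG_IP_DCCP: $state (from $cfg)"
    case "$state" in
        builtin)
            echo "dccp is compiled into the kernel; modprobe rules cannot block it: upgrade the kernel and reboot." ;;
        notset)
            echo "dccp was not built for this kernel; not exposed." ;;
        *)
            if module_loaded "$mods" dccp; then
                echo "dccp module is LOADED: add the install rule, then 'rmmod dccp' if its use count is 0, otherwise reboot."
            else
                echo "dccp module is not loaded."
            fi
            if install_rule_present "$mpd" dccp; then
                echo "install rule for dccp already present under $mpd."
            else
                echo "mitigation (as root): echo 'install dccp /bin/true' > $mpd/disable-dccp.conf"
            fi
            # Live check: the dry run prints the "install /bin/true" line when
            # the rule is honoured, instead of an insmod line.
            if command -v modprobe >/dev/null 2>&1; then
                modprobe -n -v dccp 2>/dev/null | sed 's/^/modprobe -n -v dccp: /'
            fi ;;
    esac
}

dccp_report
```

Run it as any user to get the report; only writing the modprobe.d file and `rmmod` need root. If the report says `builtin`, the module-level mitigations do not apply and only a kernel upgrade removes the exposure.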

References:

Linux kernel: CVE-2017-6074 – local privilege escalation in DCCP
https://ma.ttias.be/linux-kernel-cve-2017-6074-local-privilege-escalation-dccp/

How do I find which kernel version is running and what its configuration is?
https://superuser.com/questions/287371/obtain-kernel-config-from-currently-running-linux-system
https://serverfault.com/questions/51032/how-do-i-check-what-kernel-options-were-compiled-without-looking-at-boot-config
https://unix.stackexchange.com/questions/123026/where-kernel-configuration-file-is-stored
https://unix.stackexchange.com/questions/83319/how-can-i-know-if-the-current-kernel-was-compiled-with-a-certain-option-enabled

How do I list the kernel drivers/modules that are currently loaded?
https://www.cyberciti.biz/tips/how-to-display-or-show-information-about-a-linux-kernel-module-or-drivers.html
https://www.cyberciti.biz/faq/howto-display-list-of-modules-or-device-drivers-in-the-linux-kernel/
https://serverfault.com/questions/62316/how-do-i-list-loaded-linux-module-parameter-values
https://serverfault.com/questions/10439/how-do-you-check-the-version-of-a-ko-kernel-module-in-linux
http://ask.xmodulo.com/find-information-builtin-kernel-modules-linux.html
https://stackoverflow.com/questions/9845877/how-to-determine-if-a-specific-module-is-loaded-in-linux-kernel

How do I see which kernel drivers/modules are available?
https://unix.stackexchange.com/questions/184877/how-to-list-all-loadable-kernel-modules

Notes on Linux kernel configuration
http://www.tldp.org/HOWTO/SCSI-2.4-HOWTO/kconfig.html
https://stackoverflow.com/questions/5392756/what-does-m-mean-in-kernel-configuration-file

=END=

Notice: unless otherwise stated, articles on ixyzero.com are original; when reposting, please credit this article with a link to its address, thanks!
https://ixyzero.com/blog/archives/3291.html

8 thoughts on "Linux Kernel Configuration"

  1. Linux System Hardening Guide
    https://www.freebuf.com/articles/system/266248.html
    `
    # Table of contents

    * Choosing the right Linux distribution
    * Kernel
    * Stable vs LTS kernels
    * Sysctl
      * Kernel self-protection
      * Network
      * User space
    * Boot parameters
      * Kernel self-protection
      * CPU mitigations
      * Result
    * hidepid
    * Reducing the kernel attack surface
      * Other kernel pointer leaks
      * Restricting access to sysfs
      * Linux hardening
      * Grsecurity
      * Kernel runtime guard
      * Self-compiled kernel
    * Mandatory access control
    * Sandboxing
      * Application sandboxing
      * Systemd sandboxing
      * gVisor
      * Virtual machines
    * Hardened memory allocator
    * Hardened compilation flags
    * Memory safe languages
    * The root account
      * /etc/securetty
      * Restricting su
      * Locking the root account
      * Denying remote root login via SSH
      * Increasing the number of hashing rounds
      * Restricting Xorg root access
      * Accessing root securely
    * Firewalls
    * Identifiers
      * Hostnames and usernames
      * Timezones / Locales / Keymaps
      * Machine ID
      * MAC address spoofing
      * Time attacks
      * Keystroke fingerprinting
    * File permissions
      * setuid / setgid
      * umask
    * Core dumps
      * sysctl
      * systemd
      * ulimit
      * setuid processes
    * Swap
    * PAM
    * Microcode updates
    * IPv6 privacy extensions
      * NetworkManager
      * systemd-networkd
    * Partitioning and mount options
    * Entropy
      * RDRAND
    * Editing files as root
    * Distribution-specific hardening
      * HTTP package manager mirrors
      * APT seccomp-bpf
    * Physical security
      * BIOS / UEFI hardening
      * Bootloader passwords
      * Verified boot
      * USBs
      * DMA attacks
      * Cold boot attacks
    * Best practices
    * Other guides
    * Glossary
    * Capabilities
    `

  2. Linux System Hardening Guide (Linux Hardening Guide)
    https://madaidans-insecurities.github.io/guides/linux-hardening.html
    `
    # Contents
    1. Choosing the right Linux distribution

    2. Kernel hardening
    2.1 Stable vs. LTS
    2.2 Sysctl
    2.2.1 Kernel self-protection
    2.2.2 Network
    2.2.3 User space
    2.3 Boot parameters
    2.3.1 Kernel self-protection
    2.3.2 CPU mitigations
    2.3.3 Result
    2.4 hidepid
    2.5 Kernel attack surface reduction
    2.5.1 Boot parameters
    2.5.2 Blacklisting kernel modules
    2.5.3 rfkill
    2.6 Other kernel pointer leaks
    2.7 Restricting access to sysfs
    2.8 linux-hardened
    2.9 Grsecurity
    2.10 Linux Kernel Runtime Guard
    2.11 Kernel self-compilation

    3. Mandatory access control

    4. Sandboxing
    4.1 Application sandboxing
    4.2 Common sandbox escapes
    4.2.1 PulseAudio
    4.2.2 D-Bus
    4.2.3 GUI isolation
    4.2.4 ptrace
    4.2.5 TIOCSTI
    4.3 Systemd service sandboxing
    4.4 gVisor
    4.5 Virtual machines

    5. Hardened memory allocator

    6. Hardened compilation flags

    7. Memory safe languages

    8. The root account
    8.1 /etc/securetty
    8.2 Restricting su
    8.3 Locking the root account
    8.4 Denying root login via SSH
    8.5 Increasing the number of hashing rounds
    8.6 Restricting Xorg root access
    8.7 Accessing root securely

    9. Firewalls

    10. Identifiers

    10.1 Hostnames and usernames
    10.2 Timezones / Locales / Keymaps
    10.3 Machine ID
    10.4 MAC address spoofing
    10.5 Time attacks
    10.5.1 ICMP timestamps
    10.5.2 TCP timestamps
    10.5.3 TCP initial sequence numbers
    10.5.4 Time synchronization
    10.6 Keystroke fingerprinting

    11. File permissions
    11.1 setuid / setgid
    11.2 umask

    12. Core dumps
    12.1 sysctl
    12.2 systemd
    12.3 ulimit
    12.4 setuid processes

    13. Swap

    14. PAM

    15. Microcode updates

    16. IPv6 privacy extensions
    16.1 NetworkManager
    16.2 systemd-networkd

    17. Partitioning and mount options

    18. Entropy
    18.1 Additional entropy sources
    18.2 RDRAND

    19. Editing files as root

    20. Distribution-specific hardening
    20.1 HTTPS package manager mirrors
    20.2 APT seccomp-bpf

    21. Physical security
    21.1 Encryption
    21.2 BIOS / UEFI hardening
    21.3 Bootloader passwords
    21.3.1 GRUB
    21.3.2 Syslinux
    21.3.3 systemd-boot
    21.4 Verified boot
    21.5 USBs
    21.6 DMA attacks
    21.7 Cold boot attacks

    22. Best practices
    `
