Linux Kernel Configuration


=Start=

Background:

Earlier this year a local privilege escalation vulnerability caused by DCCP was disclosed ("[Vulnerability alert] Hidden for 11 years: Linux kernel DCCP double-free privilege escalation vulnerability (CVE-2017-6074)"). Exploiting it requires the kernel to have been built with CONFIG_IP_DCCP enabled, which many Linux distributions do by default. In many companies' production environments, however, the module is never actively loaded, so we first need to determine whether the system has already loaded it. If it has not been loaded, we can prevent the module from being loaded by certain means; if it has already been loaded, we either upgrade the kernel and reboot the machine, or first disable loading at boot and then reboot for that to take effect. What follows is what I learned about Linux kernel configuration while detecting and handling this vulnerability.

Body:

Reference answers:

Detection and mitigation of the DCCP vulnerability on Linux
# Check whether the CONFIG_IP_DCCP option was enabled when the kernel was built
$ grep "CONFIG_IP_DCCP=" /boot/config-`uname -r`
# Check whether the dccp module is already loaded on the running system
$ lsmod | grep --color -i "dccp"
# If the dccp module has not been loaded yet, the following command (run as root) prevents it from being loaded; if it is already loaded, run the command first and then reboot the system for it to take effect
# echo "install dccp /bin/true" >> /etc/modprobe.d/disable-dccp.conf
How do I find out which kernel version is currently running on Linux and what its configuration is?
$ cat /boot/config-$(uname -r)          # RHEL/CentOS/...
$ zcat /proc/config.gz > running.config  # only available if CONFIG_IKCONFIG_PROC was set when the kernel was built.
$ cat /boot/config                      # only available if CONFIG_IKCONFIG_PROC was set when the kernel was built.
How do I list the kernel drivers/modules that are currently loaded on Linux?
$ lsmod
$ cat /proc/modules
How do I see which kernel drivers/modules are available on Linux, and their details?
$ find /lib/modules/$(uname -r) -type f -name "*.ko"
# Show details of the dccp module
$ modinfo dccp
Notes on Linux kernel configuration
The 3 states of the main selection option for the SCSI subsystem (which actually selects the SCSI mid level driver) follow. Only one of these should appear in an actual kernel config file:
CONFIG_SCSI=y   # compiled directly into the kernel and loaded at boot
CONFIG_SCSI=m   # built as a loadable module at kernel compile time, loaded on demand afterwards
# CONFIG_SCSI is not set    # not selected at compile time and will not be loaded later either
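As an added example (not part of the original post), the following shell script combines the DCCP checks above with the three CONFIG_* states into one decision: it classifies CONFIG_IP_DCCP as y/m/unset, checks a /proc/modules-style list for dccp, and prints the matching recommendation. The functions take file paths so they can run against the real files or against the constructed samples embedded below; the dccp_advice helper and the sample values are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: classify a kernel config option
# as built-in (y), module (m) or unset, check whether a module is loaded, and
# derive the post's DCCP advice from the two answers. Functions take file
# paths so they run against the real files (/boot/config-$(uname -r),
# /proc/modules) or against the constructed samples below.

# kconfig_state CONFIG_FILE OPTION  -> prints y, m or n
kconfig_state() {
    if grep -q "^$2=y" "$1"; then echo y
    elif grep -q "^$2=m" "$1"; then echo m
    else echo n            # "# OPTION is not set" or absent from the file
    fi
}

# module_loaded MODULES_FILE NAME  -> exit status 0 if NAME is in the list
module_loaded() {
    awk -v m="$2" '$1 == m { found = 1 } END { exit !found }' "$1"
}

# dccp_advice CONFIG_FILE MODULES_FILE -> one-line recommendation
dccp_advice() {
    case "$(kconfig_state "$1" CONFIG_IP_DCCP)" in
    n) echo "dccp not built: nothing to do" ;;
    y) echo "dccp built into the kernel: modprobe.d cannot block it, upgrade the kernel and reboot" ;;
    m) if module_loaded "$2" dccp; then
           echo "dccp module loaded: add 'install dccp /bin/true' to /etc/modprobe.d/ and reboot"
       else
           echo "dccp module available but not loaded: add 'install dccp /bin/true' to /etc/modprobe.d/"
       fi ;;
    esac
}

# Constructed sample files (not captured from a real system)
CFG=$(mktemp); MODS=$(mktemp)
trap 'rm -f "$CFG" "$MODS"' EXIT
cat >"$CFG" <<'EOF'
CONFIG_SCSI=y
CONFIG_IP_DCCP=m
# CONFIG_IP_SCTP is not set
EOF
cat >"$MODS" <<'EOF'
dccp 110592 0 - Live 0xffffffffc0a00000
xfs 1228800 2 - Live 0xffffffffc0900000
EOF

dccp_advice "$CFG" "$MODS"
```

Run it with `/boot/config-$(uname -r)` and `/proc/modules` in place of the two temp files to check a live host; the built-in (y) branch is the case where a modprobe.d entry gives no protection.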

 

References:

Linux kernel: CVE-2017-6074 – local privilege escalation in DCCP
https://ma.ttias.be/linux-kernel-cve-2017-6074-local-privilege-escalation-dccp/

How do I find out which kernel version is currently running on Linux and what its configuration is?
https://superuser.com/questions/287371/obtain-kernel-config-from-currently-running-linux-system
https://serverfault.com/questions/51032/how-do-i-check-what-kernel-options-were-compiled-without-looking-at-boot-config
https://unix.stackexchange.com/questions/123026/where-kernel-configuration-file-is-stored
https://unix.stackexchange.com/questions/83319/how-can-i-know-if-the-current-kernel-was-compiled-with-a-certain-option-enabled

How do I list the kernel drivers/modules that are currently loaded on Linux?
https://www.cyberciti.biz/tips/how-to-display-or-show-information-about-a-linux-kernel-module-or-drivers.html
https://www.cyberciti.biz/faq/howto-display-list-of-modules-or-device-drivers-in-the-linux-kernel/
https://serverfault.com/questions/62316/how-do-i-list-loaded-linux-module-parameter-values
https://serverfault.com/questions/10439/how-do-you-check-the-version-of-a-ko-kernel-module-in-linux
http://ask.xmodulo.com/find-information-builtin-kernel-modules-linux.html
https://stackoverflow.com/questions/9845877/how-to-determine-if-a-specific-module-is-loaded-in-linux-kernel

How do I see which kernel drivers/modules are available on Linux?
https://unix.stackexchange.com/questions/184877/how-to-list-all-loadable-kernel-modules

Notes on Linux kernel configuration
http://www.tldp.org/HOWTO/SCSI-2.4-HOWTO/kconfig.html
https://stackoverflow.com/questions/5392756/what-does-m-mean-in-kernel-configuration-file

=END=


12 comments on "Linux Kernel Configuration"

  1. Linux System Security Hardening Guide
    https://www.freebuf.com/articles/system/266248.html
    `
    # Table of contents

    Choosing the right Linux distribution
    * Kernel
    * Stable vs LTS kernel
    * Sysctl
    * — Kernel self-protection
    * — Network
    * — User space

    Boot parameters
    * — Kernel self-protection
    * — CPU mitigations
    * — Result

    hidepid
    * Kernel attack surface reduction
    * — Other kernel pointer leaks
    * — Restricting access to sysfs
    * — Linux hardening
    * — Grsecurity
    * — Kernel runtime guard
    * — Self-compiled kernel

    Mandatory access control
    * Sandboxing
    * — Application sandboxing
    * — Systemd sandboxing
    * — gVisor
    * — Virtual machines

    Hardened memory allocator
    * Hardened compilation flags
    * Memory safe languages
    * Root account
    * — /etc/securetty
    * — Restricting su
    * — Locking the root account
    * — Denying remote root login via SSH
    * — Increasing the number of hashing rounds
    * — Restricting Xorg root access
    * — Accessing root securely

    Firewalls
    * Identifiers
    * — Hostnames and usernames
    * — Timezones / Locales / Keymaps
    * — Machine ID
    * — MAC address spoofing
    * — Time attacks
    * — Keystroke fingerprinting

    File permissions
    * — setuid / setgid
    * — umask

    Core dumps
    * — sysctl
    * — systemd
    * — ulimit
    * — setuid processes

    Swap
    * PAM
    * Microcode updates
    * IPv6 privacy extensions
    * — NetworkManager
    * — systemd-networkd

    Partitioning and mount options
    * Entropy
    * — RDRAND

    Editing files as root
    * Distribution-specific hardening
    * — HTTP package manager mirrors
    * — APT seccomp-bpf

    Physical security
    * — BIOS / UEFI hardening
    * — Bootloader passwords
    * — Verified boot
    * — USBs
    * — DMA attacks
    * — Cold boot attacks

    Best practices
    * Other guides
    * Terminology
    * Capabilities
    `

  2. Linux System Security Hardening Guide (Linux Hardening Guide)
    https://madaidans-insecurities.github.io/guides/linux-hardening.html
    `
    # Contents
    1. Choosing the right Linux distribution

    2. Kernel hardening
    2.1 Stable vs. LTS
    2.2 Sysctl
    2.2.1 Kernel self-protection
    2.2.2 Network
    2.2.3 User space
    2.3 Boot parameters
    2.3.1 Kernel self-protection
    2.3.2 CPU mitigations
    2.3.3 Result
    2.4 hidepid
    2.5 Kernel attack surface reduction
    2.5.1 Boot parameters
    2.5.2 Blacklisting kernel modules
    2.5.3 rfkill
    2.6 Other kernel pointer leaks
    2.7 Restricting access to sysfs
    2.8 linux-hardened
    2.9 Grsecurity
    2.10 Linux Kernel Runtime Guard
    2.11 Kernel self-compilation

    3. Mandatory access control

    4. Sandboxing
    4.1 Application sandboxing
    4.2 Common sandbox escapes
    4.2.1 PulseAudio
    4.2.2 D-Bus
    4.2.3 GUI isolation
    4.2.4 ptrace
    4.2.5 TIOCSTI
    4.3 Systemd service sandboxing
    4.4 gVisor
    4.5 Virtual machines

    5. Hardened memory allocator

    6. Hardened compilation flags

    7. Memory safe languages

    8. The root account
    8.1 /etc/securetty
    8.2 Restricting su
    8.3 Locking the root account
    8.4 Denying root login via SSH
    8.5 Increasing the number of hashing rounds
    8.6 Restricting Xorg root access
    8.7 Accessing root securely

    9. Firewalls

    10. Identifiers

    10.1 Hostnames and usernames
    10.2 Timezones / Locales / Keymaps
    10.3 Machine ID
    10.4 MAC address spoofing
    10.5 Time attacks
    10.5.1 ICMP timestamps
    10.5.2 TCP timestamps
    10.5.3 TCP initial sequence numbers
    10.5.4 Time synchronization
    10.6 Keystroke fingerprinting

    11. File permissions
    11.1 setuid / setgid
    11.2 umask

    12. Core dumps
    12.1 sysctl
    12.2 systemd
    12.3 ulimit
    12.4 setuid processes

    13. Swap

    14. PAM

    15. Microcode updates

    16. IPv6 privacy extensions
    16.1 NetworkManager
    16.2 systemd-networkd

    17. Partitioning and mount options

    18. Entropy
    18.1 Additional entropy sources
    18.2 RDRAND

    19. Editing files as root

    20. Distribution-specific hardening
    20.1 HTTPS package manager mirrors
    20.2 APT seccomp-bpf

    21. Physical security
    21.1 Encryption
    21.2 BIOS / UEFI hardening
    21.3 Bootloader passwords
    21.3.1 GRUB
    21.3.2 Syslinux
    21.3.3 systemd-boot
    21.4 Verified boot
    21.5 USBs
    21.6 DMA attacks
    21.7 Cold boot attacks

    22. Best practices
    `

  3. 《With Friends Like eBPF, Who Needs Enemies?》
    https://www.blackhat.com/us-21/briefings/schedule/#with-friends-like-ebpf-who-needs-enemies-23619

    GitHub
    https://github.com/Gui774ume/ebpfkit

    《Warping Reality – creating and countering the next generation of Linux rootkits using eBPF》
    https://defcon.org/html/defcon-29/dc-29-speakers.html#path

    GitHub
    https://github.com/pathtofile/bad-bpf

    Source code analysis of the Cilium eBPF implementation
    https://mp.weixin.qq.com/s?__biz=MzUyMDM0OTY5NA==&mid=2247483747&idx=1&sn=6f0dce420f3dd412a52496e3ce3e2e38&scene=21#wechat_redirect

    Analysis of Datadog's eBPF security detection mechanism
    https://mp.weixin.qq.com/s?__biz=MzUyMDM0OTY5NA==&mid=2247483757&idx=1&sn=f0cc24e6bdf6e0dea683575f706ca279&scene=21#wechat_redirect

    Bad BPF – Warping reality using eBPF
    https://blog.tofile.dev/2021/08/01/bad-bpf.html

    Documentation for /proc/sys/kernel/
    https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#unprivileged-bpf-disabled

    BPF bytecode signing plan
    https://lwn.net/Articles/853489/

    Objections
    https://lwn.net/Articles/854386/

    GitHub/saBPF-project
    https://github.com/saBPF-project/sabpf-kernel

    bpf() subcommand reference
    https://www.kernel.org/doc/html/latest/userspace-api/ebpf/syscall.html

    elixir.bootlin.com/linux
    https://elixir.bootlin.com/linux/v5.16.10/source/tools/lib/bpf/netlink.c#L237

    tc command classifier
    https://man7.org/linux/man-pages/man8/tc-bpf.8.html

    eBPF IDA Proc
    https://github.com/cylance/eBPF_processor

    Reverse Engineering Ebpfkit Rootkit With BlackBerry’s Enhanced IDA Processor Tool
    https://blogs.blackberry.com/en/2021/12/reverse-engineering-ebpfkit-rootkit-with-blackberrys-free-ida-processor-tool

    BCC library demo: lsm probe
    https://github.com/iovisor/bcc/blob/master/docs/reference_guide.md#11-lsm-probes

    GitHub/BCC
    https://github.com/iovisor/bcc

    Demo BPF applications
    https://github.com/libbpf/libbpf-bootstrap

    bpf-core-reference-guide
    https://nakryiko.com/posts/bpf-core-reference-guide/

    Creating and Countering the Next Generation of Linux Rootkits
    https://www.youtube.com/watch?v=g6SKWT7sROQ

    DEFCON 29 – eBPF, I thought we were friends
    https://www.youtube.com/watch?v=5zixNDolLrg

    Offensive BPF: Malicious bpftrace
    https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/

    Lifetime of BPF objects
    https://facebookmicrosites.github.io/bpf/blog/2018/08/31/object-lifetime.html

    BPF program (BPF Prog) types explained: use cases, function signatures, execution points and example programs
    https://arthurchiao.art/blog/bpf-advanced-notes-1-zh

    Features of bpftool: the thread of tips and examples to work with eBPF objects
    https://qmonnet.github.io/whirl-offload/2021/09/23/bpftool-features-thread/

    eBPF Syscall
    https://www.kernel.org/doc/html/latest/userspace-api/ebpf/syscall.html

    ebpfkit is a rootkit powered by eBPF
    https://github.com/Gui774ume/ebpfkit

  4. On Bypassing eBPF Security Monitoring (translation)
    https://tttang.com/archive/1779/
    https://blog.doyensec.com/2022/10/11/ebpf-bypass-security-monitoring.html
    `
    Preface
    Body
    A brief description of how eBPF works
    Common shortcomings and potential bypasses (this is the key part)
    1. Understand which events are caught
    1.1 Execution bypasses
    1.2 Network bypasses
    2. Delayed execution
    3. Evade scoped event monitoring based on cgroup
    4. Memory limits and loss of events
    5. Never trust the userspace
    6. Abuse the lack of seccomp-bpf and kernel discrepancies
    7. Interfere with the agents
    Sources

    * A few words on how eBPF works
    * Common shortcomings & potential bypasses (here be dragons)
    – * 1. Understand which events are caught
    – – * 1.1 Execution bypasses
    – – * 1.2 Network bypasses
    – * 2. Delayed execution
    – * 3. Evade scoped event monitoring based on cgroup
    – * 4. Memory limits and loss of events
    – * 5. Never trust the userspace
    – * 6. Abuse the lack of seccomp-bpf & kernel discrepancies
    – * 7. Interfere with the agents
    `

  5. Slides from the China eBPF Conference
    https://gitee.com/linuxkerneltravel/ebpf-conference/tree/master
    `
    Call for talk topics, projects and suggestions for the first China eBPF Conference.

    PPT/主会场
    PPT/主会场/5.基于eBPF的Service Mesh性能瓶颈定位与优化.pdf
    PPT/主会场/4.基于eBPF的Linux内核探索之旅—开源项目LMP.pptx
    PPT/主会场/2.从Linux内核到eBPF.pptx
    PPT/主会场/3.Linux Tracing System 浅析 & eBPF框架开发经验分享.pptx
    PPT/分会场三
    PPT/分会场三/4.bcc应用最佳实践.pdf
    PPT/分会场三/8.观测云采集器.pptx
    PPT/分会场三/2.eBPF技术在CT领域的分布式性能追踪的实践.pptx
    PPT/分会场三/6.eBPF在Android平台的实践.pptx
    PPT/分会场三/3.Extend Database Mesh with eBPF.pptx
    PPT/分会场三/7.DeepFlow基于eBPF的高度自动化可观测性实践.pdf
    PPT/分会场三/1.阿里基于eBPF的应用可观测技术实践.pptx
    PPT/分会场三/5.基于eBPF的程序摄像头—Trace Profiling的设想.pdf
    PPT/分会场一
    PPT/分会场一/5.Hardware accelerator for eBPF.pdf
    PPT/分会场一/1.基于eBPF构建可编程调度框架.pptx
    PPT/分会场一/6.ARM64 eBPF JIT现状介绍.pptx
    PPT/分会场一/2.Coolbpf在各内核版本的应用实践.pptx
    PPT/分会场一/3.eunomia:让eBPF程序的开发和部署尽可能简单.pptx
    PPT/分会场一/4.eBPF急先锋:surftrace.pptx
    PPT/分会场一/8.基于eBPF的服务网格应用加速器.pptx
    PPT/分会场一/7.基于eBPF系统调用钩子检测工具.key
    PPT/分会场二
    PPT/分会场二/1.基于 eBPF 的内存泄露(增长)通用分析方法.pptx
    PPT/分会场二/5.首届eBPF大会_eBPF技术在服务网格场景应用经验总结与展望.pptx
    PPT/分会场二/8.eCapture旁观者-CFC4N-首届中国eBPF研讨会.pdf
    PPT/分会场二/7.沈典-东南大学-基于eBPF的多路径网络传输协议栈扩展.pdf
    PPT/分会场二/2.首届eBPF大会交流-李强&张绪峰_final.pptx
    PPT/分会场二/6.Agith宣讲材料.pptx
    PPT/分会场二/4.基于eBPF的内核漏洞检测实践—许庆伟.pptx
    PPT/分会场二/3.首届eBPF大会_gala-gopher:基于eBPF技术的系统白盒观测能力 v1.0.pptx
    `

  6. Collected introductory literature on eBPF
    http://blog.nsfocus.net/ebpf/
    `
    Before 2022.9.26 I knew nothing about eBPF, not counting the BPF historically used for packet capture. I then read a lot of eBPF literature and got my foot in the door, so here are some beginner's notes.

    eBPF has developed rapidly in recent years and many new features are picky about the kernel version; there is no need to struggle against outdated eBPF limitations. When starting out it is perfectly fine to learn on a newer kernel, and once you are fairly familiar, think about backward compatibility for production environments. I tested eBPF on Ubuntu 22.04.1 LTS (Jammy Jellyfish) with the 5.15.0-52-generic kernel; this kernel version is already fairly recent, and even so some new eBPF features are still unsupported.

    I. bpftrace
    It is best to start with bpftrace. Go through the following references; do not pick and choose, read all of them once, and there is no need to read other material piecemeal.

    II. BCC
    bpftrace is concise and clear, but its wrapping of bpf-helpers(7) is incomplete; there is no bpf_probe_write_user. Compared with bpftrace, the BCC Python bindings can do more; go through the following references. BCC programming details are not covered here; once you have read the pile below you will simply know them.

    III. BPF Performance Tools
    See https://github.com/brendangregg/bpf-perf-tools-book

    IV. unprivileged_bpf_disabled
    See https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html

    V. Offensive BPF
    Go through this series
    https://embracethered.com/blog/tags/ebpf/
    https://embracethered.com/blog/posts/2021/offensive-bpf/
    https://github.com/wunderwuzzi23/Offensive-BPF/

    VI. Bad BPF
    Go through
    ————————————————————————–
    Detecting Kernel Hooking using eBPF – Pat H [2021-07-07]
    https://blog.tofile.dev/2021/07/07/ebpf-hooks.html
    (Explains how BPF-HookDetect works; uses bpf_get_stackid)

    BPF-HookDetect
    https://github.com/pathtofile/bpf-hookdetect
    (Detect Kernel Rootkits hooking syscalls)

    Using eBPF to uncover in-memory loading – Pat H [2021-02-15]
    https://blog.tofile.dev/2021/02/15/ebpf-01.html
    (Contains a complete example of loading an ELF from memory)

    VII. libbpf (eBPF loader)
    libbpf claims it will replace BCC; go through

    ————————————————————————–
    https://github.com/libbpf/libbpf

    https://github.com/iovisor/bcc/tree/master/libbpf-tools

    LIBBPF API
    https://libbpf.readthedocs.io/en/latest/api.html

    VIII. libbpf-bootstrap
    8.1 Compiling

    See

    "Git and the GFW"
    http://scz.617.cn:8/unix/202211231303.txt

    8.2 eBPF code compatibility

    IX. Other references
    Where I said "go through" above, I mean reading word by word; some of it I read repeatedly, and the second pass yields more than the first. What follows are some other related references; time permitting, I suggest going through them too.
    `

    https://github.com/iovisor/bpftrace
    https://github.com/iovisor/bpftrace/tree/master/tools
    https://github.com/iovisor/bpftrace/blob/master/INSTALL.md
    https://github.com/iovisor/bpftrace/blob/master/docs/tutorial_one_liners.md
    https://www.brendangregg.com/BPF/bpftrace-cheat-sheet.html

    https://github.com/iovisor/bcc
    https://github.com/iovisor/bcc/tree/master/tools

    BPF Documentation
    https://docs.kernel.org/bpf/

    Linux Extended BPF (eBPF) Tracing Tools
    https://www.brendangregg.com/ebpf.html

    Linux Tracing Workshops Materials
    https://github.com/goldshtn/linux-tracing-workshop

    Comparing SystemTap and bpftrace – Emanuele Rocca [2021-04-13]
    https://lwn.net/Articles/852112/
