[PATCH][RFC] Secure defaults (initial sysctl settings)

From: Alex Hunsaker
Date: Sun Sep 09 2007 - 20:51:36 EST


Allow for various sysctl settings to initially be set to more secure
defaults.

Why: While you can easily set these values at boot time with sysctl
(and most distros do):
- It's nice to be able to set their initial value.
- It also allows someone who is unfamiliar with all the security knobs
the kernel exposes to easily turn one on or off (or even read about
what it does).
- Another benefit is that every time a new security feature comes out
(mmap_min_addr for example) you don't have to change the setting on
every server, or heck, even be totally unaware of it until you read
about it on <insert favorite news source> months later.

While some options (syncookies comes to mind) might be better placed
somewhere else...
I'm more interested to see if anyone thinks this is a good idea.
I mainly did this because I wanted a way to turn on mmap_min_addr by default.
After which I thought, hrm, what other sysctl settings do I regularly
change the default of...

Also it *seems* like it might be nice to move other security related
options (fstack-protector, seccomp) under Security.
What does everyone else think?

Oh, and sorry about the gross use of Kconfig CONFIG_ defines; what's a
better way to do this? Static inlines with #ifdef CONFIG_XXX in the
headers?

Signed-off-by: Alex Hunsaker <badalex@xxxxxxxxx>

diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 5b77bda..438eb1d 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -65,20 +65,24 @@

struct ipv4_devconf ipv4_devconf = {
.data = {
- [NET_IPV4_CONF_ACCEPT_REDIRECTS - 1] = 1,
- [NET_IPV4_CONF_SEND_REDIRECTS - 1] = 1,
+ [NET_IPV4_CONF_ACCEPT_REDIRECTS - 1] = CONFIG_IPV4_ACCEPT_REDIRECTS,
+ [NET_IPV4_CONF_SEND_REDIRECTS - 1] = CONFIG_IPV4_SEND_REDIRECTS,
[NET_IPV4_CONF_SECURE_REDIRECTS - 1] = 1,
[NET_IPV4_CONF_SHARED_MEDIA - 1] = 1,
+ [NET_IPV4_CONF_LOG_MARTIANS - 1] = CONFIG_IPV4_LOG_MARTIANS,
+ [NET_IPV4_CONF_RP_FILTER - 1] = CONFIG_IPV4_RP_FILTER,
},
};

static struct ipv4_devconf ipv4_devconf_dflt = {
.data = {
- [NET_IPV4_CONF_ACCEPT_REDIRECTS - 1] = 1,
- [NET_IPV4_CONF_SEND_REDIRECTS - 1] = 1,
+ [NET_IPV4_CONF_ACCEPT_REDIRECTS - 1] = CONFIG_IPV4_ACCEPT_REDIRECTS,
+ [NET_IPV4_CONF_SEND_REDIRECTS - 1] = CONFIG_IPV4_SEND_REDIRECTS,
[NET_IPV4_CONF_SECURE_REDIRECTS - 1] = 1,
[NET_IPV4_CONF_SHARED_MEDIA - 1] = 1,
- [NET_IPV4_CONF_ACCEPT_SOURCE_ROUTE - 1] = 1,
+ [NET_IPV4_CONF_ACCEPT_SOURCE_ROUTE - 1] =
CONFIG_IPV4_ACCEPT_SOURCE_ROUTE,
+ [NET_IPV4_CONF_LOG_MARTIANS - 1] = CONFIG_IPV4_LOG_MARTIANS,
+ [NET_IPV4_CONF_RP_FILTER - 1] = CONFIG_IPV4_RP_FILTER,
},
};

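Review bot: the line `+ [NET_IPV4_CONF_ACCEPT_SOURCE_ROUTE - 1] =` has its value `CONFIG_IPV4_ACCEPT_SOURCE_ROUTE,` wrapped onto a following line with no leading `+`, so this hunk will not apply as mailed; resend with a mailer that does not wrap long lines (the inline copy is what gets reviewed, not the attachment). Separately, `ipv4_devconf` (the "all" entry) gains LOG_MARTIANS and RP_FILTER but leaves ACCEPT_SOURCE_ROUTE alone, while `ipv4_devconf_dflt` switches ACCEPT_SOURCE_ROUTE to the CONFIG_ value; since the effective per-interface rp_filter and accept_source_route settings are derived from both the "all" and the per-interface values, state in the changelog whether that asymmetry is intended and what the resulting default behaviour is.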
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index a12b08f..99e29e5 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -29,7 +29,7 @@
#include <net/xfrm.h>

#ifdef CONFIG_SYSCTL
-#define SYNC_INIT 0 /* let the user enable it */
+#define SYNC_INIT CONFIG_TCP_SYNCOOKIES_ON
#else
#define SYNC_INIT 1
#endif
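Review bot: the removed comment `/* let the user enable it */` was the only documentation of why the sysctl default was 0; keep a comment saying the initial value now comes from Kconfig. The `#else` branch still hardcodes `SYNC_INIT 1` for !CONFIG_SYSCTL, so the new knob has no effect there and the help text for SECURITY_TCP_SYNCOOKIES should say so. Since SYN_COOKIES is already defined in net/ipv4/Kconfig, the SECURITY_TCP_SYNCOOKIES / TCP_SYNCOOKIES_ON pair belongs next to it rather than under security/, as the cover letter itself suspects; that also avoids a net/ipv4 file depending on a symbol defined in the security tree.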
diff --git a/security/Kconfig b/security/Kconfig
index 460e5c9..e469dd6 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -93,6 +93,8 @@ config SECURITY_ROOTPLUG

If you are unsure how to answer this question, answer N.

+source security/Kconfig.secure_defaults
+
source security/selinux/Kconfig

endmenu
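Review bot: the `source` line itself is fine, but the file it pulls in defines IPV4_* and TCP_SYNCOOKIES_ON helper symbols that net/ipv4/devinet.c and tcp_minisocks.c now read unconditionally; they only stay defined with CONFIG_SECURITY=n because they carry no `depends on` and security/Kconfig is always sourced from the top-level Kconfig. Add a comment next to the `source` saying that those helpers must stay dependency-free, so a later cleanup does not move them under `if SECURITY` and break the network build.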
diff --git a/security/Kconfig.secure_defaults b/security/Kconfig.secure_defaults
new file mode 100644
index 0000000..2b2199e
--- /dev/null
+++ b/security/Kconfig.secure_defaults
@@ -0,0 +1,92 @@
+config SECURITY_SECURE_DEFAULTS
+ tristate "Secure defaults"
+ depends on SECURITY
+ help
+ Allows tuning of various kernel knobs to be secure by default.
+ NOTE: all of these have equivalent sysctl options
+
+config SECURITY_MMAP_MIN_ADDR
+ int "default mmap min address"
+ help
+ Help prevent users from exploiting NULL dereferences in the
kernel which have
+ not been discovered yet.
+ range 0 65536
+ depends on SECURITY_SECURE_DEFAULTS
+ default "4096"
+
+
+config SECURITY_TCP_SYNCOOKIES
+ bool "Turn on syncookies by default"
+ help
+ Syncookies can help prevent syn-flood attacks
+ (see Documentation/networking/ip-sysctl.txt for more)
+ depends on SYN_COOKIES
+ depends on SECURITY_SECURE_DEFAULTS
+ default y
+
+config TCP_SYNCOOKIES_ON
+ int
+ default 1 if SECURITY_TCP_SYNCOOKIES
+ default 0
+
+config SECURITY_IPV4_NO_ACCEPT_REDIRECTS
+ bool "Don't accept IMCP redirects"
+ help
+ ICMP redirects can be used to set up MITM attacks and other nasties
+ depends on SECURITY_SECURE_DEFAULTS
+ default y
+
+config IPV4_ACCEPT_REDIRECTS
+ int
+ default 0 if SECURITY_IPV4_NO_ACCEPT_REDIRECTS
+ default 1
+
+config SECURITY_IPV4_NO_SEND_REDIRECTS
+ bool "Don't send IMCP redirects"
+ help
+ Usually only needed if this computer functions as a router of some sort.
+ depends on SECURITY_SECURE_DEFAULTS
+ default y
+
+config IPV4_SEND_REDIRECTS
+ int
+ default 0 if SECURITY_IPV4_NO_SEND_REDIRECTS
+ default 1
+
+config SECURITY_IPV4_NO_ACCEPT_SOURCE_ROUTE
+ bool "Don't accept source routes"
+ help
+ source routed packets are generally not needed and could
potently allow MITM attacks.
+ depends on SECURITY_SECURE_DEFAULTS
+ default y
+
+config IPV4_ACCEPT_SOURCE_ROUTE
+ int
+ default 0 if SECURITY_IPV4_NO_ACCEPT_SOURE_ROUTE
+ default 1
+
+config SECURITY_IPV4_LOG_MARTIANS
+ bool "Log martians by default"
+ depends on SECURITY_SECURE_DEFAULTS
+ help
+ Log packets with impossible addresses to the kernel log
+ default y
+
+config IPV4_LOG_MARTIANS
+ int
+ default 1 if SECURITY_IPV4_LOG_MARTIANS
+ default 0
+
+config SECURITY_IPV4_RP_FILTER
+ bool "Turn on rp_filter by default"
+ depends on SECURITY_SECURE_DEFAULTS
+ help
+ Help protect against spoofed tcp/ip packets.
+ Could cause troubles for complicated networks.
+ (see Documentation/networking/ip-sysctl.txt for more)
+ default y
+
+config IPV4_RP_FILTER
+ int
+ default 1 if SECURITY_IPV4_RP_FILTER
+ default 0
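Review bot: `default 0 if SECURITY_IPV4_NO_ACCEPT_SOURE_ROUTE` under IPV4_ACCEPT_SOURCE_ROUTE misspells the bool symbol (SOURE for SOURCE); kconfig treats an unknown symbol in an expression as an undefined symbol with value n instead of an error, so the condition never matches, CONFIG_IPV4_ACCEPT_SOURCE_ROUTE is always 1, and "Don't accept source routes" does nothing. Fix the spelling and verify with a build that has the option enabled. Further points in the same file: SECURITY_SECURE_DEFAULTS is `tristate` but nothing here is modular, so make it `bool`; SECURITY_MMAP_MIN_ADDR has `depends on SECURITY_SECURE_DEFAULTS` and no dependency-free fallback like the IPV4_* helpers, so CONFIG_SECURITY_MMAP_MIN_ADDR is undefined whenever the umbrella option is off (see the security.c hunk); in SECURITY_MMAP_MIN_ADDR, SECURITY_IPV4_LOG_MARTIANS and SECURITY_IPV4_RP_FILTER the `help` block is followed by `range`/`depends`/`default` lines, which only parse as attributes if their indentation drops below that of the help text, so put `help` last as the rest of the tree does; the prompts read "IMCP" for ICMP and the source-route help says "potently" for "potentially"; and the help line `Help prevent users from exploiting NULL dereferences in the` is wrapped mid-line by the mailer, the same problem as in the devinet.c hunk.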
diff --git a/security/security.c b/security/security.c
index 27e5863..d82088c 100644
--- a/security/security.c
+++ b/security/security.c
@@ -64,6 +64,8 @@ int __init security_init(void)
security_ops = &dummy_security_ops;
do_security_initcalls();

+ mmap_min_addr = CONFIG_SECURITY_MMAP_MIN_ADDR;
+
return 0;
}

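Review bot: `mmap_min_addr = CONFIG_SECURITY_MMAP_MIN_ADDR;` is compiled unconditionally, but SECURITY_MMAP_MIN_ADDR `depends on SECURITY_SECURE_DEFAULTS`, so with that option off the macro is undefined and security_init() fails to build. Either give the int a dependency-free fallback symbol (as done for the IPV4_* helpers) or guard the assignment with `#ifdef CONFIG_SECURITY_MMAP_MIN_ADDR`. Initializing `mmap_min_addr` at its definition would be cleaner still: the default is then visible where the variable is declared and does not depend on security_init() ordering.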
Attachment: secure-defaults.patch
Description: Binary data