SECURITY(8)               NetBSD System Manager's Manual              SECURITY(8)

NAME
     security -- NetBSD security features

DESCRIPTION
     NetBSD supports a variety of security features.  Below is a brief
     description of them with some quick usage examples that will help you
     get started.

   VERIEXEC
     Veriexec is an in-kernel, real-time, file-system independent, file
     integrity subsystem.  It can be used for a variety of purposes,
     including defense against trojanned binaries, indirect attacks via
     third-party remote file-systems, and config file corruption.

     It can operate in four modes, also referred to as strict levels:

     Learning mode (strict level 0)
             The only level at which the fingerprint tables can be
             modified, this level is used to help fine-tune the signature
             database.  No enforcement is made, and verbose information is
             provided (fingerprint matches and mismatches, file removals,
             incorrect access, etc.).

     IDS mode (strict level 1)
             IDS (intrusion detection system) mode provides an adequate
             level of integrity for the files it monitors.  Implications:

             -   Monitored files cannot be removed
             -   If raw disk access is granted to a disk with monitored
                 files on it, all monitored files' fingerprints will be
                 invalidated
             -   Access to files with mismatched fingerprints is denied
             -   Write access to monitored files is allowed
             -   Access type is not enforced

     IPS mode (strict level 2)
             IPS (intrusion prevention system) mode provides a high level
             of integrity for the files it monitors.  Implications:

             -   All implications of IDS mode
             -   Write access to monitored files is denied
             -   Access type is enforced
             -   Raw disk access to disk devices with monitored files on
                 them is denied
             -   Execution of non-monitored files is denied
             -   Write access to kernel memory via /dev/mem and /dev/kmem
                 is denied

     Lockdown mode (strict level 3)
             Lockdown mode provides high assurance integrity for the entire
             system.  Implications:

             -   All implications of IPS mode
             -   Access to non-monitored files is denied
             -   Write access to files is allowed only if the file was
                 opened before the strict level was raised to this mode
             -   Creation of new files is denied
             -   Raw access to system disks is denied

     Veriexec requires a list of monitored files, along with their digital
     fingerprint and (optionally) access modes.  NetBSD provides a tool,
     veriexecgen(8), for this purpose.  Example usage:

           # veriexecgen

     Veriexec requires a pseudo-device to run:

           pseudo-device veriexec 1

     Additionally, one or more options for digital fingerprint algorithm
     support:

           options VERIFIED_EXEC_FP_SHA256
           options VERIFIED_EXEC_FP_SHA512

     See your kernel's config file for an example.  On amd64, i386, prep,
     and sparc64 GENERIC kernels, Veriexec is enabled by default.

     Veriexec also requires enabling in rc.conf(5):

           veriexec=YES
           veriexec_strict=1 # IDS mode

   EXPLOIT MITIGATION
     NetBSD incorporates some exploit mitigation features, mainly from the
     PaX project.

     PaX MPROTECT
             PaX MPROTECT are memory protection restrictions, meant to
             complement non-executable mappings.  Their purpose is to
             prevent situations where malicious code attempts to mark
             writable memory regions as executable, often by trashing
             arguments to an mprotect(2) call.

             While it can be enabled globally, NetBSD provides a tool,
             paxctl(1), to enable PaX MPROTECT on a per-program basis.
             Example usage:

                   # paxctl +M /usr/sbin/sshd

             Enabling PaX MPROTECT globally:

                   # sysctl -w security.pax.mprotect.global=1

     PaX Segvguard
             PaX Segvguard monitors the number of segfaults in a program
             per-user, in an attempt to detect on-going exploitation
             attempts and possibly prevent them.  One common attack PaX
             Segvguard can help mitigate is when an attacker tries to
             brute-force a function return address, when wanting to perform
             a return-to-lib attack.

             PaX Segvguard makes use of kernel memory, so use it wisely.
             While it provides rate-limiting protections, it works on a
             per-program basis for keeping its records, meaning that
             irresponsible use may result in keeping track of all segfaults
             in the system, easily wasting all kernel memory.

             For this reason, it is highly recommended to have PaX
             Segvguard enabled explicitly only for network services etc.
             Enabling PaX Segvguard explicitly works like this:

                   # paxctl +G /usr/sbin/sshd

             However, a global knob is still provided, for use in strict
             environments with no local users (some network appliances,
             embedded devices, firewalls, etc.):

                   # sysctl -w security.pax.segvguard.global=1

             PaX Segvguard can be configured to work in your preferred way.
             For example, watching for 5 segfaults from the same user in a
             time-frame of 60 seconds:

                   # sysctl -w security.pax.segvguard.max_crashes=5
                   # sysctl -w security.pax.segvguard.expiry_timeout=60

             The number of seconds a user will be suspended from running
             the culprit program is also configurable.  For example, 10
             minutes seems like a sane setting:

                   # sysctl -w security.pax.segvguard.suspend_timeout=600

             Explicitly disabling PaX Segvguard can be done like this:

                   # paxctl +g /bin/ls

     GCC Stack Smashing Protection (SSP)
             Since NetBSD 4.0, gcc(1) includes SSP, a set of compiler
             extensions to raise the bar on exploitation attempts via
             corruption of variables to affect program control flow or
             buffer overruns.

             You are encouraged to use SSP for software you build, by
             providing one of the -fstack-protector or
             -fstack-protector-all flags to gcc(1).

             The system (userland, kernel) can be built with SSP by using
             the ``USE_SSP'' flag in /etc/mk.conf:

                   USE_SSP=yes

   INFORMATION FILTERING
     NetBSD provides administrators with the ability to restrict
     information passed from the kernel to userland so that users can only
     view information they ``own''.  The hooks that manage that are located
     in various parts of the system and effectively affect programs like
     ps(1), fstat(1), and netstat(1).

     To enable:

           # sysctl -w security.curtain=1

SEE ALSO
     paxctl(1), sysctl(3), options(4), sysctl(8), veriexecctl(8),
     veriexecgen(8)

AUTHORS
     Elad Efrat <elad@NetBSD.org>

NetBSD 4.0                      November 23, 2006                    NetBSD 4.0
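Added example, not part of the security(8) man page and not NetBSD code: a Python model of the strict-level access decisions listed in the VERIEXEC section above. A dictionary of constructed file contents stands in for the file system, build_table() plays the role of veriexecgen(8) (a SHA256 fingerprint per monitored file), and decide() applies the learning/IDS/IPS/lockdown implications to a read, write, exec or create request. The optional per-file access modes (DIRECT/INDIRECT/FILE type enforcement), file removal and raw disk access are not modelled; the paths and contents are made up for the illustration.

```python
"""Model of Veriexec strict-level decisions (illustration, not NetBSD code)."""
import hashlib

READ, WRITE, EXEC = "read", "write", "exec"
LEARNING, IDS, IPS, LOCKDOWN = 0, 1, 2, 3

# Constructed stand-in for the file system: path -> contents.
FILES = {
    "/usr/sbin/sshd": b"\x7fELF sshd (constructed contents)",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/tmp/dropped.sh": b"#!/bin/sh\necho not monitored\n",
}


def fingerprint(data: bytes) -> str:
    """SHA256 digest, the algorithm the VERIFIED_EXEC_FP_SHA256 option enables."""
    return hashlib.sha256(data).hexdigest()


def build_table(files: dict, monitored: list) -> dict:
    """What veriexecgen(8) does: record one fingerprint per monitored file.
    Only strict level 0 (learning mode) allows the table to change."""
    return {path: fingerprint(files[path]) for path in monitored}


def decide(level: int, table: dict, files: dict, path: str, access: str,
           opened_before=frozenset()):
    """Return (allowed, reason) for one access under the given strict level.

    opened_before: files that were already open when the level was raised to
    3, the lockdown exception that still permits writing them.
    """
    exists = path in files
    monitored = path in table
    if not exists:  # the request would create the file
        if level >= LOCKDOWN:
            return False, "lockdown: creation of new files is denied"
        return True, "creation allowed below lockdown"
    if monitored and fingerprint(files[path]) != table[path]:
        if level == LEARNING:
            return True, "learning: mismatch logged, not enforced"
        return False, "fingerprint mismatch"  # IDS and above deny
    if level >= LOCKDOWN:
        if not monitored:
            return False, "lockdown: access to non-monitored files is denied"
        if access == WRITE:
            if path in opened_before:
                return True, "lockdown: write to file opened before level raised"
            return False, "lockdown: write access denied"
    if level >= IPS:
        if monitored and access == WRITE:
            return False, "IPS: write access to monitored files is denied"
        if not monitored and access == EXEC:
            return False, "IPS: execution of non-monitored files is denied"
    return True, "allowed"


def tamper(files: dict, path: str, new_contents: bytes) -> dict:
    """Copy of the file system with one file replaced (a trojanned binary)."""
    modified = dict(files)
    modified[path] = new_contents
    return modified


if __name__ == "__main__":
    table = build_table(FILES, ["/usr/sbin/sshd", "/etc/ssh/sshd_config"])
    trojaned = tamper(FILES, "/usr/sbin/sshd", b"\x7fELF backdoored sshd")
    for level in (LEARNING, IDS, IPS, LOCKDOWN):
        print(level, decide(level, table, trojaned, "/usr/sbin/sshd", EXEC))
        print(level, decide(level, table, FILES, "/tmp/dropped.sh", EXEC))
```

Running the module shows the progression the man page describes: a replaced sshd is only reported at level 0 and denied from level 1 on, while an unmonitored script in /tmp still executes at level 1 and is refused at level 2 and above.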
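Added example, not part of the security(8) man page and not the NetBSD kernel implementation: a Python model of the per-user, per-program crash accounting that the PaX Segvguard section above configures. The three constructor arguments correspond to the security.pax.segvguard.max_crashes, expiry_timeout and suspend_timeout sysctls; the uids, program paths and crash timestamps are constructed for the illustration, and records() exposes the bookkeeping that the man page's kernel-memory warning is about.

```python
"""Model of PaX Segvguard crash accounting (illustration, not NetBSD code)."""
from collections import deque


class Segvguard:
    def __init__(self, max_crashes=5, expiry_timeout=60, suspend_timeout=600):
        self.max_crashes = max_crashes          # crashes tolerated per window
        self.expiry_timeout = expiry_timeout    # window length in seconds
        self.suspend_timeout = suspend_timeout  # suspension length in seconds
        # One record per (uid, program) pair.  This is the kernel memory the
        # man page warns about: enabled globally on a multi-user host, every
        # crashing program of every user gets an entry here.
        self.crashes = {}          # (uid, program) -> deque of crash times
        self.suspended_until = {}  # (uid, program) -> time suspension ends

    def _expire(self, key, now):
        """Drop crash records older than expiry_timeout."""
        window = self.crashes.get(key)
        if window is None:
            return
        while window and now - window[0] > self.expiry_timeout:
            window.popleft()
        if not window:
            del self.crashes[key]

    def may_run(self, uid, program, now):
        """Would running program as uid be allowed at time now?"""
        key = (uid, program)
        until = self.suspended_until.get(key)
        if until is None:
            return True
        if now < until:
            return False
        del self.suspended_until[key]  # suspension served, forget the record
        return True

    def record_segfault(self, uid, program, now):
        """Account one segfault; return True if it triggers a suspension."""
        key = (uid, program)
        self._expire(key, now)
        window = self.crashes.setdefault(key, deque())
        window.append(now)
        if len(window) >= self.max_crashes:
            self.suspended_until[key] = now + self.suspend_timeout
            del self.crashes[key]
            return True
        return False

    def records(self):
        """Number of live records, i.e. what is occupying memory right now."""
        return len(self.crashes) + len(self.suspended_until)


def crashes_until_suspended(guard, uid, program, times):
    """Feed constructed crash timestamps; return how many crashes it took to
    trigger a suspension, or None if the window never filled up."""
    for count, t in enumerate(times, start=1):
        if guard.record_segfault(uid, program, t):
            return count
    return None


if __name__ == "__main__":
    guard = Segvguard(max_crashes=5, expiry_timeout=60, suspend_timeout=600)
    # Five crashes of the same program by the same user within a few seconds,
    # the pattern of a return-address brute force, fill the window.
    print(crashes_until_suspended(guard, 1000, "/usr/sbin/sshd", [0, 1, 2, 3, 4]))
    print(guard.may_run(1000, "/usr/sbin/sshd", 10))   # suspended
    print(guard.may_run(1000, "/usr/sbin/sshd", 700))  # 600 s later, allowed
```

With the man page's example values (5 crashes in 60 seconds, 600 seconds of suspension), the fifth rapid crash suspends that user's access to the program until 600 seconds after the last crash, while five crashes spread 100 seconds apart never fill the window because earlier entries expire first.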