Hello / good evening,
A small topic, for information and clarification.
Security is a non-negligible area of computing, and while surfing the Web I came across this:
linuxfr.org/2010/03/02/26532.html
The article presents a script that lets you "check" the protections of processes and of the kernel against stack-overflow-type attacks, or something along those lines... Anyway, I ran this script and the results for Debian surprised me!
Here is what I get, in turn, for Ubuntu 10.10 Maverick Meerkat and then for Debian Squeeze (frozen), both 64-bit:
[code]COMMAND PID RELRO STACK CANARY NX/PaX PIE
gnome-keyring-d 1509 Partial RELRO Canary found NX enabled No PIE
gnome-session 1527 Partial RELRO Canary found NX enabled No PIE
dbus-launch 1564 Partial RELRO Canary found NX enabled No PIE
dbus-daemon 1565 Partial RELRO Canary found NX enabled PIE enabled
gconfd-2 1568 Partial RELRO Canary found NX enabled No PIE
gnome-settings- 1575 Partial RELRO No canary found NX enabled No PIE
gvfsd 1577 Partial RELRO Canary found NX enabled No PIE
compiz 1580 Partial RELRO Canary found NX enabled No PIE
gnome-volume-co 1590 Partial RELRO Canary found NX enabled No PIE
gnome-power-man 1592 Partial RELRO Canary found NX enabled No PIE
gnome-panel 1593 Partial RELRO Canary found NX enabled No PIE
nm-applet 1594 Partial RELRO Canary found NX enabled No PIE
nautilus 1595 Partial RELRO Canary found NX enabled No PIE
polkit-gnome-au 1597 Partial RELRO No canary found NX enabled No PIE
pulseaudio 1602 Full RELRO Canary found NX enabled No PIE
gvfsd-trash 1612 Partial RELRO Canary found NX enabled No PIE
bonobo-activati 1614 Partial RELRO Canary found NX enabled No PIE
wnck-applet 1626 Partial RELRO No canary found NX enabled No PIE
trashapplet 1627 Partial RELRO No canary found NX enabled No PIE
gvfs-gdu-volume 1628 Partial RELRO Canary found NX enabled No PIE
sh 1632 Partial RELRO Canary found NX enabled No PIE
gtk-window-deco 1633 Partial RELRO Canary found NX enabled No PIE
gvfs-afc-volume 1636 Partial RELRO No canary found NX enabled No PIE
gvfs-gphoto2-vo 1639 Partial RELRO Canary found NX enabled No PIE
notification-ar 1644 Partial RELRO Canary found NX enabled No PIE
clock-applet 1645 Partial RELRO Canary found NX enabled No PIE
indicator-apple 1646 Partial RELRO No canary found NX enabled No PIE
indicator-apple 1647 Partial RELRO No canary found NX enabled No PIE
gvfsd-metadata 1652 Partial RELRO Canary found NX enabled No PIE
gconf-helper 1653 Partial RELRO Canary found NX enabled No PIE
indicator-me-se 1656 Partial RELRO No canary found NX enabled No PIE
indicator-appli 1659 Partial RELRO No canary found NX enabled No PIE
indicator-sound 1661 Partial RELRO No canary found NX enabled No PIE
indicator-sessi 1675 Partial RELRO No canary found NX enabled No PIE
gvfsd-burn 1678 Partial RELRO Canary found NX enabled No PIE
gnome-screensav 1682 Partial RELRO Canary found NX enabled No PIE
gdu-notificatio 1688 Partial RELRO No canary found NX enabled No PIE
python 1726 Partial RELRO Canary found NX enabled No PIE
update-notifier 1828 Partial RELRO Canary found NX enabled No PIE
firefox 1919 Partial RELRO Canary found NX enabled No PIE
run-mozilla.sh 1924 Partial RELRO Canary found NX enabled No PIE
firefox-bin 1928 Full RELRO Canary found NX enabled PIE enabled
gnome-terminal 1958 Partial RELRO Canary found NX enabled No PIE
bash 1960 Partial RELRO Canary found NX enabled No PIE
Kernel protection information:
Description - List the status of kernel protection mechanisms. Rather than
inspect kernel mechanisms that may aid in the prevention of exploitation of
userspace processes, this option lists the status of kernel configuration
options that harden the kernel itself against attack.Kernel config: /boot/config-2.6.32-25-generic
Warning: The config on disk may not represent running kernel config!
GCC stack protector support: Enabled
Strict user copy checks: Disabled
Enforce read-only kernel data: Enabled
Restrict /dev/mem access: Enabled
Restrict /dev/kmem access: Enabled
grsecurity / PaX: No GRKERNSEC
[/code]
[code]Does the CPU support NX: Yes
COMMAND PID RELRO STACK CANARY NX/PaX PIE
gnome-keyring-d 25951 No RELRO No canary found NX enabled No PIE
gnome-session 25975 No RELRO No canary found NX enabled No PIE
dbus-launch 26012 No RELRO No canary found NX enabled No PIE
dbus-daemon 26013 Partial RELRO No canary found NX enabled PIE enabled
seahorse-agent 26023 No RELRO No canary found NX enabled No PIE
gvfsd 26025 No RELRO No canary found NX enabled No PIE
gconfd-2 26030 No RELRO No canary found NX enabled No PIE
gnome-power-man 26034 No RELRO No canary found NX enabled No PIE
gnome-settings- 26039 No RELRO No canary found NX enabled No PIE
gnome-panel 26043 No RELRO No canary found NX enabled No PIE
gvfs-gdu-volume 26045 No RELRO No canary found NX enabled No PIE
gvfs-afc-volume 26050 No RELRO No canary found NX enabled No PIE
gvfs-gphoto2-vo 26053 No RELRO No canary found NX enabled No PIE
nautilus 26054 No RELRO No canary found NX enabled No PIE
bonobo-activati 26056 No RELRO No canary found NX enabled No PIE
compiz 26058 No RELRO No canary found NX enabled No PIE
python 26059 No RELRO No canary found NX enabled No PIE
nm-applet 26063 No RELRO No canary found NX enabled No PIE
update-notifier 26064 No RELRO No canary found NX enabled No PIE
kerneloops-appl 26065 No RELRO Canary found NX enabled No PIE
polkit-gnome-au 26066 No RELRO No canary found NX enabled No PIE
gdu-notificatio 26068 No RELRO No canary found NX enabled No PIE
trashapplet 26079 No RELRO No canary found NX enabled No PIE
gvfsd-trash 26082 No RELRO No canary found NX enabled No PIE
gnome-screensav 26085 No RELRO No canary found NX enabled No PIE
redshift 26086 No RELRO No canary found NX enabled No PIE
mixer_applet2 26097 No RELRO No canary found NX enabled No PIE
gvfsd-metadata 26107 No RELRO No canary found NX enabled No PIE
sh 26108 No RELRO No canary found NX enabled No PIE
compiz-decorato 26109 No RELRO No canary found NX enabled No PIE
gvfsd-burn 26111 No RELRO No canary found NX enabled No PIE
icedove 26121 No RELRO No canary found NX enabled No PIE
run-mozilla.sh 26137 No RELRO No canary found NX enabled No PIE
icedove-bin 26141 No RELRO No canary found NX enabled No PIE
rhythmbox 26206 No RELRO No canary found NX enabled No PIE
firefox-bin 26288 No RELRO No canary found NX enabled No PIE
gvfsd-http 26312 No RELRO No canary found NX enabled No PIE
gnome-terminal 26597 No RELRO No canary found NX enabled No PIE
bash 26599 No RELRO No canary found NX enabled No PIE
bash 26712 No RELRO No canary found NX enabled No PIE
gnome-system-mo 28708 No RELRO No canary found NX enabled No PIE
notification-da 29700 No RELRO No canary found NX enabled No PIE
Kernel protection information:
Description - List the status of kernel protection mechanisms. Rather than
inspect kernel mechanisms that may aid in the prevention of exploitation of
userspace processes, this option lists the status of kernel configuration
options that harden the kernel itself against attack.Kernel config: /boot/config-2.6.32-5-amd64
Warning: The config on disk may not represent running kernel config!
GCC stack protector support: Enabled
Strict user copy checks: Disabled
Enforce read-only kernel data: Enabled
Restrict /dev/mem access: Enabled
Restrict /dev/kmem access: Enabled
[/code]
The differences are in RELRO and the canaries.
I've always heard that Debian was top-notch on security, so now I'm surprised.
Hence my fairly pointed question: why doesn't Debian enable these protections when compiling its packages?
Perhaps all the packages are recompiled with these options when they move to Stable?
PS: Of course, it can't be repeated often enough that good security doesn't rest only on extra internal mechanisms; while they add a little something, they're ineffective on a system that lacks the basics, namely a good password and a properly configured firewall. But that's no reason...
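To make concrete what each column of the output above actually tests, here is an added example (not the checksec script from the linuxfr article, and not code from Debian or Ubuntu) that re-implements the four per-binary checks in Python by reading the ELF64 headers directly instead of shelling out to readelf. It follows the script's logic: RELRO from the presence of a GNU_RELRO segment plus BIND_NOW in the dynamic section, the canary from a reference to `__stack_chk_fail`, NX from the GNU_STACK permission bits, and PIE from the ELF type (ET_DYN). The `build_sample_elf` helper and the two "profiles" it produces are constructed test images, not real binaries; passing file paths on the command line runs the checks on actual executables. Little-endian ELF64 is assumed throughout.

```python
import struct

ELF64_HDR = "<16sHHIQQQIHHHHHH"   # e_ident ... e_shstrndx (64 bytes)
PHDR = "<IIQQQQQQ"                # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
DYN = "<qQ"                       # d_tag d_val

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def checksec(data: bytes) -> dict:
    """Return the RELRO / STACK CANARY / NX / PIE columns for one ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    hdr = struct.unpack_from(ELF64_HDR, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = [struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    loads = [p for p in phdrs if p[0] == PT_LOAD]

    def vaddr_to_offset(addr):
        # Dynamic-section pointers are virtual addresses; map them through PT_LOAD.
        for _, _, off, vaddr, _, filesz, _, _ in loads:
            if vaddr <= addr < vaddr + filesz:
                return addr - vaddr + off
        raise ValueError("address %#x is not backed by a PT_LOAD segment" % addr)

    dyn = {}                                  # d_tag -> d_val (last one wins)
    for p in phdrs:
        if p[0] == PT_DYNAMIC:
            for pos in range(p[2], p[2] + p[5], 16):
                tag, val = struct.unpack_from(DYN, data, pos)
                if tag == DT_NULL:
                    break
                dyn[tag] = val

    # RELRO: a GNU_RELRO segment gives at least partial RELRO; with BIND_NOW
    # (any of the three ways the linker can express it) the GOT is also made
    # read-only after relocation, which is what "Full RELRO" means.
    has_relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    bind_now = (DT_BIND_NOW in dyn
                or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW
                or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    relro = "Full RELRO" if has_relro and bind_now else "Partial RELRO" if has_relro else "No RELRO"

    # Stack canary: code built with -fstack-protector calls __stack_chk_fail,
    # so that name shows up in the dynamic string table of a dynamic binary.
    canary = "No canary found"
    if DT_STRTAB in dyn and DT_STRSZ in dyn:
        start = vaddr_to_offset(dyn[DT_STRTAB])
        if b"__stack_chk_fail" in data[start:start + dyn[DT_STRSZ]].split(b"\0"):
            canary = "Canary found"

    # NX: the GNU_STACK header carries the stack permissions; an X bit there
    # (readelf shows RWE) means an executable stack. As in the original script,
    # a missing GNU_STACK is reported as NX enabled, although the kernel then
    # falls back to its per-architecture default.
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    nx = "NX disabled" if stack and stack[0][1] & PF_X else "NX enabled"

    # PIE: a position-independent executable is linked as ET_DYN, the same
    # type as a shared library, which is all the 2010-era script looks at.
    pie = "PIE enabled" if e_type == ET_DYN else "No PIE"
    return {"RELRO": relro, "STACK CANARY": canary, "NX": nx, "PIE": pie}


def build_sample_elf(pie=True, nx=True, relro="full", canary=True) -> bytes:
    """Constructed sample: a minimal ELF64 image (not a runnable program) that
    carries only the headers the checks above inspect, so the checker can be
    exercised offline with any combination of the four properties."""
    STR_OFF, DYN_OFF = 0x200, 0x300
    strtab = b"\0" + (b"__stack_chk_fail\0" if canary else b"puts\0")
    dynamic = [(DT_STRTAB, STR_OFF), (DT_STRSZ, len(strtab))]
    if relro == "full":
        dynamic.append((DT_FLAGS, DF_BIND_NOW))
    dynamic.append((DT_NULL, 0))
    dyn_bytes = b"".join(struct.pack(DYN, t, v) for t, v in dynamic)
    n, total = len(dyn_bytes), DYN_OFF + len(dyn_bytes)
    phdrs = [
        (PT_LOAD, PF_R | PF_W, 0, 0, 0, total, total, 0x1000),        # identity-mapped image
        (PT_DYNAMIC, PF_R | PF_W, DYN_OFF, DYN_OFF, DYN_OFF, n, n, 8),
        (PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16),
    ]
    if relro in ("partial", "full"):
        phdrs.append((PT_GNU_RELRO, PF_R, DYN_OFF, DYN_OFF, DYN_OFF, n, n, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8              # ELF64, little-endian, v1
    image = bytearray(total)
    struct.pack_into(ELF64_HDR, image, 0, ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0,
                     64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    for i, p in enumerate(phdrs):
        struct.pack_into(PHDR, image, 64 + i * 56, *p)
    image[STR_OFF:STR_OFF + len(strtab)] = strtab
    image[DYN_OFF:DYN_OFF + n] = dyn_bytes
    return bytes(image)


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:                      # real binaries, e.g. /usr/bin/*
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, checksec(f.read()))
    else:                                 # the two profiles seen in the thread
        print("ubuntu-like", checksec(build_sample_elf(pie=False, nx=True, relro="partial", canary=True)))
        print("debian-like", checksec(build_sample_elf(pie=False, nx=True, relro="none", canary=False)))
```

Run without arguments it prints the two row shapes that dominate the tables above (Partial RELRO plus canary versus no RELRO and no canary, both NX enabled and No PIE); run with paths it inspects real files. Note that the checks describe how a binary was built and linked, not how it was started, so a PIE reported here still depends on the kernel randomising mappings at exec time.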