I’ve been a long time follower of the OpenBSD project, and their amazing work on detecting and protecting the kernel and applications from stack and heap overflows. Several of the concepts that were developed by the OpenBSD team were made available in Linux, and came by way of the exec-shield project. Of the many useful security features that are part of exec-shield, the two features that can be controlled by a SysAdmin are kernel virtual address space randomizations and the exec-shield operating mode.
Address space randomization are controlled through the kernel.randomize_va_space sysctl tunable, which defaults to 1 on my CentOS systems:
$ sysctl kernel.randomize_va_space
kernel.randomize_va_space = 1
The exec-shield operating mode is controlled through the kernel.exec-shield sysctl value, and can be set to one of the following four modes (the descriptions below came from Steve Grubb’s excellent post on exec-shield operating modes):
– A value of 0 completely disables ExecShield and Address Space Layout Randomization
– A value of 1 enables them ONLY if the application bits for these protections are set to “enable”
– A value of 2 enables them by default, except if the application bits are set to “disable”
– A value of 3 enables them always, whatever the application bits
The default exec-shield value on my CentoOS servers is 1, which enables exec-shield for applications that have been compiled to support it:
$ sysctl kernel.exec-shield
kernel.exec-shield = 1
To view the list of running processes that have exec-shield enabled, you can run Ingo Molnar and Ulrich Drepper’s lsexec utility:
$ lsexec –all |more
init, PID 1, UID root: no PIE, no RELRO, execshield enabled httpd, PID 11689, UID apache: DSO, no RELRO, execshield enabled httpd, PID 11691, UID apache: DSO, no RELRO, execshield enabled httpd, PID 11692, UID apache: DSO, no RELRO, execshield enabled httpd, PID 11693, UID apache: DSO, no RELRO, execshield enabled httpd, PID 12224, UID apache: DSO, no RELRO, execshield enabled httpd, PID 12236, UID apache: DSO, no RELRO, execshield enabled pickup, PID 16181, UID postfix: DSO, partial RELRO, execshield enabled appLoader, PID 2347, UID root: no PIE, no RELRO, execshield enabled auditd, PID 2606, UID root: DSO, partial RELRO, execshield enabled audispd, PID 2608, UID root: DSO, partial RELRO, execshield enabled restorecond, PID 2629, UID root: DSO, partial RELRO, execshield enabled
In this day and age of continuos security threats there is little to no reason that you shouldn’t be using these amazing technologies. When you combine exec-shield, SELinux and proper patching and security best practices you can really limit the attack vectors that can be used to break into your systems.