Atomic Secure Linux
 Post subject: centos + asl + desktop
Posted: Sat Jun 04, 2011 4:54 am
Forum Regular

Joined: Mon Oct 29, 2007 6:51 pm
Posts: 645
Hi,

How can I run asl plus centos with x11? Typically when I run asl it turns off x11 and all those services so I can't run a gui - is there a way I can keep those running on my desktop/test box and still test asl?


 Post subject: Re: centos + asl + desktop
Posted: Sat Jun 04, 2011 9:00 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3661
Location: Chantilly, VA
Quote:
How can I run asl plus centos with x11?


Thank you for the question. Yes, ASL will work with X11, you just need to change a couple of settings to use X11 with the secure kernel.

https://www.atomicorp.com/wiki/index.php/X_with_ASL

Process to configure the secure ASL kernel for X

Note: All these commands must be run as root. To become root, run this command: "su -". The command "su" does not log or change an account into the root user, it just gives that user root privileges, which is not the same as "becoming root" and will cause all sorts of things to not work correctly.

If X is already working for you, skip to step 4.

Step 1: Make sure you have X working first.

If X is not working on your system already, boot into a non-ASL kernel and set up X. This how-to cannot possibly cover every possible issue involved in getting X to work, so please contact your OS vendor if you do not know how to install and configure X.

I'll try to provide what help I can in this step, but this is way beyond an ASL issue to get X working. So please contact your OS vendor if you cannot get X to work with a non-ASL kernel.

First, if you did a minimal install, you are likely missing a lot of components X needs to work, and I mean a LOT, so be prepared for hundreds of packages to be installed. If this sounds like your system, then you will also need to make sure you have all of X installed and working before you try to use X with a secure kernel.

If you didn't do a minimal install, and you don't have X working now, then you are also likely missing a lot of packages. X is a very complex piece of software and you need lots of things to make it work.

So, if you do not have X installed, you will need to install the entire group. And if you aren't sure, run this command too:

yum groupinstall "X Window System" "GNOME Desktop Environment"

or if you prefer KDE as opposed to Gnome:

yum groupinstall "X Window System" "KDE (K Desktop Environment)"

This will install a lot of packages (see the comment on resources that X uses below, you can probably add disk space to that list too) and may take a long time, be patient.

During the install, X may start - don't reboot the system yet! Check to make sure yum is actually finished. To get the system back to the console, hit the keys "Ctrl+Alt+F1". This will take you back to the console where your yum groupinstall should still be running. Keep an eye on the yum process to make sure it finishes. It's likely to be only about 1/2 to 2/3rds through the process at this point.

You may also want to install some other groups like "Graphical Internet" if you want to do other things with X, or just use the graphical installer from inside X to install software.

Again, if you have issues getting X to run, please contact your OS vendor. (It's their software after all.)

Step 2: If you do not have X set up to start on boot (or if you do have it installed but X does not start on boot), check the run level of your system and make sure it's set to 5.

This means you need to change your runlevel in /etc/inittab from 3 to 5:

This line:

id:3:initdefault:

Needs to be changed to:

id:5:initdefault:

Step 3: Make sure that for level 5 you have all the necessary X11 services enabled (check with your OS vendor if you are not sure; in CentOS those are):

haldaemon
messagebus
(you might need "avahi" as well)

Step 4: Either log into the ASL GUI and change SYSTEM_TYPE to "custom" and save, or change it from the command line in /etc/asl/config.

Now reboot the system and make sure X is working for you. If you still cannot get X to work, and you are using a non-ASL kernel, check to make sure you have all the processes running.

Step 5: Allow privileged I/O on the system. Append this to /etc/sysctl.conf

kernel.grsecurity.disable_priv_io = 0

Step 6: Allow kernel module loading. Again, log into the GUI, or from the command line change this in /etc/asl/config

From

ALLOW_kmod_loading="no"

To

ALLOW_kmod_loading="yes"

(You will probably need to allow dynamic runtime module loading for various video drivers which may not load on boot; if yours do, then re-enable kernel module protection by setting this back to "no". It's a pretty big hole, so if you can close it, please do!)

Step 7: And then reboot the system.

reboot into the secure kernel

Now I know you want to do this in a test environment, so please ignore the rest of this post which is targeted at anyone that wants to do this on an internet facing server. In your case, it sounds like you should be just fine. :-)

Reasons not to use X11 on a server

OK, lemme engage soap box mode (*grin*) and explain why I recommend against running X11 on a server. (It's your system, so if you like it or need it, please go ahead, this is just my opinion so take it or leave it.)

Reason 1: You probably don't need it on a server. You can do pretty much anything you can do from X11 from a command line, remotely, and you can even run GUI apps from the server without running X. (I can't think of anything you can't do, I don't run X11 on any of my servers and haven't found anything I couldn't do, but maybe someone can think of something; if so, I'll see if I can tell you how to do it without X!) So why bother having yet one more thing to support or worry about if you don't have to.

Reason 2: X11 uses a lot of resources, memory and CPU. More the former than the latter, but both take a toll on the system. So if you run X on a box, you will have less resources to do other things. For a desktop, this is a no-brainer - you need X11. For a server, if you disable X11 your system will have more memory, and more CPU cycles to do real work. So for a server, this is free memory and CPU cycles!

Reason 3: The big reason not to run X11 on a server is security. To run X11 you have to allow your system to do things that can make it very easy to compromise a server. I'll explain that in a moment, but for a server with untrusted users (that is, anyone you wouldn't give root to), it's VERY insecure to run X or to even allow it to be run.

For a desktop, with one user, and no exposed services (like a web server), you are mostly fine because all your users generally have root (so who cares if they can get root). For any system with outside users (people you don't want to have root) you are taking a huge risk with X. X needs to be able to do all sorts of privileged things just to run. This isn't to pick on X11, all the OS GUIs (Windows, MacOS, etc.) need those same privileges, and for a desktop system that makes sense because you already control the hardware so you can do anything you want to the system, and you should be able to.

Unfortunately, all those privileges can lead to a root compromise. So, for a system with untrusted users (like a web server), running X is going to open the system up to all sorts of attacks, and given that you can do anything (including running GUI applications from the server) without running X, in most cases it's an unnecessary risk.

So, just so I'm clear, as a desktop, running X is fine (I'm doing that right now). Again, because you trust you (and the voices in my head) and you already have root, it's not a real risk. But if you have users on the same system that you don't trust, and it's possible to run X on the system (or worse, it's running), it's also possible to gain root a lot easier than on a system without those holes.

So, this is why ASL closes those holes completely (X won't run with the default settings), and why ASL will also disable the X11 service(s).

OK, soap box mode off. :-)

So, if you want to run X11 on a server, and who am I to stop you, that's how you do it. We recommend against it if you have untrusted users, but we also respect that you can manage your own risk and know what's right for you. :-)


Attachment: Screenshot-centos_5_x64-asl-X11 Virtual Machine.png [ 175.37 KiB ]

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
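The steps in the post above relax three ASL protections (privileged I/O, kernel module loading, and the "custom" system type) to let X run under the secure kernel, and the post advises setting ALLOW_kmod_loading back to "no" once the video driver loads. The script below is an added example, not Atomicorp's code: it reads /etc/inittab, /etc/sysctl.conf and /etc/asl/config under a root prefix, reports each setting, and counts the ones that weaken the hardened kernel, so the box can be checked after the driver is loaded and before it is exposed to other users. The file paths and keys are the ones named in the post; the sample tree it builds is constructed, and the assumption that disable_priv_io defaults to 1 when the key is absent is mine.

```shell
#!/bin/sh
# Added example (not Atomicorp's code): audit the ASL/X11 settings from the post
# and flag the ones that loosen the secure kernel. Every function takes a root
# prefix so the checks can run against constructed sample files; pass "" for
# the live system. Assumptions: file paths and keys as named in the post, and a
# hardened default of disable_priv_io=1 when the sysctl key is absent.

# Runlevel from the initdefault line of /etc/inittab (empty if not found).
asl_runlevel() {
    sed -n 's/^id:\([0-6]\):initdefault:.*/\1/p' "$1/etc/inittab" 2>/dev/null | head -n 1
}

# Value of KEY="value" (or KEY=value) in /etc/asl/config; last assignment wins.
asl_config_value() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" \
        "$1/etc/asl/config" 2>/dev/null | tail -n 1
}

# Effective kernel.grsecurity.disable_priv_io from /etc/sysctl.conf (last match
# wins); the hardened default of 1 is assumed when the key is absent.
asl_priv_io_disabled() {
    v=$(sed -n 's/^[[:space:]]*kernel\.grsecurity\.disable_priv_io[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' \
        "$1/etc/sysctl.conf" 2>/dev/null | tail -n 1)
    printf '%s\n' "${v:-1}"
}

# One line per setting, WEAK markers on the ones that weaken the secure kernel,
# and the count of weakened settings as the final line.
asl_x11_audit() {
    root=${1:-}
    weak=0
    rl=$(asl_runlevel "$root")
    systype=$(asl_config_value "$root" SYSTEM_TYPE)
    kmod=$(asl_config_value "$root" ALLOW_kmod_loading)
    privio=$(asl_priv_io_disabled "$root")

    printf 'runlevel=%s (5 = X starts on boot)\n' "${rl:-unknown}"
    printf 'SYSTEM_TYPE=%s\n' "${systype:-unset}"
    if [ "$privio" = "0" ]; then
        printf 'disable_priv_io=0  WEAK: privileged I/O allowed (needed by X)\n'
        weak=$((weak + 1))
    else
        printf 'disable_priv_io=%s  ok\n' "$privio"
    fi
    if [ "$kmod" = "yes" ]; then
        printf 'ALLOW_kmod_loading=yes  WEAK: set back to "no" once the video driver loads\n'
        weak=$((weak + 1))
    else
        printf 'ALLOW_kmod_loading=%s  ok\n' "${kmod:-no}"
    fi
    printf '%s\n' "$weak"
}

# Count of weakened settings only, for a cron job or a test to check.
asl_weak_count() {
    asl_x11_audit "$1" | tail -n 1
}

# Constructed sample tree mirroring the post's "after" state, for a dry run.
asl_make_sample() {
    mkdir -p "$1/etc/asl"
    printf 'id:5:initdefault:\n' > "$1/etc/inittab"
    printf 'kernel.grsecurity.disable_priv_io = 0\n' > "$1/etc/sysctl.conf"
    printf 'SYSTEM_TYPE="custom"\nALLOW_kmod_loading="yes"\n' > "$1/etc/asl/config"
}

# Dry run against the constructed tree; use `asl_x11_audit ""` on a real box.
sample=$(mktemp -d)
asl_make_sample "$sample"
asl_x11_audit "$sample"
rm -rf "$sample"
```

Run it as root after the video driver has loaded and the box has been rebooted into the secure kernel; a final line of 0 means the two kernel-level holes from Steps 5 and 6 have been closed again, which is the state the post asks for on any machine that is not a single-user test box.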
 Post subject: Re: centos + asl + desktop
Posted: Mon Jul 18, 2011 1:32 pm
Forum Regular

Joined: Mon Oct 29, 2007 6:51 pm
Posts: 645
I have a test machine that I use that's sitting on my desk - it's strictly for testing - I use it to test several different Linux components (asl, plesk, cpanel, nagios, etc) and do some basic development there as well, so I'm trying to see how I can combine everything into one quick and dirty test box for basic development and regression before separating out in production.

Thanks for the steps. Scott had told me to just not use the asl kernel and it would be fine, so that's what I started with - but I think I will give this a shot as well so I can test out the kernel changes too :)

