# hardened kernel allow icmp sockets for non-root user [solved]

## ping-uino

Hi community,

I need your help...

I successfully compiled and booted a hardened kernel and hardened toolchain, and I installed all (or almost all) the software that I need, including nagios.

I read that nagios doesn't live very well with /proc restrictions, and I don't exaggerate in this direction (the kernel .config follows).

I also installed check_icmp for checking hosts, but it gives me this error:

```
nagios@myhost~ $ /usr/nagios/libexec/check_icmp -H localhost
check_icmp: Failed to obtain ICMP socket: Operation not permitted
```

I suid'ed the binary:

```
-rwxr-xr-x 1 root root 33251 Oct 19 11:57 /usr/nagios/libexec/check_icmp
```

and in a non-hardened environment I get it to work.

So I believe something in my hardened profile is too strict for my needs.

```
[ebuild   R   ] sys-kernel/hardened-sources-2.6.16-r11
```

my .config (the most relevant part):

```
#
# Security options
#

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_DEFAULT_PAGEEXEC is not set
CONFIG_PAX_DEFAULT_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
# CONFIG_PAX_KERNEXEC is not set

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_NOVSYSCALL=y

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# Address Space Protection
#
# CONFIG_GRKERNSEC_KMEM is not set
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
# CONFIG_GRKERNSEC_BRUTE is not set
CONFIG_GRKERNSEC_MODSTOP=y
CONFIG_GRKERNSEC_HIDESYM=y

#
# Role Based Access Control Options
#
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=1001
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
# CONFIG_GRKERNSEC_CHROOT is not set

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
# CONFIG_GRKERNSEC_PROC_IPADDR is not set
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
# CONFIG_GRKERNSEC_TPE_INVERT is not set
CONFIG_GRKERNSEC_TPE_GID=1005

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y
# CONFIG_GRKERNSEC_SYSCTL_ON is not set

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
# CONFIG_KEYS is not set
# CONFIG_SECURITY is not set
```

Can someone enlighten me?

Ask me if you need more information about the system.

Thanks!

----------

## ping-uino

It works!

I switched to the latest hardened kernel, 2.6.17, and repeated all the steps, so I don't know where the problem was.

Sorry.

----------

