# PAXtest for the first time

## samota

Hi people

This is my first time with Gentoo-Hardened and after doing a paxtest I get this.

Could somebody explain to me what it means?

Thank you very much.

```
XXX ~ # paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Mode: blackhat
Linux Noveu 2.6.28-hardened-r9 #1 SMP Thu Feb 18 14:41:44 Local time zone must be set--see zic  x86_64 Intel(R) Pentium(R) D CPU 3.40GHz GenuineIntel GNU/Linux

Executable anonymous mapping             : Vulnerable
Executable bss                           : Vulnerable
Executable data                          : Vulnerable
Executable heap                          : Vulnerable
Executable stack                         : Vulnerable
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
Executable stack (mprotect)              : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Writable text segments                   : Killed
Anonymous mapping randomisation test     : 33 bits (guessed)
Heap randomisation test (ET_EXEC)        : 40 bits (guessed)
Heap randomisation test (ET_DYN)         : 40 bits (guessed)
Main executable randomisation (ET_EXEC)  : 32 bits (guessed)
Main executable randomisation (ET_DYN)   : 32 bits (guessed)
Shared library randomisation test        : 33 bits (guessed)
Stack randomisation test (SEGMEXEC)      : No randomisation
Stack randomisation test (PAGEEXEC)      : 40 bits (guessed)
Return to function (strcpy)              : *** buffer overflow detected ***: rettofunc1 - terminated
rettofunc1: buffer overflow attack in function <unknown> - terminated
Report to http://bugs.gentoo.org/
Killed
Return to function (memcpy)              : *** buffer overflow detected ***: rettofunc2 - terminated
rettofunc2: buffer overflow attack in function <unknown> - terminated
Report to http://bugs.gentoo.org/
Killed
Return to function (strcpy, RANDEXEC)    : *** buffer overflow detected ***: rettofunc1x - terminated
rettofunc1x: buffer overflow attack in function <unknown> - terminated
Report to http://bugs.gentoo.org/
Killed
Return to function (memcpy, RANDEXEC)    : *** buffer overflow detected ***: rettofunc2x - terminated
rettofunc2x: buffer overflow attack in function <unknown> - terminated
Report to http://bugs.gentoo.org/
Killed
Executable shared library bss            : Vulnerable
Executable shared library data           : Vulnerable
```

----------

## Sadako

Could you post the output of `grep '_GRKERNSEC_\|_PAX'` on your running kernel .config (or /proc/config.gz if enabled), along with `gcc-config -l`?

----------

## samota

 *Hopeless wrote:*   

> Could you post the output of `grep '_GRKERNSEC_\|_PAX'` on your running kernel .config (or /proc/config.gz if enabled), along with `gcc-config -l`?

 

Thank you for your answer

```
# Security options
#
#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
# CONFIG_GRKERNSEC_HARDENED_SERVER is not set
# CONFIG_GRKERNSEC_HARDENED_WORKSTATION is not set
CONFIG_GRKERNSEC_CUSTOM=y
#
# Address Space Protection
#
# CONFIG_GRKERNSEC_KMEM is not set
# CONFIG_GRKERNSEC_IO is not set
# CONFIG_GRKERNSEC_PROC_MEMMAP is not set
# CONFIG_GRKERNSEC_BRUTE is not set
# CONFIG_GRKERNSEC_MODSTOP is not set
CONFIG_GRKERNSEC_HIDESYM=y
#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=10
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
# CONFIG_GRKERNSEC_TPE_INVERT is not set
CONFIG_GRKERNSEC_TPE_GID=100
#
# Network Protections
#
# CONFIG_GRKERNSEC_RANDNET is not set
# CONFIG_GRKERNSEC_SOCKET is not set
#
# Sysctl support
#
# CONFIG_GRKERNSEC_SYSCTL is not set
#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
#
# PaX
#
CONFIG_PAX=y
#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
# CONFIG_PAX_KERNEXEC is not set
#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
#
# Miscellaneous hardening features
#
# CONFIG_PAX_MEMORY_SANITIZE is not set
# CONFIG_PAX_REFCOUNT is not set
# CONFIG_KEYS is not set
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
# CONFIG_SECURITY_NETWORK is not set
CONFIG_SECURITY_FILE_CAPABILITIES=y
# CONFIG_SECURITY_ROOTPLUG is not set
CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR=65536
CONFIG_CRYPTO=y
```

```
XXX ~ # gcc-config -l
 [1] x86_64-pc-linux-gnu-4.3.4 *
 [2] x86_64-pc-linux-gnu-4.3.4-hardenednopie
 [3] x86_64-pc-linux-gnu-4.3.4-vanilla
```

----------

## cach0rr0

ok, so...a few things

- if this is a server, would highly recommend you select the "Hardened Server" option when configuring your kernel; it does a lot of the hard decision-making for you
- if you want to do a custom grsec/pax setup, you're still missing a ton of stuff (see my .config snippet below)
- you're using stock standard GCC (unless you're running the hardened GCC 4.x from one of the overlays, which I highly doubt). You need this for SSP specifically.

In order to use the hardened GCC stuff, among other things, you should set your profile accordingly - note mine:

```
gentoob0x log # eselect profile list
Available profile symlink targets:
  [1]   default/linux/amd64/10.0
  [2]   default/linux/amd64/10.0/desktop
  [3]   default/linux/amd64/10.0/developer
  [4]   default/linux/amd64/10.0/no-multilib
  [5]   default/linux/amd64/10.0/server
  [6]   hardened/linux/amd64/10.0 *
  [7]   hardened/linux/amd64/10.0/no-multilib
  [8]   selinux/2007.0/amd64
  [9]   selinux/2007.0/amd64/hardened
  [10]  selinux/v2refpolicy/amd64
  [11]  selinux/v2refpolicy/amd64/desktop
  [12]  selinux/v2refpolicy/amd64/developer
  [13]  selinux/v2refpolicy/amd64/hardened
  [14]  selinux/v2refpolicy/amd64/server
```

One would normally, after having built out a hardened-sources kernel, and selecting a hardened profile, rebuild their toolchain (gcc, binutils, libc - see following links), then rebuild world

links - http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml and http://www.gentoo.org/proj/en/hardened/grsecurity.xml

For reference, this is my relevant info

```
# gcc-config -l
 [1] x86_64-pc-linux-gnu-3.4.6 *
 [2] x86_64-pc-linux-gnu-3.4.6-hardenednopie
 [3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp
 [4] x86_64-pc-linux-gnu-3.4.6-hardenednossp
 [5] x86_64-pc-linux-gnu-3.4.6-vanilla
```

```
Mode: blackhat
Linux gentoob0x 2.6.28-hardened-r9 #3 SMP Sun Aug 16 21:05:07 CDT 2009 x86_64 AMD Phenom(tm) 9950 Quad-Core Processor AuthenticAMD GNU/Linux

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable stack (mprotect)              : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments                   : Killed
Anonymous mapping randomisation test     : 33 bits (guessed)
Heap randomisation test (ET_EXEC)        : 40 bits (guessed)
Heap randomisation test (ET_DYN)         : 40 bits (guessed)
Main executable randomisation (ET_EXEC)  : 33 bits (guessed)
Main executable randomisation (ET_DYN)   : 33 bits (guessed)
Shared library randomisation test        : 33 bits (guessed)
Stack randomisation test (SEGMEXEC)      : No randomisation
Stack randomisation test (PAGEEXEC)      : 40 bits (guessed)
Return to function (strcpy)              : Killed
Return to function (memcpy)              : Killed
Return to function (strcpy, RANDEXEC)    : Killed
Return to function (memcpy, RANDEXEC)    : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
```

```
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_HARDENED_SERVER=y
# CONFIG_GRKERNSEC_HARDENED_WORKSTATION is not set
# CONFIG_GRKERNSEC_CUSTOM is not set
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODSTOP=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=10
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_INVERT=y
CONFIG_GRKERNSEC_TPE_GID=10
CONFIG_GRKERNSEC_RANDNET=y
# CONFIG_GRKERNSEC_SOCKET is not set
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_REFCOUNT=y
```
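
An added example, not part of cach0rr0's post or of any Gentoo tooling: a shell helper that lists the grsecurity/PaX options a reference config enables (`=y`) but the config under review leaves unset or omits, which is the comparison the reply above leaves to the reader. The function names, file names and the `demo` excerpts (a subset of lines copied from the two configs in this thread) are illustrative assumptions.

```shell
# Added example (not from the thread): report grsecurity/PaX options that a
# reference kernel config enables but the config under review does not.

# Print "NAME VALUE" per option; "# CONFIG_X is not set" becomes "X n".
normalize() {
    awk '
        /^CONFIG_(GRKERNSEC|PAX)[A-Z0-9_]*=/ {
            eq = index($0, "=")
            print substr($0, 8, eq - 8), substr($0, eq + 1)
        }
        /^# CONFIG_(GRKERNSEC|PAX)[A-Z0-9_]* is not set/ { print substr($2, 8), "n" }
    ' "$1"
}

# missing_hardening REVIEW REFERENCE: names that are =y in REFERENCE but
# disabled or absent in REVIEW, sorted bytewise.
missing_hardening() {
    rev=$(mktemp) && ref=$(mktemp) || return 1
    normalize "$1" > "$rev"; normalize "$2" > "$ref"
    awk 'FILENAME == ARGV[1] { have[$1] = $2; next }
         $2 == "y" && have[$1] != "y" { print $1 }' "$rev" "$ref" | LC_ALL=C sort
    rm -f "$rev" "$ref"
}

# Excerpts (subset of lines) from the two configs posted in this thread.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/review.config" <<'EOF'
# CONFIG_GRKERNSEC_KMEM is not set
# CONFIG_GRKERNSEC_BRUTE is not set
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
# CONFIG_PAX_REFCOUNT is not set
EOF
    cat > "$d/reference.config" <<'EOF'
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y
CONFIG_PAX_REFCOUNT=y
EOF
    missing_hardening "$d/review.config" "$d/reference.config"
    rm -rf "$d"
}
```

Options the reference turns off but the reviewed config turns on (here `PAX_EMUTRAMP`) are not listed, since the helper only reports what the reference enables; numeric settings such as `GRKERNSEC_TPE_GID` are ignored for the same reason.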

----------

## samota

Thank you

I'm gonna change some things and post it here as it goes.

----------

