SECURITY(8)             NetBSD System Manager's Manual             SECURITY(8)

NAME
     security -- NetBSD security features

DESCRIPTION
     NetBSD supports a variety of security features.  Below is a brief
     description of them with some quick usage examples that will help you get
     started.

VERIEXEC
     Veriexec is an in-kernel, real-time, file-system independent file
     integrity subsystem.  It can be used for a variety of purposes, including
     defense against trojanned binaries, indirect attacks via third-party
     remote file-systems, and config file corruption.  It can operate in four
     modes, also referred to as strict levels:

     Learning mode (strict level 0)
           The only level at which the fingerprint tables can be modified,
           this level is used to help fine-tune the signature database.  No
           enforcement is made, and verbose information is provided (finger-
           print matches and mismatches, file removals, incorrect access,
           etc.).

     IDS mode (strict level 1)
           IDS (intrusion detection system) mode provides an adequate level of
           integrity for the files it monitors.  Implications:

           -   Monitored files cannot be removed
           -   If raw disk access is granted to a disk with monitored files on
               it, all monitored files' fingerprints will be invalidated
           -   Access to files with mismatched fingerprints is denied
           -   Write access to monitored files is allowed
           -   Access type is not enforced

     IPS mode (strict level 2)
           IPS (intrusion prevention system) mode provides a high level of
           integrity for the files it monitors.  Implications:

           -   All implications of IDS mode
           -   Write access to monitored files is denied
           -   Access type is enforced
           -   Raw disk access to disk devices with monitored files on them is
               denied
           -   Execution of non-monitored files is denied
           -   Write access to kernel memory via /dev/mem and /dev/kmem is
               denied

     Lockdown mode (strict level 3)
           Lockdown mode provides high assurance integrity for the entire sys-
           tem.  Implications:

           -   All implications of IPS mode
           -   Access to non-monitored files is denied
           -   Write access to files is allowed only if the file was opened
               before the strict level was raised to this mode
           -   Creation of new files is denied
           -   Raw access to system disks is denied

     Veriexec requires a list of monitored files, along with their digital
     fingerprint and (optionally) access modes.  NetBSD provides a tool,
     veriexecgen(8), for this purpose.  Example usage:

           # veriexecgen

     Veriexec requires a pseudo-device to run:

           pseudo-device veriexec 1

     Additionally, one or more options for digital fingerprint algorithm sup-
     port:

           options VERIFIED_EXEC_FP_SHA256
           options VERIFIED_EXEC_FP_SHA512

     See your kernel's config file for an example.

     On amd64, i386, prep, and sparc64 GENERIC kernels, Veriexec is enabled by
     default.

     Veriexec also requires enabling in rc.conf(5):

           veriexec=YES
           veriexec_strict=1 # IDS mode
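     The following is an added example, not code from this manual page or from
     veriexecgen(8)/veriexecctl(8): a small userland script that builds a
     fingerprint list in the assumed "path algorithm fingerprint [flags]" line
     layout (DIRECT assumed as the flag keyword, SHA256 as the only algorithm)
     and then re-checks the files against it, reporting mismatches and
     missing files the way a learning-mode run would.  The sha256sum/cksum
     fallback and the sample files are constructions for this example.

```shell
#!/bin/sh
# Added example, not code from the NetBSD man page or from veriexecgen(8):
# build a Veriexec-style fingerprint list for a directory in userland, then
# re-check the files against it the way a learning-mode (strict level 0)
# report would.  Assumed line layout: "path algorithm fingerprint [flags]",
# with DIRECT as the flag keyword; only SHA256 is produced here.

# Hex SHA256 digest of one file.  sha256sum is the GNU tool; the cksum
# fallback for NetBSD assumes its -n output is "digest file".
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum -a sha256 -n "$1" | cut -d' ' -f1
    fi
}

# Emit one fingerprint line per regular file below $1, all flagged DIRECT
# (may be executed directly); a real list would vary the flags per file.
gen_fingerprints() {
    find "$1" -type f | sort | while read -r f; do
        printf '%s SHA256 %s DIRECT\n' "$f" "$(sha256_of "$f")"
    done
}

# Re-hash every file listed in fingerprint file $1.  Prints one line per
# problem (MISSING, UNSUPPORTED algorithm, MISMATCH) and returns 1 if any
# file failed, 0 if every fingerprint still matches.
check_fingerprints() {
    rc=0
    while read -r path algo fp flags; do
        case "$path" in ''|\#*) continue ;; esac
        if [ ! -f "$path" ]; then
            echo "MISSING     $path"; rc=1; continue
        fi
        if [ "$algo" != "SHA256" ]; then
            echo "UNSUPPORTED $path ($algo)"; rc=1; continue
        fi
        if [ "$(sha256_of "$path")" != "$fp" ]; then
            echo "MISMATCH    $path"; rc=1
        fi
    done < "$1"
    return $rc
}

# Constructed demonstration: two files, a generated list, then tampering.
veriexec_demo() {
    dir=$(mktemp -d); list=$(mktemp)
    printf 'echo hello\n' > "$dir/hello.sh"
    printf 'port=22\n' > "$dir/app.conf"
    gen_fingerprints "$dir" > "$list"
    cat "$list"
    check_fingerprints "$list" && echo "all fingerprints match"
    printf 'port=2222\n' > "$dir/app.conf"    # simulate a modified config
    check_fingerprints "$list" || echo "integrity violation detected"
    rm -rf "$dir" "$list"
}

veriexec_demo
```

     The check runs entirely in userland, so unlike the kernel subsystem it
     only reports after the fact; it is useful for reviewing a generated list
     before raising veriexec_strict, not as a substitute for it.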

EXPLOIT MITIGATION
     NetBSD incorporates some exploit mitigation features, mainly from the PaX
     project.

   PaX MPROTECT
     PaX MPROTECT is a set of memory protection restrictions, meant to
     complement non-executable mappings.  Its purpose is to prevent situations
     where malicious code attempts to mark writable memory regions as
     executable, often by trashing arguments to an mprotect(2) call.

     While it can be enabled globally, NetBSD provides a tool, paxctl(1), to
     enable PaX MPROTECT on a per-program basis.

     Example usage:

           # paxctl +M /usr/sbin/sshd

     Enabling PaX MPROTECT globally:

           # sysctl -w security.pax.mprotect.global=1

   PaX Segvguard
     PaX Segvguard monitors the number of segfaults in a program per-user, in
     an attempt to detect on-going exploitation attempts and possibly prevent
     them.  One common attack PaX Segvguard can help mitigate is when an
     attacker tries to brute-force a function return address, when wanting to
     perform a return-to-lib attack.

     PaX Segvguard makes use of kernel memory, so use it wisely.  While it
     provides rate-limiting protections, it works on a per-program basis for
     keeping its records, meaning that irresponsible use may result in keeping
     track of all segfaults in the system, easily wasting all kernel memory.

     For this reason, it is highly recommended to have PaX Segvguard enabled
     explicitly only for network services etc.  Enabling PaX Segvguard explic-
     itly works like this:

           # paxctl +G /usr/sbin/sshd

     However, a global knob is still provided, for use in strict environments
     with no local users (some network appliances, embedded devices, fire-
     walls, etc.):

           # sysctl -w security.pax.segvguard.global=1

     PaX Segvguard can be configured to work in your preferred way.  For exam-
     ple, watching for 5 segfaults from the same user in a time-frame of 60
     seconds:

           # sysctl -w security.pax.segvguard.max_crashes=5
           # sysctl -w security.pax.segvguard.expiry_timeout=60

     The number of seconds a user will be suspended from running the culprit
     program is also configurable.  For example, 10 minutes seems like a sane
     setting:

           # sysctl -w security.pax.segvguard.suspend_timeout=600

     Explicitly disabling PaX Segvguard can be done like this:

           # paxctl +g /bin/ls
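     The following is an added example, not code from this manual page or from
     the PaX implementation: a userland simulation of the Segvguard policy
     described above, driven by constructed crash records of the form
     "seconds user program".  It shows how the three knobs interact with the
     values used above (5 crashes inside 60 seconds, 600 seconds of
     suspension); the record format and output wording are constructions for
     this example.

```shell
#!/bin/sh
# Added example, not code from the NetBSD man page or from the PaX code:
# a userland simulation of the Segvguard policy.  Crashes are counted per
# user and program inside a window of $2 seconds; once $1 of them are seen
# the pair is suspended for $3 seconds, mirroring max_crashes,
# expiry_timeout and suspend_timeout.  Input lines: "seconds user program".

segvguard_sim() {
    awk -v max="$1" -v expiry="$2" -v suspend="$3" '
    {
        t = $1; key = $2 ":" $3
        # a suspended user cannot run the program until the timer runs out
        if ((key in until) && t < until[key]) { print t, key, "REFUSED"; next }
        # expire crash timestamps that fell out of the window, then add this one
        n = 0
        for (i = 1; i <= cnt[key]; i++)
            if (ts[key, i] > t - expiry) { n++; ts[key, n] = ts[key, i] }
        cnt[key] = n + 1
        ts[key, cnt[key]] = t
        if (cnt[key] >= max) {
            until[key] = t + suspend
            cnt[key] = 0
            print t, key, "SUSPENDED until", until[key]
        } else {
            print t, key, "crash", cnt[key] "/" max
        }
    }'
}

# Constructed crash records: alice crashes sshd five times in 40 seconds,
# bob crashes it once every 90 seconds (never five inside 60 seconds).
crash_log() {
    cat <<'EOF'
0 alice /usr/sbin/sshd
0 bob /usr/sbin/sshd
10 alice /usr/sbin/sshd
20 alice /usr/sbin/sshd
30 alice /usr/sbin/sshd
40 alice /usr/sbin/sshd
90 bob /usr/sbin/sshd
100 alice /usr/sbin/sshd
180 bob /usr/sbin/sshd
700 alice /usr/sbin/sshd
EOF
}

# Same numbers as the sysctl settings above: 5 crashes, 60 s window, 600 s.
crash_log | segvguard_sim 5 60 600
```

     The per-(user, program) table the script keeps is the same kind of
     state the kernel must hold for every guarded program, which is why the
     text above advises enabling Segvguard per program rather than globally.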

   GCC Stack Smashing Protection (SSP)
     Since NetBSD 4.0, gcc(1) includes SSP, a set of compiler extensions to
     raise the bar on exploitation attempts via corruption of variables to
     affect program control flow or buffer overruns.

     You are encouraged to use SSP for software you build, by providing one of
     the -fstack-protector or -fstack-protector-all flags to gcc(1).

     The system (userland, kernel) can be built with SSP by using the
     ``USE_SSP'' flag in /etc/mk.conf:

           USE_SSP=yes

INFORMATION FILTERING
     NetBSD provides administrators with the ability to restrict information
     passed from the kernel to userland so that users can only view informa-
     tion they ``own''.

     The hooks that manage that are located in various parts of the system and
     effectively affect programs like ps(1), fstat(1), and netstat(1).  To
     enable:

           # sysctl -w security.curtain=1

SEE ALSO
     paxctl(1), sysctl(3), options(4), sysctl(8), veriexecctl(8),
     veriexecgen(8)

AUTHORS
     Elad Efrat <elad@NetBSD.org>

NetBSD 4.0                     November 23, 2006                    NetBSD 4.0