
This script was used on Debian Wheezy 7.2!

Shortnote

PaX flags can be set per binary to restrict what that binary may do and so harden the system as a whole. The problem is that the flags live in the ELF program header (PT_PAX_FLAGS) of the binary itself, so every package upgrade that replaces the binary silently drops them; they have to be reapplied after each upgrade, which makes setting them and keeping track of the affected binaries tedious. A solution is a program, run daily via cron, that reapplies the flags to the binaries according to a known set of working flags (a template).

Setting Up

The configuration file is a JSON template listing, for each set of flags, the daemons and the binaries they belong to. It can be found in the pax linux database and is additionally provided here for convenience:

paxflags.conf (1.2 KiB, last modified 2014/12/19 22:41)

It has to be placed in the /etc/ directory as /etc/paxflags.conf. After that, the script below can be placed in /etc/cron.daily/ and made executable so that the PaX flags are reapplied once a day. Keep the file name setpaxflags without an extension: run-parts, which cron uses to run that directory, only runs files whose names consist of letters, digits, underscores and hyphens. The script calls service and paxctl, so it needs root; the daily cron jobs already run as root.

Code

The code uses File::Slurp to read in the configuration file from /etc/paxflags.conf and then uses JSON::XS to walk through it. Both Perl modules have to be installed for this script to work (on Debian the packages are libfile-slurp-perl and libjson-xs-perl). Unlike strict JSON, JSON::XS in relaxed mode accepts shell-style hash (#) comments and trailing commas, so lines in the configuration file can simply be commented out.
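The following is an added example, not the page's cron script: it decodes a relaxed-JSON template with the same JSON::XS settings and works out, without touching the system, which paxctl calls the cron script would make. The sample configuration, the sample paxctl output (assumed to look like "- PaX flags: <12 flag characters> [<file>]") and the function names (load_config, current_flags, flags_present, plan_changes) are assumptions made for this illustration.

```perl
#!/usr/bin/perl
# Added example, not the page's cron script: decode a relaxed-JSON
# template and work out, without touching the system, which paxctl calls
# the cron script would make. The sample configuration, the sample paxctl
# output and the function names are assumptions made for this illustration.
use strict;
use warnings;
use JSON::XS;

# Constructed paxflags.conf in the layout the cron script walks:
#   { "<paxctl flag letters>": { "<init.d service>": [ "<binary>", ... ] } }
# The '#' comments and the trailing commas are only legal because the
# decoder is created with ->relaxed.
my $sample_conf = <<'EOF';
{
    # disable MPROTECT for daemons that need writable and executable maps
    "m": {
        "mysql": [ "/usr/sbin/mysqld", ],
        "nginx": [ "/usr/sbin/nginx" ],
        # "apache2": [ "/usr/sbin/apache2" ],
    },
    # disable MPROTECT and RANDMMAP
    "mr": {
        "cron": [ "/usr/sbin/cron" ],
    },
}
EOF

# Constructed stand-in for what `paxctl -v <file>` prints, keyed by path.
# The format assumed here is "- PaX flags: <12 chars> [<file>]"; an empty
# string stands for a binary without a PT_PAX_FLAGS header, for which
# paxctl prints nothing. Note that "/usr/sbin/cron" contains the letter
# 'r': matching the flag letter against the whole line would wrongly
# report RANDMMAP as already disabled.
my %sample_paxctl = (
    '/usr/sbin/mysqld' => "- PaX flags: -----m-x-e-- [/usr/sbin/mysqld]\n",
    '/usr/sbin/nginx'  => "",
    '/usr/sbin/cron'   => "- PaX flags: -----m------ [/usr/sbin/cron]\n",
);

sub load_config {
    my ($text) = @_;
    my $coder = JSON::XS->new->ascii->allow_nonref->relaxed;
    return $coder->decode($text);
}

# Return the 12-character flag field, or '' when paxctl printed none
# (no PT_PAX_FLAGS header yet, so every requested flag counts as missing).
sub current_flags {
    my ($output) = @_;
    return '' unless defined $output;
    my ($field) = $output =~ /([PEMRXSpemrxs-]{12})/;
    return defined $field ? $field : '';
}

# True when every letter of $wanted already appears in the flag field.
sub flags_present {
    my ($wanted, $field) = @_;
    for my $letter (split //, $wanted) {
        next if $letter eq '-';
        return 0 if index($field, $letter) < 0;
    }
    return 1;
}

# Walk the template and return the paxctl command lines that would run,
# one per binary whose current flags do not cover the template.
sub plan_changes {
    my ($cfg, $lookup) = @_;
    my @plan;
    for my $pax (sort keys %$cfg) {
        for my $daemon (sort keys %{ $cfg->{$pax} }) {
            for my $file (@{ $cfg->{$pax}{$daemon} }) {
                my $field = current_flags($lookup->{$file});
                next if flags_present($pax, $field);
                push @plan, "$daemon: paxctl -q -c$pax $file";
            }
        }
    }
    return @plan;
}

my $cfg = load_config($sample_conf);
print "$_\n" for plan_changes($cfg, \%sample_paxctl);
```

With the constructed data, mysqld already has MPROTECT disabled and is left alone, nginx has no PT_PAX_FLAGS header and gets the full -cm conversion, and cron is missing the r flag and gets -cmr, even though its path contains an 'r'. The cron script's own comparison should likewise look only at the captured 12-character field rather than at the whole paxctl output.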

setpaxflags
#!/usr/bin/perl
###########################################################################
##  Copyright (C) Wizardry and Steamworks 2013 - License: GNU GPLv3      ##
##  Please see: http://www.gnu.org/licenses/gpl.html for legal details,  ##
##  rights of fair usage, the disclaimer and warranty conditions.        ##
###########################################################################
 
use strict;
use warnings;
use JSON::XS;
use File::Slurp;
 
# Layout of /etc/paxflags.conf:
#   { "<paxctl flag letters>": { "<init.d service>": [ "<binary>", ... ] } }
# ->relaxed lets JSON::XS accept '#' comments and trailing commas.
my $coder = JSON::XS->new->ascii->pretty->allow_nonref->relaxed;
my $json = read_file('/etc/paxflags.conf');
my $cfg = $coder->decode($json);
foreach my $pax (keys %$cfg) {
   foreach my $daemon (keys %{$cfg->{$pax}}) {
      # An optional command-line argument limits the run to one service.
      next if defined $ARGV[0] and $ARGV[0] ne $daemon;
      # Skip services that are not installed on this machine.
      my $status = `service $daemon status 2>&1`;
      next if $status =~ /unrecognized/i;
      my $stopped = 0;
      foreach my $file (@{$cfg->{$pax}->{$daemon}}) {
         next unless -f $file;
         my $output = `paxctl -vqQ $file 2>/dev/null`;
         # Compare only the 12-character flag field; the rest of the
         # output holds the file name, which may itself contain flag
         # letters. No field at all means the binary has no PT_PAX_FLAGS
         # header yet, so every requested flag is missing.
         my ($flags) = $output =~ /([PEMRXSpemrxs\-]{12})/;
         $flags = '' unless defined $flags;
         foreach (split(//, $pax)) {
            next if $_ eq "-";
            if (index($flags, $_) < 0) {
               # Stop the service once before rewriting its binary;
               # -c converts PT_GNU_STACK into PT_PAX_FLAGS if needed.
               unless ($stopped) {
                  system('service', $daemon, 'stop');
                  $stopped = 1;
               }
               system('paxctl', '-q', "-c$pax", $file);
               last;
            }
         }
      }
      # Only restart what was stopped above.
      system('service', $daemon, 'start') if $stopped;
   }
}

linux/hardening/set_pax_flags.txt · Last modified: 2022/04/19 08:28 by 127.0.0.1
