Created attachment 319748
grsec kernel configuration

I haven't set up a hardened install for roughly a year, but here's what happens when I make a new one using the same steps I normally use:

1) Boot x64 minimal live cd
2) Grab latest (aka current folder) hardened stage3
3) Profile set to hardened (non-selinux)
4) Grsec enabled in kernel (High w/ process hiding)
5) Finish install and reboot

test linux # ps -l
Warning: /usr/src/linux/System.map has an incorrect kernel version.
F S   UID   PID  PPID  C PRI  NI ADDR SZ WCHAN  TTY          TIME CMD
4 S     0  1921  1918  0  80   0 -  3948 -      pts/1    00:00:00 bash
0 R     0 20080  1921  0  80   0 -  3729 -      pts/1    00:00:00 ps

Regular users can also see all processes when they shouldn't.

Linux soulreaper 3.4.2-hardened-r1 #1 SMP Mon Jul 30 12:00:17 CDT 2012 x86_64 Intel(R) Xeon(R) CPU E5620 @ 2.40GHz GenuineIntel GNU/Linux

Troubleshooting steps that have failed:

1) Rebuild package containing ps command
2) Test install of an x86 Gentoo hardened w/ same settings
3) Copied system.map to /boot
4) Built multiple old version 3 kernels with same or similar settings
5) Tried older stage3 build stage3-amd64-hardened-20120517

Disabling grsec itself but keeping all of my existing kernel settings intact seems to stop the issue, but obviously users can still see all processes.

Next troubleshooting steps:

Downloaded kernel from kernel.org, applied grsec patch:

test home # ps -l
Warning: /usr/src/linux/System.map has an incorrect kernel version.
F S   UID   PID  PPID  C PRI  NI ADDR SZ WCHAN  TTY          TIME CMD
4 S     0  1766  1762  0  80   0 - 11900 -      pts/0    00:00:00 su
0 S     0  1767  1766  0  80   0 -  8275 -      pts/0    00:00:00 bash
4 R     0  1771  1767  0  80   0 -  1883 -      pts/0    00:00:00 ps
test home # uname -a
Linux test 3.4.6-grsec #1 SMP Sun Jul 29 17:23:48 CDT 2012 i686 Intel(R) Xeon(R) CPU E5620 @ 2.40GHz GenuineIntel GNU/Linux
test home # exit
user@test ~ $ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
user      1761  0.0  0.0  41284  1492 ?        S    17:31   0:00 sshd: user@pts/0
user      1762  0.0  0.0  48100  1848 pts/0    Ss   17:31   0:00 -bash
user      1773  0.0  0.0  37544   996 pts/0    R+   17:33   0:00 ps aux

User is forbidden from seeing others' processes, as intended. Warning still appears in 'ps -l'.
I have been able to confirm the issue on more hardware and this doesn't seem to be an issue with certain hardware.

1) VMware ESXi 4.1 VM (x86/64 tested)
2) Zotac ZBOX-ID41-U Intel Atom D525 (x64 tested)