The last time I wrote about basic “Linux Server Hardening Security” tips. In this post I will write about the /proc/sys/kernel/cap-bound file which act as a powerful Linux hardening tool. This file holds the value of the kernel capability bounding set (expressed as a signed decimal number). This set is ANDed against the capabilities permitted to a process during exec. You can make changes to this file (bit value of cap-bound) and you can restrict many capabilities of process and put restrictions on root related process too. Using capability you can enable or disable Linux kernel modules loading, firewall, routing, raw sockets, locking of memory segments, restrictions on changing file ownership, restrictions on read and search of files and directories, sending signals to processes owned by others, modification of immutable and append-only file attributes, use of chroot(), rebooting the system, conman sys admin tasks such as mount, quotas, swapping and much more.
How Do I See Default or Current Capability Values?
Type the following command:
$ cat /proc/sys/kernel/cap-bound
How Do I Set New Capability Values?
Use the echo command as follows:
echo 0xHexValue > /proc/sys/kernel/cap-bound
The bounding set is expressed as a bitmask so you can use hexnumber or use bash shell left bit bitwise shifts ARITHMETIC EVALUATION operators. A word of warning – be very careful when making changes to the bounding set. You may end up locking the system due to wrong values.
Example: Stop Loading Modules (Drivers) After System Has Booted
The CAP_SYS_MODULE allows to insert and remove kernel modules without limit. The capability number is 16 for CAP_SYS_MODULE. So you can use bash shell left bit bitwise shifts as follows to disable loading of drivers as follows (you must be root user):
echo 0xFFFEFFFF > /proc/sys/kernel/cap-bound
Now try to load or unload modules:
# modprobe ide_cd
FATAL: Error inserting ide_cd (/lib/modules/2.6.18-194.3.1.el5/kernel/drivers/ide/ide-cd.ko): Operation not permitted
OR try to remove module:
# modprobe -r cdrom
FATAL: Error removing cdrom (/lib/modules/2.6.18-194.3.1.el5/kernel/drivers/cdrom/cdrom.ko): Operation not permitted
How Do I Make Changes To Capability Permanently?
To make changes to /proc filesystem permanently, add them to /etc/sysctl.conf file:
# vi /etc/sysctl.conf
Append the following line:
# Do not load or remove any kernel drivers # Clear bit # 16 echo 0xFFFEFFFF > /proc/sys/kernel/cap-bound
Save and close the file. Load changes:
# sysctl -p
How Do I Find Out List Of All Supported Capabilities?
To get an overview of Linux capabilities and its numbers see /usr/src/linux/include/linux/capability.h file, enter:
$ vi /usr/src/linux/include/linux/capability.h
OR use the grep command to find out numbers quickly:
grep '#define CAP' /usr/src/linux/include/linux/capability.h
#define CAP_CHOWN 0 #define CAP_DAC_OVERRIDE 1 #define CAP_DAC_READ_SEARCH 2 #define CAP_FOWNER 3 #define CAP_FSETID 4 #define CAP_KILL 5 #define CAP_SETGID 6 #define CAP_SETUID 7 #define CAP_SETPCAP 8 #define CAP_LINUX_IMMUTABLE 9 #define CAP_NET_BIND_SERVICE 10 #define CAP_NET_BROADCAST 11 #define CAP_NET_ADMIN 12 #define CAP_NET_RAW 13 #define CAP_IPC_LOCK 14 #define CAP_IPC_OWNER 15 #define CAP_SYS_MODULE 16 #define CAP_SYS_RAWIO 17 #define CAP_SYS_CHROOT 18 #define CAP_SYS_PTRACE 19 #define CAP_SYS_PACCT 20 #define CAP_SYS_ADMIN 21 #define CAP_SYS_BOOT 22 #define CAP_SYS_NICE 23 #define CAP_SYS_RESOURCE 24 #define CAP_SYS_TIME 25 #define CAP_SYS_TTY_CONFIG 26 #define CAP_MKNOD 27 #define CAP_LEASE 28 #define CAP_AUDIT_WRITE 29 #define CAP_AUDIT_CONTROL 30 #define CAP_SETFCAP 31 #define CAP_MAC_OVERRIDE 32 #define CAP_MAC_ADMIN 33 #define CAP_LAST_CAP CAP_MAC_ADMIN #define CAP_TO_INDEX(x) ((x) >> 5) /* 1 << 5 == bits in __u32 */ #define CAP_TO_MASK(x) (1 << ((x) & 31)) /* mask for indexed __u32 */ #define CAP_FOR_EACH_U32(__capi) \ #define CAP_INIT_INH_SET CAP_EMPTY_SET #define CAP_BOP_ALL(c, a, b, OP) \ #define CAP_UOP_ALL(c, a, OP) \
The capabilities man page also offers good overview of Linux capabilities:
$ man 7 capabilities