Grsecurity/Pax installation on Debian GNU/Linux


Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby n_hologram » 2018-01-13 14:28

@timbgo: How is grsecurity holding up against spectre/meltdown?
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing

the crunkbong project: scripts, operating system, the list goes on...
n_hologram
 
Posts: 433
Joined: 2013-06-16 00:10

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2018-01-13 15:24

n_hologram wrote:@timbgo: How is grsecurity holding up against spectre/meltdown?

Hard work to do, that's how... They need the code that spender and PaX Team left (the last publicly available grsecurity), and they're using it (always you will find they cite them as their source, e.g. in the patches if you subscribe to KSPP)...
But, as...
minipli wrote:Expect it to be weeks/months/never. It's a pretty invasive change conflicting with a lot of PaX. :(

(pls. see that issue for details)
Things are probably happening, but slowly...
timbgo
 
Posts: 256
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2018-02-04 06:53

Retpoline-patched grsecunoff (AMD, but no meltdown protection yet for Intel) available under the "current" link, or:
https://www.croatiafidelis.hr/gnu/deb/l ... 180203-22/
timbgo
 
Posts: 256
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2018-02-06 04:41

It might be worth trying (and reporting if you can install and load amd64-microcode with):
https://www.croatiafidelis.hr/gnu/deb/l ... 180204-21/
Pls. read there, and the links, for the details.
timbgo
 
Posts: 256
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2018-06-01 10:59

The:
https://www.croatiafidelis.hr/gnu/deb/l ... c-current/
now points to:
https://www.croatiafidelis.hr/gnu/deb/l ... 180601-06/
That is the kernel package for Debian/Devuan that _may_ be worth trying out, bearing in mind the caveats of Dapper Linux patchset:
https://dapperlinux.com/
I.e. no meltdown protection, no spectre protection, currently no retpoline.

However, all the other usual protections that grsec offered are there. And the kernel is up to date.

I am testing that kernel right now, it appears to be fine.

If you want to use it, pls. see previous posts, there is a lot of info on how to download it, how to verify it, etc.

Regards!
timbgo
 
Posts: 256
Joined: 2013-04-14 12:17
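
The post above lists what that kernel lacks (Meltdown, Spectre, retpoline). One way to check what the kernel you actually booted reports, as an added example that is not from the thread or from any of the projects it mentions: it reads the sysfs directory `/sys/devices/system/cpu/vulnerabilities`, and a kernel that predates this interface has no such directory, which the script reports as `unknown`. The function names and the `VULN_DIR` variable are chosen here for illustration.

```shell
#!/bin/sh
# Added example: report the Meltdown/Spectre status the running kernel exposes.
# VULN_DIR is an assumption of this example so the check can be pointed at a
# copy of the directory; by default it reads the live sysfs tree.
VULN_DIR=${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}

# mitigation_status DIR NAME
# Prints one of: mitigated, not-affected, vulnerable, unknown.
mitigation_status() {
    file="$1/$2"
    if [ ! -r "$file" ]; then
        echo unknown            # interface absent: nothing can be concluded
        return 0
    fi
    line=
    IFS= read -r line < "$file" || true   # tolerate a missing final newline
    case $line in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# has_retpoline DIR
# Succeeds only if the spectre_v2 entry mentions a retpoline mitigation.
has_retpoline() {
    grep -qi retpoline "$1/spectre_v2" 2>/dev/null
}

# kernel_report DIR
# Prints one line per issue; returns 1 if any is vulnerable or unknown.
kernel_report() {
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        status=$(mitigation_status "$1" "$name")
        printf '%-12s %s\n' "$name" "$status"
        case $status in vulnerable|unknown) rc=1 ;; esac
    done
    return $rc
}

kernel_report "$VULN_DIR" || echo "at least one issue is unmitigated or unreported"
has_retpoline "$VULN_DIR" && echo "retpoline: yes" || echo "retpoline: no"
```

Run it after booting the new kernel rather than after installing the package, since the files describe the running kernel only.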

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2018-06-01 12:40

The offered packages in the previous post (no issues have I had so far) are for any system hardware (well: x86_64 arch only).

The best way is surely to compile. Nothing wrong with the other option. It's only that tailoring the compiled kernel for only your hardware reduces the huge attack surface.

While Dapper Secure Kernel Patchset (
https://github.com/dapperlinux/dapper-s ... e/releases
) is still grsecurity, my script for newbies has changed to help new GNU-Debianers/Devuaners who want to look into kernel compiling.

So pls. look up:

https://github.com/miroR/grsec-dapper-compile/

I'm not sure, you might need to get dapper-linux PGP key from:

https://dapperlinux.com/contact.html
https://dapperlinux.com/matthew_gpg_public_key.asc

Regards!
timbgo
 
Posts: 256
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2018-06-16 17:52

https://www.croatiafidelis.hr/gnu/deb/l ... 180615-20/
is now pointed to by:
https://www.croatiafidelis.hr/gnu/deb/l ... c-current/

Some new talk (some new indications) is at:
not an issue, but lack of issues #5
https://github.com/dapperlinux/dapper-s ... e/issues/5

as well as at:
PAX: RAP hash violation for return address: __ext4_get_inode_loc+0x258/0xab0 #17
https://github.com/minipli/linux-unoffi ... /issues/17

With vanilla kernel, a lot is lost, even though the Spectre and Meltdown are dealt with... In effect, there is no safety with Linux, after spender and PaX Team have gone... I believe it would be easier to deep-inspect figure out my browsing online, and protect my system against threats in real time, than to get vanilla kernel to be safe, or add Spectre and Meltdown mitigations into any of the available forks remaining for the public of grsecurity...

A very hard choice to make... I myself, I still opt for dappersec fork of grsecurity, rather than the now, in essence, Google in charge of security of Mr. Linux's GNU/Linux.
timbgo
 
Posts: 256
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby debiman » 2018-06-17 07:06

timbgo wrote:https://www.croatiafidelis.hr/

people should have a good look at that website before deciding to download anything from it.
debiman
 
Posts: 2499
Joined: 2013-03-12 07:18

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby Head_on_a_Stick » 2018-06-17 09:02

debiman wrote:people should have a good look at that website

Yes, the OP does seem quite delusional in respect of homosexuality and intergender conditions but the grsec patchset does offer some value.

I can't get the graphical desktop to work properly with the official Debian grsec-patched kernels, I think they're intended for servers.
Charlie don't hack
Head_on_a_Stick
 
Posts: 7633
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2018-06-17 13:49

Head_on_a_Stick wrote:
debiman wrote:people should have a good look at that website

Yes, the OP does seem quite delusional in respect of homosexuality and intergender conditions but the grsec patchset does offer some value.

I don't talk politics, and the fact that the place where I can offer my kernels from is at my NGO's website, I don't think that should matter.

Regarding this grsec topic, I'd really kindly suggest that we don't talk politics.

I can't get the graphical desktop to work properly with the official Debian grsec-patched kernels, I think they're intended for servers.

Any reports on the usefulness of my kernels, or of my newbie-oriented script ( with the latest stable kernels / with the currently available free patches: https://github.com/miroR/grsec-dapper-compile ) are welcome. I'd like to kind of still grow technically and do much more in FOSS.

Kind regards!
timbgo
 
Posts: 256
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby Head_on_a_Stick » 2018-06-17 14:08

timbgo wrote:I don't talk politics, and the fact that the place where I can offer my kernels from is at my NGO's website, I don't think that should matter.

Regarding this grsec topic, I'd really kindly suggest that we don't talk politics.

Yes, I agree, I probably shouldn't have posted that, sorry.

timbgo wrote:
I can't get the graphical desktop to work properly with the official Debian grsec-patched kernels, I think they're intended for servers.

Any reports on the usefulness of my kernels, or of my newbie-oriented script ( with the latest stable kernels / with the currently available free patches: https://github.com/miroR/grsec-dapper-compile ) are welcome.

My experience was with linux-image-grsec-amd64 rather than your kernels.

I've given up on Linux for important stuff, I now use OpenBSD's kernel instead.
Charlie don't hack
Head_on_a_Stick
 
Posts: 7633
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2018-06-17 15:03

Head_on_a_Stick wrote:
timbgo wrote:I don't talk politics, and the fact that the place where I can offer my kernels from is at my NGO's website, I don't think that should matter.

Regarding this grsec topic, I'd really kindly suggest that we don't talk politics.

Yes, I agree, I probably shouldn't have posted that, sorry.

Oh, you've talked some tolerance and I thank you for that (and I'm late to update my previous comment with a "thanks" for that, which I wanted to do, but you replied more quickly).

timbgo wrote:
I can't get the graphical desktop to work properly with the official Debian grsec-patched kernels, I think they're intended for servers.

Any reports on the usefulness of my kernels, or of my newbie-oriented script ( with the latest stable kernels / with the currently available free patches: https://github.com/miroR/grsec-dapper-compile ) are welcome.

My experience was with linux-image-grsec-amd64 rather than your kernels.

But that's so old... Also, there was a newer one. Actually is: https://packages.debian.org/stretch-bac ... rsec-amd64 but that's still old, I offer way closer to the latest stable.

I've given up on Linux for important stuff, I now use OpenBSD's kernel instead.

I'm occasionally thinking about going that path too... But a few capable developers do appear to still be working on the few forks, and the dappersec works on my problematic system still without any bugs (two days this latest kernel --the one that I offer for download, the any-system kernel), so I can use that system, so far, reliably (wasn't the case with grsec-unoff, the minipli's one; long story, explained in the bugs linked previously)...

Thanks!
timbgo
 
Posts: 256
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2018-07-11 11:36

New stable packages:
https://www.croatiafidelis.hr/gnu/deb/l ... 180710-21/
( https://www.croatiafidelis.hr/gnu/deb/l ... c-current/ )
Any difficulty installing, pls. review previous long posts... (I'm probably too short on time currently)
timbgo
 
Posts: 256
Joined: 2013-04-14 12:17
