Grsecurity/Pax installation on Debian GNU/Linux


Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby Head_on_a_Stick » 2016-08-03 19:25

pcalvert wrote: How is it that they have the stable version of Grsecurity

Ah, perhaps I was being a fanboi with that statement...

At the moment, the current stable grsec release is 4.4.16 but my Alpine system has:
Code:
empty@alpine ~ % uname -a
Linux alpine 4.4.15-1-grsec #2-Alpine SMP Mon Jul 18 11:27:31 GMT 2016 x86_64 GNU/Linux

IIRC from the last upgrade, the 4.4.16 will be added a few days after grsec moves on to 4.4.17, so it is always one version down (if you see what I mean).
"Are you quite sure that all those bells and whistles, all those wonderful facilities of your so called powerful programming languages, belong to the solution set rather than the problem set?" — Edsger W. Dijkstra
Head_on_a_Stick
 
Posts: 6577
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2017-09-18 12:39

I'd be interested to know if my method, which can be read about, and for which the script is renewed, with grsecurity having been taken, it appears to me, good care of by minipli and friends (just the LTS kernel being patched, but that is still very valuable)...

I'd be interested to know if my method works fine with Debian and Ubuntu.

See (skip to recent posts there):
Grsecurity/Pax installation on Devuan GNU/Linux
https://dev1galaxy.org/viewtopic.php?id=596

The renewed script is at:
https://github.com/miroR/grsec-dev1-compile

The new patches are now from:
https://github.com/minipli/linux-unoffi ... cial_grsec

I see people from Subgraph are also engaged... and Parazyd a Devuan and Gentoo developer.

In the latest release from:
https://github.com/minipli/linux-unoffi ... /releases/

it seems they had been successful in getting some of the RAP protection back in...
(
https://github.com/minipli/linux-unoffi ... dc6f20cded
)


Of course mine is just a helper script for newbies, I'm not an expert (just a reminder).

But I do believe my script should work for Debian/Ubuntu and others from the family...

Pls. let me know if you find it useful! Regards!
timbgo
 
Posts: 241
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2017-09-24 04:44

There are also packages available. But first, they are actually NOT recommended, and the big fat warning says so.

https://croatiafidelis.hr/gnu/deb/linux ... 170923-22/

But you can always compile, as I wrote there as well!

Regards!
timbgo
 
Posts: 241
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby Head_on_a_Stick » 2017-09-24 17:27

@timbgo, thank you very much for all of your efforts, they are very much appreciated :)

I haven't had time to try any of this in Debian yet (I'm running Alpine Linux atm and that still has the grsec patches included) but I do intend to.

Do you know if the patches will apply to the Debian kernels?

https://kernel-handbook.alioth.debian.o ... n-official

I am tempted to file a Request for Packaging for a KSPP-patched kernel version, Arch has a linux-hardened package that offers this.
Head_on_a_Stick
 
Posts: 6577
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2017-09-25 16:20

Head_on_a_Stick wrote: @timbgo, thank you very much for all of your efforts, they are very much appreciated :)

I haven't had time to try any of this in Debian yet (I'm running Alpine Linux atm and that still has the grsec patches included) but I do intend to.

Do you know if the patches will apply to the Debian kernels?

https://kernel-handbook.alioth.debian.o ... n-official

Very probably yes. Devuan and Debian, and Ubuntu and others of the Debian family, do have the same kernels. Often bit by bit the same.

Head_on_a_Stick wrote: I am tempted to file a Request for Packaging for a KSPP-patched kernel version, Arch has a linux-hardened package that offers this.

No, not KSPP (well, not in my opinion)! They go a whole different way. Not the grsec way. minipli's unofficial-grsecurity (links are where due) does go the grsecurity way!

I'm ill today (ah, just a strong but crippling allergy), can't write longer.

Regards!
timbgo
 
Posts: 241
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2017-09-28 22:11

This is also a good reference page (with old clumsy occasional naming, read on):

https://packages.debian.org/source/stretch/linux

In Devuan we use the exact same kernel(s) as are used in Debian. Probably the rest of the kernels from the list too, but I know about mine.

This is my machine (I grep out 4.9.3 and 4.9.5, such as 4.9.39 and 4.9.51 --soon also 4.9.52-- because I have a few minipli grsecurity-hardened kernels, and the topic is Debian/Devuan kernels compatibility):
Code:
# ls -l /boot/ | grep -vE '4.9.3|4.9.5'
total 195663
...
-rw-r--r-- 1 root root   190055 2017-01-06 20:17 config-4.4.0-59-generic
-rw-r--r-- 1 root root   186386 2017-06-26 15:27 config-4.9.0-3-amd64
drwxr-xr-x 2 root root     1024 2017-07-24 19:19 efi
drwxr-xr-x 6 root root     1024 2017-09-27 19:56 grub
-rw-r--r-- 1 root root 33548826 2017-09-13 12:33 initrd.img-4.4.0-59-generic
-rw-r--r-- 1 root root 19462711 2017-09-15 11:54 initrd.img-4.9.0-3-amd64
...
-rw------- 1 root root  3888958 2017-01-06 20:17 System.map-4.4.0-59-generic
-rw-r--r-- 1 root root  3180497 2017-06-26 15:27 System.map-4.9.0-3-amd64
-rw-r--r-- 1 root root  6969744 2017-01-30 17:03 vmlinuz-4.4.0-59-generic
-rw-r--r-- 1 root root  4204320 2017-06-26 15:27 vmlinuz-4.9.0-3-amd64
#


The 4.4.0-59-generic is actually some Ubuntu that I dual boot into, at this time.

But 4.9.0.3 is the same kernel in Debian and in Devuan. And I base my 4.9.5x configs on that one, which is actually a generic kernel, except that it is described, currently, on that page linked above as:

Code:
linux-image-4.9.0-3-amd64
Linux 4.9 for 64-bit PCs


while the other of the kernels listed:

linux-image-4.9.0-3-686-pae
Linux 4.9 for modern PCs

Just saying about clumsy naming :-). Because the 64-bit PCs on the market are small share AMD64, much greater share Intel (IIUC), and 686:

Code:
linux-image-4.9.0-3-686-pae
    Linux 4.9 for modern PCs


, be it even https://en.wikipedia.org/wiki/Physical_ ... _Extension , is it so modern?

(I mean other than Udoo x86, which I'd never recommend to anybody, because I'd very strongly expect Intel owns it, not you, and owns you through it: it's closed source, black box hardware. IIUC.)

But on the question about compatibility, I'd believe Devuan and Debian kernels being same, even my packages should work fine on Debian/Ubuntu as well, and if you go the best way, which is compiling your own kernel and hardening it with the fresh unofficial-grsecurity patches, it can not be in any way incompatible in the, I believe, whole Debian family (but I am not familiar with many other of the Debian family distro-members)!

I also take all the precautions when I compile the packages. For that reason I put fat warnings if I have any marginal doubts of my systems.

I'm compiling, away from this online system, linux-4.9.52 with the new patch:
https://github.com/minipli/linux-unoffi ... cial_grsec

Just as in the script (also been updated, e.g. you could likely also simply just use:
https://github.com/miroR/grsec-dev1-com ... compile.sh
) I run the long, one thread only:
Code:
fakeroot make deb-pkg

i.e. not fakeroot make -jN deb-pkg, where N depends on how many cores your processor has, to be more on the safe side (and another possible reason, of which maybe later).

For compiling the next kernel the line is fine like this:
Code:
$ grsec-dev1-compile.sh v4.9.52-unofficial_grsec-20170928143206 linux-4.9.52 config-4.9.51-unofficial+grsec170923-22


I have no room for more than one set of packages at a time (anyway, those who compile, know that they also get a debugger package, which I can post), so I think I'll always be removing the old, and posting the new... (very probably).

Regards!
timbgo
 
Posts: 241
Joined: 2013-04-14 12:17
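
Added example (not part of the original posts and not taken from grsec-dev1-compile.sh): once a patched kernel has been built and installed as described in the post above, its config file in /boot can be audited to confirm that the grsecurity/PaX options, RAP included, are really enabled. The selection of options checked and both sample configs are constructed for this example.

```sh
#!/bin/sh
# Added example: audit a kernel config for grsecurity/PaX options.
# The option names are grsecurity Kconfig symbols; which ones to check is this example's choice.
# Real use: audit_grsec_config "/boot/config-$(uname -r)"
GRSEC_OPTS="CONFIG_GRKERNSEC CONFIG_PAX CONFIG_PAX_MPROTECT CONFIG_PAX_ASLR
CONFIG_PAX_KERNEXEC CONFIG_PAX_MEMORY_UDEREF CONFIG_PAX_RAP"

# opt_state FILE OPTION: prints y, m, n (patched tree, option switched off)
# or absent (symbol unknown to this tree, i.e. the patch was never applied).
opt_state() {
    if grep -q "^$2=y\$" "$1"; then echo y
    elif grep -q "^$2=m\$" "$1"; then echo m
    elif grep -q "^# $2 is not set\$" "$1"; then echo n
    else echo absent
    fi
}

# audit_grsec_config FILE: one line per option; exit status = options not built in.
audit_grsec_config() {
    missing=0
    for opt in $GRSEC_OPTS; do
        state=$(opt_state "$1" "$opt")
        printf '%-28s %s\n' "$opt" "$state"
        [ "$state" = y ] || missing=$((missing + 1))
    done
    return "$missing"
}

# Constructed sample configs: a patched kernel with RAP off, and a stock distro kernel.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/config-grsec" <<'EOF'
CONFIG_GRKERNSEC=y
CONFIG_PAX=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_MEMORY_UDEREF=y
# CONFIG_PAX_RAP is not set
EOF
cat > "$SAMPLES/config-stock" <<'EOF'
CONFIG_SECURITY=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
EOF

for f in "$SAMPLES"/config-*; do
    echo "== $f"
    audit_grsec_config "$f" || echo "$? option(s) not enabled"
done
```

An "absent" result on every line means the config came from an unpatched source tree, which is what a stock Debian/Devuan config such as config-4.9.0-3-amd64 would show.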

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2017-09-29 14:45

The latest:
https://www.croatiafidelis.hr/gnu/deb/l ... 170929-07/
Pls. until I sort out the README.html for it, read the previous one at:
https://www.croatiafidelis.hr/gnu/deb/l ... 170923-22/
( but the later packages I have taken really great care to prepare, use the new packages, not those )
timbgo
 
Posts: 241
Joined: 2013-04-14 12:17
