Grsecurity/Pax installation on Debian GNU/Linux

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby Head_on_a_Stick » 2016-08-03 19:25

pcalvert wrote:How is it that they have the stable version of Grsecurity

Ah, perhaps I was being a fanboi with that statement...

At the moment, the current stable grsec release is 4.4.16 but my Alpine system has:
Code:
empty@alpine ~ % uname -a
Linux alpine 4.4.15-1-grsec #2-Alpine SMP Mon Jul 18 11:27:31 GMT 2016 x86_64 GNU/Linux

IIRC from the last upgrade, the 4.4.16 will be added a few days after grsec move on to 4.4.17 so it is always one version down (if you see what I mean).
"Only the mediocre are always at their best." — Jean Giraudoux
Head_on_a_Stick
 
Posts: 6784
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2017-09-18 12:39

I'd be interested to know if my method, which can be read about, and the script is renewed, with grsecurity having taken, appears to me good care of by minipli and friends (just the LTS kernel being patched, but that is still very valuable)...

I'd be interested to know if my method works fine with Debian and Ubuntu.

See (skip to recent posts there):
Grsecurity/Pax installation on Devuan GNU/Linux
https://dev1galaxy.org/viewtopic.php?id=596

The renewed script is at:
https://github.com/miroR/grsec-dev1-compile

The new patches are now from:
https://github.com/minipli/linux-unoffi ... cial_grsec

I see people from Subgraph are also engaged... and Parazyd a Devuan and Gentoo developer.

In the latest release from:
https://github.com/minipli/linux-unoffi ... /releases/

it seems they had been successful in getting some of the RAP protection back in...
( https://github.com/minipli/linux-unoffi ... dc6f20cded )


Of course mine is just a helper script for newbies, I'm not an expert (just a reminder).

But I do believe my script should work for Debian/Ubuntu and others from the family...

Pls. let me know if you find it useful! Regards!
timbgo
 
Posts: 245
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2017-09-24 04:44

There are also packages available. But first, they are actually NOT recommended, and the big fat warning says so.

https://croatiafidelis.hr/gnu/deb/linux ... 170923-22/

But you can always compile, as I wrote there as well!

Regards!
timbgo
 
Posts: 245
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby Head_on_a_Stick » 2017-09-24 17:27

@timbgo, thank you very much for all of your efforts, they are very much appreciated :)

I haven't had time to try any of this in Debian yet (I'm running Alpine Linux atm and that still has the grsec patches included) but I do intend to.

Do you know if the patches will apply to the Debian kernels?

https://kernel-handbook.alioth.debian.o ... n-official

I am tempted to file a Request for Packaging for a KSPP-patched kernel version, Arch has a linux-hardened package that offers this.
"Only the mediocre are always at their best." — Jean Giraudoux
Head_on_a_Stick
 
Posts: 6784
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2017-09-25 16:20

Head_on_a_Stick wrote:@timbgo, thank you very much for all of your efforts, they are very much appreciated :)

I haven't had time to try any of this in Debian yet (I'm running Alpine Linux atm and that still has the grsec patches included) but I do intend to.

Do you know if the patches will apply to the Debian kernels?

https://kernel-handbook.alioth.debian.o ... n-official

Very probably yes. Devuan and Debian, and Ubuntu and other of the Debian family do have the same kernels. Often bit by bit same.
Head_on_a_Stick wrote:I am tempted to file a Request for Packaging for a KSPP-patched kernel version, Arch has a linux-hardened package that offers this.

No, not KSPP (well, not in my opinion)! They go a whole different way. Not the grsec way. minipli's unofficial-grsecurity (links are where due) does go the grsecurity way!

I'm ill today (ah, just strong but crippling allergy), can't write longer.

Regards!
timbgo
 
Posts: 245
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2017-09-28 22:11

This is also a good reference page (with old clumsy occasional naming, read on):

https://packages.debian.org/source/stretch/linux

In Devuan we use the exact same kernel(s) as is used in Debian. Probably the rest of the kernels from the list too, but I know about mine.

This is my machine (I grep out 4.9.3 and 4.9.5, such as 4.9.39 and 4.9.51 --soon also 4.9.52-- because I have a few minipli grsecurity-hardened kernels, and the topic is Debian/Devuan kernels compatibility):
Code:
# ls -l /boot/ | grep -vE '4.9.3|4.9.5'
total 195663
...
-rw-r--r-- 1 root root   190055 2017-01-06 20:17 config-4.4.0-59-generic
-rw-r--r-- 1 root root   186386 2017-06-26 15:27 config-4.9.0-3-amd64
drwxr-xr-x 2 root root     1024 2017-07-24 19:19 efi
drwxr-xr-x 6 root root     1024 2017-09-27 19:56 grub
-rw-r--r-- 1 root root 33548826 2017-09-13 12:33 initrd.img-4.4.0-59-generic
-rw-r--r-- 1 root root 19462711 2017-09-15 11:54 initrd.img-4.9.0-3-amd64
...
-rw------- 1 root root  3888958 2017-01-06 20:17 System.map-4.4.0-59-generic
-rw-r--r-- 1 root root  3180497 2017-06-26 15:27 System.map-4.9.0-3-amd64
-rw-r--r-- 1 root root  6969744 2017-01-30 17:03 vmlinuz-4.4.0-59-generic
-rw-r--r-- 1 root root  4204320 2017-06-26 15:27 vmlinuz-4.9.0-3-amd64
#


The 4.4.0-59-generic is actually some Ubuntu that I dual boot into, at this time.

But 4.9.0.3 is the same kernel in Debian and in Devuan. And I base my 4.9.5x configs on that one, which is actually generic kernel, except that it is described, currently on that page linked above as:

Code:
linux-image-4.9.0-3-amd64
Linux 4.9 for 64-bit PCs


while the other of the kernels listed:

linux-image-4.9.0-3-686-pae
Linux 4.9 for modern PCs

Just saying about clumsy naming :-). Because the 64-bit PCs on the market are small share AMD64, much greater share Intel (IIUC), and 686:

Code:
linux-image-4.9.0-3-686-pae
    Linux 4.9 for modern PCs


, be it even https://en.wikipedia.org/wiki/Physical_ ... _Extension , is it so modern?

(I mean other than Udoo x86, which I'd never recommend to anybody, because I'd very strongly expect Intel owns it, not you, and owns you through it: it's closed source, black box hardware. IIUC.)

But on the question about compatibility, I'd believe Devuan and Debian kernels being same, even my packages should work fine on Debian/Ubuntu as well, and if you go the best way, which is compiling your own kernel and hardening it with the fresh unofficial-grsecurity patches, it can not be in any way incompatible in the, I believe, whole Debian family (but I am not familiar with many other of the Debian family distro-members)!

I also take all the precautions when I compile the packages. For that reason I put fat warnings if I have any marginal doubts of my systems.

I'm compiling, away from this online system, linux-4.9.52 with the new patch:
https://github.com/minipli/linux-unoffi ... cial_grsec

Just as in the script (also been updated, e.g. you could likely also simply just use:
https://github.com/miroR/grsec-dev1-com ... compile.sh
) I run the long, one thread only:
Code:
fakeroot make deb-pkg

i.e. not fakeroot make -jN deb-pkg, where N depends on how many cores your processor has, to be more on the safe side (and another possible reason, of which maybe later).

For compiling the next kernel the line is fine like this:
Code:
$ grsec-dev1-compile.sh v4.9.52-unofficial_grsec-20170928143206 linux-4.9.52 config-4.9.51-unofficial+grsec170923-22


I have no room for more than one set of packages at a time (anyway, those who compile, know that they also get a debugger package, which I can post), so I think I'll always be removing the old, and posting the new... (very probably).

Regards!
timbgo
 
Posts: 245
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2017-09-29 14:45

The latest:
https://www.croatiafidelis.hr/gnu/deb/l ... 170929-07/
Pls. until I sort out the README.html for it, read the previous one at:
https://www.croatiafidelis.hr/gnu/deb/l ... 170923-22/
( but the later packages I have taken really great care to prepare, use the new packages, not those )
timbgo
 
Posts: 245
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2017-11-15 16:18

There's a discussion here:
https://github.com/minipli/linux-unoffi ... /issues/11

The patch is minipli's work updated by:

https://github.com/HacKurx

Pls. read the discussion about it at:

https://github.com/minipli/linux-unoffi ... /issues/11

And here are the deb packages:

https://www.CroatiaFidelis.hr/gnu/deb/l ... 171114-19/

Pls. pls., no warranties! But I think my system was only attacked but not compromised... Doing huge work of analysis of the network traces, and not an expert, but it does look the system wasn't compromised, and my big fat warning on page:

Strange Bash under grsecurity's exec logging
https://dev1galaxy.org/viewtopic.php?id=1598

was an exaggeration... But still no warranties. Use at your own risk. I too trusted HacKurx's work and I believe I won't regret in the least...

Again, I run Devuan, but the kernels are same in Debian and Devuan. Except for systemd-related stuff, Devuan is mostly still just in most respects: a Debian of a kind.

And the patch that I used, I have to sign with my PGP-key, since HacKurx didn't sign them, but gave the SHA256, which I testify you will get too, if my PGP-signature you get is uncompromised (I'll be posting it next at, wait a minute... it'll be... It is, from right now at:

https://www.croatiafidelis.hr/gnu/deb/l ... iff.tar.xz
https://www.croatiafidelis.hr/gnu/deb/l ... x.diff.sig

If you compile, you will need to modify the part related to the patch in the grsec-dev1-compile.sh ... I hope HacKurx instead from now keeps to the tradition started by minipli with the unofficial-grsec patches.

( Pls. do tell if I made any mistakes in linking or signing, such as if something doesn't verify, or if you have any issues. )

Regards!
timbgo
 
Posts: 245
Joined: 2013-04-14 12:17
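
The check described in the post above (a published SHA256 plus a detached PGP signature), written out as an added example that is not part of the thread or of grsec-dev1-compile.sh. The function names are hypothetical, and the file names, digest and signer fingerprint are placeholders the caller supplies; gpg's machine-readable status output is parsed so the result depends on which key signed, not only on gpg's exit code.

```shell
#!/bin/sh
# Added example: fail-closed check of a downloaded patch before applying it.
# Digest, fingerprint and file names are caller-supplied placeholders.

# True only if FILE's SHA-256 equals the published hex digest (any case).
sha256_matches() {
    file=$1
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 1
    got=$(sha256sum "$file" | cut -d' ' -f1) || return 1
    [ -n "$want" ] && [ "$got" = "$want" ]
}

# Reads `gpg --status-fd 1 --verify` output on stdin. True only if a VALIDSIG
# line carries the expected fingerprint (40 hex digits, upper case, no spaces;
# signing key or primary key) and no line reports a bad, expired or revoked
# signature or key.
validsig_has_fpr() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (($3 "") == (want "") || ($NF "") == (want "")) { ok = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# verify_patch FILE SIGFILE SHA256 FINGERPRINT
# The signer's public key must already be in the local keyring.
verify_patch() {
    sha256_matches "$1" "$3" || { echo "digest mismatch: $1" >&2; return 1; }
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | validsig_has_fpr "$4" \
        || { echo "no acceptable signature by $4 on $1" >&2; return 1; }
}
```

Take the fingerprint from a channel other than the download site, since a digest and a signature served from the same place as the patch protect only against corruption, not against a replaced file.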

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby Head_on_a_Stick » 2017-11-15 18:32

"Only the mediocre are always at their best." — Jean Giraudoux
Head_on_a_Stick
 
Posts: 6784
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2017-11-16 11:49

Head_on_a_Stick wrote:https://packages.debian.org/sid/linux-image-grsec-amd64

I'll just leave this here...

:D

Which is fine! Except old kernel, more exploits...
Only:
Code:
linux-image-4.9.0-4-grsec-amd64

there.

Testing new versions of LTS patched with unofficial-grsecurity is better in my view.
However, if corsac returns and takes up packaging the unofficial-grsecurity-patched LTS, I'm all for it! :)
EDIT 2017-11-16 18:00 UTC Oh! That is corsac maintaining it! So glad to know!
Thanks for telling us, Head_on_a_Stick! Last time I looked it up, that wasn't the case... But I'm slow...
EDIT END
timbgo
 
Posts: 245
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby Head_on_a_Stick » 2017-11-16 17:35

timbgo wrote:Except old kernel, more exploits...
Only:
Code:
linux-image-4.9.0-4-grsec-amd64

there

That's the Debian package version, the kernel version is 4.9.51-1+grsecunoff2; my Alpine Linux system is using 4.9.60 (with an unofficial port of the grsec patches) and kernel.org is on 4.9.62 so it's not that far behind.
"Only the mediocre are always at their best." — Jean Giraudoux
Head_on_a_Stick
 
Posts: 6784
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2017-11-16 20:25

Head_on_a_Stick wrote:
timbgo wrote:Except old kernel, more exploits...
Only:
Code:
linux-image-4.9.0-4-grsec-amd64

there

That's the Debian package version, the kernel version is 4.9.51-1+grsecunoff2; my Alpine Linux system is using 4.9.60 (with an unofficial port of the grsec patches) and kernel.org is on 4.9.62 so it's not that far behind.

8) Of course, I studied all the links from the page you gave in the meantime, and I checked if we had it in Devuan: yes we do!
And of course I'll install it, along with gradm2 and other recommends! (For Devuan it's in Ceres, something like our testing branch.)
But it is old, it is. My packages that I gave above, based on the same grsecunoff by Mathias (minipli) Krause, who BTW has been taking some time off, and is sorely being missed, but Loic (HacKurx) updated the patch to 4.9.61, which I gave all the links and uploaded my deb packages... So my packages are kind of much newer version of grsecunoff. Could still be worth a try for some people, I'd hope.

I'm happy that grsec is being taken good care of. corsac, thank you so much for keeping the grsec available for us!

But it took corsac time to provide the packages, didn't it? And this is the first of the new series of grsec, the unofficial_grsecurity!
See here:
http://metadata.ftp-master.debian.org/c ... _changelog
where, currently at the very top, there is only one single version of it:
Code:
linux-grsec (4.9.51-1+grsecunoff1) unstable; urgency=medium

  * Pull changes from src:linux up to 4.9.51-1.
  * grsec/gen-patch:
    - update to generate patch from a local git repository with Mathias Krause
    grsec-unofficial tree (https://github.com/minipli/linux-unofficial_grsec)
  * Update grsecurity patch to the unofficial version maintained by Mathias
    Krause.
  * featureset-grsec/config: update long description to make it clear we are
    using the unofficial patch, unrelated to the private patch.
  * debian/lib/python/debian_linux/debian.py: handle new versioning scheme.

 -- Yves-Alexis Perez <corsac@debian.org>  Tue, 03 Oct 2017 10:59:32 +0200

Regards! (And thanks again Head_on_a_Stick for bringing us all here the very happy news!)
timbgo
 
Posts: 245
Joined: 2013-04-14 12:17

