Grsecurity/Pax installation on Debian GNU/Linux

Share your own howto's etc. Not for support questions!

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby jlambrecht » 2015-04-09 07:32

Ehr, wadayamean ? :D
Embrace what you're not certain off,
keep an eye on what you're confident about.
jlambrecht
 
Posts: 374
Joined: 2008-02-01 16:21

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby pcalvert » 2015-04-09 13:58

stevepusser wrote:Maybe...can anyone access that kernel?

I notified the website owner that the site is down.

His reply:

Thanks, we are working on a new server.
It should work soon.

In the meantime one alternative is to check mirror in Freenet network.

Thanks for your interest.


Phil
pcalvert
 
Posts: 1730
Joined: 2006-04-21 11:19
Location: Sol Sector

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2015-05-11 23:45

Hi!

I wish I could keep (and that I could have kept) this topic up, but what I deem the systemd-suicide by Debian Developers turned me away from Debian.

A lot, a huge lot is losing so much because of this what I deem Debian abandoning of its own true self.

I wish for the Devuan, the Debian non-systemd fork to really take off, and I hope that could still happen. We'll see.

I looked up the suggestion by a member a few post previous to here:

http://main.mepis-deb.org/

but that's a false suggestion, IIUC, no mention of grsecurity, so, again: IIUC, or to be sure: correct me if I'm wrong in understanding that they don't offer grsecurity-hardened kernel. And if they don't, it's a false suggestion. Period.

The other suggestion:

https://wiki.debian.org/Mempo

may be worth it, but not for all users. Exampli gratia, I liked to be close to the bleeding edge and install the weekly DVDs, and then compile the grsecurity-hardened kernel for it. Doesn't seem possible with Mempo.

But Mempo is not to be counted out. I really wish those guys succeeded! Their ideas are so pure, so right, and so needed today!

And if you search page 3 of this topic you are reading, this post:

viewtopic.php?f=16&t=108616&&start=30#p555093

for an alternative, previously made attempt similar to mine in this topic, you might go on from:

grsecurity source install script for Debian
https://github.com/rickard2/grsecurity-Debian-Installer

Sadly, not maintained.

I don't know what future holds.

I terribly liked what I could achieve with having my grsecurity-hardened kernel on the weekly (was it Sid up until a few months ago?, yes I think so), and then, the beauty was that thanks to Thorsten mirabilos Glaser...

The beauty was that then, thanks mirabilos from MirBSD, it was possible to rid myself of the program architecture that is there in most FOSS Linux and their relatives in FOSS, with the true purpose under the hood of its shine, to make for proprietory programs to work on top of [F]ree [O]pen [S]ource [S]oftware.

And proprietory, for which that architecture is there, and sadly lives undisturbed in most Linuces and their relatives of this day...

And yes I mean dbus based architecture.

And proprietory, in this day and age, means: in the service of the one-ring-to-rule-them-all cravers, dear brothers in *nix.

Look up my tip:
How to Remove Systemd and Related Packages from Your Debian
viewtopic.php?f=16&t=118197

And the beauty was that, thanks to that programmer from the BSD community, I was able to rid my Debian of dbus, pulseaudio and all those poetterware programs, along with harden it with my dearest program in all of FOSS, the grsecurity.

Sadly, while what I explained I needed to do in my previous post to this post, and it is this one:

( in this same topic you are reading )
viewtopic.php?f=16&t=108616&&start=45#p566911

I did manage to do, it cost me huge time which then I did not have available for so many other things.

I have deployed grsecurity completely in my Gentoo, I know now how to filter traffic in such way that pretty much nothing is unobserved if I get under attack (well, there surely are subjects stronger than me, but I'm not, say, such a subject like Iran was years ago, to deserve those subjects' attention, or like the hackers deserve it who hack into their premises)... Along with having managed deploying iptables properly, and other things...

And I can tell you that Gradm really really does it! Gradm, the grsecurity administration, which, as I said in a few places, needs to be deployed on top of the grsecurity-hardened kernel to account for the few holes that otherwise still remain, as they can not be fixed via solely the kernel patching, which grsecurity does.

My desire to transmit the little but good and very recommendable knowledge that I have gained by now, has not left me, such as to make the next tip some day, the harder one to do, on how to deploy Gradm in Debian. The harder one (then this tip you are reading) to do for newbies, and the harder one (then this tip) to write for me (or if someone else takes over).

It really depends. If Devuan takes off and learns to fly, and if they, this is important, and I'll point them over to these words of mine...

And if they offer a no-dbus Devuan, which I am not certain it is among their objectives; but if they do, then you may even not see much of me, because then I may get my little free time that I have, I can then start using that time for Devuan only...

But if they don't offer a non-dbus Devuan, then I can't go for Devuan.

I told them this already...

I attempted to say my views generally, and very clumsily, I admit:

https://lists.dyne.org/lurker/message/2 ... 11.en.html

but on dbus, I think I said it right, even though in the wider context:

https://lists.dyne.org/lurker/message/2 ... 95.en.html

where find:
"
I count dbus in poetterware-related. You don't have to. I do. Pls. allow for that option!

My take on it you can have also here:

Updating and keeping your Gentoo non-poeterized
https://forums.gentoo.org/viewtopic-t-1012022.html
"
and:

https://lists.dyne.org/lurker/message/2 ... 14.en.html
"And an opt-out from dbus, official possiblity to have a non-dbus Devuan."

But I'm really not a developer to be able to follow them in the development of Debian, so I withdrew from the discussion.

And if they don't offer a no-dbus Devuan, then I may try and see if modalities still exist here in Debian, to go on where I left, disgusted that not even a simple file of a few kilobytes was allowed in the DVD 1 back when they were all (are they still?) about imposing the freaking systemd on every Debian user, as you can read in this tip of mine:

Air-Gapped Debian Install for Newbies
viewtopic.php?f=16&t=119648&#p564470

where find this paragraph:
"
As you can see the systemd vandals have removed the sysvinit time honored and reliable (although a better one should be invented/deployed) init from the disk 1. Namely it is there in the disk-2. For the 129K sysvinit-core_2.88dsf-58_amd64.deb there was no room to be found in the disk-1... It's shame.
"
I don't know which way I will go next, esp. since I'm much more familiar with Gentoo (which is the best for security, and for defence from surveillance, as it is the home of grsecurity-hardening deployed).

And also the way that I showed I believe in, in my tips in these Debian Forums, and which is above all without dbus/poetterware and with grsecurity/PaX, and which I believe is the way to go in today's surveilled society, for anyone who wants to be free and not controlled by unknown to him/her. on that way De[bv][iu]an does not seem to be persevering on, not steadilyy, no, not so well as Gentoo...

And especially I don't know when I might go the way that I happen to go next in Debian or its fork Devuan.

Thank you all for your kind attention.
timbgo
 
Posts: 241
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby mardybear » 2015-05-12 01:49

timbgo:
And the beauty was that, thanks to that programmer from the BSD community, I was able to rid my Debian of dbus, pulseaudio and all those poetterware programs, along with harden it with my dearest program in all of FOSS, the grsecurity.

Don't forget Avahi...

Didn't re-read the entire thread, but have you looked at Alpine Linux:
Alpine Linux was designed with security in mind. The kernel is patched with grsecurity/PaX out of the box, and all userland binaries are compiled as Position Independent Executables (PIE) with stack smashing protection. These proactive security features prevent exploitation of entire classes of zero-day and other vulnerabilities.

http://www.alpinelinux.org/about/

...don't know about dbus.

Dbus is optional/not required in TinyCore Linux. It does, however, let you build a system to your preference. No grsecurity though.
800mhz, 512mb ram, dCore-jessie (Tiny Core with Debian Jessie packages) with BusyBox and Fluxbox.
Most don't have computer access, reuse or pay forward an old computer.
User avatar
mardybear
 
Posts: 994
Joined: 2014-01-19 03:30

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2015-05-12 14:00

Hi mardybear!

(for some reason, I can't find the `Quote' link with my dillo, and am in other work)

I'll look into Alpine. Anything grsec/PaX is interesting to me.

Avahi, isn't that something RedHat?

Really no time. Pls. allow delays.

And really thanks! Didn't know about Alpine.
timbgo
 
Posts: 241
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2015-05-12 14:14

And I can't even find the Edit button (or whether it's a link)...

EDIT START: Well, I can, but i'ts somewhat advanced. See:

No edit/delete/report Buttons in Some phpBB Forums
http://lists.dillo.org/pipermail/dillo- ... 10523.html

and bear in mind that it appears that the sed command lost a little in the transit ;-). It should be:

Code: Select all
cat /Cmn/dLo/SK_150514-10_pg2_src.php  | grep delete-icon | sed 's/\&/\&/g'

and I hope it will hold to what I posted, here.

EDIT END

dillo, however is such an ocean of calm security-wise, so these are, yes, issues, but sniffings practices, intrusions, even attacks when I browse with Schmooglezilla Fox, that's worse, much worse...

So, here is documented, but will even be documented for newbies (hard to read those dumps for them, yet, without some explaining which I intend to do some time in the future)...

So, here is documented, how I am not allowed by third subjects, obviously to do with my provider, to send two simple mails:

Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion
https://forums.gentoo.org/viewtopic-t-9 ... ml#7746644

And just like I say there, pls. if anybody from Devuan is reading this, pls. do call their attention to my second previous post from here:

( this same topic you are reading )
viewtopic.php?f=16&t=108616&start=60#p577538

Thank you!
Last edited by timbgo on 2015-05-14 18:02, edited 1 time in total.
timbgo
 
Posts: 241
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby mardybear » 2015-05-12 16:27

Hi timbgo.

Here's the full Alpine link address, hope this works in Dillo. Really should take a look if interested in gsecurity and a system that doesn't come default with a whole bunch of unnecessary stuff.
http://www.alpinelinux.org/about/

Avahi was developed by Lennart Poettering and Trent Lloyd. Average user doesn't need it, yet it's installed by default in most major Linux distributions. Just check it out via pstree or ps, disable Avahi and reboot, chances are your system won't miss it.
Avahi is a free zero-configuration networking (zeroconf) implementation, including a system for multicast DNS/DNS-SD service discovery. It is licensed under the GNU Lesser General Public License (LGPL).

Avahi is a system which enables programs to publish and discover services and hosts running on a local network. For example, a user can plug their computer into a network and have Avahi automatically advertise the network services running on the machine which could enable access to files and printers.

http://en.wikipedia.org/wiki/Avahi_%28software%29
800mhz, 512mb ram, dCore-jessie (Tiny Core with Debian Jessie packages) with BusyBox and Fluxbox.
Most don't have computer access, reuse or pay forward an old computer.
User avatar
mardybear
 
Posts: 994
Joined: 2014-01-19 03:30

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2015-05-14 18:05

The problem is lack of time.

But anyway, I wasn't posting only for myself, and I believe users will find Alpine attractive!

Thanks for caring for the right programs, mardybear!
timbgo
 
Posts: 241
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2015-07-06 20:02

Regarding the installation of grsecurity, however, I gave lots of explanation and examples in the five pages of this tip, so far.

I believe, the most of the work is done, with this tip. When if ever, will there be a real for-newbies-easy-to-use deployment of grsecurity? Maybe never, since you get their SELinux deployed in no-brains-needed fashion, because the filthy richness (the secret services are always with the moneys in societies left and right, it's the nature of the corrupted power)... [because the filthy richness] is not with us, but with them and it's those, the NSA and friends who made or broke, bullied or bought their way into your boxes, dear *nixers...

Here is an afterthought, and a promise that I will try to keep:
https://forums.grsecurity.net/viewtopic ... 344#p15344

because I really like Gentoo and (Debian/Devuan?), and Dillo and Postfix, and a lot of other programs, but I love the best grsecurity, because they, our heroes spender and PaX Team, without them, the computing would have been so much poorer that you can't even imagine.

[So much poorer] of the real richness, the freedom, the freedom, attainable, not easily but pretty hard to attain, but attainable freedom from surveillance, one of the worst and most dangerous evils of our days.
timbgo
 
Posts: 241
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby jlambrecht » 2015-07-07 08:26

sorry to barge in like this, i've spent time on grsec with Debian before and it was a bit steep at first, then it seemed to work well for me. Now, on a laptop, i cannot get it to work well. I had to recompile the intel ethernet module from intel sources because it seemed buggy, now i have network. But only DNS resolves, i cannot get apt-get update to work or for the policy to adapt to it.

Does anyone have a shorthand guide on working with grsec on Debian ? I still have the machine for which it worked at hand so i can also make a copy but i'd prefer to share experiences.
Embrace what you're not certain off,
keep an eye on what you're confident about.
jlambrecht
 
Posts: 374
Joined: 2008-02-01 16:21

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2015-07-14 13:02

jlambrecht wrote:sorry to barge in like this, i've spent time on grsec with Debian before and it was a bit steep at first, then it seemed to work well for me. Now, on a laptop, i cannot get it to work well. I had to recompile the intel ethernet module from intel sources because it seemed buggy, now i have network. But only DNS resolves, i cannot get apt-get update to work or for the policy to adapt to it.

Does anyone have a shorthand guide on working with grsec on Debian ? I still have the machine for which it worked at hand so i can also make a copy but i'd prefer to share experiences.


It's not that simple.

1) You need to post all the relevant settings, and all the relevant log errors, and then describe as best you can, without missing important details, what is happening and what you suspect could be the cause (that is learning in itself, even if you get no reply)

2) and then someone who has experience with a similar setup and similar particular issues that you may have with your hardware or your setup, or such, than he has to look at it and try to figure out what there could be set wrong or even that there some circumstances (whichever that they may consist of) appear to be twarting or disabilitating and chance of successful grsec installation and deployment, and then such person may even need to test it on a similar system

I've given directions that seemed to me the best bet to get it done.

But, if I recall correctly, you are on Ubuntu, and I don't even have a working Debian at the moment, and Devuan is currently installable the dbus way, without alternative, IIUC (and I do follow Devuan mailing list so I'm probably right here), which I wrote about that I don't want to follow...

In Ubuntu you also have dbus... which in my opinion is just a companion of systemd. And you also have systemd in Ubuntu, IIRC...

To deploy grsecurity in a system with systemd, it's not me (who am not even so advanced, to be honest), but more advanced and experienced users, such as a few Gentooers, for example, have complained that it is a headache to get a working grsecurity on a systemd machine...

I know Ubuntu is a real brand name, and so will Debian continue to be, and lets see if, which I so much hoped for, a systemd-free Debian fork, the Devuan really takes off and applies for the best standards in FOSS, such as allowing freedom from also dbus...

So, I know Ubuntu is a real brand name, and so will Debian remain to be (tarnished with the systemd default), but if I were you, I would seriously research if Miro Rovis, who writes these lines for you, to post his best advice in your case, if I were you, I would seriously research whether Miro is right, or maybe wrong (he's been decidedly proven wrong sometimes), and whether those, as he says, fake FOSS programs are as bad as he claims.

Fake FOSS programs, because they are, in his opinion, done in the service of big money (military, the absolutely most money spending firm in the world, the U.S. firm, is the main customer of the Red Hat who pay Poettering and Sievers, the systemd guys and all of their windozation-of-FOSS-Linux cameraderie)...

Because those guys are payed for by big money, and they have nothing to really do with the real free projects that are not corporate servicemen like the poetter-people, but who are free and open source idealist people like you and me...

I would research those, and, in case the systemd and grsec do appear incompatible... maybe I would see if I could get rid of them in Ubuntu first, so I can install grsec-hardened kernel...

Or maybe choose the Apline Linux, as mardybear suggests... or maybe go with the Debian but the way that Miro (I'm still talking if I were you) wrote in a few places and linked to other tips, such as on how to install Debian the Air-Gapped way, systemd-frree:

Air-Gapped Debian Install for Newbies
viewtopic.php?f=16&t=119648&#p564470

and also without dbus:

How to Remove Systemd and Related Packages from Your Debian
viewtopic.php?f=16&t=118197

if those are still possible.

If I didn't have issues that drain my power (and a really good Gentoo installation for on-line, cloned from air-gapped offline-only), I would go those ways (as, not anymore talking as if I were you), I'm pretty certain of my findings.

Got to go. Cheers!
timbgo
 
Posts: 241
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby jlambrecht » 2015-07-14 13:35

Hi, thanks for the once more lengthy response. I'm not sure if i agree, grsec should be simple enough to get started.

I'll work on a simple yet effective procedure if i manage to fix this current challenge.
Embrace what you're not certain off,
keep an eye on what you're confident about.
jlambrecht
 
Posts: 374
Joined: 2008-02-01 16:21


Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby Head_on_a_Stick » 2016-07-31 20:16

^ You can't use VirtualBox with a grsec kernel and it can be restrictive if you tighten up the controls too much.

Also, they appear to be the testing images:
https://grsecurity.net/

Unfortunately, thanks to the abuses of embedded systems developers, the grsec team have restricted the availability of the stable release and it is no longer free (as in beer):
https://grsecurity.net/announce.php

:(

For the stable version of the grsec-patched kernel, I would recommend Alpine Linux:
http://www.alpinelinux.org/
"Are you quite sure that all those bells and whistles, all those wonderful facilities of your so called powerful programming languages, belong to the solution set rather than the problem set?" — Edsger W. Dijkstra
User avatar
Head_on_a_Stick
 
Posts: 6578
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby pcalvert » 2016-08-03 18:27

Head_on_a_Stick wrote:For the stable version of the grsec-patched kernel, I would recommend Alpine Linux:
http://www.alpinelinux.org/

How is it that they have the stable version of Grsecurity and not the testing version?

Phil
pcalvert
 
Posts: 1730
Joined: 2006-04-21 11:19
Location: Sol Sector

PreviousNext

Return to Docs, Howtos, Tips & Tricks

Who is online

Users browsing this forum: No registered users and 3 guests

fashionable