https://www.croatiafidelis.hr/gnu/deb/l ... 180816-16/
see previous posts for how to install it and other.[/quote]
Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230
Grsecurity/Pax installation on Debian GNU/Linux
Re: Grsecurity/Pax installation on Debian GNU/Linux
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?
Re: Grsecurity/Pax installation on Debian GNU/Linux
https://www.croatiafidelis.hr/gnu/deb/l ... 180820-16/
see previous posts for how to install it and other.
see previous posts for how to install it and other.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?
Re: Grsecurity/Pax installation on Debian GNU/Linux
I am going to post what the script:
https://github.com/a13xp0p0v/kconfig-hardened-check
( see here also: http://www.openwall.com/lists/kernel-ha ... 18/07/18/1 )
thinks about my latest offered packages (see immediately previous post to this).
Pls. compare it to what that kconfig-hardened-check thinks of the latest kernel in Debian/Devuan (reminder: I run Devuan, but the kernel is the same to the bit: it's not changed, just merged into Devuan package repo), the linux-image-4.16.0-2-amd64, which findings I'll post in the next post.
# kconfig-hardened-check.py -c /boot/config-4.9.122-dappersec180820-16
https://github.com/a13xp0p0v/kconfig-hardened-check
( see here also: http://www.openwall.com/lists/kernel-ha ... 18/07/18/1 )
thinks about my latest offered packages (see immediately previous post to this).
Pls. compare it to what that kconfig-hardened-check thinks of the latest kernel in Debian/Devuan (reminder: I run Devuan, but the kernel is the same to the bit: it's not changed, just merged into Devuan package repo), the linux-image-4.16.0-2-amd64, which findings I'll post in the next post.
# kconfig-hardened-check.py -c /boot/config-4.9.122-dappersec180820-16
Code: Select all
[+] Checking "/boot/config-4.9.122-dappersec180820-16" against hardening preferences...
option name | desired val | decision | reason || check result
===================================================================================================================
CONFIG_BUG | y | ubuntu18 | self_protection || OK
CONFIG_PAGE_TABLE_ISOLATION | y | ubuntu18 | self_protection || FAIL: not found
CONFIG_RETPOLINE | y | ubuntu18 | self_protection || FAIL: not found
CONFIG_X86_64 | y | ubuntu18 | self_protection || OK
CONFIG_STRICT_KERNEL_RWX | y | ubuntu18 | self_protection ||CONFIG_DEBUG_RODATA: OK ("y")
CONFIG_DEBUG_WX | y | ubuntu18 | self_protection || FAIL: not found
CONFIG_RANDOMIZE_BASE | y | ubuntu18 | self_protection || FAIL: not found
CONFIG_RANDOMIZE_MEMORY | y | ubuntu18 | self_protection || FAIL: not found
CONFIG_STACKPROTECTOR_STRONG | y | ubuntu18 | self_protection ||CONFIG_CC_STACKPROTECTOR_STRONG: OK ("y")
CONFIG_VMAP_STACK | y | ubuntu18 | self_protection || FAIL: not found
CONFIG_THREAD_INFO_IN_TASK | y | ubuntu18 | self_protection || OK
CONFIG_SCHED_STACK_END_CHECK | y | ubuntu18 | self_protection || OK
CONFIG_SLUB_DEBUG | y | ubuntu18 | self_protection || FAIL: not found
CONFIG_SLAB_FREELIST_HARDENED | y | ubuntu18 | self_protection || FAIL: not found
CONFIG_SLAB_FREELIST_RANDOM | y | ubuntu18 | self_protection || OK
CONFIG_HARDENED_USERCOPY | y | ubuntu18 | self_protection || OK
CONFIG_FORTIFY_SOURCE | y | ubuntu18 | self_protection || FAIL: not found
CONFIG_STRICT_MODULE_RWX | y | ubuntu18 | self_protection || FAIL: not found
CONFIG_MODULE_SIG | y | ubuntu18 | self_protection || FAIL: "is not set"
CONFIG_MODULE_SIG_ALL | y | ubuntu18 | self_protection || FAIL: not found
CONFIG_MODULE_SIG_SHA512 | y | ubuntu18 | self_protection || FAIL: not found
CONFIG_SYN_COOKIES | y | ubuntu18 | self_protection || OK
CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | ubuntu18 | self_protection || OK
CONFIG_BUG_ON_DATA_CORRUPTION | y | kspp | self_protection || FAIL: not found
CONFIG_PAGE_POISONING | y | kspp | self_protection || OK
CONFIG_GCC_PLUGINS | y | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection || FAIL: not found
CONFIG_GCC_PLUGIN_STRUCTLEAK | y | kspp | self_protection || FAIL: not found
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL | y | kspp | self_protection || FAIL: not found
CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_protection || OK
CONFIG_REFCOUNT_FULL | y | kspp | self_protection || FAIL: not found
CONFIG_DEBUG_LIST | y | kspp | self_protection || OK
CONFIG_DEBUG_SG | y | kspp | self_protection || FAIL: "is not set"
CONFIG_DEBUG_CREDENTIALS | y | kspp | self_protection || FAIL: "is not set"
CONFIG_DEBUG_NOTIFIERS | y | kspp | self_protection || FAIL: "is not set"
CONFIG_MODULE_SIG_FORCE | y | kspp | self_protection || FAIL: not found
CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection || OK: not found
CONFIG_GCC_PLUGIN_STACKLEAK | y | my | self_protection || FAIL: not found
CONFIG_SLUB_DEBUG_ON | y | my | self_protection || FAIL: not found
CONFIG_SECURITY_DMESG_RESTRICT | y | my | self_protection || OK
CONFIG_STATIC_USERMODEHELPER | y | my | self_protection || FAIL: not found
CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection || FAIL: "y"
CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection || OK
CONFIG_SECURITY | y | ubuntu18 | security_policy || OK
CONFIG_SECURITY_YAMA | y | ubuntu18 | security_policy || FAIL: not found
CONFIG_SECURITY_SELINUX_DISABLE | is not set | ubuntu18 | security_policy || OK: not found
CONFIG_SECCOMP | y | ubuntu18 | cut_attack_surface || OK
CONFIG_SECCOMP_FILTER | y | ubuntu18 | cut_attack_surface || OK
CONFIG_STRICT_DEVMEM | y | ubuntu18 | cut_attack_surface || OK
CONFIG_ACPI_CUSTOM_METHOD | is not set | ubuntu18 | cut_attack_surface || OK: not found
CONFIG_COMPAT_BRK | is not set | ubuntu18 | cut_attack_surface || OK
CONFIG_DEVKMEM | is not set | ubuntu18 | cut_attack_surface || OK: not found
CONFIG_COMPAT_VDSO | is not set | ubuntu18 | cut_attack_surface || OK: not found
CONFIG_X86_PTDUMP | is not set | ubuntu18 | cut_attack_surface || OK: not found
CONFIG_ZSMALLOC_STAT | is not set | ubuntu18 | cut_attack_surface || OK: not found
CONFIG_PAGE_OWNER | is not set | ubuntu18 | cut_attack_surface || OK: not found
CONFIG_DEBUG_KMEMLEAK | is not set | ubuntu18 | cut_attack_surface || OK: not found
CONFIG_BINFMT_AOUT | is not set | ubuntu18 | cut_attack_surface || OK: not found
CONFIG_IO_STRICT_DEVMEM | y | kspp | cut_attack_surface || OK
CONFIG_LEGACY_VSYSCALL_NONE | y | kspp | cut_attack_surface || FAIL: "is not set"
CONFIG_BINFMT_MISC | is not set | kspp | cut_attack_surface || FAIL: "m"
CONFIG_INET_DIAG | is not set | kspp | cut_attack_surface || FAIL: "m"
CONFIG_KEXEC | is not set | kspp | cut_attack_surface || OK: not found
CONFIG_PROC_KCORE | is not set | kspp | cut_attack_surface || OK: not found
CONFIG_LEGACY_PTYS | is not set | kspp | cut_attack_surface || OK
CONFIG_IA32_EMULATION | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_X86_X32 | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_MODIFY_LDT_SYSCALL | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_HIBERNATION | is not set | kspp | cut_attack_surface || OK: not found
CONFIG_KPROBES | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_UPROBES | is not set |grsecurity| cut_attack_surface || OK
CONFIG_GENERIC_TRACER | is not set |grsecurity| cut_attack_surface || OK: not found
CONFIG_PROC_VMCORE | is not set |grsecurity| cut_attack_surface || OK: not found
CONFIG_PROC_PAGE_MONITOR | is not set |grsecurity| cut_attack_surface || OK: not found
CONFIG_USELIB | is not set |grsecurity| cut_attack_surface || OK: not found
CONFIG_CHECKPOINT_RESTORE | is not set |grsecurity| cut_attack_surface || OK: not found
CONFIG_USERFAULTFD | is not set |grsecurity| cut_attack_surface || OK: not found
CONFIG_HWPOISON_INJECT | is not set |grsecurity| cut_attack_surface || OK: not found
CONFIG_MEM_SOFT_DIRTY | is not set |grsecurity| cut_attack_surface || OK: not found
CONFIG_DEVPORT | is not set |grsecurity| cut_attack_surface || OK: not found
CONFIG_DEBUG_FS | is not set |grsecurity| cut_attack_surface || OK: not found
CONFIG_NOTIFIER_ERROR_INJECTION | is not set |grsecurity| cut_attack_surface || OK: not found
CONFIG_KEXEC_FILE | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_LIVEPATCH | is not set | my | cut_attack_surface || OK: not found
CONFIG_USER_NS | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_IP_DCCP | is not set | my | cut_attack_surface || FAIL: "m"
CONFIG_IP_SCTP | is not set | my | cut_attack_surface || FAIL: "m"
CONFIG_FTRACE | is not set | my | cut_attack_surface || OK: not found
CONFIG_PROFILING | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_BPF_JIT | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_BPF_SYSCALL | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_ARCH_MMAP_RND_BITS | 32 | my |userspace_protection|| FAIL: "27"
[-] config check is NOT PASSED: 42 errors
Last edited by timbgo on 2018-08-21 20:42, edited 1 time in total.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?
Re: Grsecurity/Pax installation on Debian GNU/Linux
The same script, on the latest stock Debian kernel:
kconfig-hardened-check.py -c /boot/config-4.16.0-2-amd64
Errors 47 this config vs 42 the config of the 4.9.122 that I make the packages available of (see immediately previous post to this).
.
So... It's still probably safer with the free grsec kernel (dappersec)... Sorely missing the protections from Meltdown and Spectre, but most other protectiions are in place. And pls. note that it's a dev from the KSPP team. Hardly biased towards grsec.
kconfig-hardened-check.py -c /boot/config-4.16.0-2-amd64
Code: Select all
[+] Checking "/boot/config-4.16.0-2-amd64" against hardening preferences...
option name | desired val | decision | reason || check result
===================================================================================================================
CONFIG_BUG | y | ubuntu18 | self_protection || OK
CONFIG_PAGE_TABLE_ISOLATION | y | ubuntu18 | self_protection || OK
CONFIG_RETPOLINE | y | ubuntu18 | self_protection || OK
CONFIG_X86_64 | y | ubuntu18 | self_protection || OK
CONFIG_STRICT_KERNEL_RWX | y | ubuntu18 | self_protection || OK
CONFIG_DEBUG_WX | y | ubuntu18 | self_protection || OK
CONFIG_RANDOMIZE_BASE | y | ubuntu18 | self_protection || OK
CONFIG_RANDOMIZE_MEMORY | y | ubuntu18 | self_protection || OK
CONFIG_STACKPROTECTOR_STRONG | y | ubuntu18 | self_protection ||CONFIG_CC_STACKPROTECTOR_STRONG: OK ("y")
CONFIG_VMAP_STACK | y | ubuntu18 | self_protection || OK
CONFIG_THREAD_INFO_IN_TASK | y | ubuntu18 | self_protection || OK
CONFIG_SCHED_STACK_END_CHECK | y | ubuntu18 | self_protection || OK
CONFIG_SLUB_DEBUG | y | ubuntu18 | self_protection || OK
CONFIG_SLAB_FREELIST_HARDENED | y | ubuntu18 | self_protection || OK
CONFIG_SLAB_FREELIST_RANDOM | y | ubuntu18 | self_protection || OK
CONFIG_HARDENED_USERCOPY | y | ubuntu18 | self_protection || OK
CONFIG_FORTIFY_SOURCE | y | ubuntu18 | self_protection || OK
CONFIG_STRICT_MODULE_RWX | y | ubuntu18 | self_protection || OK
CONFIG_MODULE_SIG | y | ubuntu18 | self_protection || FAIL: "is not set"
CONFIG_MODULE_SIG_ALL | y | ubuntu18 | self_protection || FAIL: not found
CONFIG_MODULE_SIG_SHA512 | y | ubuntu18 | self_protection || FAIL: not found
CONFIG_SYN_COOKIES | y | ubuntu18 | self_protection || OK
CONFIG_DEFAULT_MMAP_MIN_ADDR | 65536 | ubuntu18 | self_protection || OK
CONFIG_BUG_ON_DATA_CORRUPTION | y | kspp | self_protection || OK
CONFIG_PAGE_POISONING | y | kspp | self_protection || OK
CONFIG_GCC_PLUGINS | y | kspp | self_protection || FAIL: "is not set"
CONFIG_GCC_PLUGIN_RANDSTRUCT | y | kspp | self_protection || FAIL: not found
CONFIG_GCC_PLUGIN_STRUCTLEAK | y | kspp | self_protection || FAIL: not found
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL | y | kspp | self_protection || FAIL: not found
CONFIG_GCC_PLUGIN_LATENT_ENTROPY | y | kspp | self_protection || FAIL: not found
CONFIG_REFCOUNT_FULL | y | kspp | self_protection || OK
CONFIG_DEBUG_LIST | y | kspp | self_protection || OK
CONFIG_DEBUG_SG | y | kspp | self_protection || FAIL: "is not set"
CONFIG_DEBUG_CREDENTIALS | y | kspp | self_protection || FAIL: "is not set"
CONFIG_DEBUG_NOTIFIERS | y | kspp | self_protection || FAIL: "is not set"
CONFIG_MODULE_SIG_FORCE | y | kspp | self_protection || FAIL: not found
CONFIG_HARDENED_USERCOPY_FALLBACK | is not set | kspp | self_protection || OK
CONFIG_GCC_PLUGIN_STACKLEAK | y | my | self_protection || FAIL: not found
CONFIG_SLUB_DEBUG_ON | y | my | self_protection || FAIL: "is not set"
CONFIG_SECURITY_DMESG_RESTRICT | y | my | self_protection || OK
CONFIG_STATIC_USERMODEHELPER | y | my | self_protection || FAIL: "is not set"
CONFIG_PAGE_POISONING_NO_SANITY | is not set | my | self_protection || FAIL: "y"
CONFIG_PAGE_POISONING_ZERO | is not set | my | self_protection || OK
CONFIG_SECURITY | y | ubuntu18 | security_policy || OK
CONFIG_SECURITY_YAMA | y | ubuntu18 | security_policy || OK
CONFIG_SECURITY_SELINUX_DISABLE | is not set | ubuntu18 | security_policy || OK
CONFIG_SECCOMP | y | ubuntu18 | cut_attack_surface || OK
CONFIG_SECCOMP_FILTER | y | ubuntu18 | cut_attack_surface || OK
CONFIG_STRICT_DEVMEM | y | ubuntu18 | cut_attack_surface || OK
CONFIG_ACPI_CUSTOM_METHOD | is not set | ubuntu18 | cut_attack_surface || OK
CONFIG_COMPAT_BRK | is not set | ubuntu18 | cut_attack_surface || OK
CONFIG_DEVKMEM | is not set | ubuntu18 | cut_attack_surface || OK
CONFIG_COMPAT_VDSO | is not set | ubuntu18 | cut_attack_surface || OK
CONFIG_X86_PTDUMP | is not set | ubuntu18 | cut_attack_surface || OK
CONFIG_ZSMALLOC_STAT | is not set | ubuntu18 | cut_attack_surface || OK
CONFIG_PAGE_OWNER | is not set | ubuntu18 | cut_attack_surface || OK
CONFIG_DEBUG_KMEMLEAK | is not set | ubuntu18 | cut_attack_surface || OK
CONFIG_BINFMT_AOUT | is not set | ubuntu18 | cut_attack_surface || OK: not found
CONFIG_IO_STRICT_DEVMEM | y | kspp | cut_attack_surface || OK
CONFIG_LEGACY_VSYSCALL_NONE | y | kspp | cut_attack_surface || OK
CONFIG_BINFMT_MISC | is not set | kspp | cut_attack_surface || FAIL: "m"
CONFIG_INET_DIAG | is not set | kspp | cut_attack_surface || FAIL: "m"
CONFIG_KEXEC | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_PROC_KCORE | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_LEGACY_PTYS | is not set | kspp | cut_attack_surface || OK
CONFIG_IA32_EMULATION | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_X86_X32 | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_MODIFY_LDT_SYSCALL | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_HIBERNATION | is not set | kspp | cut_attack_surface || FAIL: "y"
CONFIG_KPROBES | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_UPROBES | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_GENERIC_TRACER | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_PROC_VMCORE | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_PROC_PAGE_MONITOR | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_USELIB | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_CHECKPOINT_RESTORE | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_USERFAULTFD | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_HWPOISON_INJECT | is not set |grsecurity| cut_attack_surface || FAIL: "m"
CONFIG_MEM_SOFT_DIRTY | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_DEVPORT | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_DEBUG_FS | is not set |grsecurity| cut_attack_surface || FAIL: "y"
CONFIG_NOTIFIER_ERROR_INJECTION | is not set |grsecurity| cut_attack_surface || FAIL: "m"
CONFIG_KEXEC_FILE | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_LIVEPATCH | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_USER_NS | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_IP_DCCP | is not set | my | cut_attack_surface || FAIL: "m"
CONFIG_IP_SCTP | is not set | my | cut_attack_surface || FAIL: "m"
CONFIG_FTRACE | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_PROFILING | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_BPF_JIT | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_BPF_SYSCALL | is not set | my | cut_attack_surface || FAIL: "y"
CONFIG_ARCH_MMAP_RND_BITS | 32 | my |userspace_protection|| FAIL: "28"
[-] config check is NOT PASSED: 47 errors
.
So... It's still probably safer with the free grsec kernel (dappersec)... Sorely missing the protections from Meltdown and Spectre, but most other protectiions are in place. And pls. note that it's a dev from the KSPP team. Hardly biased towards grsec.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?
Re: Grsecurity/Pax installation on Debian GNU/Linux
https://www.croatiafidelis.hr/gnu/deb/l ... 180914-10/
see previous posts for how to install it and other.
see previous posts for how to install it and other.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?
Re: Grsecurity/Pax installation on Debian GNU/Linux
https://www.croatiafidelis.hr/gnu/deb/l ... 180924-07/
see previous posts for how to install it and other.
see previous posts for how to install it and other.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?
Re: Grsecurity/Pax installation on Debian GNU/Linux
No, it's probably not... While I haven't sudied those in depth, it's probably the Meltdown and Spectre that are the most important to have countermeasures in your kernel against, and grsec/dappersec can't at this time, and there seem no interest from spender and PaX Team, the authors... and grsec/dappersec can't protect you from those...timbgo wrote:So... It's still probably safer with the free grsec kernel (dappersec)... Sorely missing the protections from Meltdown and Spectre, but most other protectiions are in place. And pls. note that it's a dev from the KSPP team. Hardly biased towards grsec.
I think I'm closing my engagement with what is left in the open FOSS world of grsecurity.
See also:
https://github.com/dapperlinux/dapper-s ... -427653248
and
https://github.com/minipli/linux-unoffi ... -427652732
Regards!
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: Grsecurity/Pax installation on Debian GNU/Linux
The Arch repositories have started including a linux-hardened package:
https://git.archlinux.org/svntogit/pack ... x-hardened
If I have the time I may attempt to package this up for Debian (or maybe a version for the LTS branch with the same configuration) because I think we need a hardened kernel version as well.
For the interested, here is a great Masters thesis that covers the subject of kernel vulnerabilities in some depth:
https://github.com/maxking/linux-vulner ... s-10-years
https://git.archlinux.org/svntogit/pack ... x-hardened
If I have the time I may attempt to package this up for Debian (or maybe a version for the LTS branch with the same configuration) because I think we need a hardened kernel version as well.
For the interested, here is a great Masters thesis that covers the subject of kernel vulnerabilities in some depth:
https://github.com/maxking/linux-vulner ... s-10-years
deadbang