Grsecurity/Pax installation on Debian GNU/Linux

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#16 Post by timbgo »

This below is actually the script that can be downloaded from:
http://www.croatiafidelis.hr/gnu/deb/src-3.12.8-grsec/
EDIT START Sat Jan 18 15:24:54 EST 2014
All the files there are some 360MB, and while compiling with this script is safer, for newbies willing to try at their own risk, downloading the Debian packages into a newly created directory and running (as root):
# dpkg -i *.deb
could install the Grsecurity patched kernel without much fuss. (Then no development tools installation is needed.)
EDIT END
See more talk about it at the bottom.

Code:

#!/bin/bash
#
# This is grsec_debian_v3.12.8.sh
#
# copyright  Miroslav Rovis, Zagreb, Croatia, www.CroatiaFidelis.hr
# (the above needs to be cited if the script is modified/further developed,
# even if my NGO Croatia Fidelis were to be shut down by my country's regime,
# as well as if the script is used as basis for later kernel versions
# patching and compilations)
#
# licenced under GNU v3.0 or later, at your choice
#
# How to use this script?
# =======================
# In case of issues, the user needs to consult official Debian documentation,
# such as Debian Kernel Handbook, as well as Grsecurity documentation, and
# other documentation and manuals, wikis and forums.
# 'chmod 755 grsec_debian_v3.12.8.sh' once you downloaded this script, place
# it, best, in your homedir, and follow instructions as you run it. If you
# encounter problems, modify for your needs. Also, pls. report errors on Debian
# Forums where I made the Tips page:
# "Grsecurity/Pax installation on Debian GNU Linux"
# but pls. if you will be waiting for my replies, it could take days and longer
# sometimes. Thank you!
#
echo
echo "  Caveat emptor! " 
echo
echo "  Do not use this script if you do not understand  " 
echo " what you are doing. You are responsible if anything "
echo " breaks in your system (possible!) "
echo " "
echo " OTOH, maybe you could open it in another terminal for "
echo " perusing each next step before hitting Enter to run "
echo " that next step, one by one in this terminal."
echo " Of course you should be checking yourself how the script is"
echo " faring, are the commands doing the intended and all."
echo " This is GNU Linux after all."
echo
echo "The script contains some code which is clumsy, but does the work; the"
echo "following: it is populated with 'read FAKE ;' lines. That is just"
echo "someone's (mine, who knows no better yet), way to tell you to decide"
echo "to continue running the script or issue Ctrl-C to kill it."
echo
        read FAKE ;
echo
echo "Tell this script what your username is, so we can create the workspace."
read user ;
echo "If you are user $user and your homedir is /home/$user/ then this"
echo "script should work for you. If not, modify the script to suit you."
        read FAKE ;
echo "We create next two directories in your homedir, 'dLo' for the downloads,"
echo "and 'src' for the compilation. Will not create them if they exist,"
echo "but pls. you make sure that nothing in them obstructs this script,"
echo "meaning, we'll run command: 'mkdir -pv /home/$user/dLo/ /home/$user/src/'"
        read FAKE ;
mkdir -pv /home/$user/dLo/ /home/$user/src/
echo ; echo ls -l /home/$user/dLo/ /home/$user/src/ ;
ls -l /home/$user/dLo/ /home/$user/src/
echo ; echo cd /home/$user/dLo/ ;
cd /home/$user/dLo/ ; pwd ;
echo ; echo "We download next the kernel, the patch, the config to use."
echo "In case you already did, you'll see info and/or innocuous errors."
echo "I only want the script to work, can't polish it. Sorry!"
        read FAKE ;
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.12.8.tar.sign
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.12.8.tar.xz
wget -nc https://www.grsecurity.net/test/grsecurity-3.0-3.12.8-201401160931.patch
wget -nc https://www.grsecurity.net/test/grsecurity-3.0-3.12.8-201401160931.patch.sig
wget -nc http://www.croatiafidelis.hr/gnu/deb/config-3.12.7-grsec-140113-16.sig
wget -nc http://www.croatiafidelis.hr/gnu/deb/config-3.12.7-grsec-140113-16.gz

echo ; echo "Import my new key, because I had to revoke the previous one:"
echo  "gpg --recv-key 0x4FBAF0AE"
        read FAKE ;
# The long option takes two dashes; 'gpg -recv-key' is not accepted by gpg.
gpg --recv-key 0x4FBAF0AE
echo ; echo "Next, copy all downloads to /home/$user/src/"
        read FAKE ;
cp -iav linux-3.12.8.tar.* /home/$user/src/
cp -iav grsecurity-3.0-3.12.8-201401160931.patch* /home/$user/src/
cp -iav config-3.12.7-grsec-140113-16* /home/$user/src/
cd /home/$user/src/ ; pwd
ls -l linux-3.12.8*
        read FAKE ;
echo ; echo unxz linux-3.12.8.tar.xz ;
        read FAKE ; 
 unxz linux-3.12.8.tar.xz ;
echo ; echo gpg --verify linux-3.12.8.tar.sign ;
        read FAKE ; 
 gpg --verify linux-3.12.8.tar.sign ;
echo ; echo gpg --verify grsecurity-3.0-3.12.8-201401160931.patch.sig;
        read FAKE ; 
 gpg --verify grsecurity-3.0-3.12.8-201401160931.patch.sig;
echo ; echo gunzip config-3.12.7-grsec-140113-16.gz;
        read FAKE ; 
 gunzip config-3.12.7-grsec-140113-16.gz;
echo ; echo gpg --verify config-3.12.7-grsec-140113-16.sig ;
        read FAKE ; 
 gpg --verify config-3.12.7-grsec-140113-16.sig ;
echo ; echo tar xvf linux-3.12.8.tar ;
        read FAKE ; 
 tar xvf linux-3.12.8.tar ;
echo ; echo cd linux-3.12.8;
        read FAKE ; 
 cd linux-3.12.8; pwd
echo ; echo "patch -p1 < ../grsecurity-3.0-3.12.8-201401160931.patch";
        read FAKE ; 
 patch -p1 < ../grsecurity-3.0-3.12.8-201401160931.patch
echo ; echo cd ../;
 cd ../ ; pwd
        read FAKE ; 
echo ; echo cp -iav config-3.12.7-grsec-140113-16 linux-3.12.8/.config;
        read FAKE ; 
 cp -iav config-3.12.7-grsec-140113-16 linux-3.12.8/.config
echo ; echo cd linux-3.12.8;
        read FAKE ; 
 cd linux-3.12.8
pwd
echo ; echo "Here we modify the LOCALVERSION variable to be -YYMMDD-HH"
locver=`date +%y%m%d-%H`
echo $locver
read FAKE ;
echo sed -i.bak "s/140113-16/$locver/" .config
read FAKE ;
sed -i.bak "s/140113-16/$locver/" .config
echo ; echo "And we need to check that we did what we meant:"
grep LOCALVERSION .config
echo ; echo "And we can also move the backup out of way if it went well."
mv -vi .config.bak ../ ;
echo ; echo make menuconfig;
        read FAKE ; 
echo "If here you will see the script complaining:"
echo "./grsec_debian_v3.12.8.sh: line 125: make: command not found"
echo "then you need to install the development tools (don't worry,"
echo "nothing much ;-) Pls. find instructions in some of my previous/later"
echo "posts in this Tip, or read the script itself at this point."
# Huh? You found it? Probably these commands would get you all you're missing at
# this point:
# # apt-get install build-essential fakeroot ;
# # apt-get build-dep linux ;
# #  apt-get install libncurses5-dev ;
# that's not an error '# #'. Run as root. If run as user you would see '# $'
# instead.
# And there's more, essential for Grsecurity/Pax install:
# # apt-get install gcc-4.8-plugin-dev

 make menuconfig
echo ; echo "The diff .config below will only show differences if you edited"
echo "the config through the ncurses menuconfig interface. You may not and"
echo "you may need to, in case, say, you have some exotic hardware and"
echo "functionality is later found missing for you."
echo diff .config*;
 diff .config*
        echo
        echo ; echo "Now this, the next one, can be a longer one step
              in the process..."
        echo
echo ; echo fakeroot make deb-pkg;
        read FAKE ; 
 fakeroot make deb-pkg


        echo ; echo "Here, the deb packages ought to be there..."
        read FAKE ; 
echo ; echo cd ../ ;
cd ../ ; pwd ;
        read FAKE ; 
ls -l *.deb
        echo ; echo "If you see the packages named linux-XXXXXX-grsec-XXX.deb ,
             above and if you already used paxctl on grub binaries as
             I took care to explain in detail, you're at your
             last step."
        echo ; echo "But, that step you need to execute as root, so it
             is not part of this script executed all as user."
        read FAKE ; 
pwd
msgbeforeroot1="As root in directory /home/$user/src/ issue this command"
msgbeforeroot2="dpkg -i *.deb"
echo ; echo $msgbeforeroot1
echo ; echo "$msgbeforeroot2"

echo "If no errors there, you can reboot."
echo "Upon rebooting, you too should get something like I did below:"
echo "Pls. look up the rest of the script, for that and for a message"
echo "to users of Debian GNU Linux"
# $ uname -a
# 
# $

# But I despise so much the fact that the best GNU Linux security is blocked
# from official Debian GNU Linux, that I intend to use my slow connection, a
# fraction of what I pay for, being myself a homeland living dissident whom the
# traitors in power in my Croatia, try to keep under control through
# censorship like that and worse.. Illegally they do so, but those are a bunch
# of criminals, most of them, anyways... That exactly is what my friend Marko
# Francišković said to some of their servants, police officers, and is now
# paying for those words with being tortured, by being administered to him very
# hazardous medicament like Zypress (if I got the brand name of that sh*t
# correctly), and his life is in real danger.
# 
# But I was saying that I so much despise the fact that the best GNU Linux
# security is blocked from official Debian GNU Linux, that I intend to use my
# slow connection, a fraction of what I pay for, to try and upload these
# Grsecurity patched Debian GNU Linux packages I compiled, on
# www.CroatiaFidelis. And that task might take me a few hours to even ten or
# more hours time.
# 
# That's the measure of my disgust of the Debian GNU Linux leaders having
# practically and effectively, and for all intents and purposes, banned
# Grsecurity from anything official in Debian GNU Linux.
# 
# And yet it is such a small effort to compile Grsecurity/Pax patched GNU Linux
# kernel for Debian GNU Linux, that a user who may only be considered somewhat
# advanced and never really a developer, can do it.
# 
# And pls. let me know if this works for you, dear Debian GNU Linux user!  Those
# who know how to compile, and those who hopefully learn how to compile through
# my Tips pages on Debian Forums, pls. get active. We have to get a branch in
# the Official Debian GNU Linux repositories, this way, some other way or in
# yet other fashion, shape, form or shape, this huge injustice against us the
# users and against shiny honest developers Spender and Pax Team has to be
# reversed!
# 
# Miroslav Rovis, Zagreb, Croatia, Vankina 4, +385(0)16602633, +385(0)912660202
# (but you could only reach me if secret services here allow your call through)
# 
# miro.rovis@croatiafidelis.hr (but you have to be patient awaiting my replies,
# really!, and, sure, only if those evildoers let it through)
# 
# So the safest places to post a message to me, is on Debian Forums, and on
# Grsecurity Forums, the latter especially if you have private messages for me.
# But again, be patient awaiting for my replies!
# 
# Alternative sites, if www.CroatiaFidelis.hr "disappeared": www.exDeo.com and
# www.vankina2-10.com
# 

Pls. see also Grsecurity Forums, newbies topic, if it is, say, a problem more related strictly to Grsecurity:
https://forums.grsecurity.net/viewtopic.php?f=3&t=3835
and of course, if it is more Debian specific, then in this topic, where you are reading these lines.
Only two things are due, for those who might go and try and download and install my packages:
1) at your own responsibility, works for me, might and might not for you, might even break your system, I don't think it really could, but I don't know and guarantee nothing
2) For those who install and are not home yet with Grsecurity/Pax...
get paxctl somewhere. The Iceweasel won't work out of the box, and maybe some other programs, but it's a simple fix to do it...
God, I'm so tired, but I can't go to sleep before I post that small little tip in here, right away...
I think it's:
# apt-get install paxctl
and then
# paxctl -cm /usr/lib/iceweasel/iceweasel

Miroslav Rovis,
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?
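
The script in this post pauses after each `gpg --verify` and leaves it to the reader to judge the output. As an added example (not part of the original post or of the author's script), the sketch below makes that step fail closed by parsing gpg's machine-readable status lines and comparing the signer's full fingerprint. The function names and the `KERNEL_FPR`, `GRSEC_FPR` and `CONFIG_FPR` variables are assumptions, and their values are placeholders to be replaced with full fingerprints confirmed out of band, because the 8-hex key IDs passed to `--recv-key` do not uniquely identify a key.

```shell
#!/bin/bash
# Added example: fail-closed signature checks for the files the 3.12.8 script
# downloads. The three fingerprints are PLACEHOLDERS, not real key data.
KERNEL_FPR="REPLACE_WITH_KERNEL_SIGNER_FINGERPRINT"
GRSEC_FPR="REPLACE_WITH_GRSECURITY_SIGNER_FINGERPRINT"
CONFIG_FPR="REPLACE_WITH_CONFIG_SIGNER_FINGERPRINT"

# Read `gpg --status-fd` lines on stdin. Succeed only when a VALIDSIG line names
# the expected primary-key fingerprint and no line reports a bad, unverifiable,
# expired or revoked signature. Empty input (gpg missing or crashed) fails.
status_ok() {
    local want
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 1
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary-key fingerprint, field 3 the signing (sub)key.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == want) good = 1
        }
        END { exit !(good && !bad) }
    '
}

# verify_detached <expected-fingerprint> <signature-file> <signed-file>
verify_detached() {
    gpg --batch --status-fd 1 --verify "$2" "$3" </dev/null 2>/dev/null |
        status_ok "$1"
}

# Verify the three downloads in directory $1 and stop at the first failure.
verify_all() {
    local dir=$1 fpr sig data
    while IFS='|' read -r fpr sig data; do
        if verify_detached "$fpr" "$dir/$sig" "$dir/$data"; then
            echo "OK      $data"
        else
            echo "FAILED  $data: do not unpack, patch or build" >&2
            return 1
        fi
    done <<EOF
$KERNEL_FPR|linux-3.12.8.tar.sign|linux-3.12.8.tar
$GRSEC_FPR|grsecurity-3.0-3.12.8-201401160931.patch.sig|grsecurity-3.0-3.12.8-201401160931.patch
$CONFIG_FPR|config-3.12.7-grsec-140113-16.sig|config-3.12.7-grsec-140113-16
EOF
}

# Constructed status lines (not real gpg output) for a dry run without gpg.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
sample_status() {   # sample_status GOODSIG|REVKEYSIG|BADSIG
    echo "[GNUPG:] NEWSIG"
    echo "[GNUPG:] $1 89ABCDEF01234567 Constructed Signer"
    [ "$1" = BADSIG ] ||
        echo "[GNUPG:] VALIDSIG $SAMPLE_FPR 2014-01-30 1391100000 0 4 0 1 8 00 $SAMPLE_FPR"
}

if [ $# -ge 1 ]; then
    verify_all "$1"
else
    for kind in GOODSIG REVKEYSIG BADSIG; do
        if sample_status "$kind" | status_ok "$SAMPLE_FPR"; then r=accept; else r=reject; fi
        echo "$kind -> $r"
    done
fi
```

Run it with the directory holding the unpacked downloads as its argument, before the `tar xvf` and `patch` steps; without arguments it only replays the constructed status lines.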

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#17 Post by timbgo »

http://www.croatiafidelis.hr/gnu/deb/src-3.13.1-grsec/
All can be found there, but I can post the new script here.
A note first, though. I compiled it yesterday with the old patch.
So if anyone is venturing to compile their own Grsecurity patched kernel, they should use:

http://www.croatiafidelis.hr/gnu/deb/sr ... W_PATCH.sh

and it should just work.

Now, here the script which contains

########################
an open note
####################

to Debian leaders:

Code:

#!/bin/bash
#
# This is grsec_debian_v3.13.1.sh
#
# copyright  Miroslav Rovis, Zagreb, Croatia, www.CroatiaFidelis.hr
# (the above needs to be cited if the script is modified/further developed,
# even if my NGO Croatia Fidelis were to be shut down by my country's regime,
# as well as if the script is used as basis for later kernel versions
# patching and compilations)
#
# licenced under GNU v3.0 or later, at your choice
#
# How to use this script?
# =======================
# In case of issues, the user needs to consult official Debian documentation,
# such as Debian Kernel Handbook, as well as Grsecurity documentation, and
# other documentation and manuals, wikis and forums.
# 'chmod 755 grsec_debian_v3.13.1.sh' once you downloaded this script, place
# it, best, in your homedir, and follow instructions as you run it. If you
# encounter problems, modify for your needs. Also, pls. report errors on Debian
# Forums where I made the Tips page:
# "Grsecurity/Pax installation on Debian GNU Linux"
# but pls. if you will be waiting for my replies, it could take days and longer
# sometimes. Thank you!
#
echo
echo "  Caveat emptor! " 
echo
echo "  Do not use this script if you do not understand  " 
echo " what you are doing. You are responsible if anything "
echo " breaks in your system (possible!) "
echo
echo " OTOH, maybe you could open it in another terminal for "
echo " perusing each next step before hitting Enter to run "
echo " that next step, one by one in this terminal."
echo " Of course you should be checking yourself how the script is"
echo " faring, are the commands doing the intended and all."
echo " This is GNU Linux after all."
echo
echo "The script contains some code which is clumsy, but does the work; the"
echo "following: it is populated with 'read FAKE ;' lines. That is just"
echo "someone's (mine, who knows no better yet), way to tell you to decide"
echo "to continue running the script hitting Enter or issue Ctrl-C to kill it."
echo
        read FAKE ;
echo
echo "Tell this script what your username is, so we can create the workspace."
read user ;
echo "If you are user $user and your homedir is /home/$user/ then this"
echo "script should work for you. If not, modify the script to suit you."
        read FAKE ;
echo "We create next two directories in your homedir, 'dLo' for the downloads,"
echo "and 'src' for the compilation. Will not create them if they exist,"
echo "but pls. you make sure that nothing in them obstructs this script,"
echo "meaning, we'll run command: 'mkdir -pv /home/$user/dLo/ /home/$user/src/'"
echo "A note is due here. If you don't have at least 10GB free in your homedir,"
echo "you need to modify the script such as to make the /home/$user/src a"
echo "symlink to somewhere with enough room for the compilation"
        read FAKE ;
mkdir -pv /home/$user/dLo/ /home/$user/src/
echo ; echo ls -l /home/$user/dLo/ /home/$user/src/ ;
ls -l /home/$user/dLo/ /home/$user/src/
echo ; echo cd /home/$user/dLo/ ;
        read FAKE ;
cd /home/$user/dLo/ ; pwd ;
echo ; echo "We download next the kernel, the patch, the config to use."
echo "In case you already did, you'll see info and/or innocuous errors."
echo "I only want the script to work, can't polish it. Sorry!"
        read FAKE ;
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.13.1.tar.sign
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.13.1.tar.xz
wget -nc https://www.grsecurity.net/test/grsecurity-3.0-3.13.1-201401301657.patch
wget -nc https://www.grsecurity.net/test/grsecurity-3.0-3.13.1-201401301657.patch.sig
echo ; echo "A note about the config to use: it should work (I'll try this"
echo "script first thing after I finish this updating/rewriting it from the"
echo "previous version), it is the same as next, just the LOCALVERSION changes"
echo "so you could use config-3.12.8-grsec-140117-06 if you compiled with the"
echo "previous version of this script, just modify the lines below to that effect"
echo ;
        read FAKE ;
wget -nc http://www.croatiafidelis.hr/gnu/deb/config-3.12.7-grsec-140113-16.sig
wget -nc http://www.croatiafidelis.hr/gnu/deb/config-3.12.7-grsec-140113-16.gz

echo ; echo "Import the necessary keys:"
echo  "gpg --recv-key 0x2525FE49"
        read FAKE ;
gpg --recv-key 0x2525FE49
echo  "gpg --recv-key 0x6092693E"
        read FAKE ;
gpg --recv-key 0x6092693E

echo ; echo "Import my key:"
echo  "gpg --recv-key 0x4FBAF0AE"
        read FAKE ;
gpg --recv-key 0x4FBAF0AE

echo "You can go offline now, internet not needed while compiling."
echo "I, myself, unplug the connection physically."

echo ; echo "Next, copy all downloads to /home/$user/src/"
        read FAKE ;
cp -iav linux-3.13.1.tar.* /home/$user/src/
cp -iav grsecurity-3.0-3.13.1-201401301657.patch* /home/$user/src/
cp -iav config-3.12.7-grsec-140113-16* /home/$user/src/
cd /home/$user/src/ ; pwd
ls -l linux-3.13.1*
        read FAKE ;
echo ; echo unxz linux-3.13.1.tar.xz ;
        read FAKE ; 
 unxz linux-3.13.1.tar.xz ;
echo ; echo gpg --verify linux-3.13.1.tar.sign ;
        read FAKE ; 
 gpg --verify linux-3.13.1.tar.sign ;
echo ; echo gpg --verify grsecurity-3.0-3.13.1-201401301657.patch.sig;
        read FAKE ; 
 gpg --verify grsecurity-3.0-3.13.1-201401301657.patch.sig;
echo ; echo gunzip config-3.12.7-grsec-140113-16.gz;
        read FAKE ; 
 gunzip config-3.12.7-grsec-140113-16.gz;
echo ; echo gpg --verify config-3.12.7-grsec-140113-16.sig ;
        read FAKE ; 
 gpg --verify config-3.12.7-grsec-140113-16.sig ;
echo ; echo tar xvf linux-3.13.1.tar ;
        read FAKE ; 
 tar xvf linux-3.13.1.tar ;
echo ; echo cd linux-3.13.1;
        read FAKE ; 
 cd linux-3.13.1; pwd
echo ; echo "patch -p1 < ../grsecurity-3.0-3.13.1-201401301657.patch";
        read FAKE ; 
 patch -p1 < ../grsecurity-3.0-3.13.1-201401301657.patch
echo ; echo cd ../;
 cd ../ ; pwd
        read FAKE ; 
echo ; echo cp -iav config-3.12.7-grsec-140113-16 linux-3.13.1/.config;
        read FAKE ; 
 cp -iav config-3.12.7-grsec-140113-16 linux-3.13.1/.config
echo ; echo cd linux-3.13.1;
        read FAKE ; 
 cd linux-3.13.1
pwd
echo ; echo "Here we modify the LOCALVERSION variable to be -YYMMDD-HH"
locver=`date +%y%m%d-%H`
echo $locver
read FAKE ;
echo sed -i.bak "s/140113-16/$locver/" .config
read FAKE ;
sed -i.bak "s/140113-16/$locver/" .config
echo ; echo "And we need to check that we did what we meant:"
grep LOCALVERSION .config
echo ; echo "And we can also move the backup out of way if it went well."
mv -vi .config.bak ../ ;
echo ; echo make menuconfig;
        read FAKE ; 
echo "If here you will see the script complaining:"
echo "./grsec_debian_v3.13.1.sh: line 125: make: command not found"
echo "then you need to install the development tools. Don't worry,"
echo "nothing much. Pls. find instructions in some of my previous/later"
echo "posts in this Tip, or read the script itself at this point."
# Huh? You found it? Probably these commands would get you all you're missing at
# this point:
# # apt-get install build-essential fakeroot ;
# # apt-get build-dep linux ;
# #  apt-get install libncurses5-dev ;
# that's not an error '# #'. Run as root. If run as user I would write '# $'
# instead, where the first # is necessary to make those lines comments
# in both cases.
# And there's more, essential for Grsecurity/Pax install:
# # apt-get install gcc-4.8-plugin-dev
# The lines above I won't be checking, since I have dev tools installed.
# Reports are welcome.

 make menuconfig
echo ; echo "The diff .config below will only show differences if you edited"
echo "the config through the ncurses menuconfig interface. You may not and"
echo "you may need to, in case, say, you have some exotic hardware and"
echo "functionality is later found missing for you."
echo diff .config*;
 diff .config*
        echo
        echo ; echo "Now this, the next one, can be a longer one step \
              in the process..."
        echo
echo ; echo fakeroot make deb-pkg;
        read FAKE ; 
 fakeroot make deb-pkg


        echo ; echo "Here, the deb packages ought to be there..."
        read FAKE ; 
echo ; echo cd ../ ;
cd ../ ; pwd ;
        read FAKE ; 
ls -l *.deb
        echo ; echo "If you see the packages named linux-XXXXXX-grsec-XXX.deb ,"
        echo "above and if you already used paxctl on grub binaries as"
        echo "I took care to explain in detail in my Tips (above or linked"
        echo "somewhere, you're at your last step."
        echo ; echo "But, that step you need to execute as root, so it"
        echo "is not part of this script executed entire as user."
        read FAKE ; 
pwd
msgbeforeroot1="As root in directory /home/$user/src/ issue this command"
msgbeforeroot2="dpkg -i *.deb"
echo ; echo $msgbeforeroot1
echo ; echo "$msgbeforeroot2"

echo "And then, if no errors there, you can reboot."
echo "Upon rebooting, you too should get something like I did below:"
echo "Pls. look up the rest of the script, for that and for a message"
echo "to users of Debian GNU Linux"
# $ uname -a
# 
# $

# But I despise so much the fact that the best GNU Linux security is blocked
# and probably artificial, fabricated, manufactured issues introduced to arise
# in the Debian system once it is installed and Grsec kernel started and the
# system connects online, as I might be able to demonstrate that those issues I
# had since my installation of 3.21.8 version two weeks ago. Reasons for my
# suspicion: no issues in the system until only offline, freshly cloned, as I
# do them, from other same hardware of my systems, safely offline, and strange
# issues arising solely after the system has connected to internet... And
# again, no issues with sysresccd booting and accessing internet from the same
# box.
#
# But, I was saying, I despise so much the fact that the best GNU Linux
# security is blocked from official Debian GNU Linux, that I intend to use my
# slow connection, a fraction speed of what I pay for, being myself a homeland
# living dissident whom the traitors in power in my Croatia try to keep under
# control through censorship like that and worse.. Illegally they do so, but
# those are a bunch of criminals, most of them, anyways... That exactly is what
# my friend Marko Francišković said to some of their servants, police officers,
# and is now paying for such words with being tortured, through being
# administered to him forcefully very hazardous medicaments like Zyprex (if I
# got the brand name of that sh*t correctly), and his life is in real danger.
#
# You can actually see Marko Francišković's brutal arrest by the police in a
# video that I linked to from the topic on Grsecurity Forums:
# "grsec: halting the system... kernel crash, the Debian side",
# just search for 'Marko Francišković'.
# 
# But I was saying that I so much despise the fact that the best GNU Linux
# security is blocked from official Debian GNU Linux, that I intend to use my
# slow connection, at a fraction speed of what I pay for, to try and upload
# these Grsecurity patched Debian GNU Linux packages I compiled, on
# www.CroatiaFidelis.hr . And that task might take me quite a few hours or more
# hours time. I hope to do that with the new packages that I just made, as I am
# giving a final revision to this script for Grsec patched kernel 3.13.1 for
# Debian, as I successfully uploaded them for 3.12.8 .
# 
# That's the measure of my disgust of the Debian GNU Linux leaders having
# practically and effectively, and for all intents and purposes, banned
# Grsecurity from anything official in Debian GNU Linux, and throwing in, or
# facilitating such actions by someone else, fake errors to confuse new
# Grsecurity users, as I might be able to demonstrate. That behavior, such
# hostile action or arrangements, are, apart from being severe moral
# degradation in their own right, against Debian declared social contract,
# aren't they?  Debian social contract forbids discrimination, and this is
# discrimination.
#
# Hey leaders of Debian, who either behave like a bunch of crooks, or
# facilitate crooks (state and corporate crooks, in all probability) against
# the users of Debian, you have a piece of commons, you have a property of, for
# short explanation, all good users in the world, a GNU property, a property
# which is there for all of us to benefit, and not for you to either sell users
# through your decisions and arrangements of that property, and by means of
# possibly shady dealings with spy agencies and their associates like Google,
# your great friend, or by facilitating others to do such deals and actions!
# 
# Hey leaders of Debian, you have a piece of commons which you are not allowed
# to do anything against us users with, and you are abusing it/allowing it to
# be abused against us!
#
# But I already said, in the script for the 3.12.8, and was to repeat it now, somewhat modified,
# and yet while it is such a small effort to compile Grsecurity/Pax patched GNU Linux
# kernel for Debian GNU Linux, that a user who may only be considered somewhat
# advanced and never really a developer, can do it.
#
# But, while it is small effort compiling Grsecurity into Debian, it is,
# however, not a minor effort to demonstrate how new Grsecurity attempts at
# installing and using Grsecurity are deterred, or facilitated to be deterred,
# purposefully, so go and study my work so far to decide for yourself whether
# my bare words with no proofs as yet are to be, or not, taken with, and with
# how much, serious consideration, and whether my accusations against Debian
# leaders might be or are probably not at all baseless. Because efforts I will
# make to prove the above suspicion, but it is really huge effort that is
# needed, and my machines and my SOHO are under attack...  So I am not at all
# certain to succeed in doing so.
# 
# Pls. let me know if this works for you, dear Debian GNU Linux user! Those who
# know how to compile, and those who hopefully learn how to compile through my
# Tips pages on Debian Forums, pls. get active. We have to get a branch in the
# Official Debian GNU Linux repositories, this way, some other way or in yet
# other fashion, shape or form, this huge injustice against us the users and
# against shiny honest developers Spender and Pax Team and other developers
# from their circle has to be reversed!
# 
# Miroslav Rovis, Zagreb, Croatia, Vankina 4, +385(0)16602633, +385(0)912660202
# (but you could only reach me if secret services here allow your call through,
# censorship in Croatia heavy and getting heavier yet)
# 
# miro.rovis@croatiafidelis.hr (but you have to be patient awaiting my replies,
# really!, and, sure, only if those evildoers let it through)
# 
# So the safest places to post a message to me, is on Debian Forums, and on
# Grsecurity Forums, the latter especially if you have private messages for me.
# But again, be patient awaiting for my replies!
# 
# Alternative sites, if www.CroatiaFidelis.hr "disappeared": www.exDeo.com and
# www.vankina2-10.com
#

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#18 Post by timbgo »

Carefully manually selecting the code from top of:
http://forums.debian.net/viewtopic.php? ... 16#p525714
and cat'ing it into like:
$ cat > grsec_install.sh

(paste and press Ctrl-D)
you can, to get the new packages for new compilation, do.
First:

Code:

$  mv -iv grsec_install.sh  grsec_install.sh.OLD

Next, get the new links to use, get them from:
https://grsecurity.net/download.php
and from:
https://www.kernel.org/
and maybe, if I do more work in the future, from:
http://www.croatiafidelis.hr/gnu/deb/
and replace them (not if you are using this script today or not much later) as the second, the one that is to replace, input to the sed commands (three sed commands, but concatenated) below:

Code:

cat  grsec_install.sh.OLD |sed 's/grsecurity-3.0-3.12.7-201401091837/grsecurity-3.0-3.13.3-201402152204/' |sed 's/3.12.7/3.13.3/' | sed 's/config-3.11.3-grsec-131009/config-3.12.7-grsec-140109/' > grsec_install.sh

Then, surely,

Code:

chmod 755 grsec_install.sh

and whatever advice I gave earlier, I checked and the new grsec_install.sh downloads all packages fine...

Since kernel compile usually is part of an overall update of the system, also see:
http://forums.debian.net/viewtopic.php? ... 87#p530787

Miroslav Rovis
Zagreb, Croatia,
http://www.croatiafidelis.hr

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#19 Post by timbgo »

Since it is a matter of both Grsecurity and Debian, and there wasn't any reason to cross-post, on Grsecurity Forums in this topic below, people can find some criticism addressed to the Debian leaders:
grsec: halting the system... kernel crash, the Debian side
https://forums.grsecurity.net/viewtopic ... 886#p13885
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
EDIT:
That is the principle, but I used my own posts too old, and version numbers are too old... The way to manipulate the script with sed is correct though.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#20 Post by timbgo »

Here the new script, and the config, with respective signatures:
################################################

http://croatiafidelis.hr/gnu/deb/grsec_ ... v3.13.3.sh

http://croatiafidelis.hr/gnu/deb/grsec_ ... 3.3.sh.sig

That one you need for the script below...
==============================================

http://croatiafidelis.hr/gnu/deb/config ... 0130-21.gz

http://croatiafidelis.hr/gnu/deb/config ... 130-21.sig

And that script is safer to download and verify, so I'm not cluttering with same text here, I don't think it would be needed....
If it was needed for more than a week or two, when it, for reasons of the kernel being a moving target, needs update or can't be used really, probably not really.... Things change fast in GNU/Linux...
################################################
Feedback is welcome. Pls., public feedback if the questions are not of really private nature, which is not so likely, I guess.
And for topics more on the Debian side of possible issues, here, while if an issue pertains prevalently on the Grsecurity side, then:
https://forums.grsecurity.net/viewtopic.php?f=3&t=3835

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#21 Post by timbgo »

Here are the packages:
EDIT START:
just gave this page a much better look and lots more explaining:
http://croatiafidelis.hr/gnu/deb/linux- ... sec140219/
Thu Feb 20 02:36:32 GMT 2014
Skim fast through the rest of this post, not really needed, rather read the above page, it's more complete!
EDIT END

Since only one is hefty... pasting the list:

README.txt
README.txt.sig
linux-firmware-image-3.13.3-grsec140219-03_3.13.3-grsec140219-03-1_amd64.deb
linux-headers-3.13.3-grsec140219-03_3.13.3-grsec140219-03-1_amd64.deb
linux-image-3.13.3-grsec140219-03-dbg_3.13.3-grsec140219-03-1_amd64.deb
linux-image-3.13.3-grsec140219-03_3.13.3-grsec140219-03-1_amd64.deb
linux-libc-dev_3.13.3-grsec140219-03-1_amd64.deb

...it is only this one that is some 330MB:
linux-image-3.13.3-grsec140219-03-dbg_3.13.3-grsec140219-03-1_amd64.deb

Pls. let me know if verification fails. If that happens to be the case, post here A.S.A.P.

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#22 Post by timbgo »

Here's the current script, for those who might want to try compiling (best! ... and the hardest for newbies...).
Here:

Code: Select all

#!/bin/bash
#
# This is grsec_debian_v3.13.6.sh
#
# copyright  Miroslav Rovis, Zagreb, Croatia, www.CroatiaFidelis.hr
# (the above needs to be cited if the script is modified/further developed,
# even if my NGO Croatia Fidelis were to be shut down by my country's regime,
# as well as if the script is used as basis for later kernel versions
# patching and compilations)
#
# licenced under GNU v3.0 or later, at your choice
#
# How to use this script?
# =======================
# In case of issues, the user needs to consult official Debian documentation,
# such as Debian Kernel Handbook, as well as Grsecurity documentation, and
# other documentation and manuals, wikis and forums.
# 'chmod 755 grsec_debian_v3.13.6.sh' once you downloaded this script, place
# it, best, in your homedir, and follow instructions as you run it. If you
# encounter problems, modify for your needs. Also, pls. report errors on Debian
# Forums where I made the Tips page:
# "Grsecurity/Pax installation on Debian GNU Linux"
# but pls. if you will be waiting for my replies, it could take days and longer
# sometimes. Thank you!
#
echo
echo "  Caveat emptor! " 
echo
echo "  Do not use this script if you do not understand  " 
echo " what you are doing. You are responsible if anything "
echo " breaks in your system (possible!) "
echo
echo " OTOH, maybe you could open it in another terminal for "
echo " perusing each next step before hitting Enter to run "
echo " that next step, one by one in this terminal."
echo " Of course you should be checking yourself how the script is"
echo " faring, are the commands doing the intended and all."
echo " This is GNU Linux after all."
echo
echo "The script contains some code which is clumsy, but does the work; the"
echo "following: it is populated with 'read FAKE ;' lines. That is just"
echo "someone's (mine, who knows no better yet), way to tell you to decide"
echo "to continue running the script hitting Enter or issue Ctrl-C to kill it."
echo
        read FAKE ;
echo
echo "Tell this script what your username is, so we can create the workspace."
read user ;
echo "If you are user $user and your homedir is /home/$user/ then this"
echo "script should work for you. If not, modify the script to suit you."
        read FAKE ;
echo "We create next two directories in your homedir, 'dLo' for the downloads,"
echo "and 'src' for the compilation. Will not create them if they exist,"
echo "but pls. you make sure that nothing in them obstructs this script,"
echo "meaning, we'll run command: 'mkdir -pv /home/$user/dLo/ /home/$user/src/'"
echo "A note is due here. If you don't have at least 12GB free in your homedir,"
echo "you need to modify the script or arrange in some other way such as to"
echo "make the /home/$user/src a symlink to somewhere with enough room for the"
echo "compilation"
        read FAKE ;
mkdir -pv /home/$user/dLo/ /home/$user/src/
echo ; echo ls -l /home/$user/dLo/ /home/$user/src/ ;
ls -l /home/$user/dLo/ /home/$user/src/
echo ; echo cd /home/$user/dLo/ ;
        read FAKE ;
cd /home/$user/dLo/ ; pwd ;
echo ; echo "We download next the kernel, the patch, the config to use."
echo "In case you already did, you'll see info and/or innocuous errors."
echo "I only want the script to work, can't polish it. Sorry!"
        read FAKE ;
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.13.6.tar.sign
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.13.6.tar.xz
wget -nc https://www.grsecurity.net/test/grsecurity-3.0-3.13.6-201403122116.patch
wget -nc https://www.grsecurity.net/test/grsecurity-3.0-3.13.6-201403122116.patch.sig
echo ; echo "A note about the config to use: it should work (I'll try this"
echo "script first thing after I finish this updating/rewriting it from the"
echo "previous version), it is sometimes the same as previous or next, just the"
echo "LOCALVERSION changes,"
echo "so you could use an older of the config, but the latest I offer at the time"
echo "updating this script is: config-3.13.3-grsec140219-03"
echo ;
        read FAKE ;
wget -nc http://www.croatiafidelis.hr/gnu/deb/config-3.13.3-grsec140219-03.sig
wget -nc http://www.croatiafidelis.hr/gnu/deb/config-3.13.3-grsec140219-03.gz

echo ; echo "Import the necessary keys:"
echo  "gpg --recv-key 0x2525FE49"
        read FAKE ;
gpg --recv-key 0x2525FE49
echo  "gpg --recv-key 0x6092693E"
        read FAKE ;
gpg --recv-key 0x6092693E

echo ; echo "Import my key:"
echo  "gpg --recv-key 0x4FBAF0AE"
        read FAKE ;
gpg --recv-key 0x4FBAF0AE

echo "You can go offline now, internet not needed while compiling."
echo "I, myself, unplug the connection physically."

echo ; echo "Next, copy all downloads to /home/$user/src/"
        read FAKE ;
cp -iav linux-3.13.6.tar.* /home/$user/src/
cp -iav grsecurity-3.0-3.13.6-201403122116.patch* /home/$user/src/
cp -iav config-3.13.3-grsec140219-03* /home/$user/src/
cd /home/$user/src/ ; pwd
ls -l linux-3.13.6*
        read FAKE ;
echo ; echo unxz linux-3.13.6.tar.xz ;
        read FAKE ; 
 unxz linux-3.13.6.tar.xz ;
echo ; echo gpg --verify linux-3.13.6.tar.sign ;
        read FAKE ; 
 gpg --verify linux-3.13.6.tar.sign ;
echo ; echo gpg --verify grsecurity-3.0-3.13.6-201403122116.patch.sig;
        read FAKE ; 
 gpg --verify grsecurity-3.0-3.13.6-201403122116.patch.sig;
echo ; echo gunzip config-3.13.3-grsec140219-03.gz;
        read FAKE ; 
 gunzip config-3.13.3-grsec140219-03.gz;
echo ; echo gpg --verify config-3.13.3-grsec140219-03.sig ;
        read FAKE ; 
 gpg --verify config-3.13.3-grsec140219-03.sig ;
echo ; echo tar xvf linux-3.13.6.tar ;
        read FAKE ; 
 tar xvf linux-3.13.6.tar ;
echo ; echo cd linux-3.13.6;
        read FAKE ; 
 cd linux-3.13.6; pwd
echo ; echo "patch -p1 < ../grsecurity-3.0-3.13.6-201403122116.patch";
        read FAKE ; 
 patch -p1 < ../grsecurity-3.0-3.13.6-201403122116.patch
echo ; echo cd ../;
 cd ../ ; pwd
        read FAKE ; 
echo ; echo cp -iav config-3.13.3-grsec140219-03 linux-3.13.6/.config;
        read FAKE ; 
 cp -iav config-3.13.3-grsec140219-03 linux-3.13.6/.config
echo ; echo cd linux-3.13.6;
        read FAKE ; 
 cd linux-3.13.6
pwd
echo ; echo "Here we modify the LOCALVERSION variable to be -YYMMDD-HH"
locver=`date +%y%m%d-%H`
echo $locver
read FAKE ;
echo sed -i.bak "s/140219-03/$locver/" .config
read FAKE ;
sed -i.bak "s/140219-03/$locver/" .config
echo ; echo "And we need to check that we did what we meant:"
grep LOCALVERSION .config
echo ; echo "And we can also move the backup out of way if it went well."
mv -vi .config.bak ../ ;
echo ; echo make menuconfig;
        read FAKE ; 
echo "If here you will see the script complaining:"
echo "./grsec_debian_v3.13.6.sh: line 125: make: command not found"
echo "then you need to install the development tools. Don't worry,"
echo "nothing much. Pls. find instructions in some of my previous/later"
echo "posts in this Tip, or read the script itself at this point."
# Huh? You found it? Probably these commands would get you all you're missing at
# this point:
# # apt-get install build-essential fakeroot ;
# # apt-get build-dep linux ;
# #  apt-get install libncurses5-dev ;
# that's not an error '# #'. Run as root. If run as user I would write '# $'
# instead, where the first # is necessary to make those lines comments
# in both cases.
# And there's more, essential for Grsecurity/Pax install:
# # apt-get install gcc-4.8-plugin-dev
# The lines above I won't be checking, since I have dev tools installed.
# Reports are welcome.

 make menuconfig
echo ; echo "The diff .config below will only show differences if you edited"
echo "the config through the ncurses menuconfig interface. You may not and"
echo "you may need to, in case, say, you have some exotic hardware and"
echo "functionality is later found missing for you."
echo diff .config*;
 diff .config*
        echo
        echo ; echo "Now this, the next one, can be a longer one step \
              in the process..."
        echo
echo ; echo fakeroot make deb-pkg;
        read FAKE ; 
 fakeroot make deb-pkg


        echo ; echo "Here, the deb packages ought to be there..."
        read FAKE ; 
echo ; echo cd ../ ;
cd ../ ; pwd ;
        read FAKE ; 
ls -l *.deb
        echo ; echo "If you see the packages named linux-XXXXXX-grsec-XXX.deb ,"
        echo "above and if you already used paxctl on grub binaries as"
        echo "I took care to explain in detail in my Tips (above or linked"
        echo "somewhere), you're at your last step."
        echo ; echo "But, that step you need to execute as root, so it"
        echo "is not part of this script executed entire as user."
        read FAKE ; 
pwd
msgbeforeroot1="As root in directory /home/$user/src/ issue this command"
msgbeforeroot2="dpkg -i *.deb"
echo ; echo $msgbeforeroot1
echo ; echo "$msgbeforeroot2"

echo "And then, if no errors there, you can reboot."
echo "Upon rebooting, you too should get something like I did below:"
echo "Pls. look up the rest of the script, for that and for a message"
echo "to users of Debian GNU Linux"
# $ uname -a
# 
# $

# But I despise so much the fact that the best GNU Linux security is blocked
# and probably artificial, fabricated, manufactured issues introduced to arise
# in the Debian system once it is installed and Grsec kernel started and the
# system connects online, as I might be able to demonstrate that those issues I
# had since some old installations quite some weeks ago now (just go to
# forums.grsecurity.net in case you doubt my words). Reasons for my suspicion:
# no issues in the system until only offline, freshly cloned, as I do them,
# from other same hardware of my systems, safely offline, and strange issues
# arising solely after the system has connected to internet... And again, no
# issues with sysresccd booting and accessing internet from the same box.
#
# But, I was saying, I despise so much the fact that the best GNU Linux
# security is blocked from official Debian GNU Linux, that I intend to use my
# slow connection, a fraction speed of what I pay for, being myself a homeland
# living dissident whom the traitors in power in my Croatia try to keep under
# control through censorship like that and worse.. Illegally they do so, but
# those are a bunch of criminals, most of them, anyways... That exactly is what
# my friend Marko Francišković said to some of their servants, police officers,
# and is now paying for such words with being tortured, through being
# administered to him forcefully very hazardous medicaments like Zyprex (if I
# got the brand name of that sh*t correctly), and his life is in real danger.
#
# You can actually see Marko Francišković's brutal arrest by the police longer
# ago yet in a video that I linked to from the topic on Grsecurity Forums:
# "grsec: halting the system... kernel crash, the Debian side",
# just search for 'Marko Francišković'.
#
# But here the link, for convenience:
# Al Jazeera, Clashes on the Eve of EU Referendum, Francišković et. Al HRVATSKI
# https://www.youtube.com/watch?v=_dX-ek2mPaU
# 
# But I was saying that I so much despise the fact that the best GNU Linux
# security is blocked from official Debian GNU Linux, that I intend to use my
# slow connection, a fraction of what I pay for, to try and upload these
# Grsecurity patched Debian GNU Linux packages I compiled, on
# www.CroatiaFidelis.hr . And that task might take me quite a few hours or more
# hours time. I hope to do that with the new packages that I just made, as I am
# giving a final revision to this script for Grsec patched kernel 3.13.3 for
# Debian, as I successfully uploaded them for 3.12.8 .
# 
# That's the measure of my disgust of the Debian GNU Linux leaders having
# practically and effectively, and for all intents and purposes, banned
# Grsecurity from anything official in Debian GNU Linux, and throwing in, or
# facilitating such actions but someone else, fake errors to confuse new
# Grsecurity users, as I might be able to demonstrate, had I had the time.
# That behavior, such hostile action or arrangements, are, apart from being
# severe moral degradation in itself, against Debian declared social contract,
# isn't it?  Debian social contract forbids discrimination, and this is
# discrimination.
#
# Hey leaders of Debian, who behave like a bunch of crooks, you have a piece of
# commons, you have a property of, for short explanation, all good users in the
# world, a property which is there for all of us to benefit, and not for you to
# sell users with, through shady dealings with spy agencies and their
# associates like Google, your great friend...
# 
# Hey leaders of Debian, you have a piece of commons which you are not allowed
# to do anything against us users with, and you are doing that!
#
# But I already said, in the script for the 3.12.8, and was to repeat it now,
# and yet it is such a small effort to compile Grsecurity/Pax patched GNU Linux
# kernel for Debian GNU Linux, that a user who may only be considered somewhat
# advanced and never really a developer, can do it.
#
# It is, however, not a minor effort to demonstrate how new Grsecurity attempts
# at installing and using Grsecurity are deterred, or facilitated to be
# deterred, purposefully, so go and study my work so far to decide for yourself
# whether my bare words with no proofs as yet are to be, or not, taken with,
# and with how much, serious consideration, and whether my accusations against
# Debian leaders might be or are probably not at all baseless. Because efforts
# I will make to prove the above suspicion, but it is really huge effort that
# is needed, and my machines and my SOHO are under attack...  So I am not at
# all certain to succeed in doing so. Looking all the more unlikely to have the
# time to do so, is my later musing, as I revisit what I wrote, for the current
# version of the script...
# 
# Pls. let me know if this works for you, dear Debian GNU Linux user! Those who
# know how to compile, and those who hopefully learn how to compile through my
# Tips pages on Debian Forums, pls. get active. We have to get a branch in the
# Official Debian GNU Linux repositories, this way, some other way or in yet
# other fashion, shape or form, this huge injustice against us the users and
# against shiny honest developers Spender and Pax Team and other developers
# from their circle has to be reversed!
# 
# Miroslav Rovis, Zagreb, Croatia, Vankina 4, +385(0)16602633, +385(0)912660202
# (but you could only reach me if secret services here allow your call through,
# censorship in Croatia heavy and getting heavier yet)
# 
# miro.rovis@croatiafidelis.hr (but you have to be patient awaiting my replies,
# really!, and, sure, only if those evildoers let it through)
# 
# So the safest places to post a message to me, is on Debian Forums, and on
# Grsecurity Forums, the latter especially if you have private messages for me.
# But again, be patient awaiting for my replies!
# 
# Alternative sites, if www.CroatiaFidelis.hr "disappeared": www.exDeo.com and
# www.vankina2-10.com
# 
But, of course, there is the signed version, here:
http://www.croatiafidelis.hr/gnu/deb/gr ... v3.13.6.sh
http://www.croatiafidelis.hr/gnu/deb/gr ... 3.6.sh.sig
I checked it as I was letting my jigdo-automate script:
http://forums.debian.net/viewtopic.php? ... 23#p533823
do the work of replacing the old ISOs with the new ones...
Miroslav Rovis
Zagreb, Croatia
www.CroatiaFidelis.hr
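The script in post #22 shows the output of each `gpg --verify` and continues once Enter is pressed, and it fetches keys by 8-hex-digit ID, which does not uniquely identify a key. The following is an added example, not part of timbgo's script: a check that stops on failure and compares the signer against a full fingerprint. The function names are made up here, and the fingerprint is a placeholder the reader must supply.

```shell
# Added example, not part of the posted script. The fingerprint passed in
# must be the real 40-hex-digit value, obtained from the signer over a
# channel you trust, not from a keyserver search.

# status_signed_by FINGERPRINT
#   Reads `gpg --status-fd` output on stdin. Returns 0 only if it contains a
#   VALIDSIG line made by FINGERPRINT and no line reporting a bad, expired or
#   revoked signature/key. Returns 2 if FINGERPRINT is not a full fingerprint.
status_signed_by() {
    _want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#_want}" -eq 40 ] || return 2        # refuse 8- or 16-digit key IDs
    case "$_want" in *[!0-9A-F]*) return 2 ;; esac
    awk -v want="$_want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # Field 3 is the key that made the signature; the last field is the
        # primary key it belongs to. Accept a match on either.
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { good = 1 }
        END { if (good && !bad) exit 0; exit 1 }
    '
}

# verify_detached SIGFILE DATAFILE FINGERPRINT
#   Runs gpg and fails closed: a non-zero gpg exit status, a signer other
#   than FINGERPRINT, or an expired/revoked key all return non-zero.
verify_detached() {
    _status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    printf '%s\n' "$_status" | status_signed_by "$3"
}

# Usage in place of a bare `gpg --verify` step (file names from the post,
# KERNEL_FPR is a placeholder variable holding the full fingerprint):
#   verify_detached linux-3.13.6.tar.sign linux-3.13.6.tar "$KERNEL_FPR" || exit 1
```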

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#23 Post by timbgo »

I checked the script while online for the throwaway system that I go online with.
I mean, in the sense that I wrote in some of my tips pages, maybe:

Poor User's Defences, Basic Anti-Surveillance for Debian
http://forums.debian.net/viewtopic.php?f=3&t=111906
(which is, lo and behold, moved to Offtopic! Good users, no worry! And use your sane judgement, without malice, and let us not be intimidated.)

But I compiled fine on my safe offline master clone system, and these deb packages should work for gentle readers' AMD64 arch machines.

I need to sort the page to be as the old one (but DON'T use this one):
http://www.croatiafidelis.hr/gnu/deb/li ... sec140219/
(ok, NOT that to use, but to look like that one)...

Use this:

http://www.croatiafidelis.hr/gnu/deb/li ... c-current/

And here the listing of it:

Code: Select all

 ls -l
-rw-r--r--    1 rovisnet rovisnet      666 Mar 15 06:08 SUMS
-rw-r--r--    1 rovisnet rovisnet      819 Mar 15 06:08 SUMS.sig
-rw-r--r--    1 rovisnet rovisnet   903122 Mar 15 06:08 linux-firmware-image-3.13.6-grsec140314-22_3.13.6-grsec140314-22-1_amd64.deb
-rw-r--r--    1 rovisnet rovisnet  6799122 Mar 15 06:10 linux-headers-3.13.6-grsec140314-22_3.13.6-grsec140314-22-1_amd64.deb
-rw-r--r--    1 rovisnet rovisnet 337868462 Mar 15 07:57 linux-image-3.13.6-grsec140314-22-dbg_3.13.6-grsec140314-22-1_amd64.deb
-rw-r--r--    1 rovisnet rovisnet 30382012 Mar 15 08:07 linux-image-3.13.6-grsec140314-22_3.13.6-grsec140314-22-1_amd64.deb
-rw-r--r--    1 rovisnet rovisnet   741326 Mar 15 08:07 linux-libc-dev_3.13.6-grsec140314-22-1_amd64.deb
So it's just:
linux-image-3.13.6-grsec140314-22-dbg_3.13.6-grsec140314-22-1_amd64.deb
that is some 320MB, the rest is lightweight.

That is all that is necessary, I'll try and improve the looks of it, but I just don't know when.
And, it's not just a week or two... it's, these packages for a little longer, probably a few weeks from now that they can be installed and beneficially used.

Miroslav Rovis,
Zagreb, Croatia,
http://www.CroatiaFidelis.hr
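Post #23 ships `SUMS` with a detached `SUMS.sig`, and the install step given in this thread is `dpkg -i *.deb`, which installs every package in the directory whether or not `SUMS` lists it. The following is an added example, not timbgo's code, that checks the signature, the hashes, and that no unlisted `.deb` is present. It assumes `SUMS` is in `sha256sum` format, which the post does not state, and the function names are made up here.

```shell
# Added example. Assumes SUMS holds `sha256sum` output ("<hash>  <name>").

# Names listed in a sha256sum-format file, one per line. Lines that do not
# look like "<64 hex digits> <space or *><name>" are ignored.
listed_names() {
    sed -n 's/^[0-9A-Fa-f]\{64\} [ *]//p' "$1"
}

# .deb files present in directory $1 that the sums file $2 does not list.
unlisted_debs() {
    for _f in "$1"/*.deb; do
        [ -e "$_f" ] || continue              # glob matched nothing
        _name=${_f##*/}
        listed_names "$2" | grep -Fxq -- "$_name" || printf '%s\n' "$_name"
    done
}

# Hashes of everything SUMS lists must match, and no other .deb may be
# sitting in the directory waiting to be picked up by `dpkg -i *.deb`.
check_sums_and_coverage() {
    _dir=$1
    ( cd "$_dir" && sha256sum -c SUMS >/dev/null ) || return 1
    _extra=$(unlisted_debs "$_dir" "$_dir/SUMS")
    if [ -n "$_extra" ]; then
        printf '%s\n' "$_extra" | sed 's/^/not covered by SUMS: /' >&2
        return 1
    fi
}

# Full gate: signature on the list first, then hashes and coverage.
# `gpg --verify` succeeding only means some key in the keyring signed SUMS;
# who that key belongs to still has to be checked against a fingerprint
# you trust.
check_packages() {
    gpg --batch --verify "$1/SUMS.sig" "$1/SUMS" || return 1
    check_sums_and_coverage "$1"
}

# Usage, as the user who downloaded the files, before switching to root:
#   check_packages /path/to/downloaded/packages && echo "ok to run dpkg -i *.deb"
```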

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#24 Post by timbgo »

Oh, as usual, testing grsecurity patches move rather fast.
So if you're compiling with my script, use the sed command that I gave somewhere above, and, since the patch is now:
https://grsecurity.net/test/grsecurity- ... 2112.patch
and surely so the signature, replace... or, better, here the command to run on my latest script:
$ sed -i.bak 's/3.0-3.13.6-201403122116/3.0-3.13.6-201403142112/g' grsec_debian_v3.13.6.sh
and then check, and compile.
Can't check that line now, tired, have to go.
Miroslav Rovis,
Zagreb, Croatia,
http://www.CroatiaFidelis.hr

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#25 Post by timbgo »

I made a post, but it's too much off this Grsecurity topic, and decided to post it OffTopic:
Really Happened? 15e5510744048dc5473d05bfc028fbc2
http://forums.debian.net/viewtopic.php?f=3&t=113059
It's important. Pls. read it, here small part:

...
and search for the word youtube, you'll get to this address:

Code: Select all

# Al Jazeera, Clashes on the Eve of EU Referendum, Francišković et. Al
# HRVATSKI
# https://www.youtube.com/watch?v=_dX-ek2mPaU
Again, in clickable:

Al Jazeera, Clashes on the Eve of EU Referendum, Francišković et. Al HRVATSKI
https://www.youtube.com/watch?v=_dX-ek2mPaU

That's the paste of the title and the paste of the address.

Can anybody pls. paste over what opens up for them when they access that
address in their browser?
...

Miroslav Rovis
Zagreb, Croatia
www.CroatiaFidelis.hr

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#26 Post by timbgo »

I'll try and post new grsec packages, you can probably expect them in intervals as so far I mostly manage to keep, approx. every one month or so, on:

http://www.croatiafidelis.hr/gnu/deb/li ... c-current/

There are new packages there currently, the best for probably a week or more to come, and useable for longer actually.

I can't promise anything, as I already stated in many places, along with the reasons.

I hope my contribution is not completely negligible for a better GNU free world.

I'll try and post the better newer version of the script for compiling below.

Thank you!

Miroslav Rovis,
Zagreb, Croatia,
http://www.CroatiaFidelis.hr

grsec_debian_install_00.sh

Code: Select all

#!/bin/bash
#
# This is grsec_debian_compile_v010.sh
#
# copyright  Miroslav Rovis, Zagreb, Croatia, www.CroatiaFidelis.hr
# (the above needs to be cited if the script is modified/further developed,
# even if my NGO Croatia Fidelis were to be shut down by my country's regime,
# as well as if the script is used as basis for later kernel versions
# patching and compilations)
#
# licenced under GNU v3.0 or later, at your choice
#
# How to use this script?
# =======================
# In case of issues, the user needs to consult official Debian documentation,
# such as Debian Kernel Handbook, as well as Grsecurity documentation, and
# other documentation and manuals, wikis and forums.
# 'chmod 755 grsec_debian_compile_v010.sh' once you downloaded this script, place
# it, best, in your homedir, and follow instructions as you run it. If you
# encounter problems, modify for your needs. Also, pls. report errors on Debian
# Forums where I made the Tips page:
# "Grsecurity/Pax installation on Debian GNU Linux"
# but pls. if you will be waiting for my replies, it could take days and longer
# sometimes. Thank you!
#
echo
echo "  Caveat emptor! " 
echo
echo "  Do not use this script if you do not understand  " 
echo " what you are doing. You are responsible if anything "
echo " breaks in your system (possible!) "
echo
echo " OTOH, maybe you could open it in another terminal for "
echo " perusing each next step before hitting Enter to run "
echo " that next step, one by one in this terminal."
echo " Of course you should be checking yourself how the script is"
echo " faring, are the commands doing the intended and all."
echo " This is GNU Linux after all."
echo
echo "The script contains some code which is clumsy, but does the work; the"
echo "following: it is populated with 'read FAKE ;' lines. That is just"
echo "someone's (mine, who knows no better yet), way to tell you to decide"
echo "to continue running the script hitting Enter or issue Ctrl-C to kill it."
echo
        read FAKE ;
echo
echo "Tell this script what your username is, so we can create the workspace."
read user ;
echo "If you are user $user and your homedir is /home/$user/ then this"
echo "script should work for you. If not, modify the script to suit you."
        read FAKE ;
echo "We create next two directories in your homedir, 'dLo' for the downloads,"
echo "and 'src' for the compilation. Will not create them if they exist,"
echo "but pls. you make sure that nothing in them obstructs this script,"
echo "meaning, we'll run command: 'mkdir -pv /home/$user/dLo/ /home/$user/src/'"
echo "A note is due here. If you don't have at least 12GB free in your homedir,"
echo "you need to modify the script or arrange in some other way such as to"
echo "make the /home/$user/src a symlink to somewhere with enough room for the"
echo "compilation"
        read FAKE ;
mkdir -pv /home/$user/dLo/ /home/$user/src/
echo ; echo ls -l /home/$user/dLo/ /home/$user/src/ ;
ls -l /home/$user/dLo/ /home/$user/src/
echo ; echo cd /home/$user/dLo/ ;
        read FAKE ;
cd /home/$user/dLo/ ; pwd ;
echo "Give the name of the grsecurity patch (that we need to get) without"
echo "extension, such as grsecurity-3.0-3.13.6-201403122116 (as is found on"
echo "download page on grsecurity.net:"
read grsec ;
echo "Give the name of the kernel (that we need to get) such as linux-3.13.6"
echo "as is found for download (or can be guessed from grsecurity patch's name)"
echo "on kernel.org:"
read kernel ;
echo "Give the name of the (old) config file (that we need to get) usually the"
echo "from last compile, from www.croatiafidelis.hr/gnu/deb/, no extension, such"
echo "as: config-3.13.3-grsec140219-03"
read config
echo ; echo "We download next the kernel, the patch, the config to use."
echo "In case you already did, you'll see info and/or innocuous errors."
echo "I only want the script to work, can't polish it. Sorry!"
        read FAKE ;
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/$kernel.tar.sign
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/$kernel.tar.xz
wget -nc https://www.grsecurity.net/test/$grsec.patch
wget -nc https://www.grsecurity.net/test/$grsec.patch.sig
wget -nc http://www.croatiafidelis.hr/gnu/deb/$config.sig
wget -nc http://www.croatiafidelis.hr/gnu/deb/$config.gz

echo ; echo "Import the necessary keys:"
echo  "gpg --recv-key 0x2525FE49"
        read FAKE ;
gpg --recv-key 0x2525FE49
echo  "gpg --recv-key 0x6092693E"
        read FAKE ;
gpg --recv-key 0x6092693E

echo ; echo "Import my key:"
echo  "gpg --recv-key 0x4FBAF0AE"
        read FAKE ;
gpg --recv-key 0x4FBAF0AE

echo "You can go offline now, internet not needed while compiling."
echo "I, myself, unplug the connection physically."

echo ; echo "Next, copy all downloads to /home/$user/src/"
        read FAKE ;
cp -iav $kernel.tar.* /home/$user/src/
cp -iav $grsec.patch* /home/$user/src/
cp -iav $config* /home/$user/src/
cd /home/$user/src/ ; pwd
ls -l $kernel*
        read FAKE ;
echo ; echo unxz $kernel.tar.xz ;
        read FAKE ; 
 unxz $kernel.tar.xz ;
echo ; echo gpg --verify $kernel.tar.sign ;
        read FAKE ; 
 gpg --verify $kernel.tar.sign ;
echo ; echo gpg --verify $grsec.patch.sig;
        read FAKE ; 
 gpg --verify $grsec.patch.sig;
echo ; echo gunzip $config.gz;
        read FAKE ; 
 gunzip $config.gz;
echo ; echo gpg --verify $config.sig ;
        read FAKE ; 
 gpg --verify $config.sig ;
echo ; echo tar xvf $kernel.tar ;
        read FAKE ; 
 tar xvf $kernel.tar ;
echo ; echo cd $kernel;
        read FAKE ; 
 cd $kernel; pwd
echo ; echo "patch -p1 < ../$grsec.patch";
        read FAKE ; 
 patch -p1 < ../$grsec.patch
echo ; echo cd ../;
 cd ../ ; pwd
        read FAKE ; 
echo ; echo cp -iav $config $kernel/.config;
        read FAKE ; 
 cp -iav $config $kernel/.config
echo ; echo cd $kernel;
        read FAKE ; 
 cd $kernel
pwd
echo ; echo "Here we modify the LOCALVERSION variable to be -YYMMDD-HH"
locver=`date +%y%m%d-%H`
echo $locver
read FAKE ;
oldloc=`grep CONFIG_LOCALVERSION= .config|cut -d'"' -f2`
echo sed -i.bak "s/$oldloc/$locver/" .config
read FAKE ;
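# Run the substitution itself (the echo above only prints the command);
# this also creates the .config.bak that is moved away below.
sed -i.bak "s/$oldloc/$locver/" .config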
echo ; echo "And we need to check that we did what we meant:"
grep LOCALVERSION .config
echo ; echo "And we can also move the backup out of way if it went well."
mv -vi .config.bak ../ ;
echo ; echo make menuconfig;
        read FAKE ; 
echo "If here you will see the script complaining:"
echo "./grsec_debian_compile_v010.sh: line 125: make: command not found"
echo "then you need to install the development tools. Don't worry,"
echo "nothing much. Pls. find instructions in some of my previous/later"
echo "posts in this Tip, or read the script itself at this point."
# Huh? You found it? Probably these commands would get you all you're missing at
# this point:
# # apt-get install build-essential fakeroot ;
# # apt-get build-dep linux ;
# #  apt-get install libncurses5-dev ;
# that's not an error '# #'. Run as root. If run as user I would write '# $'
# instead, where the first # is necessary to make those lines comments
# in both cases.
# And there's more, essential for Grsecurity/Pax install:
# # apt-get install gcc-4.8-plugin-dev
# The lines above I won't be checking, since I have dev tools installed.
# Reports are welcome.

 make menuconfig
echo ; echo "The diff .config below will only show differences if you edited"
echo "the config through the ncurses menuconfig interface. You may not and"
echo "you may need to, in case, say, you have some exotic hardware and"
echo "functionality is later found missing for you."
echo diff .config*;
 diff .config*
        echo
        echo ; echo "Now this, the next one, can be a longer one step \
              in the process..."
        echo
echo ; echo fakeroot make deb-pkg;
        read FAKE ; 
 fakeroot make deb-pkg


        echo ; echo "Here, the deb packages ought to be there..."
        read FAKE ; 
echo ; echo cd ../ ;
cd ../ ; pwd ;
        read FAKE ; 
ls -l *.deb
        echo ; echo "If you see the packages named linux-XXXXXX-grsec-XXX.deb ,"
        echo "above and if you already used paxctl on grub binaries as"
        echo "I took care to explain in detail in my Tips (above or linked"
        echo "somewhere), you're at your last step."
        echo ; echo "But, that step you need to execute as root, so it"
        echo "is not part of this script executed entire as user."
        read FAKE ; 
pwd
msgbeforeroot1="As root in directory /home/$user/src/ issue this command"
msgbeforeroot2="dpkg -i *.deb"
echo ; echo $msgbeforeroot1
echo ; echo "$msgbeforeroot2"

echo "And then, if no errors there, you can reboot."
echo "Upon rebooting, you too should get something like I did below:"
echo "Pls. look up the rest of the script, for that and for a message"
echo "to users of Debian GNU Linux"
# $ uname -a
# 
# $

# But I despise so much the fact that the best GNU Linux security is blocked
# and probably artificial, fabricated, manufactured issues introduced to arise
# in the Debian system once it is installed and Grsec kernel started and the
# system connects online, as I might be able to demonstrate that those issues I
# had since some old installations quite some weeks ago now (just go to
# forums.grsecurity.net in case you doubt my words). Reasons for my suspicion:
# no issues in the system until only offline, freshly cloned, as I do them,
# from other same hardware of my systems, safely offline, and strange issues
# arising solely after the system has connected to internet... And again, no
# issues with sysresccd booting and accessing internet from the same box.
#
# But, I was saying, I despise so much the fact that the best GNU Linux
# security is blocked from official Debian GNU Linux, that I intend to use my
# slow connection, a fraction speed of what I pay for, being myself a homeland
# living dissident whom the traitors in power in my Croatia try to keep under
# control through censorship like that and worse.. Illegally they do so, but
# those are a bunch of criminals, most of them, anyways... That exactly is what
# my friend Marko Francišković said to some of their servants, police officers,
# and is now paying for such words with being tortured, through being
# administered to him forcefully very hazardous medicaments like Zyprex (if I
# got the brand name of that sh*t correctly), and his life is in real danger.
#
# You can actually see Marko Francišković's brutal arrest by the police longer
# ago yet in a video that I linked to from the topic on Grsecurity Forums:
# "grsec: halting the system... kernel crash, the Debian side",
# just search for 'Marko Francišković'.
#
# But here the link, for convenience:
# Al Jazeera, Clashes on the Eve of EU Referendum, Francišković et. Al HRVATSKI
# https://www.youtube.com/watch?v=_dX-ek2mPaU
# 
# But I was saying that I so much despise the fact that the best GNU Linux
# security is blocked from official Debian GNU Linux, that I intend to use my
# slow connection, a fraction of what I pay for, to try and upload these
# Grsecurity patched Debian GNU Linux packages I compiled, on
# www.CroatiaFidelis.hr . And that task might take me quite a few hours or more
# hours time. I hope to do that with the new packages that I just made, as I am
# giving a final revision to this script for Grsec patched kernel 3.13.6 for
# Debian, as I successfully uploaded them for 3.12.8 .
# 
# That's the measure of my disgust of the Debian GNU Linux leaders having
# practically and effectively, and for all intents and purposes, banned
# Grsecurity from anything official in Debian GNU Linux, and throwing in, or
# facilitating such actions by someone else, fake errors to confuse new
# Grsecurity users, as I might be able to demonstrate, had I had the time.
# That behavior, such hostile action or arrangements, are, apart from being
# severe moral degradation in itself, against Debian declared social contract,
# isn't it?  Debian social contract forbids discrimination, and this is
# discrimination.
#
# Hey leaders of Debian, who behave like a bunch of crooks, you have a piece of
# commons, you have a property of, for short explanation, all good users in the
# world, a property which is there for all of us to benefit, and not for you to
# sell users with, through shady dealings with spy agencies and their
# associates like Google, your great friend...
# 
# Hey leaders of Debian, you have a piece of commons which you are not allowed
# to do anything against us users with, and you are doing that!
#
# But I already said, in the script for the 3.12.8, and was to repeat it now,
# and yet it is such a small effort to compile Grsecurity/Pax patched GNU Linux
# kernel for Debian GNU Linux, that a user who may only be considered somewhat
# advanced and never really a developer, can do it.
#
# It is, however, not a minor effort to demonstrate how new Grsecurity attempts
# at installing and using Grsecurity are deterred, or facilitated to be
# deterred, purposefully, so go and study my work so far to decide for yourself
# whether my bare words with no proofs as yet are to be, or not, taken with,
# and with how much, serious consideration, and whether my accusations against
# Debian leaders might be or are probably not at all baseless. Because efforts
# I will make to prove the above suspicion, but it is really huge effort that
# is needed, and my machines and my SOHO are under attack...  So I am not at
# all certain to succeed in doing so. Looking all the more unlikely to have the
# time to do so, is my later musing, as I revisit what I wrote, for the current
# version of the script...
# 
# Pls. let me know if this works for you, dear Debian GNU Linux user! Those who
# know how to compile, and those who hopefully learn how to compile through my
# Tips pages on Debian Forums, pls. get active. We have to get a branch in the
# Official Debian GNU Linux repositories, this way, some other way or in yet
# other fashion, shape or form, this huge injustice against us the users and
# against shiny honest developers Spender and Pax Team and other developers
# from their circle has to be reversed!
# 
# Miroslav Rovis, Zagreb, Croatia, Vankina 4, +385(0)16602633, +385(0)912660202
# (but you could only reach me if secret services here allow your call through,
# censorship in Croatia heavy and getting heavier yet)
# 
# miro.rovis@croatiafidelis.hr (but you have to be patient awaiting my replies,
# really!, and, sure, only if those evildoers let it through)
# 
# So the safest places to post a message to me, is on Debian Forums, and on
# Grsecurity Forums, the latter especially if you have private messages for me.
# But again, be patient awaiting for my replies!
# 
# Alternative sites, if www.CroatiaFidelis.hr "disappeared": www.exDeo.com and
# www.vankina2-10.com
# 
If there aren't some losses in the html of the server on anywhere on the way from me to this Forums server, or further to the readers, and if you know how to use the signature below, here it is for your checking. That is just in case the http://www.CroatiaFidelis.hr for some reason became unavailable:

grsec_debian_install_00.sh.sig

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?


#27 Post by timbgo »

Oh yes, I forgot something.
Old packages will be deleted. Those that anyway are not anymore recommended, because they have been obsoleted.
I am running out of space on the server hosting
CroatiaFidelis.hr
Thank you.
Miroslav Rovis
Zagreb, Croatia
www.CroatiaFidelis.hr

#28 Post by timbgo »

There are new packages in the current folder:

http://www.croatiafidelis.hr/gnu/deb/li ... c-current/

Also, while compiling, I notice the latest script was misnamed in its own text,
(look up the before-latest here:
http://croatiafidelis.hr/gnu/deb/linux- ... sec140411/
right at the top, the script I talk in the first line and worse, it didn't replace the
old LOCALVERSION with the new, because I forgot to remove one literal
string 'echo' where that sed line is..

Hopefully more coming.

Thanks everybody for the interest!

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

#29 Post by timbgo »

Still familiarizing with git, but I think I'll be keeping the script there from now:

https://github.com/miroR/grsec-deb-compile

I'll try and see if I made any typos now compiling:

grsecurity-3.0-3.14.4-201405141623.patch
on, obviously, 3.14.4 kernel.

Miro

#30 Post by timbgo »

The grsec-deb-compile.sh from the github above, has nothing new, is same as,
only cleaned-up a little, as the previous script a little further above, but
for this line:
The diff .config below will only show differences if you edited
the config through the ncurses menuconfig interface. You may and you may
not need to. You may in case, say, you have some exotic hardware and
functionality is later found missing for you. However, only in rare
cases, only those that also in non-Grsec kernel you would need to, and
those are rare, only where regular Debian kernel which config I base
this compile on, would have issues.
Let me explain. I try and use the expertise that the team building regular
Debian kernel employ. I do that having in mind others who would want to either
compile Grsec kernel using this script, or who would download and install my
packages for their systems, I don't need all those modules for my own hardware
(I actually planned to always recompile to get rid of all the plethora of
modules that I don't need for my hardware, but that lost precedence after more
important work of trying to offer good working script and good working
packages... I'm usually a little tired once I'm done with the compile as is).

I actually tried to see what configuration file I would get based on the
previous, three weeks ago kernel, earlier 3.14.x version, as well as what
configuration I would get if I combined that earlier version with the configuration
file that I got when I installed the latest kernel prepared by the Debian
kernel team.

That kernel you can see, if you downloaded and installed this week's jigdo DVDs
( you can use jigdo-automate-scripts to add a helping layer of automation to
downloading them, as I explained here:
Scripts to automate jigdo download
http://forums.debian.net/viewtopic.php?f=16&t=110503
on that Debian Forums Tips page):

Code: Select all

# apt-cache search linux|egrep '^linux-image-3.14'

(that is a "^", caret character, in front of "linux-...", if you have older software, not latest jigdo testing installed, then search for just '^linux-image-3.1' to see what you have)

That line returns to me:

Code: Select all

linux-image-3.14-1-amd64 - Linux 3.14 for 64-bit PCs

I installed that newest kernel exactly for the purpose I mentioned above. I
want as much as possible hardware supported.

And so latest configs to do this comparison, are in my /boot, and I posted some
of them for you to see.

In the dir:
http://www.croatiafidelis.hr/gnu/deb/co ... _testcase/

there are, signed and gzipped:
config-3.14-1-amd64
config-3.14.4-grsec140521-02

The latter is the 3.14.4 config that I got based on the previous 3.14.2
grsec-deb-compile.sh produced packages, that I posted as current three weeks
ago. Obviously now they are in the process of being relegated to old and later
deleted.

And the first is the config that:

Code: Select all

# apt-get install linux-image-3.14-1-amd64

installed.

config-3.14.4-grsec140521-02 is a config file of the actually produced
packages, but as you will see, there is a little support lacking for some
hardware in it, so I am not publishing those packages.

Instead, the packages I will post, and the config that I posted and recommend
for people to give as input into grsec-deb-compile.sh script (along with latest
the grsecurity patch for 3.14.4 and the kernel 3.14.4) is packages based, and
input of this, config file:

http://www.croatiafidelis.hr/gnu/deb/co ... 0521-10.gz
http://www.croatiafidelis.hr/gnu/deb/co ... 521-10.sig

Let me explain why.

I'll do it by showing you the diff.

diff config-3.14.4-grsec140521-02 config-3.14.4-grsec140521-10

Code: Select all

53c53
< CONFIG_LOCALVERSION="140521-02"
---
> CONFIG_LOCALVERSION="140521-10"
142c142,144
< # CONFIG_NUMA_BALANCING is not set
---
> CONFIG_ARCH_USES_NUMA_PROT_NONE=y
> # CONFIG_NUMA_BALANCING_DEFAULT_ENABLED is not set
> CONFIG_NUMA_BALANCING=y
241a244
> CONFIG_HAVE_CLK=y
357c360
< # CONFIG_X86_INTEL_LPSS is not set
---
> CONFIG_X86_INTEL_LPSS=y
426c429
< # CONFIG_X86_MSR is not set
---
> CONFIG_X86_MSR=m
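Review bot: CONFIG_X86_MSR changes from unset to =m in this hunk, and unlike most of the diff it is not a device driver: the module provides the /dev/cpu/*/msr interface for reading and writing CPU model-specific registers. The post should name the tool that needs it, or the -10 config should keep the -02 setting (unset) so the hardened kernel does not ship a raw MSR interface with no stated use.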
509c512
< CONFIG_PHYSICAL_ALIGN=0x1000000
---
> CONFIG_PHYSICAL_ALIGN=0x200000
535a539
> CONFIG_PM_CLK=y
570c574
< # CONFIG_ACPI_EXTLOG is not set
---
> CONFIG_ACPI_EXTLOG=y
687c691
< # CONFIG_X86_SYSFB is not set
---
> CONFIG_X86_SYSFB=y
790c794
< # CONFIG_IPV6_VTI is not set
---
> CONFIG_IPV6_VTI=m
853c857,872
< # CONFIG_NF_TABLES is not set
---
> CONFIG_NETFILTER_SYNPROXY=m
> CONFIG_NF_TABLES=m
> CONFIG_NF_TABLES_INET=m
> CONFIG_NFT_EXTHDR=m
> CONFIG_NFT_META=m
> CONFIG_NFT_CT=m
> CONFIG_NFT_RBTREE=m
> CONFIG_NFT_HASH=m
> CONFIG_NFT_COUNTER=m
> CONFIG_NFT_LOG=m
> CONFIG_NFT_LIMIT=m
> CONFIG_NFT_NAT=m
> CONFIG_NFT_QUEUE=m
> CONFIG_NFT_REJECT=m
> CONFIG_NFT_REJECT_INET=m
> CONFIG_NFT_COMPAT=m
897c916
< # CONFIG_NETFILTER_XT_MATCH_CGROUP is not set
---
> CONFIG_NETFILTER_XT_MATCH_CGROUP=m
915c934
< # CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
---
> CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
951c970
< # CONFIG_IP_SET_HASH_NETPORTNET is not set
---
> CONFIG_IP_SET_HASH_NETPORTNET=m
953c972
< # CONFIG_IP_SET_HASH_NETNET is not set
---
> CONFIG_IP_SET_HASH_NETNET=m
1003a1023,1027
> CONFIG_NF_TABLES_IPV4=m
> CONFIG_NFT_CHAIN_ROUTE_IPV4=m
> CONFIG_NFT_CHAIN_NAT_IPV4=m
> CONFIG_NFT_REJECT_IPV4=m
> CONFIG_NF_TABLES_ARP=m
1011c1035
< # CONFIG_IP_NF_TARGET_SYNPROXY is not set
---
> CONFIG_IP_NF_TARGET_SYNPROXY=m
1024c1048
< CONFIG_IP_NF_TARGET_TTL=m
---
> # CONFIG_IP_NF_TARGET_TTL is not set
1034a1059,1062
> CONFIG_NF_TABLES_IPV6=m
> CONFIG_NFT_CHAIN_ROUTE_IPV6=m
> CONFIG_NFT_CHAIN_NAT_IPV6=m
> CONFIG_NFT_REJECT_IPV6=m
1040c1068
< CONFIG_IP6_NF_MATCH_HL=m
---
> # CONFIG_IP6_NF_MATCH_HL is not set
1045c1073
< CONFIG_IP6_NF_TARGET_HL=m
---
> # CONFIG_IP6_NF_TARGET_HL is not set
1048c1076
< # CONFIG_IP6_NF_TARGET_SYNPROXY is not set
---
> CONFIG_IP6_NF_TARGET_SYNPROXY=m
1058a1087
> CONFIG_NF_TABLES_BRIDGE=m
1177,1178c1206,1207
< # CONFIG_NET_SCH_HHF is not set
< # CONFIG_NET_SCH_PIE is not set
---
> CONFIG_NET_SCH_HHF=m
> CONFIG_NET_SCH_PIE=m
1196,1197c1225,1226
< CONFIG_NET_CLS_CGROUP=y
< # CONFIG_NET_CLS_BPF is not set
---
> CONFIG_NET_CLS_CGROUP=m
> CONFIG_NET_CLS_BPF=m
1239c1268
< # CONFIG_CGROUP_NET_PRIO is not set
---
> CONFIG_CGROUP_NET_PRIO=m
1449,1451c1478,1479
< # CONFIG_NFC_DIGITAL is not set
< CONFIG_NFC_NCI=m
< # CONFIG_NFC_NCI_SPI is not set
---
> CONFIG_NFC_DIGITAL=m
> # CONFIG_NFC_NCI is not set
1459c1487
< # CONFIG_NFC_MRVL is not set
---
> CONFIG_NFC_PORT100=m
1589c1617,1618
< # CONFIG_MTD_NAND_ECC_BCH is not set
---
> CONFIG_MTD_NAND_BCH=m
> CONFIG_MTD_NAND_ECC_BCH=y
1638c1667
< # CONFIG_BLK_DEV_NULL_BLK is not set
---
> CONFIG_BLK_DEV_NULL_BLK=m
1656c1685
< # CONFIG_BLK_DEV_SKD is not set
---
> CONFIG_BLK_DEV_SKD=m
1680a1710
> # CONFIG_ATMEL_PWM is not set
1702,1703c1732
< CONFIG_BMP085=y
< CONFIG_BMP085_I2C=m
---
> # CONFIG_BMP085_I2C is not set
1742c1771
< # CONFIG_INTEL_MIC_HOST is not set
---
> CONFIG_INTEL_MIC_HOST=m
1827c1856
< # CONFIG_SCSI_ESAS2R is not set
---
> CONFIG_SCSI_ESAS2R=m
2252,2254c2281,2283
< # CONFIG_I40E_VXLAN is not set
< # CONFIG_I40E_DCB is not set
< # CONFIG_I40EVF is not set
---
> CONFIG_I40E_VXLAN=y
> CONFIG_I40E_DCB=y
> CONFIG_I40EVF=m
2416c2445
< # CONFIG_USB_NET_HUAWEI_CDC_NCM is not set
---
> CONFIG_USB_NET_HUAWEI_CDC_NCM=m
2420c2449
< # CONFIG_USB_NET_SR9800 is not set
---
> CONFIG_USB_NET_SR9800=m
2532c2561,2563
< # CONFIG_BRCMFMAC is not set
---
> CONFIG_BRCMFMAC=m
> CONFIG_BRCMFMAC_SDIO=y
> # CONFIG_BRCMFMAC_USB is not set
2762a2794
> # CONFIG_KEYBOARD_SAMSUNG is not set
2879c2911
< # CONFIG_TOUCHSCREEN_TSC_SERIO is not set
---
> CONFIG_TOUCHSCREEN_TSC_SERIO=m
2881a2914
> CONFIG_TOUCHSCREEN_W90X900=m
2883c2916
< # CONFIG_TOUCHSCREEN_SUR40 is not set
---
> CONFIG_TOUCHSCREEN_SUR40=m
3018a3052
> # CONFIG_HW_RANDOM_ATMEL is not set
3020a3055
> # CONFIG_HW_RANDOM_EXYNOS is not set
3042,3044c3077,3079
< # CONFIG_TCG_TIS_I2C_ATMEL is not set
< # CONFIG_TCG_TIS_I2C_INFINEON is not set
< # CONFIG_TCG_TIS_I2C_NUVOTON is not set
---
> CONFIG_TCG_TIS_I2C_ATMEL=m
> CONFIG_TCG_TIS_I2C_INFINEON=m
> CONFIG_TCG_TIS_I2C_NUVOTON=m
3048,3049c3083,3084
< # CONFIG_TCG_ST33_I2C is not set
< # CONFIG_TCG_XEN is not set
---
> CONFIG_TCG_ST33_I2C=m
> CONFIG_TCG_XEN=m
3062a3098
> # CONFIG_I2C_MUX_PINCTRL is not set
3103c3139
< # CONFIG_I2C_DESIGNWARE_PLATFORM is not set
---
> CONFIG_I2C_DESIGNWARE_PLATFORM=m
3185a3222,3230
> CONFIG_PINCTRL=y
> 
> #
> # Pin controllers
> #
> # CONFIG_PINMUX is not set
> # CONFIG_PINCONF is not set
> # CONFIG_DEBUG_PINCTRL is not set
> # CONFIG_PINCTRL_BAYTRAIL is not set
3438c3483
< # CONFIG_ACPI_INT3403_THERMAL is not set
---
> CONFIG_ACPI_INT3403_THERMAL=m
3714c3759,3761
< # CONFIG_VIDEO_STK1160_COMMON is not set
---
> CONFIG_VIDEO_STK1160_COMMON=m
> CONFIG_VIDEO_STK1160_AC97=y
> CONFIG_VIDEO_STK1160=m
3782c3829
< # CONFIG_VIDEO_EM28XX_V4L2 is not set
---
> CONFIG_VIDEO_EM28XX_V4L2=m
3886c3933
< # CONFIG_USB_RAREMONO is not set
---
> CONFIG_USB_RAREMONO=m
3953a4001
> CONFIG_VIDEO_TVP5150=m
3973a4022
> CONFIG_VIDEO_MT9V011=m
4178c4227
< # CONFIG_DRM_LOAD_EDID_FIRMWARE is not set
---
> CONFIG_DRM_LOAD_EDID_FIRMWARE=y
4317c4366
< # CONFIG_FB_SIMPLE is not set
---
> CONFIG_FB_SIMPLE=y
4541c4590
< # CONFIG_HID_ELO is not set
---
> CONFIG_HID_ELO=m
4597c4646
< # CONFIG_HID_XINMO is not set
---
> CONFIG_HID_XINMO=m
4751c4800
< # CONFIG_USB_SERIAL_MXUPORT is not set
---
> CONFIG_USB_SERIAL_MXUPORT=m
4887a4937,4938
> # CONFIG_MMC_SDHCI_PXAV3 is not set
> # CONFIG_MMC_SDHCI_PXAV2 is not set
5223c5274
< # CONFIG_COMEDI_MF6X4 is not set
---
> CONFIG_COMEDI_MF6X4=m
5276,5277c5327,5330
< # CONFIG_R8188EU is not set
< # CONFIG_R8821AE is not set
---
> CONFIG_R8188EU=m
> CONFIG_88EU_AP_MODE=y
> CONFIG_88EU_P2P=y
> CONFIG_R8821AE=m
5280c5333,5334
< # CONFIG_RTS5208 is not set
---
> CONFIG_RTS5208=m
> # CONFIG_RTS5208_DEBUG is not set
5469c5523
< # CONFIG_HP_WIRELESS is not set
---
> CONFIG_HP_WIRELESS=m
5507c5561,5571
< # CONFIG_CHROME_PLATFORMS is not set
---
> CONFIG_CHROME_PLATFORMS=y
> CONFIG_CHROMEOS_LAPTOP=m
> CONFIG_CHROMEOS_PSTORE=m
> CONFIG_CLKDEV_LOOKUP=y
> CONFIG_HAVE_CLK_PREPARE=y
> CONFIG_COMMON_CLK=y
> 
> #
> # Common Clock Framework
> #
> # CONFIG_COMMON_CLK_SI5351 is not set
5663c5727
< # CONFIG_HID_SENSOR_INCLINOMETER_3D is not set
---
> CONFIG_HID_SENSOR_INCLINOMETER_3D=m
5694c5758,5759
< # CONFIG_POWERCAP is not set
---
> CONFIG_POWERCAP=y
> CONFIG_INTEL_RAPL=m
5947c6012
< # CONFIG_CEPH_FS_POSIX_ACL is not set
---
> CONFIG_CEPH_FS_POSIX_ACL=y
6062c6127
< CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x1
---
> CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x01b6
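Review bot: the CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE change from 0x1 to 0x01b6 deserves its own sentence in the post, because it alters runtime behaviour and not hardware support: 0x1 enables every SysRq function, while 0x01b6 is a bitmask that leaves out the process/register dump functions (0x8) and the process signalling functions (0x40). State that the narrower mask is intended, so anyone reusing the -02 config knows it left all SysRq functions enabled.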
6474c6539
< # CONFIG_CRYPTO_CRCT10DIF_PCLMUL is not set
---
> CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m
6485,6486c6550,6551
< # CONFIG_CRYPTO_SHA256_SSSE3 is not set
< # CONFIG_CRYPTO_SHA512_SSSE3 is not set
---
> CONFIG_CRYPTO_SHA256_SSSE3=m
> CONFIG_CRYPTO_SHA512_SSSE3=m
6506,6507c6571,6572
< # CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64 is not set
< # CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64 is not set
---
> CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=m
> CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m
6510c6575
< # CONFIG_CRYPTO_CAST5_AVX_X86_64 is not set
---
> CONFIG_CRYPTO_CAST5_AVX_X86_64=m
6512c6577
< # CONFIG_CRYPTO_CAST6_AVX_X86_64 is not set
---
> CONFIG_CRYPTO_CAST6_AVX_X86_64=m
6522c6587
< # CONFIG_CRYPTO_SERPENT_AVX2_X86_64 is not set
---
> CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m
6550c6615,6617
< # CONFIG_CRYPTO_DEV_CCP is not set
---
> CONFIG_CRYPTO_DEV_CCP=y
> CONFIG_CRYPTO_DEV_CCP_DD=m
> CONFIG_CRYPTO_DEV_CCP_CRYPTO=m
6596c6663
< CONFIG_CRC8=m
---
> # CONFIG_CRC8 is not set
6622a6690
> CONFIG_BCH=m

That diff reflects changes in the kernel, the advancements of different
methods, and relinquishing of others, and also changes in hardware support since
the last one Debian kernel team's config that I based my packages on.

No, I'm not an expert, I do not understand all the stories on all the
particular modules. The gist I do grasp very well.

What I need to say here also is, the important changes for us who build
Grsecurity kernels, are not in the diff. Because I used exactly the same
configuration (I did that part manually, but comparing the 3.14.2 based .config
in one menuconfig, on the 3.14.4-grsec140521-02 old linux sources which I had
already built, with, in another terminal, the 3.14.4-grsec140521-10 linux
sources that only yet were to be built) for Grsecurity.

And, of course, importantly for us, removing all the reminiscence, as much as that
can be done, of the NSA SELinux and some other "security" options, but really
spying-excused-on-security, according to many voices, all of them getting all
the more stifled in the bigbrotherly Orwellian world of today.

And I believe my packages do have all the hardware support that regular
(SELinux on top, that is what we want without) Debian GNU/Linux kernel, which I
base my packages upon, have.

But I'm not an expert. This is my best try to make matters more honest.

Support, advice, help, will be welcome.

And I made a huge time expenditure, which I can not really cover for. I'm out
for a while now (other than being around a little longer to be able to follow
on replies, if any).

Miroslav Rovis
http://www.CroatiaFidelis.hr

P.S. I really was to go, but I remembered the other efforts in applying
Grsecurity into Debian, as:

https://wiki.debian.org/Mempo
and
http://molly.corsac.net/~corsac/debian/ ... /packages/

which both build on wheezy.

( pls. see Debian official stance on Grsecurity:
https://wiki.debian.org/grsecurity )

I hope those are sooner than later developed into fully-fledged projects, and
also get bleeding edge, and get support more and more in among the general
public.

But if you really want Grsecurity on bleeding edge Debian, and it's still, for
my taste, as well as in my experience, more often than not, stable rather than
not, the kind of install that I deploy here, is the way to go.

However, a huge number of Debian users are simply thrown upon them NSA SELinux kernel in their systems, and newbies just can't know to choose.
So my way here is weaning them off. I hope this Tips page is useful in that
sense. It is not meant as rival to other ways of introducing the real security,
the Grsecurity/Pax into Debian.

I'm posting this after publishing the packages. They will be at the usual
address:

http://www.croatiafidelis.hr/gnu/deb/li ... c-current/
(which will be a symlink to:
http://www.croatiafidelis.hr/gnu/deb/li ... sec140521/ )

Just think (and also you can see times from the timestamps of files in that
directory) the rate at which I upload is around:

50KB/s

That, on top of slow compilation, huge time to upload (I have to thank Iskon
Croatia here, because I pay for more, but they don't deliver more, they even
cut my connection all through, a few times)...

That huge time to upload is, as I wrote, and have no desire left to repeat in
its entirety, you can find it in previous post, and in the script, is the
measure of my disgust.

#31 Post by timbgo »

timbgo wrote: ...[snip]...
at the usual address:

http://www.croatiafidelis.hr/gnu/deb/li ... c-current/
(which will be a symlink to:
http://www.croatiafidelis.hr/gnu/deb/li ... sec140521/ )
No. the symlink is back to:
http://www.croatiafidelis.hr/gnu/deb/li ... sec140430/
and while I am not competent to talk about source which those guys read as drink water, and I struggle with, I think I am free to make my conjectures as to what happened.
Pls. make your conjectures yourself by looking into the changes.
The last one who, IIUC correctly, contributed code to grsecurity before the bad version
grsecurity-3.0-3.14.4-201405141623.patch
was, Linus the Dear Leader in person...
See for yourself:
https://www.grsecurity.net/changelog-test.txt
Sure, Spender took time to get the right version out, Linus is a genius... and, on top of that, sometimes, with code, I bet there are areas that you don't easily figure out where and what,..

So, if you're compiling, use the latest 3.14.4:
https://www.grsecurity.net/download.php
which is currently:
grsecurity-3.0-3.14.4-201405252047.patch

that is, with my script for beginners, downloaded from github:
https://github.com/miroR/grsec-deb-compile
or from CroatiaFidelis.hr if I suggested otherwise, yet, previously...

timbgo wrote:Just think (and also you can see times from the timestamps of files in that
directory) the rate at which I upload is around:

50KB/s

That, on top of slow compilation, huge time to upload (I have to thank Iskon
Croatia here, because I pay for more, but they don't deliver more, they even
cut my connection all through, a few times)...

...[snip]...
But, if you want me to post the new packages, which I compiled, you need to, a few of you at least, kindly ask Iskon Hrvatska (Croatia) to release my upload connection to full speed that I paid to them for, and not the trickle they allow me for.
Try:

help@iskon.hr

or

support@iskon.hr

Should work.

Thanks,
Miroslav Rovis
http://www.CroatiaFidelis.hr

#32 Post by timbgo »

http://www.croatiafidelis.hr/gnu/deb/li ... c-current/
now contains 3.14.6 grsec-patched kernel packages

And at any time, with the current Grsec patch, you can use the script-guide
for beginners from:
https://github.com/miroR/grsec-deb-compile
(or if you want to check the script with PGP:
http://www.croatiafidelis.hr/gnu/deb/gr ... compile.sh
and
http://www.croatiafidelis.hr/gnu/deb/gr ... ile.sh.sig )
With grsec-deb-compile.sh you also build debugger, which I am no longer posting for download from now, too slow connection, most users don't really need it.

See also:
Tips on Grsecurity installation for Debian newbies
https://forums.grsecurity.net/viewtopic ... 5&start=15

and if you are deciding for yourself on which kernel to use on your Debian, see this:
Tips on Grsecurity installation for Gentoo newbies
https://forums.grsecurity.net/viewtopic.php?f=3&t=3974
where some very crucial and very important information applies to all of the GNU/Linux

Miroslav Rovis
http://www.CroatiaFidelis.hr

#33 Post by timbgo »

I should soon be working to post more on Grsecurity Install in Debian.

Miroslav Rovis
Zagreb, Croatia
www.CroatiaFidelis.hr

#34 Post by timbgo »

As usual, the new packages (just no more debugger for stated reasons, man it's 50K/s that my provider Iskon Croatia is letting me, sorry, choking me, have, the upload speed)...

As usual, the new packages are at:

http://www.croatiafidelis.hr/gnu/deb/li ... c-current/

And you don't need to anymore click on each link to download the entire set of packages.

Download, say into a proverbial empty directory, first just the:

http://www.croatiafidelis.hr/gnu/deb/li ... Lo-wget.sh

(dLo is for download, wget is the fine program by Hrvoje Nikšić from Croatia for command line downloads)

Then do:

Code: Select all

$ chmod 755 dLo-wget.sh
$ ./dLo-wget.sh

That will download all the packages for you.

Then do

Code: Select all

$ gpg --verify deb-kern-3.15.5-grsec.sum.sig

which must give you good signature, else do not continue. How to use GnuPG is out of scope here, but you can study the script below and see how to get PGP keys and verify signatures from my script that I mention below.

Then you need to check the packages are fine with:

Code: Select all

$ sha256sum -c deb-kern-3.15.5-grsec.sum

All packages must be shown OK, else, do not continue.

And then, as root, install them:

Code: Select all

dpkg -i *.deb

Those packages are for people who want to introduce themselves to Grsec.
They are made on an old AMD64 system, and consequently they should work on almost any AMD64 system, which is the benefit.
The disadvantage is that they are probably not optimized well for newer mightier systems.

However, you can most probably compile better packages for yourself with the script that I have not changed in some months now, because it's just some typos that need changing, all the functionality is working fine.

That script is in various places, such as:
https://github.com/miroR/grsec-deb-compile
as well as:
http://www.croatiafidelis.hr/gnu/deb/gr ... compile.sh
(which is recommended if you want to verify the script with PGP)

Grsec is the sine qua non of security in GNU/Linux.
Cheers!

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
================================================
P.S.
Important to mention for those who try and install things quickly:
This above, is almost all. Just a few things will be missing once you boot (best to do them before you boot into, but, it's just a minor nuisance rebooting and doing after).
Oh, yes, some of the stuff is necessary to be previous to install, or if install fails, and that is sort some binaries with paxctl (the grub binaries for instance).
I wrote on those previously, it's easy solving those once you're familiar with it, and it's mentioned in the right places in the script I suggest to you above.
Anyway, probably the most of your potential difficulties will be solved if you go through the previous posts in this topic.
And, surely, the documentation for Debian kernel and Grsecurity documentation, is recommended.
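The verify-then-install sequence from the post above, gated in one script so that `dpkg -i *.deb` is only reached when every step passed. This is an added example, not part of the original post or the author's scripts: the function names are hypothetical, `EXPECTED_FPR` is a placeholder because the signer's key fingerprint is not given on this page, and it goes one step beyond the post by rejecting `.deb` files that the signed checksum list does not cover.

```shell
#!/bin/sh
# Added example, not the thread author's script. Function names are hypothetical.
# EXPECTED_FPR is a placeholder: the signer's key fingerprint is not on this page.
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_SIGNER_PRIMARY_KEY_FINGERPRINT}"

# Read gpg --status-fd output on stdin and print the primary-key fingerprint
# (last field of the VALIDSIG line). Prints nothing if no signature validated.
# Assumes a GnuPG version that appends the primary-key fingerprint to VALIDSIG.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# True only if FILE.sig is a valid detached signature over FILE made by
# EXPECTED_FPR. The exit code of a bare "gpg --verify" is not enough: it is 0
# for a good signature from any key that happens to be in the keyring.
signature_ok() {
    so_file=$1
    so_fpr=$(gpg --batch --status-fd 1 --verify "$so_file.sig" "$so_file" \
                 2>/dev/null | validsig_fpr)
    [ -n "$so_fpr" ] && [ "$so_fpr" = "$EXPECTED_FPR" ]
}

# Print every *.deb in DIR that SUMFILE does not list. "sha256sum -c" checks
# only the listed files, while "dpkg -i *.deb" installs whatever is in DIR.
unlisted_debs() {
    ud_sums=$1
    ud_dir=$2
    for ud_path in "$ud_dir"/*.deb; do
        [ -e "$ud_path" ] || continue
        ud_name=${ud_path##*/}
        # Sum lines are "<hash>  <name>" (text) or "<hash> *<name>" (binary).
        awk -v n="$ud_name" '{ p = $2; sub(/^\*/, "", p); if (p == n) found = 1 }
                             END { exit !found }' "$ud_sums" \
            || printf '%s\n' "$ud_name"
    done
}

# Full gate: signature first, then checksums, then the unlisted-file check.
# Returns 0 only when all three passed for the packages in DIR.
release_ok() {
    ro_sum=$1
    ro_dir=${2:-.}
    signature_ok "$ro_dir/$ro_sum" \
        || { echo "signature missing, bad, or not from EXPECTED_FPR" >&2; return 1; }
    ( cd "$ro_dir" && sha256sum -c --strict --quiet "$ro_sum" ) \
        || { echo "checksum failure" >&2; return 1; }
    ro_extra=$(unlisted_debs "$ro_dir/$ro_sum" "$ro_dir")
    [ -z "$ro_extra" ] \
        || { echo "not covered by $ro_sum: $ro_extra" >&2; return 1; }
}

# Usage: sh this-script deb-kern-3.15.5-grsec.sum [directory]
if [ "$#" -ge 1 ]; then
    release_ok "$@" && echo "All checks passed; as root: dpkg -i *.deb"
fi
```

Set `EXPECTED_FPR` in the environment to the fingerprint obtained out of band before running it in the download directory.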


#35 Post by timbgo »

As far as your free time and interest (and free mind) allows you, for those following my Grsec/Pax Tip which you're reading now, in the first place, please [*] just those following my Tip, OK, have a look at:

Defeat and Hope for GNU/Linux
http://forums.debian.net/viewtopic.php?f=3&t=116472

I'm writing this ahead of time, as you may, in some time, not be getting any more of my updates as has been so far, but I'm on a quest to build something that I can trust instead.

Namely I don't trust systemD and packages around it at all. And it's the default for Jessie.

As you can see on that page, and I'll just paste over here the lines to further, actually, modify in effect, as my research further clarifies, now:
timbgo wrote:Either Mempo pulls truly off and stands up on its feet, which if it happens, my
joy will be immense, the preferable outcome.

Or someone helps me figure out how to revert form non-systemd in my Jessie, and
keep on with my Grsecurity Tip, as all these months for almost one year now,
the consolatory outcome.

I'm betting on Mempo, and I think I'll try and become a tester.
No, I'm not betting on it, I'm only hoping, with some doubts how they could possibly succeed.
The developer base in Mempo is still too small, the tasks too big. I will keep my fingers crossed that they make it, and will be immensely happy if they do, but I'm not betting on it...
I tried to contact them via the offered irc chat, only once, true.
And I've been studying their pages, learned a lot from references offered, thanks.
But also there are unclarities and also incorrect and arbitrary presentations there.

Such as on Gentoo. No, Mempo people, not true. I'm referring to this:
http://mempo.org/index.html#hover1
Pls have a look at places such as:
Project:Hardened uClibc/Lilblue
https://wiki.gentoo.org/wiki/Project:Ha ... bc/Lilblue
as well as (referred to from Lilblue):
Features (on Ubuntu Wiki)
https://wiki.ubuntu.com/Security/Features

And as far as the "consolatory outcome" goes, if any of bigger boys from Debian are reading this (PLEA: I don't need negative nit picking advice, pls. refrain from such, just put me in your personal ignore list instead), I am looking for a shortcut without too much work on my, pages where the howto live in Jessie without systemD, if such pages exist, or can be found such info in less than a few dozen of pages that don't have that information sparsed in among reams of non-related information.

And then I could keep on with this tutorial on Jessie.

I'm not leaving just yet, I don't think, I'm weighing my options.

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

[*] equally, I won't bother anywhere where SELinux', systemD's or other fans congregate, freedom and choice to everybody!
======= cut out all underneath if verifying hashes ========
The file corresponding to this post has publictimstamp # 1236932
--
publictimestamp.org/ptb/PTB-21273 sha256 2014-08-02 12:01:45
C8792654DB0D24F510F4EAA4C2A14B657F2C1B1009B22C71C5F0F50DC939E098
Since I already pts'd the page, correction can now only go here:
Above, where you see it, should instead read:
I am looking for a shortcut without too much work of my own, pages where the howto lives about Jessie without systemD, if such pages exist, or if such info can be found in less than a few dozen of pages that don't have that information sparsed in among reams of non-related information.

And then I could keep on with this Grsec/Pax Tips page on Jessie.