Grsecurity/Pax installation on Debian GNU/Linux

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#106 Post by timbgo »

https://www.croatiafidelis.hr/gnu/deb/l ... 180816-16/
see previous posts for how to install it and other things.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#107 Post by timbgo »

https://www.croatiafidelis.hr/gnu/deb/l ... 180820-16/
see previous posts for how to install it and other things.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#108 Post by timbgo »

I am going to post what the script:
https://github.com/a13xp0p0v/kconfig-hardened-check
( see here also: http://www.openwall.com/lists/kernel-ha ... 18/07/18/1 )
thinks about my latest offered packages (see immediately previous post to this).

Pls. compare it to what kconfig-hardened-check thinks of the latest kernel in Debian/Devuan (reminder: I run Devuan, but the kernel is the same to the bit: it's not changed, just merged into the Devuan package repo), the linux-image-4.16.0-2-amd64; I'll post those findings in the next post.

# kconfig-hardened-check.py -c /boot/config-4.9.122-dappersec180820-16


[+] Checking "/boot/config-4.9.122-dappersec180820-16" against hardening preferences...
  option name                            | desired val | decision |       reason       ||        check result        
  ===================================================================================================================
  CONFIG_BUG                             |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_PAGE_TABLE_ISOLATION            |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_RETPOLINE                       |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_X86_64                          |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_STRICT_KERNEL_RWX               |      y      | ubuntu18 |  self_protection   ||CONFIG_DEBUG_RODATA: OK ("y")
  CONFIG_DEBUG_WX                        |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_RANDOMIZE_BASE                  |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_RANDOMIZE_MEMORY                |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_STACKPROTECTOR_STRONG           |      y      | ubuntu18 |  self_protection   ||CONFIG_CC_STACKPROTECTOR_STRONG: OK ("y")
  CONFIG_VMAP_STACK                      |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_THREAD_INFO_IN_TASK             |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_SCHED_STACK_END_CHECK           |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_SLUB_DEBUG                      |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_SLAB_FREELIST_HARDENED          |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_SLAB_FREELIST_RANDOM            |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_HARDENED_USERCOPY               |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_FORTIFY_SOURCE                  |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_STRICT_MODULE_RWX               |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_MODULE_SIG                      |      y      | ubuntu18 |  self_protection   ||     FAIL: "is not set"     
  CONFIG_MODULE_SIG_ALL                  |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_MODULE_SIG_SHA512               |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_SYN_COOKIES                     |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_DEFAULT_MMAP_MIN_ADDR           |    65536    | ubuntu18 |  self_protection   ||             OK             
  CONFIG_BUG_ON_DATA_CORRUPTION          |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_PAGE_POISONING                  |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_GCC_PLUGINS                     |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_GCC_PLUGIN_RANDSTRUCT           |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_GCC_PLUGIN_STRUCTLEAK           |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_GCC_PLUGIN_LATENT_ENTROPY       |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_REFCOUNT_FULL                   |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_DEBUG_LIST                      |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_DEBUG_SG                        |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_DEBUG_CREDENTIALS               |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_DEBUG_NOTIFIERS                 |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_MODULE_SIG_FORCE                |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_HARDENED_USERCOPY_FALLBACK      | is not set  |   kspp   |  self_protection   ||       OK: not found        
  CONFIG_GCC_PLUGIN_STACKLEAK            |      y      |    my    |  self_protection   ||      FAIL: not found       
  CONFIG_SLUB_DEBUG_ON                   |      y      |    my    |  self_protection   ||      FAIL: not found       
  CONFIG_SECURITY_DMESG_RESTRICT         |      y      |    my    |  self_protection   ||             OK             
  CONFIG_STATIC_USERMODEHELPER           |      y      |    my    |  self_protection   ||      FAIL: not found       
  CONFIG_PAGE_POISONING_NO_SANITY        | is not set  |    my    |  self_protection   ||         FAIL: "y"          
  CONFIG_PAGE_POISONING_ZERO             | is not set  |    my    |  self_protection   ||             OK             
  CONFIG_SECURITY                        |      y      | ubuntu18 |  security_policy   ||             OK             
  CONFIG_SECURITY_YAMA                   |      y      | ubuntu18 |  security_policy   ||      FAIL: not found       
  CONFIG_SECURITY_SELINUX_DISABLE        | is not set  | ubuntu18 |  security_policy   ||       OK: not found        
  CONFIG_SECCOMP                         |      y      | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_SECCOMP_FILTER                  |      y      | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_STRICT_DEVMEM                   |      y      | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_ACPI_CUSTOM_METHOD              | is not set  | ubuntu18 | cut_attack_surface ||       OK: not found        
  CONFIG_COMPAT_BRK                      | is not set  | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_DEVKMEM                         | is not set  | ubuntu18 | cut_attack_surface ||       OK: not found        
  CONFIG_COMPAT_VDSO                     | is not set  | ubuntu18 | cut_attack_surface ||       OK: not found        
  CONFIG_X86_PTDUMP                      | is not set  | ubuntu18 | cut_attack_surface ||       OK: not found        
  CONFIG_ZSMALLOC_STAT                   | is not set  | ubuntu18 | cut_attack_surface ||       OK: not found        
  CONFIG_PAGE_OWNER                      | is not set  | ubuntu18 | cut_attack_surface ||       OK: not found        
  CONFIG_DEBUG_KMEMLEAK                  | is not set  | ubuntu18 | cut_attack_surface ||       OK: not found        
  CONFIG_BINFMT_AOUT                     | is not set  | ubuntu18 | cut_attack_surface ||       OK: not found        
  CONFIG_IO_STRICT_DEVMEM                |      y      |   kspp   | cut_attack_surface ||             OK             
  CONFIG_LEGACY_VSYSCALL_NONE            |      y      |   kspp   | cut_attack_surface ||     FAIL: "is not set"     
  CONFIG_BINFMT_MISC                     | is not set  |   kspp   | cut_attack_surface ||         FAIL: "m"          
  CONFIG_INET_DIAG                       | is not set  |   kspp   | cut_attack_surface ||         FAIL: "m"          
  CONFIG_KEXEC                           | is not set  |   kspp   | cut_attack_surface ||       OK: not found        
  CONFIG_PROC_KCORE                      | is not set  |   kspp   | cut_attack_surface ||       OK: not found        
  CONFIG_LEGACY_PTYS                     | is not set  |   kspp   | cut_attack_surface ||             OK             
  CONFIG_IA32_EMULATION                  | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_X86_X32                         | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_MODIFY_LDT_SYSCALL              | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_HIBERNATION                     | is not set  |   kspp   | cut_attack_surface ||       OK: not found        
  CONFIG_KPROBES                         | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_UPROBES                         | is not set  |grsecurity| cut_attack_surface ||             OK             
  CONFIG_GENERIC_TRACER                  | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_PROC_VMCORE                     | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_PROC_PAGE_MONITOR               | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_USELIB                          | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_CHECKPOINT_RESTORE              | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_USERFAULTFD                     | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_HWPOISON_INJECT                 | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_MEM_SOFT_DIRTY                  | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_DEVPORT                         | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_DEBUG_FS                        | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_NOTIFIER_ERROR_INJECTION        | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_KEXEC_FILE                      | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_LIVEPATCH                       | is not set  |    my    | cut_attack_surface ||       OK: not found        
  CONFIG_USER_NS                         | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_IP_DCCP                         | is not set  |    my    | cut_attack_surface ||         FAIL: "m"          
  CONFIG_IP_SCTP                         | is not set  |    my    | cut_attack_surface ||         FAIL: "m"          
  CONFIG_FTRACE                          | is not set  |    my    | cut_attack_surface ||       OK: not found        
  CONFIG_PROFILING                       | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_BPF_JIT                         | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_BPF_SYSCALL                     | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_ARCH_MMAP_RND_BITS              |     32      |    my    |userspace_protection||         FAIL: "27"         

[-] config check is NOT PASSED: 42 errors
Last edited by timbgo on 2018-08-21 20:42, edited 1 time in total.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#109 Post by timbgo »

The same script, on the latest stock Debian kernel:
kconfig-hardened-check.py -c /boot/config-4.16.0-2-amd64


[+] Checking "/boot/config-4.16.0-2-amd64" against hardening preferences...
  option name                            | desired val | decision |       reason       ||        check result        
  ===================================================================================================================
  CONFIG_BUG                             |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_PAGE_TABLE_ISOLATION            |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_RETPOLINE                       |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_X86_64                          |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_STRICT_KERNEL_RWX               |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_DEBUG_WX                        |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_RANDOMIZE_BASE                  |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_RANDOMIZE_MEMORY                |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_STACKPROTECTOR_STRONG           |      y      | ubuntu18 |  self_protection   ||CONFIG_CC_STACKPROTECTOR_STRONG: OK ("y")
  CONFIG_VMAP_STACK                      |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_THREAD_INFO_IN_TASK             |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_SCHED_STACK_END_CHECK           |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_SLUB_DEBUG                      |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_SLAB_FREELIST_HARDENED          |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_SLAB_FREELIST_RANDOM            |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_HARDENED_USERCOPY               |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_FORTIFY_SOURCE                  |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_STRICT_MODULE_RWX               |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_MODULE_SIG                      |      y      | ubuntu18 |  self_protection   ||     FAIL: "is not set"     
  CONFIG_MODULE_SIG_ALL                  |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_MODULE_SIG_SHA512               |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_SYN_COOKIES                     |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_DEFAULT_MMAP_MIN_ADDR           |    65536    | ubuntu18 |  self_protection   ||             OK             
  CONFIG_BUG_ON_DATA_CORRUPTION          |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_PAGE_POISONING                  |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_GCC_PLUGINS                     |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_GCC_PLUGIN_RANDSTRUCT           |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_GCC_PLUGIN_STRUCTLEAK           |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_GCC_PLUGIN_LATENT_ENTROPY       |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_REFCOUNT_FULL                   |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_DEBUG_LIST                      |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_DEBUG_SG                        |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_DEBUG_CREDENTIALS               |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_DEBUG_NOTIFIERS                 |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_MODULE_SIG_FORCE                |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_HARDENED_USERCOPY_FALLBACK      | is not set  |   kspp   |  self_protection   ||             OK             
  CONFIG_GCC_PLUGIN_STACKLEAK            |      y      |    my    |  self_protection   ||      FAIL: not found       
  CONFIG_SLUB_DEBUG_ON                   |      y      |    my    |  self_protection   ||     FAIL: "is not set"     
  CONFIG_SECURITY_DMESG_RESTRICT         |      y      |    my    |  self_protection   ||             OK             
  CONFIG_STATIC_USERMODEHELPER           |      y      |    my    |  self_protection   ||     FAIL: "is not set"     
  CONFIG_PAGE_POISONING_NO_SANITY        | is not set  |    my    |  self_protection   ||         FAIL: "y"          
  CONFIG_PAGE_POISONING_ZERO             | is not set  |    my    |  self_protection   ||             OK             
  CONFIG_SECURITY                        |      y      | ubuntu18 |  security_policy   ||             OK             
  CONFIG_SECURITY_YAMA                   |      y      | ubuntu18 |  security_policy   ||             OK             
  CONFIG_SECURITY_SELINUX_DISABLE        | is not set  | ubuntu18 |  security_policy   ||             OK             
  CONFIG_SECCOMP                         |      y      | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_SECCOMP_FILTER                  |      y      | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_STRICT_DEVMEM                   |      y      | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_ACPI_CUSTOM_METHOD              | is not set  | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_COMPAT_BRK                      | is not set  | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_DEVKMEM                         | is not set  | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_COMPAT_VDSO                     | is not set  | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_X86_PTDUMP                      | is not set  | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_ZSMALLOC_STAT                   | is not set  | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_PAGE_OWNER                      | is not set  | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_DEBUG_KMEMLEAK                  | is not set  | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_BINFMT_AOUT                     | is not set  | ubuntu18 | cut_attack_surface ||       OK: not found        
  CONFIG_IO_STRICT_DEVMEM                |      y      |   kspp   | cut_attack_surface ||             OK             
  CONFIG_LEGACY_VSYSCALL_NONE            |      y      |   kspp   | cut_attack_surface ||             OK             
  CONFIG_BINFMT_MISC                     | is not set  |   kspp   | cut_attack_surface ||         FAIL: "m"          
  CONFIG_INET_DIAG                       | is not set  |   kspp   | cut_attack_surface ||         FAIL: "m"          
  CONFIG_KEXEC                           | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_PROC_KCORE                      | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_LEGACY_PTYS                     | is not set  |   kspp   | cut_attack_surface ||             OK             
  CONFIG_IA32_EMULATION                  | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_X86_X32                         | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_MODIFY_LDT_SYSCALL              | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_HIBERNATION                     | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_KPROBES                         | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_UPROBES                         | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_GENERIC_TRACER                  | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_PROC_VMCORE                     | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_PROC_PAGE_MONITOR               | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_USELIB                          | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_CHECKPOINT_RESTORE              | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_USERFAULTFD                     | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_HWPOISON_INJECT                 | is not set  |grsecurity| cut_attack_surface ||         FAIL: "m"          
  CONFIG_MEM_SOFT_DIRTY                  | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_DEVPORT                         | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_DEBUG_FS                        | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_NOTIFIER_ERROR_INJECTION        | is not set  |grsecurity| cut_attack_surface ||         FAIL: "m"          
  CONFIG_KEXEC_FILE                      | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_LIVEPATCH                       | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_USER_NS                         | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_IP_DCCP                         | is not set  |    my    | cut_attack_surface ||         FAIL: "m"          
  CONFIG_IP_SCTP                         | is not set  |    my    | cut_attack_surface ||         FAIL: "m"          
  CONFIG_FTRACE                          | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_PROFILING                       | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_BPF_JIT                         | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_BPF_SYSCALL                     | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_ARCH_MMAP_RND_BITS              |     32      |    my    |userspace_protection||         FAIL: "28"         

[-] config check is NOT PASSED: 47 errors
47 errors for this config vs. 42 for the config of the 4.9.122 kernel that I make the packages available for (see the post immediately before this one).

So... It's still probably safer with the free grsec kernel (dappersec)... Sorely missing the protections from Meltdown and Spectre, but most other protections are in place. And pls. note that it's a dev from the KSPP team. Hardly biased towards grsec.
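The two tables in posts #108 and #109 are produced by running kconfig-hardened-check over a kernel .config. The following is an added example (not the kconfig-hardened-check script's own code, and not timbgo's) that re-implements that kind of check in Python: it parses the .config format, applies the desired-value semantics visible in the tables ("y", a number, or "is not set", with "not found" for an absent symbol), emits the same verdict strings, and diffs two configs so that you see which protections changed rather than only the error count. The two .config fragments and the eight-option check list are constructed for the example; the option names, desired values and decision sources are copied from the tables above.

```python
"""Minimal re-implementation of the check shown in the thread's tables.
Added example, not the kconfig-hardened-check script's own code."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed .config fragments (not real kernel files). They mimic the
# 4.9 and 4.16 rows of the tables for the options checked below.
SAMPLE_OLD = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_BUG=y
# CONFIG_MODULE_SIG is not set
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# CONFIG_COMPAT_BRK is not set
CONFIG_BINFMT_MISC=m
CONFIG_ARCH_MMAP_RND_BITS=27
CONFIG_LOCALVERSION="-dappersec"
"""

SAMPLE_NEW = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_BUG=y
CONFIG_PAGE_TABLE_ISOLATION=y
# CONFIG_MODULE_SIG is not set
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
# CONFIG_COMPAT_BRK is not set
CONFIG_BINFMT_MISC=m
CONFIG_KEXEC=y
CONFIG_ARCH_MMAP_RND_BITS=28
"""

# (option, desired value, decision source, reason), as in the table header.
CHECKS: List[Tuple[str, str, str, str]] = [
    ("CONFIG_BUG", "y", "ubuntu18", "self_protection"),
    ("CONFIG_PAGE_TABLE_ISOLATION", "y", "ubuntu18", "self_protection"),
    ("CONFIG_MODULE_SIG", "y", "ubuntu18", "self_protection"),
    ("CONFIG_DEFAULT_MMAP_MIN_ADDR", "65536", "ubuntu18", "self_protection"),
    ("CONFIG_COMPAT_BRK", "is not set", "ubuntu18", "cut_attack_surface"),
    ("CONFIG_BINFMT_MISC", "is not set", "kspp", "cut_attack_surface"),
    ("CONFIG_KEXEC", "is not set", "kspp", "cut_attack_surface"),
    ("CONFIG_ARCH_MMAP_RND_BITS", "32", "my", "userspace_protection"),
]

SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


class CheckResult(NamedTuple):
    name: str
    desired: str
    decision: str
    reason: str
    result: str


def parse_kconfig(text: str) -> Dict[str, str]:
    """Map each CONFIG_ symbol to its value. Explicitly disabled symbols get
    the literal 'is not set'; symbols absent from the file get no entry,
    which is what the tool reports as 'not found'."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SET_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = UNSET_RE.match(line)
        if m:
            opts[m.group(1)] = "is not set"
    return opts


def check_option(opts: Dict[str, str], name: str, desired: str) -> str:
    """Reproduce the verdict strings seen in the thread's tables."""
    actual = opts.get(name)
    if desired == "is not set":
        # Wanting an option off: absent and explicitly unset both pass.
        if actual is None:
            return "OK: not found"
        return "OK" if actual == "is not set" else f'FAIL: "{actual}"'
    if actual is None:
        return "FAIL: not found"
    return "OK" if actual == desired else f'FAIL: "{actual}"'


def run_checks(config_text: str, checks=CHECKS) -> List[CheckResult]:
    opts = parse_kconfig(config_text)
    return [CheckResult(n, d, s, r, check_option(opts, n, d)) for n, d, s, r in checks]


def count_failures(results: List[CheckResult]) -> int:
    return sum(1 for r in results if r.result.startswith("FAIL"))


def diff_results(a: List[CheckResult], b: List[CheckResult]) -> List[Tuple[str, str, str]]:
    """Options whose verdict differs between two runs of the same checks."""
    return [(x.name, x.result, y.result) for x, y in zip(a, b) if x.result != y.result]


def format_report(results: List[CheckResult]) -> str:
    rows = [f"  {r.name:<38}|{r.desired:^13}|{r.decision:^10}|{r.reason:^20}||{r.result:^28}"
            for r in results]
    return "\n".join(rows) + f"\n[-] {count_failures(results)} errors"


if __name__ == "__main__":
    old, new = run_checks(SAMPLE_OLD), run_checks(SAMPLE_NEW)
    print(format_report(old))
    print(format_report(new))
    for name, was, now in diff_results(old, new):
        print(f"{name}: {was} -> {now}")
```

Both constructed configs score four failures, yet `diff_results` shows they fail on different things: the newer one gains page-table isolation but enables kexec. That is the caveat behind comparing "42 errors" with "47 errors" as the posts do: the count treats every option as equal weight, so the per-option diff is the number to read before deciding which kernel is safer.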

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#110 Post by timbgo »

https://www.croatiafidelis.hr/gnu/deb/l ... 180914-10/
see previous posts for how to install it and other things.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#111 Post by timbgo »

https://www.croatiafidelis.hr/gnu/deb/l ... 180924-07/
see previous posts for how to install it and other things.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#112 Post by timbgo »

timbgo wrote: So... It's still probably safer with the free grsec kernel (dappersec)... Sorely missing the protections from Meltdown and Spectre, but most other protections are in place. And pls. note that it's a dev from the KSPP team. Hardly biased towards grsec.
No, it's probably not... While I haven't studied those in depth, it's probably Meltdown and Spectre that are the most important to have countermeasures against in your kernel, and grsec/dappersec can't at this time, and there seems to be no interest from spender and the PaX Team, the authors... and grsec/dappersec can't protect you from those...
I think I'm closing my engagement with what is left in the open FOSS world of grsecurity.

See also:
https://github.com/dapperlinux/dapper-s ... -427653248
and
https://github.com/minipli/linux-unoffi ... -427652732

Regards!

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England

Re: Grsecurity/Pax installation on Debian GNU/Linux

#113 Post by Head_on_a_Stick »

The Arch repositories have started including a linux-hardened package:

https://git.archlinux.org/svntogit/pack ... x-hardened

If I have the time I may attempt to package this up for Debian (or maybe a version for the LTS branch with the same configuration) because I think we need a hardened kernel version as well.

For the interested, here is a great Masters thesis that covers the subject of kernel vulnerabilities in some depth:

https://github.com/maxking/linux-vulner ... s-10-years
deadbang
