Grsecurity/Pax installation on Debian GNU/Linux

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#31 Post by timbgo »

timbgo wrote: ...[snip]...
at the usual address:

http://www.croatiafidelis.hr/gnu/deb/li ... c-current/
(which will be a symlink to:
http://www.croatiafidelis.hr/gnu/deb/li ... sec140521/ )
No. The symlink is back to:
http://www.croatiafidelis.hr/gnu/deb/li ... sec140430/
and while I am not competent to talk about source which those guys read as drink water, and I struggle with, I think I am free to make my conjectures as to what happened.
Pls. make your conjectures yourself by looking into the changes.
The last one who, IIUC correctly, contributed code to grsecurity before the bad version
grsecurity-3.0-3.14.4-201405141623.patch
was, Linus the Dear Leader in person...
See for yourself:
https://www.grsecurity.net/changelog-test.txt
Sure, Spender took time to get the right version out, Linus is a genius... and, on top of that, sometimes, with code, I bet there are areas that you don't easily figure out where and what,..

So, if you're compiling, use the latest 3.14.4:
https://www.grsecurity.net/download.php
which is currently:
grsecurity-3.0-3.14.4-201405252047.patch

that is, with my script for beginners, downloaded from github:
https://github.com/miroR/grsec-deb-compile
or from CroatiaFidelis.hr if I suggested otherwise, yet, previously...

timbgo wrote:Just think (and also you can see times from the timestamps of files in that
directory) the rate at which I upload is around:

50KB/s

That, on top of slow compilation, huge time to upload (I have to thank Iskon
Croatia here, because I pay for more, but they don't deliver more, they even
cut my connection all through, a few times)...

...[snip]...
But, if you want me to post the new packages, which I compiled, you need to, a few of you at least, kindly ask Iskon Hrvatska (Croatia) to release my upload connection to full speed that I paid to them for, and not the trickle they allow me for.
Try:

help@iskon.hr

or

support@iskon.hr

Should work.

Thanks,
Miroslav Rovis
http://www.CroatiaFidelis.hr
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#32 Post by timbgo »

http://www.croatiafidelis.hr/gnu/deb/li ... c-current/
now contains 3.14.6 grsec-patched kernel packages

And at any time, with the current Grsec patch, you can use the script-guide
for beginners from:
https://github.com/miroR/grsec-deb-compile
(or if you want to check the script with PGP:
http://www.croatiafidelis.hr/gnu/deb/gr ... compile.sh
and
http://www.croatiafidelis.hr/gnu/deb/gr ... ile.sh.sig )
With grsec-deb-compile.sh you also build debugger, which I am no longer posting for download from now, too slow connection, most users don't really need it.

See also:
Tips on Grsecurity installation for Debian newbies
https://forums.grsecurity.net/viewtopic ... 5&start=15

and if you are deciding for yourself on which kernel to use on your Debian, see this:
Tips on Grsecurity installation for Gentoo newbies
https://forums.grsecurity.net/viewtopic.php?f=3&t=3974
where some very crucial and very important information applies to all of the GNU/Linux

Miroslav Rovis
http://www.CroatiaFidelis.hr

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#33 Post by timbgo »

I should soon be working to post more on Grsecurity Install in Debian.

Miroslav Rovis
Zagreb, Croatia
www.CroatiaFidelis.hr

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#34 Post by timbgo »

As usual, the new packages (just no more debugger for stated reasons, man it's 50K/s that my provider Iskon Croatia is letting me, sorry, choking me, have, the upload speed)...

As usual, the new packages are at:

http://www.croatiafidelis.hr/gnu/deb/li ... c-current/

And you don't need to anymore click on each link to download the entire set of packages.

Download, say into a proverbial empty directory, first just the:

http://www.croatiafidelis.hr/gnu/deb/li ... Lo-wget.sh

(dLo is for download, wget is the fine program by Hrvoje Nikšić from Croatia for command line downloads)

Then do:

Code: Select all

$ chmod 755 dLo-wget.sh
$ ./dLo-wget.sh
That will download all the packages for you.

Then do

Code: Select all

$ gpg --verify deb-kern-3.15.5-grsec.sum.sig
which must give you good signature, else do not continue. How to use GnuPG is out of scope here, but you can study the script below and see how to get PGP keys and verify signatures from my script that I mention below.

Then you need to check the packages are fine with:

Code: Select all

$ sha256sum -c deb-kern-3.15.5-grsec.sum
All packages must be shown OK, else, do not continue.

And then, as root, install them:

Code: Select all

dpkg -i *.deb
Those packages are for people who want to introduce themselves to Grsec.
They are made on an old AMD64 system, and consequently they should work on almost any AMD64 system, which is the benefit.
The disadvantage is that they are probably not optimized well for newer mightier systems.

However, you can most probably compile better packages for yourself with the script that I have not changed in some months now, because it's just some typos that need changing, all the functionality is working fine.

That script is in various places, such as:
https://github.com/miroR/grsec-deb-compile
as well as:
http://www.croatiafidelis.hr/gnu/deb/gr ... compile.sh
(which is recommended if you want to verify the script with PGP)

Grsec is the sine qua non of security in GNU/Linux.
Cheers!

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
================================================
P.S.
Important to mention for those who try and install things quickly:
This above, is almost all. Just a few things will be missing once you boot (best to do them before you boot into, but, it's just a minor nuisance rebooting and doing after).
Oh, yes, some of the stuff is necessary to be previous to install, or if install fails, and that is sort some binaries with paxctl (the grub binaries for instance).
I wrote on those previously, it's easy solving those once you're familiar with it, and it's mentioned in the right places in the script I suggest to you above.
Anyway, probably the most of your potential difficulties will be solved if you go through the previous posts in this topic.
And, surely, the documentation for Debian kernel and Grsecurity documentation, is recommended.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#35 Post by timbgo »

As far as your free time and interest (and free mind) allows you, for those following my Grsec/Pax Tip which you're reading now, in the first place, please [*] just those following my Tip, OK, have a look at:

Defeat and Hope for GNU/Linux
http://forums.debian.net/viewtopic.php?f=3&t=116472

I'm writing this ahead of time, as you may, in some time, not be getting any more of my updates as has been so far, but I'm on a quest to build something that I can trust instead.

Namely I don't trust systemD and packages around it at all. And it's the default for Jessie.

As you can see on that page, and I'll just paste over here the lines to further, actually, modify in effect, as my research further clarifies, now:
timbgo wrote:Either Mempo pulls truly off and stands up on its feet, which if it happens, my
joy will be immense, the preferable outcome.

Or someone helps me figure out how to revert from non-systemd in my Jessie, and
keep on with my Grsecurity Tip, as all these months for almost one year now,
the consolatory outcome.

I'm betting on Mempo, and I think I'll try and become a tester.
No, I'm not betting on it, I'm only hoping, with some doubts how they could possibly succeed.
The developer base in Mempo is still too small, the tasks too big. I will keep my fingers crossed that they make it, and will be immensely happy if they do, but I'm not betting on it...
I tried to contact them via the offered irc chat, only once, true.
And I've been studying their pages, learned a lot from references offered, thanks.
But also there are unclarities and also incorrect and arbitrary presentations there.

Such as on Gentoo. No, Mempo people, not true. I'm referring to this:
http://mempo.org/index.html#hover1
Pls have a look at places such as:
Project:Hardened uClibc/Lilblue
https://wiki.gentoo.org/wiki/Project:Ha ... bc/Lilblue
as well as (referred to from Lilblue):
Features (on Ubuntu Wiki)
https://wiki.ubuntu.com/Security/Features

And as far as the "consolatory outcome" goes, if any of bigger boys from Debian are reading this (PLEA: I don't need negative nit picking advice, pls. refrain from such, just put me in your personal ignore list instead), I am looking for a shortcut without too much work on my, pages where the howto live in Jessie without systemD, if such pages exist, or can be found such info in less than a few dozen of pages that don't have that information sparsed in among reams of non-related information.

And then I could keep on with this tutorial on Jessie.

I'm not leaving just yet, I don't think, I'm weighing my options.

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

[*] equally, I won't bother anywhere where SELinux', systemD's or other fans congregate, freedom and choice to everybody!
======= cut out all underneath if verifying hashes ========
The file corresponding to this post has publictimestamp # 1236932
--
publictimestamp.org/ptb/PTB-21273 sha256 2014-08-02 12:01:45
C8792654DB0D24F510F4EAA4C2A14B657F2C1B1009B22C71C5F0F50DC939E098
Since I already pts'd the page, correction can now only go here:
Above, where you see it, should instead read:
I am looking for a shortcut without too much work of my own, pages where the howto lives about Jessie without systemD, if such pages exist, or if such info can be found in less than a few dozen of pages that don't have that information sparsed in among reams of non-related information.

And then I could keep on with this Grsec/Pax Tips page on Jessie.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#36 Post by timbgo »

This is crucial time for my continuing the work, hopefully, or not (which I would not like if that had to happen, and which will certainly not immediately happen, as I wrote a few days ago here) with this Debian GNU/Linux Tips page on Grsecurity.

There is very little opportunity, other than with some determined hard work, for a Debian newbie to gain true understanding of what this is really about, because of the strong and merciless propaganda from the systemd-impositioners side, and if that continues to be so, the losing party will be the freedom itself.

The freedom will be the losing party, in its brightest and most beautiful quality: the privacy.

There is no privacy without security, and the only true security nowadays in GNU/Linux is where the two honest geniuses, Spender and Pax Team, and developers associated with them, work on fixing the holes in the kernel: the Grsecurity.

That is my view, and it is absolutely legitimate for me to say that here. However, if you want more on that, study my other posts, recent and earlier, as I can not indulge in it here, reasons also being too much, and often flaming, opposition from the systemd-supporters' side.

On that flaming and invading opposition though, proofs aplenty in the link that I will give next in this current post. And some of it is of the worst kind. Some of it is downright trolling, on me:

How to avoid stealth installation of systemd?
http://forums.debian.net/viewtopic.php?f=5&t=116770

Some of you, readers and users of my script-guide for beginners that this topic you're reading features, can perfectly understand me if I tell you:

There will be no more room left, not really, for us who want that aforesaid true security if the systemd becomes the sole way to go in Debian GNU/Linux, no there will not really be any more!

If the few dishonest people (remember there's a very very tiny minority who own the majority of world's resources generally, and into those tiny group these few of our concern belong)...

No, I'm not an insider nor an investigative journalist with sources to know about those few, I only reserve the right to deduce it logically from the big picture.

And the big picture, what is the big picture? Read, first, this mail by [IIUC] a Debian Developer:

================================================
https://lists.debian.org/debian-devel/2 ... 00143.html

> Can we get over this now and start making Jessie the most awesome stable
> release we've ever prepared together?

For some of us there will never be an awesome Debian release that at its core contains systemd. Its core developers, Lennart Poettering and Kay Sievers, work for a company that has multi-billion dollar contracts with NSA. It is your choice to assume good faith on their part. It is our choice not to.

Please respect our decision to stay away from systemd and still be Debian users. If possible, please, don't resist changes that make our lives easier.
================================================

You can also find plenty of discussion on who brought up those changes (and the few I mentioned are the movers and shakers of some of those companies that did bring about those changes) in, so far, probably the best (public) discussion in the GNU/Linux world to be found on the issue:

When (and if) Gentoo will switch to systemd?
https://forums.gentoo.org/viewtopic-t-981256.html

That's all I base my statement on. That Gentoo Forums discussion, however, is a very hefty read, and I am not sifting through it again just to provide details to support my claim. What I said, and referenced, suffices for my argument here. Check it out yourself, anyone, before potentially blaming me for bringing in a lame argument. That argument is not lame, just read that aforementioned voluminous Gentoo Forums discussion to check it.

In light of the above, my next thought. Actually I deployed the above reasoning for it.

My next thing to do regarding yours and mine true freedom, dear reader, which, again, there is none without what every and any in the world democratic country claims is the guaranteed right of their citizens: the right to secrecy in their communications, which translates to: privacy (yes privacy is: secrecy when you want it), which there is none, no privacy/secrecy there in computing, without security.

And do you really believe that spy agencies can provide you that security, which Debian has as default: the NSA's SELinux?... And I don't trust any other "security" either.... but only Grsecurity [for my privacy, and so for my freedom]...

But my next thing to do was a Tip in these forums on how to deploy Gradm, for full Grsecurity protection, because the sole installation of Grsecurity is fine, and protects you from most of the attacks, from almost all, but, alsa, not all..

Not all... There is a little left to do to gain full protection, which little cannot be done through patching the GNU/Linux kernel (which Grsecurity is: it is a set of patches to the kernel), and that little which still remains missing when Grsecurity patched kernel is installed in your system, can be done with Gradm:

for which pls. see:
the Download page
https://www.grsecurity.net/download.php

and the:
Grsecurity on Wikibooks page
https://en.wikibooks.org/wiki/Grsecurity

(in both of which find Gradm)

But Gradm is much, much harder to deploy on poetteringware-ruined (IMO) systems, of which poetteringware the systemd is (IMO) the absolutely most detrimental to GNU/Linux as we have known it by now.

Do you get my point, dear reader?

There have been reports and complaints on, I don't remember now exactly, but either systemd or some of its precursors/kindred like the *kits (consolekit, policykit), or somesuch, how Gradm cannot be properly/easily installed/configured on Grsecurity-patched Gentoo kernels, these things being hard or not doesn't depend of which distro we're talking.

What I mean, deploying Gradm and getting true privacy for your box (which your country's Constitution probably guarantees for you) is going to be much harder if we don't get systemd-free option for our Debian machines.

So dear reader, if you understand my points, and I'm sure some of you readers do understand me quite well, then please don't allow trolls to drown my new topic which I deployed to address the issue of getting for ourselves a systemd-free GNU/Linux Debian, the:

How to avoid stealth installation of systemd?
(link given nearer to the top of the post)

Don't allow it to be drowned. Instead, study the issue and try to help. You can help even if you just have honest questions, maybe on the methods to choose, which there are two there, and none contains complete advice in regard either from me or from some advanced user or developer, or with more relevant information, if you have any, if you are an advanced user or developer truly looking into these posts to help.

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

==== cut this line and all underneath if verifying hashes ====
File corresponding to this file, Deb_Grsec_140816.txt,
has Publictimestamp # 1238462
--
publictimestamp.org/ptb/PTB-21385 sha256 2014-08-16 12:01:45
4D4AF7DE153174FB93CB56F480EBA406AF53CBC79CB022E8A4FD4FD485DF49C2

CORRIGENDA 2014-08-17 23:34 CEST:
Replace: "from almost all, but, alsa, not all"
With: "from almost all, but, alas, not all"
Last edited by timbgo on 2014-08-17 21:36, edited 1 time in total.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#37 Post by timbgo »

On:

https://github.com/miroR/grsec-deb-compile/

you can now choose, not the default, which is master, but:

develop (branch)

and you can (you don't have to, you can go the old way, everything will be explained to you what to do) give three arguments to the script, such as:

Code: Select all

./grsec-deb-compile.sh grsecurity-3.0-3.15.10-201408140023 linux-3.15.10 \
    config-3.15.5-grsec140723-17
( the "\" just says it to ignore the newline, you may leave it out)

which is a little bit faster for regular users of the script.

Still lot of room for improvement of this primitive script in that there is nothing really at all here for advanced users, but for beginners there is.

Enjoy!

Miroslav Rovis
Zagreb, Croatia,
http://www.CroatiaFidelis.hr
============================
Ah, and the entire git archive for grsec-deb-compile is now PGP signed with my signature. It was all explained in the Help section by the GitHub.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#38 Post by timbgo »

Also, for those at the very beginning of acquainting themselves with GNU/Linux, I prepared the packages.

Open in a browser:

http://www.croatiafidelis.hr/gnu/deb/li ... c-current/

Right click on:

dLo-wget.sh

and in the menu that opens, left-click on "Copy link location".

Make an empty folder, maybe (substitute "ukrainian" with your username):

Code: Select all

$ mkdir ~ukrainian/grsec.d/
$ cd ~ukrainian/grsec.d/
$ wget 
...[snip]...
I'm interrupting it here to explain to you in a more easily understandable fashion.
After you typed "wget " (see the space there?), you now need to right click again.
The menu opens. Now left click on the "Paste" in that menu.

You now have a line like this one:

Code: Select all

$ mkdir ~ukrainian/grsec.d/
$ cd ~ukrainian/grsec.d/
$ wget http://www.croatiafidelis.hr/gnu/deb/linux-deb-3.15.10-grsec140817-00/dLo-wget.sh
$
in your terminal. If so, click Enter. It will download that file.

If not, you went wrong somewhere.

Now you need to do:

Code: Select all

$ chmod a+x dLo-wget.sh
which will make that scriptlet executable. And then you need to execute it with:

Code: Select all

$ ./dLo-wget.sh
...
I put "..." there because that command will download all you need to install Grsecurity-patched kernel in your Debian GNU/Linux for you.

Just a minute or so, depending on your connection, and all the files are downloaded.
And it ought to look something like this (if not, probably you went wrong somewhere):

Code: Select all

$ ls -l
total 39472
-rwxr-xr-x 1 mr mr      681 Aug 17 08:16 dLo-wget.sh
-rw-r--r-- 1 mr mr   966140 Aug 17 08:04 linux-firmware-image-3.15.10-grsec140817-00_3.15.10-grsec140817-00-1_amd64.deb
-rw-r--r-- 1 mr mr  7037090 Aug 17 08:05 linux-headers-3.15.10-grsec140817-00_3.15.10-grsec140817-00-1_amd64.deb
-rw-r--r-- 1 mr mr 31630870 Aug 17 08:08 linux-image-3.15.10-grsec140817-00_3.15.10-grsec140817-00-1_amd64.deb
-rw-r--r-- 1 mr mr   762318 Aug 17 08:08 linux-libc-dev_3.15.10-grsec140817-00-1_amd64.deb
-rw-r--r-- 1 mr mr      535 Aug 17 08:04 SUMS
-rw-r--r-- 1 mr mr      819 Aug 17 08:04 SUMS.sig
$
Now do:

Code: Select all

$ sha256sum -c SUMS
 ... OK
 ... OK
$
There must be no errors!

And also you need to, if you really want to be sure all is fine:

Code: Select all

$ gpg --recv-key 0x4FBAF0AE
which may be set for you, and if it is not, is much wider and harder topic to teach... and they complain that my posts are too long suggesting you don't read them...

And then:

Code: Select all

$ gpg --verify SUMS.sig
gpg: Signature made Sun 17 Aug 2014 08:01:24 AM CEST using RSA key ID 4FBAF0AE
gpg: Good signature from "Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>"
$
which, if it says good signature, or similarly, then you can proceed to the last step.

The last step is, open a terminal as root and (just replace "ukrainian" with your user name, this is if you created, the name is just an example, grsec.d, as further above explained):

Code: Select all

# cd ~ukrainian/grsec.d/
# dpkg -i *.deb
#
which will install all the packages in your machine.

If you have any issues, some answers may be already in this topic (such as the need to use paxctl on binaries), in the previous posts, and sure enough on:

https://forums.grsecurity.net/

Grsecurity is not all the way easy and simple, no big money behind the curtains here, only pure idealists, not necessarily religious like me, unless GNU is a religion, which it is I would argue (grin), but it's the only way for you if you know what is, and want:

privacy

for yourself,

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
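
The checks from the post above (signature on SUMS, then the hashes, then `dpkg -i *.deb`), put in an order that fails closed, as an added example that is not part of the original post or of the grsec-deb-compile script. It assumes the SUMS and SUMS.sig file names from the post and a signer fingerprint passed in by the caller; all function names are hypothetical. It also stops when a .deb in the directory is not listed in SUMS, since `sha256sum -c` checks only listed files while `dpkg -i *.deb` installs every one.

```shell
#!/bin/sh
# Added example: fail-closed checks before "dpkg -i *.deb".
# SUMS and SUMS.sig are the file names used in the post; every function
# name here is hypothetical.

# Succeeds only if SUMS.sig is a good detached signature over SUMS made by
# the key with fingerprint FPR (40 hex digits, no spaces), read from gpg's
# machine-readable status lines. Assumes that key is already in the keyring.
manifest_signed() (
    cd "$1" || exit 2
    gpg --status-fd 1 --verify SUMS.sig SUMS 2>/dev/null |
        awk -v fp="$2" '$2 == "VALIDSIG" && ($3 == fp || $NF == fp) { ok = 1 }
                        END { exit !ok }'
)

# Succeeds only if every file listed in SUMS is present and matches its hash.
hashes_ok() (
    cd "$1" || exit 2
    sha256sum -c SUMS >/dev/null 2>&1
)

# Prints every *.deb in DIR that SUMS does not list.
unlisted_debs() (
    cd "$1" || exit 2
    for f in *.deb; do
        [ -e "$f" ] || continue        # no .deb at all: the glob stayed literal
        # manifest lines look like "<hex>  name" or "<hex> *name"
        awk -v n="$f" '{ p = $0; sub(/^[0-9a-fA-F]+ [ *]/, "", p)
                         if (p == n) found = 1 }
                       END { exit !found }' SUMS || printf '%s\n' "$f"
    done
)

# All three gates: signature on the manifest first, then the hashes, then
# coverage of everything the *.deb glob would hand to dpkg.
safe_to_install() {
    dir=$1; fpr=$2
    manifest_signed "$dir" "$fpr" || { echo "no good signature on SUMS" >&2; return 1; }
    hashes_ok "$dir" || { echo "checksum mismatch or missing file" >&2; return 1; }
    extra=$(unlisted_debs "$dir")
    [ -z "$extra" ] || { echo "not covered by SUMS: $extra" >&2; return 1; }
}

# Constructed sample: two placeholder "packages" and a matching manifest.
make_sample_set() (
    cd "$1" || exit 2
    printf 'constructed image payload\n'   > linux-image-sample_1.0_amd64.deb
    printf 'constructed headers payload\n' > linux-headers-sample_1.0_amd64.deb
    sha256sum linux-image-sample_1.0_amd64.deb \
              linux-headers-sample_1.0_amd64.deb > SUMS
)

# Usage: ./check-set.sh DIR FINGERPRINT   (run dpkg only if this prints ok)
if [ "$#" -eq 2 ]; then
    safe_to_install "$1" "$2" && echo "ok to install"
fi
```

The post identifies the signing key only by its 8-digit ID; the fingerprint argument has to come from a source you already trust.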

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#39 Post by timbgo »

A typical issue with Grsec kernel, and easy solution
=============================================

E.g., I like using jacksum

http://www.jonelo.de/java/jacksum/

I tried taking hashes, such as:

Code: Select all

/some/dir/ $ jacksum -V summary -a sha256 -r -d -f -m ./ > some-name.sum
(You get similar errors in GUIs as well. Don't bother figuring out that command if it looks too mysterious to you, it's not, but your understanding of it is not necessary for solving these errors.)
and I got an error out:

OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x0000687911000000, 2555904, 1) failed; error='Operation not permitted' (errno=1)

and more, but it's really not intrinsic to solving the (usual) problems with hardened kernels.

So I went looking for the binary to apply paxctl treatment to.

Code: Select all

$ which jacksum
/usr/bin/jacksum

Code: Select all

$ file jacksum
/usr/bin/jacksum: POSIX shell script, ASCII text executable
$
OK, so jacksum is a script. You can't paxctl a script, sure. But the script calls a binary in these cases. The script contains this line:

Code: Select all

java -jar "/usr/share/java/jacksum.jar" "$@"
It's the java program itself that needs to be paxctl'ed.

Code: Select all

$ which java
/usr/bin/java
$ 
Now become root.

Truly, if you even tried to run (you don't need to do it):

Code: Select all

# paxctl -v /usr/bin/java
PaX control v0.8
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

file /usr/bin/java does not have a PT_PAX_FLAGS program header, try conversion

Code: Select all

# /usr/bin/java
OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00006b6075000000, 2555904, 1) failed; error='Operation not permitted' (errno=1)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (malloc) failed to allocate 2555904 bytes for committing reserved memory.
# An error report file with more information is saved as:
# /some/dir/hs_err_pid3295.log
# 
And the /some/dir/hs_err_pid3295.log contains all kinds of errors that a programmer (which I'm not, or maybe a tiny fraction of, only) could tell stories about.

And here's for us Joe users what we need to do:

Code: Select all

# paxctl -v /usr/bin/java
PaX control v0.8
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

file /usr/bin/java does not have a PT_PAX_FLAGS program header, try conversion
#
Do this to know what paxctl does, and understand the gist of it as much as you can, it'll help you understand better situation like this one that will arise in the future:

Code: Select all

# paxctl -h
PaX control v0.8
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

usage: paxctl <options> <files>

options:
	-p: disable PAGEEXEC		-P: enable PAGEEXEC
	-e: disable EMUTRAMP		-E: enable EMUTRAMP
	-m: disable MPROTECT		-M: enable MPROTECT
	-r: disable RANDMMAP		-R: enable RANDMMAP
	-x: disable RANDEXEC		-X: enable RANDEXEC
	-s: disable SEGMEXEC		-S: enable SEGMEXEC

	-v: view flags			-z: restore default flags
	-q: suppress error messages	-Q: report flags in short format
	-c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!)
	-C: create PT_PAX_FLAGS (see manpage!)
#
There, I pasted it, so that the beginners don't get too daunted, because this will be solved easily.

In this case, we only need to do:

Code: Select all

# paxctl -c /usr/bin/java
file /usr/bin/java had a PT_GNU_STACK program header, converted
#
and:

Code: Select all

# paxctl -m /usr/bin/java
#
[1]

Now, that binary will look much friendlier for the use with our Grsec-enhanced kernel:

Code: Select all

# paxctl -v /usr/bin/java
PaX control v0.8
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-x-e-- [/usr/bin/java]
	MPROTECT is disabled
	RANDEXEC is disabled
	EMUTRAMP is disabled
#
And, sure enough, the command that showed the reported error above, now ran without a hitch.
( this one:

Code: Select all

$ jacksum -V summary -a sha256 -r -d -f -m ./ > some-name.sum )
It's pretty similar how to solve it with other situations, that, if you follow this my
"Grsecurity/Pax installation on Debian GNU/Linux"
tip, you will encounter, and that is, the Iceweasel on update, and the grub binaries. Again, I'm speaking for my AMD64 arch and my particular setup (which is not at all unusual), just pls. modify for yourself my advice (as well the whole tip) if your arch or your setup is different.

But this is really all I have time for right now.

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
[1] In reality those two can be combined in one command:

Code: Select all

paxctl -cm /usr/bin/java
======= cut off from this line to end if verifying hashes =======
File corresponding to this post: Deb_Grsec_140827_jacksum_paxctl.txt,
has Publictimestamp # 1239554
--
publictimestamp.org/ptb/PTB-21471 sha256 2014-08-27 06:01:45
F5051284342C17C4C1C9EA46EE69B88A8A224340CEA5851ED4ED214C89A891A9
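
The diagnosis in the post above (is the failing program a script or an ELF binary, and does that binary carry a PT_PAX_FLAGS header), as an added example that is not from the original post or from paxctl. It reads ELF64 little-endian program headers with od, using the PT_PAX_FLAGS, PT_GNU_STACK and "MPROTECT disabled" values of the PaX ELF marking, and goes one step beyond the post by listing every file under a directory where MPROTECT has been switched off; all function names are hypothetical.

```shell
#!/bin/sh
# Added example: read the PaX marking of an ELF64 little-endian file
# without paxctl. Function names are hypothetical.
#   PT_GNU_STACK = 0x6474e551   PT_PAX_FLAGS = 0x65041580
#   0x200 in p_flags = MPROTECT disabled (what "paxctl -m" sets)

# Unsigned little-endian integer of NBYTES at OFFSET in FILE, in decimal.
le_uint() (
    val=0; bits=0
    for b in $(od -An -v -tu1 -j "$2" -N "$3" "$1"); do
        val=$(( val | (b << bits) )); bits=$(( bits + 8 ))
    done
    echo "$val"
)

# Prints one of:
#   unsupported   not an ELF64 little-endian file (e.g. a wrapper script)
#   none          no PT_PAX_FLAGS and no PT_GNU_STACK program header
#   gnu_stack     PT_GNU_STACK only ("try conversion" in paxctl's words)
#   pax:<n>       PT_PAX_FLAGS present, <n> is its p_flags in decimal
pax_marking() (
    f=$1
    [ "$(od -An -v -tx1 -N 6 "$f" | tr -d ' \n')" = "7f454c460201" ] ||
        { echo "unsupported"; exit 0; }
    phoff=$(le_uint "$f" 32 8)        # e_phoff
    phentsize=$(le_uint "$f" 54 2)    # e_phentsize
    phnum=$(le_uint "$f" 56 2)        # e_phnum
    result=none; i=0
    while [ "$i" -lt "$phnum" ]; do
        base=$(( phoff + i * phentsize ))
        ptype=$(le_uint "$f" "$base" 4)
        if [ "$ptype" -eq $((0x65041580)) ]; then
            echo "pax:$(le_uint "$f" $(( base + 4 )) 4)"; exit 0
        elif [ "$ptype" -eq $((0x6474e551)) ]; then
            result=gnu_stack
        fi
        i=$(( i + 1 ))
    done
    echo "$result"
)

# Succeeds if FILE carries a PaX header with MPROTECT disabled.
mprotect_disabled() {
    m=$(pax_marking "$1")
    case $m in
        pax:*) [ $(( ${m#pax:} & 0x200 )) -ne 0 ] ;;
        *)     return 1 ;;
    esac
}

# Lists regular files under DIR where MPROTECT has been switched off,
# i.e. the exceptions to the hardening that accumulate over time.
list_mprotect_exceptions() {
    find "$1" -type f | while IFS= read -r p; do
        if mprotect_disabled "$p"; then printf '%s\n' "$p"; fi
    done
}

# Constructed sample: a 64-byte ELF64 header plus one 56-byte program header
# whose p_type and p_flags are given as 4 little-endian bytes (octal escapes).
make_sample_elf() {  # OUT TYPE_BYTES FLAGS_BYTES
    {
        printf '\177ELF\002\001\001'                # magic, 64-bit, little-endian
        head -c 25 /dev/zero                        # up to e_phoff
        printf '\100\000\000\000\000\000\000\000'   # e_phoff = 64
        head -c 14 /dev/zero                        # e_shoff, e_flags, e_ehsize
        printf '\070\000\001\000'                   # e_phentsize = 56, e_phnum = 1
        head -c 6 /dev/zero                         # section header fields
        printf "$2$3"                               # p_type, p_flags
        head -c 48 /dev/zero                        # rest of the program header
    } > "$1"
}

# Usage: ./pax-marking.sh FILE...
if [ "$#" -ge 1 ]; then
    for f in "$@"; do printf '%s: %s\n' "$f" "$(pax_marking "$f")"; done
fi
```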

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#40 Post by timbgo »

With the new script from develop branch (but changing that soon):
EDIT pls read in the next post how to use it
EDIT END
you can issue the command:

Code: Select all

$ ./grsec-deb-compile.sh grsecurity-3.0-3.16.2-201409060014 linux-3.16.2 config-3.16.2-grsec140908-19
Where the "config-3.16.2-grsec140908-19" will download for you the config file that I just uploaded. (See previous posts if unclear; although I am striving to make this all as easy to follow as possible, not all can be contained within the last few posts)

That command line will remain useable (copy-paste-and-run-able; just copy without the initial "$") until upstream has those available. Grsec patches are not kept but for a week or so after they are released.

No, I haven't done all the work that I proposed myself to do in this regard, but this is a fine start for anyone wishing to install themselves a Grsecurity/Pax patched kernel in their Debian machines.

I hope to offer for the newest beginners also the packages, in a while.

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#41 Post by timbgo »

The newest develop branch:
wget https://github.com/miroR/grsec-deb-comp ... 80-rc3.zip
( that is v0.80-rc3.zip , 3 )
Pls. someone report if it misbehaves.

And, if it does, simply use:
wget https://github.com/miroR/grsec-deb-comp ... 80-rc0.zip
which I tried today and works fine.

Surely you can find all that from the github interface just fine as well.

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#42 Post by timbgo »

I have compiled new Grsec-patched kernel packages. They seem to be fine, and I am currently posting them. I have them running on two boxes fine.

Just the two of them have somehow, I have no idea neither how nor why, turned strange. Have a look:

Code:

-rw-r--r-- 1 mr mr    965920 Sep  9 01:30 linux-firmware-image-3.16.2-grsec140908-21_3.16.2-grsec140908-21-1_amd64.deb
-rw-r--r-- 1 mr mr   7146548 Sep  9 01:31 linux-headers-3.16.2-grsec140908-21_3.16.2-grsec140908-21-1_amd64.deb
-rw-r--r-- 1 mr mr 338487210 Sep  9 02:22 linux-image-3.16.2-grsec140908-21_3.16.2-grsec140908-21-1_amd64.deb
-rw-r--r-- 1 mr mr  25885536 Sep  9 02:25 linux-image-3.16.2-grsec140908-21-dbg_3.16.2-grsec140908-21-1_amd64.deb
-rw-r--r-- 1 mr mr    766110 Sep  9 01:31 linux-libc-dev_3.16.2-grsec140908-21-1_amd64.deb

The:
linux-image-3.16.2-grsec140908-21_3.16.2-grsec140908-21-1_amd64.deb
and:
linux-image-3.16.2-grsec140908-21-dbg_3.16.2-grsec140908-21-1_amd64.deb

have "swapped sizes" somehow. They do install fine, and run just fine on my master, and on one of the two clones that I have (three same MBO systems altogether).

So this time around, I decided to post all the five packages.

It will be great if anyone should try and report whether just the four lightest of the five can be installed (so one of the four should be the incorrectly named as debugger --with -dbg in the name--, and it was incorrectly named by the fakeroot command line (not the fault of my script that I use, and recommend, see previous post), so without the debugger, which is not correctly named, but you can easily recognize it by being the most sizeable of the five.

Use the dLo-wget script to download, check the sums, PGP verify the packages, and enjoy at least significantly more security/privacy/freedom than you would otherwise! (Although there's much more to do for real freedom)

Use the old explanation here on the forums.debian.net:

(same tips page as you are reading this text on)
http://forums.debian.net/viewtopic.php? ... 30#p547521

( 323M the biggest one others are smallish packages )

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#43 Post by timbgo »

For now, see the opening remark that I edited today (2014-09-30) in the opening post of this topic:

http://forums.debian.net/viewtopic.php? ... 16#p516892

and what you can read in links from there.

And see the relatively new likely after-free bug manifestation in my Gentoo FOSS Linux:

grsec: halting the system due to suspicious kernel crash
https://forums.grsecurity.net/viewtopic ... =15#p14456

Miro
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#44 Post by timbgo »

( I've moved the "political" content in the bottom half of this post. More purely technical part of the tip goes first. )

This is the old content that previously was on:
< this same topic >
http://forums.debian.net/viewtopic.php? ... 45#p555486
---
So these are one month (or so) old instructions, for old packages (still available
for a short while more). These instructions are for newbies. If you are
advanced, use the script and compile the packages yourself! And if you are
expert and honest, help us improve and spread this Grsec program that enables real privacy for the masses, and let's bring Grsec into mainstream Debian for everybody...

To install these old packages, do this. First download:

http://www.croatiafidelis.hr/gnu/deb/li ... Lo-wget.sh

Move it into an empty directory. And then:

Code:

$ chmod 755 dLo-wget.sh

to make it executable.

And run it:

Code:

$ ./dLo-wget.sh

It will download all the packages.

You then should have these in that directory:

Code:

$ ls -ABRgo
.:
total 368960
-rwxr-xr-x 1       812 Oct 31 07:15 dLo-wget.sh
-rw-r--r-- 1    966580 Oct 31 02:15 linux-firmware-image-3.17.1-grsec141030-22_3.17.1-grsec141030-22-1_amd64.deb
-rw-r--r-- 1   7246134 Oct 31 02:15 linux-headers-3.17.1-grsec141030-22_3.17.1-grsec141030-22-1_amd64.deb
-rw-r--r-- 1 342443826 Oct 31 03:08 linux-image-3.17.1-grsec141030-22_3.17.1-grsec141030-22-1_amd64.deb
-rw-r--r-- 1  26368512 Oct 31 03:10 linux-image-3.17.1-grsec141030-22-dbg_3.17.1-grsec141030-22-1_amd64.deb
-rw-r--r-- 1    769976 Oct 31 02:15 linux-libc-dev_3.17.1-grsec141030-22-1_amd64.deb
-rw-r--r-- 1       666 Oct 31 06:45 SUMS
-rw-r--r-- 1       819 Oct 31 06:49 SUMS.sig
$

(that's, translated into bigger units, the largest of the files is: 327M)

Now:

Code:

gpg --verify SUMS.sig

must return to you my correct signature:

Code:

...snip...
Primary key fingerprint: FCF1 3245 ED24 7DCE 4438  55B7 EA98 8488 4FBA F0AE

(or anyway signed with that key; see tutorials elsewhere if you are lost here).

And now:

Code:

sha256sum -c SUMS

should return to you:

Code:

linux-firmware-image-3.17.1-grsec141030-22_3.17.1-grsec141030-22-1_amd64.deb: OK
linux-headers-3.17.1-grsec141030-22_3.17.1-grsec141030-22-1_amd64.deb: OK
linux-image-3.17.1-grsec141030-22_3.17.1-grsec141030-22-1_amd64.deb: OK
linux-image-3.17.1-grsec141030-22-dbg_3.17.1-grsec141030-22-1_amd64.deb: OK
linux-libc-dev_3.17.1-grsec141030-22-1_amd64.deb: OK

If all the above went correctly for you, in another terminal, but as root, cd into that directory, and do:

Code:

dpkg -i *.deb

That should install these superior security packages for you. Much more is needed for real privacy for you with your machine on the internet, but at least now you are on the right path...

Maybe the next best thing is try and see how much you can understand from the book:

Grsecurity
https://en.wikibooks.org/wiki/Grsecurity

Refer Debian-related issues with these here, and more strictly Grsecurity-related issues on:

Tips on Grsecurity installation for Debian newbies
https://forums.grsecurity.net/viewtopic.php?f=3&t=3835
---
The other half of this post now which is more on the "political" side.

Thanks everybody for the interest.

And, in effect, thanks to the existence of the, no this is not politics, read carefully...

And, in effect, thanks to the existence of the Western democracy that you can still read from me, because

--and this is why this is *not* politics, dear Debian moderators and admins---

because if the Bolsheviks had had their ways in these lands where my homeland is, my posts would not have lasted more than half an hour, and you *would* *not* *be* *reading* *any* from me.

I am in particular talking about the issue which (as well as my freedom to talk to you) has to do with my very latest of social contributions, political contribution (in the sense that the spyware SELinux has politically moved aside the honest and perfect grsecurity):

Why is Gentoo not switching to systemd?
https://forums.gentoo.org/viewtopic-t-9 ... ml#7624042
https://forums.gentoo.org/viewtopic-t-9 ... ml#7624044

So, while the reaction to FOSS has its ways to undermine the privacy-viability nature of FOSS, by digging in from underneath, with the unfortunate help of dishonest developers, as I have also demonstrated (using Julian Assange's and Poul-Henning Kamp's expertise:

How to avoid stealth installation of systemd?
http://forums.debian.net/viewtopic.php? ... 90#p553266
)

we need to, politely but truthfully, keep up our fight for privacy, brothers in *nix.

And we need to spread the good word as well, because, I am somewhat privy, socially (I'm not a dev), to a lot that has been happening around grsecurity, but I only yesterday found out about this good install script (just don't use it, it needs to be updated first):

grsecurity source install script for Debian
https://github.com/rickard2/grsecurity-Debian-Installer

See my notice to rickard2 here:
https://github.com/rickard2/grsecurity- ... r/issues/6

See also here (esp. users of Arch FOSS Linux [1]) :
Downsides to a grsec install script?
https://forums.grsecurity.net/viewtopic.php?f=3&t=4051

More would need to be recounted, but for now that'll do.

[1] Linux can not stand alone as the name of that OS, GNU is dead for me as the name of it since Richard Matthew Stallman supports SELinux insanely, see the Emacs page on gnu.org
Last edited by timbgo on 2014-12-14 05:01, edited 9 times in total.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#45 Post by timbgo »

I am updating my systems (Gentoo and Debian ones, masters first, then cloning --I am to revise my poor user's security methods, but if the Fate allows, and when it so be).

And along with updating them (my method is an air-gapped one, so that means some longer work, to first update the local mirrors and then more on top of usual updating stuff)...

And along with updating I'm checking my scripts so I can check them for any issues.

Take a look at the:

Scripts to automate jigdo download
http://forums.debian.net/viewtopic.php?f=16&t=110503

which I used first (take a look even if you will not be using the testing Jigdo DVD, to know what I use and adapt your scripts more easily to your own needs; YMMV), and also, surely I used:

https://github.com/miroR/grsec-deb-comp ... /v0.80-rc3

which is the latest and recommended, not the master (need to update that too, but I'm so sloow, sorry).

You surely can find it there, but here's the link of the script package to use:

https://github.com/miroR/grsec-deb-comp ... 80-rc3.zip

And the command I used is:

./grsec-deb-compile.sh grsecurity-3.0-3.16.3-201409282025 linux-3.16.3 config-3.16.2-grsec140908-19

and it does all up to 'make menuconfig' correctly, and probably all the rest, just I checked it (just like I checked it last month) only this far, before I go offline.

And I go offline to do the huge remaining work of updating my systems. This time it is huge because there's the Frankenstein systemd changes (and poetteringware generally, which we are all now a lot more aware of) to think about and try to dodge away from...

And, hopefully, I'll be posting the new packages for the newbies.

This will very probably be a fine stable grsecurity-hardened amd64 deb packages set, even though it's nominally testing and not stable.

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#46 Post by timbgo »

New packages will always be, by my modifying of this here post, hitherto referred to.
===
For previous (last month's or so) content of this local address of this topic, pls see:
< this same topic >
http://forums.debian.net/viewtopic.php? ... 93#p555093

[[ Of course, if you are advanced, you are better off using the script; because it compiles tailor-made for your machine. See < in this same topic >. This post right here is for newbies.

And of course, if you are expert and honest, help us in this work, and in spreading of this Grsec program that enables real privacy for the masses, especially help us bring Grsec into mainstream Debian for everybody... ]]

As you can see, I'm reusing the old instructions, but replacing them with the new, so that it is always the same address with the newest instructions.
So, for new users:

Download first just:

http://www.croatiafidelis.hr/gnu/deb/li ... Lo-wget.sh

Move it into an empty directory. And then:

Code:

$ chmod 755 dLo-wget.sh

to make it executable.

And run it:

Code:

$ ./dLo-wget.sh

It will download all the packages.

You then should have these in that directory:

Code:

$ ls -ABRgoh
.:
total 361M
-rwxr-xr-x 1  812 2014-12-12 21:44 dLo-wget.sh
-rw-r--r-- 1 946K 2014-12-12 19:03 linux-firmware-image-3.17.6-grsec141212-15_3.17.6-grsec141212-15-1_amd64.deb
-rw-r--r-- 1 7.0M 2014-12-12 19:04 linux-headers-3.17.6-grsec141212-15_3.17.6-grsec141212-15-1_amd64.deb
-rw-r--r-- 1  31M 2014-12-12 19:07 linux-image-3.17.6-grsec141212-15_3.17.6-grsec141212-15-1_amd64.deb
-rw-r--r-- 1 322M 2014-12-12 19:59 linux-image-3.17.6-grsec141212-15-dbg_3.17.6-grsec141212-15-1_amd64.deb
-rw-r--r-- 1 752K 2014-12-12 19:04 linux-libc-dev_3.17.6-grsec141212-15-1_amd64.deb
-rw-r--r-- 1  863 2014-12-12 21:15 SUMS
-rw-r--r-- 1  819 2014-12-12 21:43 SUMS.sig
$

Now:

Code:

gpg --verify SUMS.sig

must return to you my correct signature:

Code:

...snip...
Primary key fingerprint: FCF1 3245 ED24 7DCE 4438  55B7 EA98 8488 4FBA F0AE

(or anyway signed with that key; see tutorials elsewhere if you are lost here).

And now:

Code:

sha256sum -c SUMS

should return to you:

Code:

linux-firmware-image-3.17.6-grsec141212-15_3.17.6-grsec141212-15-1_amd64.deb: OK
linux-headers-3.17.6-grsec141212-15_3.17.6-grsec141212-15-1_amd64.deb: OK
linux-image-3.17.6-grsec141212-15_3.17.6-grsec141212-15-1_amd64.deb: OK
linux-image-3.17.6-grsec141212-15-dbg_3.17.6-grsec141212-15-1_amd64.deb: OK
linux-libc-dev_3.17.6-grsec141212-15-1_amd64.deb: OK

If all the above went correctly for you, in another terminal, but as root, cd into that directory, and do:

Code:

dpkg -i *.deb

That should install these superior security packages for you. Much more is needed for real privacy for you with your machine on the internet, but at least now you are on the right path...

Maybe the next best thing is try and see how much you can understand from the book:

Grsecurity
https://en.wikibooks.org/wiki/Grsecurity

Refer Debian-related issues with these here, and more strictly Grsecurity-related issues on:

Tips on Grsecurity installation for Debian newbies
https://forums.grsecurity.net/viewtopic.php?f=3&t=3835
Last edited by timbgo on 2014-12-14 06:11, edited 9 times in total.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?
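
The verification steps in posts #44 and #46 (gpg --verify SUMS.sig, compare the fingerprint, sha256sum -c SUMS, then dpkg -i *.deb) can be chained so that nothing is installed unless every step passes. The script below is an added example, not part of the original posts and not the author's dLo-wget.sh. It assumes GnuPG and GNU coreutils, that the signing key is already in your keyring, and a hypothetical file name verify-set.sh; the fingerprint is the one quoted in the posts.

```shell
#!/bin/sh
# Added example, not from the thread: fail-closed gate to run before
# `dpkg -i *.deb`. Assumes GnuPG and GNU coreutils, key already imported.
set -u

# Primary key fingerprint quoted in the post, with the spaces removed.
EXPECTED_FPR="FCF13245ED247DCE443855B7EA9884884FBAF0AE"

# Reads `gpg --status-fd` output on stdin and prints the primary-key
# fingerprint (last field) of the first VALIDSIG line; fails if none.
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; found = 1; exit }
         END { exit !found }'
}

# True only when SUMS.sig is a good signature over SUMS by EXPECTED_FPR.
signature_ok() {
    sig_fpr=$(gpg --batch --status-fd 1 --verify "$1/SUMS.sig" "$1/SUMS" \
                  2>/dev/null | validsig_primary_fpr) || return 1
    [ "$sig_fpr" = "$EXPECTED_FPR" ]
}

# Prints each .deb in the directory that SUMS does not list. `sha256sum -c`
# checks listed files only, while `dpkg -i *.deb` installs whatever is there.
unlisted_debs() {
    for deb in "$1"/*.deb; do
        [ -e "$deb" ] || continue
        deb_name=${deb##*/}
        # SUMS lines look like "<hex digest>  <name>" (" *<name>" in binary mode).
        awk -v n="$deb_name" '{ sub(/^[0-9a-f]+ [ *]/, "") } $0 == n { ok = 1 }
                              END { exit !ok }' "$1/SUMS" || printf '%s\n' "$deb_name"
    done
}

# Signature first, then a strict checksum pass, then coverage of every .deb.
verify_set() {
    signature_ok "$1" || { echo "SUMS signature not from expected key" >&2; return 1; }
    (cd "$1" && sha256sum --strict --quiet -c SUMS) ||
        { echo "checksum mismatch or malformed SUMS" >&2; return 2; }
    extra=$(unlisted_debs "$1")
    [ -z "$extra" ] || { echo "not covered by SUMS: $extra" >&2; return 3; }
}

# Run as: sh verify-set.sh /path/to/download/dir (hypothetical file name)
if [ "$#" -gt 0 ]; then
    verify_set "$1" && echo "all packages verified"
fi
```

A plain "Good signature" from gpg only says that some key in the keyring signed SUMS; comparing the VALIDSIG fingerprint is what ties the result to the key named in the post.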

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#47 Post by timbgo »

I believe it is becoming necessary for proper implementation of Grsecurity/Pax, to go this fresh brand new way:

How to Remove Systemd and Related Packages from Your Debian
http://forums.debian.net/viewtopic.php?f=16&t=118197

I wrote previously in this topic and elsewhere on systemd intrusion onto Debian... Hopefully, things look bright again. Pls read there and in pages linked from there.

Sure I have to repeat that without Gradm RBAC policy set and enabled, the implementation of Grsecurity/Pax patched kernel does not offer complete protection.

That RBAC policy creation and gradm enabling is now getting closer to be much much much more easy to realize, with the advent of mirabilos wtf repo!

Nothing likely to happen within just mere days, I work much more slowly than that.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

jlambrecht
Posts: 374
Joined: 2008-02-01 16:21

Re: Grsecurity/Pax installation on Debian GNU/Linux

#48 Post by jlambrecht »

Great post, got there all by myself, BUT FOR ONE THING.

After i've installed all packages, it is impossible to boot. For some reason the UUID device-id is not valid and it fails to boot, dropping to initramfs. As far as i can tell i've done the right thing but the result proves differently.

What am i doing wrong ? I've been here before, fixed it, but have no notes or memories left.
Embrace what you're not certain off,
keep an eye on what you're confident about.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#49 Post by timbgo »

Announcement. New packages, on same old address, from now:
http://forums.debian.net/viewtopic.php? ... 45#p555486
I'll only be announcing in new posts, but keeping the modified instructions on old addresses, from now on. That way, if you are subscribed to the topic, you get the news, and instructions are really repeated entirely any more.
Miro
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#50 Post by timbgo »

jlambrecht wrote:Great post, got there all by myself, BUT FOR ONE THING.

After i've installed all packages, it is impossible to boot. For some reason the UUID device-id is not valid and it fails to boot, dropping to initramfs. As far as i can tell i've done the right thing but the result proves differently.

What am i doing wrong ? I've been here before, fixed it, but have no notes or memories left.

Hi, jlambrecht!
I just noticed your post. Hmmh. There's no way anyone could tell you what you may have done wrong (or whether something was wrong elsewhere in the "ingredients"), without much more information than you have provided...
Try the new packages first, and if you still have problems, more detailed descriptions, maybe some logs, or other, would be necessary...
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr