Grsecurity/Pax installation on Debian GNU/Linux

Share your own howto's etc. Not for support questions!

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2014-10-05 09:13

New packages will always be, by my modifying of this here post, hitherto referred to.
===
For previous (last month's or so) content of this local address of this topic, pls see:
< this same topic >
viewtopic.php?f=16&t=108616&p=555093#p555093

[[ Of course, if you are advanced, you are better off using the script; because it compiles tailor-made for your machine. See < in this same topic >. This post right here is for newbies.

And of course, if you are expert and honest, help us in this work, and in spreading of this Grsec program that enables real privacy for the masses, especially help us bring Grsec into mainstream Debian for everybody... ]]

As you can see, I'm reusing the old instructions, but replacing them with the new, so that it is always the same address with the newest instructions.
So, for new users:

Download first just:

http://www.croatiafidelis.hr/gnu/deb/li ... Lo-wget.sh

Move it into an empty directory. And then:

$ chmod 755 dLo-wget.sh

to make it executable.

And run it:
$ ./dLo-wget.sh

It will download all the packages.

You then should have these in that directory:

$ ls -ABRgoh
.:
total 361M
-rwxr-xr-x 1  812 2014-12-12 21:44 dLo-wget.sh
-rw-r--r-- 1 946K 2014-12-12 19:03 linux-firmware-image-3.17.6-grsec141212-15_3.17.6-grsec141212-15-1_amd64.deb
-rw-r--r-- 1 7.0M 2014-12-12 19:04 linux-headers-3.17.6-grsec141212-15_3.17.6-grsec141212-15-1_amd64.deb
-rw-r--r-- 1  31M 2014-12-12 19:07 linux-image-3.17.6-grsec141212-15_3.17.6-grsec141212-15-1_amd64.deb
-rw-r--r-- 1 322M 2014-12-12 19:59 linux-image-3.17.6-grsec141212-15-dbg_3.17.6-grsec141212-15-1_amd64.deb
-rw-r--r-- 1 752K 2014-12-12 19:04 linux-libc-dev_3.17.6-grsec141212-15-1_amd64.deb
-rw-r--r-- 1  863 2014-12-12 21:15 SUMS
-rw-r--r-- 1  819 2014-12-12 21:43 SUMS.sig
$


Now:
gpg --verify SUMS.sig

must return to you my correct signature:

...snip...
Primary key fingerprint: FCF1 3245 ED24 7DCE 4438  55B7 EA98 8488 4FBA F0AE

(or anyway signed with that key; see tutorials elsewhere if you are lost here).

And now:
sha256sum -c SUMS

should return to you:

linux-firmware-image-3.17.6-grsec141212-15_3.17.6-grsec141212-15-1_amd64.deb: OK
linux-headers-3.17.6-grsec141212-15_3.17.6-grsec141212-15-1_amd64.deb: OK
linux-image-3.17.6-grsec141212-15_3.17.6-grsec141212-15-1_amd64.deb: OK
linux-image-3.17.6-grsec141212-15-dbg_3.17.6-grsec141212-15-1_amd64.deb: OK
linux-libc-dev_3.17.6-grsec141212-15-1_amd64.deb: OK


If all the above went correctly for you, in another terminal, but as root, cd into that directory, and do:
dpkg -i *.deb


That should install these superior security packages for you. Much more is needed for real privacy for you with your machine on the internet, but at least now you are on the right path...

Maybe the next best thing is try and see how much you can understand from the book:

Grsecurity
https://en.wikibooks.org/wiki/Grsecurity

Refer Debian-related issues here, and more strictly Grsecurity-related issues to:

Tips on Grsecurity installation for Debian newbies
https://forums.grsecurity.net/viewtopic.php?f=3&t=3835
Last edited by timbgo on 2014-12-14 06:11, edited 9 times in total.
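The verification steps in the post above (gpg signature on SUMS, sha256sum -c SUMS, then dpkg -i) as one script. This is an added example, not timbgo's dLo-wget.sh and not anything shipped with the packages. It pins the fingerprint the post quotes and reads gpg's --status-fd output instead of eyeballing a "Good signature" line (any key you happen to have imported would give one), recomputes each SHA-256 itself, and hands dpkg only the files SUMS names, since a `*.deb` glob would also install any stray .deb lying in the directory. demo() exercises the checksum part on constructed files; install_verified() calls the real gpg and dpkg and so needs the signing key imported and root for dpkg.

```python
"""Verify SUMS.sig / SUMS and install only what the signed list names.

Added example, not timbgo's script or anything shipped with the packages.
EXPECTED_FPR is the fingerprint quoted in the post; file names and the
demo() contents are constructed.
"""
import hashlib
import os
import subprocess
import tempfile

EXPECTED_FPR = "FCF13245ED247DCE443855B7EA9884884FBAF0AE"


def signature_is_from(status_output, expected_fpr=EXPECTED_FPR):
    """True only if gpg's --status-fd output has a VALIDSIG line with expected_fpr.

    VALIDSIG carries the signing (sub)key fingerprint as its first field and
    the primary key fingerprint as its last, so either may match. A GOODSIG
    line alone is not enough: it names no fingerprint.
    """
    want = expected_fpr.replace(" ", "").upper()
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) > 2 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            if want in [f.upper() for f in fields[2:]]:
                return True
    return False


def parse_sums(text):
    """Parse sha256sum-style lines ('<64 hex>  <name>') into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, name = line.strip().partition(" ")
        name = name.lstrip(" *")           # sha256sum writes "  name" or " *name"
        if len(digest) != 64 or not name:
            raise ValueError("malformed SUMS line: %r" % line)
        sums[name] = digest.lower()
    return sums


def check_sums(directory, sums):
    """Return {name: 'OK' | 'FAILED' | 'MISSING'} for every entry of sums."""
    results = {}
    for name, digest in sums.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        results[name] = "OK" if h.hexdigest() == digest else "FAILED"
    return results


def install_verified(directory, expected_fpr=EXPECTED_FPR, run=subprocess.run):
    """The post's sequence, failing closed at every step.

    Returns the .deb names handed to dpkg; raises before dpkg runs if the
    signature is not from the pinned key or any listed file is bad or absent.
    Pass a stub as 'run' to dry-run without gpg or dpkg.
    """
    sig, sums_path = os.path.join(directory, "SUMS.sig"), os.path.join(directory, "SUMS")
    proc = run(["gpg", "--status-fd", "1", "--verify", sig, sums_path],
               stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, check=False)
    if not signature_is_from(proc.stdout.decode("utf-8", "replace"), expected_fpr):
        raise RuntimeError("SUMS is not signed by the pinned key")
    with open(sums_path) as fh:
        sums = parse_sums(fh.read())
    bad = {n: r for n, r in check_sums(directory, sums).items() if r != "OK"}
    if bad:
        raise RuntimeError("checksum problems: %r" % bad)
    debs = sorted(n for n in sums if n.endswith(".deb"))
    # Only the signed list decides what gets installed, never a "*.deb" glob.
    run(["dpkg", "-i"] + [os.path.join(directory, d) for d in debs], check=True)
    return debs


def demo():
    """Constructed files: one intact, one altered after SUMS was made, one absent."""
    d = tempfile.mkdtemp()
    payload = b"constructed package bytes, not a real .deb"
    with open(os.path.join(d, "good.deb"), "wb") as fh:
        fh.write(payload)
    with open(os.path.join(d, "tampered.deb"), "wb") as fh:
        fh.write(payload + b"!")
    digest = hashlib.sha256(payload).hexdigest()
    sums_text = "%s  good.deb\n%s  tampered.deb\n%s  missing.deb\n" % (digest, digest, "0" * 64)
    return check_sums(d, parse_sums(sums_text))


if __name__ == "__main__":
    print(demo())
```

Run it as root from the download directory with `install_verified(".")`; any FAILED or MISSING entry, or a signature from a different key, stops it before dpkg touches the system.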

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2014-10-23 00:54

I believe it is becoming necessary for proper implementation of Grsecurity/Pax, to go this fresh brand new way:

How to Remove Systemd and Related Packages from Your Debian
viewtopic.php?f=16&t=118197

I wrote previously in this topic and elsewhere on systemd intrusion onto Debian... Hopefully, things look bright again. Pls read there and in pages linked from there.

Sure I have to repeat that without Gradm RBAC policy set and enabled, the implementation of Grsecurity/Pax patched kernel does not offer complete protection.

That RBAC policy creation and gradm enabling is now getting closer to being much, much, much easier to realize, with the advent of mirabilos' wtf repo!

Nothing likely to happen within just mere days, I work much more slowly than that.

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby jlambrecht » 2014-10-30 14:26

Great post, got there all by myself, BUT FOR ONE THING.

After I've installed all packages, it is impossible to boot. For some reason the UUID device-id is not valid and it fails to boot, dropping to initramfs. As far as I can tell I've done the right thing but the result proves differently.

What am I doing wrong? I've been here before, fixed it, but have no notes or memories left.
Embrace what you're not certain of,
keep an eye on what you're confident about.

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2014-10-31 09:42

Announcement. New packages, on same old address, from now:
viewtopic.php?f=16&t=108616&start=45#p555486
I'll only be announcing in new posts, but keeping the modified instructions on old addresses, from now on. That way, if you are subscribed to the topic, you get the news, and the instructions aren't really repeated entirely any more.
Miro

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2014-10-31 09:59

jlambrecht wrote:Great post, got there all by myself, BUT FOR ONE THING.

After I've installed all packages, it is impossible to boot. For some reason the UUID device-id is not valid and it fails to boot, dropping to initramfs. As far as I can tell I've done the right thing but the result proves differently.

What am I doing wrong? I've been here before, fixed it, but have no notes or memories left.

Hi, jlambrecht!
I just noticed your post. Hmmh. There's no way anyone could tell you what you may have done wrong (or whether something was wrong elsewhere in the "ingredients"), without much more information than you have provided...
Try the new packages first, and if you still have problems, more detailed descriptions, maybe some logs, or other, would be necessary...

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby jlambrecht » 2014-10-31 10:26

Basically, I'm not sure if I did anything wrong really. Just to make sure I've read a few articles on patching and compiling the kernel with grsec on Debian and Ubuntu. It seems I've not made any mistake. The only difference is this machine is a guest in a VPS host, I'm not sure how this could matter but it sticks to my attention.

This is a copy of an error which is exactly like mine, I've tried multiple ways to fix this to no avail, once more I start feeling retardish.
Gave up wating for root device. Common problems:
-Boot args (cat /proc/cmdline)
-Check rootdelay= (did the system wait long enough?)
-Check root= (did the system wait for right device?)
-Missing modules (cat /proc/modules; ls /dev)
ALERT! /dev/disk/by-uuid/X-X-X-X does not exist.
Dropping to a shell!

BusyBox v1.21.1 (Ubuntu 1:1.21.0-1ubuntu1) built-in shel (ash)
Enter `help` for a list of built-in commands.
(initramfs)_


For completeness it must be added there are two notifications below 'Dropping to a shell!'

modprobe: module ohci-hcd not found in modules.dep
modprobe: module usbhid not found in modules.dep
Embrace what you're not certain of,
keep an eye on what you're confident about.

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2014-10-31 11:14

jlambrecht wrote: Basically, I'm not sure if I did anything wrong really. Just to make sure I've read a few articles on patching and compiling the kernel with grsec on Debian and Ubuntu. It seems I've not made any mistake. The only difference is this machine is a guest in a VPS host, I'm not sure how this could matter but it sticks to my attention.
Neither could I tell much at all. Not familiar with what being a VPS guest entails in particular wrt "regular" systems.
jlambrecht wrote:
This is a copy of an error which is exactly like mine, I've tried multiple ways to fix this to no avail, once more I start feeling retardish.
Gave up wating for root device. Common problems:
-Boot args (cat /proc/cmdline)
-Check rootdelay= (did the system wait long enough?)
-Check root= (did the system wait for right device?)
-Missing modules (cat /proc/modules; ls /dev)
ALERT! /dev/disk/by-uuid/X-X-X-X does not exist.
Dropping to a shell!

BusyBox v1.21.1 (Ubuntu 1:1.21.0-1ubuntu1) built-in shel (ash)
Enter `help` for a list of built-in commands.
(initramfs)_

I had had an issue where I solved the no-boot with modifying things. Not saying that it will or will not apply to your case, but try and see here:

No-boot kernel, working lvm in initramfs, volumes not found
viewtopic.php?f=5&t=105549

(but in short, try and stick
GRUB_CMDLINE_LINUX="rootdelay=30"

into /etc/default/grub and reinstall the kernel (I guess, maybe should delve deeper there just in case; a little short with time...). If it works replace 30 with smaller value if it bothers you waiting on every boot... Don't know...

jlambrecht wrote:For completeness it must be added there are two notifications below 'Dropping to a shell!'

modprobe: module ohci-hcd not found in modules.dep
modprobe: module usbhid not found in modules.dep

That would probably resolve if the root device was found.

Maybe, and anyway, for other users who might have issues, I suggest, instead of the usual as root:
dpkg -i *.deb

(see the instructions for the context), do:
dpkg -i *.deb 2>&1 | tee dpkg-grsec_`date +%s`.log

for part of which my explanation is here (in bottom of that post):
viewtopic.php?f=5&t=117276&p=552864#p552775
and this part, just try it out in a terminal:
date +%s

(only gives the time in seconds since 1970-01-01 00:00), to not overwrite the previous file with otherwise same name; I sometimes use same command lines over, so this is my way; that `date +%s` part is not important; the log is)

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby jlambrecht » 2014-10-31 12:02

I think I know what is missing here. Since the system is a VPS it requires the virtio modules to be available, especially the virtio-blk module. I've just recompiled, updated etc and it is not indeed loading the virtio modules, though not the virtio-blk module since it is not there yet. Once I find what to select to build this module it will most likely boot as expected.
Embrace what you're not certain of,
keep an eye on what you're confident about.

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2014-10-31 12:12

jlambrecht wrote: I think I know what is missing here. Since the system is a VPS it requires the virtio modules to be available, especially the virtio-blk module. I've just recompiled, updated etc and it is not indeed loading the virtio modules, though not the virtio-blk module since it is not there yet. Once I find what to select to build this module it will most likely boot as expected.

Happy you've probably solved it!

Your final report will be most welcome (if you find the time to confirm whether it did work)!

Anyway, reports are welcome. Just, I'm not always around, because I work slowly and may be busy elsewhere, so patience may be needed for my replies, often.

(Remember that I may be advanced in comparison to new users, but I'm not an expert by any means, and I've really done and doing this entire topic out of gratitude to Spender and PaX Team who provide us with Grsecurity/Pax, the paramount model of honest programming which is becoming kind of rarity nowadays.)

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby jlambrecht » 2014-10-31 12:50

Yep, it is solved now. Who would have thought such would be required (I feel kind of dumb to not have thought of this).

To summarize, my procedure was right but not selecting the virtio modules and in particular the virtio-blk module to be compiled resulted in a failed boot. Since the module was compiled and installed the system boots. Now I have to iron out the unknowns of configuring grsec to my liking.
Embrace what you're not certain of,
keep an eye on what you're confident about.
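The two things this exchange turned on, a kernel built without virtio block support and timbgo's rootdelay= suggestion, can both be checked before rebooting rather than from the initramfs shell afterwards. The following is an added example, not code from the thread or from the grsecurity packages. It reads a kernel config (the build's .config or /boot/config-<version>), an initramfs file listing such as Debian's `lsinitramfs /boot/initrd.img-<version>` prints, and a kernel command line, and lists every reason the new kernel might not find its root disk. The CONFIG_ names are real Kconfig symbols; treating VIRTIO and VIRTIO_PCI as required alongside VIRTIO_BLK is this example's assumption for a KVM/QEMU guest, and all sample text in the test is constructed.

```python
"""Pre-flight checks before rebooting a VPS guest into a freshly built kernel.

Added example, not from the thread. The failed boot discussed above came from
a kernel without virtio block support, so the initramfs never saw the root
disk and /dev/disk/by-uuid/... did not appear. These helpers inspect a kernel
config (/boot/config-<ver> or the build's .config), an initramfs file listing
(as printed by Debian's lsinitramfs), and the kernel command line. The
CONFIG_ names are real Kconfig symbols; all sample text is constructed.
"""
import os
import re
import subprocess
import sys

# Options a KVM/QEMU guest needs to find a virtio root disk. The thread names
# only virtio-blk; adding VIRTIO and VIRTIO_PCI is this example's assumption.
VIRTIO_ROOT_OPTIONS = ("CONFIG_VIRTIO", "CONFIG_VIRTIO_PCI", "CONFIG_VIRTIO_BLK")

_SET = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")


def parse_kconfig(text):
    """Map CONFIG_X to 'y', 'm', a value, or 'n' for '# CONFIG_X is not set'."""
    options = {}
    for line in text.splitlines():
        m = _SET.match(line.strip())
        if m:
            options[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line.strip())
        if m:
            options[m.group(1)] = "n"
    return options


def missing_options(options, wanted=VIRTIO_ROOT_OPTIONS):
    """Wanted options that are neither built in (y) nor built as modules (m)."""
    return [o for o in wanted if options.get(o) not in ("y", "m")]


def modules_needing_initramfs(options, wanted=VIRTIO_ROOT_OPTIONS):
    """Wanted options built as modules: the initramfs must carry these too."""
    return [o for o in wanted if options.get(o) == "m"]


def initramfs_has_module(listing, module):
    """True if an lsinitramfs-style listing contains <module>.ko, compressed or not."""
    pat = re.compile(r"/" + re.escape(module) + r"\.ko(\.(gz|xz|zst))?$")
    return any(pat.search(line.strip()) for line in listing.splitlines())


def parse_cmdline(cmdline):
    """Split a /proc/cmdline string into {key: value}; bare words map to ''."""
    args = {}
    for word in cmdline.split():
        key, _, value = word.partition("=")
        args[key] = value
    return args


def rootdelay_seconds(cmdline):
    """The rootdelay= value (the thread suggests 30 for slow devices), or None."""
    value = parse_cmdline(cmdline).get("rootdelay")
    return int(value) if value and value.isdigit() else None


def preflight(config_text, initramfs_listing, cmdline):
    """Every reason found for the kernel to give up waiting for the root device."""
    options = parse_kconfig(config_text)
    problems = ["%s is not enabled" % o for o in missing_options(options)]
    for o in modules_needing_initramfs(options):
        module = o[len("CONFIG_"):].lower()      # CONFIG_VIRTIO_BLK -> virtio_blk
        if not initramfs_has_module(initramfs_listing, module):
            problems.append("%s.ko is not in the initramfs" % module)
    if "root" not in parse_cmdline(cmdline):
        problems.append("no root= on the kernel command line")
    return problems


if __name__ == "__main__":
    # Check the kernel version given on the command line (the new one), else
    # the running kernel. The cmdline read here is the current boot's.
    ver = sys.argv[1] if len(sys.argv) > 1 else os.uname().release
    with open("/boot/config-" + ver) as fh:
        config = fh.read()
    listing = subprocess.run(["lsinitramfs", "/boot/initrd.img-" + ver],
                             stdout=subprocess.PIPE, check=True).stdout.decode()
    with open("/proc/cmdline") as fh:
        cmdline = fh.read()
    print(preflight(config, listing, cmdline) or ["no problems found"])
    print("rootdelay:", rootdelay_seconds(cmdline))
```

Run it with the version string of the kernel you just installed (for the packages in this thread, `3.17.6-grsec141212-15`) after `dpkg -i` and before rebooting; an empty problem list means the config, the initramfs and the boot arguments agree on how the root disk will be found.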

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2014-12-11 05:40

Pls., generally, alert me if anything is mistaken esp. in those new, and old permanent post. While I'm off and on, and off sometimes for longer, I don't leave without checking for feedback in some, at least some number of hours or a day or two, after posting new stuff. Thank you!

So from now on, there's, for the newbies, (it's easy for the advanced, they only need the script which is on github -- advanced maybe try this, but I don't have time to check myself if it's the right link)...

So from now on, for the newbies, there are the new and the old versions of packages to try, and they will both be on the, kind of, more permanent addresses:

The newest set of packages:
< this same topic >
viewtopic.php?f=16&t=108616&start=45#p555486

And the one month (or so) old set:
< this same topic >
viewtopic.php?f=16&t=108616&start=30#p555093

I will be adding diverse musings/advice too, in new posts though, occasionally.

Today, after the update/upgrade with apt-get of this week's Jigdo DVDs (there's my tip for my jigdo-automate-script in the Tips section), I found out the Iceweasel is somewhat different to deal with than before, for treatment with paxctl.

Here's what I needed to do with the new Iceweasel (else it wouldn't start).

# which iceweasel
# file /usr/bin/iceweasel
# ls -l /usr/lib/iceweasel/
# file /usr/lib/iceweasel/iceweasel
# paxctl -v /usr/lib/iceweasel/iceweasel
# paxctl -v /usr/lib/iceweasel/plugin-container
# paxctl -v /usr/lib/iceweasel/webapprt-stub
# paxctl -cm /usr/lib/iceweasel/iceweasel
# paxctl -cm /usr/lib/iceweasel/plugin-container
# paxctl -cm /usr/lib/iceweasel/webapprt-stub


In essence it's just the last three lines, but the others, previous, are showing you why. Can't always explain profusely. Newbies, try and see my explanation elsewhere, or, best, read the Grsec docs and forums and wikis.

If Grsec does not get into the mainstream Debian sooner or later, something is wrong with the Debian "elite". Because presenting/imposing SELinux as "security" to people, is lying.

And surely, get rid of Systemd, there's my tip on removing it and related stuff on this Tips section.

Cheers!
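What the `paxctl -v` lines above are showing, and what `paxctl -cm` changes, lives in the binary's ELF program headers: `-c` converts the PT_GNU_STACK header into a PT_PAX_FLAGS header, and `-m` sets the MPROTECT-disable bit in it, which is what a JIT-using browser like Iceweasel needs to start on a PaX kernel. The reader below is an added example, not part of the post and not paxctl's code; it decodes those headers directly so you can audit which binaries on a box carry a MPROTECT-disable marking. PT_PAX_FLAGS and the PF_* bit values are the ones from PaX's elf.h; the two tiny ELF64 images built in demo() are constructed and are not runnable programs, and only little-endian ELF64 is handled.

```python
"""Read PaX markings straight from an ELF file's program headers.

Added example, not from the post. It does offline what 'paxctl -v' shows:
paxctl -c turns the PT_GNU_STACK header into PT_PAX_FLAGS and -m sets the
MPROTECT-disable bit there. PT_PAX_FLAGS and the PF_* bits are the values
from PaX's elf.h; the ELF64 images built in demo() are constructed and are
not runnable programs. Only little-endian ELF64 is handled here.
"""
import struct

PT_GNU_STACK = 0x6474E551
PT_PAX_FLAGS = 0x65041580
PF_R, PF_W = 4, 2

# (enable bit, disable bit) per PaX feature; neither set means "kernel default".
PAX_BITS = {
    "PAGEEXEC": (1 << 4, 1 << 5),
    "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9),
    "RANDEXEC": (1 << 10, 1 << 11),
    "EMUTRAMP": (1 << 12, 1 << 13),
    "RANDMMAP": (1 << 14, 1 << 15),
}


def decode_pax_flags(p_flags):
    """Map each feature to 'enabled', 'disabled', 'default' or 'conflict'."""
    state = {}
    for name, (on, off) in PAX_BITS.items():
        if p_flags & on and p_flags & off:
            state[name] = "conflict"       # both bits set: an invalid marking
        elif p_flags & on:
            state[name] = "enabled"
        elif p_flags & off:
            state[name] = "disabled"
        else:
            state[name] = "default"
    return state


def read_pax_flags(data):
    """Inspect the program headers of an ELF64 image held in memory.

    Returns {'header': 'PT_PAX_FLAGS' or None, 'has_gnu_stack': bool,
    'flags': {...}}. With no PT_PAX_FLAGS header every feature is 'default'
    and a 'paxctl -c' is what creates the header before any flag can be set.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("this example only reads little-endian ELF64 files")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    result = {"header": None, "has_gnu_stack": False, "flags": decode_pax_flags(0)}
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            result["has_gnu_stack"] = True
        elif p_type == PT_PAX_FLAGS:
            result["header"] = "PT_PAX_FLAGS"
            result["flags"] = decode_pax_flags(p_flags)
    return result


def read_pax_flags_file(path):
    """Same, for a binary on disk, e.g. /usr/lib/iceweasel/iceweasel."""
    with open(path, "rb") as fh:
        return read_pax_flags(fh.read())


def build_elf64(phdrs):
    """Constructed minimal ELF64 image: a header plus the given (p_type, p_flags)."""
    ehdr = struct.pack("<4sBBBBB7xHHIQQQIHHHHHH",
                       b"\x7fELF", 2, 1, 1, 0, 0,      # ELF64, little-endian, v1, SysV
                       2, 62, 1, 0, 64, 0, 0,          # ET_EXEC, x86-64, phdrs at 64
                       64, 56, len(phdrs), 64, 0, 0)   # sizes and counts
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


def demo():
    """Before and after the post's 'paxctl -cm': (as shipped, MPROTECT disabled)."""
    shipped = build_elf64([(PT_GNU_STACK, PF_R | PF_W)])
    marked = build_elf64([(PT_PAX_FLAGS, PAX_BITS["MPROTECT"][1])])
    return read_pax_flags(shipped), read_pax_flags(marked)


if __name__ == "__main__":
    for label, info in zip(("shipped", "after paxctl -cm"), demo()):
        print(label, info)
```

Pointed at real files (`read_pax_flags_file("/usr/lib/iceweasel/iceweasel")`), a `"MPROTECT": "disabled"` result is the marking the post applies; it is worth keeping a list of such binaries, since each one is a deliberate hole in PaX's protection for the sake of a program that needs writable-and-executable memory.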

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby timbgo » 2015-01-23 00:49

Sadly, due to censorship by my provider on me and very subtle possible attacks allowed or in collusion...

Yes, sadly, due to censorship by my provider on me, about which you can read some documented events and, in effect, the provider's own admission of censorship on me, easily seen through bogus accusations and/or excuses leveled against me on:

Postfix smtp-tls-wrapper, Bkp/Cloning Mthd, A Zerk Provider
https://forums.gentoo.org/viewtopic-t-999436.html

The main points, for quick guided info:

https://forums.gentoo.org/viewtopic-t-9 ... ml#7613052
where find:
Sep  4 23:18:46 localhost postfix/smtp[14602]: 29D7B28E1FF: to=<support@plus.hr>, relay=127.0.0.1[127.0.0.1]:11125, delay=15731, delays=15731/0.01/0.18/0.52, dsn=5.0.0, status=bounced (host 127.0.0.1[127.0.0.1] said: 550-"JunkMail rejected - 147-226.dsl.iskon.hr (n4m3.localdomain) 550-[89.164.147.226]:41972 is in an RBL, see 550 http://www.spamhaus.org/query/bl?ip=89.164.147.226" (in reply to RCPT TO command))


https://forums.gentoo.org/viewtopic-t-9 ... ml#7682770
where read:
the provider wrote:For your protection, on your user account a ban has been placed for sending e-mails from any other servers but mail.t-com.hr.

and:
me wrote:I don't have any problems that you ban any other mail server but your own, mail.t-com.hr, and pls. take good notice, and:

lin16.mojsite.com

that is, in IPv4: 178.218.164.164

which I pay for ... and the email address ... which I [also] pay for ...:

miro.rovis@croatiafidelis.hr


[and for which that is the server for sending/receiving]

So, [due to] that [censorship] by my provider on me and due to [very subtle possible attacks allowed or] done [in collusion], of which you can read documented case here:

< same topic as above >
https://forums.gentoo.org/viewtopic-t-9 ... ml#7685200

where, to me, what happened, although it looks like a smooth, apparently legal opening of two connections, but it is in no way so (feel free to download and work through the entire triplet of the capture/screencast/conntrack in all aspects and find out for yourself)...

[where, to me, what happened] is a clear case of clickjacking, and it could have been, on their part, a collusion with those intruding subjects, to have a "spam" sent from my computer. This (notice the verb modes in this paragraph: I'm not claiming it; I am only suspecting it) could have been what they needed to get me banned from even using the Internet at all, as they did in the past for a few periods of time in similar occasions (only I knew much less back then to be able to disprove their claims, which I can now, to some extent, at this level to which I grew in the meantime).

So the issue is not at all insignificant, as I already was close to jail for my political beliefs in 2009, basically anti-Titoist-slaughters-progenie-neocommunism in power in Croatia (and I am really saying this here only to explain to readers why I can not update the packages and improve this tip further). (I'm not against honest leftists, I actually publically support some.)

Sadly, I need to learn so much more, and I have to study, to be able to, basically, protect myself from my current provider claiming to ban me from using my email address ... that I pay for, for reasons of my own "protection" by them, and possibly subtly threatening me having spam really sent from my computers, via other subjects... as the screencast/capture/conntrack likely sufficiently demonstrate.

Just imagine what those subjects could do, if I don't get the iptables very right, and learn to packet capture much much cleverer and with the right filtering, and also finally deploy Gradm fully, as well as probably do other checks on my system before I go and download the Jigdo DVDs! Just imagine!

So I'm in a race, and I have to work and overwork, because both my Debian boxes and my Gentoo boxes are already one month and ten days without updating, and I can not update them before all of the work mentioned in the previous paragraph is done here.

Thank you for your kind attention, and pls. be patient. Grsecurity is the program that I put my hope into like in no other, I really love it, and I hope to be back in a while to give even more and even better work into this topic.

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby pcalvert » 2015-04-08 11:56

People interested in Grsecurity may be interested in this as well:
https://wiki.debian.org/SameKernel

Phil

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby jlambrecht » 2015-04-08 12:02

Thank you so much Phil, great tip.
Embrace what you're not certain of,
keep an eye on what you're confident about.

Re: Grsecurity/Pax installation on Debian GNU/Linux

Postby stevepusser » 2015-04-08 17:44

jlambrecht wrote:Thank you so much Phil, great tip.


Maybe...can anyone access that kernel?
The MX Linux repositories: Backports galore! If we don't have something, just ask and we'll try--we like challenges. New packages: AzPainter 2.0.6, Pale Moon 27.3.0, Liquorix kernel 4.11-9, mpv 0.25.0, Kodi 17.3, Ksnip 1.3.1, Mesa 13.0.6
