Grsecurity/Pax installation on Debian GNU/Linux

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#81 Post by timbgo »

This is also a good reference page (with old clumsy occasional naming, read on):

https://packages.debian.org/source/stretch/linux

In Devuan we use the exact same kernel(s) as is used in Debian. Probably the rest of the kernels from the list too, but I know about mine.

This is my machine (I grep out 4.9.3 and 4.9.5, such as 4.9.39 and 4.9.51 --soon also 4.9.52-- because I have a few minipli grsecurity-hardened kernels, and the topic is Debian/Devuan kernels compatibility):


# ls -l /boot/ | grep -vE '4.9.3|4.9.5'
total 195663
...
-rw-r--r-- 1 root root   190055 2017-01-06 20:17 config-4.4.0-59-generic
-rw-r--r-- 1 root root   186386 2017-06-26 15:27 config-4.9.0-3-amd64
drwxr-xr-x 2 root root     1024 2017-07-24 19:19 efi
drwxr-xr-x 6 root root     1024 2017-09-27 19:56 grub
-rw-r--r-- 1 root root 33548826 2017-09-13 12:33 initrd.img-4.4.0-59-generic
-rw-r--r-- 1 root root 19462711 2017-09-15 11:54 initrd.img-4.9.0-3-amd64
...
-rw------- 1 root root  3888958 2017-01-06 20:17 System.map-4.4.0-59-generic
-rw-r--r-- 1 root root  3180497 2017-06-26 15:27 System.map-4.9.0-3-amd64
-rw-r--r-- 1 root root  6969744 2017-01-30 17:03 vmlinuz-4.4.0-59-generic
-rw-r--r-- 1 root root  4204320 2017-06-26 15:27 vmlinuz-4.9.0-3-amd64
#
The 4.4.0-59-generic is actually some Ubuntu that I dual boot into, at this time.

But 4.9.0-3 is the same kernel in Debian and in Devuan. And I base my 4.9.5x configs on that one, which is actually a generic kernel, except that it is described, currently on that page linked above, as:


linux-image-4.9.0-3-amd64
Linux 4.9 for 64-bit PCs
while the other of the kernels listed:

linux-image-4.9.0-3-686-pae
Linux 4.9 for modern PCs

Just saying about clumsy naming :-). Because the 64-bit PCs on the market are small share AMD64, much greater share Intel (IIUC), and 686:


linux-image-4.9.0-3-686-pae
    Linux 4.9 for modern PCs
, be it even https://en.wikipedia.org/wiki/Physical_ ... _Extension , is it so modern?

(I mean other than Udoo x86, which I'd never recommend to anybody, because I'd very strongly expect Intel owns it, not you, and owns you through it: it's closed source, black box hardware. IIUC.)

But on the question about compatibility, I'd believe Devuan and Debian kernels being the same, even my packages should work fine on Debian/Ubuntu as well, and if you go the best way, which is compiling your own kernel and hardening it with the fresh unofficial-grsecurity patches, it cannot be in any way incompatible in the, I believe, whole Debian family (but I am not familiar with many other of the Debian family distro-members)!

I also take all the precautions when I compile the packages. For that reason I put fat warnings if I have any marginal doubts of my systems.

I'm compiling, away from this online system, linux-4.9.52 with the new patch:
https://github.com/minipli/linux-unoffi ... cial_grsec

Just as in the script (also been updated, e.g. you could likely also simply just use:
https://github.com/miroR/grsec-dev1-com ... compile.sh
) I run the long, one thread only:


fakeroot make deb-pkg
i.e. not fakeroot make -jN deb-pkg, where N depends on how many cores your processor has, to be more on the safe side (and another possible reason, of which maybe later).

For compiling the next kernel the line is fine like this:


$ grsec-dev1-compile.sh v4.9.52-unofficial_grsec-20170928143206 linux-4.9.52 config-4.9.51-unofficial+grsec170923-22
I have no room for more than one set of packages at a time (anyway, those who compile, know that they also get a debugger package, which I can post), so I think I'll always be removing the old, and posting the new... (very probably).

Regards!
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#82 Post by timbgo »

The latest:
https://www.croatiafidelis.hr/gnu/deb/l ... 170929-07/
Pls. until I sort out the README.html for it, read the previous one at:
https://www.croatiafidelis.hr/gnu/deb/l ... 170923-22/
( but the later packages I have taken really great care to prepare, use the new packages, not those )

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#83 Post by timbgo »

There's a discussion here:
https://github.com/minipli/linux-unoffi ... /issues/11

The patch is minipli's work updated by:

https://github.com/HacKurx

Pls. read the discussion about it at:

https://github.com/minipli/linux-unoffi ... /issues/11

And here are the deb packages:

https://www.CroatiaFidelis.hr/gnu/deb/l ... 171114-19/

Pls. pls., no warranties! But I think my system was only attacked but not compromised... Doing a huge work of analysis of the network traces, and not an expert, but it does look like the system wasn't compromised, and my big fat warning on page:

Strange Bash under grsecurity's exec logging
https://dev1galaxy.org/viewtopic.php?id=1598

was an exaggeration... But still no warranties. Use at your own risk. I too trusted HacKurx's work and I believe I won't regret in the least...

Again, I run Devuan, but the kernels are same in Debian and Devuan. Except for systemd-related stuff, Devuan is mostly still just in most respects: a Debian of a kind.

And the patch that I used, I had to sign with my PGP key, since HacKurx didn't sign them, but gave the SHA256, which I testify you will get too, if my PGP signature that you get is uncompromised (I'll be posting it next at, wait a minute... it'll be... It is, from right now at:

https://www.croatiafidelis.hr/gnu/deb/l ... iff.tar.xz
https://www.croatiafidelis.hr/gnu/deb/l ... x.diff.sig

If you compile, you will need to modify the part related to the patch in the grsec-dev1-compile.sh ... I hope HacKurx instead from now keeps to the tradition started by minipli with the unofficial-grsec patches.

( Pls. do tell if I made any mistakes in linking or signing, such as if something doesn't verify, or if you have any issues. )

Regards!
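Added example, not code from the thread or from grsec-dev1-compile.sh: a POSIX shell check of the kind post #83 describes, accepting a downloaded patch only when the detached PGP signature comes from the expected key and the SHA256 of the archive matches the published value. The file names, fingerprint and hash in the stand-alone call are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or grsec-dev1-compile.sh. Checks a
# downloaded patch archive the way a cautious builder would before running
# "patch" or "fakeroot make deb-pkg": detached signature from the expected
# key, then SHA256 of the archive against the published value.
# PATCH, PATCH.sig, the fingerprint and the hash below are placeholders.

# check_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise.
check_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# verify_sig SIGFILE FILE FINGERPRINT -> 0 only if gpg reports VALIDSIG from
# exactly that key. Checking the fingerprint matters because --verify alone
# also returns 0 for a good signature from any other key in the keyring.
verify_sig() {
    sig=$1; file=$2
    fpr=$(printf '%s' "$3" | tr 'a-f' 'A-F' | tr -d ' ')
    gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $fpr "
}

# verify_patch SIGFILE FILE FINGERPRINT EXPECTED_SHA256: both checks must pass.
verify_patch() {
    if ! verify_sig "$1" "$2" "$3"; then
        echo "signature check FAILED for $2" >&2; return 1
    fi
    if ! check_sha256 "$2" "$4"; then
        echo "sha256 mismatch for $2" >&2; return 1
    fi
    echo "ok: $2 signed by $3 and digest matches"
}

# Stand-alone use (placeholders):
#   verify_patch PATCH.sig PATCH <40-hex-fingerprint> <64-hex-sha256>
if [ "$#" -eq 4 ]; then verify_patch "$@"; fi
```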

Head_on_a_Stick
Posts: 13450
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Grsecurity/Pax installation on Debian GNU/Linux

#84 Post by Head_on_a_Stick »

Black Lives Matter

Debian buster-backports ISO image: for new hardware support

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#85 Post by timbgo »

Head_on_a_Stick wrote:https://packages.debian.org/sid/linux-image-grsec-amd64

I'll just leave this here...

:D
Which is fine! Except old kernel, more exploits...
Only:


linux-image-4.9.0-4-grsec-amd64
there.

Testing new versions of LTS patched with unofficial-grsecurity is better in my view.
However, if corsac returns and takes up packaging the unofficial-grsecurity-patched LTS, I'm all for it! :)
EDIT 2017-11-16 18:00 UTC Oh! That is corsac maintaining it! So glad to know!
Thanks for telling us, Head_on_a_Stick! Last time I looked it up, that wasn't the case... But I'm slow...
EDIT END

Head_on_a_Stick
Posts: 13450
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Grsecurity/Pax installation on Debian GNU/Linux

#86 Post by Head_on_a_Stick »

timbgo wrote:Except old kernel, more exploits...
Only:


linux-image-4.9.0-4-grsec-amd64
there
That's the Debian package version, the kernel version is 4.9.51-1+grsecunoff2; my Alpine Linux system is using 4.9.60 (with an unofficial port of the grsec patches) and kernel.org is on 4.9.62 so it's not that far behind.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#87 Post by timbgo »

Head_on_a_Stick wrote:
timbgo wrote:Except old kernel, more exploits...
Only:


linux-image-4.9.0-4-grsec-amd64
there
That's the Debian package version, the kernel version is 4.9.51-1+grsecunoff2; my Alpine Linux system is using 4.9.60 (with an unofficial port of the grsec patches) and kernel.org is on 4.9.62 so it's not that far behind.
8) Of course, I studied all the links from the page you gave in the meantime, and I checked if we had it in Devuan: yes we do!
And of course I'll install it, along with gradm2 and other recommends! (For Devuan it's in Ceres, something like our testing branch.)
But it is old, it is. My packages that I gave above, based on the same grsecunoff by Mathias (minipli) Krause, who BTW has been taking some time off, and is sorely being missed, but Loic (HacKurx) updated the patch to 4.9.61, which I gave all the links and uploaded my deb packages... So my packages are kind of much newer version of grsecunoff. Could still be worth a try for some people, I'd hope.

I'm happy that grsec is being taken good care of. corsac, thank you so much for keeping the grsec available for us!

But it took corsac time to provide the packages, didn't it? And this is the first of the new series of grsec, the unofficial_grsecurity!
See here:
http://metadata.ftp-master.debian.org/c ... _changelog
where, currently at the very top, there is only one single version of it:


linux-grsec (4.9.51-1+grsecunoff1) unstable; urgency=medium

  * Pull changes from src:linux up to 4.9.51-1.
  * grsec/gen-patch:
    - update to generate patch from a local git repository with Mathias Krause
    grsec-unofficial tree (https://github.com/minipli/linux-unofficial_grsec)
  * Update grsecurity patch to the unofficial version maintained by Mathias
    Krause.
  * featureset-grsec/config: update long description to make it clear we are
    using the unofficial patch, unrelated to the private patch.
  * debian/lib/python/debian_linux/debian.py: handle new versioning scheme.

 -- Yves-Alexis Perez <corsac@debian.org>  Tue, 03 Oct 2017 10:59:32 +0200
Regards! (And thanks again Head_on_a_Stick for bringing us all here the very happy news!)

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#88 Post by timbgo »

If anybody feels like testing the newest:

https://croatiafidelis.hr/gnu/deb/linux ... 171209-20/

and maybe they will find new realizations amusing:

NULL pointer deref in do_blockdev_direct_IO()
https://github.com/minipli/linux-unoffi ... -350476483

You can use:
https://croatiafidelis.hr/gnu/deb/confi ... 1209-20.gz
https://croatiafidelis.hr/gnu/deb/confi ... 209-20.sig
if you're compiling with:
https://github.com/miroR/grsec-dev1-compile

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#89 Post by timbgo »

4.9.70 under:
https://www.croatiafidelis.hr/gnu/deb/l ... c-current/
(i.e. https://www.croatiafidelis.hr/gnu/deb/l ... 171220-11/ )
For those who verify, ls-1.sum.asc is missing. Busy, but it's coming later.
EDIT 2017-12-21 09:28:41+00:00, there now:
https://www.croatiafidelis.hr/gnu/deb/l ... -1.sum.asc

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#90 Post by timbgo »

New grsecunoff kernel is available for the brave:
https://www.croatiafidelis.hr/gnu/deb/l ... 171228-16/

n_hologram
Posts: 459
Joined: 2013-06-16 00:10

Re: Grsecurity/Pax installation on Debian GNU/Linux

#91 Post by n_hologram »

@timbgo: How is grsecurity holding up against spectre/meltdown?
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
the crunkbong project: scripts, operating system, the list goes on...

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#92 Post by timbgo »

n_hologram wrote:@timbgo: How is grsecurity holding up against spectre/meltdown?
Hard work to do, that's how... They need the code that spender and PaX Team left (the last publicly available grsecurity), and they're using it (always you will find they cite them as their source, e.g. in the patches if you subscribe to KSPP)...
But, as...
minipli wrote: Expect it to be weeks/months/never. It's a pretty invasive change conflicting with a lot of PaX. :(
(pls. see that issue for details)
Things are probably happening, but slowly...

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#93 Post by timbgo »

Retpoline-patched grsecunoff (AMD, but no meltdown protection yet for Intel) available under the "current" link, or:
https://www.croatiafidelis.hr/gnu/deb/l ... 180203-22/

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#94 Post by timbgo »

It might be worth trying (and reporting if you can install and load amd64-microcode with):
https://www.croatiafidelis.hr/gnu/deb/l ... 180204-21/
Pls. read there, and the links, for the details.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#95 Post by timbgo »

The:
https://www.croatiafidelis.hr/gnu/deb/l ... c-current/
now points to:
https://www.croatiafidelis.hr/gnu/deb/l ... 180601-06/
That is the kernel package for Debian/Devuan that _may_ be worth trying out, bearing in mind the caveats of Dapper Linux patchset:
https://dapperlinux.com/
I.e. no meltdown protection, no spectre protection, currently no retpoline.

However, all the other usual protections that grsec offered are there. And the kernel is up to date.

I am testing that kernel right now, it appears to be fine.

If you want to use it, pls. see previous posts, there is a lot of info on how to download it, how to verify it, etc.

Regards!
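Added example, not code from the thread or from the Dapper patchset: a POSIX shell check of what the running kernel itself reports about Meltdown/Spectre mitigation status through the sysfs vulnerabilities directory, which is the gap post #95 flags for these packages. The sample directory it builds for a dry run is constructed and is not output from any real kernel.

```shell
#!/bin/sh
# Added example, not from the thread. Reads the per-issue status files the
# kernel exports under /sys/devices/system/cpu/vulnerabilities and counts the
# ones that report "Vulnerable", which is the situation post #95 describes for
# a patchset that ships without Meltdown/Spectre mitigations or retpoline.

SYSFS_VULN=/sys/devices/system/cpu/vulnerabilities

# report_mitigations [DIR]: prints one line per status file and returns the
# number of entries whose status begins with "Vulnerable" (0 = none flagged).
# Returns 100 when DIR has no files: kernels older than this sysfs interface
# report nothing at all, which must be read as unknown, not as safe.
report_mitigations() {
    dir=${1:-$SYSFS_VULN}
    bad=0; seen=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        seen=$((seen + 1))
        name=$(basename "$f")
        status=$(cat "$f")
        case $status in
            Vulnerable*)    bad=$((bad + 1)); tag=VULNERABLE ;;
            "Not affected") tag=ok ;;
            *)              tag=mitigated ;;
        esac
        printf '%-22s %-11s %s\n' "$name" "$tag" "$status"
    done
    if [ "$seen" -eq 0 ]; then
        echo "no status files in $dir: kernel predates the interface, status unknown" >&2
        return 100
    fi
    return "$bad"
}

# make_sample_dir: constructed sample resembling a kernel that mitigates
# Spectre v1 but not Meltdown or Spectre v2; prints the temp directory path.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Vulnerable\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    printf 'Not affected\n' > "$d/l1tf"
    echo "$d"
}

# Stand-alone use: run with no argument to inspect the live kernel, or pass a
# directory such as "$(make_sample_dir)" for the constructed dry run.
if [ "$#" -eq 1 ]; then report_mitigations "$1"; fi
```

A non-zero return from `report_mitigations` on the live directory is the signal to weigh before putting such a kernel on a multi-user or internet-facing box.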

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#96 Post by timbgo »

The offered packages in the previous post (no issues have I had so far) are for any system hardware (well: x86_64 arch only).

The best way is surely to compile. Nothing wrong with the other option. It's only that tailoring the compiled kernel for only your hardware reduces the huge attack surface.

While Dapper Secure Kernel Patchset (
https://github.com/dapperlinux/dapper-s ... e/releases
) is still grsecurity, my script for newbies has changed to help new GNU-Debianers/Devuaners who want to look into kernel compiling.

So pls. look up:

https://github.com/miroR/grsec-dapper-compile/

I'm not sure, you might need to get dapper-linux PGP key from:

https://dapperlinux.com/contact.html
https://dapperlinux.com/matthew_gpg_public_key.asc

Regards!

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#97 Post by timbgo »

https://www.croatiafidelis.hr/gnu/deb/l ... 180615-20/
is now pointed to by:
https://www.croatiafidelis.hr/gnu/deb/l ... c-current/

Some new talk (some new indications) is at:
not an issue, but lack of issues #5
https://github.com/dapperlinux/dapper-s ... e/issues/5

as well as at:
PAX: RAP hash violation for return address: __ext4_get_inode_loc+0x258/0xab0 #17
https://github.com/minipli/linux-unoffi ... /issues/17

With vanilla kernel, a lot is lost, even though the Spectre and Meltdown are dealt with... In effect, there is no safety with Linux, after spender and PaX Team have gone... I believe it would be easier to deep-inspect and figure out my browsing online, and protect my system against threats in real time, than to get vanilla kernel to be safe, or add Spectre and Meltdown mitigations into any of the available forks remaining for the public of grsecurity...

A very hard choice to make... I myself, I still opt for dappersec fork of grsecurity, rather than the now, in essence, Google in charge of security of Mr. Linux's GNU/Linux.

debiman
Posts: 3064
Joined: 2013-03-12 07:18

Re: Grsecurity/Pax installation on Debian GNU/Linux

#98 Post by debiman »

people should have a good look at that website before deciding to download anything from it.

Head_on_a_Stick
Posts: 13450
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Grsecurity/Pax installation on Debian GNU/Linux

#99 Post by Head_on_a_Stick »

debiman wrote:people should have a good look at that website
Yes, the OP does seem quite delusional in respect of homosexuality and intergender conditions but the grsec patchset does offer some value.

I can't get the graphical desktop to work properly with the official Debian grsec-patched kernels, I think they're intended for servers.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#100 Post by timbgo »

Head_on_a_Stick wrote:
debiman wrote:people should have a good look at that website
Yes, the OP does seem quite delusional in respect of homosexuality and intergender conditions but the grsec patchset does offer some value.
I don't talk politics, and the fact that the place where I can offer my kernels from is at my NGO's website, I don't think that should matter.

Regarding this grsec topic, I'd really kindly suggest that we don't talk politics.
I can't get the graphical desktop to work properly with the official Debian grsec-patched kernels, I think they're intended for servers.
Any report on the usefulness of my kernels, or of my newbie-oriented script ( with the latest stable kernels / with the currently available free patches: https://github.com/miroR/grsec-dapper-compile ) are welcome. I'd like to kind of still grow technically and do much more in FOSS.

Kind regards!