Grsecurity/Pax installation on Debian GNU/Linux

Share your own howto's etc. Not for support questions!
Message
Author
timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#46 Post by timbgo »

New packages will always be, by my modifying of this here post, hitherto referred to.
===
For previous (last month's or so) content of this local address of this topic, pls see:
< this same topic >
http://forums.debian.net/viewtopic.php? ... 93#p555093

[[ Of course, if you are advanced, you are better off using the script; because it compiles tailor-made for your machine. See < in this same topic >. This post right here is for newbies.

And of course, if you are expert and honest, help us in this work, and in spreading of this Grsec program that enables real privacy for the masses, especially help us bring Grsec into mainstream Debian for everybody... ]]

As you can see, I'm reusing the old instructions, but replacing them with the new, so that it is always the same address with the newest instructions.
So, for new users:

Download first just:

http://www.croatiafidelis.hr/gnu/deb/li ... Lo-wget.sh

Move it into an empty directory. And then:

Code: Select all

$ chmod 755 dLo-wget.sh
to make it executable.

And run it:

Code: Select all

$ ./dLo-wget.sh
It will download all the packages.

You then should have these in that directory:

Code: Select all

$ ls -ABRgoh
.:
total 361M
-rwxr-xr-x 1  812 2014-12-12 21:44 dLo-wget.sh
-rw-r--r-- 1 946K 2014-12-12 19:03 linux-firmware-image-3.17.6-grsec141212-15_3.17.6-grsec141212-15-1_amd64.deb
-rw-r--r-- 1 7.0M 2014-12-12 19:04 linux-headers-3.17.6-grsec141212-15_3.17.6-grsec141212-15-1_amd64.deb
-rw-r--r-- 1  31M 2014-12-12 19:07 linux-image-3.17.6-grsec141212-15_3.17.6-grsec141212-15-1_amd64.deb
-rw-r--r-- 1 322M 2014-12-12 19:59 linux-image-3.17.6-grsec141212-15-dbg_3.17.6-grsec141212-15-1_amd64.deb
-rw-r--r-- 1 752K 2014-12-12 19:04 linux-libc-dev_3.17.6-grsec141212-15-1_amd64.deb
-rw-r--r-- 1  863 2014-12-12 21:15 SUMS
-rw-r--r-- 1  819 2014-12-12 21:43 SUMS.sig
$
Now:

Code: Select all

gpg --verify SUMS.sig
must return to you my correct signature:

Code: Select all

...snip...
Primary key fingerprint: FCF1 3245 ED24 7DCE 4438  55B7 EA98 8488 4FBA F0AE
(or anyway signed with that key; see tutorials elsewhere if you are lost here).

And now:

Code: Select all

sha256sum -c SUMS
should return to you:

Code: Select all

linux-firmware-image-3.17.6-grsec141212-15_3.17.6-grsec141212-15-1_amd64.deb: OK
linux-headers-3.17.6-grsec141212-15_3.17.6-grsec141212-15-1_amd64.deb: OK
linux-image-3.17.6-grsec141212-15_3.17.6-grsec141212-15-1_amd64.deb: OK
linux-image-3.17.6-grsec141212-15-dbg_3.17.6-grsec141212-15-1_amd64.deb: OK
linux-libc-dev_3.17.6-grsec141212-15-1_amd64.deb: OK
If all the above went correctly for you, in another terminal, but as root, cd into that directory, and do:

Code: Select all

dpkg -i *.deb
That should install these superior security packages for you. Much more is needed for real privacy for you with your machine on the internet, but at least now you are on the right path...

Maybe the next best thing is try and see how much you can understand from the book:

Grsecurity
https://en.wikibooks.org/wiki/Grsecurity

Refer Debian related issued with these here, and more strictly Grsecurity-related issues on:

Tips on Grsecurity installation for Debian newbies
https://forums.grsecurity.net/viewtopic.php?f=3&t=3835
Last edited by timbgo on 2014-12-14 06:11, edited 9 times in total.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#47 Post by timbgo »

I believe it is becoming necessary for proper implementation of Grsecurity/Pax, to go this fresh brand new way:

How to Remove Systemd and Related Packages from Your Debian
http://forums.debian.net/viewtopic.php?f=16&t=118197

I wrote previously in this topic and elsewhere on systemd intrusion onto Debian... Hopefully, things look bright again. Pls read there and in pages linked from there.

Sure I have to repeat that without Gradm RBAC policy set and enabled, the implementation of Grsecurity/Pax patched kernel does not offer complete protection.

That RBAC policy creation and gradm enabling is now getting closer to be much much much more easy realize, with the advent of mirabilos wtf repo!

Nothing likely to happen within just mere days, I work much more slowly than that.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

jlambrecht
Posts: 374
Joined: 2008-02-01 16:21

Re: Grsecurity/Pax installation on Debian GNU/Linux

#48 Post by jlambrecht »

Great post, got there all by myself, BUT FOR ONE THING.

After i've installed all packages, it is impossible to boot. For some reason the UUID device-id is not valid and it fails to boot, dropping to initramfs. As far as i can tell i've done the right thing but the result proves differently.

What am i doing wrong ? I've been here before, fixed it, but have no notes or memories left.
Embrace what you're not certain off,
keep an eye on what you're confident about.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#49 Post by timbgo »

Announcement. New packages, on same old address, from now:
http://forums.debian.net/viewtopic.php? ... 45#p555486
I'll only be announcing in new posts, but keeping the modified instructions on old addresses, from now on. That way, if you are subscribed to the topic, you get the news, and instructions are really repeated emtirely any more.
Miro
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#50 Post by timbgo »

jlambrecht wrote:Great post, got there all by myself, BUT FOR ONE THING.

After i've installed all packages, it is impossible to boot. For some reason the UUID device-id is not valid and it fails to boot, dropping to initramfs. As far as i can tell i've done the right thing but the result proves differently.

What am i doing wrong ? I've been here before, fixed it, but have no notes or memories left.
Hi, jlambrecht!
I just noticed your post. Hmmh. There's no way anyone could tell you what you may have done wrong (or whether something was wrong elsewhere in the "ingredients"), without much more information than you have provided...
Try the new packages first, and if you still have problems, more detailed descriptions, maybe some logs, or other, would be nesessary...
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

jlambrecht
Posts: 374
Joined: 2008-02-01 16:21

Re: Grsecurity/Pax installation on Debian GNU/Linux

#51 Post by jlambrecht »

Basically, i'm not sure if i did anything wrong really. Just to make sure i've read a few articles on patching and compiling the kernel with grsec on Debian and Ubuntu. It seems i've not made any mistake. The only difference is this machine is a guest in a VPS host, i'm not sure how this could matter but it sticks to my attention.

This is a copy of an error which is exactly like mine, i've tried multiple ways to fix this to no avail, once more i start feeling retardish.
Gave up wating for root device. Common problems:
-Boot args (cat /proc/cmdline)
-Check rootdelay= (did the system wait long enough?)
-Check root= (did the system wait for right device?)
-Missing modules (cat /proc/modules; ls /dev)
ALERT! /dev/disk/by-uuid/X-X-X-X does not exist.
Dropping to a shell!

BusyBox v1.21.1 (Ubuntu 1:1.21.0-1ubuntu1) built-in shel (ash)
Enter `help` for a list of built-in commands.
(initramfs)_
For completeness it must be added there are two notifications below 'Dropping to a shell!'

modprobe: module ohci-hcd not found in modules.dep
modprobe: module usbhid not found in modules.dep
Embrace what you're not certain off,
keep an eye on what you're confident about.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#52 Post by timbgo »

jlambrecht wrote:Basically, i'm not sure if i did anything wrong really. Just to make sure i've read a few articles on patching and compiling the kernel with grsec on Debian and Ubuntu. It seems i've not made any mistake. The only difference is this machine is a guest in a VPS host, i'm not sure how this could matter but it sticks to my attention.
Neither could I tell much at all. Not familiar with what being VPS guest entails in particualar wrt "regular" systems.
jlambrecht wrote:
This is a copy of an error which is exactly like mine, i've tried multiple ways to fix this to no avail, once more i start feeling retardish.
Gave up wating for root device. Common problems:
-Boot args (cat /proc/cmdline)
-Check rootdelay= (did the system wait long enough?)
-Check root= (did the system wait for right device?)
-Missing modules (cat /proc/modules; ls /dev)
ALERT! /dev/disk/by-uuid/X-X-X-X does not exist.
Dropping to a shell!

BusyBox v1.21.1 (Ubuntu 1:1.21.0-1ubuntu1) built-in shel (ash)
Enter `help` for a list of built-in commands.
(initramfs)_
I had had an issue where I solved the no-boot with modifying things. Not saying that it will or will not apply to your case, but try and see here:

No-boot kernel, working lvm in initramfs, volumes not found
http://forums.debian.net/viewtopic.php?f=5&t=105549

(but in short, try and stick

Code: Select all

GRUB_CMDLINE_LINUX="rootdelay=30"
into /etc/default/grub and reinstall the kernel (I guess, maybe should delve deeper there just in case; a little short with time...). If it works replace 30 with smaller value if it bothers you waiting on every boot... Don't know...
jlambrecht wrote:For completeness it must be added there are two notifications below 'Dropping to a shell!'

modprobe: module ohci-hcd not found in modules.dep
modprobe: module usbhid not found in modules.dep
That would probably resolve if the root device was found.

Maybe, and anyway, for other users who might have issues, I suggest, instead of the usual as root:

Code: Select all

dpkg -i *.deb
(see the instructions for the context), do:

Code: Select all

dpkg -i *.deb 2>&1 | tee dpkg-grsec_`date +%s`.log
for part of which my explanation is here (in bottom of that post):
http://forums.debian.net/viewtopic.php? ... 64#p552775
and this part, just try it out in a termanal:

Code: Select all

date +%s
(only gives the time in seconds since 1970-01-01 00:00), to not overwrite the previous file with otherwise same name; I sometimes use same command lines over, so this is my way; that `date +%s` part is not important; the log is)
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

jlambrecht
Posts: 374
Joined: 2008-02-01 16:21

Re: Grsecurity/Pax installation on Debian GNU/Linux

#53 Post by jlambrecht »

I think i know what is missing here. Since the system is a VPS it requires the virtio modules to be available, especially the virtio-blk module. I've just recompiled, updated etc and it is not indeed loading the virtio modules, though not the virtio-blk module since it is not there yet. Once i find what to select to build this module it will most likely boot as expected.
Embrace what you're not certain off,
keep an eye on what you're confident about.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#54 Post by timbgo »

jlambrecht wrote:I think i know what is missing here. Since the system is a VPS it requires the virtio modules to be available, especially the virtio-blk module. I've just recompiled, updated etc and it is not indeed loading the virtio modules, though not the virtio-blk module since it is not there yet. Once i find what to select to build this module it will most likely boot as expected.
Happy you've probably solved it!

Your final report will be most welcome (if you find the time to confirm whether it did work)!

Anyway, reports are welcome. Just, I'm not always around, because I work slowly and may be busy elsewhere, so patience may be needed for my replies, often.

(Remember that I may be advanced in comparison to new users, but I'm not an expert by any means, and I've really done and doing this entire topic out of gratitude to Spender and PaX Team who provide us with Grsecurity/Pax, the paramount model of honest programming which is becoming kind of rarity nowadays.)
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

jlambrecht
Posts: 374
Joined: 2008-02-01 16:21

Re: Grsecurity/Pax installation on Debian GNU/Linux

#55 Post by jlambrecht »

Yep, it is solved now. Who would have thought such would be required ( i feel kind of dumb to not have thought of this )

To summarize, my procedure was right but not selecting the virtio modules and in particular the virtio-blk module to be compiled resulted into a failed boot. Since the module was compiled and installed the system boots. Now i have to iron out the unknowns of configuring grsec to my liking.
Embrace what you're not certain off,
keep an eye on what you're confident about.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#56 Post by timbgo »

Pls., generally, alert me if anything is mistaken esp. in those new, and old permanent post. While I'm off and on, and off sometimes for longer, I don't leave without checking for feedback in some, at least some number of hours or a day or two, after posting new stuff. Thank you!

So from now on, there's, for the newbies, (it's easy for the advanced, they only need the script which is on github -- advanced maybe try this, but I don't have time to check myself if it's the right link)...

So from now on, for the newbies, there are the new and the old versions of packages to try, and they will both be on the, kind of, more permanent addresses:

The newest set of packages:
< this same topic >
http://forums.debian.net/viewtopic.php? ... 45#p555486

And the one month (or so) old set:
< this same topic >
http://forums.debian.net/viewtopic.php? ... 30#p555093

I will be adding diverse musings/advice too, in new posts though, occasionally.

Today, after the updare/upgrade with apt-get of this weeks Jigdo DVD's (there's my tip for my jigdo-automate-script in the Tiips section), I found out the Iceweasel is somewhat different to deal with than before, for treatment with paxctl.

Here's what I needed to do with the new Iceweasel (else it wouldn't start).

Code: Select all

# which iceweasel
# file /usr/bin/iceweasel
# ls -l /usr/lib/iceweasel/
# file /usr/lib/iceweasel/iceweasel
# paxctl -v /usr/lib/iceweasel/iceweasel
# paxctl -v /usr/lib/iceweasel/plugin-container
# paxctl -v /usr/lib/iceweasel/webapprt-stub
# paxctl -cm /usr/lib/iceweasel/iceweasel
# paxctl -cm /usr/lib/iceweasel/plugin-container
# paxctl -cm /usr/lib/iceweasel/webapprt-stub
In essence it's just the last three lines, but the others, previous, are showing you why. Can't always explain profusely. Newbies, try and see my explanation elsewhere, or, best, read the Grsec docs and forums and wikis.

If Grsec does not get into the mainstream Debian sooner or later, something is wrong with the Debian "elite". Because presenting/imposing SELinux as "security" to people, is lying.

And surely, get rid of Systemd, there's my tip on removing it and related stuff on this Tips section.

Cheers!
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#57 Post by timbgo »

Sadly, due to censorship by my provider on me and very subtle possible attacks allowed or in collusion...

Yes, sadly, due to censorship by my provider on me, about which you can read some documented events and, in effect, the provider's own admission of censorship on me, easily seen through bogus accusations and/or excuses leveled against me on:

Postfix smtp-tls-wrapper, Bkp/Cloning Mthd, A Zerk Provider
https://forums.gentoo.org/viewtopic-t-999436.html

The main points, for quick guided info:

https://forums.gentoo.org/viewtopic-t-9 ... ml#7613052
where find:

Code: Select all

Sep  4 23:18:46 localhost postfix/smtp[14602]: 29D7B28E1FF: to=<support@plus.hr>, relay=127.0.0.1[127.0.0.1]:11125, delay=15731, delays=15731/0.01/0.18/0.52, dsn=5.0.0, status=bounced (host 127.0.0.1[127.0.0.1] said: 550-"JunkMail rejected - 147-226.dsl.iskon.hr (n4m3.localdomain) 550-[89.164.147.226]:41972 is in an RBL, see 550 http://www.spamhaus.org/query/bl?ip=89.164.147.226" (in reply to RCPT TO command)) 
https://forums.gentoo.org/viewtopic-t-9 ... ml#7682770
where read:
the provider wrote:For your protection, on your user account a ban has been placed for sending e-mails from any other servers but mail.t-com.hr.
and:
me wrote:I don't have any problems that you ban any other mail server but your own, mail.t-com.hr, and pls. take good notice, and:

lin16.mojsite.com

that is, in IPv4: 178.218.164.164

which I pay for ... and the email address ... which I [also] pay for ...:

miro.rovis@croatiafidelis.hr
[and for which that is the server for sending/receiving]

So, [due to] that [censorship] by my provider on me and due to [very subtle possible attacks allowed or] done [in colusion], of which you can read documented case here:

< same topic as above >
https://forums.gentoo.org/viewtopic-t-9 ... ml#7685200

where, to me, what happened, although it looks like a smooth, apparently legal opening of two connections, but it is in no way so (feel free to download and work through the entire triplet of the capture/screencast/conntrack in all aspects and find out for yourself)...

[where, to me, what happened] is a clear case of clickjacking, and it could have been, on their part, a collusion with those intruding subjects, to have a "spam" sent from my computor. This (notice the verb modes in this paragraph: I'm not claiming it; I am only suspecting it) could have been what they needed to get me banned from even using the Internet at all, as they did in the past for a few periods of time in similar occasions (only I knew much less back then to be able to disprove their claims, which I can now, to some extent, at this level to which I grew in the meantime).

So the issue is not at all insignificant, as I already was close to jail for my political beliefs in 2009, basically anti-Titoist-slaughters-progenie-neocommunism in power in Croatia (and I am really saying this here only to explain to readers why I can not update the packages and improve this tip further). (I'm not against honest leftists, I actually publically support some.)

Sadly, I need to learn so much more, and I have to study, to be able to, basically, protect myself from my current provider claiming to ban me from using my email address ... that I pay for, for reasons of my own "protection" by them, and possibly subtly threatening me having spam really sent from my computors, via other subjects... as the screencast/capture/conntrack likely sufficiently demonstrate.

Just imagine what those subject could do, if I don't get the iptables very right, and learn to packet capture much much cleverer and with the right filtering, and also finally deploy Gradm fully, as well as probably do other checks on my system before I go and download the Jigdo DVDs! Just imagine!

So I'm in a race, and I have to work and overwork, because both my Debian boxes and my Gentoo boxes are already one month and ten days without updating, and I can not update them before all of the work mentioned in the previous paragraph is done here.

Thank you for your kind attention, and pls. be patient. Grsecurity is the program that I put my hope into like in no other, I really love it, and I hope to be back in a while to give even more and even better work into this topic.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

pcalvert
Posts: 1924
Joined: 2006-04-21 11:19
Location: Sol Sector

Re: Grsecurity/Pax installation on Debian GNU/Linux

#58 Post by pcalvert »

People interested in Grsecurity may be interested in this as well:
https://wiki.debian.org/SameKernel

Phil
“It is better to believe than to disbelieve; in doing so, it brings
everything into the realm of possibility.” — Albert Einstein

jlambrecht
Posts: 374
Joined: 2008-02-01 16:21

Re: Grsecurity/Pax installation on Debian GNU/Linux

#59 Post by jlambrecht »

Thank you so much Phil, great tip.
Embrace what you're not certain off,
keep an eye on what you're confident about.

User avatar
stevepusser
Posts: 12408
Joined: 2009-10-06 05:53
Has thanked: 7 times
Been thanked: 5 times

Re: Grsecurity/Pax installation on Debian GNU/Linux

#60 Post by stevepusser »

jlambrecht wrote:Thank you so much Phil, great tip.
Maybe...can anyone access that kernel?
MX Linux packager and developer

jlambrecht
Posts: 374
Joined: 2008-02-01 16:21

Re: Grsecurity/Pax installation on Debian GNU/Linux

#61 Post by jlambrecht »

Ehr, wadayamean ? :D
Embrace what you're not certain off,
keep an eye on what you're confident about.

pcalvert
Posts: 1924
Joined: 2006-04-21 11:19
Location: Sol Sector

Re: Grsecurity/Pax installation on Debian GNU/Linux

#62 Post by pcalvert »

stevepusser wrote: Maybe...can anyone access that kernel?
I notified the website owner that the site is down.

His reply:

Thanks, we are working on a new server.
It should work soon.

In the meantime one alternative is to check mirror in Freenet network.

Thanks for your interest.
Phil
“It is better to believe than to disbelieve; in doing so, it brings
everything into the realm of possibility.” — Albert Einstein

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#63 Post by timbgo »

Hi!

I wish I could keep (and that I could have kept) this topic up, but what I deem the systemd-suicide by Debian Developers turned me away from Debian.

A lot, a huge lot is losing so much because of this what I deem Debian abandoning of its own true self.

I wish for the Devuan, the Debian non-systemd fork to really take off, and I hope that could still happen. We'll see.

I looked up the suggestion by a member a few post previous to here:

http://main.mepis-deb.org/

but that's a false suggestion, IIUC, no mention of grsecurity, so, again: IIUC, or to be sure: correct me if I'm wrong in understanding that they don't offer grsecurity-hardened kernel. And if they don't, it's a false suggestion. Period.

The other suggestion:

https://wiki.debian.org/Mempo

may be worth it, but not for all users. Exampli gratia, I liked to be close to the bleeding edge and install the weekly DVDs, and then compile the grsecurity-hardened kernel for it. Doesn't seem possible with Mempo.

But Mempo is not to be counted out. I really wish those guys succeeded! Their ideas are so pure, so right, and so needed today!

And if you search page 3 of this topic you are reading, this post:

http://forums.debian.net/viewtopic.php? ... 30#p555093

for an alternative, previously made attempt similar to mine in this topic, you might go on from:

grsecurity source install script for Debian
https://github.com/rickard2/grsecurity-Debian-Installer

Sadly, not maintained.

I don't know what future holds.

I terribly liked what I could achieve with having my grsecurity-hardened kernel on the weekly (was it Sid up until a few months ago?, yes I think so), and then, the beauty was that thanks to Thorsten mirabilos Glaser...

The beauty was that then, thanks mirabilos from MirBSD, it was possible to rid myself of the program architecture that is there in most FOSS Linux and their relatives in FOSS, with the true purpose under the hood of its shine, to make for proprietory programs to work on top of [F]ree [O]pen [S]ource [S]oftware.

And proprietory, for which that architecture is there, and sadly lives undisturbed in most Linuces and their relatives of this day...

And yes I mean dbus based architecture.

And proprietory, in this day and age, means: in the service of the one-ring-to-rule-them-all cravers, dear brothers in *nix.

Look up my tip:
How to Remove Systemd and Related Packages from Your Debian
http://forums.debian.net/viewtopic.php?f=16&t=118197

And the beauty was that, thanks to that programmer from the BSD community, I was able to rid my Debian of dbus, pulseaudio and all those poetterware programs, along with harden it with my dearest program in all of FOSS, the grsecurity.

Sadly, while what I explained I needed to do in my previous post to this post, and it is this one:

( in this same topic you are reading )
http://forums.debian.net/viewtopic.php? ... 45#p566911

I did manage to do, it cost me huge time which then I did not have available for so many other things.

I have deployed grsecurity completely in my Gentoo, I know now how to filter traffic in such way that pretty much nothing is unobserved if I get under attack (well, there surely are subjects stronger than me, but I'm not, say, such a subject like Iran was years ago, to deserve those subjects' attention, or like the hackers deserve it who hack into their premises)... Along with having managed deploying iptables properly, and other things...

And I can tell you that Gradm really really does it! Gradm, the grsecurity administration, which, as I said in a few places, needs to be deployed on top of the grsecurity-hardened kernel to account for the few holes that otherwise still remain, as they can not be fixed via solely the kernel patching, which grsecurity does.

My desire to transmit the little but good and very recommendable knowledge that I have gained by now, has not left me, such as to make the next tip some day, the harder one to do, on how to deploy Gradm in Debian. The harder one (then this tip you are reading) to do for newbies, and the harder one (then this tip) to write for me (or if someone else takes over).

It really depends. If Devuan takes off and learns to fly, and if they, this is important, and I'll point them over to these words of mine...

And if they offer a no-dbus Devuan, which I am not certain it is among their objectives; but if they do, then you may even not see much of me, because then I may get my little free time that I have, I can then start using that time for Devuan only...

But if they don't offer a non-dbus Devuan, then I can't go for Devuan.

I told them this already...

I attempted to say my views generally, and very clumsily, I admit:

https://lists.dyne.org/lurker/message/2 ... 11.en.html

but on dbus, I think I said it right, even though in the wider context:

https://lists.dyne.org/lurker/message/2 ... 95.en.html

where find:
"
I count dbus in poetterware-related. You don't have to. I do. Pls. allow for that option!

My take on it you can have also here:

Updating and keeping your Gentoo non-poeterized
https://forums.gentoo.org/viewtopic-t-1012022.html
"
and:

https://lists.dyne.org/lurker/message/2 ... 14.en.html
"And an opt-out from dbus, official possiblity to have a non-dbus Devuan."

But I'm really not a developer to be able to follow them in the development of Debian, so I withdrew from the discussion.

And if they don't offer a no-dbus Devuan, then I may try and see if modalities still exist here in Debian, to go on where I left, disgusted that not even a simple file of a few kilobytes was allowed in the DVD 1 back when they were all (are they still?) about imposing the freaking systemd on every Debian user, as you can read in this tip of mine:

Air-Gapped Debian Install for Newbies
http://forums.debian.net/viewtopic.php? ... 8&#p564470

where find this paragraph:
"
As you can see the systemd vandals have removed the sysvinit time honored and reliable (although a better one should be invented/deployed) init from the disk 1. Namely it is there in the disk-2. For the 129K sysvinit-core_2.88dsf-58_amd64.deb there was no room to be found in the disk-1... It's shame.
"
I don't know which way I will go next, esp. since I'm much more familiar with Gentoo (which is the best for security, and for defence from surveillance, as it is the home of grsecurity-hardening deployed).

And also the way that I showed I believe in, in my tips in these Debian Forums, and which is above all without dbus/poetterware and with grsecurity/PaX, and which I believe is the way to go in today's surveilled society, for anyone who wants to be free and not controlled by unknown to him/her. on that way De[bv][iu]an does not seem to be persevering on, not steadilyy, no, not so well as Gentoo...

And especially I don't know when I might go the way that I happen to go next in Debian or its fork Devuan.

Thank you all for your kind attention.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

User avatar
mardybear
Posts: 994
Joined: 2014-01-19 03:30

Re: Grsecurity/Pax installation on Debian GNU/Linux

#64 Post by mardybear »

timbgo:
And the beauty was that, thanks to that programmer from the BSD community, I was able to rid my Debian of dbus, pulseaudio and all those poetterware programs, along with harden it with my dearest program in all of FOSS, the grsecurity.
Don't forget Avahi...

Didn't re-read the entire thread, but have you looked at Alpine Linux:
Alpine Linux was designed with security in mind. The kernel is patched with grsecurity/PaX out of the box, and all userland binaries are compiled as Position Independent Executables (PIE) with stack smashing protection. These proactive security features prevent exploitation of entire classes of zero-day and other vulnerabilities.
http://www.alpinelinux.org/about/

...don't know about dbus.

Dbus is optional/not required in TinyCore Linux. It does, however, let you build a system to your preference. No grsecurity though.
800mhz, 512mb ram, dCore-jessie (Tiny Core with Debian Jessie packages) with BusyBox and Fluxbox.
Most don't have computer access, reuse or pay forward an old computer.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#65 Post by timbgo »

Hi mardybear!

(for some reason, I can't find the `Quote' link with my dillo, and am in other work)

I'll look into Alpine. Anything grsec/PaX is interesting to me.

Avahi, isn't that something RedHat?

Really no time. Pls. allow delays.

And really thanks! Didn't know about Alpine.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

Post Reply