Grsecurity/Pax installation on Debian GNU/Linux

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#41 Post by timbgo »

The newest develop branch:
wget https://github.com/miroR/grsec-deb-comp ... 80-rc3.zip
( that is v0.80-rc3.zip , 3 )
Pls. someone report if it misbehaves.

And, if it does, simply use:
wget https://github.com/miroR/grsec-deb-comp ... 80-rc0.zip
which I tried today and works fine.

Surely you can find all that from the github interface just fine as well.

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#42 Post by timbgo »

I have compiled new Grsec-patched kernel packages. They seem to be fine, and I am currently posting them. I have them running on two boxes fine.

Just the two of them have somehow, I have no idea neither how nor why, turned strange. Have a look:

Code: Select all

-rw-r--r-- 1 mr mr    965920 Sep  9 01:30 linux-firmware-image-3.16.2-grsec140908-21_3.16.2-grsec140908-21-1_amd64.deb
-rw-r--r-- 1 mr mr   7146548 Sep  9 01:31 linux-headers-3.16.2-grsec140908-21_3.16.2-grsec140908-21-1_amd64.deb
-rw-r--r-- 1 mr mr 338487210 Sep  9 02:22 linux-image-3.16.2-grsec140908-21_3.16.2-grsec140908-21-1_amd64.deb
-rw-r--r-- 1 mr mr  25885536 Sep  9 02:25 linux-image-3.16.2-grsec140908-21-dbg_3.16.2-grsec140908-21-1_amd64.deb
-rw-r--r-- 1 mr mr    766110 Sep  9 01:31 linux-libc-dev_3.16.2-grsec140908-21-1_amd64.deb
The:
linux-image-3.16.2-grsec140908-21_3.16.2-grsec140908-21-1_amd64.deb
and:
linux-image-3.16.2-grsec140908-21-dbg_3.16.2-grsec140908-21-1_amd64.deb

have "swapped sizes" somehow. They do install fine, and run just fine on my master, and on one of the two clones that I have (three same MBO systems altogether).

So this time around, I decided to post all the five packages.

It will be great if anyone should try and report whether just the four lightest of the five can be installed (so one of the four should be the incorrectly named as debugger --with -dbg in the name--, and it was incorrectly named by the fakeroot command line (not the fault of my script that I use, and recommend, see previous post), so without the debugger, which is not correctly named, but you can easily recognize it by being the most sizeable of the five.

Use the dLo-wget script to download, check the sums, PGP verify the packages, and enjoy at least significantly more security/privacy/freedom than you would otherwise! (Although there's much more to do for real freedom)

Use the old explanation here on the forums.debian net:

(same tips page as you are reading this text on)
http://forums.debian.net/viewtopic.php? ... 30#p547521

( 323M the biggest one others are smallish packages )

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#43 Post by timbgo »

For now, see the opening remark that I edited today (2014-09-30) in the opening post of this topic:

http://forums.debian.net/viewtopic.php? ... 16#p516892

and what you can read in links from there.

And see the relatively new likely after-free bug manifestation in my Gentoo FOSS Linux:

grsec: halting the system due to suspicious kernel crash
https://forums.grsecurity.net/viewtopic ... =15#p14456

Miro

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#44 Post by timbgo »

( I've moved the "political" content in the bottom half of this post. More purely technical part of the tip goes first. )

This is the old content that previously was on:
< this same topic >
http://forums.debian.net/viewtopic.php? ... 45#p555486
---
So these are one month (or so) old instructions, for old packages (still available
for a short while more). These instructions are for newbies. If you are
advanced, use the script and compile the packages yourself! And if you are
expert and honest, help us improve and spread this Grsec program that enables real privacy for the masses, and let's bring Grsec into mainstream Debian for everybody...

To install these old packages, do this. First download:

http://www.croatiafidelis.hr/gnu/deb/li ... Lo-wget.sh

Move it into an empty directory. And then:

Code: Select all

$ chmod 755 dLo-wget.sh
to make it executable.

And run it:

Code: Select all

$ ./dLo-wget.sh
It will download all the packages.

You then should have these in that directory:

Code: Select all

$ ls -ABRgo
.:
total 368960
-rwxr-xr-x 1       812 Oct 31 07:15 dLo-wget.sh
-rw-r--r-- 1    966580 Oct 31 02:15 linux-firmware-image-3.17.1-grsec141030-22_3.17.1-grsec141030-22-1_amd64.deb
-rw-r--r-- 1   7246134 Oct 31 02:15 linux-headers-3.17.1-grsec141030-22_3.17.1-grsec141030-22-1_amd64.deb
-rw-r--r-- 1 342443826 Oct 31 03:08 linux-image-3.17.1-grsec141030-22_3.17.1-grsec141030-22-1_amd64.deb
-rw-r--r-- 1  26368512 Oct 31 03:10 linux-image-3.17.1-grsec141030-22-dbg_3.17.1-grsec141030-22-1_amd64.deb
-rw-r--r-- 1    769976 Oct 31 02:15 linux-libc-dev_3.17.1-grsec141030-22-1_amd64.deb
-rw-r--r-- 1       666 Oct 31 06:45 SUMS
-rw-r--r-- 1       819 Oct 31 06:49 SUMS.sig
$
(that's, translated into bigger units, the largest of the files is: 327M)

Now:

Code: Select all

gpg --verify SUMS.sig
must return to you my correct signature:

Code: Select all

...snip...
Primary key fingerprint: FCF1 3245 ED24 7DCE 4438  55B7 EA98 8488 4FBA F0AE
(or anyway signed with that key; see tutorials elsewhere if you are lost here).

And now:

Code: Select all

sha256sum -c SUMS
should return to you:

Code: Select all

linux-firmware-image-3.17.1-grsec141030-22_3.17.1-grsec141030-22-1_amd64.deb: OK
linux-headers-3.17.1-grsec141030-22_3.17.1-grsec141030-22-1_amd64.deb: OK
linux-image-3.17.1-grsec141030-22_3.17.1-grsec141030-22-1_amd64.deb: OK
linux-image-3.17.1-grsec141030-22-dbg_3.17.1-grsec141030-22-1_amd64.deb: OK
linux-libc-dev_3.17.1-grsec141030-22-1_amd64.deb: OK
If all the above went correctly for you, in another terminal, but as root, cd into that directory, and do:

Code: Select all

dpkg -i *.deb
That should install these superior security packages for you. Much more is needed for real privacy for you with your machine on the internet, but at least now you are on the right path...

Maybe the next best thing is try and see how much you can understand from the book:

Grsecurity
https://en.wikibooks.org/wiki/Grsecurity

Refer Debian related issues with these here, and more strictly Grsecurity-related issues on:

Tips on Grsecurity installation for Debian newbies
https://forums.grsecurity.net/viewtopic.php?f=3&t=3835
---
The other half of this post now which is more on the "political" side.

Thanks everybody for the interest.

And, in effect, thanks to the existence of the, no this is not politics, read carefully...

And, in effect, thanks to the existence of the Western democracy that you can still read from me, because

--and this is why this is *not* politics, dear Debian moderators and admins---

because if the Bolsheviks had had their ways in these lands where my homeland is, my posts would not have lasted more than half an hour, and you *would* *not* *be* *reading* *any* from me.

I am in particular talking about the issue which (as well as my freedom to talk to you) has to do with my very latest of social contributions, political contribution (in the sense that the spyware SELinux has politically moved aside the honest and perfect grsecurity):

Why is Gentoo not switching to systemd?
https://forums.gentoo.org/viewtopic-t-9 ... ml#7624042
https://forums.gentoo.org/viewtopic-t-9 ... ml#7624044

So, while the reaction to FOSS has its ways to undermine the privacy-viability nature of FOSS, by digging in from underneath, with the unfortunate help of dishonest developers, as I have also demonstrated (using Julian Assange's and Poul-Henning Kamp's expertise:

How to avoid stealth installation of systemd?
http://forums.debian.net/viewtopic.php? ... 90#p553266
)

we need to, politely but truthfully keep up our fight for privacy, brothers in *nix.

And we need to spread the good word as well, because, I am somewhat privy, socially (I'm not a dev), to a lot that has been happening around grsecurity, but I only yesterday found out about this good install script (just don't use it, it needs to be updated first):

grsecurity source install script for Debian
https://github.com/rickard2/grsecurity-Debian-Installer

See my notice to rickard2 here:
https://github.com/rickard2/grsecurity- ... r/issues/6

See also here (esp. users of Arch FOSS Linux [1]) :
Downsides to a grsec install script?
https://forums.grsecurity.net/viewtopic.php?f=3&t=4051

More would need to be recounted, but for now that'll do.

[1] Linux can not stand alone as the name of that OS, GNU is dead for me as the name of it since Richard Matthew Stallman supports SELinux insanely, see the Emacs page on gnu.org
Last edited by timbgo on 2014-12-14 05:01, edited 9 times in total.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#45 Post by timbgo »

I am updating my systems (Gentoo and Debian ones, masters first, then cloning --I am to revise my poor user's security methods, but if the Fate allows, and when it so be).

And along with updating them (my method is an air-gapped one, so that means some longer work, to first update the local mirrors and then more on top of usual updating stuff)...

And along with updating I'm checking my scripts so I can check them for any issues.

Take a look at the:

Scripts to automate jigdo download
http://forums.debian.net/viewtopic.php?f=16&t=110503

which I used first (take a look even if you will not be using the testing Jigdo DVD, to know what I use and adapt your scripts more easily to your own needs; YMMV), and also, surely I used:

https://github.com/miroR/grsec-deb-comp ... /v0.80-rc3

which is the latest and recommended, not the master (need to update that too, but I'm so sloow, sorry).

You surely can find it there, but here's the link of the script package to use:

https://github.com/miroR/grsec-deb-comp ... 80-rc3.zip

And the command I used is:

./grsec-deb-compile.sh grsecurity-3.0-3.16.3-201409282025 linux-3.16.3 config-3.16.2-grsec140908-19

and it does all up to 'make menuconfig' correctly, and probably all the rest, just I checked it (just like I checked it last month) only this far, before I go offline.

And I go offline to do the huge remaining work of updating my systems. This time it is huge because there's the Frankenstein systemd changes (and poetteringware generally, which we are all now a lot more aware of) to think about and try to dodge away from...

And, hopefully, I'll be posting the new packages for the newbies.

This will very probably be a fine stable grsecurity-hardened amd64 deb packages set, even though it's nominally testing and not stable.

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#46 Post by timbgo »

New packages will always be, by my modifying of this here post, hitherto referred to.
===
For previous (last month's or so) content of this local address of this topic, pls see:
< this same topic >
http://forums.debian.net/viewtopic.php? ... 93#p555093

[[ Of course, if you are advanced, you are better off using the script; because it compiles tailor-made for your machine. See < in this same topic >. This post right here is for newbies.

And of course, if you are expert and honest, help us in this work, and in spreading of this Grsec program that enables real privacy for the masses, especially help us bring Grsec into mainstream Debian for everybody... ]]

As you can see, I'm reusing the old instructions, but replacing them with the new, so that it is always the same address with the newest instructions.
So, for new users:

Download first just:

http://www.croatiafidelis.hr/gnu/deb/li ... Lo-wget.sh

Move it into an empty directory. And then:

Code: Select all

$ chmod 755 dLo-wget.sh
to make it executable.

And run it:

Code: Select all

$ ./dLo-wget.sh
It will download all the packages.

You then should have these in that directory:

Code: Select all

$ ls -ABRgoh
.:
total 361M
-rwxr-xr-x 1  812 2014-12-12 21:44 dLo-wget.sh
-rw-r--r-- 1 946K 2014-12-12 19:03 linux-firmware-image-3.17.6-grsec141212-15_3.17.6-grsec141212-15-1_amd64.deb
-rw-r--r-- 1 7.0M 2014-12-12 19:04 linux-headers-3.17.6-grsec141212-15_3.17.6-grsec141212-15-1_amd64.deb
-rw-r--r-- 1  31M 2014-12-12 19:07 linux-image-3.17.6-grsec141212-15_3.17.6-grsec141212-15-1_amd64.deb
-rw-r--r-- 1 322M 2014-12-12 19:59 linux-image-3.17.6-grsec141212-15-dbg_3.17.6-grsec141212-15-1_amd64.deb
-rw-r--r-- 1 752K 2014-12-12 19:04 linux-libc-dev_3.17.6-grsec141212-15-1_amd64.deb
-rw-r--r-- 1  863 2014-12-12 21:15 SUMS
-rw-r--r-- 1  819 2014-12-12 21:43 SUMS.sig
$
Now:

Code: Select all

gpg --verify SUMS.sig
must return to you my correct signature:

Code: Select all

...snip...
Primary key fingerprint: FCF1 3245 ED24 7DCE 4438  55B7 EA98 8488 4FBA F0AE
(or anyway signed with that key; see tutorials elsewhere if you are lost here).

And now:

Code: Select all

sha256sum -c SUMS
should return to you:

Code: Select all

linux-firmware-image-3.17.6-grsec141212-15_3.17.6-grsec141212-15-1_amd64.deb: OK
linux-headers-3.17.6-grsec141212-15_3.17.6-grsec141212-15-1_amd64.deb: OK
linux-image-3.17.6-grsec141212-15_3.17.6-grsec141212-15-1_amd64.deb: OK
linux-image-3.17.6-grsec141212-15-dbg_3.17.6-grsec141212-15-1_amd64.deb: OK
linux-libc-dev_3.17.6-grsec141212-15-1_amd64.deb: OK
If all the above went correctly for you, in another terminal, but as root, cd into that directory, and do:

Code: Select all

dpkg -i *.deb
That should install these superior security packages for you. Much more is needed for real privacy for you with your machine on the internet, but at least now you are on the right path...

Maybe the next best thing is try and see how much you can understand from the book:

Grsecurity
https://en.wikibooks.org/wiki/Grsecurity

Refer Debian related issues with these here, and more strictly Grsecurity-related issues on:

Tips on Grsecurity installation for Debian newbies
https://forums.grsecurity.net/viewtopic.php?f=3&t=3835
Last edited by timbgo on 2014-12-14 06:11, edited 9 times in total.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?
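
An added example, not part of the original posts or of dLo-wget.sh: the verification steps from posts #44 and #46 as one fail-closed shell script. It pins the fingerprint quoted in the posts by parsing gpg's `--status-fd` output (a bare `gpg --verify` succeeds for a good signature from any key in the keyring), and it refuses when a `.deb` in the directory is not listed in SUMS, because `dpkg -i *.deb` would install that file unchecked. The function names are illustrative.

```shell
#!/bin/sh
# Added example: fail-closed check of a downloaded package set before dpkg -i.
# The fingerprint is the one quoted in the posts; function names are illustrative.
PINNED_FPR="FCF13245ED247DCE443855B7EA9884884FBAF0AE"

# pinned_fpr_ok STATUS_TEXT
# Succeeds only if gpg's machine-readable status contains a VALIDSIG line whose
# last field (the primary key fingerprint) equals PINNED_FPR.
pinned_fpr_ok() {
    printf '%s\n' "$1" | awk -v want="$PINNED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { ok = 1 }
        END { exit !ok }'
}

# listed_names SUMS_FILE
# Prints the file names recorded in a sha256sum-format checksum file.
listed_names() {
    sed -E -n 's/^[0-9a-fA-F]{64} [ *](.*)$/\1/p' "$1"
}

# unlisted_debs DIR
# Prints every *.deb present in DIR that DIR/SUMS does not mention.
unlisted_debs() {
    ( cd "$1" || exit 2
      for f in *.deb; do
          [ -e "$f" ] || continue          # glob matched nothing
          listed_names SUMS | grep -Fqx -- "$f" || printf '%s\n' "$f"
      done )
}

# sums_cover_debs DIR
# Succeeds only if every file in SUMS hashes correctly AND no extra .deb
# sits in the directory outside the signed list.
sums_cover_debs() {
    ( cd "$1" && sha256sum -c SUMS >/dev/null 2>&1 ) || {
        echo "checksum mismatch or missing file" >&2
        return 1
    }
    extra=$(unlisted_debs "$1")
    [ -z "$extra" ] || {
        echo "not covered by SUMS: $extra" >&2
        return 1
    }
}

# verify_set DIR
# Signature first (so SUMS itself is trusted), then hashes, then coverage.
verify_set() {
    status=$(cd "$1" && gpg --status-fd 1 --verify SUMS.sig SUMS 2>/dev/null) || {
        echo "gpg could not verify SUMS.sig" >&2
        return 1
    }
    pinned_fpr_ok "$status" || {
        echo "SUMS is signed, but not by the pinned key" >&2
        return 1
    }
    sums_cover_debs "$1" || return 1
    echo "verified; packages covered by the signed SUMS:"
    listed_names "$1/SUMS" | grep '\.deb$'
}

# Run as: ./verify-set.sh /path/to/download/dir
[ "$#" -eq 0 ] || verify_set "$1"
```

Only when the script exits 0 should the `dpkg -i` step from the posts be run, and then with the file names it printed rather than a glob.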

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#47 Post by timbgo »

I believe it is becoming necessary for proper implementation of Grsecurity/Pax, to go this fresh brand new way:

How to Remove Systemd and Related Packages from Your Debian
http://forums.debian.net/viewtopic.php?f=16&t=118197

I wrote previously in this topic and elsewhere on systemd intrusion onto Debian... Hopefully, things look bright again. Pls read there and in pages linked from there.

Sure I have to repeat that without Gradm RBAC policy set and enabled, the implementation of Grsecurity/Pax patched kernel does not offer complete protection.

That RBAC policy creation and gradm enabling is now getting closer to be much much much more easy to realize, with the advent of mirabilos wtf repo!

Nothing likely to happen within just mere days, I work much more slowly than that.

jlambrecht
Posts: 374
Joined: 2008-02-01 16:21

Re: Grsecurity/Pax installation on Debian GNU/Linux

#48 Post by jlambrecht »

Great post, got there all by myself, BUT FOR ONE THING.

After i've installed all packages, it is impossible to boot. For some reason the UUID device-id is not valid and it fails to boot, dropping to initramfs. As far as i can tell i've done the right thing but the result proves differently.

What am i doing wrong ? I've been here before, fixed it, but have no notes or memories left.
Embrace what you're not certain of,
keep an eye on what you're confident about.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#49 Post by timbgo »

Announcement. New packages, on same old address, from now:
http://forums.debian.net/viewtopic.php? ... 45#p555486
I'll only be announcing in new posts, but keeping the modified instructions on old addresses, from now on. That way, if you are subscribed to the topic, you get the news, and instructions are really repeated entirely any more.
Miro

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#50 Post by timbgo »

jlambrecht wrote:Great post, got there all by myself, BUT FOR ONE THING.

After i've installed all packages, it is impossible to boot. For some reason the UUID device-id is not valid and it fails to boot, dropping to initramfs. As far as i can tell i've done the right thing but the result proves differently.

What am i doing wrong ? I've been here before, fixed it, but have no notes or memories left.
Hi, jlambrecht!
I just noticed your post. Hmmh. There's no way anyone could tell you what you may have done wrong (or whether something was wrong elsewhere in the "ingredients"), without much more information than you have provided...
Try the new packages first, and if you still have problems, more detailed descriptions, maybe some logs, or other, would be necessary...

jlambrecht
Posts: 374
Joined: 2008-02-01 16:21

Re: Grsecurity/Pax installation on Debian GNU/Linux

#51 Post by jlambrecht »

Basically, i'm not sure if i did anything wrong really. Just to make sure i've read a few articles on patching and compiling the kernel with grsec on Debian and Ubuntu. It seems i've not made any mistake. The only difference is this machine is a guest in a VPS host, i'm not sure how this could matter but it sticks to my attention.

This is a copy of an error which is exactly like mine, i've tried multiple ways to fix this to no avail, once more i start feeling retardish.
Gave up wating for root device. Common problems:
-Boot args (cat /proc/cmdline)
-Check rootdelay= (did the system wait long enough?)
-Check root= (did the system wait for right device?)
-Missing modules (cat /proc/modules; ls /dev)
ALERT! /dev/disk/by-uuid/X-X-X-X does not exist.
Dropping to a shell!

BusyBox v1.21.1 (Ubuntu 1:1.21.0-1ubuntu1) built-in shel (ash)
Enter `help` for a list of built-in commands.
(initramfs)_
For completeness it must be added there are two notifications below 'Dropping to a shell!'

modprobe: module ohci-hcd not found in modules.dep
modprobe: module usbhid not found in modules.dep

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#52 Post by timbgo »

jlambrecht wrote:Basically, i'm not sure if i did anything wrong really. Just to make sure i've read a few articles on patching and compiling the kernel with grsec on Debian and Ubuntu. It seems i've not made any mistake. The only difference is this machine is a guest in a VPS host, i'm not sure how this could matter but it sticks to my attention.
Neither could I tell much at all. Not familiar with what being VPS guest entails in particular wrt "regular" systems.
jlambrecht wrote:
This is a copy of an error which is exactly like mine, i've tried multiple ways to fix this to no avail, once more i start feeling retardish.
Gave up wating for root device. Common problems:
-Boot args (cat /proc/cmdline)
-Check rootdelay= (did the system wait long enough?)
-Check root= (did the system wait for right device?)
-Missing modules (cat /proc/modules; ls /dev)
ALERT! /dev/disk/by-uuid/X-X-X-X does not exist.
Dropping to a shell!

BusyBox v1.21.1 (Ubuntu 1:1.21.0-1ubuntu1) built-in shel (ash)
Enter `help` for a list of built-in commands.
(initramfs)_
I had had an issue where I solved the no-boot with modifying things. Not saying that it will or will not apply to your case, but try and see here:

No-boot kernel, working lvm in initramfs, volumes not found
http://forums.debian.net/viewtopic.php?f=5&t=105549

(but in short, try and stick

Code: Select all

GRUB_CMDLINE_LINUX="rootdelay=30"
into /etc/default/grub and reinstall the kernel (I guess, maybe should delve deeper there just in case; a little short with time...). If it works replace 30 with smaller value if it bothers you waiting on every boot... Don't know...
jlambrecht wrote:For completeness it must be added there are two notifications below 'Dropping to a shell!'

modprobe: module ohci-hcd not found in modules.dep
modprobe: module usbhid not found in modules.dep
That would probably resolve if the root device was found.

Maybe, and anyway, for other users who might have issues, I suggest, instead of the usual as root:

Code: Select all

dpkg -i *.deb
(see the instructions for the context), do:

Code: Select all

dpkg -i *.deb 2>&1 | tee dpkg-grsec_`date +%s`.log
for part of which my explanation is here (in bottom of that post):
http://forums.debian.net/viewtopic.php? ... 64#p552775
and this part, just try it out in a terminal:

Code: Select all

date +%s
(only gives the time in seconds since 1970-01-01 00:00), to not overwrite the previous file with otherwise same name; I sometimes use same command lines over, so this is my way; that `date +%s` part is not important; the log is)

jlambrecht
Posts: 374
Joined: 2008-02-01 16:21

Re: Grsecurity/Pax installation on Debian GNU/Linux

#53 Post by jlambrecht »

I think i know what is missing here. Since the system is a VPS it requires the virtio modules to be available, especially the virtio-blk module. I've just recompiled, updated etc and it is not indeed loading the virtio modules, though not the virtio-blk module since it is not there yet. Once i find what to select to build this module it will most likely boot as expected.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#54 Post by timbgo »

jlambrecht wrote:I think i know what is missing here. Since the system is a VPS it requires the virtio modules to be available, especially the virtio-blk module. I've just recompiled, updated etc and it is not indeed loading the virtio modules, though not the virtio-blk module since it is not there yet. Once i find what to select to build this module it will most likely boot as expected.
Happy you've probably solved it!

Your final report will be most welcome (if you find the time to confirm whether it did work)!

Anyway, reports are welcome. Just, I'm not always around, because I work slowly and may be busy elsewhere, so patience may be needed for my replies, often.

(Remember that I may be advanced in comparison to new users, but I'm not an expert by any means, and I've really done and doing this entire topic out of gratitude to Spender and PaX Team who provide us with Grsecurity/Pax, the paramount model of honest programming which is becoming kind of rarity nowadays.)

jlambrecht
Posts: 374
Joined: 2008-02-01 16:21

Re: Grsecurity/Pax installation on Debian GNU/Linux

#55 Post by jlambrecht »

Yep, it is solved now. Who would have thought such would be required ( i feel kind of dumb to not have thought of this )

To summarize, my procedure was right but not selecting the virtio modules and in particular the virtio-blk module to be compiled resulted into a failed boot. Since the module was compiled and installed the system boots. Now i have to iron out the unknowns of configuring grsec to my liking.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#56 Post by timbgo »

Pls., generally, alert me if anything is mistaken esp. in those new, and old permanent post. While I'm off and on, and off sometimes for longer, I don't leave without checking for feedback in some, at least some number of hours or a day or two, after posting new stuff. Thank you!

So from now on, there's, for the newbies, (it's easy for the advanced, they only need the script which is on github -- advanced maybe try this, but I don't have time to check myself if it's the right link)...

So from now on, for the newbies, there are the new and the old versions of packages to try, and they will both be on the, kind of, more permanent addresses:

The newest set of packages:
< this same topic >
http://forums.debian.net/viewtopic.php? ... 45#p555486

And the one month (or so) old set:
< this same topic >
http://forums.debian.net/viewtopic.php? ... 30#p555093

I will be adding diverse musings/advice too, in new posts though, occasionally.

Today, after the update/upgrade with apt-get of this week's Jigdo DVDs (there's my tip for my jigdo-automate-script in the Tips section), I found out the Iceweasel is somewhat different to deal with than before, for treatment with paxctl.

Here's what I needed to do with the new Iceweasel (else it wouldn't start).

Code: Select all

# which iceweasel
# file /usr/bin/iceweasel
# ls -l /usr/lib/iceweasel/
# file /usr/lib/iceweasel/iceweasel
# paxctl -v /usr/lib/iceweasel/iceweasel
# paxctl -v /usr/lib/iceweasel/plugin-container
# paxctl -v /usr/lib/iceweasel/webapprt-stub
# paxctl -cm /usr/lib/iceweasel/iceweasel
# paxctl -cm /usr/lib/iceweasel/plugin-container
# paxctl -cm /usr/lib/iceweasel/webapprt-stub
In essence it's just the last three lines, but the others, previous, are showing you why. Can't always explain profusely. Newbies, try and see my explanation elsewhere, or, best, read the Grsec docs and forums and wikis.

If Grsec does not get into the mainstream Debian sooner or later, something is wrong with the Debian "elite". Because presenting/imposing SELinux as "security" to people, is lying.

And surely, get rid of Systemd, there's my tip on removing it and related stuff on this Tips section.

Cheers!

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#57 Post by timbgo »

Sadly, due to censorship by my provider on me and very subtle possible attacks allowed or in collusion...

Yes, sadly, due to censorship by my provider on me, about which you can read some documented events and, in effect, the provider's own admission of censorship on me, easily seen through bogus accusations and/or excuses leveled against me on:

Postfix smtp-tls-wrapper, Bkp/Cloning Mthd, A Zerk Provider
https://forums.gentoo.org/viewtopic-t-999436.html

The main points, for quick guided info:

https://forums.gentoo.org/viewtopic-t-9 ... ml#7613052
where find:

Code: Select all

Sep  4 23:18:46 localhost postfix/smtp[14602]: 29D7B28E1FF: to=<support@plus.hr>, relay=127.0.0.1[127.0.0.1]:11125, delay=15731, delays=15731/0.01/0.18/0.52, dsn=5.0.0, status=bounced (host 127.0.0.1[127.0.0.1] said: 550-"JunkMail rejected - 147-226.dsl.iskon.hr (n4m3.localdomain) 550-[89.164.147.226]:41972 is in an RBL, see 550 http://www.spamhaus.org/query/bl?ip=89.164.147.226" (in reply to RCPT TO command)) 
https://forums.gentoo.org/viewtopic-t-9 ... ml#7682770
where read:
the provider wrote:For your protection, on your user account a ban has been placed for sending e-mails from any other servers but mail.t-com.hr.
and:
me wrote:I don't have any problems that you ban any other mail server but your own, mail.t-com.hr, and pls. take good notice, and:

lin16.mojsite.com

that is, in IPv4: 178.218.164.164

which I pay for ... and the email address ... which I [also] pay for ...:

miro.rovis@croatiafidelis.hr
[and for which that is the server for sending/receiving]

So, [due to] that [censorship] by my provider on me and due to [very subtle possible attacks allowed or] done [in collusion], of which you can read documented case here:

< same topic as above >
https://forums.gentoo.org/viewtopic-t-9 ... ml#7685200

where, to me, what happened, although it looks like a smooth, apparently legal opening of two connections, but it is in no way so (feel free to download and work through the entire triplet of the capture/screencast/conntrack in all aspects and find out for yourself)...

[where, to me, what happened] is a clear case of clickjacking, and it could have been, on their part, a collusion with those intruding subjects, to have a "spam" sent from my computer. This (notice the verb modes in this paragraph: I'm not claiming it; I am only suspecting it) could have been what they needed to get me banned from even using the Internet at all, as they did in the past for a few periods of time in similar occasions (only I knew much less back then to be able to disprove their claims, which I can now, to some extent, at this level to which I grew in the meantime).

So the issue is not at all insignificant, as I already was close to jail for my political beliefs in 2009, basically anti-Titoist-slaughters-progenie-neocommunism in power in Croatia (and I am really saying this here only to explain to readers why I can not update the packages and improve this tip further). (I'm not against honest leftists, I actually publicly support some.)

Sadly, I need to learn so much more, and I have to study, to be able to, basically, protect myself from my current provider claiming to ban me from using my email address ... that I pay for, for reasons of my own "protection" by them, and possibly subtly threatening me having spam really sent from my computers, via other subjects... as the screencast/capture/conntrack likely sufficiently demonstrate.

Just imagine what those subjects could do, if I don't get the iptables very right, and learn to packet capture much much cleverer and with the right filtering, and also finally deploy Gradm fully, as well as probably do other checks on my system before I go and download the Jigdo DVDs! Just imagine!

So I'm in a race, and I have to work and overwork, because both my Debian boxes and my Gentoo boxes are already one month and ten days without updating, and I can not update them before all of the work mentioned in the previous paragraph is done here.

Thank you for your kind attention, and pls. be patient. Grsecurity is the program that I put my hope into like in no other, I really love it, and I hope to be back in a while to give even more and even better work into this topic.

pcalvert
Posts: 1939
Joined: 2006-04-21 11:19
Location: Sol Sector
Has thanked: 1 time
Been thanked: 2 times

Re: Grsecurity/Pax installation on Debian GNU/Linux

#58 Post by pcalvert »

People interested in Grsecurity may be interested in this as well:
https://wiki.debian.org/SameKernel

Phil
Freespoke is a new search engine that respects user privacy and does not engage in censorship.

jlambrecht
Posts: 374
Joined: 2008-02-01 16:21

Re: Grsecurity/Pax installation on Debian GNU/Linux

#59 Post by jlambrecht »

Thank you so much Phil, great tip.

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Grsecurity/Pax installation on Debian GNU/Linux

#60 Post by stevepusser »

jlambrecht wrote:Thank you so much Phil, great tip.
Maybe...can anyone access that kernel?
MX Linux packager and developer
