Grsecurity/Pax installation on Debian GNU/Linux

Head_on_a_Stick
Posts: 13450
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Grsecurity/Pax installation on Debian GNU/Linux

#76 Post by Head_on_a_Stick »

pcalvert wrote:How is it that they have the stable version of Grsecurity
Ah, perhaps I was being a fanboi with that statement...

At the moment, the current stable grsec release is 4.4.16 but my Alpine system has:

empty@alpine ~ % uname -a
Linux alpine 4.4.15-1-grsec #2-Alpine SMP Mon Jul 18 11:27:31 GMT 2016 x86_64 GNU/Linux
IIRC from the last upgrade, the 4.4.16 will be added a few days after grsec moves on to 4.4.17, so it is always one version down (if you see what I mean).
Black Lives Matter

Debian buster-backports ISO image: for new hardware support

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#77 Post by timbgo »

I'd be interested to know if my method, which can be read about, and the script, which is renewed, with grsecurity having been taken (as it appears to me) good care of by minipli and friends (just the LTS kernel being patched, but that is still very valuable)...

I'd be interested to know if my method works fine with Debian and Ubuntu.

See (skip to recent posts there):
Grsecurity/Pax installation on Devuan GNU/Linux
https://dev1galaxy.org/viewtopic.php?id=596

The renewed script is at:
https://github.com/miroR/grsec-dev1-compile

The new patches are now from:
https://github.com/minipli/linux-unoffi ... cial_grsec

I see people from Subgraph are also engaged... and Parazyd a Devuan and Gentoo developer.

In the latest release from:
https://github.com/minipli/linux-unoffi ... /releases/

it seems they had been successful in getting some of the RAP protection back in...
(
https://github.com/minipli/linux-unoffi ... dc6f20cded
)


Of course mine is just a helper script for newbies, I'm not an expert (just a reminder).

But I do believe my script should work for Debian/Ubuntu and others from the family...

Pls. let me know if you find it useful! Regards!
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#78 Post by timbgo »

There are also packages available. But first, they are actually NOT recommended, and the big fat warning says so.

https://croatiafidelis.hr/gnu/deb/linux ... 170923-22/

But you can always compile, as I wrote there as well!

Regards!

Head_on_a_Stick
Posts: 13450
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Grsecurity/Pax installation on Debian GNU/Linux

#79 Post by Head_on_a_Stick »

@timbgo, thank you very much for all of your efforts, they are very much appreciated :)

I haven't had time to try any of this in Debian yet (I'm running Alpine Linux atm and that still has the grsec patches included) but I do intend to.

Do you know if the patches will apply to the Debian kernels?

https://kernel-handbook.alioth.debian.o ... n-official

I am tempted to file a Request for Packaging for a KSPP-patched kernel version, Arch has a linux-hardened package that offers this.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#80 Post by timbgo »

Head_on_a_Stick wrote: @timbgo, thank you very much for all of your efforts, they are very much appreciated :)

I haven't had time to try any of this in Debian yet (I'm running Alpine Linux atm and that still has the grsec patches included) but I do intend to.

Do you know if the patches will apply to the Debian kernels?

https://kernel-handbook.alioth.debian.o ... n-official
Very probably yes. Devuan and Debian, and Ubuntu and others of the Debian family do have the same kernels. Often bit by bit the same.
Head_on_a_Stick wrote:I am tempted to file a Request for Packaging for a KSPP-patched kernel version, Arch has a linux-hardened package that offers this.
No, not KSPP (well, not in my opinion)! They go a whole different way. Not the grsec way. minipli's unofficial-grsecurity (links are where due) does go the grsecurity way!

I'm ill today (ah, just a strong but crippling allergy), can't write longer.

Regards!

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#81 Post by timbgo »

This is also a good reference page (with old clumsy occasional naming, read on):

https://packages.debian.org/source/stretch/linux

In Devuan we use the exact same kernel(s) as is used in Debian. Probably the rest of the kernels from the list too, but I know about mine.

This is my machine (I grep out 4.9.3 and 4.9.5, such as 4.9.39 and 4.9.51 --soon also 4.9.52-- because I have a few minipli grsecurity-hardened kernels, and the topic is Debian/Devuan kernels compatibility):

# ls -l /boot/ | grep -vE '4.9.3|4.9.5'
total 195663
...
-rw-r--r-- 1 root root   190055 2017-01-06 20:17 config-4.4.0-59-generic
-rw-r--r-- 1 root root   186386 2017-06-26 15:27 config-4.9.0-3-amd64
drwxr-xr-x 2 root root     1024 2017-07-24 19:19 efi
drwxr-xr-x 6 root root     1024 2017-09-27 19:56 grub
-rw-r--r-- 1 root root 33548826 2017-09-13 12:33 initrd.img-4.4.0-59-generic
-rw-r--r-- 1 root root 19462711 2017-09-15 11:54 initrd.img-4.9.0-3-amd64
...
-rw------- 1 root root  3888958 2017-01-06 20:17 System.map-4.4.0-59-generic
-rw-r--r-- 1 root root  3180497 2017-06-26 15:27 System.map-4.9.0-3-amd64
-rw-r--r-- 1 root root  6969744 2017-01-30 17:03 vmlinuz-4.4.0-59-generic
-rw-r--r-- 1 root root  4204320 2017-06-26 15:27 vmlinuz-4.9.0-3-amd64
#
The 4.4.0-59-generic is actually some Ubuntu that I dual boot into, at this time.

But 4.9.0-3 is the same kernel in Debian and in Devuan. And I base my 4.9.5x configs on that one, which is actually a generic kernel, except that it is described, currently on that page linked above, as:

linux-image-4.9.0-3-amd64
Linux 4.9 for 64-bit PCs
while the other of the kernels listed:

linux-image-4.9.0-3-686-pae
Linux 4.9 for modern PCs

Just saying about clumsy naming :-). Because the 64-bit PCs on the market are small share AMD64, much greater share Intel (IIUC), and 686:

linux-image-4.9.0-3-686-pae
    Linux 4.9 for modern PCs
, be it even https://en.wikipedia.org/wiki/Physical_ ... _Extension , is it so modern?

(I mean other than Udoo x86, which I'd never recommend to anybody, because I'd very strongly expect Intel owns it, not you, and owns you through it: it's closed source, black box hardware. IIUC.)

But on the question about compatibility, I'd believe, Devuan and Debian kernels being the same, even my packages should work fine on Debian/Ubuntu as well, and if you go the best way, which is compiling your own kernel and hardening it with the fresh unofficial-grsecurity patches, it cannot be in any way incompatible in the, I believe, whole Debian family (but I am not familiar with many other of the Debian family distro-members)!

I also take all the precautions when I compile the packages. For that reason I put fat warnings if I have any marginal doubts of my systems.

I'm compiling, away from this online system, linux-4.9.52 with the new patch:
https://github.com/minipli/linux-unoffi ... cial_grsec

Just as in the script (also been updated, e.g. you could likely also simply just use:
https://github.com/miroR/grsec-dev1-com ... compile.sh
) I run the long, one thread only:

fakeroot make deb-pkg
i.e. not fakeroot make -jN deb-pkg, where N depends on how many cores your processor has, to be more on the safe side (and another possible reason, of which maybe later).

For compiling the next kernel the line is fine like this:

$ grsec-dev1-compile.sh v4.9.52-unofficial_grsec-20170928143206 linux-4.9.52 config-4.9.51-unofficial+grsec170923-22
I have no room for more than one set of packages at a time (anyway, those who compile, know that they also get a debugger package, which I can post), so I think I'll always be removing the old, and posting the new... (very probably).

Regards!

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#82 Post by timbgo »

The latest:
https://www.croatiafidelis.hr/gnu/deb/l ... 170929-07/
Pls. until I sort out the README.html for it, read the previous one at:
https://www.croatiafidelis.hr/gnu/deb/l ... 170923-22/
( but the later packages I have taken really great care to prepare, use the new packages, not those )

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#83 Post by timbgo »

There's a discussion here:
https://github.com/minipli/linux-unoffi ... /issues/11

The patch is minipli's work updated by:

https://github.com/HacKurx

Pls. read the discussion about it at:

https://github.com/minipli/linux-unoffi ... /issues/11

And here are the deb packages:

https://www.CroatiaFidelis.hr/gnu/deb/l ... 171114-19/

Pls. pls., no warranties! But I think my system was only attacked but not compromised... Doing huge work of analysis of the network traces, and not an expert, but it does look like the system wasn't compromised, and my big fat warning on the page:

Strange Bash under grsecurity's exec logging
https://dev1galaxy.org/viewtopic.php?id=1598

was an exaggeration... But still no warranties. Use at your own risk. I too trusted HacKurx's work and I believe I won't regret in the least...

Again, I run Devuan, but the kernels are same in Debian and Devuan. Except for systemd-related stuff, Devuan is mostly still just in most respects: a Debian of a kind.

And the patch that I used, I have to sign with my PGP key, since HacKurx didn't sign them, but gave the SHA256, which I testify you will get too, if the PGP signature you get from me is uncompromised (I'll be posting it next at, wait a minute... it'll be... It is, from right now, at:

https://www.croatiafidelis.hr/gnu/deb/l ... iff.tar.xz
https://www.croatiafidelis.hr/gnu/deb/l ... x.diff.sig

If you compile, you will need to modify the part related to the patch in the grsec-dev1-compile.sh ... I hope HacKurx instead from now keeps to the tradition started by minipli with the unofficial-grsec patches.

( Pls. do tell if I made any mistakes in linking or signing, such as if something doesn't verify, or if you have any issues. )

Regards!
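As an added example (not the thread's own code and not the grsec-dev1-compile.sh script), here is a POSIX shell sketch of the verify-then-patch steps this post and #81 describe: check the downloaded patch against its published SHA256 and detached PGP signature, dry-run it against the kernel tree so a mismatch leaves the tree untouched, and only then apply it ahead of `fakeroot make deb-pkg`. The file names, checksum and signing key in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: verify an unofficial-grsec patch before touching the kernel
# tree. Names in the usage line are placeholders, not the thread's real files.
set -u

# verify_sha256 FILE EXPECTED_HEX -> 0 if the file's SHA256 matches, 1 otherwise.
verify_sha256() {
    file=$1; expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# verify_sig FILE SIGFILE -> 0 only if gpg accepts the detached signature.
# The signer's key must already be imported; an unknown key fails closed.
verify_sig() {
    file=$1; sig=$2
    gpg --batch --verify "$sig" "$file" >/dev/null 2>&1
}

# apply_patch TREE PATCHFILE -> dry-run with -p1 first (patch paths are a/..., b/...),
# so a patch for the wrong kernel version is rejected without modifying TREE.
# -N refuses a patch that is already applied instead of asking interactively.
apply_patch() {
    tree=$1; patchfile=$2
    case $patchfile in /*) ;; *) patchfile=$PWD/$patchfile ;; esac   # absolute path survives the cd
    ( cd "$tree" && patch -p1 -N --dry-run -i "$patchfile" >/dev/null ) || return 1
    ( cd "$tree" && patch -p1 -N -i "$patchfile" >/dev/null )
}

# prepare_tree PATCH SIG SHA256HEX TREE -> chains the checks in the order the
# thread recommends; stops at the first failure with a reason on stderr.
prepare_tree() {
    patchfile=$1; sig=$2; sum=$3; tree=$4
    verify_sha256 "$patchfile" "$sum" || { echo "SHA256 mismatch: $patchfile" >&2; return 1; }
    verify_sig "$patchfile" "$sig"    || { echo "bad or unknown signature: $sig" >&2; return 1; }
    apply_patch "$tree" "$patchfile"  || { echo "patch does not apply cleanly to $tree" >&2; return 1; }
    echo "tree patched; next: copy the Debian config in, run 'make olddefconfig', then 'fakeroot make deb-pkg'"
}

# Usage (placeholders): prepare_tree linux-VERSION-unofficial_grsec.diff \
#     linux-VERSION-unofficial_grsec.diff.sig SHA256_FROM_DOWNLOAD_PAGE linux-VERSION
```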

Head_on_a_Stick
Posts: 13450
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Grsecurity/Pax installation on Debian GNU/Linux

#84 Post by Head_on_a_Stick »


timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#85 Post by timbgo »

Head_on_a_Stick wrote: https://packages.debian.org/sid/linux-image-grsec-amd64

I'll just leave this here...

:D
Which is fine! Except old kernel, more exploits...
Only:

linux-image-4.9.0-4-grsec-amd64
there.

Testing new versions of LTS patched with unofficial-grsecurity is better in my view.
However, if corsac returns and takes up packaging the unofficial-grsecurity-patched LTS, I'm all for it! :)
EDIT 2017-11-16 18:00 UTC Oh! That is corsac maintaining it! So glad to know!
Thanks for telling us, Head_on_a_Stick!. Last time I looked it up, that wasn't the case... But I'm slow...
EDIT END

Head_on_a_Stick
Posts: 13450
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Grsecurity/Pax installation on Debian GNU/Linux

#86 Post by Head_on_a_Stick »

timbgo wrote:Except old kernel, more exploits...
Only:

linux-image-4.9.0-4-grsec-amd64
there
That's the Debian package version, the kernel version is 4.9.51-1+grsecunoff2; my Alpine Linux system is using 4.9.60 (with an unofficial port of the grsec patches) and kernel.org is on 4.9.62 so it's not that far behind.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#87 Post by timbgo »

Head_on_a_Stick wrote:
timbgo wrote:Except old kernel, more exploits...
Only:

linux-image-4.9.0-4-grsec-amd64
there
That's the Debian package version, the kernel version is 4.9.51-1+grsecunoff2; my Alpine Linux system is using 4.9.60 (with an unofficial port of the grsec patches) and kernel.org is on 4.9.62 so it's not that far behind.
8) Of course, I studied all the links from the page you gave in the meantime, and I checked if we had it in Devuan: yes we do!
And of course I'll install it, along with gradm2 and other recommends! (For Devuan it's in Ceres, something like our testing branch.)
But it is old, it is. My packages that I gave above are based on the same grsecunoff by Mathias (minipli) Krause, who BTW has been taking some time off and is sorely missed, but Loic (HacKurx) updated the patch to 4.9.61, for which I gave all the links and uploaded my deb packages... So my packages are a kind of much newer version of grsecunoff. Could still be worth a try for some people, I'd hope.

I'm happy that grsec is being taken good care of. corsac, thank you so much for keeping the grsec available for us!

But it took corsac time to provide the packages, didn't it? And this is the first of the new series of grsec, the unofficial_grsecurity!
See here:
http://metadata.ftp-master.debian.org/c ... _changelog
where, currently at the very top, there is only one single version of it:

linux-grsec (4.9.51-1+grsecunoff1) unstable; urgency=medium

  * Pull changes from src:linux up to 4.9.51-1.
  * grsec/gen-patch:
    - update to generate patch from a local git repository with Mathias Krause
    grsec-unofficial tree (https://github.com/minipli/linux-unofficial_grsec)
  * Update grsecurity patch to the unofficial version maintained by Mathias
    Krause.
  * featureset-grsec/config: update long description to make it clear we are
    using the unofficial patch, unrelated to the private patch.
  * debian/lib/python/debian_linux/debian.py: handle new versioning scheme.

 -- Yves-Alexis Perez <corsac@debian.org>  Tue, 03 Oct 2017 10:59:32 +0200
Regards! (And thanks again Head_on_a_Stick for bringing us all here the very happy news!)

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#88 Post by timbgo »

If anybody feels like testing the newest:

https://croatiafidelis.hr/gnu/deb/linux ... 171209-20/

and maybe they will find new realizations amusing:

NULL pointer deref in do_blockdev_direct_IO()
https://github.com/minipli/linux-unoffi ... -350476483

You can use:
https://croatiafidelis.hr/gnu/deb/confi ... 1209-20.gz
https://croatiafidelis.hr/gnu/deb/confi ... 209-20.sig
if you're compiling with:
https://github.com/miroR/grsec-dev1-compile

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#89 Post by timbgo »

4.9.70 under:
https://www.croatiafidelis.hr/gnu/deb/l ... c-current/
(i.e. https://www.croatiafidelis.hr/gnu/deb/l ... 171220-11/ )
For those who verify, ls-1.sum.asc is missing. Busy, but it's coming later.
EDIT 2017-12-21 09:28:41+00:00, there now:
https://www.croatiafidelis.hr/gnu/deb/l ... -1.sum.asc

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#90 Post by timbgo »

New grsecunoff kernel is available for the brave:
https://www.croatiafidelis.hr/gnu/deb/l ... 171228-16/

n_hologram
Posts: 459
Joined: 2013-06-16 00:10

Re: Grsecurity/Pax installation on Debian GNU/Linux

#91 Post by n_hologram »

@timbgo: How is grsecurity holding up against spectre/meltdown?
bester69 wrote: There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
the crunkbong project: scripts, operating system, the list goes on...

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#92 Post by timbgo »

n_hologram wrote: @timbgo: How is grsecurity holding up against spectre/meltdown?
Hard work to do, that's how... They need the code that spender and PaX Team left (the last publicly available grsecurity), and they're using it (always you will find they cite them as their source, e.g. in the patches if you subscribe to KSPP)...
But, as...
minipli wrote: Expect it to be weeks/months/never. It's a pretty invasive change conflicting with a lot of PaX. :(
(pls. see that issue for details)
Things are probably happening, but slowly...

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#93 Post by timbgo »

Retpoline-patched grsecunoff (AMD, but no meltdown protection yet for Intel) available under the "current" link, or:
https://www.croatiafidelis.hr/gnu/deb/l ... 180203-22/

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#94 Post by timbgo »

It might be worth trying (and reporting if you can install and load amd64-microcode with):
https://www.croatiafidelis.hr/gnu/deb/l ... 180204-21/
Pls. read there, and the links, for the details.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#95 Post by timbgo »

The:
https://www.croatiafidelis.hr/gnu/deb/l ... c-current/
now points to:
https://www.croatiafidelis.hr/gnu/deb/l ... 180601-06/
That is the kernel package for Debian/Devuan that _may_ be worth trying out, bearing in mind the caveats of Dapper Linux patchset:
https://dapperlinux.com/
I.e. no meltdown protection, no spectre protection, currently no retpoline.

However, all the other usual protections that grsec offered are there. And the kernel is up to date.

I am testing that kernel right now, it appears to be fine.

If you want to use it, pls. see the previous posts, there is a lot of info on how to download it, how to verify it, etc.

Regards!
