Grsecurity/Pax installation on Debian GNU/Linux

Share your own howto's etc. Not for support questions!
Message
Author
n_hologram
Posts: 459
Joined: 2013-06-16 00:10

Re: Grsecurity/Pax installation on Debian GNU/Linux

#91 Post by n_hologram »

@timbgo: How is grsecurity holding up against spectre/meltdown?
bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
the crunkbong project: scripts, operating system, the list goes on...

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#92 Post by timbgo »

n_hologram wrote:@timbgo: How is grsecurity holding up against spectre/meltdown?
Hard work to do, that's how... They need the code that spender and PaX Team left (the last publicly available grsecurity), and they're using it (always you will find they cite them as their source, e.g. in the patches if you subscribe to KSPP)...
But, as...
minipli wrote: Expect it to be weeks/months/never. It's a pretty invasive change conflicting with a lot of PaX. :(
(pls. see that issue for details)
Things are probably happening, but slowly...
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#93 Post by timbgo »

Retpoline-patched grsecunoff (AMD, but no meltdown protection yet for Intel) available under the "current" link, or:
https://www.croatiafidelis.hr/gnu/deb/l ... 180203-22/
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#94 Post by timbgo »

It might be worth trying (and reporting if you can install and load amd64-microcode with):
https://www.croatiafidelis.hr/gnu/deb/l ... 180204-21/
Pls. read there, and the links, for the details.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#95 Post by timbgo »

The:
https://www.croatiafidelis.hr/gnu/deb/l ... c-current/
now points to:
https://www.croatiafidelis.hr/gnu/deb/l ... 180601-06/
That is the kernel package for Debian/Devuan that _may_ be worth trying out, bearing in mind the caveats of Dapper Linux patchset:
https://dapperlinux.com/
I.e. no meltdown protection, no spectre protection, currently no retpoline.

However, all the othe usual protection that grsec offered are there. And the kernel is up to date.

I am testing that kernel right now, it appears to be fine.

If you want to use it, pls. see previous posts, there are a lot of info how to dowload it, how to verify it, etc.

Regards!
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#96 Post by timbgo »

The offered packages in the previous post (no issues have I had so far) are for any system hardware (well: x86_64 arch only).

The best way is surely, to compile. Nothing wrong with the other option. It's only that tailoring the compiled kernel for only your hardware reduces the huge attack surface.

While Dapper Secure Kernel Patchset (
https://github.com/dapperlinux/dapper-s ... e/releases
) is still grsecurity, my script for newbies has changed to help new GNU-Debianers/Devuaners who want to look into kernel compiling.

So pls. look up:

https://github.com/miroR/grsec-dapper-compile/

I'm not sure, you might need to get dapper-linux PGP key from:

https://dapperlinux.com/contact.html
https://dapperlinux.com/matthew_gpg_public_key.asc

Regards!
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#97 Post by timbgo »

https://www.croatiafidelis.hr/gnu/deb/l ... 180615-20/
is now pointed to by:
https://www.croatiafidelis.hr/gnu/deb/l ... c-current/

Some new talk (some new indications) is at:
not an issue, but lack of issues #5
https://github.com/dapperlinux/dapper-s ... e/issues/5

as well as at:
PAX: RAP hash violation for return address: __ext4_get_inode_loc+0x258/0xab0 #17
https://github.com/minipli/linux-unoffi ... /issues/17

With vanilla kernel, a lot is lost, even though the Spectre and Meltdown are dealt with... In effect, there is no safety with Linux, after spender and PaX Team have gone... I believe it would be easier to deep-inspect figure out my browsing online, and protect my system against threats in real time, than to get vanilla kernel to be safe, or add Specter and Meltdown mitigations into any of the available forks remaining for the public of grsecurity...

A very hard choice to make... I myself, I still opt for dappersec fork of grsecurity, rather than the now, in essence, Google in charge of security of Mr. Linux's GNU/Linux.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

User avatar
debiman
Posts: 3064
Joined: 2013-03-12 07:18

Re: Grsecurity/Pax installation on Debian GNU/Linux

#98 Post by debiman »

people should have a good look at that website before deciding to download anything from it.

User avatar
Head_on_a_Stick
Posts: 13450
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Grsecurity/Pax installation on Debian GNU/Linux

#99 Post by Head_on_a_Stick »

debiman wrote:people should have a good look at that website
Yes, the OP does seem quite delusional in respect of homosexuality and intergender conditions but the grsec patchset does offer some value.

I can't get the graphical desktop to work properly with the official Debian grsec-patched kernels, I think they're intended for servers.
Black Lives Matter

Debian buster-backports ISO image: for new hardware support

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#100 Post by timbgo »

Head_on_a_Stick wrote:
debiman wrote:people should have a good look at that website
Yes, the OP does seem quite delusional in respect of homosexuality and intergender conditions but the grsec patchset does offer some value.
I don't talk politics, and the fact that the place where I can offer my kernels from is at my NGO's website, I don't think that should matter.

Regarding this grsec topic, I'd realy kindly suggest that we don't talk politics.
I can't get the graphical desktop to work properly with the official Debian grsec-patched kernels, I think they're intended for servers.
Any report on the usefulness of my kernels, or of my newbie-oriented script ( with the latest stable kernels / with the currently available free patches: https://github.com/miroR/grsec-dapper-compile ) are welcome. I'd like to kind of still grow technically and do much more in FOSS.

Kind regards!
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

User avatar
Head_on_a_Stick
Posts: 13450
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Grsecurity/Pax installation on Debian GNU/Linux

#101 Post by Head_on_a_Stick »

timbgo wrote:I don't talk politics, and the fact that the place where I can offer my kernels from is at my NGO's website, I don't think that should matter.

Regarding this grsec topic, I'd realy kindly suggest that we don't talk politics.
Yes, I agree, I probably shouldn't have posted that, sorry.
timbgo wrote:
I can't get the graphical desktop to work properly with the official Debian grsec-patched kernels, I think they're intended for servers.
Any report on the usefulness of my kernels, or of my newbie-oriented script ( with the latest stable kernels / with the currently available free patches: https://github.com/miroR/grsec-dapper-compile ) are welcome.
My experience was with linux-image-grsec-amd64 rather than your kernels.

I've given up on Linux for important stuff, I now use OpenBSD's kernel instead.
Black Lives Matter

Debian buster-backports ISO image: for new hardware support

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#102 Post by timbgo »

Head_on_a_Stick wrote:
timbgo wrote:I don't talk politics, and the fact that the place where I can offer my kernels from is at my NGO's website, I don't think that should matter.

Regarding this grsec topic, I'd realy kindly suggest that we don't talk politics.
Yes, I agree, I probably shouldn't have posted that, sorry.
Oh, you've talked some tollerance and I thank you for that (and I'm late to update my previous comment with a "thanks" for that, which I wanted to do, but you replied quicklier).
timbgo wrote:
I can't get the graphical desktop to work properly with the official Debian grsec-patched kernels, I think they're intended for servers.
Any report on the usefulness of my kernels, or of my newbie-oriented script ( with the latest stable kernels / with the currently available free patches: https://github.com/miroR/grsec-dapper-compile ) are welcome.
My experience was with linux-image-grsec-amd64 rather than your kernels.
But that's so old... Also, there was a newer one. Actually is: https://packages.debian.org/stretch-bac ... rsec-amd64 but that's still old, I offer way closer to the latest stable.
I've given up on Linux for important stuff, I now use OpenBSD's kernel instead.
I'm occasionally thinking about going that path too... But a few capable developers do appear to still be working on the few forks, and the dappersec works on my problematic system still without any bugs (two days this latest kernel --the one that I offer for download, the any-system kernel), so I can use that system, so far, reliably (wasn't the case with grsec-unoff, the minipli's one; long story, explained in the bugs linked previously)...

Thanks!
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#103 Post by timbgo »

New stable packages:
https://www.croatiafidelis.hr/gnu/deb/l ... 180710-21/
( https://www.croatiafidelis.hr/gnu/deb/l ... c-current/ )
Any difficulty installing, pls. review previous long posts... (I'm probably too short on time currently)
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#104 Post by timbgo »

https://www.croatiafidelis.hr/gnu/deb/l ... 180727-10/ (under https://www.croatiafidelis.hr/gnu/deb/l ... c-current/)
Tested on three machines (but MBO are of only two kinds). No issues.
Refer to previous post for tips if needed.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#105 Post by timbgo »

https://www.croatiafidelis.hr/gnu/deb/l ... 180810-06/
see previous posts for how to install it and other.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#106 Post by timbgo »

https://www.croatiafidelis.hr/gnu/deb/l ... 180816-16/
see previous posts for how to install it and other.[/quote]
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#107 Post by timbgo »

https://www.croatiafidelis.hr/gnu/deb/l ... 180820-16/
see previous posts for how to install it and other.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#108 Post by timbgo »

I am going to post what the script:
https://github.com/a13xp0p0v/kconfig-hardened-check
( see here also: http://www.openwall.com/lists/kernel-ha ... 18/07/18/1 )
thinks about my latest offered packages (see immediately previous post to this).

Pls. compare it to what that kconfig-hardened-check thinks of the latest kernel in Debian/Devuan (reminder: I run Devuan, but the kernel is the same to the bit: it's not changed, just merged into Devuan package repo), the linux-image-4.16.0-2-amd64, which findings I'll post in the next post.

# kconfig-hardened-check.py -c /boot/config-4.9.122-dappersec180820-16

Code: Select all

[+] Checking "/boot/config-4.9.122-dappersec180820-16" against hardening preferences...
  option name                            | desired val | decision |       reason       ||        check result        
  ===================================================================================================================
  CONFIG_BUG                             |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_PAGE_TABLE_ISOLATION            |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_RETPOLINE                       |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_X86_64                          |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_STRICT_KERNEL_RWX               |      y      | ubuntu18 |  self_protection   ||CONFIG_DEBUG_RODATA: OK ("y")
  CONFIG_DEBUG_WX                        |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_RANDOMIZE_BASE                  |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_RANDOMIZE_MEMORY                |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_STACKPROTECTOR_STRONG           |      y      | ubuntu18 |  self_protection   ||CONFIG_CC_STACKPROTECTOR_STRONG: OK ("y")
  CONFIG_VMAP_STACK                      |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_THREAD_INFO_IN_TASK             |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_SCHED_STACK_END_CHECK           |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_SLUB_DEBUG                      |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_SLAB_FREELIST_HARDENED          |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_SLAB_FREELIST_RANDOM            |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_HARDENED_USERCOPY               |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_FORTIFY_SOURCE                  |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_STRICT_MODULE_RWX               |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_MODULE_SIG                      |      y      | ubuntu18 |  self_protection   ||     FAIL: "is not set"     
  CONFIG_MODULE_SIG_ALL                  |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_MODULE_SIG_SHA512               |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_SYN_COOKIES                     |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_DEFAULT_MMAP_MIN_ADDR           |    65536    | ubuntu18 |  self_protection   ||             OK             
  CONFIG_BUG_ON_DATA_CORRUPTION          |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_PAGE_POISONING                  |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_GCC_PLUGINS                     |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_GCC_PLUGIN_RANDSTRUCT           |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_GCC_PLUGIN_STRUCTLEAK           |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_GCC_PLUGIN_LATENT_ENTROPY       |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_REFCOUNT_FULL                   |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_DEBUG_LIST                      |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_DEBUG_SG                        |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_DEBUG_CREDENTIALS               |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_DEBUG_NOTIFIERS                 |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_MODULE_SIG_FORCE                |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_HARDENED_USERCOPY_FALLBACK      | is not set  |   kspp   |  self_protection   ||       OK: not found        
  CONFIG_GCC_PLUGIN_STACKLEAK            |      y      |    my    |  self_protection   ||      FAIL: not found       
  CONFIG_SLUB_DEBUG_ON                   |      y      |    my    |  self_protection   ||      FAIL: not found       
  CONFIG_SECURITY_DMESG_RESTRICT         |      y      |    my    |  self_protection   ||             OK             
  CONFIG_STATIC_USERMODEHELPER           |      y      |    my    |  self_protection   ||      FAIL: not found       
  CONFIG_PAGE_POISONING_NO_SANITY        | is not set  |    my    |  self_protection   ||         FAIL: "y"          
  CONFIG_PAGE_POISONING_ZERO             | is not set  |    my    |  self_protection   ||             OK             
  CONFIG_SECURITY                        |      y      | ubuntu18 |  security_policy   ||             OK             
  CONFIG_SECURITY_YAMA                   |      y      | ubuntu18 |  security_policy   ||      FAIL: not found       
  CONFIG_SECURITY_SELINUX_DISABLE        | is not set  | ubuntu18 |  security_policy   ||       OK: not found        
  CONFIG_SECCOMP                         |      y      | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_SECCOMP_FILTER                  |      y      | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_STRICT_DEVMEM                   |      y      | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_ACPI_CUSTOM_METHOD              | is not set  | ubuntu18 | cut_attack_surface ||       OK: not found        
  CONFIG_COMPAT_BRK                      | is not set  | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_DEVKMEM                         | is not set  | ubuntu18 | cut_attack_surface ||       OK: not found        
  CONFIG_COMPAT_VDSO                     | is not set  | ubuntu18 | cut_attack_surface ||       OK: not found        
  CONFIG_X86_PTDUMP                      | is not set  | ubuntu18 | cut_attack_surface ||       OK: not found        
  CONFIG_ZSMALLOC_STAT                   | is not set  | ubuntu18 | cut_attack_surface ||       OK: not found        
  CONFIG_PAGE_OWNER                      | is not set  | ubuntu18 | cut_attack_surface ||       OK: not found        
  CONFIG_DEBUG_KMEMLEAK                  | is not set  | ubuntu18 | cut_attack_surface ||       OK: not found        
  CONFIG_BINFMT_AOUT                     | is not set  | ubuntu18 | cut_attack_surface ||       OK: not found        
  CONFIG_IO_STRICT_DEVMEM                |      y      |   kspp   | cut_attack_surface ||             OK             
  CONFIG_LEGACY_VSYSCALL_NONE            |      y      |   kspp   | cut_attack_surface ||     FAIL: "is not set"     
  CONFIG_BINFMT_MISC                     | is not set  |   kspp   | cut_attack_surface ||         FAIL: "m"          
  CONFIG_INET_DIAG                       | is not set  |   kspp   | cut_attack_surface ||         FAIL: "m"          
  CONFIG_KEXEC                           | is not set  |   kspp   | cut_attack_surface ||       OK: not found        
  CONFIG_PROC_KCORE                      | is not set  |   kspp   | cut_attack_surface ||       OK: not found        
  CONFIG_LEGACY_PTYS                     | is not set  |   kspp   | cut_attack_surface ||             OK             
  CONFIG_IA32_EMULATION                  | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_X86_X32                         | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_MODIFY_LDT_SYSCALL              | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_HIBERNATION                     | is not set  |   kspp   | cut_attack_surface ||       OK: not found        
  CONFIG_KPROBES                         | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_UPROBES                         | is not set  |grsecurity| cut_attack_surface ||             OK             
  CONFIG_GENERIC_TRACER                  | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_PROC_VMCORE                     | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_PROC_PAGE_MONITOR               | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_USELIB                          | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_CHECKPOINT_RESTORE              | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_USERFAULTFD                     | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_HWPOISON_INJECT                 | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_MEM_SOFT_DIRTY                  | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_DEVPORT                         | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_DEBUG_FS                        | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_NOTIFIER_ERROR_INJECTION        | is not set  |grsecurity| cut_attack_surface ||       OK: not found        
  CONFIG_KEXEC_FILE                      | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_LIVEPATCH                       | is not set  |    my    | cut_attack_surface ||       OK: not found        
  CONFIG_USER_NS                         | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_IP_DCCP                         | is not set  |    my    | cut_attack_surface ||         FAIL: "m"          
  CONFIG_IP_SCTP                         | is not set  |    my    | cut_attack_surface ||         FAIL: "m"          
  CONFIG_FTRACE                          | is not set  |    my    | cut_attack_surface ||       OK: not found        
  CONFIG_PROFILING                       | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_BPF_JIT                         | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_BPF_SYSCALL                     | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_ARCH_MMAP_RND_BITS              |     32      |    my    |userspace_protection||         FAIL: "27"         

[-] config check is NOT PASSED: 42 errors
Last edited by timbgo on 2018-08-21 20:42, edited 1 time in total.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#109 Post by timbgo »

The same script, on the latest stock Debian kernel:
kconfig-hardened-check.py -c /boot/config-4.16.0-2-amd64

Code: Select all

[+] Checking "/boot/config-4.16.0-2-amd64" against hardening preferences...
  option name                            | desired val | decision |       reason       ||        check result        
  ===================================================================================================================
  CONFIG_BUG                             |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_PAGE_TABLE_ISOLATION            |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_RETPOLINE                       |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_X86_64                          |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_STRICT_KERNEL_RWX               |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_DEBUG_WX                        |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_RANDOMIZE_BASE                  |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_RANDOMIZE_MEMORY                |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_STACKPROTECTOR_STRONG           |      y      | ubuntu18 |  self_protection   ||CONFIG_CC_STACKPROTECTOR_STRONG: OK ("y")
  CONFIG_VMAP_STACK                      |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_THREAD_INFO_IN_TASK             |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_SCHED_STACK_END_CHECK           |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_SLUB_DEBUG                      |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_SLAB_FREELIST_HARDENED          |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_SLAB_FREELIST_RANDOM            |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_HARDENED_USERCOPY               |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_FORTIFY_SOURCE                  |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_STRICT_MODULE_RWX               |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_MODULE_SIG                      |      y      | ubuntu18 |  self_protection   ||     FAIL: "is not set"     
  CONFIG_MODULE_SIG_ALL                  |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_MODULE_SIG_SHA512               |      y      | ubuntu18 |  self_protection   ||      FAIL: not found       
  CONFIG_SYN_COOKIES                     |      y      | ubuntu18 |  self_protection   ||             OK             
  CONFIG_DEFAULT_MMAP_MIN_ADDR           |    65536    | ubuntu18 |  self_protection   ||             OK             
  CONFIG_BUG_ON_DATA_CORRUPTION          |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_PAGE_POISONING                  |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_GCC_PLUGINS                     |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_GCC_PLUGIN_RANDSTRUCT           |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_GCC_PLUGIN_STRUCTLEAK           |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_GCC_PLUGIN_LATENT_ENTROPY       |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_REFCOUNT_FULL                   |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_DEBUG_LIST                      |      y      |   kspp   |  self_protection   ||             OK             
  CONFIG_DEBUG_SG                        |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_DEBUG_CREDENTIALS               |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_DEBUG_NOTIFIERS                 |      y      |   kspp   |  self_protection   ||     FAIL: "is not set"     
  CONFIG_MODULE_SIG_FORCE                |      y      |   kspp   |  self_protection   ||      FAIL: not found       
  CONFIG_HARDENED_USERCOPY_FALLBACK      | is not set  |   kspp   |  self_protection   ||             OK             
  CONFIG_GCC_PLUGIN_STACKLEAK            |      y      |    my    |  self_protection   ||      FAIL: not found       
  CONFIG_SLUB_DEBUG_ON                   |      y      |    my    |  self_protection   ||     FAIL: "is not set"     
  CONFIG_SECURITY_DMESG_RESTRICT         |      y      |    my    |  self_protection   ||             OK             
  CONFIG_STATIC_USERMODEHELPER           |      y      |    my    |  self_protection   ||     FAIL: "is not set"     
  CONFIG_PAGE_POISONING_NO_SANITY        | is not set  |    my    |  self_protection   ||         FAIL: "y"          
  CONFIG_PAGE_POISONING_ZERO             | is not set  |    my    |  self_protection   ||             OK             
  CONFIG_SECURITY                        |      y      | ubuntu18 |  security_policy   ||             OK             
  CONFIG_SECURITY_YAMA                   |      y      | ubuntu18 |  security_policy   ||             OK             
  CONFIG_SECURITY_SELINUX_DISABLE        | is not set  | ubuntu18 |  security_policy   ||             OK             
  CONFIG_SECCOMP                         |      y      | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_SECCOMP_FILTER                  |      y      | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_STRICT_DEVMEM                   |      y      | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_ACPI_CUSTOM_METHOD              | is not set  | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_COMPAT_BRK                      | is not set  | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_DEVKMEM                         | is not set  | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_COMPAT_VDSO                     | is not set  | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_X86_PTDUMP                      | is not set  | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_ZSMALLOC_STAT                   | is not set  | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_PAGE_OWNER                      | is not set  | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_DEBUG_KMEMLEAK                  | is not set  | ubuntu18 | cut_attack_surface ||             OK             
  CONFIG_BINFMT_AOUT                     | is not set  | ubuntu18 | cut_attack_surface ||       OK: not found        
  CONFIG_IO_STRICT_DEVMEM                |      y      |   kspp   | cut_attack_surface ||             OK             
  CONFIG_LEGACY_VSYSCALL_NONE            |      y      |   kspp   | cut_attack_surface ||             OK             
  CONFIG_BINFMT_MISC                     | is not set  |   kspp   | cut_attack_surface ||         FAIL: "m"          
  CONFIG_INET_DIAG                       | is not set  |   kspp   | cut_attack_surface ||         FAIL: "m"          
  CONFIG_KEXEC                           | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_PROC_KCORE                      | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_LEGACY_PTYS                     | is not set  |   kspp   | cut_attack_surface ||             OK             
  CONFIG_IA32_EMULATION                  | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_X86_X32                         | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_MODIFY_LDT_SYSCALL              | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_HIBERNATION                     | is not set  |   kspp   | cut_attack_surface ||         FAIL: "y"          
  CONFIG_KPROBES                         | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_UPROBES                         | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_GENERIC_TRACER                  | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_PROC_VMCORE                     | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_PROC_PAGE_MONITOR               | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_USELIB                          | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_CHECKPOINT_RESTORE              | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_USERFAULTFD                     | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_HWPOISON_INJECT                 | is not set  |grsecurity| cut_attack_surface ||         FAIL: "m"          
  CONFIG_MEM_SOFT_DIRTY                  | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_DEVPORT                         | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_DEBUG_FS                        | is not set  |grsecurity| cut_attack_surface ||         FAIL: "y"          
  CONFIG_NOTIFIER_ERROR_INJECTION        | is not set  |grsecurity| cut_attack_surface ||         FAIL: "m"          
  CONFIG_KEXEC_FILE                      | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_LIVEPATCH                       | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_USER_NS                         | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_IP_DCCP                         | is not set  |    my    | cut_attack_surface ||         FAIL: "m"          
  CONFIG_IP_SCTP                         | is not set  |    my    | cut_attack_surface ||         FAIL: "m"          
  CONFIG_FTRACE                          | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_PROFILING                       | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_BPF_JIT                         | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_BPF_SYSCALL                     | is not set  |    my    | cut_attack_surface ||         FAIL: "y"          
  CONFIG_ARCH_MMAP_RND_BITS              |     32      |    my    |userspace_protection||         FAIL: "28"         

[-] config check is NOT PASSED: 47 errors
Errors 47 this config vs 42 the config of the 4.9.122 that I make the packages available of (see immediately previous post to this).
.
So... It's still probably safer with the free grsec kernel (dappersec)... Sorely missing the protections from Meltdown and Spectre, but most other protectiions are in place. And pls. note that it's a dev from the KSPP team. Hardly biased towards grsec.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#110 Post by timbgo »

https://www.croatiafidelis.hr/gnu/deb/l ... 180914-10/
see previous posts for how to install it and other.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

Post Reply