Grsecurity/Pax installation on Debian GNU/Linux

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Grsecurity/Pax installation on Debian GNU/Linux

#1 Post by timbgo »

EDIT START 2014-09-30
I have studied the issues related with the latest very questionable changes in FOSS Linux very dedicatedly in recent weeks, and am linking the latest article of mine here because the systemd and other poetteringware changes by design can/could only have adverse if not threatening influence on grsecurity, which is the way to go for anyone aware of privacy issues in our big-brotherly time.

Therefore this Tips page on installing grsecurity-hardened kernel in Debian could be starting to be put in question as well.

These new links I tried and they worked fine just hours ago, and they have been consistent as I posted them and edited them in these couple of days ever since my initial posting of them:

Why is Gentoo not switching to systemd?
https://forums.gentoo.org/viewtopic-t-9 ... ml#7624042
https://forums.gentoo.org/viewtopic-t-9 ... ml#7624044

(in the #7624044, the second of the above, is the main read)

Somewhat long that read is, however you should find it revealing and facts and deductions there striking hard where due.

Why do I go about consistency of the article that should open to you buried in the 13th page of a huge discussion on Gentoo Forums?

I'll try and explain that in today's post of this very topic you are reading:

http://forums.debian.net/viewtopic.php? ... 40#p554940

Only vis major (Latin) can prevent me from explaining, such as "problems" with my internet connection:

EDIT END 2014-09-30
--
EDIT START Tue Apr 15 18:58:29 BST 2014
This is currently the latest edit, meaning the latest few lines, these on the very top currently, of all of the entire topic on Tue Apr 15.
I am running out of space on the server hosting CroatiaFidelis.hr
where for that reason I'll delete old Debian Grsec-patched kernel packages.
That means deleting those packages that anyway wouldn't be the best option for installing, since better newer packages have replaced them.
This note in the adequate way will apply in all later cases. Users lose nothing really.
Thanks.
EDIT END

WARNING: Advanced users, pls allow for some verbosity in pastes. I know I needed a little spoonfeeding back when I was a GNU/Linux newbie. Pls. suffer newbies to more easily reach the information that I am offering here.

EDIT START
Thu Oct 31 17:27:01 UTC 2013
This article is another attempt of mine to point other users, esp. newbies, in the right direction. Out of plain gratitude towards Spender and Pax Team, without whose two packs of programs my Debian machines would have been hacked with irreparable damage (data stolen and such). The last defence by Grsecurity/Pax against a bruteforce attack on my machine can be read about here:
https://forums.grsecurity.net/viewtopic.php?f=3&t=3841
EDIT END

Lots of the following is simply pastes. Actual today's command line input and output of mine.
For amd64 arch it may really be possible that you reuse my lines often with little or no modifications, today and a few more days ahead, but of course, versions will soon be replaced.

Newbies, pls. distinguish commands from the output. Simple: all the commands are on the one line after the prompt (unless, but I don't think we have any here, the end of line is a '\'). All is left here so you can compare what you are trying to do with this successful (or not, but it's indicated when it wasn't) download/patch/installation etc. commands.

Still: pls. first read all you can find of explanation/documentation starting from:

http://www.grsecurity.net

and then come back and follow this guide (but make sure you replace the versions for the current ones, if you are reading this days/months ahead from now).

You have been warned!

Code:

me@mybox:/some-dir/download-dir$ wget -nc https://grsecurity.net/test/grsecurity-2.9.1-3.11.6-201310271552.patch
--2013-10-29 13:06:08--  https://grsecurity.net/test/grsecurity-2.9.1-3.11.6-201310271552.patch
Resolving grsecurity.net (grsecurity.net)... 173.10.160.233
Connecting to grsecurity.net (grsecurity.net)|173.10.160.233|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3738234 (3.6M) [text/plain]
Saving to: ‘grsecurity-2.9.1-3.11.6-201310271552.patch’

100%[=======================================================>] 3,738,234    626KB/s   in 6.3s   

2013-10-29 13:06:16 (580 KB/s) - ‘grsecurity-2.9.1-3.11.6-201310271552.patch’ saved [3738234/3738234]

me@mybox:/some-dir/download-dir$ wget -nc https://grsecurity.net/test/grsecurity-2.9.1-3.11.6-201310271552.patch.sig
--2013-10-29 13:08:09--  https://grsecurity.net/test/grsecurity-2.9.1-3.11.6-201310271552.patch.sig
Resolving grsecurity.net (grsecurity.net)... 173.10.160.233
Connecting to grsecurity.net (grsecurity.net)|173.10.160.233|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 72 [text/plain]
Saving to: ‘grsecurity-2.9.1-3.11.6-201310271552.patch.sig’

100%[=======================================================>] 72          --.-K/s   in 0s      

2013-10-29 13:08:19 (823 KB/s) - ‘grsecurity-2.9.1-3.11.6-201310271552.patch.sig’ saved [72/72]

me@mybox:/some-dir/download-dir$ wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.11.6.tar.xz
--2013-10-29 13:06:53--  https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.11.6.tar.xz
Resolving www.kernel.org (www.kernel.org)... 198.145.20.140, 149.20.4.69
Connecting to www.kernel.org (www.kernel.org)|198.145.20.140|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 75095360 (72M) [application/x-xz]
Saving to: ‘linux-3.11.6.tar.xz’

100%[=======================================================>] 75,095,360   608KB/s   in 2m 0s  

2013-10-29 13:08:56 (612 KB/s) - ‘linux-3.11.6.tar.xz’ saved [75095360/75095360]

me@mybox:/some-dir/download-dir$ wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.11.6.tar.sign
--2013-10-29 13:07:18--  https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.11.6.tar.sign
Resolving www.kernel.org (www.kernel.org)... 198.145.20.140, 149.20.4.69
Connecting to www.kernel.org (www.kernel.org)|198.145.20.140|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 836 [application/pgp-signature]
Saving to: ‘linux-3.11.6.tar.sign’

100%[=======================================================>] 836         --.-K/s   in 0s      

2013-10-29 13:07:30 (13.9 MB/s) - ‘linux-3.11.6.tar.sign’ saved [836/836]

me@mybox:/some-dir/download-dir$ ls -l *3.11.6*
-rw-r--r-- 1 mr mr  3738234 Oct 27 19:53 grsecurity-2.9.1-3.11.6-201310271552.patch
-rw-r--r-- 1 mr mr       72 Oct 27 19:54 grsecurity-2.9.1-3.11.6-201310271552.patch.sig
-rw-r--r-- 1 mr mr      836 Oct 18 18:27 linux-3.11.6.tar.sign
-rw-r--r-- 1 mr mr 73928040 Oct 29 13:08 linux-3.11.6.tar.xz
me@mybox:/some-dir/download-dir$ gpg --verify grsecurity-2.9.1-3.11.6-201310271552.patch.sig 
gpg: Signature made Sun 27 Oct 2013 07:54:01 PM UTC using DSA key ID 4245D46A
gpg: Good signature from "Bradley Spengler (spender) <spender@grsecurity.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9F74 393D 7E7F FF3C 6500  E778 9879 B649 4245 D46A
me@mybox:/some-dir/download-dir$ gpg --verify gradm-2.9.1-201309161709.tar.gz.sig 
gpg: Signature made Mon 16 Sep 2013 09:10:02 PM UTC using DSA key ID 4245D46A
gpg: Good signature from "Bradley Spengler (spender) <spender@grsecurity.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9F74 393D 7E7F FF3C 6500  E778 9879 B649 4245 D46A
me@mybox:/some-dir/download-dir$ xz
xz       xzcat    xzcmp    xzdiff   xzegrep  xzfgrep  xzgrep   xzless   xzmore   
# The following is not a command, but a tab that I pressed, to see what options I have for
# filename after 'linux-3.11.'

Code:

me@mybox:/some-dir/download-dir$ xz linux-3.11.
linux-3.11.3.tar       linux-3.11.3.tar.sign  linux-3.11.6.tar.sign 


# This is the actual command

Code:

me@mybox:/some-dir/download-dir$ unxz linux-3.11.6.tar.xz 
me@mybox:/some-dir/download-dir$ gpg --verify linux-3.11.6.tar.sign 
gpg: Signature made Fri 18 Oct 2013 06:24:39 PM UTC using RSA key ID 6092693E
gpg: Good signature from "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E

Code:

me@mybox:/some-dir/src$ tar tvf ../download-dir/linux-3.11.6.tar 
drwxrwxr-x root/root         0 2013-10-18 18:24 linux-3.11.6/
-rw-rw-r-- root/root      1097 2013-10-18 18:24 linux-3.11.6/.gitignore
-rw-rw-r-- root/root      4465 2013-10-18 18:24 linux-3.11.6/.mailmap
-rw-rw-r-- root/root     18693 2013-10-18 18:24 linux-3.11.6/COPYING
-rw-rw-r-- root/root     95317 2013-10-18 18:24 linux-3.11.6/CREDITS
drwxrwxr-x root/root         0 2013-10-18 18:24 linux-3.11.6/Documentation/
-rw-rw-r-- root/root       107 2013-10-18 18:24 linux-3.11.6/Documentation/.gitignore
-rw-rw-r-- root/root     16957 2013-10-18 18:24 linux-3.11.6/Documentation/00-INDEX
drwxrwxr-x root/root         0 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/
-rw-rw-r-- root/root      3284 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/README
drwxrwxr-x root/root         0 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/obsolete/
-rw-rw-r-- root/root       248 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/obsolete/proc-sys-vm-nr_pdflush_threads
-rw-rw-r-- root/root      1296 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/obsolete/sysfs-bus-usb
-rw-rw-r-- root/root      1063 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/obsolete/sysfs-class-rfkill
-rw-rw-r-- root/root      2820 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/obsolete/sysfs-driver-hid-roccat-koneplus
-rw-rw-r-- root/root      3657 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/obsolete/sysfs-driver-hid-roccat-kovaplus
-rw-rw-r-- root/root      3767 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/obsolete/sysfs-driver-hid-roccat-pyra
drwxrwxr-x root/root         0 2013-10-18 18:24 linux-3.11.6/Documentation/ABI/removed/
-rw-rw-r-- root
...[snip]...

Code:

me@mybox:/some-dir/src$ tar xvf ../download-dir/linux-3.11.6.tar 
linux-3.11.6/
linux-3.11.6/.gitignore
linux-3.11.6/.mailmap
linux-3.11.6/COPYING
linux-3.11.6/CREDITS
linux-3.11.6/Documentation/
linux-3.11.6/Documentation/.gitignore
linux-3.11.6/Documentation/00-INDEX
linux-3.11.6/Documentation/ABI/
linux-3.11.6/Documentation/ABI/README
linux-3.11.6/Documentation/ABI/obsolete/
linux-3.11.6/Documentation/ABI/obsolete/proc-sys-vm-nr_pdflush_threads
linux-3.11.6/Documentation/ABI/obsolete/sysfs-bus-usb
linux-3.11.6/Documentation/ABI/obsolete/sysfs-class-rfkill
linux-3.11.6/Documentation/ABI/obsolete/sysfs-driver-hid-roccat-koneplus
linux-3.11.6/Documentation/ABI/obsolete/sysfs-driver-hid-roccat-kovaplus
linux-3.11.6/Documentation/ABI/obsolete/sysfs-driver-hid-roccat-pyra
linux-3.11.6/Documentation/ABI/removed/
linux-3.11.6/Doc
...[snip]...

Code:

me@mybox:/some-dir/src$ ls -l
total 4
drwxr-xr-x 23 mr mr 4096 Oct 18 18:24 linux-3.11.6
me@mybox:/some-dir/src$ ls -l linux-3.11.6/
total 548
drwxr-xr-x  32 mr mr   4096 Oct 18 18:24 arch
drwxr-xr-x   3 mr mr   4096 Oct 18 18:24 block
-rw-r--r--   1 mr mr  18693 Oct 18 18:24 COPYING
-rw-r--r--   1 mr mr  95317 Oct 18 18:24 CREDITS
drwxr-xr-x   4 mr mr   4096 Oct 18 18:24 crypto
drwxr-xr-x 101 mr mr  12288 Oct 18 18:24 Documentation
drwxr-xr-x 112 mr mr   4096 Oct 18 18:24 drivers
drwxr-xr-x  36 mr mr   4096 Oct 18 18:24 firmware
drwxr-xr-x  73 mr mr   4096 Oct 18 18:24 fs
drwxr-xr-x  27 mr mr   4096 Oct 18 18:24 include
drwxr-xr-x   2 mr mr   4096 Oct 18 18:24 init
drwxr-xr-x   2 mr mr   4096 Oct 18 18:24 ipc
-rw-r--r--   1 mr mr   2536 Oct 18 18:24 Kbuild
-rw-r--r--   1 mr mr    252 Oct 18 18:24 Kconfig
drwxr-xr-x  12 mr mr   4096 Oct 18 18:24 kernel
drwxr-xr-x  11 mr mr   4096 Oct 18 18:24 lib
-rw-r--r--   1 mr mr 260046 Oct 18 18:24 MAINTAINERS
-rw-r--r--   1 mr mr  48517 Oct 18 18:24 Makefile
drwxr-xr-x   2 mr mr   4096 Oct 18 18:24 mm
drwxr-xr-x  56 mr mr   4096 Oct 18 18:24 net
-rw-r--r--   1 mr mr  18736 Oct 18 18:24 README
-rw-r--r--   1 mr mr   7485 Oct 18 18:24 REPORTING-BUGS
drwxr-xr-x  12 mr mr   4096 Oct 18 18:24 samples
drwxr-xr-x  13 mr mr   4096 Oct 18 18:24 scripts
drwxr-xr-x   9 mr mr   4096 Oct 18 18:24 security
drwxr-xr-x  22 mr mr   4096 Oct 18 18:24 sound
drwxr-xr-x  17 mr mr   4096 Oct 18 18:24 tools
drwxr-xr-x   2 mr mr   4096 Oct 18 18:24 usr
drwxr-xr-x   3 mr mr   4096 Oct 18 18:24 virt

Code:

me@mybox:/some-dir/src$ cp -aiv ../download-dir/grsecurity-2.9.1-3.11.6-201310271552.patch .
‘../download-dir/grsecurity-2.9.1-3.11.6-201310271552.patch’ -> ‘./grsecurity-2.9.1-3.11.6-201310271552.patch’
me@mybox:/some-dir/src$ ls -l 
total 3656
-rw-r--r--  1 mr mr 3738234 Oct 27 19:53 grsecurity-2.9.1-3.11.6-201310271552.patch
drwxr-xr-x 23 mr mr    4096 Oct 18 18:24 linux-3.11.6
me@mybox:/some-dir/src$ cd linux-3.11.6/
me@mybox:/some-dir/src/linux-3.11.6$ patch  -p1 < ../grsecurity-2.9.1-3.11.6-201310271552.patch 
patching file Documentation/dontdiff
patching file Documentation/kernel-parameters.txt
patching file Makefile
patching file arch/alpha/include/asm/atomic.h
patching file arch/alpha/include/asm/cache.h
patching file arch/alpha/include/asm/elf.h
patching file arch/alpha/include/asm/pgalloc.h
patching file arch/alpha/include/asm/pgtable.h
patching file arch/alpha/kernel/module.c
patching file arch/alpha/kernel/osf_sys.c
patching file arch/alpha/mm/fault.c
patching file arch/arm/Kconfig
patching file arch/arm/include/asm/atomic.h
patching file arch/arm/include/asm/cache.h
patching file arch/arm/include/asm/cacheflush.h
patching file arch/arm/include/asm/checksum.h
patching file arch/arm/include/asm/cmpxchg.h
patching file arch/arm/include/asm/domain.h
patching file arch/arm/include/asm/elf.h
patching file arch/arm/include/asm/fncpy.h
patching file arch/arm/include/asm/futex.h
patching file arch/arm/include/asm/kmap_types.h
patching file arch/arm/include/asm/mach/dma.h
patching file arch/arm/include/asm/mach/map.h
patching file arch/arm/include/asm/outercache.h
patching file arch/arm/include/asm/page.h
...[snip]...
patching file tools/gcc/constify_plugin.c
patching file tools/gcc/generate_size_overflow_hash.sh
patching file tools/gcc/kallocstat_plugin.c
patching file tools/gcc/kernexec_plugin.c
patching file tools/gcc/latent_entropy_plugin.c
patching file tools/gcc/size_overflow_hash.data
patching file tools/gcc/size_overflow_plugin.c
patching file tools/gcc/stackleak_plugin.c
patching file tools/gcc/structleak_plugin.c
patching file tools/lib/lk/Makefile
patching file tools/perf/util/include/asm/alternative-asm.h
patching file tools/perf/util/include/linux/compiler.h
patching file virt/kvm/kvm_main.c
me@mybox:/some-dir/src/linux-3.11.6$
##################################################
## We now have Grsec/Pax patched kernel ###
####################################################

Part 2 is to follow.
Last edited by timbgo on 2014-09-30 10:37, edited 8 times in total.
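Added example, not code from timbgo's post: a POSIX shell helper for the verification step pasted above. It assumes the `gpg --verify` output format shown in the pastes and pins the two fingerprints printed there; the point it makes is that gpg prints "Good signature" even for an uncertified key (the WARNING lines), so comparing the primary key fingerprint against a value you pinned beforehand is the actual check. The `verify_and_patch` wrapper and its DOWNLOAD_DIR/SRC_DIR arguments are hypothetical; the file names are the ones used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks for the download
# and verification step. gpg says "Good signature" whenever the signature
# verifies against *some* key in the keyring, even one it does not trust
# (hence the WARNING lines in the paste); the check that matters is comparing
# "Primary key fingerprint:" with a value pinned in advance.

# Fingerprints exactly as printed in the post's gpg output.
SPENDER_FPR="9F74 393D 7E7F FF3C 6500  E778 9879 B649 4245 D46A"
GREGKH_FPR="647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E"

# Drop spaces and uppercase so "9f74393d..." and "9F74 393D ..." compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# sig_ok GPG_OUTPUT EXPECTED_FPR
# 0 only if GPG_OUTPUT (captured `gpg --verify ... 2>&1`) has a
# "Good signature" line and its primary key fingerprint equals EXPECTED_FPR.
sig_ok() {
    out="$1"
    want=$(norm_fpr "$2")
    printf '%s\n' "$out" | grep -q '^gpg: Good signature from' || return 1
    got=$(printf '%s\n' "$out" | sed -n 's/^Primary key fingerprint: *//p' | head -n 1)
    [ -n "$got" ] || return 1
    [ "$(norm_fpr "$got")" = "$want" ]
}

# patch_matches_kernel PATCHFILE TARBALL
# grsecurity patch names are grsecurity-<grsec>-<kernel>-<timestamp>.patch;
# refuse to go on if that kernel version differs from the tarball's.
patch_matches_kernel() {
    pv=$(printf '%s' "$1" | sed -n 's/^grsecurity-[0-9.]*-\([0-9.]*\)-[0-9]*\.patch$/\1/p')
    kv=$(printf '%s' "$2" | sed -n 's/^linux-\([0-9.]*\)\.tar\(\.xz\)\{0,1\}$/\1/p')
    [ -n "$pv" ] && [ -n "$kv" ] && [ "$pv" = "$kv" ]
}

# Constructed sample: the gpg lines from the post, used for the offline checks.
SAMPLE_GPG_OUTPUT='gpg: Signature made Sun 27 Oct 2013 07:54:01 PM UTC using DSA key ID 4245D46A
gpg: Good signature from "Bradley Spengler (spender) <spender@grsecurity.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9F74 393D 7E7F FF3C 6500  E778 9879 B649 4245 D46A'

# Constructed mismatch: same "Good signature" text, but an all-zero placeholder
# fingerprint standing in for a key that is not the one we pinned.
SAMPLE_BAD_OUTPUT=$(printf '%s\n' "$SAMPLE_GPG_OUTPUT" \
    | sed 's/^Primary key fingerprint: .*/Primary key fingerprint: 0000 0000 0000 0000 0000  0000 0000 0000 0000 0000/')

# Hypothetical wrapper for the real sequence (needs the downloaded files and
# gpg, so it is not exercised offline). DOWNLOAD_DIR holds the four downloads,
# SRC_DIR receives the unpacked tree. File names are the ones used in the post.
verify_and_patch() {
    dl="$1"; src="$2"
    p=grsecurity-2.9.1-3.11.6-201310271552.patch
    t=linux-3.11.6.tar
    patch_matches_kernel "$p" "$t.xz" || { echo "patch/kernel version mismatch" >&2; return 1; }
    out=$(gpg --verify "$dl/$p.sig" 2>&1) || return 1
    sig_ok "$out" "$SPENDER_FPR" || { echo "grsecurity patch: fingerprint mismatch" >&2; return 1; }
    # kernel.org signs the *uncompressed* tar, which is why the post runs unxz
    # before `gpg --verify linux-3.11.6.tar.sign`.
    [ -f "$dl/$t" ] || unxz --keep "$dl/$t.xz" || return 1
    out=$(gpg --verify "$dl/$t.sign" 2>&1) || return 1
    sig_ok "$out" "$GREGKH_FPR" || { echo "kernel tarball: fingerprint mismatch" >&2; return 1; }
    tar -C "$src" -xf "$dl/$t" || return 1
    # Dry run first: a rejected hunk means a wrong version or an already
    # modified tree, and at that point nothing has been touched yet.
    ( cd "$src/linux-3.11.6" && patch -p1 --dry-run < "$dl/$p" >/dev/null \
        && patch -p1 < "$dl/$p" )
}
```

Source the file and call `verify_and_patch /some-dir/download-dir /some-dir/src` to reproduce the post's download-dir/src layout; a fingerprint mismatch stops before anything is unpacked or patched.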

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#2 Post by timbgo »

Part 2

Code:

me@mybox:/some-dir/src/linux-3.11.6$ fakeroot make deb-pkg
  HOSTCC  scripts/basic/fixdep
  HOSTCC  scripts/kconfig/conf.o
  SHIPPED scripts/kconfig/zconf.tab.c
  SHIPPED scripts/kconfig/zconf.lex.c
  SHIPPED scripts/kconfig/zconf.hash.c
  HOSTCC  scripts/kconfig/zconf.tab.o
In file included from scripts/kconfig/zconf.tab.c:2501:0:
scripts/kconfig/expr.c: In function ‘expr_print_gstr_helper’:
scripts/kconfig/expr.c:1156:41: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
In file included from scripts/kconfig/zconf.tab.c:2502:0:
scripts/kconfig/symbol.c: In function ‘sym_rel_comp’:
scripts/kconfig/symbol.c:983:9: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/kconfig/symbol.c:983:40: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/kconfig/symbol.c:985:9: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/kconfig/symbol.c:985:40: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
In file included from scripts/kconfig/zconf.tab.c:2503:0:
scripts/kconfig/menu.c: In function ‘menu_set_type’:
scripts/kconfig/menu.c:116:16: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  HOSTLD  scripts/kconfig/conf
scripts/kconfig/conf --silentoldconfig Kconfig
***
*** Configuration file ".config" not found!
***
*** Please run some configurator (e.g. "make oldconfig" or
*** "make menuconfig" or "make xconfig").
***
make[2]: *** [silentoldconfig] Error 1
make[1]: *** [silentoldconfig] Error 2
make: *** No rule to make target `include/config/auto.conf', needed by `include/config/kernel.release'.  Stop.
me@mybox:/some-dir/src/linux-3.11.6$
Sure enough. No .config in there... No big deal, *that* is no big deal...

For amd64, try fiddling with mine, that I'll attach or post complete... No warranties, pls! At your own risk. It works for me, just defended me from a bruteforce attack, that's what I can tell...

EDIT START
Thu Oct 31 17:35:20 UTC 2013
Here is the actual config that I used back yesterday when I posted this tip.
http://forums.debian.net/viewtopic.php? ... 81#p517006
EDIT END

This is what my /boot looks like:

Code:

root@mybox:/some-dir/mr# ls -l /boot/
total 57471
-rw-r--r-- 1 root root   126974 Aug  7 04:37 config-3.10.5-grsec-130807
-rw-r--r-- 1 root root   126725 Aug 28 01:47 config-3.10.9-grsec-130827
-rw-r--r-- 1 root root   128663 Oct  9 06:37 config-3.11.3-grsec-131009
-rw-r--r-- 1 root root   129038 Mar 26  2013 config-3.2.0-4-amd64
drwxr-xr-x 3 root root     5120 Oct 28 15:58 grub
-rw-r--r-- 1 root root 11189354 Aug  7 05:05 initrd.img-3.10.5-grsec-130807
-rw-r--r-- 1 root root 11309328 Oct 11 02:06 initrd.img-3.10.9-grsec-130827
-rw-r--r-- 1 root root 11371623 Oct 11 02:07 initrd.img-3.11.3-grsec-131009
-rw-r--r-- 1 root root  3372771 Apr 17  2013 initrd.img-3.2.0-4-amd64
drwx------ 2 root root     1024 Sep 18 15:22 lost+found
-rw-r--r-- 1 root root  2171130 Aug  7 04:37 System.map-3.10.5-grsec-130807
-rw-r--r-- 1 root root  2180693 Aug 28 01:47 System.map-3.10.9-grsec-130827
-rw-r--r-- 1 root root  2220919 Oct  9 06:37 System.map-3.11.3-grsec-131009
-rw-r--r-- 1 root root  2105340 Mar 26  2013 System.map-3.2.0-4-amd64
-rw-r--r-- 1 root root  2972112 Aug  7 04:37 vmlinuz-3.10.5-grsec-130807
-rw-r--r-- 1 root root  3167504 Aug 28 01:47 vmlinuz-3.10.9-grsec-130827
-rw-r--r-- 1 root root  3181136 Oct  9 06:37 vmlinuz-3.11.3-grsec-131009
-rw-r--r-- 1 root root  2833216 Mar 26  2013 vmlinuz-3.2.0-4-amd64
root@mybox:/some-dir/mr#
The old vmlinuz-3.2.0-4-amd64 is the stock Debian kernel. I haven't used it in months. The *-3.2.0-4-amd64 pack, actually, is what we are talking about.

And the three other packs are some of the more recent grsec kernels that I've compiled.

We'll take the latest config, sure.

Code:

me@mybox:/some-dir/src/linux-3.11.6$ cp /boot/config-3.11.3-grsec-131009 .config
However, if you use some other config file, pls. take good care to get rid of any SELinux configuration options. Basically, or in simplified terms, and trying hard not to get into gory political (and worse) details, SELinux and Grsecurity are not compatible, at least in some of the possible semantics/meanings/senses.

If you do use some other config-XYZ-whatever, I advise you to look up here:
https://forums.grsecurity.net/viewtopic.php?f=3&t=3712
and grep it for selin:

Code:

# cat /boot/config-3.10.9-grsec-130821 | grep -i selin
#
Pls. read there for more.

Code:

me@mybox:/some-dir/src/linux-3.11.6$ make menuconfig
  HOSTCC  scripts/kconfig/lxdialog/checklist.o
scripts/kconfig/lxdialog/checklist.c: In function ‘dialog_checklist’:
scripts/kconfig/lxdialog/checklist.c:182:13: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/kconfig/lxdialog/checklist.c:182:13: warning: signed and unsigned type in conditional expression [-Wsign-compare]
  HOSTCC  scripts/kconfig/lxdialog/inputbox.o
  HOSTCC  scripts/kconfig/lxdialog/menubox.o
  HOSTCC  scripts/kconfig/lxdialog/textbox.o
scripts/kconfig/lxdialog/textbox.c: In function ‘print_line’:
scripts/kconfig/lxdialog/textbox.c:346:10: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/kconfig/lxdialog/textbox.c:346:10: warning: signed and unsigned type in conditional expression [-Wsign-compare]
scripts/kconfig/lxdialog/textbox.c:349:22: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/kconfig/lxdialog/textbox.c:349:22: warning: signed and unsigned type in conditional expression [-Wsign-compare]
  HOSTCC  scripts/kconfig/lxdialog/util.o
scripts/kconfig/lxdialog/util.c: In function ‘dialog_clear’:
scripts/kconfig/lxdialog/util.c:294:13: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/kconfig/lxdialog/util.c: In function ‘print_title’:
scripts/kconfig/lxdialog/util.c:368:14: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/kconfig/lxdialog/util.c:368:14: warning: signed and unsigned type in conditional expression [-Wsign-compare]
scripts/kconfig/lxdialog/util.c: In function ‘print_autowrap’:
scripts/kconfig/lxdialog/util.c:415:34: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/kconfig/lxdialog/util.c: In function ‘first_alpha’:
scripts/kconfig/lxdialog/util.c:536:16: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  HOSTCC  scripts/kconfig/lxdialog/yesno.o
  HOSTCC  scripts/kconfig/mconf.o
scripts/kconfig/mconf.c: In function ‘set_config_filename’:
scripts/kconfig/mconf.c:305:11: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/kconfig/mconf.c:310:11: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  HOSTLD  scripts/kconfig/mconf
scripts/kconfig/mconf Kconfig
And at this point here the terminal is taken over by the menuconfig.

I'll mark what you need to select (using arrow keys) with "---->" on the left of the column of selectable entries.

In the first paste below you can see there is "---->" on the left of General setup. Select it and click Enter.

Code:

.config - Linux/x86 3.11.6 Kernel Configuration
 ───────────────────────────────────────────────────────────────────────────────────────────────
  ┌───────────────────────── Linux/x86 3.11.6 Kernel Configuration ──────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │  
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │  
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │  
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │  
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │  
  │ │        [*] 64-bit kernel                                                             │ │  
  │ │ ---->      General setup  --->                                                       │ │  
  │ │        [*] Enable loadable module support  --->                                      │ │  
  │ │        -*- Enable the block layer  --->                                              │ │  
  │ │            Processor type and features  --->                                         │ │  
  │ │            Power management and ACPI options  --->                                   │ │  
  │ │            Bus options (PCI etc.)  --->                                              │ │  
  │ │            Executable file formats / Emulations  --->                                │ │  
  │ │        -*- Networking support  --->                                                  │ │  
  │ │            Device Drivers  --->                                                      │ │  
  │ │            Firmware Drivers  --->                                                    │ │  
  │ │            File systems  --->                                                        │ │  
  │ │            Kernel hacking  --->                                                      │ │  
  │ │            Security options  --->                                                    │ │  
  │ │        -*- Cryptographic API  --->                                                   │ │  
  │ │        [*] Virtualization  --->                                                      │ │  
  │ │            Library routines  --->                                                    │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │  
  ├──────────────────────────────────────────────────────────────────────────────────────────┤  
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │  
  └──────────────────────────────────────────────────────────────────────────────────────────┘  
    

Code:

.config - Linux/x86 3.11.6 Kernel Configuration
 > General setup ───────────────────────────────────────────────────────────────────────────────
  ┌───────────────────────────────────── General setup ──────────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │  
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │  
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │  
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │  
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │  
  │ │        ()  Cross-compiler tool prefix                                                │ │  
  │ │        [ ] Compile also drivers which will not load                                  │ │  
  │ │  ----> (-131009) Local version - append to kernel release                            │ │  
  │ │        [ ] Automatically append version information to the version string            │ │  
  │ │            Kernel compression mode (Gzip)  --->                                      │ │  
  │ │        ((none)) Default hostname                                                     │ │  
  │ │        [*] Support for paging of anonymous memory (swap)                             │ │  
  │ │        [*] System V IPC                                                              │ │  
  │ │        [*] POSIX Message Queues                                                      │ │  
  │ │        [*] open by fhandle syscalls                                                  │ │  
  │ │        [*] Auditing support                                                          │ │  
  │ │        [*]   Enable system-call auditing support                                     │ │  
  │ │        [ ]   Make audit loginuid immutable                                           │ │  
  │ │            IRQ subsystem  --->                                                       │ │  
  │ │            Timers subsystem  --->                                                    │ │  
  │ │            CPU/Task time and stats accounting  --->                                  │ │  
  │ │            RCU Subsystem  --->                                                       │ │  
  │ │        < > Kernel .config support                                                    │ │  
  │ │        (17) Kernel log buffer size (16 => 64KB, 17 => 128KB)                         │ │  
  │ └────────┴(+)──────────────────────────────────────────────────────────────────────────┘ │  
  ├──────────────────────────────────────────────────────────────────────────────────────────┤  
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │  
  └──────────────────────────────────────────────────────────────────────────────────────────┘  
Of course the following is an optional change. But I like my kernels with local versions.

Code:

.config - Linux/x86 3.11.6 Kernel Configuration
 > General setup ───────────────────────────────────────────────────────────────────────────────









           ┌─────────────── Local version - append to kernel release ────────────────┐
           │  Please enter a string value. Use the <TAB> key to move from the input  │  
           │  field to the buttons below it.                                         │  
           │ ┌─────────────────────────────────────────────────────────────────────┐ │  
           │ │-131009                                                              │ │  
           │ └─────────────────────────────────────────────────────────────────────┘ │  
           │                                                                         │  
           ├─────────────────────────────────────────────────────────────────────────┤  
           │                         <  Ok  >      < Help >                          │  
           └─────────────────────────────────────────────────────────────────────────┘  
                                                                                        









Code:

 .config - Linux/x86 3.11.6 Kernel Configuration
 > General setup ───────────────────────────────────────────────────────────────────────────────









           ┌─────────────── Local version - append to kernel release ────────────────┐
           │  Please enter a string value. Use the <TAB> key to move from the input  │  
           │  field to the buttons below it.                                         │  
           │ ┌─────────────────────────────────────────────────────────────────────┐ │  
           │ │-131029                                                              │ │  
           │ └─────────────────────────────────────────────────────────────────────┘ │  
           │                                                                         │  
           ├─────────────────────────────────────────────────────────────────────────┤  
           │                         <  Ok  >      < Help >                          │  
           └─────────────────────────────────────────────────────────────────────────┘  
      


That above I did using backspace two times and typing 29.
Back we go now.

Code:

 .config - Linux/x86 3.11.6 Kernel Configuration
 ───────────────────────────────────────────────────────────────────────────────────────────────
  ┌───────────────────────── Linux/x86 3.11.6 Kernel Configuration ──────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │  
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │  
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │  
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │  
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │  
  │ │        [*] 64-bit kernel                                                             │ │  
  │ │            General setup  --->                                                       │ │  
  │ │        [*] Enable loadable module support  --->                                      │ │  
  │ │        -*- Enable the block layer  --->                                              │ │  
  │ │            Processor type and features  --->                                         │ │  
  │ │            Power management and ACPI options  --->                                   │ │  
  │ │            Bus options (PCI etc.)  --->                                              │ │  
  │ │            Executable file formats / Emulations  --->                                │ │  
  │ │        -*- Networking support  --->                                                  │ │  
  │ │            Device Drivers  --->                                                      │ │  
  │ │            Firmware Drivers  --->                                                    │ │  
  │ │            File systems  --->                                                        │ │  
  │ │            Kernel hacking  --->                                                      │ │  
  │ │  ---->     Security options  --->                                                    │ │  
  │ │        -*- Cryptographic API  --->                                                   │ │  
  │ │        [*] Virtualization  --->                                                      │ │  
  │ │            Library routines  --->                                                    │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │  
  ├──────────────────────────────────────────────────────────────────────────────────────────┤  
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │  
  └──────────────────────────────────────────────────────────────────────────────────────────┘  

Code:

.config - Linux/x86 3.11.6 Kernel Configuration
 > Security options ────────────────────────────────────────────────────────────────────────────
  ┌──────────────────────────────────── Security options ────────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │  
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │  
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │  
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │  
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │  
  │ │  ---->     Grsecurity  --->                                                          │ │  
  │ │        -*- Enable access key retention support                                       │ │  
  │ │        < >   TRUSTED KEYS                                                            │ │  
  │ │        < >   ENCRYPTED KEYS                                                          │ │  
  │ │        [ ]   Enable the /proc/keys file by which keys may be viewed                  │ │  
  │ │        [ ] Restrict unprivileged access to the kernel syslog                         │ │  
  │ │        [ ] Enable different security models                                          │ │  
  │ │        -*- Enable the securityfs filesystem                                          │ │  
  │ │        [ ] Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)               │ │  
  │ │            Default security module (Unix Discretionary Access Controls)  --->        │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │  
  ├──────────────────────────────────────────────────────────────────────────────────────────┤  
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │  
  └──────────────────────────────────────────────────────────────────────────────────────────┘  

Code:

 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity ───────────────────────────────────────────────────────────────
  ┌─────────────────────────────────────── Grsecurity ───────────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │  
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │  
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │  
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │  
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │  
  │ │        [*] Grsecurity                                                                │ │  
  │ │              Configuration Method (Custom)  --->                                     │ │  
  │ │              Customize Configuration  --->                                           │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │  
  ├──────────────────────────────────────────────────────────────────────────────────────────┤  
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │  
  └──────────────────────────────────────────────────────────────────────────────────────────┘  

Code:

 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity ───────────────────────────────────────────────────────────────







                ┌──────────────────── Configuration Method ─────────────────────┐
                │  Use the arrow keys to navigate this window or press the      │  
                │  hotkey of the item you wish to select followed by the <SPACE │  
                │  BAR>. Press <?> for additional information about this        │  
                │ ┌───────────────────────────────────────────────────────────┐ │  
                │ │                       ( ) Automatic                       │ │  
                │ │                       (X) Custom                          │ │  
                │ │                                                           │ │  
                │ │                                                           │ │  
                │ │                                                           │ │  
                │ │                                                           │ │  
                │ └───────────────────────────────────────────────────────────┘ │  
                ├───────────────────────────────────────────────────────────────┤  
                │                    <Select>      < Help >                     │  
                └───────────────────────────────────────────────────────────────┘  
      

Back we go now.
And you can see where we are by the line underneath:
".config - Linux/x86 3.11.6 Kernel Configuration" which I leave intact in all the pastes.
So if from now on I leave out marking what to select with "---->", you can still know how to get there.

Code:

 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration ─────────────────────────────────────
  ┌──────────────────────────────── Customize Configuration ─────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │  
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │  
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │  
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │  
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │  
  │ │            PaX  --->                                                                 │ │  
  │ │            Memory Protections  --->                                                  │ │  
  │ │            Role Based Access Control Options  --->                                   │ │  
  │ │            Filesystem Protections  --->                                              │ │  
  │ │            Kernel Auditing  --->                                                     │ │  
  │ │            Executable Protections  --->                                              │ │  
  │ │            Network Protections  --->                                                 │ │  
  │ │            Physical Protections  --->                                                │ │  
  │ │            Sysctl Support  --->                                                      │ │  
  │ │            Logging Options  --->                                                     │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │  
  ├──────────────────────────────────────────────────────────────────────────────────────────┤  
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │  
  └──────────────────────────────────────────────────────────────────────────────────────────┘  

Code:

 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > PaX ───────────────────────────────
  ┌────────────────────────────────────────── PaX ───────────────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │  
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │  
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │  
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │  
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │  
  │ │        [*] Enable various PaX features                                               │ │  
  │ │              PaX Control  --->                                                       │ │  
  │ │              Non-executable pages  --->                                              │ │  
  │ │              Address Space Layout Randomization  --->                                │ │  
  │ │            Miscellaneous hardening features  --->                                    │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │  
  ├──────────────────────────────────────────────────────────────────────────────────────────┤  
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │  
  └──────────────────────────────────────────────────────────────────────────────────────────┘  

Code:

 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > PaX > PaX Control ─────────────────
  ┌────────────────────────────────────── PaX Control ───────────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │  
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │  
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │  
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │  
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │  
  │ │        [ ] Support soft mode                                                         │ │  
  │ │        [ ] Use legacy ELF header marking                                             │ │  
  │ │        [*] Use ELF program header marking                                            │ │  
  │ │        [ ] Use filesystem extended attributes marking                                │ │  
  │ │            MAC system integration (none)  --->                                       │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │  
  ├──────────────────────────────────────────────────────────────────────────────────────────┤  
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │  
  └──────────────────────────────────────────────────────────────────────────────────────────┘  
I am no expert at all. I don't understand even some of the explanations in the help, occasionally... I am open to learn from people who know more than me.

I don't claim that my choices are the best, esp. because I don't always have enough time to dig deep enough to weigh pros and cons in so many of the options that Grsec/Pax presents us with.

But I am trying to make a user-to-user tips-and-tricks page here on Debian forums because I believe in freedom and privacy and I believe that there is hardly good privacy for a beginner's Debian machine without Grsec/Pax kernel. And I believe privacy is essential for freedom.

I'll make a digression to paste some of the help, precisely because e.g. users of Skype (I am not one of those currently) will find how their .config will probably need to differ here from mine.

Code:

 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > PaX > PaX Control ─────────────────
  ┌─────────────────────── Use filesystem extended attributes marking ───────────────────────┐
  │ CONFIG_PAX_XATTR_PAX_FLAGS:                                                              │  
  │                                                                                          │  
  │ Enabling this option will allow you to control PaX features on                           │  
  │ a per executable basis via the 'setfattr' utility.  The control                          │  
  │ flags will be read from the user.pax.flags extended attribute of                         │  
  │ the file.  This marking has the benefit of supporting binary-only                        │  
  │ applications that self-check themselves (e.g., skype) and would                          │  
  │ not tolerate chpax/paxctl changes.  The main drawback is that                            │  
  │ extended attributes are not supported by some filesystems (e.g.,                         │  
  │ isofs, udf, vfat) so copying files through such filesystems will                         │  
  │ lose the extended attributes and these PaX markings.                                     │  
  │                                                                                          │  
  │ Note that if you enable the legacy EI_PAX marking support as well,                       │  
  │ the EI_PAX marks will be overridden by the XATTR_PAX_FLAGS marks.                        │  
  │                                                                                          │  
  │ If you enable both PT_PAX_FLAGS and XATTR_PAX_FLAGS support then you                     │  
  │ must make sure that the marks are the same if a binary has both marks.                   │  
  │                                                                                          │  
  │ If you enable none of the marking options then all applications                          │  
  │ will run with PaX enabled on them by default.                                            │  
  │                                                                                          │  
  │ Symbol: PAX_XATTR_PAX_FLAGS [=n]                                                         │  
  │ Type  : boolean                                                                          │  
  │ Prompt: Use filesystem extended attributes marking                                       │  
  │   Location:                                                                              │  
  ├──────────────────────────────────────────────────────────────────────────────────( 68%)──┤  
  │                                         < Exit >                                         │  
  └──────────────────────────────────────────────────────────────────────────────────────────┘  
I, myself, still have only:

Code:

  │ │        [*] Use ELF program header marking                                            │ │  
selected.

But I want to make another digression here. For two reasons.

Firstly, so that newbies understand what a blessing GNU/Debian is (notwithstanding that I have a few complaints about it, which I do occasionally publicly declare), in comparison with any closed source such as Microsoft in this current digression.

Secondly, how superb the program Grsecurity is, namely so great that of all security options that the wide world offers, Microsoft chose to kind of steal exactly Grsecurity for its Skype deployment!

Pls. the links for your kind perusal:
http://expertmiami.blogspot.com/2012/05 ... nodes.html
http://arstechnica.com/business/2012/05 ... microsoft/

and, esp. for the less initiated, pls. find my take on it here:

https://forums.grsecurity.net/viewtopic ... 594#p13203

Code:

 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > PaX > PaX Control ─────────────────
  ┌────────────────────────────────────── PaX Control ───────────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │  
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │  
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │  
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │  
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │  
  │ │        [ ] Support soft mode                                                         │ │  
  │ │        [ ] Use legacy ELF header marking                                             │ │  
  │ │        [*] Use ELF program header marking                                            │ │  
  │ │        [ ] Use filesystem extended attributes marking                                │ │  
  │ │            MAC system integration (none)  --->                                       │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │  
  ├──────────────────────────────────────────────────────────────────────────────────────────┤  
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │  
  └──────────────────────────────────────────────────────────────────────────────────────────┘  

Code:

 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > PaX > PaX Control ─────────────────







                ┌─────────────────── MAC system integration ────────────────────┐
                │  Use the arrow keys to navigate this window or press the      │  
                │  hotkey of the item you wish to select followed by the <SPACE │  
                │  BAR>. Press <?> for additional information about this        │  
                │ ┌───────────────────────────────────────────────────────────┐ │  
                │ │                        (X) none                           │ │  
                │ │                        ( ) direct                         │ │  
                │ │                        ( ) hook                           │ │  
                │ │                                                           │ │  
                │ │                                                           │ │  
                │ │                                                           │ │  
                │ └───────────────────────────────────────────────────────────┘ │  
                ├───────────────────────────────────────────────────────────────┤  
                │                    <Select>      < Help >                     │  
                └───────────────────────────────────────────────────────────────┘  
                                                                                   


Part 3 is to follow.
Last edited by timbgo on 2013-10-31 17:33, edited 5 times in total.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?
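An added example of what the "Use ELF program header marking" option in the post above actually reads: with that option the kernel takes a binary's PaX flags from a PT_PAX_FLAGS program header, and the help text quoted in the post warns that if xattr marking is enabled too, both marks have to agree. The parser below (my code, not from the post or from the grsecurity project) locates that header in a little-endian ELF64 image and decodes its p_flags; the type value 0x65041580 and the PF_* bit positions are those of PaX's elf.h, and the sample ELF it builds is a constructed stub, not a real executable.

```python
"""Find and decode the PaX PT_PAX_FLAGS program header of an ELF64 file.

Added example; constants follow PaX's elf.h.  The sample image built by
build_sample_elf() is constructed here for demonstration only.
"""
import struct

PT_PAX_FLAGS = 0x65041580  # program header type PaX uses for its marks

# (feature, enable bit, disable bit) as defined in PaX's elf.h
PAX_FEATURES = (
    ("PAGEEXEC", 1 << 4, 1 << 5),
    ("SEGMEXEC", 1 << 6, 1 << 7),
    ("MPROTECT", 1 << 8, 1 << 9),
    ("RANDEXEC", 1 << 10, 1 << 11),
    ("EMUTRAMP", 1 << 12, 1 << 13),
    ("RANDMMAP", 1 << 14, 1 << 15),
)


def find_pax_flags(elf: bytes):
    """Return p_flags of the PT_PAX_FLAGS header, or None if absent.

    Only little-endian ELF64 is handled (the x86-64 case of the post).
    """
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled")
    # Elf64_Ehdr: e_phoff at 0x20, e_phentsize at 0x36, e_phnum at 0x38
    e_phoff = struct.unpack_from("<Q", elf, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", elf, off)
        if p_type == PT_PAX_FLAGS:
            return p_flags
    return None


def read_pax_flags(path: str):
    """Convenience wrapper: decode the PT_PAX_FLAGS header of a file on disk."""
    with open(path, "rb") as f:
        return find_pax_flags(f.read())


def decode_pax_flags(p_flags: int) -> dict:
    """Map each PaX feature to 'on', 'off', 'default' or 'conflict'.

    'default': neither bit set, the kernel's compiled-in default applies.
    'conflict': both the enable and the disable bit set, which PaX rejects.
    """
    result = {}
    for name, on_bit, off_bit in PAX_FEATURES:
        on = bool(p_flags & on_bit)
        off = bool(p_flags & off_bit)
        if on and off:
            result[name] = "conflict"
        elif on:
            result[name] = "on"
        elif off:
            result[name] = "off"
        else:
            result[name] = "default"
    return result


def build_sample_elf(pax_flags: int) -> bytes:
    """Constructed minimal ELF64 image carrying one PT_PAX_FLAGS header.

    Just enough header structure for the parser; it is not runnable code.
    """
    ehdr = bytearray(64)
    ehdr[:4] = b"\x7fELF"
    ehdr[4] = 2                                   # ELFCLASS64
    ehdr[5] = 1                                   # ELFDATA2LSB
    ehdr[6] = 1                                   # EV_CURRENT
    struct.pack_into("<Q", ehdr, 0x20, 64)        # e_phoff: right after ehdr
    struct.pack_into("<HH", ehdr, 0x36, 56, 1)   # e_phentsize, e_phnum
    # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr,
    #             p_filesz, p_memsz, p_align
    phdr = struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, pax_flags, 0, 0, 0, 0, 0, 0)
    return bytes(ehdr) + phdr


if __name__ == "__main__":
    # Constructed mark: MPROTECT and RANDMMAP explicitly on, EMUTRAMP off.
    sample = build_sample_elf((1 << 8) | (1 << 14) | (1 << 13))
    for feature, state in decode_pax_flags(find_pax_flags(sample)).items():
        print(f"{feature:9s} {state}")
```

Run read_pax_flags() on a real binary to see which features its header pins and which are left to the kernel default; a None result means the binary carries no PT_PAX_FLAGS header at all.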

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#3 Post by timbgo »

Part 3

Code:

.config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > PaX ───────────────────────────────
  ┌────────────────────────────────────────── PaX ───────────────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │  
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │  
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │  
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │  
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │  
  │ │        [*] Enable various PaX features                                               │ │  
  │ │              PaX Control  --->                                                       │ │  
  │ │              Non-executable pages  --->                                              │ │  
  │ │              Address Space Layout Randomization  --->                                │ │  
  │ │            Miscellaneous hardening features  --->                                    │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │  
  ├──────────────────────────────────────────────────────────────────────────────────────────┤  
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │  
  └──────────────────────────────────────────────────────────────────────────────────────────┘  




Code:

 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > PaX > Non-executable pages ────────
  ┌────────────────────────────────── Non-executable pages ──────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │  
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │  
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │  
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │  
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │  
  │ │        [*] Enforce non-executable pages                                              │ │  
  │ │        [*]   Paging based non-executable pages                                       │ │  
  │ │        [*] Emulate trampolines                                                       │ │  
  │ │        [*] Restrict mprotect()                                                       │ │  
  │ │        [*]   Use legacy/compat protection demoting (read help)                       │ │  
  │ │        [ ]   Allow ELF text relocations (read help)                                  │ │  
  │ │        [ ] Enforce non-executable kernel pages                                       │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │  
  ├──────────────────────────────────────────────────────────────────────────────────────────┤  
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │  
  └──────────────────────────────────────────────────────────────────────────────────────────┘  

Code:

 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > PaX ───────────────────────────────
  ┌────────────────────────────────────────── PaX ───────────────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │  
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │  
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │  
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │  
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │  
  │ │        [*] Enable various PaX features                                               │ │  
  │ │              PaX Control  --->                                                       │ │  
  │ │              Non-executable pages  --->                                              │ │  
  │ │              Address Space Layout Randomization  --->                                │ │  
  │ │            Miscellaneous hardening features  --->                                    │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │  
  ├──────────────────────────────────────────────────────────────────────────────────────────┤  
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │  
  └──────────────────────────────────────────────────────────────────────────────────────────┘  

Code:

 .config - Linux/x86 3.11.6 Kernel Configuration
 [...] ptions > Grsecurity > Customize Configuration > PaX > Address Space Layout Randomization
  ┌─────────────────────────── Address Space Layout Randomization ───────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │  
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │  
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │  
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │  
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │  
  │ │        [*] Address Space Layout Randomization                                        │ │  
  │ │        [*] Randomize kernel stack base                                               │ │  
  │ │        [*] Randomize user stack base                                                 │ │  
  │ │        [*] Randomize mmap() base                                                     │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │  
  ├──────────────────────────────────────────────────────────────────────────────────────────┤  
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │  
  └──────────────────────────────────────────────────────────────────────────────────────────┘  

Code:

 .config - Linux/x86 3.11.6 Kernel Configuration
 [...]  options > Grsecurity > Customize Configuration > PaX > Miscellaneous hardening features
  ┌──────────────────────────── Miscellaneous hardening features ────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │  
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │  
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │  
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │  
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │  
  │ │        [*] Sanitize all freed memory                                                 │ │  
  │ │        [*] Sanitize kernel stack                                                     │ │  
  │ │        [*] Forcibly initialize local variables copied to userland                    │ │  
  │ │        [*] Prevent invalid userland pointer dereference                              │ │  
  │ │        [*] Prevent various kernel object reference counter overflows                 │ │  
  │ │        [*] Harden heap object copies between kernel and userland                     │ │  
  │ │        [*] Prevent various integer overflows in function size parameters             │ │  
  │ │        [ ] Generate some entropy during boot and runtime                             │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │  
  ├──────────────────────────────────────────────────────────────────────────────────────────┤  
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │  
  └──────────────────────────────────────────────────────────────────────────────────────────┘  

Code:

 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > Memory Protections ────────────────
  ┌─────────────────────────────────── Memory Protections ───────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │  
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │  
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │  
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │  
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │  
  │ │        [*] Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port                │ │  
  │ │        [ ] Disable privileged I/O                                                    │ │  
  │ │        [*] Harden BPF JIT against spray attacks                                      │ │  
  │ │        [*] Disable unprivileged PERF_EVENTS usage by default                         │ │  
  │ │        [*] Insert random gaps between thread stacks                                  │ │  
  │ │        [*] Harden ASLR against information leaks and entropy reduction               │ │  
  │ │        [*] Deter exploit bruteforcing                                                │ │  
  │ │        [ ] Harden module auto-loading                                                │ │  
  │ │        [*] Hide kernel symbols                                                       │ │  
  │ │        [*] Active kernel exploit response                                            │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │  
  ├──────────────────────────────────────────────────────────────────────────────────────────┤  
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │  
  └──────────────────────────────────────────────────────────────────────────────────────────┘  

Code:

 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > Role Based Access Control Options ─
  ┌─────────────────────────── Role Based Access Control Options ────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │  
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │  
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │  
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │  
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │  
  │ │        [ ] Disable RBAC system                                                       │ │  
  │ │        [*] Hide kernel processes                                                     │ │  
  │ │        (3) Maximum tries before password lockout                                     │ │  
  │ │        (30) Time to wait after max password tries, in seconds                        │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │  
  ├──────────────────────────────────────────────────────────────────────────────────────────┤  
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │  
  └──────────────────────────────────────────────────────────────────────────────────────────┘  

Code:

 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > Filesystem Protections ────────────
  ┌───────────────────────────────── Filesystem Protections ─────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │  
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │  
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │  
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │  
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │  
  │ │        [*] Proc restrictions                                                         │ │  
  │ │        [ ]   Restrict /proc to user only                                             │ │  
  │ │        [ ]     Allow special group                                                   │ │  
  │ │        [*] Linking restrictions                                                      │ │  
  │ │        [ ] Kernel-enforced SymlinksIfOwnerMatch                                      │ │  
  │ │        [*] FIFO restrictions                                                         │ │  
  │ │        [*] Sysfs/debugfs restriction                                                 │ │  
  │ │        [*] Runtime read-only mount protection                                        │ │  
  │ │        [*] Eliminate stat/notify-based device sidechannels                           │ │  
  │ │        [*] Chroot jail restrictions                                                  │ │  
  │ │        [*]   Deny mounts                                                             │ │  
  │ │        [*]   Deny double-chroots                                                     │ │  
  │ │        [*]   Deny pivot_root in chroot                                               │ │  
  │ │        [*]   Enforce chdir("/") on all chroots                                       │ │  
  │ │        [*]   Deny (f)chmod +s                                                        │ │  
  │ │        [*]   Deny fchdir out of chroot                                               │ │  
  │ │        [*]   Deny mknod                                                              │ │  
  │ │        [*]   Deny shmat() out of chroot                                              │ │  
  │ │        [*]   Deny access to abstract AF_UNIX sockets out of chroot                   │ │  
  │ │        [*]   Protect outside processes                                               │ │  
  │ │        [*]   Restrict priority changes                                               │ │  
  │ │        [*]   Deny sysctl writes                                                      │ │  
  │ │        [*]   Capability restrictions                                                 │ │  
  │ │        [ ]   Exempt initrd tasks from restrictions                                   │ │  
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │  
  ├──────────────────────────────────────────────────────────────────────────────────────────┤  
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │  
  └──────────────────────────────────────────────────────────────────────────────────────────┘  

Code:

 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > Kernel Auditing ───────────────────
  ┌──────────────────────────────────── Kernel Auditing ─────────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │  
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │  
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │  
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │  
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │  
  │ │        [ ] Single group for auditing                                                 │ │  
  │ │        [*] Exec logging                                                              │ │  
  │ │        [*] Resource logging                                                          │ │  
  │ │        [*] Log execs within chroot                                                   │ │  
  │ │        [*] Ptrace logging                                                            │ │  
  │ │        [*] Chdir logging                                                             │ │  
  │ │        [*] (Un)Mount logging                                                         │ │  
  │ │        [*] Signal logging                                                            │ │  
  │ │        [*] Fork failure logging                                                      │ │  
  │ │        [*] Time change logging                                                       │ │  
  │ │        [*] /proc/<pid>/ipaddr support                                                │ │  
  │ │        [*] Denied RWX mmap/mprotect logging                                          │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │  
  ├──────────────────────────────────────────────────────────────────────────────────────────┤  
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │  
  └──────────────────────────────────────────────────────────────────────────────────────────┘  

Code:

 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > Executable Protections ────────────
  ┌───────────────────────────────── Executable Protections ─────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │  
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │  
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │  
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │  
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │  
  │ │        [*] Dmesg(8) restriction                                                      │ │  
  │ │        [*] Deter ptrace-based process snooping                                       │ │  
  │ │        [*] Require read access to ptrace sensitive binaries                          │ │  
  │ │        [*] Enforce consistent multithreaded privileges                               │ │  
  │ │        [ ] Trusted Path Execution (TPE)                                              │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │  
  ├──────────────────────────────────────────────────────────────────────────────────────────┤  
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │  
  └──────────────────────────────────────────────────────────────────────────────────────────┘  

Code:

 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > Network Protections ───────────────
  ┌────────────────────────────────── Network Protections ───────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │  
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │  
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │  
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │  
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │  
  │ │        [*] Larger entropy pools                                                      │ │  
  │ │        [*] TCP/UDP blackhole and LAST_ACK DoS prevention                             │ │  
  │ │        [*] Disable TCP Simultaneous Connect                                          │ │  
  │ │        [ ] Socket restrictions                                                       │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │  
  ├──────────────────────────────────────────────────────────────────────────────────────────┤  
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │  
  └──────────────────────────────────────────────────────────────────────────────────────────┘  

Code:

 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > Physical Protections ──────────────
  ┌────────────────────────────────── Physical Protections ──────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │  
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │  
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │  
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │  
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │  
  │ │        [ ] Deny new USB connections after toggle                                     │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │  
  ├──────────────────────────────────────────────────────────────────────────────────────────┤  
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │  
  └──────────────────────────────────────────────────────────────────────────────────────────┘  

Code:

 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > Sysctl Support ────────────────────
  ┌───────────────────────────────────── Sysctl Support ─────────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │  
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │  
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │  
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │  
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │  
  │ │        [*] Sysctl support                                                            │ │  
  │ │        [*]   Turn on features by default                                             │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │  
  ├──────────────────────────────────────────────────────────────────────────────────────────┤  
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │  
  └──────────────────────────────────────────────────────────────────────────────────────────┘  

Code:

 .config - Linux/x86 3.11.6 Kernel Configuration
 > Security options > Grsecurity > Customize Configuration > Logging Options ───────────────────
  ┌──────────────────────────────────── Logging Options ─────────────────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty submenus ----).  │  
  │  Highlighted letters are hotkeys.  Pressing <Y> includes, <N> excludes, <M> modularizes  │  
  │  features.  Press <Esc><Esc> to exit, <?> for Help, </> for Search.  Legend: [*]         │  
  │  built-in  [ ] excluded  <M> module  < > module capable                                  │  
  │ ┌──────────────────────────────────────────────────────────────────────────────────────┐ │  
  │ │        (10) Seconds in between log messages (minimum)                                │ │  
  │ │        (6) Number of messages in a burst (maximum)                                   │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ │                                                                                      │ │  
  │ └──────────────────────────────────────────────────────────────────────────────────────┘ │  
  ├──────────────────────────────────────────────────────────────────────────────────────────┤  
  │                 <Select>    < Exit >    < Help >    < Save >    < Load >                 │  
  └──────────────────────────────────────────────────────────────────────────────────────────┘  

That's all the configuration. I admit I haven't had time to reread most of the help of the options since maybe a few months ago. But I did spend quite a few afternoons studying Grsecurity/Pax previously! And I don't regret it one bit! Instead I hope I will dig much deeper some day into how to better yet use the protections that these programs afford.

Once the configuration is completed (of course you might need to configure the "pristine" kernel for completely different issues than Grsec/Pax now as well).

But once you are done, and once you have saved the menuconfig and exited, this is what you see:

Code:

configuration written to .config

*** End of the configuration.
*** Execute 'make' to start the build or try 'make help'.
Part 4 is to follow.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#4 Post by timbgo »

Part 4

Now, as normal user:

Code:

me@mybox:/some-dir/src/linux-3.11.6$ fakeroot make deb-pkg
scripts/kconfig/conf --silentoldconfig Kconfig
make KBUILD_SRC=
  HOSTCXX -fPIC tools/gcc/colorize_plugin.o
  GENHASH  /some-dir/src/linux-3.11.6/tools/gcc/size_overflow_hash.h
  HOSTCXX -fPIC tools/gcc/size_overflow_plugin.o
  HOSTCXX -fPIC tools/gcc/stackleak_plugin.o
  HOSTCXX -fPIC tools/gcc/structleak_plugin.o
  HOSTLLD -shared tools/gcc/stackleak_plugin.so
  HOSTLLD -shared tools/gcc/colorize_plugin.so
  HOSTLLD -shared tools/gcc/size_overflow_plugin.so
  HOSTLLD -shared tools/gcc/structleak_plugin.so
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_64.h
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_x32.h
  SYSTBL  arch/x86/syscalls/../include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/syscalls/../include/generated/asm/unistd_32_ia32.h
  SYSHDR  arch/x86/syscalls/../include/generated/asm/unistd_64_x32.h
  SYSTBL  arch/x86/syscalls/../include/generated/asm/syscalls_64.h
  HOSTCC  arch/x86/tools/relocs_32.o
  HOSTCC  arch/x86/tools/relocs_64.o
In file included from arch/x86/tools/relocs_64.c:17:0:
arch/x86/tools/relocs.c: In function ‘do_reloc64’:
arch/x86/tools/relocs.c:798:24: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  HOSTCC  arch/x86/tools/relocs_common.o
  HOSTLD  arch/x86/tools/relocs
  WRAP    arch/x86/include/generated/asm/clkdev.h
  CHK     include/generated/uapi/linux/version.h
  UPD     include/generated/uapi/linux/version.h
  CHK     include/generated/utsrelease.h
  UPD     include/generated/utsrelease.h
  CC      kernel/bounds.s
  GEN     include/generated/bounds.h
  CC      arch/x86/kernel/asm-offsets.s
  GEN     include/generated/asm-offsets.h
  CALL    scripts/checksyscalls.sh
  HOSTCC  scripts/genksyms/genksyms.o
  SHIPPED scripts/genksyms/lex.lex.c
  SHIPPED scripts/genksyms/keywords.hash.c
  SHIPPED scripts/genksyms/parse.tab.h
  HOSTCC  scripts/genksyms/lex.lex.o
scripts/genksyms/lex.lex.c_shipped: In function ‘yy_get_next_buffer’:
scripts/genksyms/lex.lex.c_shipped:1135:3: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  SHIPPED scripts/genksyms/parse.tab.c
  HOSTCC  scripts/genksyms/parse.tab.o
  HOSTLD  scripts/genksyms/genksyms
  CC      scripts/mod/empty.o
  HOSTCC  scripts/mod/mk_elfconfig
  MKELF   scripts/mod/elfconfig.h
  CC      scripts/mod/devicetable-offsets.s
  GEN     scripts/mod/devicetable-offsets.h
  HOSTCC  scripts/mod/file2alias.o
scripts/mod/file2alias.c: In function ‘do_vmbus_entry’:
scripts/mod/file2alias.c:878:16: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/mod/file2alias.c: In function ‘do_ipack_entry’:
scripts/mod/file2alias.c:1035:2: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
scripts/mod/file2alias.c:1036:2: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
  HOSTCC  scripts/mod/modpost.o
  HOSTCC  scripts/mod/sumversion.o
  HOSTLD  scripts/mod/modpost
  HOSTCC  scripts/kallsyms
  HOSTCC  scripts/conmakehash
  HOSTCC  scripts/sortextable
scripts/sortextable.c: In function ‘main’:
scripts/sortextable.c:295:6: warning: variable ‘n_error’ might be clobbered by ‘longjmp’ or ‘vfork’ [-Wclobbered]
  CC      init/main.o
  CHK     include/generated/compile.h
  UPD     include/generated/compile.h
  CC      init/version.o
  CC      init/do_mounts.o
  CC      init/do_mounts_initrd.o
  LD      init/mounts.o
  CC      init/initramfs.o
  CC      init/calibrate.o
  CC      init/init_task.o
  LD      init/built-in.o
  HOSTCC  usr/gen_init_cpio
  GEN     usr/initramfs_data.cpio
  AS      usr/initramfs_data.o
  LD      usr/built-in.o
  LD      arch/x86/crypto/built-in.o
  CC [M]  arch/x86/crypto/ablk_helper.o
  CC [M]  arch/x86/crypto/glue_helper.o
  AS [M]  arch/x86/crypto/aes-x86_64-asm_64.o
  CC [M]  arch/x86/crypto/aes_glue.o
  AS [M]  arch/x86/crypto/aesni-intel_asm.o
  CC [M]  arch/x86/crypto/aesni-intel_glue.o
  CC [M]  arch/x86/crypto/fpu.o
  AS [M]  arch/x86/crypto/blowfish-x86_64-asm_64.o
  CC [M]  arch/x86/crypto/blowfish_glue.o
  CC [M]  arch/x86/crypto/crc32c-intel_glue.o
  AS [M]  arch/x86/crypto/crc32c-pcl-intel-asm_64.o
  AS [M]  arch/x86/crypto/ghash-clmulni-intel_asm.o
  CC [M]  arch/x86/crypto/ghash-clmulni-intel_glue.o
  AS [M]  arch/x86/crypto/salsa20-x86_64-asm_64.o
  CC [M]  arch/x86/crypto/salsa20_glue.o
  AS [M]  arch/x86/crypto/sha1_ssse3_asm.o
  CC [M]  arch/x86/crypto/sha1_ssse3_glue.o
  AS [M]  arch/x86/crypto/twofish-x86_64-asm_64-3way.o
  CC [M]  arch/x86/crypto/twofish_glue_3way.o
  AS [M]  arch/x86/crypto/twofish-x86_64-asm_64.o
  CC [M]  arch/x86/crypto/twofish_glue.o
  LD [M]  arch/x86/crypto/aes-x86_64.o
  LD [M]  arch/x86/crypto/blowfish-x86_64.o
  LD [M]  arch/x86/crypto/twofish-x86_64.o
  LD [M]  arch/x86/crypto/twofish-x86_64-3way.o
  LD [M]  arch/x86/crypto/salsa20-x86_64.o
  LD [M]  arch/x86/crypto/aesni-intel.o
  LD [M]  arch/x86/crypto/ghash-clmulni-intel.o
...[snip]...
This of course may take its time. I use Debian on my slow boxes, where compilation, which is done on my Gentoo boxes, is a prohibitive task in terms of time... Gentoo compilations (I also use Gentoo on a few machines of my SOHO), Gentoo compilations are compilations of all and any programs (well almost) that you install, while in Debian we have only compilation of this "pristine" kernel Grsecurity/Pax patched (unless you are a developer... well but then you don't need to read this, do you?).

On this box (the one I was to replace back then, now call them my old machines), one of the slow same MBO pack of my SOHO:

Use old amd64 gentoo image on new amd64 hardware, possible?
https://forums.gentoo.org/viewtopic-t-9 ... ight-.html

it'll take a few hours of compilation to get the packages compiled and ready for installation.

Longer. But pls. notice that it's some 7-8 yrs old technology, these machines of which this one is maybe the slowest I have...

After two hours twenty minutes I am at the last stretch with my kernel compilation:

Code:

...[snip]...
  INSTALL include/linux/sunrpc (1 file)
  INSTALL include/linux/tc_act (7 files)
  INSTALL include/linux/tc_ematch (4 files)
  INSTALL include/linux/usb (10 files)
  INSTALL include/linux/wimax (1 file)
  INSTALL include/linux (386 files)
  INSTALL include/mtd (5 files)
  INSTALL include/rdma (6 files)
  INSTALL include/scsi/fc (4 files)
  INSTALL include/scsi (3 files)
  INSTALL include/sound (10 files)
  INSTALL include/video (3 files)
  INSTALL include/xen (2 files)
  INSTALL include/uapi (0 file)
  INSTALL include/asm (64 files)
dpkg-deb: building package `linux-firmware-image' in `../linux-firmware-image_3.11.6-grsec-131029-1_amd64.deb'.
dpkg-deb: building package `linux-headers-3.11.6-grsec-131029' in `../linux-headers-3.11.6-grsec-131029_3.11.6-grsec-131029-1_amd64.deb'.
dpkg-deb: building package `linux-libc-dev' in `../linux-libc-dev_3.11.6-grsec-131029-1_amd64.deb'.
dpkg-deb: building package `linux-image-3.11.6-grsec-131029' in `../linux-image-3.11.6-grsec-131029_3.11.6-grsec-131029-1_amd64.deb'.
Yeah, from here there's at least one more hour. But then I will be able to install these same binaries that the last one is being churned out, onto this and one more of my Debian boxes.

No. The command prompt is back after only ;-) one half more hour.

But pls., again, bear in mind that it is really old tech, these machines.

# repasting part of the last paste here

Code:

dpkg-deb: building package `linux-image-3.11.6-grsec-131029' in `../linux-image-3.11.6-grsec-131029_3.11.6-grsec-131029-1_amd64.deb'.
me@mybox:/some-dir/src/linux-3.11.6$ 
So I go root now.

Code:

root@mybox:/some-dir/mr# cd /some-dir/src
root@mybox:/some-dir/src# ls -l
total 518296
-rw-r--r--  1 mr mr   3738234 Oct 27 19:53 grsecurity-2.9.1-3.11.6-201310271552.patch
drwx------ 26 mr mr      4096 Oct 29 16:51 linux-3.11.6
-rw-r--r--  1 mr mr   1136064 Oct 29 16:52 linux-firmware-image_3.11.6-grsec-131029-1_amd64.deb
-rw-r--r--  1 mr mr   9188410 Oct 29 16:52 linux-headers-3.11.6-grsec-131029_3.11.6-grsec-131029-1_amd64.deb
-rw-r--r--  1 mr mr 515704298 Oct 29 17:16 linux-image-3.11.6-grsec-131029_3.11.6-grsec-131029-1_amd64.deb
-rw-r--r--  1 mr mr    947038 Oct 29 16:52 linux-libc-dev_3.11.6-grsec-131029-1_amd64.deb
root@mybox:/some-dir/src# 
And simply:

Code:

root@mybox:/some-dir/src# dpkg -i *.deb
(Reading database ... 233022 files and directories currently installed.)
Preparing to replace linux-firmware-image 3.11.3-grsec-131009-1 (using linux-firmware-image_3.11.6-grsec-131029-1_amd64.deb) ...
Unpacking replacement linux-firmware-image ...
Selecting previously unselected package linux-headers-3.11.6-grsec-131029.
Unpacking linux-headers-3.11.6-grsec-131029 (from linux-headers-3.11.6-grsec-131029_3.11.6-grsec-131029-1_amd64.deb) ...
Selecting previously unselected package linux-image-3.11.6-grsec-131029.
Unpacking linux-image-3.11.6-grsec-131029 (from linux-image-3.11.6-grsec-131029_3.11.6-grsec-131029-1_amd64.deb) ...
Preparing to replace linux-libc-dev 3.11.3-grsec-131009-1 (using linux-libc-dev_3.11.6-grsec-131029-1_amd64.deb) ...
Unpacking replacement linux-libc-dev ...
Setting up linux-firmware-image (3.11.6-grsec-131029-1) ...
Setting up linux-headers-3.11.6-grsec-131029 (3.11.6-grsec-131029-1) ...
Setting up linux-image-3.11.6-grsec-131029 (3.11.6-grsec-131029-1) ...
update-initramfs: Generating /boot/initrd.img-3.11.6-grsec-131029
Killed
Generating grub.cfg ...
Found linux image: /boot/vmlinuz-3.11.6-grsec-131029
Found initrd image: /boot/initrd.img-3.11.6-grsec-131029
Killed
Killed
Found linux image: /boot/vmlinuz-3.11.3-grsec-131009
Found initrd image: /boot/initrd.img-3.11.3-grsec-131009
Killed
Killed
Found linux image: /boot/vmlinuz-3.10.9-grsec-130827
Found initrd image: /boot/initrd.img-3.10.9-grsec-130827
Killed
Killed
Found linux image: /boot/vmlinuz-3.10.5-grsec-130807
Found initrd image: /boot/initrd.img-3.10.5-grsec-130807
Killed
Killed
Found linux image: /boot/vmlinuz-3.2.0-4-amd64
Found initrd image: /boot/initrd.img-3.2.0-4-amd64
Killed
Killed
Killed
Syntax errors are detected in generated GRUB config file.
Ensure that there are no errors in /etc/default/grub
and /etc/grub.d/* files or please file a bug report with
/boot/grub/grub.cfg.new file attached.
done
Setting up linux-libc-dev (3.11.6-grsec-131029-1) ...
root@mybox:/some-dir/src# 
Aarghhh!!! There goes one problem that I haven't yet solved...

I thought I have, but I haven't yet...

As can be read here:

https://forums.grsecurity.net/viewtopic ... 712#p13424
1. grub has nested function trampolines (you would have seen it in the kernel logs probably) so you'll either have to enable EMUTRAMP or disable MPROTECT on the grub binaries.
I investigated and tried to apply:

Code:

root@mybox:/home/me# paxctl -v /usr/sbin/grub-mkdevicemap  /usr/sbin/grub-probe
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

file /usr/sbin/grub-mkdevicemap does not have a PT_PAX_FLAGS program header, try conversion
file /usr/sbin/grub-probe does not have a PT_PAX_FLAGS program header, try conversion
root@mybox:/home/me# paxctl -cm /usr/sbin/grub-mkdevicemap  /usr/sbin/grub-probe
file /usr/sbin/grub-mkdevicemap had a PT_GNU_STACK program header, converted
file /usr/sbin/grub-probe had a PT_GNU_STACK program header, converted
root@mybox:/home/me# paxctl -v /usr/sbin/grub-mkdevicemap  /usr/sbin/grub-probe
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-x-e-- [/usr/sbin/grub-mkdevicemap]
	MPROTECT is disabled
	RANDEXEC is disabled
	EMUTRAMP is disabled
- PaX flags: -----m-x-e-- [/usr/sbin/grub-probe]
	MPROTECT is disabled
	RANDEXEC is disabled
	EMUTRAMP is disabled
root@mybox:/home/me#
But, hey, EMUTRAMP is disabled. Let's enable it.

Code:

root@mybox:/home/me# paxctl -E /usr/sbin/grub-mkdevicemap  /usr/sbin/grub-probe
root@mybox:/home/me# paxctl -v /usr/sbin/grub-mkdevicemap  /usr/sbin/grub-probe
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-xE--- [/usr/sbin/grub-mkdevicemap]
	MPROTECT is disabled
	RANDEXEC is disabled
	EMUTRAMP is enabled
- PaX flags: -----m-xE--- [/usr/sbin/grub-probe]
	MPROTECT is disabled
	RANDEXEC is disabled
	EMUTRAMP is enabled
root@mybox:/home/me# 
But the right way to go about it, I think, is first uninstall the packages that may not be properly installed...

No, not, because it's there, the new kernel is installed.

Code:

root@mybox:/some-dir/mr# ls -l /boot/
total 74051
-rw-r--r-- 1 root root   126974 Aug  7 04:37 config-3.10.5-grsec-130807
-rw-r--r-- 1 root root   126725 Aug 28 01:47 config-3.10.9-grsec-130827
-rw-r--r-- 1 root root   128663 Oct  9 06:37 config-3.11.3-grsec-131009
-rw-r--r-- 1 root root   128663 Oct 29 16:49 config-3.11.6-grsec-131029
-rw-r--r-- 1 root root   129038 Mar 26  2013 config-3.2.0-4-amd64
drwxr-xr-x 3 root root     5120 Oct 29 17:22 grub
-rw-r--r-- 1 root root 11189354 Aug  7 05:05 initrd.img-3.10.5-grsec-130807
-rw-r--r-- 1 root root 11309328 Oct 11 02:06 initrd.img-3.10.9-grsec-130827
-rw-r--r-- 1 root root 11371623 Oct 11 02:07 initrd.img-3.11.3-grsec-131009
-rw-r--r-- 1 root root 11370633 Oct 29 17:22 initrd.img-3.11.6-grsec-131029
-rw-r--r-- 1 root root  3372771 Apr 17  2013 initrd.img-3.2.0-4-amd64
drwx------ 2 root root     1024 Sep 18 15:22 lost+found
-rw-r--r-- 1 root root  2171130 Aug  7 04:37 System.map-3.10.5-grsec-130807
-rw-r--r-- 1 root root  2180693 Aug 28 01:47 System.map-3.10.9-grsec-130827
-rw-r--r-- 1 root root  2220919 Oct  9 06:37 System.map-3.11.3-grsec-131009
-rw-r--r-- 1 root root  2221258 Oct 29 16:49 System.map-3.11.6-grsec-131029
-rw-r--r-- 1 root root  2105340 Mar 26  2013 System.map-3.2.0-4-amd64
-rw-r--r-- 1 root root  2972112 Aug  7 04:37 vmlinuz-3.10.5-grsec-130807
-rw-r--r-- 1 root root  3167504 Aug 28 01:47 vmlinuz-3.10.9-grsec-130827
-rw-r--r-- 1 root root  3181136 Oct  9 06:37 vmlinuz-3.11.3-grsec-131009
-rw-r--r-- 1 root root  3182608 Oct 29 16:49 vmlinuz-3.11.6-grsec-131029
-rw-r--r-- 1 root root  2833216 Mar 26  2013 vmlinuz-3.2.0-4-amd64
root@mybox:/some-dir/mr# 
I think I can try:

Code:

root@mybox:/some-dir/mr# update-initramfs -u
update-initramfs: Generating /boot/initrd.img-3.11.6-grsec-131029
root@mybox:/some-dir/mr# 
Seems OK.

I am yet to know if all really went well.

I am going to see if I can now reboot into my new kernel.

# ((after the reboot))
Of course not. It was the grub-mkconfig, stupid!... wasn't concentrated in here (was watching Russia Today as I was writing this).

Code:

root@mybox:/home/me# grub-mkconfig -o /boot/grub/grub.cfg
Generating grub.cfg ...
Found background image: .background_cache.png
Found linux image: /boot/vmlinuz-3.11.6-grsec-131029
Found initrd image: /boot/initrd.img-3.11.6-grsec-131029
Found linux image: /boot/vmlinuz-3.11.3-grsec-131009
Found initrd image: /boot/initrd.img-3.11.3-grsec-131009
Found linux image: /boot/vmlinuz-3.10.9-grsec-130827
Found initrd image: /boot/initrd.img-3.10.9-grsec-130827
Found linux image: /boot/vmlinuz-3.10.5-grsec-130807
Found initrd image: /boot/initrd.img-3.10.5-grsec-130807
Found linux image: /boot/vmlinuz-3.2.0-4-amd64
Found initrd image: /boot/initrd.img-3.2.0-4-amd64
Killed
Syntax errors are detected in generated GRUB config file.
Ensure that there are no errors in /etc/default/grub
and /etc/grub.d/* files or please file a bug report with
/boot/grub/grub.cfg.new file attached.
done
root@mybox:/home/me# 
Much better than before.

Now comes one important thing that users need to know, the users of Grsecurity/Pax (or simply Grsecurity, which is often used for short, but this is a two-pack of programs).

You need to get a little more familiar with the logs in /var/log/
Well, some of the logs.
Grsec writes a lot, and it writes mostly in messages (/var/log/messages) and, importantly, kern.log.
So, I'll try to find what got killed (there's now only one "Killed" instead of many) in the grub-mkconfig trampoline execution (IIUC).

And I find these four lines:

Code:

Oct 29 17:43:29 naibd7 kernel: [  282.917617] grsec: exec of /usr/bin/grub-script-check (/usr/bin/grub-script-check /boot/grub/grub.cfg.new ) by /usr/bin/grub-script-check[grub-mkconfig:4511] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/grub-mkconfig[grub-mkconfig:3331] uid/euid:0/0 gid/egid:0/0
Oct 29 17:43:29 naibd7 kernel: [  282.921526] PAX: execution attempt in: <stack>, 380ef9a7000-380ef9c9000 3fffffdd000
Oct 29 17:43:29 naibd7 kernel: [  282.921535] PAX: terminating task: /usr/bin/grub-script-check(grub-script-che):4511, uid/euid: 0/0, PC: 00000380ef9c79f0, SP: 00000380ef9c6398
Oct 29 17:43:29 naibd7 kernel: [  282.921542] PAX: bytes at PC: 41 bb 30 27 40 00 49 ba e0 79 9c ef 80 03 00 00 49 ff e3 90 
Oct 29 17:43:29 naibd7 kernel: [  282.921552] PAX: bytes at SP-8: 0000000000000011 0000000000404011 0000000003a49b50 0000000000000000 0000000003a49ad0 0000000003a49b50 0000000003a49b51 0000000003a4bb91 0000000003a4bb90 0000000000405ca6 0000000000000002 
Oct 29 17:43:29 naibd7 kernel: [  282.921581] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/grub-script-check[grub-script-che:4511] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/grub-mkconfig[grub-mkconfig:3331] uid/euid:0/0 gid/egid:0/0
There I see that the binary in question could be:

Code:

root@mybox:/home/me# ls -l /usr/bin/grub-script-check
-rwxr-xr-x 1 root root 88240 Jul  3 03:40 /usr/bin/grub-script-check
root@mybox:/home/me# file /usr/bin/grub-script-check
/usr/bin/grub-script-check: ELF 64-bit LSB  executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=da65413513b541d3b796a3249cc6b62289d4e42e, stripped
root@mybox:/home/me# paxctl -v /usr/bin/grub-script-check
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

file /usr/bin/grub-script-check does not have a PT_PAX_FLAGS program header, try conversion
root@mybox:/home/me# paxctl -cmE /usr/bin/grub-script-check
file /usr/bin/grub-script-check had a PT_GNU_STACK program header, converted
root@mybox:/home/me# paxctl -v /usr/bin/grub-script-check
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-xE--- [/usr/bin/grub-script-check]
	MPROTECT is disabled
	RANDEXEC is disabled
	EMUTRAMP is enabled
root@mybox:/home/me# 
This should work now.

Code:

root@mybox:/home/me# grub-mkconfig -o /boot/grub/grub.cfg
Generating grub.cfg ...
Found background image: .background_cache.png
Found linux image: /boot/vmlinuz-3.11.6-grsec-131029
Found initrd image: /boot/initrd.img-3.11.6-grsec-131029
Found linux image: /boot/vmlinuz-3.11.3-grsec-131009
Found initrd image: /boot/initrd.img-3.11.3-grsec-131009
Found linux image: /boot/vmlinuz-3.10.9-grsec-130827
Found initrd image: /boot/initrd.img-3.10.9-grsec-130827
Found linux image: /boot/vmlinuz-3.10.5-grsec-130807
Found initrd image: /boot/initrd.img-3.10.5-grsec-130807
Found linux image: /boot/vmlinuz-3.2.0-4-amd64
Found initrd image: /boot/initrd.img-3.2.0-4-amd64
done
root@mybox:/home/me# 
Let's reboot now.

# ((after another reboot))

Code:

me@mybox:~$ uname -r
3.11.6-grsec-131029
me@mybox:~$ 
Right! Thank God!

I wish I could explain more in detail the few possibly more difficult points as newbies may find them to be, but I'm really out of time.

I've just had another instance of fine defence by Grsecurity/Pax against bruteforce attack on the other of my two Debian machines:

https://forums.grsecurity.net/viewtopic.php?f=3&t=3841

and I feel I need to report how it went on Grsecurity's forums, because I may be a stubborn political/religious/anti-surveillance nerd (that some of the disbelievers might think, who read around the link with Pax Team's line on trampolining grub binaries), if you really want, but I am not ungrateful.

Anyway, a newbie can get a lot of information if he/she just followed the links that are suggested further from somewhere around that already given link(s), or simply the suggested documentation on Grsecurity's site and regular Debian GNU/Linux documentation.

Miroslav Rovis,
Zagreb, Croatia
Last edited by timbgo on 2013-10-31 17:33, edited 2 times in total.
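As an added example (not from the original post, and not grsecurity's or paxctl's own code), here is a small POSIX sh helper that does the triage the post walks through by hand: it pulls the executables PaX terminated out of kern.log-style lines, prints the paxctl marking the post applied for each one, and decodes the 12-character flag field that paxctl -v shows. The log lines embedded in it are constructed samples modelled on the excerpt above; the column order of the flag field is inferred from the post's own paxctl output (the m, x and E positions) and the PT_PAX_FLAGS bit order; the function names are my own.

```shell
#!/bin/sh
# Added example: triage helpers for PaX "terminating task" events.
# Not part of the original post; function names are my own.

# Constructed sample log lines, modelled on the kern.log excerpt in the post.
SAMPLE_LOG='Oct 29 17:43:29 naibd7 kernel: [  282.921526] PAX: execution attempt in: <stack>, 380ef9a7000-380ef9c9000 3fffffdd000
Oct 29 17:43:29 naibd7 kernel: [  282.921535] PAX: terminating task: /usr/bin/grub-script-check(grub-script-che):4511, uid/euid: 0/0, PC: 00000380ef9c79f0, SP: 00000380ef9c6398
Oct 29 17:43:29 naibd7 kernel: [  282.921581] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/grub-script-check[grub-script-che:4511] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/grub-mkconfig[grub-mkconfig:3331] uid/euid:0/0 gid/egid:0/0
Oct 29 17:44:02 naibd7 kernel: [  315.004411] PAX: terminating task: /usr/sbin/grub-probe(grub-probe):4532, uid/euid: 0/0, PC: 0000000000401a20, SP: 00007ffd2c1e0f08
Oct 29 17:44:02 naibd7 kernel: [  315.004420] PAX: terminating task: /usr/bin/grub-script-check(grub-script-che):4540, uid/euid: 0/0, PC: 00000380ef9c79f0, SP: 00000380ef9c6398'

# pax_killed_binaries: read log text on stdin, print each distinct executable
# path that PaX terminated, one per line, sorted.
pax_killed_binaries() {
    sed -n 's/.*PAX: terminating task: \([^(]*\)(.*/\1/p' | sort -u
}

# pax_kill_count PATH: number of "terminating task" events for PATH on stdin
# (grep -c exits 1 on zero matches but still prints 0, hence the || true).
pax_kill_count() {
    grep -c "PAX: terminating task: $1(" || true
}

# pax_suggest_marks: for every killed binary print the paxctl invocation the
# post used (-c: add a PT_PAX_FLAGS header, -m: disable MPROTECT, -E: enable
# EMUTRAMP). It only prints; apply by hand after looking at each binary.
pax_suggest_marks() {
    pax_killed_binaries | while IFS= read -r bin; do
        echo "paxctl -cmE $bin"
    done
}

# pax_decode_flags FLAGS: decode the 12-character field of "paxctl -v",
# e.g. "-----m-xE---". Columns come in pairs in PT_PAX_FLAGS bit order
# (PAGEEXEC, SEGMEXEC, MPROTECT, RANDEXEC, EMUTRAMP, RANDMMAP): an uppercase
# letter in the first column means explicitly enabled, a lowercase letter in
# the second means explicitly disabled, "-" in both means kernel default.
pax_decode_flags() {
    flags=$1
    [ "${#flags}" -eq 12 ] || { echo "bad flag string: $flags" >&2; return 1; }
    i=1
    for name in PAGEEXEC SEGMEXEC MPROTECT RANDEXEC EMUTRAMP RANDMMAP; do
        on=$(printf '%s' "$flags" | cut -c "$i")
        off=$(printf '%s' "$flags" | cut -c "$((i + 1))")
        if [ "$on" != "-" ]; then
            state=enabled
        elif [ "$off" != "-" ]; then
            state=disabled
        else
            state=default
        fi
        echo "$name $state"
        i=$((i + 2))
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | pax_suggest_marks
pax_decode_flags -----m-xE---
```

Against a real system you would feed it `grep 'PAX:' /var/log/kern.log | pax_suggest_marks` and then decide per binary; -m and -E both weaken PaX for that executable, so the marking belongs only on the few grub tools that actually need trampolines, not on anything that merely happens to appear in the log.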

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#5 Post by timbgo »

The
config-3.11.3-grsec-131009
that I actually used in the compilation I am now trying to attach (32k gzipped archive)
But I am getting the notice:
Sorry, the board attachment quota has been reached.
Will try later or try other means, don't know.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#6 Post by timbgo »

Trying with 28k xz archive...
Not allowed...
Will try later, or differently...

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#7 Post by timbgo »

Here the config file
http://www.croatiafidelis.hr/gnu/deb/co ... -131009.gz
Pls. make sure you verify it:
http://www.croatiafidelis.hr/gnu/deb/co ... 009.gz.sig
And I think that a newbie can still do it today, and maybe in a few days ahead.
Grsecurity is a "conditio sine qua non"!
The other missing "LINK HERE" I'll try and fix later. They are less important than this one.
EDIT START
Thu Oct 31 10:15:59 UTC 2013
Right now fixed those too. All is fine now, I guess. Newbies and others, your feedback is most appreciated!
EDIT END
I checked it, the link is alive, but pls. bear in mind that the rightwings like me are badly surveilled and censored in my Croatia which is ruled by traitors of this day.

Miroslav Rovis,
Zagreb, Croatia

/dev/null
Posts: 62
Joined: 2013-01-30 17:31

Re: Grsecurity/Pax installation on Debian GNU/Linux

#8 Post by /dev/null »

Outstanding stuff!!!
It's a real pity that debian's security is so shamefully disregarded (let's face it, compared to gentoo, debian is a helpless little girl - last time I checked debian's gradm didn't even work, I had to compile it from source :cry: ).
THANK YOU!

BTW why is this thread not sticky yet???

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#9 Post by timbgo »

/dev/null wrote: Outstanding stuff!!!
It's a real pity that debian's security is so shamefully disregarded (let's face it, compared to gentoo, debian is a helpless little girl - last time I checked debian's gradm didn't even work, I had to compile it from source :cry: ).
THANK YOU!

BTW why is this thread not sticky yet???
Thanks, /dev/null !
I'm sorry I wasn't around in the meantime.
I did leave notes around explaining how I actually take sometimes patience-breaking times to do things, and occasionally I even desist from exhaustion... And postpone things. (And I can only dedicate a couple of days maximum per month to this hardening of my Debian with Grsecurity... from other things in my life.)

However there is a pattern in applying Grsecurity/Pax to harden your Debian GNU Linux and every next time I really employ less and less time to achieve the correct compilation and things.

I have just successfully compiled, and am browsing this forum now, with:

Code:

# uname -r
3.11.8-grsec-131123
#
131123 is for 2013-11-23, which has just begun.

I'll try and explain, next, in a new post, the exact commands that newbies can, surely at their own responsibility, if they dare, try and reuse (amd64 is my arch).

I hope I won't need long to update this tips & trick page for the current kernel and current Grsecurity/Pax patch, as can be found here:
https://grsecurity.net/download.php
Cheers!
Miroslav Rovis
Zagreb, Croatia

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#10 Post by timbgo »

This is a call to give more space/interest/insight into Greater Security in Debian GNU Linux, esp. for newbies! Suffer them to have this information, they will be less likely to hurl bad words at you at later times in their lives when these things become clear to them whether you like it or not.

But I don't want to deluge newbies with sad stories about politics and treason (yes, as in any other movement, treason took roots in GNU Linux development too!)

But rather this tips & tricks page is about a call to other users like me, and above all newbies of lesser understanding at this time than me, to truly secure their systems like I probably have succeeded in doing by now, only thanks to Grsecurity/Pax (which is often named short just Grsecurity) twin program patched into the kernel.

I gave, some two weeks ago, in the first few installments of this Tips & Tricks page, in the previous posts to this post, a detailed recount, with command lines and outputs of commands, of how I installed the previous version of the kernel, patched with Grsecurity.

So, let's remind the users of just a few things to more easily deploy the tips for the current kernel.

But of course, the following will not anymore be sufficient for newbies without those previous posts, no! Read attentively the entire page if you feel some of the concepts and explanations below don't sit as they should with you!

So first of all, the path that we take, in our approach, is:

1) _Not_ the Debian stock kernel, from Debian repositories, no!, but instead, the "pristine" kernel is to be used!
And that means, no aptitude, no apt-get install [name-of-the-kernel-package], but tar.xz (or tar.gz or tar.bz2) archive from:
https://www.kernel.org/
and precise (in case of about half of the Debian users who have the amd64 arch as I do, and in case those exact packages from my command lines below are available)...
...[and precise] commands to execute on those packages once the kernel is patched with the corresponding grsecurity patch.

2) no warranties, do it at your own risk. Works for me if I made it by the time this update to this tips & tricks page is made (sure I started writing this installment before, but by the time I'm finishing off these here lines, such as these words that you are exactly now reading, they are an addition to the draft from some three or more hours ago... And I did make it in the meantime).

Recommended: https://www.grsecurity.net and any pages you are pointed to from there and links of second and third (and further if needed) reference from there...

But it could, it could work for you just fine, simply running the commands below... It coooouuuld...

The place to start, for, not just today, but for our future installs of future Grsecurity patched kernels (just remember that I am a rightwinger, and that means the persecuted kind in Croatia of this day of its traitors, never mind my being tolerant and respectful of honest leftists, so if this does not get updated in months, I may not be among the free anymore, even worse...), so the place to start for our securing our Debian GNU Linuces is generally this one:

https://grsecurity.net/download.php

(The https is if you have HTTPS Everywhere [recommended], that you need to download from https://www.eff.org and install into your iceweasel, a quick and easy thing to do, really recommended, Electronic Frontier Foundation have been in anti-surveillance since long years, but this very note is not related to this tips & tricks page in any other way.)

Before I tell you what we need from that page, let me tell you that even though I will, for myself, regularly use a kernel without most of the modules that are all compiled into the stock kernel, and those modules are activated as needed for the recognized hardware, but also they can be abused by intruders...

...Let me tell you that even though I'll compile, for myself, for my regular use of my Debian machines, a kernel without most of the modules which are not needed for my hardware, I will try and still keep around a config file for compiling the kernel with most of the modules (or almost all actually), as I derived it from the old stock kernel whose config file I used when I first installed the Grsecurity-patched kernel.

I will keep such an all-modules-to-compile-in config file around precisely for the reason that it is quite likely that the commands below will then work for users with amd64 arch machines on various hardware, even totally different hardware from mine. (Once it does work for you, you surely will be better off and more secure if you then remove the config options for modules you have no need for, and recompile your kernel! But I won't indulge in that exercise. This page is just a call to the right direction, not an attempt to follow anyone in their particular issues, I have no resources of time, nor expertise to do so.)

OK. Let's get our system ready for kernel compilation.

Since the kernel will be about the most recent --actually just the next one after the bleeding edge kernel, because Grsecurity, the secret pride of Microsoft Skype (oh, but hackers, the hackers are thankfully often better off and cleverer than the corporate traitors! it didn't remain a secret, the stolen other people's product, the free product that those robbers, legal robbers that Billy and his gang and his kind are, thought they could use secretly and hide from the world and from the hackers cleverer than they will ever be... please find links on Microsoft's use of Grsecurity in Skype in previous installments of this Tips and Tricks page)...

LINK HERE maybe to that instance of M$ stealing of others' program.

Since the kernel will be about the most recent --actually just the next one after the bleeding edge kernel, because Grsecurity, the pride of M$ Skype that was to be secret but was uncovered, wasn't good enough for Linus Torvalds the friend of NSA who decided for NSA's SELinux... instead... But I didn't mean to write about that, and will not now. I just don't have the time.

I only have to say one thing in this regard though. It is a lie that NSA was asked to help with SELinux, as somewhere I found a link to an article about it. No. SELinux is a straight child of NSA. Full stop.

LINK HERE (if I make it to find that link which I was pointed to from Debian Forums some two weeks ago.)

Since the kernel will be about the most recent --actually just the next one after the bleeding edge (I'm restarting to tell this for the third time), since the kernel will be as close to the bleeding edge version as the Security geniuses like Spender and Pax Team can make it because the one in charge suffers from Not-Invented-Here envy and makes it hard for the better ones than him to take part in development, how sad!...

Since the kernel will be almost the hottest last one, we also should best use the:

Debian Testing branch repositories (but, pls. note that it is not required, stable is just fine as well)

to update the system before we recompile the still warm kernel.

I do it by downloading with jigdo-file, the templates and things as can be found here:

http://cdimage.debian.org/cdimage/weekl ... jigdo-dvd/

It is not difficult to set up Apache, mount all the ISO files, and serve them on your SOHO, or on your standalone host, and set the links to these Apache local repos in /etc/apt/sources.list.

I'm telling you that, because if you want to counter possible, sorry probable (it is very probable, it's ubiquitous) surveillance (and the worse scenarios that build on it, such as intrusions and attacks), you certainly don't really want to just update your system while online. C'mon! But while I could write a tips & tricks page about it, which I would like to, because I don't live selfishly but wish freedom not only for me but for everybody (I'd actually want the corporate banksters and such in jail only), I can not indulge on it here because it is not the topic here...

EDIT START Mon Jan 6 16:37:08 UTC 2014
I just wrote a page "Scripts to automate jigdo download":
http://forums.debian.net/viewtopic.php?f=16&t=110503
EDIT END

Anyways, the core of what I am trying to suggest at this stage of preparation, is, before you compile the kernel, get the new packages and do the:

# apt-get update
...[snip]...
# apt-get upgrade
...[snip]...

It may not be absolutely necessary, but is good practice to update the system before compiling the system.

I feel I need to name this installment somehow.
Let this be:
Part II-1
And:
Part II-2 is to follow.
Last edited by timbgo on 2014-01-06 17:42, edited 3 times in total.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#11 Post by timbgo »

Part II-2
EDIT START
Corrections starting to apply at:
Sat Nov 23 10:43:45 UTC 2013
(will mark them with [edit131123-11h])
EDIT END
So, open up in your iceweasel (or other browser):
https://grsecurity.net/download.php

Download (within these 5 hours, there is now a new kernel to compile, well, I wasn't fast enough this time, 3.11.8 is not there anymore...):

https://grsecurity.net/test/grsecurity- ... 2137.patch

https://grsecurity.net/test/grsecurity- ... .patch.sig

https://www.kernel.org/pub/linux/kernel ... .11.tar.xz

https://www.kernel.org/pub/linux/kernel ... .9.tar.sig

[edit131123-11h start]
http://www.croatiafidelis.hr/gnu/deb/co ... -131009.gz

http://www.croatiafidelis.hr/gnu/deb/co ... 009.gz.sig
[edit131123-11h end]

Download Spender's new key (the old one that he used was DSA, now it is very much recommended to use stronger RSA keys):

https://grsecurity.net/spender-gpg-key.asc

Allow me now a little time and I'll be back with the set of commands that will, hopefully, work, or will have already worked for me...

I'm back.
I'll now try and complete this page...
On the other machine, offline (an NSA "denigrator" like me to compile online, not a good idea!), the system is churning on the codes.
Here are the lines from the history ( 'history' command at the prompt output, and cleansed to be terse this time. If you don't understand, go and read the previous posts):

[edit131123-11h start]
All the commands are best done in a newly created dir with all the downloads moved into.
[edit131123-11h end]

Code:

 unxz linux-3.11.9.tar.xz 
 gpg --verify linux-3.11.9.tar.sign 
 gpg --verify grsecurity-2.9.1-3.11.9-201311222137.patch.sig 
 tar xvf linux-3.11.9.tar 
 cd linux-3.11.9/
 patch  -p1 < ../grsecurity-2.9.1-3.11.9-201311222137.patch
 cd ../
 gpg --verify config-3.11.3-grsec-131009.gz.sig 
 gunzip config-3.11.3-grsec-131009.gz 
 cp config-3.11.3-grsec-131009 linux-3.11.9/.config
 cd  linux-3.11.9/
 make menuconfig
[edit131123-11h start]
Of course one of the things is to change the local version. Explained in previous posts.

Code:

 fakeroot make deb-pkg

I forgot the last command last night:

Code:

dpkg -i *.deb
You can probably recognize the same .config that I posted on http://www.CroatiaFidelis.hr; pls. see the link where you can download it from, above in previous posts.
[edit131123-11h end]

I'll be back to tell if all went fine.

It is now morning, and I haven't slept yet.

So, good night!
[edit131123-11h start]
I have:

Code:

# uname -r
3.11.9-grsec-131123
#
 
kernel running now. All seems fine. Have a fine free and, when you wish so, private life!
[edit131123-11h end]

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#12 Post by timbgo »

It's been:

Code:

$ ps aux | grep fakeroot
mr         899  0.0  0.0  18320   880 pts/10   S+   21:02   0:00 grep fakeroot
mr       19542  0.0  0.0  18976  1332 pts/3    S+   19:16   0:00 /bin/bash /usr/bin/fakeroot make deb-pkg
$
almost two hours (on one of my slowest systems, OK) that fakeroot has been churning on.

So let's post the commands. Very probably many users on AMD64 machines could try and run these commands, but, as usual:

*** solely at your own risk! ***

Also, don't just run them. Say, change the LOCALVERSION when the menuconfig presents itself to you. Look up a little bit and read the extensive help that all the Grsecurity and Pax options have...

If you don't already have them, get the keys to verify the kernel, grsecurity and my config; it's
gpg --recv-key 0xNNNNNNNN where the number is, say in my case (you can see what a revoked key looks like), 17D681FC, so 0x17D681FC (0x is for hex)...
Or whatever else...
You were supposed to read the thread above anyways, where I went into great lengths to explain things.

Code:

wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.12.6.tar.sign
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.12.6.tar.xz
wget -nc https://www.grsecurity.net/test/grsecurity-3.0-3.12.6-201401021726.patch
wget -nc https://www.grsecurity.net/test/grsecurity-3.0-3.12.6-201401021726.patch.sig
wget -nc http://www.croatiafidelis.hr/gnu/deb/config-3.11.3-grsec-131009.gz.sig
wget -nc http://www.croatiafidelis.hr/gnu/deb/config-3.11.3-grsec-131009.gz
mkdir /Cmn/src/
cp -iav linux-3.12.6.tar.* /Cmn/src/
cp -iav grsecurity-3.0-3.12.6-201401021726.patch* /Cmn/src/
cp -iav config-3.11.3-grsec-131009.gz* /Cmn/src/
cd /Cmn/src/
unxz linux-3.12.6.tar.xz 
gpg --verify linux-3.12.6.tar.sign 
gpg --verify grsecurity-3.0-3.12.6-201401021726.patch.sig
gpg --verify config-3.11.3-grsec-131009.gz.sig 
tar xvf linux-3.12.6.tar 
cd linux-3.12.6
patch -p1 < ../grsecurity-3.0-3.12.6-201401021726.patch
cd ../
gunzip config-3.11.3-grsec-131009.gz
cp -iav config-3.11.3-grsec-131009 linux-3.12.6/.config
cd linux-3.12.6
make menuconfig
diff .config*
fakeroot make deb-pkg
The 'diff .config' is not strictly necessary, but, as I mentioned much earlier in this thread, I purposefully use a stock-kernel-derived config, so it can work on most AMD64 machines, not just mine, and it's from an old stock kernel now, 3.11.3, but I believe it'll work...
All the above as common user (but wait, read first the next paragraph).
Now as root:

Code:

cd /Cmn/src/
dpkg -i *.deb
[ The following I wrote ahead of time, in expectation all would build fine, forgetting that I didn't have enough space available on the device... Sorry for the inconvenience... ]
The above command might not yet work.
If you tried, or, I believe it's innocuous, if you want to try, as root, if you have Grsecurity/Pax patched kernel already installed, and you now try and install the kernel, and it fails with some of the errors you found or can find in the previous (old) thread above, then check these:

Code:

# paxctl -v /usr/bin/grub-script-check /usr/sbin/grub-mkdevicemap /usr/sbin/grub-probe
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-xE--- [/usr/bin/grub-script-check]
	MPROTECT is disabled
	RANDEXEC is disabled
	EMUTRAMP is enabled
- PaX flags: -----m-xE--- [/usr/sbin/grub-mkdevicemap]
	MPROTECT is disabled
	RANDEXEC is disabled
	EMUTRAMP is enabled
- PaX flags: -----m-xE--- [/usr/sbin/grub-probe]
	MPROTECT is disabled
	RANDEXEC is disabled
	EMUTRAMP is enabled
# 
I believe it's just these three. For my configuration and things, it could be differently if you enabled/disabled various options differently than me, I am not an expert, have to remind that I am publishing these tips as I teach myself things.

So if these don't look like that for you, then run:

Code:

# paxctl -cmE  /usr/bin/grub-script-check /usr/sbin/grub-mkdevicemap /usr/sbin/grub-probe
and they will. Unless something more/different is yet the matter.

OK. Now you can execute the dpkg -i *.deb command as in the previous paragraph. You should, upon a smooth run of it, have your Grsecurity/Pax kernel installed, and can reboot into it.
Probably. I warned you you're doing it all on your own responsibility, not mine.

I fell asleep in the meantime... But it failed to build. I got lots of:
mkdir: cannot create directory ‘/Cmn/src/linux-3.12.6/debian/tmp/lib/modules/3.12.6-grsec-140106/kernel/net/netfilter’: No space left on device
That's just one random line pasted over.
Well, it's no wonder. Have a look how little space I got left before I went to sleep, not knowing that I would need to explain here, I pasted my "df -h" line in another Tip I wrote, now yesterday:
http://forums.debian.net/viewtopic.php?f=16&t=110503
"Scripts to automate jigdo download"
(find there the string 'df -h')...
...and building needs much space; currently, this unfinished, failed (for no space) build:

Code:

me@mybox:/Cmn/src$ du -hs linux-3.12.6
8.1G	linux-3.12.6
Be back.
Miroslav Rovis
Zagreb, Croatia,
http://www.CroatiaFidelis.hr
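An added check, not code from the thread, that parses the `paxctl -v` output format shown in the post above and reports which grub binaries lack the flags that `paxctl -cmE` sets (lowercase 'm' for MPROTECT disabled, uppercase 'E' for EMUTRAMP enabled). The sample output is constructed, and its last two flag strings are assumed "wrong" states for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: parse `paxctl -v` output and report
# which binaries still need `paxctl -cmE` (lowercase 'm' = MPROTECT disabled,
# uppercase 'E' = EMUTRAMP enabled, as in the post's expected output).

# Print the flag string (e.g. "-----m-xE---") from one "- PaX flags:" line.
pax_flag_string() {
    printf '%s\n' "$1" | sed -n 's/^- PaX flags: \([^ ]*\) \[.*\]$/\1/p'
}

# Print the binary path from one "- PaX flags:" line.
pax_binary() {
    printf '%s\n' "$1" | sed -n 's/^- PaX flags: [^ ]* \[\(.*\)\]$/\1/p'
}

# Exit 0 when the flag string has MPROTECT disabled ('m') and EMUTRAMP enabled ('E').
# paxctl prints an uppercase letter for an enabled flag, lowercase for a disabled
# one and '-' for "not set", so a plain 'M' or 'e' here means "needs -cmE".
pax_flags_ok() {
    case "$1" in *m*) ;; *) return 1 ;; esac
    case "$1" in *E*) return 0 ;; *) return 1 ;; esac
}

# Read `paxctl -v ...` output on stdin; print one line per binary and the command
# that would fix it. Exit 0 only if every binary already has the expected flags.
pax_report() {
    bad=0
    while IFS= read -r line; do
        case "$line" in "- PaX flags: "*) ;; *) continue ;; esac
        flags=$(pax_flag_string "$line")
        bin=$(pax_binary "$line")
        if pax_flags_ok "$flags"; then
            printf 'OK   %s %s\n' "$flags" "$bin"
        else
            printf 'FIX  %s %s   (paxctl -cmE %s)\n' "$flags" "$bin" "$bin"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample in the format the post shows. The first binary is as expected;
# the other two are assumed "wrong" states (EMUTRAMP disabled / MPROTECT enabled).
SAMPLE_PAXCTL_OUTPUT='PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-xE--- [/usr/bin/grub-script-check]
	MPROTECT is disabled
	RANDEXEC is disabled
	EMUTRAMP is enabled
- PaX flags: -------xe--- [/usr/sbin/grub-mkdevicemap]
	RANDEXEC is disabled
	EMUTRAMP is disabled
- PaX flags: -----M-xE--- [/usr/sbin/grub-probe]
	MPROTECT is enabled
	RANDEXEC is disabled
	EMUTRAMP is enabled
'

# Stand-alone demo. On a real system replace the sample with:
#   paxctl -v /usr/bin/grub-script-check /usr/sbin/grub-mkdevicemap /usr/sbin/grub-probe | pax_report
printf '%s' "$SAMPLE_PAXCTL_OUTPUT" | pax_report || echo "some grub binaries need paxctl -cmE"
```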

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#13 Post by timbgo »

root@mybox:/Cmn/src# ls -l
total 1120184
-rw-r--r-- 1 mr mr 128663 Oct 30 17:20 config-3.11.3-grsec-131009
-rw-r--r-- 1 mr mr 543 Oct 31 09:30 config-3.11.3-grsec-131009.gz.sig
-rw-r--r-- 1 mr mr 3944503 Jan 2 22:30 grsecurity-3.0-3.12.6-201401021726.patch
-rw-r--r-- 1 mr mr 543 Jan 2 22:30 grsecurity-3.0-3.12.6-201401021726.patch.sig
drwx------ 26 mr mr 4096 Jan 6 21:45 linux-3.12.6
-rw-r--r-- 1 mr mr 544061440 Dec 20 16:04 linux-3.12.6.tar
-rw-r--r-- 1 mr mr 836 Dec 20 16:04 linux-3.12.6.tar.sign
-rw-r--r-- 1 mr mr 1136084 Jan 7 07:33 linux-firmware-image-3.12.6-grsec-140106_3.12.6-grsec-140106-3_amd64.deb
-rw-r--r-- 1 mr mr 9387176 Jan 7 07:33 linux-headers-3.12.6-grsec-140106_3.12.6-grsec-140106-3_amd64.deb
-rw-r--r-- 1 mr mr 31456652 Jan 7 07:34 linux-image-3.12.6-grsec-140106_3.12.6-grsec-140106-3_amd64.deb
-rw-r--r-- 1 mr mr 555656656 Jan 7 07:57 linux-image-3.12.6-grsec-140106-dbg_3.12.6-grsec-140106-3_amd64.deb
-rw-r--r-- 1 mr mr 961842 Jan 7 07:33 linux-libc-dev_3.12.6-grsec-140106-3_amd64.deb
root@mybox:/Cmn/src# dpkg -i *.deb
Selecting previously unselected package linux-firmware-image-3.12.6-grsec-140106.
(Reading database ... 227813 files and directories currently installed.)
Unpacking linux-firmware-image-3.12.6-grsec-140106 (from linux-firmware-image-3.12.6-grsec-140106_3.12.6-grsec-140106-3_amd64.deb) ...
Selecting previously unselected package linux-headers-3.12.6-grsec-140106.
Unpacking linux-headers-3.12.6-grsec-140106 (from linux-headers-3.12.6-grsec-140106_3.12.6-grsec-140106-3_amd64.deb) ...
Selecting previously unselected package linux-image-3.12.6-grsec-140106.
Unpacking linux-image-3.12.6-grsec-140106 (from linux-image-3.12.6-grsec-140106_3.12.6-grsec-140106-3_amd64.deb) ...
Selecting previously unselected package linux-image-3.12.6-grsec-140106-dbg.
Unpacking linux-image-3.12.6-grsec-140106-dbg (from linux-image-3.12.6-grsec-140106-dbg_3.12.6-grsec-140106-3_amd64.deb) ...
Preparing to replace linux-libc-dev 3.11.9-grsec-131123-1 (using linux-libc-dev_3.12.6-grsec-140106-3_amd64.deb) ...
Unpacking replacement linux-libc-dev ...
Setting up linux-firmware-image-3.12.6-grsec-140106 (3.12.6-grsec-140106-3) ...
Setting up linux-headers-3.12.6-grsec-140106 (3.12.6-grsec-140106-3) ...
Setting up linux-image-3.12.6-grsec-140106 (3.12.6-grsec-140106-3) ...
update-initramfs: Generating /boot/initrd.img-3.12.6-grsec-140106
Generating grub.cfg ...
Found background image: /usr/share/images/desktop-base/desktop-grub.png
Found linux image: /boot/vmlinuz-3.12.6-grsec-140106
Found initrd image: /boot/initrd.img-3.12.6-grsec-140106
Found linux image: /boot/vmlinuz-3.11.9-grsec-131123
Found initrd image: /boot/initrd.img-3.11.9-grsec-131123
Found linux image: /boot/vmlinuz-3.11.6-grsec-131103-14
Found initrd image: /boot/initrd.img-3.11.6-grsec-131103-14
Found linux image: /boot/vmlinuz-3.2.0-4-amd64
Found initrd image: /boot/initrd.img-3.2.0-4-amd64
Found Windows XP Professional x64 Edition on /dev/sda4
done
Setting up linux-image-3.12.6-grsec-140106-dbg (3.12.6-grsec-140106-3) ...
Setting up linux-libc-dev (3.12.6-grsec-140106-3) ...
root@mybox:/Cmn/src#

And that's real. If you saw XP above, that doesn't mean I would recommend Windows in any way. I need it for things such as checking how users would be able to view a video if I make one, or how web pages present, or such purposes. Very little do I use it.

Now rebooting.

$ uname -a
Linux naibd9 3.12.6-grsec-140106 #3 SMP Tue Jan 7 07:26:38 UTC 2014 x86_64 GNU/Linux
$
Cheers!
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#14 Post by timbgo »

Code:

#!/bin/bash

echo "  Caveat emptor! " 

echo "  Do not use this script if you do not understand  " 
echo " what you are doing. You are responsible if anything "
echo " breaks in your system (possible!) "
echo " "
echo " OTOH, maybe you could open it in one terminal for "
echo " perusing each next step before hitting enter to run "
echo " that next step, one by one... Hit Enter if you think you could try so. "
read FAKE ; 

wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.12.7.tar.sign
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.12.7.tar.xz
wget -nc https://www.grsecurity.net/test/grsecurity-3.0-3.12.7-201401091837.patch
wget -nc https://www.grsecurity.net/test/grsecurity-3.0-3.12.7-201401091837.patch.sig
wget -nc http://www.croatiafidelis.hr/gnu/deb/config-3.11.3-grsec-131009.gz.sig
wget -nc http://www.croatiafidelis.hr/gnu/deb/config-3.11.3-grsec-131009.gz
mkdir -p /home/src/grsec/
cp -iav linux-3.12.7.tar.* /home/src/grsec/
cp -iav grsecurity-3.0-3.12.7-201401091837.patch* /home/src/grsec/
cp -iav config-3.11.3-grsec-131009.gz* /home/src/grsec/
cd /home/src/grsec/
pwd
#read FAKE ; # This is my way of telling the user to hit Enter if all
	    # is well, or Ctrl-C if something went wrong.
# But wait, I'll make a automate this little piece of instruction...
readfake="Hit Enter if all is well, or Ctrl-C if something went wrong."
echo $readfake ; read FAKE ; 

unxz linux-3.12.7.tar.xz 
echo $readfake ; read FAKE ; 
gpg --verify linux-3.12.7.tar.sign 
echo $readfake ; read FAKE ; 
gpg --verify grsecurity-3.0-3.12.7-201401091837.patch.sig
echo $readfake ; read FAKE ; 
gpg --verify config-3.11.3-grsec-131009.gz.sig 
echo $readfake ; read FAKE ; 
tar xvf linux-3.12.7.tar 
echo $readfake ; read FAKE ; 
cd linux-3.12.7
pwd
echo $readfake ; read FAKE ; 
patch -p1 < ../grsecurity-3.0-3.12.7-201401091837.patch
echo $readfake ; read FAKE ; 
cd ../
pwd
echo $readfake ; read FAKE ; 
gunzip config-3.11.3-grsec-131009.gz
echo $readfake ; read FAKE ; 
cp -iav config-3.11.3-grsec-131009 linux-3.12.7/.config
echo $readfake ; read FAKE ; 
cd linux-3.12.7
echo $readfake ; read FAKE ; 
make menuconfig
echo $readfake ; read FAKE ; 
diff .config*
echo
echo "Now this, the next one, is a longer one step
      in the process..."
echo
echo $readfake ; read FAKE ; 
fakeroot make deb-pkg


echo "Here, the deb packages ought to be there..."
echo $readfake ; read FAKE ; 
cd ../
echo $readfake ; read FAKE ; 
ls -l *.deb
echo "If you see the packages similar as for the 3.12.6,
     above and if you already used paxctl on grub binaries as
     I took care to explain in detail, you're at your
     last step."
echo "But, that step you need to execute as root, so it
     is not part of this script executed all as user."
echo $readfake ; read FAKE ; 
pwd
msgbeforeroot1="Become root and enter this command, in this directory:"
msgbeforeroot2="dpkg -i *.deb"
echo $msgbeforeroot1
echo "$msgbeforeroot2"

# Upon rebooting, I just got:
# $ uname -a
# Linux naibd9 3.12.7-grsec-140109 #2 SMP Sat Jan 11 00:50:25 UTC 2014 x86_64 GNU/Linux
# $
Upon download (just copy and paste), you need to name this script grsec_install.sh and you need to:
$ chmod 755 grsec_install.sh
and probably modify a few things (not many if you're running amd64) before finally running it with:
./grsec_install.sh
P.S. Actually, I just checked, and there are some differences in whitespace between what I posted and what can be downloaded.
I recommend (too much whitespace if using "Code: Select all" to copy)... I recommend selecting carefully manually with the mouse, and pasting manually with
$ cat > grsec_install.sh

(paste and press Ctrl-D)
Then the difference between what I entered, and which you don't have, and what you have from this forums page is OK, because upon running diff on it like this
$ diff -b -B grsec_install_mouse_select.sh grsec_install_which_you_dont_have.sh
...Then that diff returns empty string, meaning it's ok.

A link to my parallel thread on Grsecurity Forum:
https://forums.grsecurity.net/viewtopic.php?f=3&t=3835

Miroslav Rovis,
Zagreb, Croatia
www.CroatiaFidelis.hr
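An added fail-closed version of the `gpg --verify` step, not code from the thread or from gpg itself: the scripts above rely on the reader eyeballing gpg's output, and gpg's exit status alone accepts a good signature from any key in the keyring, so this pins the signer's full fingerprint via `--status-fd` and refuses short ids like 0x17D681FC. The status lines and fingerprints in the sample are constructed placeholders, not the real kernel.org or grsecurity keys, and `verify_pinned` is a hypothetical wrapper name.

```shell
#!/bin/sh
# Added example, not code from the thread. gpg --verify exits 0 for a good signature
# from *any* key in the keyring, so the check below also requires that the VALIDSIG
# status line names the fingerprint we expect. Fingerprints here are placeholders.

# Read `gpg --status-fd 1 --verify` output on stdin. Exit 0 only if gpg reported a
# VALIDSIG whose signing-key or primary-key fingerprint equals $1 (40 hex chars).
# Prints the fingerprint that matched. Bad, expired and revoked signatures fail.
validsig_matches() {
    expected=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    # A short key id (8 or 16 hex chars) is not a safe thing to pin; insist on the full fpr.
    [ "${#expected}" -eq 40 ] || { echo "expected a full 40-char fingerprint" >&2; return 2; }
    signer= ; primary=
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # VALIDSIG <fpr> <date> <ts> <expire> <ver> <res> <pkalgo> <hashalgo> <class> [<primary-fpr>]
                set -- $line
                signer=$3
                primary=${12:-$3}
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*|"[GNUPG:] EXPSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                return 1 ;;
        esac
    done
    [ -n "$signer" ] || return 1
    if [ "$signer" = "$expected" ]; then printf '%s\n' "$signer"; return 0; fi
    if [ "$primary" = "$expected" ]; then printf '%s\n' "$primary"; return 0; fi
    return 1
}

# Hypothetical wrapper: verify a detached signature against its data file with a
# pinned fingerprint. With --status-fd 1 the machine-readable status goes to stdout.
verify_pinned() {
    sig=$1; data=$2; fpr=$3
    gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null | validsig_matches "$fpr"
}

# Constructed status output as gpg would print for a good signature (placeholder keys).
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG ABCDEF0123456789ABCDEF0123456789ABCDEF01 2014-01-02 1388700000 0 4 0 1 10 00 2222222222222222222222222222222222222222
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# Constructed status output for a signature that does not check out.
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.invalid>'

# Stand-alone demo on the constructed samples (real use: verify_pinned SIG DATA FPR).
for expected in ABCDEF0123456789ABCDEF0123456789ABCDEF01 3333333333333333333333333333333333333333; do
    if fp=$(printf '%s\n' "$GOOD_STATUS" | validsig_matches "$expected"); then
        echo "accepted: signed by $fp"
    else
        echo "rejected: no valid signature from $expected"
    fi
done
```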

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#15 Post by timbgo »

There's new grsecurity patch, some two or so hours ago, but, till that one I (hopefully) compile, pls. if you use instructions for the old patch and kernel, use this one:

http://www.croatiafidelis.hr/gnu/deb/co ... -140109.gz

http://www.croatiafidelis.hr/gnu/deb/co ... 140109.asc

instead of what I gave above. Should have more modules and things...
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#16 Post by timbgo »

This below is actually the script that can be downloaded from:
http://www.croatiafidelis.hr/gnu/deb/src-3.12.8-grsec/
EDIT START Sat Jan 18 15:24:54 EST 2014
All the files there are some 360MB, and while compiling with this script is safer, for newbies willing to try at their own risk, downloading the Debian packages into a newly created directory and running (as root):
# dpkg -i *.deb
could install the Grsecurity patched kernel without much fuss. (Then no development tools installation is needed.)
EDIT END
See more talk about it in bottom.

Code:

#!/bin/bash
#
# This is grsec_debian_v3.12.8.sh
#
# copyright  Miroslav Rovis, Zagreb, Croatia, www.CroatiaFidelis.hr
# (the above needs to be cited if the script is modified/further developed,
# even if my NGO Croatia Fidelis were to be shut down by my country's regime,
# as well as if the script is used as basis for later kernel versions
# patching and compilations)
#
# licenced under GNU v3.0 or later, at your choice
#
# How to use this script?
# =======================
# In case of issues, the user needs to consult official Debian documentation,
# such as Debian Kernel Handbook, as well as Grsecurity documentation, and
# other documentation and manuals, wikis and forums.
# 'chmod 755 grsec_debian_v3.12.8.sh' once you downloaded this script, place
# it, best, in your homedir, and follow instructions as you run it. If you
# encounter problems, modify for your needs. Also, pls. report errors on Debian
# Forums where I made the Tips page:
# "Grsecurity/Pax installation on Debian GNU Linux"
# but pls. if you will be waiting for my replies, it could take days and longer
# sometimes. Thank you!
#
echo
echo "  Caveat emptor! " 
echo
echo "  Do not use this script if you do not understand  " 
echo " what you are doing. You are responsible if anything "
echo " breaks in your system (possible!) "
echo " "
echo " OTOH, maybe you could open it in another terminal for "
echo " perusing each next step before hitting Enter to run "
echo " that next step, one by one in this terminal."
echo " Of course you should be checking yourself how the script is"
echo " faring, are the commands doing the intended and all."
echo " This is GNU Linux after all."
echo
echo "The script contains some code which is clumsy, but does the work; the"
echo "following: it is populated with 'read FAKE ;' lines. That is just"
echo "someone's (mine, who knows no better yet), way to tell you to decide"
echo "to continue running the script or issue Ctrl-C to kill it."
echo
        read FAKE ;
echo
echo "Tell this script what your username is, so we can create the workspace."
read user ;
echo "If you are user $user and your homedir is /home/$user/ then this"
echo "script should work for you. If not, modify the script to suit you."
        read FAKE ;
echo "We create next two directories in your homedir, 'dLo' for the downloads,"
echo "and 'src' for the compilation. Will not create them if they exist,"
echo "but pls. you make sure that nothing in them obstructs this script,"
echo "meaning, we'll run command: 'mkdir -pv /home/$user/dLo/ /home/$user/src/'"
        read FAKE ;
mkdir -pv /home/$user/dLo/ /home/$user/src/
echo ; echo ls -l /home/$user/dLo/ /home/$user/src/ ;
ls -l /home/$user/dLo/ /home/$user/src/
echo ; echo cd /home/$user/dLo/ ;
cd /home/$user/dLo/ ; pwd ;
echo ; echo "We download next the kernel, the patch, the config to use."
echo "In case you already did, you'll see info and/or innocuous errors."
echo "I only want the script to work, can't polish it. Sorry!"
        read FAKE ;
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.12.8.tar.sign
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.12.8.tar.xz
wget -nc https://www.grsecurity.net/test/grsecurity-3.0-3.12.8-201401160931.patch
wget -nc https://www.grsecurity.net/test/grsecurity-3.0-3.12.8-201401160931.patch.sig
wget -nc http://www.croatiafidelis.hr/gnu/deb/config-3.12.7-grsec-140113-16.sig
wget -nc http://www.croatiafidelis.hr/gnu/deb/config-3.12.7-grsec-140113-16.gz

echo ; echo "Import my new key, because I had to revoke the previous one:"
echo  "gpg --recv-key 0x4FBAF0AE"
        read FAKE ;
gpg --recv-key 0x4FBAF0AE
echo ; echo "Next, copy all downloads to /home/$user/src/"
        read FAKE ;
cp -iav linux-3.12.8.tar.* /home/$user/src/
cp -iav grsecurity-3.0-3.12.8-201401160931.patch* /home/$user/src/
cp -iav config-3.12.7-grsec-140113-16* /home/$user/src/
cd /home/$user/src/ ; pwd
ls -l linux-3.12.8*
        read FAKE ;
echo ; echo unxz linux-3.12.8.tar.xz ;
        read FAKE ; 
 unxz linux-3.12.8.tar.xz ;
echo ; echo gpg --verify linux-3.12.8.tar.sign ;
        read FAKE ; 
 gpg --verify linux-3.12.8.tar.sign ;
echo ; echo gpg --verify grsecurity-3.0-3.12.8-201401160931.patch.sig;
        read FAKE ; 
 gpg --verify grsecurity-3.0-3.12.8-201401160931.patch.sig;
echo ; echo gunzip config-3.12.7-grsec-140113-16.gz;
        read FAKE ; 
 gunzip config-3.12.7-grsec-140113-16.gz;
echo ; echo gpg --verify config-3.12.7-grsec-140113-16.sig ;
        read FAKE ; 
 gpg --verify config-3.12.7-grsec-140113-16.sig ;
echo ; echo tar xvf linux-3.12.8.tar ;
        read FAKE ; 
 tar xvf linux-3.12.8.tar ;
echo ; echo cd linux-3.12.8;
        read FAKE ; 
 cd linux-3.12.8; pwd
echo ; echo "patch -p1 < ../grsecurity-3.0-3.12.8-201401160931.patch";
        read FAKE ; 
 patch -p1 < ../grsecurity-3.0-3.12.8-201401160931.patch
echo ; echo cd ../;
 cd ../ ; pwd
        read FAKE ; 
echo ; echo cp -iav config-3.12.7-grsec-140113-16 linux-3.12.8/.config;
        read FAKE ; 
 cp -iav config-3.12.7-grsec-140113-16 linux-3.12.8/.config
echo ; echo cd linux-3.12.8;
        read FAKE ; 
 cd linux-3.12.8
pwd
echo ; echo "Here we modify the LOCALVERSION variable to be -YYMMDD-HH"
locver=`date +%y%m%d-%H`
echo $locver
read FAKE ;
echo sed -i.bak "s/140113-16/$locver/" .config
read FAKE ;
sed -i.bak "s/140113-16/$locver/" .config
echo ; echo "And we need to check that we did what we meant:"
grep LOCALVERSION .config
echo ; echo "And we can also move the backup out of way if it went well."
mv -vi .config.bak ../ ;
echo ; echo make menuconfig;
        read FAKE ; 
echo "If here you will see the script complaining:"
echo "./grsec_debian_v3.12.8.sh: line 125: make: command not found"
echo "then you need to install the development tools (don't worry,"
echo "nothing much ;-) Pls. find instructions in some of my previous/later"
echo "posts in this Tip, or read the script itself at this point."
# Huh? You found it? Probably these commands would get you all you're missing at
# this point:"
# # apt-get install build-essential fakeroot ;
# # apt-get build-dep linux ;
# #  apt-get install libncurses5-dev ;
# that's not an error '# #'. Run as root. If run as user you would see '# $'
# instead.
# And there's more, essential for Grsecurity/Pax install:
# # apt-get install gcc-4.8-plugin-dev

 make menuconfig
echo ; echo "The diff .config below will only show differences if you edited"
echo "the config through the ncurses menuconfig interface. You may not and"
echo "you may need to, in case, say, you have some exotic hardware and"
echo "functionality is later found missing for you."
echo diff .config*;
 diff .config*
        echo
        echo ; echo "Now this, the next one, can be a longer one step
              in the process..."
        echo
echo ; echo fakeroot make deb-pkg;
        read FAKE ; 
 fakeroot make deb-pkg


        echo ; echo "Here, the deb packages ought to be there..."
        read FAKE ; 
echo ; echo cd ../ ;
cd ../ ; pwd ;
        read FAKE ; 
ls -l *.deb
        echo ; echo "If you see the packages named linux-XXXXXX-grsec-XXX.deb ,
             above and if you already used paxctl on grub binaries as
             I took care to explain in detail, you're at your
             last step."
        echo ; echo "But, that step you need to execute as root, so it
             is not part of this script executed all as user."
        read FAKE ; 
pwd
msgbeforeroot1="As root in directory /home/$user/src/ issue this command"
msgbeforeroot2="dpkg -i *.deb"
echo ; echo $msgbeforeroot1
echo ; echo "$msgbeforeroot2"

echo "If no errors there, you can reboot."
echo "Upon rebooting, you too should get something like I did below:"
echo "Pls. look up the rest of the script, for that and for a message"
echo "to users of Debian GNU Linux"
# $ uname -a
# 
# $

# But I despise so much the fact that the best GNU Linux security is blocked
# from official Debian GNU Linux, that I intend to use my slow connection, a
# fraction of what I pay for, being myself a homeland living dissident whom the
# traitors in power in my Croatia, try to keep under control through
# censorship like that and worse.. Illegally they do so, but those are a bunch
# of criminals, most of them, anyways... That exactly is what my friend Marko
# Francišković said to some of their servants, police officers, and is now
# paying for those words with being tortured, by being administered to him very
# hazardous medicament like Zypress (if I got the brand name of that sh*t
# correctly), and his life is in real danger.
# 
# But I was saying that I so much despise the fact that the best GNU Linux
# security is blocked from official Debian GNU Linux, that I intend to use my
# slow connection, a fraction of what I pay for, to try and upload these
# Grsecurity patched Debian GNU Linux packages I compiled, on
# www.CroatiaFidelis. And that task might take me a few hours to even ten or
# more hours time.
# 
# That's the measure of my disgust of the Debian GNU Linux leaders having
# practically and effectively, and for all intents and purposes, banned
# Grsecurity from anything official in Debian GNU Linux.
# 
# And yet it is such a small effort to compile Grsecurity/Pax patched GNU Linux
# kernel for Debian GNU Linux, that a user who may only be considered somewhat
# advanced and never really a developer, can do it .
# 
# And pls.let me know if this works for you, dear Debian GNU Linux user!  Those
# who know how to compile, and those who hopefully learn how to compile through
# my Tips pages on Debian Forums, pls. get active. We have to get a branch in
# the Official Debian GNU Linux repositories, this way, some other way or in
# yet other fashion, shape, form or shape, this huge injustice against us the
# users and against shiny honest developers Spender and Pax Team has to be
# reversed!
# 
# Miroslav Rovis, Zagreb, Croatia, Vankina 4, +385(0)16602633, +385(0)912660202
# (but you could only reach me if secret services here allow your call through)
# 
# miro.rovis@croatiafidelis.hr (but you have to be patient awaiting my replies,
# really!, and, sure, only if those evildoers let it through)
# 
# So the safest places to post a message to me, is on Debian Forums, and on
# Grsecurity Forums, the latter especially if you have private messages for me.
# But again, be patient awaiting for my replies!
# 
# Alternative sites, if www.CroatiaFidelis.hr "disappeared": www.exDeo.com and
# www.vankina2-10.com
# 
Pls. see also Grsecurity Forums, newbies topic, if it is, say, a problem more strictly related to Grsecurity:
https://forums.grsecurity.net/viewtopic.php?f=3&t=3835
and of course, if it is more Debian specific, then in this topic, where you are reading these lines.
Only two things are due, for those who might go and try and download and install my packages:
1) at your own responsibility, works for me, might and might not for you, might even break your system, I don't think it really could, but I don't know and guarantee nothing
2) For those who install and are not home yet with Grsecurity/Pax...
get paxctl somewhere. Iceweasel won't work out of the box, and maybe some other programs, but it's a simple fix to do it...
God, I'm so tired, but I can't go to sleep before I post that small little tip in here, right away...
I think it's:
# apt-get install paxctl
and then
# paxctl -cm /usr/lib/iceweasel/iceweasel

Miroslav Rovis,
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: Grsecurity/Pax installation on Debian GNU/Linux

#17 Post by timbgo »

http://www.croatiafidelis.hr/gnu/deb/src-3.13.1-grsec/
All can be found there, but I can post the new script here.
A note first, though. I compiled it yesterday with the old patch.
So if anyone is venturing to compile their own Grsecurity patched kernel, they should use:

http://www.croatiafidelis.hr/gnu/deb/sr ... W_PATCH.sh

and it should just work.

Now, here the script which contains

########################
an open note
####################

to Debian leaders:

Code:

#!/bin/bash
#
# This is grsec_debian_v3.13.1.sh
#
# copyright  Miroslav Rovis, Zagreb, Croatia, www.CroatiaFidelis.hr
# (the above needs to be cited if the script is modified/further developed,
# even if my NGO Croatia Fidelis were to be shut down by my country's regime,
# as well as if the script is used as basis for later kernel versions
# patching and compilations)
#
# licenced under GNU v3.0 or later, at your choice
#
# How to use this script?
# =======================
# In case of issues, the user needs to consult official Debian documentation,
# such as Debian Kernel Handbook, as well as Grsecurity documentation, and
# other documentation and manuals, wikis and forums.
# 'chmod 755 grsec_debian_v3.13.1.sh' once you downloaded this script, place
# it, best, in your homedir, and follow instructions as you run it. If you
# encounter problems, modify for your needs. Also, pls. report errors on Debian
# Forums where I made the Tips page:
# "Grsecurity/Pax installation on Debian GNU Linux"
# but pls. if you will be waiting for my replies, it could take days and longer
# sometimes. Thank you!
#
echo
echo "  Caveat emptor! " 
echo
echo "  Do not use this script if you do not understand  " 
echo " what you are doing. You are responsible if anything "
echo " breaks in your system (possible!) "
echo
echo " OTOH, maybe you could open it in another terminal for "
echo " perusing each next step before hitting Enter to run "
echo " that next step, one by one in this terminal."
echo " Of course you should be checking yourself how the script is"
echo " faring, are the commands doing the intended and all."
echo " This is GNU Linux after all."
echo
echo "The script contains some code which is clumsy, but does the work; the"
echo "following: it is populated with 'read FAKE ;' lines. That is just"
echo "someone's (mine, who knows no better yet), way to tell you to decide"
echo "to continue running the script hitting Enter or issue Ctrl-C to kill it."
echo
        read FAKE ;
echo
echo "Tell this script what your username is, so we can create the workspace."
read user ;
echo "If you are user $user and your homedir is /home/$user/ then this"
echo "script should work for you. If not, modify the script to suit you."
        read FAKE ;
echo "We create next two directories in your homedir, 'dLo' for the downloads,"
echo "and 'src' for the compilation. Will not create them if they exist,"
echo "but pls. you make sure that nothing in them obstructs this script,"
echo "meaning, we'll run command: 'mkdir -pv /home/$user/dLo/ /home/$user/src/'"
echo "A note is due here. If you don't have at least 10GB free in your homedir,"
echo "you need to modify the script such as to make the /home/$user/src a"
echo "symlink to somewhere with enough room for the compilation"
        read FAKE ;
mkdir -pv /home/$user/dLo/ /home/$user/src/
echo ; echo ls -l /home/$user/dLo/ /home/$user/src/ ;
ls -l /home/$user/dLo/ /home/$user/src/
echo ; echo cd /home/$user/dLo/ ;
        read FAKE ;
cd /home/$user/dLo/ ; pwd ;
echo ; echo "We download next the kernel, the patch, the config to use."
echo "In case you already did, you'll see info and/or innocuous errors."
echo "I only want the script to work, can't polish it. Sorry!"
        read FAKE ;
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.13.1.tar.sign
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.13.1.tar.xz
wget -nc https://www.grsecurity.net/test/grsecurity-3.0-3.13.1-201401301657.patch
wget -nc https://www.grsecurity.net/test/grsecurity-3.0-3.13.1-201401301657.patch.sig
echo ; echo "A note about the config to use: it should work (I'll try this"
echo "script first thing after I finish this updating/rewriting it from the"
echo "previous version), it is the same as next, just the LOCALVERSION changes"
echo "so you could use config-3.12.8-grsec-140117-06 if you compiled with the"
echo "previous version of this script, just modify the lines below to that effect"
echo ;
        read FAKE ;
wget -nc http://www.croatiafidelis.hr/gnu/deb/config-3.12.7-grsec-140113-16.sig
wget -nc http://www.croatiafidelis.hr/gnu/deb/config-3.12.7-grsec-140113-16.gz

echo ; echo "Import the necessary keys:"
echo  "gpg --recv-key 0x2525FE49"
        read FAKE ;
gpg --recv-key 0x2525FE49
echo  "gpg --recv-key 0x6092693E"
        read FAKE ;
gpg --recv-key 0x6092693E

echo ; echo "Import my key:"
echo  "gpg --recv-key 0x4FBAF0AE"
        read FAKE ;
gpg --recv-key 0x4FBAF0AE

echo "You can go offline now, internet not needed while compiling."
echo "I, myself, unplug the connection physically."

echo ; echo "Next, copy all downloads to /home/$user/src/"
        read FAKE ;
cp -iav linux-3.13.1.tar.* /home/$user/src/
cp -iav grsecurity-3.0-3.13.1-201401301657.patch* /home/$user/src/
cp -iav config-3.12.7-grsec-140113-16* /home/$user/src/
cd /home/$user/src/ ; pwd
ls -l linux-3.13.1*
        read FAKE ;
echo ; echo unxz linux-3.13.1.tar.xz ;
        read FAKE ; 
 unxz linux-3.13.1.tar.xz ;
echo ; echo gpg --verify linux-3.13.1.tar.sign ;
        read FAKE ; 
 gpg --verify linux-3.13.1.tar.sign ;
echo ; echo gpg --verify grsecurity-3.0-3.13.1-201401301657.patch.sig;
        read FAKE ; 
 gpg --verify grsecurity-3.0-3.13.1-201401301657.patch.sig;
echo ; echo gunzip config-3.12.7-grsec-140113-16.gz;
        read FAKE ; 
 gunzip config-3.12.7-grsec-140113-16.gz;
echo ; echo gpg --verify config-3.12.7-grsec-140113-16.sig ;
        read FAKE ; 
 gpg --verify config-3.12.7-grsec-140113-16.sig ;
echo ; echo tar xvf linux-3.13.1.tar ;
        read FAKE ; 
 tar xvf linux-3.13.1.tar ;
echo ; echo cd linux-3.13.1;
        read FAKE ; 
 cd linux-3.13.1; pwd
echo ; echo "patch -p1 < ../grsecurity-3.0-3.13.1-201401301657.patch";
        read FAKE ; 
 patch -p1 < ../grsecurity-3.0-3.13.1-201401301657.patch
echo ; echo cd ../;
 cd ../ ; pwd
        read FAKE ; 
echo ; echo cp -iav config-3.12.7-grsec-140113-16 linux-3.13.1/.config;
        read FAKE ; 
 cp -iav config-3.12.7-grsec-140113-16 linux-3.13.1/.config
echo ; echo cd linux-3.13.1;
        read FAKE ; 
 cd linux-3.13.1
pwd
echo ; echo "Here we modify the LOCALVERSION variable to be -YYMMDD-HH"
locver=`date +%y%m%d-%H`
echo $locver
read FAKE ;
echo sed -i.bak "s/140113-16/$locver/" .config
read FAKE ;
sed -i.bak "s/140113-16/$locver/" .config
echo ; echo "And we need to check that we did what we meant:"
grep LOCALVERSION .config
echo ; echo "And we can also move the backup out of way if it went well."
mv -vi .config.bak ../ ;
echo ; echo make menuconfig;
        read FAKE ; 
echo "If here you will see the script complaining:"
echo "./grsec_debian_v3.13.1.sh: line 125: make: command not found"
echo "then you need to install the development tools. Don't worry,"
echo "nothing much. Pls. find instructions in some of my previous/later"
echo "posts in this Tip, or read the script itself at this point."
# Huh? You found it? Probably these commands would get you all you're missing at
# this point:
# # apt-get install build-essential fakeroot ;
# # apt-get build-dep linux ;
# #  apt-get install libncurses5-dev ;
# that's not an error '# #'. Run as root. If run as user I would write '# $'
# instead, where the first # is necessary to make those lines comments
# in both cases.
# And there's more, essential for Grsecurity/Pax install:
# # apt-get install gcc-4.8-plugin-dev
# The lines above I won't be checking, since I have dev tools installed.
# Reports are welcome.

 make menuconfig
echo ; echo "The diff .config below will only show differences if you edited"
echo "the config through the ncurses menuconfig interface. You may not and"
echo "you may need to, in case, say, you have some exotic hardware and"
echo "functionality is later found missing for you."
echo diff .config*;
 diff .config*
        echo
        echo ; echo "Now this, the next one, can be a longer one step \
              in the process..."
        echo
echo ; echo fakeroot make deb-pkg;
        read FAKE ; 
 fakeroot make deb-pkg


        echo ; echo "Here, the deb packages ought to be there..."
        read FAKE ; 
echo ; echo cd ../ ;
cd ../ ; pwd ;
        read FAKE ; 
ls -l *.deb
        echo ; echo "If you see the packages named linux-XXXXXX-grsec-XXX.deb ,"
        echo "above and if you already used paxctl on grub binaries as"
        echo "I took care to explain in detail in my Tips (above or linked"
        echo "somewhere), you're at your last step."
        echo ; echo "But, that step you need to execute as root, so it"
        echo "is not part of this script executed entire as user."
        read FAKE ; 
pwd
msgbeforeroot1="As root in directory /home/$user/src/ issue this command"
msgbeforeroot2="dpkg -i *.deb"
echo ; echo $msgbeforeroot1
echo ; echo "$msgbeforeroot2"

echo "And then, if no errors there, you can reboot."
echo "Upon rebooting, you too should get something like I did below:"
echo "Pls. look up the rest of the script, for that and for a message"
echo "to users of Debian GNU Linux"
# $ uname -a
# 
# $

# But I despise so much the fact that the best GNU Linux security is blocked
# and probably artificial, fabricated, manufactured issues introduced to arise
# in the Debian system once it is installed and Grsec kernel started and the
# system connects online, as I might be able to demonstrate that those issues I
# had since my installation of 3.21.8 version two weeks ago. Reasons for my
# suspicion: no issues in the system until only offline, freshly cloned, as I
# do them, from other same hardware of my systems, safely offline, and strange
# issues arising solely after the system has connected to internet... And
# again, no issues with sysresccd booting and accessing internet from the same
# box.
#
# But, I was saying, I despise so much the fact that the best GNU Linux
# security is blocked from official Debian GNU Linux, that I intend to use my
# slow connection, a fraction speed of what I pay for, being myself a homeland
# living dissident whom the traitors in power in my Croatia try to keep under
# control through censorship like that and worse.. Illegally they do so, but
# those are a bunch of criminals, most of them, anyways... That exactly is what
# my friend Marko Francišković said to some of their servants, police officers,
# and is now paying for such words with being tortured, through being
# administered to him forcefully very hazardous medicaments like Zyprex (if I
# got the brand name of that sh*t correctly), and his life is in real danger.
#
# You can actually see Marko Francišković's brutal arrest by the police in a
# video that I linked to from the topic on Grsecurity Forums:
# "grsec: halting the system... kernel crash, the Debian side",
# just search for 'Marko Francišković'.
# 
# But I was saying that I so much despise the fact that the best GNU Linux
# security is blocked from official Debian GNU Linux, that I intend to use my
# slow connection, at a fraction speed of what I pay for, to try and upload
# these Grsecurity patched Debian GNU Linux packages I compiled, on
# www.CroatiaFidelis.hr . And that task might take me quite a few hours or more
# hours time. I hope to do that with the new packages that I just made, as I am
# giving a final revision to this script for Grsec patched kernel 3.13.1 for
# Debian, as I successfully uploaded them for 3.12.8 .
# 
# That's the measure of my disgust of the Debian GNU Linux leaders having
# practically and effectively, and for all intents and purposes, banned
# Grsecurity from anything official in Debian GNU Linux, and throwing in, or
# facilitating such actions by someone else, fake errors to confuse new
# Grsecurity users, as I might be able to demonstrate. That behavior, such
# hostile action or arrangements, are, apart from being severe moral
# degradation in their own right, against Debian declared social contract,
# isn't it?  Debian social contract forbids discrimination, and this is
# discrimination.
#
# Hey leaders of Debian, who either behave like a bunch of crooks, or
# facilitate crooks (state and corporate crooks, in all probability) against
# the users of Debian, you have a piece of commons, you have a property of, for
# short explanation, all good users in the world, a GNU property, a property
# which is there for all of us to benefit, and not for you to either sell users
# through your decisions and arrangements of that property, and by means of
# possibly shady dealings with spy agencies and their associates like Google,
# your great friend, or by facilitating others to do such deals and actions!
# 
# Hey leaders of Debian, you have a piece of commons which you are not allowed
# to do anything against us users with, and you are abusing it/allowing it to
# be abused against us!
#
# But I already said, in the script for the 3.12.8, and was to repeat it now, somewhat modified,
# and yet while it is such a small effort to compile Grsecurity/Pax patched GNU Linux
# kernel for Debian GNU Linux, that a user who may only be considered somewhat
# advanced and never really a developer, can do it.
#
# But, while it is small effort compiling Grsecurity into Debian, it is,
# however, not a minor effort to demonstrate how new Grsecurity attempts at
# installing and using Grsecurity are deterred, or facilitated to be deterred,
# purposefully, so go and study my work so far to decide for yourself whether
# my bare words with no proofs as yet are to be, or not, taken with, and with
# how much, serious consideration, and whether my accusations against Debian
# leaders might be or are probably not at all baseless. Because efforts I will
# make to prove the above suspicion, but it is really huge effort that is
# needed, and my machines and my SOHO are under attack...  So I am not at all
# certain to succeed in doing so.
# 
# Pls. let me know if this works for you, dear Debian GNU Linux user! Those who
# know how to compile, and those who hopefully learn how to compile through my
# Tips pages on Debian Forums, pls. get active. We have to get a branch in the
# Official Debian GNU Linux repositories, this way, some other way or in yet
# other fashion, shape or form, this huge injustice against us the users and
# against shiny honest developers Spender and Pax Team and other developers
# from their circle has to be reversed!
# 
# Miroslav Rovis, Zagreb, Croatia, Vankina 4, +385(0)16602633, +385(0)912660202
# (but you could only reach me if secret services here allow your call through,
# censorship in Croatia heavy and getting heavier yet)
# 
# miro.rovis@croatiafidelis.hr (but you have to be patient awaiting my replies,
# really!, and, sure, only if those evildoers let it through)
# 
# So the safest places to post a message to me, is on Debian Forums, and on
# Grsecurity Forums, the latter especially if you have private messages for me.
# But again, be patient awaiting for my replies!
# 
# Alternative sites, if www.CroatiaFidelis.hr "disappeared": www.exDeo.com and
# www.vankina2-10.com
#
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
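The script above runs each `gpg --verify` and then carries on whatever gpg reports. The following is an added example, not the author's script: it parses gpg's machine-readable `--status-fd` output so that the patch step can be gated on an acceptable signature. The fingerprint and key id in its sample status lines are constructed, and `verify_or_fail` assumes gpg is installed with the signer's key imported.

```shell
#!/bin/bash
# Added example (not the forum author's script): let gpg's verdict gate the
# build. The script above runs 'gpg --verify' and carries on whatever gpg
# says, so the check is only as good as the eye reading the terminal. Here
# gpg's machine-readable status lines (--status-fd) decide instead.
#
# A signature is accepted only if a VALIDSIG line is present (the signature
# itself checks out), no BADSIG/ERRSIG/NO_PUBKEY/EXPKEYSIG/REVKEYSIG line is
# present (gpg reports an expired or revoked signing key on a separate line,
# next to VALIDSIG), and the VALIDSIG fingerprint ends with the expected key.
# Give a full 40-hex-digit fingerprint where you can; a short id such as
# 0x4FBAF0AE is accepted but is only a suffix match, and short ids collide.

# sig_ok EXPECTED_KEY  (gpg status lines on stdin) -> 0 only if acceptable
sig_ok() {
    local expected line fpr valid_fpr="" bad=0
    expected=$(printf '%s' "${1#0x}" | tr 'a-f' 'A-F')
    [ -n "$expected" ] || return 1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # third field: fingerprint of the key that made the signature
                fpr=$(printf '%s\n' "$line" | awk '{print $3}')
                valid_fpr="$fpr" ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                bad=1 ;;
        esac
    done
    [ "$bad" -eq 0 ] || return 1
    [ -n "$valid_fpr" ] || return 1
    case "$valid_fpr" in
        *"$expected") return 0 ;;
    esac
    return 1
}

# verify_or_fail SIGFILE DATAFILE EXPECTED_KEY -> 0 if DATAFILE carries an
# acceptable detached signature; the caller decides what to do on failure.
# Assumes gpg is installed and the signer's key was imported (as the script
# does with its gpg --recv-key lines).
verify_or_fail() {
    local status
    # --status-fd 1 puts the status lines on stdout; gpg's own exit code is
    # ignored here because sig_ok judges the lines (no lines at all -> fail)
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    if printf '%s\n' "$status" | sig_ok "$3"; then
        echo "OK: $2 is signed by a key matching $3"
    else
        echo "FAILED: signature check for $2 (expected key $3)" >&2
        return 1
    fi
}
# In the build script this replaces the bare 'gpg --verify' lines, e.g.:
#   verify_or_fail linux-3.13.1.tar.sign linux-3.13.1.tar "$KERNEL_KEY" || exit 1
# with KERNEL_KEY set to the fingerprint of the key that really signs the
# tarball (one of the keys the script's gpg --recv-key lines import).

# Constructed gpg status output for the checks below. The fingerprint and
# the expected key id 0x01234567 are made up for this example.
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CCDDEEFF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF01234567 2014-01-30 1391090000 0 4 0 1 10 00 00112233445566778899AABBCCDDEEFF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG CCDDEEFF01234567 Example Signer <signer@example.invalid>'
# a signature that checks out but comes from a key gpg reports as expired
EXPIRED_STATUS='[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG CCDDEEFF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF01234567 2014-01-30 1391090000 0 4 0 1 10 00 00112233445566778899AABBCCDDEEFF01234567'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$GOOD_STATUS"    | sig_ok 0x01234567 && echo "good sig:    accepted"
    printf '%s\n' "$BAD_STATUS"     | sig_ok 0x01234567 || echo "bad sig:     rejected"
    printf '%s\n' "$EXPIRED_STATUS" | sig_ok 0x01234567 || echo "expired key: rejected"
fi
```

Run it with the argument `demo` to see the three constructed cases judged.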

timbgo

Re: Grsecurity/Pax installation on Debian GNU/Linux

#18 Post by timbgo »

Carefully manually selecting the code from top of:
http://forums.debian.net/viewtopic.php? ... 16#p525714
and cat'ing it into like:
$ cat > grsec_install.sh

(paste and press Ctrl-D)
you can, to get the new packages for new compilation, do.
First:

Code:

$  mv -iv grsec_install.sh  grsec_install.sh.OLD
Next, get the new links to use, get them from:
https://grsecurity.net/download.php
and from:
https://www.kernel.org/
and maybe, if I do more work in the future, from:
http://www.croatiafidelis.hr/gnu/deb/
and replace them (not if you are using this script today or not much later) as the second, the one that is to replace, input to the sed commands (three sed commands, but concatenated) below:

Code:

cat  grsec_install.sh.OLD |sed 's/grsecurity-3.0-3.12.7-201401091837/grsecurity-3.0-3.13.3-201402152204/' |sed 's/3.12.7/3.13.3/' | sed 's/config-3.11.3-grsec-131009/config-3.12.7-grsec-140109/' > grsec_install.sh
Then, surely,

Code:

chmod 755 grsec_install.sh
and whatever advice I gave earlier, I checked and the new grsec_install.sh downloads all packages fine...

Since kernel compile usually is part of an overall update of the system, also see:
http://forums.debian.net/viewtopic.php? ... 87#p530787

Miroslav Rovis
Zagreb, Croatia,
http://www.croatiafidelis.hr
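The three chained sed commands above, as an added example that is not the post's own script: a function that rewrites a saved copy of the build script for new kernel, patch and config names, and then checks that the tarball and the grsecurity patch are for the same kernel version (the mistake post #17 mentions). It goes a step beyond the post by replacing only anchored names instead of the bare kernel version; the sample script excerpt and the new config name in its demo are constructed.

```shell
#!/bin/bash
# Added example, not the forum author's script: rewrite a saved copy of the
# build script for a new kernel/patch/config, as the three chained sed
# commands in the post do, then check the result for the mistake post #17
# above mentions (building with a patch meant for a different kernel).
# All file names in write_sample_script/demo are constructed for this example.

# esc_re STRING -> STRING with '.' escaped so sed matches a literal dot
# (a bare 's/3.12.7/3.13.3/' also matches '3x12x7'; harmless here, but an
# escaped pattern says what it means).
esc_re() { printf '%s' "$1" | sed 's/[.]/\\./g'; }

# bump_script OLD NEW OLD_KVER NEW_KVER OLD_PATCH NEW_PATCH OLD_CFG NEW_CFG
# Writes NEW from OLD. Full patch and config names are replaced first, then
# 'linux-OLD_KVER' (tarball, source dir, cd lines). The kernel version is
# never replaced bare, so a config name that still carries an older version
# (config-3.12.7-... is used for kernel 3.13.1 above) is left alone.
bump_script() {
    local old="$1" new="$2" old_kver="$3" new_kver="$4"
    local old_patch="$5" new_patch="$6" old_cfg="$7" new_cfg="$8"
    sed -e "s/$(esc_re "$old_patch")/$new_patch/g" \
        -e "s/$(esc_re "$old_cfg")/$new_cfg/g" \
        -e "s/linux-$(esc_re "$old_kver")/linux-$new_kver/g" \
        "$old" > "$new" || return 1
    # none of the old names may survive
    if grep -q -e "$old_patch" -e "$old_cfg" -e "linux-$old_kver" "$new"; then
        echo "bump_script: stale names remain in $new" >&2
        return 1
    fi
}

# kernel_version_of_script FILE -> X.Y.Z taken from the kernel tarball URL
kernel_version_of_script() {
    sed -n 's#.*/linux-\([0-9][0-9.]*\)\.tar\.xz.*#\1#p' "$1" | head -n 1
}

# patch_kernel_version_of_script FILE -> X.Y.Z the grsecurity patch is for
# (name format: grsecurity-<grsec version>-<kernel version>-<timestamp>.patch)
patch_kernel_version_of_script() {
    sed -n 's#.*/grsecurity-[0-9.]*-\([0-9][0-9.]*\)-[0-9]*\.patch.*#\1#p' "$1" | head -n 1
}

# check_script_consistent FILE -> 0 only if tarball and patch versions agree
check_script_consistent() {
    local kv pv
    kv=$(kernel_version_of_script "$1")
    pv=$(patch_kernel_version_of_script "$1")
    if [ -z "$kv" ] || [ -z "$pv" ]; then
        echo "check_script_consistent: could not find both versions in $1" >&2
        return 1
    fi
    if [ "$kv" != "$pv" ]; then
        echo "check_script_consistent: kernel $kv but patch is for $pv" >&2
        return 1
    fi
    echo "OK: kernel $kv and patch for $pv agree"
}

# write_sample_script FILE: constructed excerpt in the shape of the 3.13.1
# script above (only the lines the checks look at)
write_sample_script() {
    cat > "$1" <<'EOF'
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.13.1.tar.sign
wget -nc https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.13.1.tar.xz
wget -nc https://www.grsecurity.net/test/grsecurity-3.0-3.13.1-201401301657.patch
wget -nc https://www.grsecurity.net/test/grsecurity-3.0-3.13.1-201401301657.patch.sig
wget -nc http://www.croatiafidelis.hr/gnu/deb/config-3.12.7-grsec-140113-16.gz
 tar xvf linux-3.13.1.tar ;
 cd linux-3.13.1; pwd
 patch -p1 < ../grsecurity-3.0-3.13.1-201401301657.patch
 cp -iav config-3.12.7-grsec-140113-16 linux-3.13.1/.config
EOF
}

demo() {
    local d
    d=$(mktemp -d)
    write_sample_script "$d/grsec_install.sh.OLD"
    # 3.13.3 and its patch stamp are the ones the post's sed line uses;
    # the new config name is a made-up placeholder
    bump_script "$d/grsec_install.sh.OLD" "$d/grsec_install.sh" 3.13.1 3.13.3 \
        grsecurity-3.0-3.13.1-201401301657 grsecurity-3.0-3.13.3-201402152204 \
        config-3.12.7-grsec-140113-16 config-3.13.3-grsec-EXAMPLE \
        && check_script_consistent "$d/grsec_install.sh"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with the argument `demo` to see the rewrite and the consistency check on the constructed excerpt.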

timbgo

Re: Grsecurity/Pax installation on Debian GNU/Linux

#19 Post by timbgo »

Since it is a matter of both Grsecurity and Debian, and there wasn't any reason to cross-post, on Grsecurity Forums in this topic below, people can find some criticism addressed to the Debian leaders:
grsec: halting the system... kernel crash, the Debian side
https://forums.grsecurity.net/viewtopic ... 886#p13885
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
EDIT:
That is the principle, but I used my own posts too old, and version numbers are too old... The way to manipulate the script with sed is correct though.

timbgo

Re: Grsecurity/Pax installation on Debian GNU/Linux

#20 Post by timbgo »

Here the new script, and the config, with respective signatures:
################################################

http://croatiafidelis.hr/gnu/deb/grsec_ ... v3.13.3.sh

http://croatiafidelis.hr/gnu/deb/grsec_ ... 3.3.sh.sig

That one you need for the script below...
==============================================

http://croatiafidelis.hr/gnu/deb/config ... 0130-21.gz

http://croatiafidelis.hr/gnu/deb/config ... 130-21.sig

And that script is safer to download and verify, so I'm not cluttering with same text here, I don't think it would be needed....
If it was needed for more than a week or two, when it, for reasons of the kernel being a moving target, needs update or can't be used really, probably not really.... Things change fast in GNU/Linux...
################################################
Feedback is welcome. Pls., public feedback if the questions are not of really private nature, which is not so likely, I guess.
And for topics more on the Debian side of possible issues, here, while if an issue pertains prevalently to the Grsecurity side, then:
https://forums.grsecurity.net/viewtopic.php?f=3&t=3835

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
