The officially official Devuan Forum!

#76 Re: Installation » sans-dbus, Questions, Tips and Tricks on its Implementation » 2017-12-21 13:41:48

I'll give here, as I promised in my EDIT of today in the first post, what I believe is necessary (a query too about it will follow afterwards).

Some of these are needed, and I wasn't able to find /etc/apt/preferences.d/avoid-systemd in dev1fanboy's wiki, even though I had, months ago now, picked it from there, to my best recollection:

# ls -ABRgo /etc/apt/preferences*
-rw-r--r-- 1  262 2017-12-01 14:30 /etc/apt/preferences

/etc/apt/preferences.d:
total 4
-rw-r--r-- 1 62 2015-04-20 22:25 avoid-systemd

So:

# cat /etc/apt/preferences
Package: *dbus*
Pin: origin ""
Pin-Priority: -1

Package: *consolekit*
Pin: origin ""
Pin-Priority: -1

Package: *policykit*
Pin: origin ""
Pin-Priority: -1

Package: *pulse*
Pin: origin ""
Pin-Priority: -1

Package: *pulseaudio*
Pin: origin ""
Pin-Priority: -1
#

and:

# cat /etc/apt/preferences.d/avoid-systemd 
Package: systemd-sysv
Pin: release o=Debian
Pin-Priority: -1
#

Now the query. Is it better I stick:

# cat > /etc/apt/preferences.d/avoid-systemd
Package: systemd
Pin: release o=Debian
Pin-Priority: -1 

Package: systemd
Pin: release *
Pin-Priority: -1
#

or should what I already have in place be fine? Anybody, what's your take?

That we call it no-systemd or avoid-systemd is irrelevant, just whether:

Package: systemd-sysv

gets the same effect on the system as:

Package: systemd

in the two included variants for the new script?

BTW, I don't have issues. My Ceres is not plagued by either systemd or dbus.

(Nor pulseaudio either. And my audio is functioning well, in PaleMoon, FFmpeg, MPlayer, Mencoder, Mpv, Vlc...)

Regards!

#78 Re: Documentation » Grsecurity/Pax installation on Devuan GNU/Linux » 2017-12-10 01:56:04

I've decided to offer packages that, according to the latest realization --but that may change, therefore the warning in the download page--:

NULL pointer deref in do_blockdev_direct_IO()
https://github.com/minipli/linux-unoffi … -350482590

protect my system, while the vanilla kernel does not.

Pls. feel free to test:

https://croatiafidelis.hr/gnu/deb/linux … 171209-20/

#79 Re: Installation » OpenRC and eudev installation in Devuan ceres » 2017-12-02 09:06:33

Also great to read from golinux!

fog wrote:

To answer your question:
Since I am using Devuan in VM, I can't use grsec (only exception is VirtualBox for grsec customized by Alpine Linux). I gave up on grsec because of ended updates.

There's
kernel tried to execute NX-protected page - exploit attempt?
https://github.com/minipli/linux-unoffi … -348678535
Aahh..., I gave a particular subpage... But, never mind, read how good grsec-unoff is, all visitors! And it's all linked from there.

My kernels are small ~3.7MB vmlinuz and I don't use initrd.
If you are asking about compiling deb kernels this is listed in debian handbook.

No, that's not what I asked, you can, if you don't take me wrong, pls. don't do, reread what I asked.
See also...

But I have to post this temporarily, incomplete, else I might lose it... attacked too often lately...

Continuing. Pls read those traces linked from above that almost undeniably indicate attempted intrusions and forgive my stuttered posting :)

My config file is really for VM. This in fact is the reason why libre kernel is working on the laptop:
libre disables all firmware including my intel wireless, but in VM I set guest with virtual eth0 which is NATed to whatever connection host is making.

I did install eudev without exiting X.

That note was for other future users of eudev

This is probably advantage of VM using most common virtual hardware that do not cause problems with installed OS.

If you are looking for good secure VM try Qubes, but to take full advantage of Qubes, you will have to have specific hardware. This is on the other hand quite risky considering latest revelations about bugs in intel me.

The problem is Qubes, IIRC, can't be used without dbus, and I don't have dbus, and don't want to use it, don't trust it.... My Devuan is sans-dbus.
Else, I read about Qubes, I have their paxrat installed in my box.

I have found one way to completely remove ME (BIOS free space will go up from 1MB to 5MB), but I did not try it yet.

On my AMD64 it's PSP, not ME.
Regards!

#80 Re: Installation » OpenRC and eudev installation in Devuan ceres » 2017-12-01 22:54:39

Similar setup in my machines (I use Air-Gap cloning, so it's kind of same system on master and clones, only built in Air-Gapped)

fog wrote:

I intentionally selected the subject similar to this one:
https://dev1galaxy.org/viewtopic.php?id=1128
that is I did exactly the same as described in the topic above.
in detail:
1) updated Devuan Jesse
https://talk.devuan.org/t/upgrading-dev … -ascii/363
2) installed openrc
https://dev1galaxy.org/viewtopic.php?id=1128
and removed services I don't need

I was late on this one:

I mean, I've deployed it on two of my system only today (and a third system will be getting it via cloning).
But I have a question about this one:

fog wrote:

4) installed libre linux kernel from sources
http://linux-libre.fsfla.org/pub/linux-libre/releases/

And the question is (no time to research on my own right now): can grsec-unoff be patched onto libre linux kernel... Umhh, no! I don't think... It gets patched on the LTS 4.9.x series from kernel.org... so, at least not directly, not without modifications...

fog wrote:

compiled deb kernel streamlined for my hardware/virtualbox

I would have liked if I knew how to do that when I was trying to, months ago... But no time to research now. (But if you have quick links, I could return (at some unspecified time) later knowing where to start my research from.)

fog wrote:

When I was trying ceres a month ago system was freezing often. Now, after few hours ceres still behaves. To me this means that developers are working hard to get new Devuan ready.

Yep! :)

One useful note about eudev: exit Xorg before you install eudev. On two of my machines (with same system, though, but one never sees online: the Air-Gapped master), upon installing eudev, Xorg froze. Nothing broke in the least, and the installation continued, just I wouldn't see it but in the logs later (having grsec's exec_logging and audit_chdir enabled, I was able to know upon reboot, that it all went fine).

#81 Re: Other Issues » Fighting persistent intrusionals in Devuan (Devuan wins!) » 2017-11-25 14:53:05

I apologize to have to prolong the story I announced in this topic.

Other attacks (unconfirmed by experts following there, so pls. wait for replies in the below):

https://github.com/minipli/linux-unoffi … /issues/19
https://github.com/minipli/linux-unoffi … /issues/18
https://github.com/minipli/linux-unoffi … /issues/17
https://github.com/minipli/linux-unoffi … /issues/13

have happened in the meantime, and those, and other in links from below, took huge time for me to analyze:

https://www.croatiafidelis.hr/foss/cap/ … -RAP-Oops/

Regards!

#82 Re: Documentation » Grsecurity/Pax installation on Devuan GNU/Linux » 2017-11-16 21:22:27

There's corsac's grsecurity packages (with the new grsecunoff patches), and all the necessary recommends in Ceres.

So updating to Ceres, one can install them, probably something like:

# apt-get install linux-image-4.9.0-4-grsec-amd64

Updating to Ceres is first I'll do, and then report about it.
The news I was told on Debian Forums in the link I gave two or so posts above.

Regards!

#83 Re: Documentation » Grsecurity/Pax installation on Devuan GNU/Linux » 2017-11-16 12:35:21

cynwulf wrote:

I'm still not sure if grsec is actually worth the effort these days, especially in view of this: https://grsecurity.net/passing_the_baton.php

My views on it are in my signature. (important: the ripoff by Google, but read there spender's statement or roll back for more verbose view of mine)

i.e. in the future you'll have to pay for it...

Not in the future, you already have to pay for it. But not the unofficial-grsecurity which is completely open, and which I talk about and post packages of, since the closure of free official grsecurity.

I also wonder what exactly KSPP are trying to achieve, it seems like a talking shop at this stage.

And the attitudes of certain people, mean kernel security is never going to be anything more than a retroactive approach anyway: http://lkml.iu.edu/hypermail/linux/kern … 06228.html (nothing unusual there, it's just the usual dismissive disdain for "security people")

I also wonder what exactly KSPP are trying to achieve, it seems like a talking shop at the moment...

You do point to another... erhm...historical remark by Linus... Appreciated!

But no time for discussion here on my part, too many things to solve are on my hands instead.

The patches, I believe, are still good, the unofficial ones, but surely more testing would be needed by more people!

#84 Re: Documentation » Grsecurity/Pax installation on Devuan GNU/Linux » 2017-11-15 17:10:52

There is new patch, and new packages available:

https://www.croatiafidelis.hr/gnu/deb/l … 171114-19/

I just explained it on Debian Forums:

http://forums.debian.net/viewtopic.php? … 53#p658753

( because there was a little discussion there, so they took precedence this time )

Regards!

#85 Re: Other Issues » Fighting persistent intrusionals in Devuan (Devuan wins!) » 2017-11-06 17:56:17

This post copy-paste removed over from the below post of this topic:
OpenRC installation in Devuan Ascii
https://dev1galaxy.org/viewtopic.php?id=1128#p6015
---

fungus wrote:

Am I missing something?

In case you are referring to my post some one hour ago, not yet. You're not missing. But figure out that the SHA256 sums might be for some crypto identifying a future analysis, by starting here:

BAD sig with Devuan Jessie 1.0.0-RC
https://dev1galaxy.org/viewtopic.php?id=568
and also look up:
[ same title as above ]
https://lists.dyne.org/lurker/message/2 … 59.en.html
and try not to miss:
[ same title as above, since in the same thread ]
https://lists.dyne.org/lurker/message/2 … f4.en.html

I've worked hard, and... I can't repeat myself. See again the previous post if you are, but don't be, impatient to know, because I can't satisfy impatience here. I'm not so very advanced... Thank you.

I'll be busy in the next days, and I may even find it too hard to tell much soon at all... I've needed to even update some of my (somewhat primitive) programs on github to be able to deal with understanding the intrusion... And I'm not a wizard...

More patience, and I'll make a separate topic, once I, God willing, make it...
---
But notice that I don't want to touch the stamps on the previous post with the hashes:
https://dev1galaxy.org/viewtopic.php?id=1128#p6007
And I don't want to repost those here either, not duplicating things.

Now I got to analyze also the trace that went captured as I wrote this... I often get surprises, and very unseemly and unsavory... It often is a very demanding struggle...

Regards!

#86 Re: Installation » OpenRC installation in Devuan Ascii » 2017-11-06 17:39:58

fungus wrote:

God willing, I will be patient!

:)) Thanks!... But I'll try and move the content of my posts into, what should I call it... maybe:
Fighting persistent intrusionals in Devuan (Devuan wins!)
...
But where do I open it? There is no "Network and Security" subforum.
And it's about Devuan's strength and prowess... Soo... maybe in:
Fighting persistent intrusionals in Devuan (Devuan wins!) #already given above
https://dev1galaxy.org/viewtopic.php?id=1703

Pls. read there how much I will have to struggle, and may even not be able to complete it...

:) Regards!

#87 Other Issues » Fighting persistent intrusionals in Devuan (Devuan wins!) » 2017-11-06 17:37:19

miroR
Replies: 2

title (may change yet): Fighting persistent intrusionals in Devuan (Devuan wins!)
---
I've actually started this what I hope becomes a new topic (hopefully, I am having hard time fending off kind of... attacks, yes, although when matters more widely regarded) in:

OpenRC installation in Devuan Ascii

and I just visited there and want to move the content that don't belong in OpenRC (which works fabulously in Devuan, but YMMV)...

First: I've been working on this for about one month and a half. It is quite a few things/aspects/facts that are clearly intrusional behavior by some subjects... And I do have traces to prove it, a lot by now... And I do have where to post them. It is as usual for some people who did follow me a little, it's at:

https://www.croatiafidelis.hr/foss/cap/

likely the (at the time of this writing non-existent page):
( some title it will also have )
https://www.CroatiaFidelis.hr/foss/cap/ … -ssl-conv/

But I may suffer brutal attacks, with no brains, but with total control, before I do it... It's not excluded even a knock at the doors in the very early morning hours in Croatia, although at this time still not likely to happen to me...

So, while I promise to deliver on the story, I will as much as it depends on me, but sadly, as I explained above, it doesn't depend only on me. That said, I have a feeling that I will be able to make it, but in a longer time. The traces, the analysis, the unfinished programs that I wrote (actually improved, most of them I wrote previously, look up https://github.com/miroR), all that is a lot of work, and I'm not very advanced.

I'll try and move the content from the OpenRC topic, so it doesn't distract attention from what the matters and issues are there in that topic, next.

#88 Re: Installation » OpenRC installation in Devuan Ascii » 2017-11-04 20:07:29

fungus wrote:

Am I missing something?

In case you are referring to my post some one hour ago, not yet. You're not missing.

[ MOVED to:
Fighting persistent intrusionals in Devuan (Devuan wins!)

But I can't remove the SHA256 without becoming suspicious, no. That post further above must remain untouched...

#89 Re: Installation » OpenRC installation in Devuan Ascii » 2017-11-04 17:15:33

miroR wrote:

I'm actually quoting fungus:

fungus wrote:

...
Website
...

...
(Have issues with attempted penetration into my system, can't stay, hope to be back later to tell.)

Yep!... But please have patience. These are hard stuff... some expertise to fight to gain... Tired...
Allow time...
( BTW, pls also allow this post... Some of the admins know that I do have some understanding about network and such... The above is recent. But too much work to explain quickly, and like now with this posting, it will be way more credible. But I'll open a separate topic for it... Thank you...)

#90 Re: Installation » OpenRC installation in Devuan Ascii » 2017-10-10 12:35:44

I'm actually quoting fungus:

fungus wrote:

...
Website
...

No greek lang speaker, but glad to see more of non-systemd communities. Looking it up summarily.
(Have issues with attempted penetration into my system, can't stay, hope to be back later to tell.)

#91 Re: Documentation » Grsecurity/Pax installation on Devuan GNU/Linux » 2017-09-29 15:38:06

If I don't fix the warnings by user downloading of the new packages, the warnings are here:
https://www.croatiafidelis.hr/gnu/deb/l … 170923-22/
( but don't use those old packages )
And the packages are here:

linux-deb-4.9.52-unofficial+grsec170929-07
https://www.croatiafidelis.hr/gnu/deb/l … 170929-07/

I think it's a good kernel... Barring some tests and some research/advice that I've been seeking as per the warnings page...

#92 Re: Documentation » Grsecurity/Pax installation on Devuan GNU/Linux » 2017-09-24 13:29:37

Cleaner script available now:
https://github.com/miroR/grsec-dev1-com … /tag/v0.15
(that's what I sign, the tags, but that's latest branch in master)

Or from:
https://github.com/miroR/grsec-dev1-compile/tags

Or, of course, once you clone grsec-dev1-compile repo, the old non-GUI way. Something to this effect:

you@yr-machine:~$ git clone https://github.com/miroR/grsec-dev1-compile
Cloning into 'grsec-dev1-compile'...
remote: Counting objects: 14, done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 14 (delta 3), reused 14 (delta 3), pack-reused 0
Unpacking objects: 100% (14/14), done.
you@yr-machine:~$ cd grsec-dev1-compile/
you@yr-machine:~/grsec-dev1-compile$ git tag --list
v0.01
v0.1
v0.15
you@yr-machine:~/grsec-dev1-compile$ git tag --verify v0.15
object 888fb7a5024139f14b024eb0a2cff6bd34054d2a
type commit
tag v0.15
tagger Miroslav Rovis <miro.rovis@croatiafidelis.hr> 1506259462 +0000

comments sorted
gpg: Signature made Sun 24 Sep 2017 13:24:37 UTC
gpg:                using RSA key FCF13245ED247DCE443855B7EA9884884FBAF0AE
gpg: Good signature from "Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: FCF1 3245 ED24 7DCE 4438  55B7 EA98 8488 4FBA F0AE
you@yr-machine:~/grsec-dev1-compile$ 

I thought I'd explain this, for newbies that are still learning. Advanced users, thank you for your patience.
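
Added example (not part of the post or of the grsec-dev1-compile repository): gpg's "Good signature" line only says that some key in the local keyring made the signature, so a scripted check should also compare the signer's primary-key fingerprint with a pinned value. The sketch parses the status lines that `git verify-tag --raw` prints; the function names and sample status lines are constructed for illustration, and the pinned fingerprint is the one shown in the session above.

```shell
#!/bin/sh
# Added example, not from the post: accept a tag only when gpg reports a
# valid signature made by one pinned primary-key fingerprint.

# Fingerprint as printed by "git tag --verify v0.15" in the post above.
PINNED_FPR="FCF13245ED247DCE443855B7EA9884884FBAF0AE"

# check_status FPR: reads gpg status lines ("[GNUPG:] ...") on stdin.
# Succeeds only if a VALIDSIG line names FPR as the primary key and no line
# reports a bad, unverifiable, expired-key or revoked-key signature.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary-key fingerprint (optional in the
            # status format); field 3 is the key that made the signature.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(want)) ok = 1; else bad = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# Constructed sample: status output for a tag signed by the pinned key.
sample_pinned_key() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG EA9884884FBAF0AE (user id)
[GNUPG:] VALIDSIG FCF13245ED247DCE443855B7EA9884884FBAF0AE 2017-09-24 1506259477 0 4 0 1 8 00 FCF13245ED247DCE443855B7EA9884884FBAF0AE
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Constructed sample: an equally "good" signature made by a different key
# (placeholder fingerprint) that happens to be in the keyring.
sample_other_key() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 (other user id)
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2017-09-24 1506259477 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# verify_tag REPO TAG [FPR]: --raw makes git print gpg's status lines on
# stderr, which is redirected into the checker; stdout is discarded.
verify_tag() {
    git -C "$1" verify-tag --raw "$2" 2>&1 >/dev/null |
        check_status "${3:-$PINNED_FPR}"
}

# Usage: sh verify-pinned-tag.sh ./grsec-dev1-compile v0.15
if [ "$#" -ge 2 ]; then
    if verify_tag "$@"; then
        echo "tag $2: signed by pinned key"
    else
        echo "tag $2: REJECTED" >&2
        exit 1
    fi
fi
```

The pinned fingerprint has to reach the verifier over a channel other than the repository being checked, otherwise the comparison proves nothing.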

#93 Re: Other Issues » Strange Bash under grsecurity's exec logging » 2017-09-24 11:39:56

In case there's anybody looking more seriously into these quirks/(exploits?), the system is Asrock Extreme 4
https://www.asrock.com/mb/AMD/970%20Extreme4/
You can also find out more details at:
Use old amd64 gentoo image on new amd64 hardware, possible?
https://forums.gentoo.org/viewtopic-t-940916.html
That's when I bought those MBO's and most of the other components.

#94 Re: Documentation » Grsecurity/Pax installation on Devuan GNU/Linux » 2017-09-24 05:31:11

Those who are willing to risk somewhat, the new page with the freshly compiled packages at:

https://croatiafidelis.hr/gnu/deb/linux … 170923-22/

says it all openly.  Pls. read the big fat warning there.

IOW, at your own risk, you can try your luck and install my packages from above.

Regards!

#95 Re: Documentation » xserver-xorg-legacy in ascii » 2017-09-18 23:08:50

fsmithred wrote:

Yes, X has been running as root forever, and that only changed with stretch. I don't know the details of how systemd works with that, but the dependence of xorg on systemd also appeared with stretch.
...

The one and the other change not be of the kind to put together as similar (not saying that you are doing so).
The change with Xorg is praiseworthy (but probably came to be because the exploits went mad on Xorg...), the other change is sad as can be...
fsmithred, I just sent an email to dng mailing list (and to a few Devuaners of the thread on Xorg, one of them being you).
And then I see this documentation post...
Good! Let's wait and see if my email to DNG ML appears at:
...
Gosh! It appeared! Phew! Feeling muuuch better now :) !
Here:

Subject: Re: [DNG] upgrade from Debian stretch to Devuan ascii?
https://lists.dyne.org/lurker/message/2 … f1.en.html

Readers here, take note that it is absolutely best for security of your Devuan boxen if you manage to use Xorg the new way, not as root!

Happy :) !

#96 Re: Documentation » Grsecurity/Pax installation on Devuan GNU/Linux » 2017-09-18 13:18:13

There's great evidence (in worrying circumstances, for me) of the goodness of grsec's exec_logging and audit_chdir features at my recent investigation at:
Strange Bash under grsecurity's exec logging
https://dev1galaxy.org/viewtopic.php?id=1598

Regards!

#97 Re: Other Issues » Strange Bash under grsecurity's exec logging » 2017-09-18 13:12:38

I've posted what I promised at:
Strange script planted with Bash 2
https://www.croatiafidelis.hr/foss/cap/ … bash-2.php

I don't believe the possible issue here, and it does seem to me to be something very fishy in there... is related in particular way to Devuan, other than Devuan being a Linux, the vulnerable distro, because the good ways have been rejected because the geniuses that kept patching Mr Linux's kernel were attempted to be ripped off of their code, by Google, and likely in (but that I don't claim) with at least the approval of, if not in cahoots with, the aforesaid mister in charge...

Ah, but grsecurity has been taken the baton of by, I hope to God, competent people, one of them being our own, Devuan's own developer parazyd! I hope minipli, parazyd and friends make it... (Read about it in the link to grsec installation on Devuan below, in post(s) three days ago or so, of mine there.)

Aah...

Use grsecurity:

Grsecurity/Pax installation on Devuan GNU/Linux
https://dev1galaxy.org/viewtopic.php?id=596

It's the only hope left for Linux kernel's security...

#98 Other Issues » Strange Bash under grsecurity's exec logging » 2017-09-18 07:10:23

miroR
Replies: 3

title: Strange Bash under grsecurity's exec logging
---
I'm almost certain it will happen, because I tried it in my master Air-Gapped system which this system (same model MBO and most other hardware) is a dd'ed clone of, and very fresh: only browsed https://dev1galaxy.org/ just to send an email and to post (first or only today's post) in
Grsecurity/Pax installation on Devuan GNU/Linux
https://dev1galaxy.org/viewtopic.php?id=596
(BTW see there about what exec_logging and audit_chdir features of grsecurity are).

mr@gdOv:~$ cd src/linux-4.9.50
mr@gdOv:~/src/linux-4.9.50$

And now I type, without hitting Tab up to this point "make menucon":

mr@gdOv:~/src/linux-4.9.50$ make menucon

And, sure, I need the complete command, which is "make menuconfig". And I will next hit Tab.

But I'll run my uncenz script, but without going online, to get to the reader very clear understanding (along with the paste of the lines that will appear before viewer's eyes in the /var/log/kern.log, which is being tail'ed to the fore in the terminal on my screen in bottom left with "tail -f").

There. It's 46 seconds of mystery, for me, now... The Screen_170918_0646_gdO.mkv which I get with my uncenz (primitive) program I need to convert to be web-friendly. I'll do it with:

i=Screen_170918_0646_gdO ; ffmpeg -i ${i}.mkv -map 0:v -b:v 200k -c:v libvpx -qmin 0 -qmax 20 -crf 5 ${i}.webm

At second 28 from the start, after I moved the mouse for you to turn your attention where the logs will start to flow, in bottom left, I just, you of course don't see it, but I just hit Tab, while the cursor being positioned right after "make menucon".

Previously you saw me copy the time count of the rsyslog's line, and paste it into the prepared command line that only waited for that input, and it, upon my later hitting Enter on that command, went like this:

root@gdOv:/home/mr# echo 0 > /proc/sys/kernel/grsecurity/tpe ; echo 0 >  /proc/sys/kernel/grsecurity/tpe_restrict_all ; 
root@gdOv:/home/mr# cat /var/log/kern.log | grep -aE -A300000  12983.777942 > kern.log_$(date +%y%m%d_%H%M%S)_$(hostname)0
root@gdOv:/home/mr# ls -l kern.log_170918_064755_gdOv0 
-rw-r--r-- 1 root root 97748 2017-09-18 06:47 kern.log_170918_064755_gdOv0
root@gdOv:/home/mr# 

That's a lot of log lines, isn't it?

And here I'll post it for your perusal, in the next post.

Just, I believe in hashing and timestamping when credibility is necessary with strange events in computing. So, first, before I make the screencast available on https://www.CroatiaFidelis.hr, as well as the kern.log_170918_064755_gdOv0 created above, here's their hashes:

f687eb6412b9880eb5bffe076671e942f2eaa061344dac25e1c88d762138ec8b  Screen_170918_0646_gdO.webm
1d3b3ba803567142c01b9014d9d509802781b31397509950d98a7fa79ce76cfc  kern.log_170918_064755_gdOv0

Till the next post.

#99 Re: Documentation » Grsecurity/Pax installation on Devuan GNU/Linux » 2017-09-18 03:45:14

This explanation is missing (due to political, and even criminal --morally so-- reasons grsec is not in widespread use [1]):

mr@gdOv:~$ sudo -s
[sudo] password for root: 
root@gdOv:/home/mr# ls -l /proc/sys/kernel/grsecurity/^C
root@gdOv:/home/mr# echo 0 > /proc/sys/kernel/grsecurity/exec_logging ; echo 0 > /proc/sys/kernel/grsecurity/audit_chdir ; 
root@gdOv:/home/mr# echo 1 > /proc/sys/kernel/grsecurity/exec_logging ; echo 1 > /proc/sys/kernel/grsecurity/audit_chdir ; 
root@gdOv:/home/mr# echo 0 > /proc/sys/kernel/grsecurity/tpe ; 
tpe               tpe_gid           tpe_restrict_all  
root@gdOv:/home/mr# cat /proc/sys/kernel/grsecurity/tpe ; 
1
root@gdOv:/home/mr# cat /proc/sys/kernel/grsecurity/tpe_restrict_all ; 
1
root@gdOv:/home/mr# echo 0 > /proc/sys/kernel/grsecurity/tpe ; echo 0 >  /proc/sys/kernel/grsecurity/tpe_restrict_all ; 
root@gdOv:/home/mr# 

The setting to disable exec_logging with "echo 0", and likewise the setting to disable audit_chdir is if you compile with exec_logging and audit_chdir. Enable it again with the "echo 1 ..." line.

Currently, and I don't know why, the tpe ([T]rusted [P]ath [E]xecution, pls. read in the kernel help when you issue "menu makeconfig" about it), just does not work right in Devuan/Debian/Ubuntu. E.g. I couldn't run any scripts from /usr/local/bin because of it. So, disabling it with issuing the two "echo 0 ..." lines.

---
[1] Pls. see my sig for that... BTW, my current sig links to:
https://forums.grsecurity.net/viewtopic … 699#p17127
https://lists.dyne.org/lurker/message/2 … 4b.en.html
in case that should change in the future.

#100 Re: Documentation » Grsecurity/Pax installation on Devuan GNU/Linux » 2017-09-15 14:29:14

One important note for users new to grsecurity is kind of urgent...
You will get, by default, huge logs.
It's because of these:

# grep -E 'GRKERNSEC' /boot/config-4.9.50-unofficial+grsec170915-04  | grep -E 'EXECLOG|AUDIT_CH'
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y

( well, not the chroot in all cases, but the other two, yes! because of those )

So, if you don't want to have to cope with all that huge info, then when you are offered by the script that you downloaded from https://github.com/miroR/grsec-dev1-compile to modify your .config, i.e. when it reaches to make menuconfig, set those to: =n, and you won't have the deluge.

However, those are great logging information. I can with certainty say that my Gentoo was attacked, because the logs say so (and you don't get such with anything but grsecurity):
https://croatiafidelis.hr/foss/cap/cap- … ange-bash/
https://lists.gt.net/gentoo/user/325985#325985

Regards!
