The officially official Devuan Forum!

You are not logged in.

#1 2017-05-13 00:53:55

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 123
Website

Grsecurity/Pax installation on Devuan GNU/Linux

This is a placeholder. I managed to do it, and I need the link before I go to sleep.
(
I'll be posting from Devuan, but my Mutt is only in Gentoo yet, and the link I need for this thread:
unoffic-grsec 4.9.27 kernel compile, one last hurdle
https://lists.dyne.org/lurker/message/2 … 31.en.html [1]
where I need to send an email to, just next... --and then go to sleep, so tired, but so happy!--
)
---
[1] EDIT: Unfortunately, Devuan DNG Mailing List appears to (currently) scrub all attachments. Another mail archive to the rescue! Pls., for now, advanced users can find useful tips if they study esp. this attachment:
grsec-dev1-compile.sh.gz
which is part of this email:
unoffic-grsec 4.9.27 kernel compile, one last hurdle
(which is the same email as in Devuan DNG ML, just the attachments are available)
(of course I hope that condition will be fixed in Devuan DNG; I did write a report --or here-- about it)

Last edited by miroR (2017-05-14 05:42:22)


Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html

Offline

#2 2017-05-14 05:47:07

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 123
Website

Re: Grsecurity/Pax installation on Devuan GNU/Linux

I successfully compiled grsecurity for my Gentoo, and also for my Devuan, from that git repo that you can read in that emal (on either location):
...grsec, unofficial, by minipli
https://github.com/minipli/linux-unoffi … cial_grsec

I have then used paxrat, which I haven't found in Devuan (could be my lack of understanding):

https://packages.debian.org/sid/paxrat

installed it:

# dpkg -i <the-package>

applied it, and now I browse and am posting this with Iceweasel.

$ uname -a
Linux localhost 4.9.27-unofficial+grsec170512-22 #1 SMP PREEMPT Fri May 12 22:33:08 UTC 2017 x86_64 GNU/Linux
$

Last edited by miroR (2017-05-14 05:48:14)


Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html

Offline

#3 2017-09-15 13:58:07

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 123
Website

Re: Grsecurity/Pax installation on Devuan GNU/Linux

Pls., find all in the script at:
https://github.com/miroR/grsec-dev1-compile
There is the config, with all modules just as the usual Devuan/Debian kernels at:
https://croatiafidelis.hr/gnu/deb/ (all there old, just the:
https://croatiafidelis.hr/gnu/deb/confi … l+grsec.gz
and
https://croatiafidelis.hr/gnu/deb/confi … +grsec.sig
are new)
but all is now much closer for even newbies.
Will try and post more about it, in the next post(s)...

Last edited by miroR (2017-09-15 14:06:29)


Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html

Offline

#4 2017-09-15 14:01:44

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 123
Website

Re: Grsecurity/Pax installation on Devuan GNU/Linux

Really good news [1].
E.g.:
A paravirt RAP violation got fixed as well:
https://twitter.com/_minipli/status/907226600244219904

And that's Devuan's own Parazyd contributing there smile

Yet more to say, but no more time. Learn (if you need to), and of course: enjoy!
---
[1] Well, the level of the geniuses spender and PaX Team was too high for even Linus the Mr. Linux guy... But Minipli, parazyd and friends seem to be doing well...
I have been using minipli's unofficial-grsec since around the time of creation of the repo, and I for one, can tell you it is good, it protected me well!!

Last edited by miroR (2017-09-15 14:05:27)


Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html

Offline

#5 2017-09-15 14:29:14

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 123
Website

Re: Grsecurity/Pax installation on Devuan GNU/Linux

One important note for users new to grsecurity is kind of urgent...
You will get, by default, huge logs.
It's because of these:

# grep -E 'GRKERNSEC' /boot/config-4.9.50-unofficial+grsec170915-04  | grep -E 'EXECLOG|AUDIT_CH'
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y

( well, not the chroot in all cases, but the other two, yes! because of those )

So, if you don't want to have to cope with all that huge info, then when you are offered by the script that you downloaded from https://github.com/miroR/grsec-dev1-compile to modify you .config[/config, i.e. when it reaches to make menuconfig, set those to:  =n, and you won't have the deluge.

However, those are great logging information. I can with certainty say that my Gentoo was attacked, because the logs say so (and you don't get such with anything but grsecurity):
https://croatiafidelis.hr/foss/cap/cap- … ange-bash/
https://lists.gt.net/gentoo/user/325985#325985

Regards!


Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html

Offline

#6 2017-09-18 03:45:14

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 123
Website

Re: Grsecurity/Pax installation on Devuan GNU/Linux

This explanation is missing (due to political, and even criminal --morally so-- reasons grsec is not in widespread use [1]):

mr@gdOv:~$ sudo -s
[sudo] password for root: 
root@gdOv:/home/mr# ls -l /proc/sys/kernel/grsecurity/^C
root@gdOv:/home/mr# echo 0 > /proc/sys/kernel/grsecurity/exec_logging ; echo 0 > /proc/sys/kernel/grsecurity/audit_chdir ; 
root@gdOv:/home/mr# echo 1 > /proc/sys/kernel/grsecurity/exec_logging ; echo 1 > /proc/sys/kernel/grsecurity/audit_chdir ; 
root@gdOv:/home/mr# echo 0 > /proc/sys/kernel/grsecurity/tpe ; 
tpe               tpe_gid           tpe_restrict_all  
root@gdOv:/home/mr# cat /proc/sys/kernel/grsecurity/tpe ; 
1
root@gdOv:/home/mr# cat /proc/sys/kernel/grsecurity/tpe_restrict_all ; 
1
root@gdOv:/home/mr# echo 0 > /proc/sys/kernel/grsecurity/tpe ; echo 0 >  /proc/sys/kernel/grsecurity/tpe_restrict_all ; 
root@gdOv:/home/mr# 

The setting to disable exec_logging with "echo 0", and likewise the setting to disable of audit_chdir is if you compile with exec_logging and audit_chdir. Enable it again with the "echo 1 ..." line.

Currently, and I don't know why, the tpe  ([T]rusted [P]ath [E]xecution, pls. read in the kernel help when you issue "menu makeconfig" about it), just does not work right in Devuan/Debian/Ubuntu. E.g. I couldn't run any scripts from /usr/local/bin because of it. So, disabling it with issuing the two "echo 0 ..." lines.

---
[1] Pls. see my sig for that... BTW, my current sig links to:
https://forums.grsecurity.net/viewtopic … 699#p17127
https://lists.dyne.org/lurker/message/2 … 4b.en.html
in case that should change in the future.

Last edited by miroR (2017-09-18 03:47:56)


Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html

Offline

#7 2017-09-18 13:18:13

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 123
Website

Re: Grsecurity/Pax installation on Devuan GNU/Linux

There's great evidence (in worrying circumstances, for me) of the goodness of grsec's exec_logging and audit_chdir features at my recent investigation at:
Strange Bash under grsecurity's exec logging
https://dev1galaxy.org/viewtopic.php?id=1598

Regards!

Last edited by miroR (2017-09-18 14:48:26)


Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html

Offline

Board footer