Grsecurity/Pax installation on Devuan GNU/Linux

miroR · 2017-05-13 00:53:55

This is a placeholder. I managed to do it, and I need the link before I go to sleep.
(
I'll be posting from Devuan, but my Mutt is only in Gentoo yet, and the link I need for this thread:
unoffic-grsec 4.9.27 kernel compile, one last hurdle
https://lists.dyne.org/lurker/message/2 … 31.en.html [1]
where I need to send an email to, just next... --and then go to sleep, so tired, but so happy!--
)
---
[1] EDIT: Unfortunately, Devuan DNG Mailing List appears to (currently) scrub all attachments. Another mail archive to the rescue! Pls., for now, advanced users can find useful tips if they study esp. this attachment:
grsec-dev1-compile.sh.gz
which is part of this email:
unoffic-grsec 4.9.27 kernel compile, one last hurdle
(which is the same email as in Devuan DNG ML, just the attachments are available)
(of course I hope that condition will be fixed in Devuan DNG; I did write a report --or here-- about it)

Last edited by miroR (2017-05-14 05:42:22)

miroR · 2017-05-14 05:47:07

I successfully compiled grsecurity for my Gentoo, and also for my Devuan, from that git repo that you can read in that emal (on either location):
...grsec, unofficial, by minipli
https://github.com/minipli/linux-unoffi … cial_grsec

I have then used paxrat, which I haven't found in Devuan (could be my lack of understanding):

https://packages.debian.org/sid/paxrat

installed it:

# dpkg -i <the-package>

applied it, and now I browse and am posting this with Iceweasel.

$ uname -a
Linux localhost 4.9.27-unofficial+grsec170512-22 #1 SMP PREEMPT Fri May 12 22:33:08 UTC 2017 x86_64 GNU/Linux
$

Last edited by miroR (2017-05-14 05:48:14)

miroR · 2017-09-15 13:58:07

Pls., find all in the script at:
https://github.com/miroR/grsec-dev1-compile
There is the config, with all modules just as the usual Devuan/Debian kernels at:
https://croatiafidelis.hr/gnu/deb/ (all there old, just the:
https://croatiafidelis.hr/gnu/deb/confi … l+grsec.gz
and
https://croatiafidelis.hr/gnu/deb/confi … +grsec.sig
are new)
but all is now much closer for even newbies.
Will try and post more about it, in the next post(s)...

Last edited by miroR (2017-09-15 14:06:29)

miroR · 2017-09-15 14:01:44

Really good news [1].
E.g.:
A paravirt RAP violation got fixed as well:
https://twitter.com/_minipli/status/907226600244219904

And that's Devuan's own Parazyd contributing there

Yet more to say, but no more time. Learn (if you need to), and of course: enjoy!
---
[1] Well, the level of the geniuses spender and PaX Team was too high for even Linus the Mr. Linux guy... But Minipli, parazyd and friends seem to be doing well...
I have been using minipli's unofficial-grsec since around the time of creation of the repo, and I for one, can tell you it is good, it protected me well!!

Last edited by miroR (2017-09-15 14:05:27)

miroR · 2017-09-15 14:29:14

One important note for users new to grsecurity is kind of urgent...
You will get, by default, huge logs.
It's because of these:

# grep -E 'GRKERNSEC' /boot/config-4.9.50-unofficial+grsec170915-04  | grep -E 'EXECLOG|AUDIT_CH'
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y

( well, not the chroot in all cases, but the other two, yes! because of those )

So, if you don't want to have to cope with all that huge info, then when you are offered by the script that you downloaded from https://github.com/miroR/grsec-dev1-compile to modify you .config[/config, i.e. when it reaches to make menuconfig, set those to: =n, and you won't have the deluge.

However, those are great logging information. I can with certainty say that my Gentoo was attacked, because the logs say so (and you don't get such with anything but grsecurity):
https://croatiafidelis.hr/foss/cap/cap- … ange-bash/
https://lists.gt.net/gentoo/user/325985#325985

Regards!

miroR · 2017-09-18 03:45:14

This explanation is missing (due to political, and even criminal --morally so-- reasons grsec is not in widespread use [1]):

mr@gdOv:~$ sudo -s
[sudo] password for root: 
root@gdOv:/home/mr# ls -l /proc/sys/kernel/grsecurity/^C
root@gdOv:/home/mr# echo 0 > /proc/sys/kernel/grsecurity/exec_logging ; echo 0 > /proc/sys/kernel/grsecurity/audit_chdir ; 
root@gdOv:/home/mr# echo 1 > /proc/sys/kernel/grsecurity/exec_logging ; echo 1 > /proc/sys/kernel/grsecurity/audit_chdir ; 
root@gdOv:/home/mr# echo 0 > /proc/sys/kernel/grsecurity/tpe ; 
tpe               tpe_gid           tpe_restrict_all  
root@gdOv:/home/mr# cat /proc/sys/kernel/grsecurity/tpe ; 
1
root@gdOv:/home/mr# cat /proc/sys/kernel/grsecurity/tpe_restrict_all ; 
1
root@gdOv:/home/mr# echo 0 > /proc/sys/kernel/grsecurity/tpe ; echo 0 >  /proc/sys/kernel/grsecurity/tpe_restrict_all ; 
root@gdOv:/home/mr#

The setting to disable exec_logging with "echo 0", and likewise the setting to disable of audit_chdir is if you compile with exec_logging and audit_chdir. Enable it again with the "echo 1 ..." line.

Currently, and I don't know why, the tpe ([T]rusted [P]ath [E]xecution, pls. read in the kernel help when you issue "menu makeconfig" about it), just does not work right in Devuan/Debian/Ubuntu. E.g. I couldn't run any scripts from /usr/local/bin because of it. So, disabling it with issuing the two "echo 0 ..." lines.

---
[1] Pls. see my sig for that... BTW, my current sig links to:
https://forums.grsecurity.net/viewtopic … 699#p17127
https://lists.dyne.org/lurker/message/2 … 4b.en.html
in case that should change in the future.

Last edited by miroR (2017-09-18 03:47:56)

miroR · 2017-09-18 13:18:13

There's great evidence (in worrying circumstances, for me) of the goodness of grsec's exec_logging and audit_chdir features at my recent investigation at:
Strange Bash under grsecurity's exec logging
https://dev1galaxy.org/viewtopic.php?id=1598

Regards!

Last edited by miroR (2017-09-18 14:48:26)

miroR · 2017-09-24 05:31:11

Those who are willing to risk somewhat, the new page with the freshly compiled packages at:

https://croatiafidelis.hr/gnu/deb/linux … 170923-22/

says it all openly. Pls. read the big fat warning there.

IOW, at your own risk, you can try your luck and install my packages from above.

Regards!

miroR · 2017-09-24 13:29:37

Cleaner script available now:
https://github.com/miroR/grsec-dev1-com … /tag/v0.15
(that's what I sign, the tags, but that's latest branch in master)

Or from:
https://github.com/miroR/grsec-dev1-compile/tags

Or, of course, once you clone grsec-dev1-compile repo, the old non-GUI way. Something to this effect:

you@yr-machine:~$ git clone https://github.com/miroR/grsec-dev1-compile
Cloning into 'grsec-dev1-compile'...
remote: Counting objects: 14, done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 14 (delta 3), reused 14 (delta 3), pack-reused 0
Unpacking objects: 100% (14/14), done.
you@yr-machine:~$ cd grsec-dev1-compile/
you@yr-machine:~/grsec-dev1-compile$ git tag --list
v0.01
v0.1
v0.15
you@yr-machine:~/grsec-dev1-compile$ git tag --verify v0.15
object 888fb7a5024139f14b024eb0a2cff6bd34054d2a
type commit
tag v0.15
tagger Miroslav Rovis <miro.rovis@croatiafidelis.hr> 1506259462 +0000

comments sorted
gpg: Signature made Sun 24 Sep 2017 13:24:37 UTC
gpg:                using RSA key FCF13245ED247DCE443855B7EA9884884FBAF0AE
gpg: Good signature from "Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: FCF1 3245 ED24 7DCE 4438  55B7 EA98 8488 4FBA F0AE
you@yr-machine:~/grsec-dev1-compile$

I thought I'd explain this, for newbies that are still learning. Advanced users, thank you for your patience.

Last edited by miroR (2017-09-24 13:46:20)

miroR · 2017-09-29 15:38:06

If I don't fix the warnings by user downloading of the new packages, the warnings are here;
https://www.croatiafidelis.hr/gnu/deb/l … 170923-22/
( but don't use those old packages )
And the packages are here:

linux-deb-4.9.52-unofficial+grsec170929-07
https://www.croatiafidelis.hr/gnu/deb/l … 170929-07/

I think it's a good kernel... Barring some tests and some research/advice that I've been seeking as per the warnings page...

miroR · 2017-11-15 17:10:52

There is new patch, and new packages available:

https://www.croatiafidelis.hr/gnu/deb/l … 171114-19/

I just explained it on Debian Forums:

http://forums.debian.net/viewtopic.php? … 53#p658753

( because there was a little discussion there, so they took precedence this time )

Regards!

cynwulf · 2017-11-16 09:37:43

I'm still not sure if grsec is actually worth the effort these days, especially in view of this: https://grsecurity.net/passing_the_baton.php

i.e. in the future you'll have to pay for it...

I also wonder what exactly KSPP are trying to achieve, it seems like a talking shop at this stage.

And the attitudes of certain people, mean kernel security is never going to be anything more than a retroactive approach anyway: http://lkml.iu.edu/hypermail/linux/kern … 06228.html (nothing unusual there, it's just the usual dismissive disdain for "security people")

I also wonder what exactly KSPP are trying to achieve, it seems like a talking shop at the moment...

miroR · 2017-11-16 12:35:21

cynwulf wrote:

I'm still not sure if grsec is actually worth the effort these days, especially in view of this: https://grsecurity.net/passing_the_baton.php

My views on it are in my signature. (important: the ripoff by Google, but read there spender's statement or roll back for more verbose view of mine

i.e. in the future you'll have to pay for it...

Not in the future, you already have to pay for it. But not the unofficial-grsecurity which is completely open, and which I talk about and post packages of, since the closure of free official grsecurity.

I also wonder what exactly KSPP are trying to achieve, it seems like a talking shop at this stage.
And the attitudes of certain people, mean kernel security is never going to be anything more than a retroactive approach anyway: http://lkml.iu.edu/hypermail/linux/kern … 06228.html (nothing unusual there, it's just the usual dismissive disdain for "security people")
I also wonder what exactly KSPP are trying to achieve, it seems like a talking shop at the moment...

You do point to another... erhm...historical remark by Linus... Appreciated!

But no time for discussion here on my part, too many things to solve are on my hands instead.

The patches, I believe, are still good, the unofficial ones, but surely more testing would be needed by more people!

Last edited by miroR (2017-11-16 12:45:40)

miroR · 2017-11-16 21:22:27

There's corsac's grsecurity packages (with the new grsecunoff patches, and all the necessary recommends in Ceres.

So updating to Ceres, one can install them, probably something like:

# apt-get install linux-image-4.9.0-4-grsec-amd64

Updating to Ceres is first I'll do, and then report about it.
The news I was told on Debian Forums in the llink I gave two or so posts above.

Regards!

Last edited by miroR (2017-11-16 21:23:43)

miroR · 2017-12-10 01:56:04

I've decided to offer packages that, according to the latest realization --but that may change, therefore the warning in the download page--:

NULL pointer deref in do_blockdev_direct_IO()
https://github.com/minipli/linux-unoffi … -350482590

protect my system, while the vanilla kernel does not.

Pls. feel free to test:

https://croatiafidelis.hr/gnu/deb/linux … 171209-20/

miroR · 2017-12-21 07:31:39

4.9.70 under:
https://www.croatiafidelis.hr/gnu/deb/l … c-current/
(i.e. https://www.croatiafidelis.hr/gnu/deb/l … 171220-11/ )
For those who verify, ls-1.sum.asc is missing. Busy, but it's coming later.
EDIT 2017-12-21 09:30:44+00:00, there now:
https://www.croatiafidelis.hr/gnu/deb/l … -1.sum.asc

Last edited by miroR (2017-12-21 09:30:28)

miroR · 2017-12-29 11:43:46

New grsecunoff kernel is available for the brave:
https://www.croatiafidelis.hr/gnu/deb/l … 171228-16/

Last edited by miroR (2017-12-29 11:45:02)

golinux · 2017-12-29 17:04:46

Wishing you a happy new year MiroR. And everyone else too of course . . .

miroR · 2017-12-29 17:31:05

golinux wrote:

Wishing you a happy new year MiroR. And everyone else too of course . . .

Thanks! To everyone Happy New Year (and Merry Xmas for those who wish)!

Last edited by miroR (2017-12-29 17:31:24)

miroR · 2018-02-04 07:41:43

Retpoline-patched grsecunoff (AMD, butno meltdown protection yet for Intel) available under the "current" link, or:
https://www.croatiafidelis.hr/gnu/deb/l … 180203-22/

miroR · 2018-02-06 05:30:43

It might be worth trying (and reporting if you can install and load amd64-microcode with):
https://www.croatiafidelis.hr/gnu/deb/l … 180204-21/
Pls. read there, and the links, for the details.

miroR · 2018-06-01 11:50:35

The:
https://www.croatiafidelis.hr/gnu/deb/l … c-current/
now points to:
https://www.croatiafidelis.hr/gnu/deb/l … 180601-06/
That is the kernel package for Debian/Devuan that _may_ be worth trying out, bearing in mind the caveats of Dapper Linux patchset:
https://dapperlinux.com/
I.e. no meltdown protection, no spectre protection, currently no retpoline.

However, all the othe usual protection that grsec offered are there. And the kernel is up to date.

I am testing that kernel right now, it appears to be fine.

If you want to use it, pls. see previous posts, there are a lot of info how to dowload it, how to verify it, etc.

Regards!

miroR · 2018-06-01 13:29:13

The offered packages in the previous post (no issues have I had so far) are for any system hardware (well: x86_64 arch only).

The best way is surely, to compile. Nothing wrong with the other option. It's only that tailoring the compiled kernel for only your hardware reduces the huge attack surface.

While Dapper Secure Kernel Patchset (
https://github.com/dapperlinux/dapper-s … e/releases
) is still grsecurity, my script for newbies has changed to help new GNU-Debianers/Devuaners who want to look into kernel compiling.

So pls. look up:

https://github.com/miroR/grsec-dapper-compile/

I'm not sure, you might need to get dapper-linux PGP key from:

https://dapperlinux.com/contact.html
https://dapperlinux.com/matthew_gpg_public_key.asc

Regards!

Last edited by miroR (2018-06-01 13:30:35)

miroR · 2018-07-11 12:28:24

New stable packages:
https://www.croatiafidelis.hr/gnu/deb/l … 180710-21/
( https://www.croatiafidelis.hr/gnu/deb/l … c-current/ )
Any difficulty installing, pls. review previous long posts... (I'm probably too short on time currently)

miroR · 2018-07-27 18:01:14

https://www.croatiafidelis.hr/gnu/deb/l … 180727-10/ (under https://www.croatiafidelis.hr/gnu/deb/l … -current/)
Tested on three machines (but MBO are of only two kinds). No issues.
Refer to previous post for tips if needed.

The officially official Devuan Forum!

#1 2017-05-13 00:53:55

Grsecurity/Pax installation on Devuan GNU/Linux

#2 2017-05-14 05:47:07

Re: Grsecurity/Pax installation on Devuan GNU/Linux

#3 2017-09-15 13:58:07

Re: Grsecurity/Pax installation on Devuan GNU/Linux

#4 2017-09-15 14:01:44

Re: Grsecurity/Pax installation on Devuan GNU/Linux

#5 2017-09-15 14:29:14

Re: Grsecurity/Pax installation on Devuan GNU/Linux

#6 2017-09-18 03:45:14

Re: Grsecurity/Pax installation on Devuan GNU/Linux

#7 2017-09-18 13:18:13

Re: Grsecurity/Pax installation on Devuan GNU/Linux

#8 2017-09-24 05:31:11

Re: Grsecurity/Pax installation on Devuan GNU/Linux

#9 2017-09-24 13:29:37

Re: Grsecurity/Pax installation on Devuan GNU/Linux

#10 2017-09-29 15:38:06

Re: Grsecurity/Pax installation on Devuan GNU/Linux

#11 2017-11-15 17:10:52

Re: Grsecurity/Pax installation on Devuan GNU/Linux

#12 2017-11-16 09:37:43

Re: Grsecurity/Pax installation on Devuan GNU/Linux

#13 2017-11-16 12:35:21

Re: Grsecurity/Pax installation on Devuan GNU/Linux

#14 2017-11-16 21:22:27

Re: Grsecurity/Pax installation on Devuan GNU/Linux

#15 2017-12-10 01:56:04

Re: Grsecurity/Pax installation on Devuan GNU/Linux

#16 2017-12-21 07:31:39

Re: Grsecurity/Pax installation on Devuan GNU/Linux

#17 2017-12-29 11:43:46

Re: Grsecurity/Pax installation on Devuan GNU/Linux

#18 2017-12-29 17:04:46

Re: Grsecurity/Pax installation on Devuan GNU/Linux

#19 2017-12-29 17:31:05

Re: Grsecurity/Pax installation on Devuan GNU/Linux

#20 2018-02-04 07:41:43

Re: Grsecurity/Pax installation on Devuan GNU/Linux

#21 2018-02-06 05:30:43

Re: Grsecurity/Pax installation on Devuan GNU/Linux

#22 2018-06-01 11:50:35

Re: Grsecurity/Pax installation on Devuan GNU/Linux

#23 2018-06-01 13:29:13

Re: Grsecurity/Pax installation on Devuan GNU/Linux

#24 2018-07-11 12:28:24

Re: Grsecurity/Pax installation on Devuan GNU/Linux

#25 2018-07-27 18:01:14

Re: Grsecurity/Pax installation on Devuan GNU/Linux

Board footer