The hardened Linux thread

Discussion in 'all things UNIX' started by J_L, Aug 23, 2015.

  1. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Hehehehe. You're welcome. No problem :thumb:

    What Desktop Environment do you use? With NetworkManager you can easily manage and connect to tons of VPN's.

    On Parabola you could do:

    Code:
    # systemctl disable dhcpcd
    # systemctl enable NetworkManager
    # pacman -S networkmanager-openvpn
    # systemctl stop dhcpcd
    # systemctl start NetworkManager
    Then you'll have the following:
    https://i.imgur.com/0wNLDdj.png
    Note: I added my autistici VPN manually.
     
  2. Balthazar

    Balthazar Registered Member

    Joined:
    Nov 8, 2013
    Posts:
    166
    Location:
    Earth
    I am using Xfce4 and connecting to my VPN manually is working fine. It's working like you explained. It's just that I am a little lazy regarding iptables and other rulesets. Air is one of the VPNs I am using and the client is working perfectly. In Parabola I have to use the portable version which needs root privileges at startup.

    I think I'll figure it out reading more about the whole subject.
     
  3. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I understand. However, in this case I would recommend uMatrix which allows for a very granular control and which is a combination of Noscript + RequestPolicy on steroids.

    Another question regarding Grsec and PaX: I had tried the linux-grsec kernel in Arch (not the LTS one, though) in the past but didn't succeed in running VirtualBox (sometimes I still need Windows for special purposes - sigh). VirtualBox wouldn't even start and would freeze the whole system. Are you using VirtualBox under linux-grsec, and if so - how did you do that?
     
  4. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Meh :p I tried uMatrix and didn't like it a bit. Even if I set it to deny everything, it wouldn't deny everything :eek:

    You should try starting VirtualBox via the terminal to see what the exact output is, and if some "permission denied" messages appear then you know you have to set one or more PaX exception flags for it.

    https://wiki.archlinux.org/index.php/Pax

    Remember, don't start giving "pemrs" permissions right away, because this is how executables are handled if "kernel.pax.softmode" is set to "1" (meaning all mitigations are off and opt-in). Most problematic executables can be allowed under "kernel.pax.softmode=0" by giving the executables the following permission: "m".

    Remember that uppercase letters (PEMRS) mean mitigations are ON; and lowercase letters (pemrs) mean mitigations are OFF.

    No, I only run 100% Free Software. Well, 99.999%, because the default Linux kernel has binary firmware blobs, and unfortunately I need one of them.

    For the programs that are problematic under Grsec + PaX I just set the "m" exception flag, usually on "/usr/bin/problematic_binary". If that doesn't work I try the "e" flag as well.
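    As an added example (not code from the post or from the grsecurity/PaX project), the script below models the marking rule the post describes: an uppercase letter forces a mitigation on for that binary, a lowercase letter forces it off, and a letter that is absent follows kernel.pax.softmode (on by default when softmode=0, off by default when softmode=1). The letter-to-mitigation mapping P/E/M/R/S and the "m then e" escalation order are taken from the post and the Arch wiki page linked above; the helper names are this example's own.

```shell
#!/bin/sh
# Added example for this thread, not code from the post or the PaX project.
# Per-binary marking semantics as described in the post:
#   uppercase letter = mitigation forced ON for the binary
#   lowercase letter = mitigation forced OFF for the binary
#   letter absent    = kernel default: ON when kernel.pax.softmode=0,
#                      OFF when kernel.pax.softmode=1
# Letters: P=PAGEEXEC  E=EMUTRAMP  M=MPROTECT  R=RANDMMAP  S=SEGMEXEC

# pax_effective MARKING SOFTMODE
#   prints the effective state of each mitigation, e.g. "P=on E=on M=off R=on S=on"
pax_effective() {
    marking=$1
    softmode=$2
    result=""
    for upper in P E M R S; do
        lower=$(printf '%s' "$upper" | tr 'A-Z' 'a-z')
        case "$marking" in
            *"$upper"*) state=on ;;    # explicitly enabled
            *"$lower"*) state=off ;;   # explicitly disabled
            *) if [ "$softmode" = 1 ]; then state=off; else state=on; fi ;;
        esac
        result="$result$upper=$state "
    done
    printf '%s\n' "${result% }"
}

# pax_marking_too_broad MARKING
#   returns 0 (and names the letters) when the marking switches off more than
#   the usual "m" and "e" exceptions, 1 otherwise. A blanket "pemrs" under
#   softmode=0 turns every mitigation off for that one binary.
pax_marking_too_broad() {
    extra=$(printf '%s' "$1" | tr -d 'mePEMRS')
    if [ -n "$extra" ]; then
        printf 'disables more than m/e: %s\n' "$extra"
        return 0
    fi
    return 1
}

# Demo: the same marking under both softmode settings.
for marking in "" m em pemrs PEMRS; do
    printf 'marking "%-5s" softmode=0 -> %s\n' "$marking" "$(pax_effective "$marking" 0)"
    printf 'marking "%-5s" softmode=1 -> %s\n' "$marking" "$(pax_effective "$marking" 1)"
done
pax_marking_too_broad pemrs
```

    The demo loop makes the post's warning concrete: "m" under softmode=0 relaxes only MPROTECT, while the same "m" under softmode=1 leaves everything off because nothing is opted in; "pemrs" under softmode=0 is equivalent to running that binary with no PaX at all.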
     
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    What :confused: You're really the first user reporting this. Please be informed that uMatrix is written by gorhill who is also the author of uBlock O.


    Actually I had these problems without installing Pax (just to make sure that that one is not the culprit).
     
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    It just came to my mind that this might be related to the fact that in the 1st-party row all 1st-party requests are allowed by default to make it easier for newbies. However, this can be easily changed: Select the global scope in uMatrix, un-whitelist the respective cells in the 1st-party row, save those changes by clicking the padlock and switch back to the domain-specific scope. Now scripts, XHR etc. are blocked everywhere. A good (but very incomplete) starter is this one, most of the documentation for the predecessor HTTP Switchboard still applies.
     
  7. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    I've tried installing Alpine which had grsecurity in their kernel by default and have hit brick walls every time. I know grsec is the way to go though so I keep looking at it. If there was a distro that was as easy to install as Ubuntu or Fedora that had GrSec built into it I would start using it today.

    What company is behind the meltdown at GRsec?

    http://www.theregister.co.uk/2015/08/27/grsecurity/

    The gurus behind the popular and respected Linux kernel hardening service Grsecurity have decided to stop providing support for its stable offering.

    Patches will be ceased in the next two weeks in response to an expensive and lengthy court case between the small outfit and a “multi-billion dollar” corporation which it says flagrantly infringed its trademark.

    Grsecurity man Brad Spengler says he has “had enough” of the embedded device industry ripping off his company's efforts, trashing its trademarks and breaching the GPL, without donating “a single dime”.
     
  8. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Desktop Linux does have that advantage to an extent.

    You're welcome.

    I only added VirusTotal as an option for those "adventurous ones" who don't want the hassle of setting up FireJail and whatnot...

    Thank you for sharing your setup!
     
  9. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Timely thread, thanks. I'd just been getting all excited by the fairly recent work on Debian desktop releases with Grsecurity/PAX, and combining that with a little RBAC and Firejail. And the work of the Mempo team at:
    https://rawgit.com/mempo/mempo-websites/master/mempo-main/html/index.html
    This link describes a setup for a Live Debian grsec and firejail setup:
    https://fatemachine.github.io/live-armor/
    I've been having some pretty good times with Firejail, which I like a lot, and have applied it (on various Debian/Ubuntu distros) with ease of use to a variety of applications.

    But then I read the news above regarding Grsecurity, and am unclear about the implications - is anyone able to interpret what the fallout from that will be?
     
  10. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Some of the Mempo links such as http://deb.mempo.org/ end up at TiguSoft which is a Polish website. Are they Mempo?
     
  11. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Yes, I was well confused by that. I don't think it's anything sinister, I think one of the lead mempo developers "lives" there.
    In any case, mempo's objectives are well more than "just" grsecurity/pax on debian, but the good news is that the work so far has brought grsec/pax somewhat closer into the debian fold so that the build scripts for repeatable deb production are tested, documented and supported, avoiding much wasted time.
    But I'm still bemused by the news you linked above, and what the upshot would be for projects of that sort.
    I'd certainly be in the market for some kind of subscription to a desktop Linux environment with grsec/pax + firejail built in and supported with updates, and maybe this is the kind of route-to-money that is needed in this environment since it appears that the gorillas won't play nice.
     
  12. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    Add TOMOYO to the list. I have been playing with it recently. It looks easier and more powerful than AppArmor. More powerful in the sense that profiles can be created for the whole system and it can also be used purely as a system analysis tool. Don't know why this has not seen any widespread usage even though it is very intuitive. I have created a very restrictive profile for Iceweasel where not even downloads are allowed! That's desirable because it's in a VM only used for browsing. In case anybody is interested here is the official page. They have very readable and easy-to-understand documentation.
    http://tomoyo.osdn.jp/index.html.en

    As a system analysis tool I saw unconfined Iceweasel creating various safe browsing files even though "Block reported attack sites" and "Block reported web forgeries" were turned off. Is it normal?
     
  13. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Neither do I. But perhaps it's due to the fact that there are 3 branches of Tomoyo (1.x, 2.x and AKARI) which are implemented in a different way and have different functionalities (e.g., AKARI and Tomoyo Linux 2.5 are not yet able to control capabilities). I guess that's a bit confusing for some people.
     
  14. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    The main problem with TOMOYO seems to be that it won't resolve symlinks. So if you have x-www-browser symlinked to iceweasel, the profiles for those files will be separate, and iceweasel's will not apply when it's started from x-www-browser. Which, let's face it, is a pretty big problem.
     
  15. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    According to the comparison table mentioned above "Restrict creating symbolic links? (file symlink)" and "Check symbolic link's target when creating symbolic links?" are both answered with Y for all 3 branches ...
     
  16. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    I found this in the Tomoyo Wiki:
     
  17. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    Then again, when I start /usr/bin/x-www-browser from the terminal, which has been linked to /usr/bin/iceweasel for which I have an enforcing profile, Iceweasel starts unconfined. :eek:
     
  18. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Yes, that's what I'm referring to. :(
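    Added example for the symlink problem discussed in the last few posts (this is not TOMOYO's own tooling, and the directory tree it builds is constructed for the demo). Because the domain is keyed on the path a program was invoked through, every symlink that resolves to a confined binary is a separate, unconfined entry point. The script enumerates those aliases, following chains such as Debian's x-www-browser -> /etc/alternatives/x-www-browser -> iceweasel, so each one can be given its own profile or removed. Helper names and the hypothetical paths are this example's own; on a real system you would run it as confined_aliases /usr/bin/iceweasel /usr/bin /usr/local/bin /etc/alternatives.

```shell
#!/bin/sh
# Added example for this thread, not TOMOYO project code. Lists every symlink
# under the given directories that resolves to a confined binary, because a
# profile keyed on /usr/bin/iceweasel does not cover /usr/bin/x-www-browser.
# build_demo_tree creates a throwaway tree (constructed for the demo).

# confined_aliases CONFINED_PATH DIR...
#   prints "alias -> canonical target" for each symlink resolving to CONFINED_PATH
confined_aliases() {
    canon=$(readlink -f "$1") || return 1
    shift
    find "$@" -type l 2>/dev/null | while IFS= read -r link; do
        resolved=$(readlink -f "$link" 2>/dev/null) || continue
        if [ "$resolved" = "$canon" ]; then
            printf '%s -> %s\n' "$link" "$canon"
        fi
    done
}

# count_confined_aliases CONFINED_PATH DIR... -> number of aliases found
count_confined_aliases() {
    confined_aliases "$@" | wc -l | tr -d ' '
}

# build_demo_tree -> creates a tree mimicking Debian's alternatives chain
# and prints its root directory
build_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/usr/bin" "$demo/etc/alternatives"
    printf '#!/bin/sh\necho iceweasel\n' > "$demo/usr/bin/iceweasel"
    printf '#!/bin/sh\necho vim\n' > "$demo/usr/bin/vim"
    chmod +x "$demo/usr/bin/iceweasel" "$demo/usr/bin/vim"
    # x-www-browser -> /etc/alternatives/x-www-browser -> iceweasel
    ln -s "$demo/usr/bin/iceweasel" "$demo/etc/alternatives/x-www-browser"
    ln -s "$demo/etc/alternatives/x-www-browser" "$demo/usr/bin/x-www-browser"
    ln -s "$demo/usr/bin/x-www-browser" "$demo/usr/bin/gnome-www-browser"
    # unrelated alias that must not be reported
    ln -s "$demo/usr/bin/vim" "$demo/usr/bin/vi"
    printf '%s\n' "$demo"
}

# Demo run
demo_root=$(build_demo_tree)
echo "aliases of iceweasel that need their own TOMOYO domain:"
confined_aliases "$demo_root/usr/bin/iceweasel" "$demo_root/usr/bin" "$demo_root/etc/alternatives"
rm -rf "$demo_root"
```

    Comparing canonical paths on both sides (readlink -f of the confined binary and of each link) is what catches the multi-hop alternatives chain; comparing the raw link target would miss gnome-www-browser, which points at another symlink rather than at iceweasel directly.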
     
  19. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Mempo certainly has defined goals.

    https://rawgit.com/mempo/mempo-websites/master/mempo-main/html/mempo-system-layers.png
     
  20. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Would this help? https://www.wilderssecurity.com/thre...ilable-to-general-public.379263/#post-2520693

    https://www.wilderssecurity.com/thre...ilable-to-general-public.379263/#post-2520162
     
  21. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Interesting keynote by Jacob Appelbaum on improving the state of security in a broad meaning of the word, but has also some specific hardening tips.
    This is also the first time I heard that transport encryption of repositories is not only necessary to prevent passive surveillance/metadata collection, but also to prevent active, automated attacks taking place during upgrading.
    http://saimei.acc.umu.se/pub/debian..._done_Reflections_on_Free_Software_Usage.webm
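    Added example following up on the point about transport encryption for repositories (not code from the talk or from Debian): a small audit of a one-line-style sources.list that reports every mirror reached over plaintext http:// or ftp://, which is the first thing to check before relying on signature verification alone during upgrades. The sample file it writes is constructed for the demo and the hostnames are placeholders; helper names are this example's own.

```shell
#!/bin/sh
# Added example for this thread, not Debian tooling. Reports sources.list
# entries whose mirror is fetched over plaintext. The sample file written by
# write_demo_sources is constructed for the demo (placeholder hostnames).

# audit_sources FILE
#   prints "LINE: URI" for each plaintext entry; exit status 0 only if none found
audit_sources() {
    lineno=0
    hits=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        uri=""
        # fields: type [options] uri suite components...; '#' starts a comment.
        # set -f stops "[arch=amd64]" from being treated as a glob.
        set -f
        for field in $line; do
            case "$field" in
                \#*)   break ;;
                *://*) uri=$field; break ;;
            esac
        done
        set +f
        case "$uri" in
            http://*|ftp://*)
                printf '%d: %s\n' "$lineno" "$uri"
                hits=$((hits + 1)) ;;
        esac
    done < "$1"
    [ "$hits" -eq 0 ]
}

# count_plaintext FILE -> number of plaintext entries
count_plaintext() {
    audit_sources "$1" | wc -l | tr -d ' '
}

# write_demo_sources -> writes a constructed sources.list and prints its path
write_demo_sources() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
deb http://deb.example.org/debian jessie main
deb-src http://deb.example.org/debian jessie main
deb https://security.example.org/debian-security jessie/updates main
# deb http://commented.example.org/debian jessie main
deb [arch=amd64] http://mirror.example.net/debian jessie main contrib
deb [arch=amd64] https://mirror.example.net/debian jessie-backports main
EOF
    printf '%s\n' "$f"
}

# Demo run
demo_file=$(write_demo_sources)
if audit_sources "$demo_file"; then
    echo "all entries use an encrypted transport"
else
    echo "plaintext entries listed above: switch them to a TLS mirror"
fi
rm -f "$demo_file"
```

    The option bracket and comment handling matter in practice: a naive grep for "http://" would also flag the commented-out line and miss nothing, but it would not tell you which live entry is at fault, and the same parser can be extended to the Debian deb822 sources format if that is what the system uses.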
     
  22. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Has anyone tried Oz? Sounds very interesting and is even said to limit access to X by using Xpra. Might be a (potentially superior?) alternative to Firejail.
     
  23. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    The OS they are building looks interesting also.

    https://subgraph.com/sgos/index.en.html

    I've found a couple of other maybe less used sandbox tools for Linux - minijail - forked from Chromium

    https://github.com/omegaup/minijail

    & Mbox - A sandbox for non root users.

    http://pdos.csail.mit.edu/mbox/ https://github.com/tsgates/mbox https://www.usenix.org/conference/atc13/technical-sessions/presentation/kim

    I also ran across a grsec forum post where Brad states Alpine Linux doesn't use a supported grsec kernel.
     
  24. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Although I must say I'm not using Linux as often as before (mainly due to compatibility issues and busy work software testing on Windows), I think keeping this thread alive is still within everyone's best interests.

    Can't say I can share any new techniques for security though... My main usage of Linux being a Chromebook, I often look for convenience, shortcuts, and flexibility instead lol.
     
  25. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil