Easiest way to get Grsecurity and Pax on Linux

Discussion in 'all things UNIX' started by kinder2, Sep 18, 2015.

  1. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    No, it doesn't.
    Yes! However, if you're using grub as your bootloader you will have to execute
    Code:
    sudo grub-mkconfig -o /boot/grub/grub.cfg
    before rebooting in order to add the new kernel. (I don't know how it works with syslinux as I'm not familiar with it.)

    Note that you will probably want to install the paxd and gradm packages in order to enable PaX amd RBAC.
     
  2. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    It does come with Tomoyo enabled.
    https://wiki.archlinux.org/index.php/TOMOYO_Linux#Installation_2

    Tomoyo is easy to use, but you have to create your own profiles and it takes time to create and maintain them.
     
  3. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
  4. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    SELinux and Appramor are very "weak" when compared to grsecurity. See here: https://grsecurity.net/compare.php
    For all I know grsecurity works with these two.

    On Arch, Ubuntu, and Debian: yes, if you use the official repos.

    You can easily compile your own linux-grsec Kernel under these OS's, but don't forget to read a few tutorials because a few grsecurity features only work with servers (because they'll break Xorg).
     
  5. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Packages in Arch are the most vanilla they can be: no custom icons, or menus, or anything. KDE won't come with ugly alterations, or XFCE, etc. That's a plus because other distros like to customize things the way they think is good: on Arch you build your own system, not "developer john system" ;)
     
  6. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    For the life of me I don't see the terminal commands to get a browser on it. I may get a Chromebook and just plant it next to the computer to do this. I've never felt so stupid in my life as with this. Dooooh!
     
  7. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Hehehehe. Well, installing things on Arch is pretty easy. For example, to install Firefox:
    Code:
    sudo pacman -S firefox
    or
    Code:
    sudo pacman -S chromium
    Even if you don't like Firefox, you can now use it to learn how to get Chrome :p
     
  8. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Bless you!!
     
  9. kinder2

    kinder2 Registered Member

    Joined:
    Aug 17, 2015
    Posts:
    51
    I found the kernal compiling too difficult and gave up. Was not confident applying the Grsecurity 4.x kernal to a Ubuntu and Mint 3.x kernal. Ubuntu is switching to 4.x kernal in the next build, perhaps I try it then.

    I try to install Arch on a old computer with no PAE support. And it will not install, on boot of the installation usb there is error saying cpu not supported. Adding forcepae command does not work. Is there a way to force install Arch without PAE.
     
  10. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    What tutorial did you follow? The tutorial I linked >HERE< is pretty easy.

    I think you're trying to boot a x64 Kernel into a x86 CPU.
     
  11. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Well, it's not difficult once you're a bit familiar with the pacman commands. And it makes life much easier if you create some aliases for the most important ones in ~/.bashrc like:
    Code:
    alias i="sudo pacman -S"
    alias u="sudo pacman -Syu"
    alias r="sudo pacman -Rns"
    After adding those aliases just execute "source .bashrc" and they will be immediately available. So in order to install firefox you simply would have to execute
    Code:
    i firefox
    Easy, isn't it?

    But if you really want a graphical package manager you can chose, e.g., Octopi from the AUR. I think it's the default package manager in Manjaro. Here are other alternatives.

    EDIT: Here are some more useful aliases for you as a special service :D
    Code:
    alias li='pacman -Qi'  # Display information about a given package in the local database
    alias sl='pacman -Qs'  # Search for package(s) in the local database
    alias ar="pacman -Qdt" #To list all packages no longer required as dependencies (orphans)
    
    alias cleancache="sudo pacman -Scc"        # Clean cache - delete all not currently installed package files
    alias sc="systemctl"
    alias rsc="sudo systemctl"
    alias jcb="journalctl -b"  #Show all messages from this boot
    alias failed="journalctl -b | grep -e failed -e Failed"
    alias jce="journalctl -e"      #jump to the end of the journal
    alias jceu="journalctl -e -u"  #jump to the end of the journal for that unit
     
    Last edited: Sep 29, 2015
  12. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Arch made a significant difference in the speed of Chromium but adding all the things I'm used to having by default wasn't my cup of tea but on the plus side I installed Mint LMDE and was able to install Grsec after wards. Do I need it? Maybe not but I'm trying it on for size. I don't believe there is much if any performance hit.
     
    Last edited: Sep 29, 2015
  13. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    I also didn't notice any performance hit. Do I need grsec? Probably not, but it's better to be protected and not need the protection than to need the protection and not be protected, right? :)
     
  14. kinder2

    kinder2 Registered Member

    Joined:
    Aug 17, 2015
    Posts:
    51
    Just as I suspected, the tutorial does not work. I went through step by step with these problems.
    1. apt-get install patch bin86 kernel-package build-essential libncurses5-dev gcc-*-plugin-dev There is error of no gcc-*-plugin-dev found. I ignored it and continued.
    2. make-kpkg --initrd --append-to-version "grsec1.0" kernel_image There is error of no -- command recognized. I change the -- to single -, and now it give error of grsec1.0 not a target. No compiling done!

    Like I said someone need to update this crappy 2012 tutorial to 2015.
     
  15. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    You ought to do a bit of reading before saying something like this. This tutorial is not crappy, neither is it outdated. Just one thing has changed.
    I don't want to spell out the exact command, just read this:
    https://debian-handbook.info/browse/stable/sect.kernel-compilation.html

     
  16. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Unfortunately, this seems to be a trend here among new Linux users ... :mad:
     
  17. kinder2

    kinder2 Registered Member

    Joined:
    Aug 17, 2015
    Posts:
    51
    Why should I read all that when you, or the maker of that tutorial, can spell out the exact command which works? Takes you 10 seconds to type it out, takes me 30 minute to read that. After a hard day at work the last thing I wanna do is read wall of boring text to find a solution that might not work. Your response is typical of many Linux users, it take no skill to answer someone's problem by giving a textbook to read, the skill come from answering it with precise solution. I wait for someone helpful to make a new working tutorial.
     
    Last edited: Oct 5, 2015
  18. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I've actually had the most RTFM responses asking questions at BSD or Virtualbox forums... Many times not even pointing out the specific command and instead telling me to read the whole section.

    Anyhow, I'm not sure why you specifically need Grsecurity in Ubuntu e al. Is AppArmor, FireJail, trusted repos, etc. not enough?
     
  19. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    Why should I, or anybody else, help someone who is not willing to help himself/herself? I gave you enough hint, if you just cared to read the last two lines of my reply you would have got it.

    Sorry, I can't help someone with this attitude. You name a tutorial crappy without understanding even an iota of it, you brand someone a "typical linux user" who took the time to write a reply pointing you towards the right direction.

    Anyway, I don't think you will be any more secure with Grsecurity et al. You don't want to understand, just click and forget. That's not how security, or anything else in the world, works.

    Others might help in a way that you think is helpful.
     
    Last edited: Oct 6, 2015
  20. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    Apples and oranges. The link I gave is not to a "RTFM" manual. It is a very readable, easy to understand handbook, also available in ebook format for those who like to read that way. Only one page to read, takes ten minutes, clearly says what used to be the case some times ago and what is now the case. If you still don't get it, you won't get it.
     
  21. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    @UnknownK Should we label him as "typical Windows user who wants his meat chewed on a plate"? :p

    @J_L Yeah, BSD forums and IRC can be a harsh place sometimes. But then again, they expect us to learn things and don't be a help-vampire, because that's the way they learned how to do things :D

    I too get upset when someone asks me simple things like "how do I update Ubuntu". I say "You know, DuckDuckGo is right there waiting for you to ask the same thing".
     
  22. kinder2

    kinder2 Registered Member

    Joined:
    Aug 17, 2015
    Posts:
    51
    That is fine, I do not need help from someone with your attitude.
    A tutorial is supposed to work, if it does not work it is by definition crappy in my books.
    I do not need someone to point me in the right direction, I need someone to give me the solution. Without having to read a wall of technical mumbo jumbo text. I have no interest in filling my precious brain space with learning programming, I just want something that works.
    If there is a guaranteed working solution hidden in the wall of text, I can read it. That is how I manage to read working tutorials and get things done. But my inner voice is telling me I will spend 30 minutes reading his link, only to raise more questions about how to do something that ultimately does not work. If it works he would have spelt out the solution than throw the textbook at me. This happens too many times in my Linux problems and I am frankly growing tired of it.
    I am sure I speak for the majority of new Linux users, they quit silently instead of complaining like I do here.

    I need Grsecurity to stop keyloggers and screen grabbers. Apparmor is not enough, it relies on profiles for specific programs, I need protection for Linux basic processes itself not only programs. Firejail only protects Firefox. Trusted repos do not stop dns redirection to malware done at ISP level.

    And it should not be necessary to understand how security works to have it work. Windows has many security software, no need to understand how they work, and they work. Linux needs the same approach.

    There are 2 ways advanced Linux users help others. You can tell someone to read a textbook or search online, making them do hard work to learn what you know, giving you an ego boost. Or you can cut the crap and say what the solution is. You know which way is better.
     
    Last edited: Oct 6, 2015
  23. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    Yes, that's what the OP exactly is. I wanted to help, but no, that was my mistake.
     
  24. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    And you think many people would be willing to help someone with YOUR attitude?
    We're not your paid support.
    That's because you made no effort to learn what the errors are. You just assumed the tutorial was "crap" because it didn't work for YOU. That's not how things work.

    I can see here that the two errors you posted are easily avoidable. The first one you can pretty much ignore, because if you knew something about pacakges you'd know that a * means "everything related to this package". You could search for each one of these packages, but you didn't.
    I don't know how you got the second error. I tried this "crappy 2012 tutorial" not long ago and it worked for me. Maybe it's a problem at your end?

    Again, we're not your paid support. You don't want directions, we don't want to give you the correct command (if it even exists) because of your attitude. Life is pretty simple sometimes.

    :argh::argh::argh:

    Learning works, it worked for me and for everyone in this thread except you :)

    You must be REALLY young, because young people these days don't move their arses for nothing, they want everything on a plate.

    Once more: we're not your paid support. We might not have the same machine or same distro or same setup as you, and we certainly will NOT do much effort just to satisfy your ego. You could have read the damn tutorials and more and even learned how to install Arch Linux, but nooo, you're still here arguing about why nobody served you the way you wanted. I'm sure that's how things are done at the Winners' table :thumb:

    Because they're used to getting everything done for them. That's not the correct way to manage your life.

    What kinds of nasty things are you doing with your system? Perhaps Linux isn't for you. There's absolutely no need to be as afraid as you are, unless you're like someone else I know and installs things from unknown sources and whatnot.

    Which is just what you need for most situations. Firejailing your most vulnerable apps.

    GRSec probably won't stop that either, because it's done at IPS level and therefore only occurs at your browser. In any case, you should do two things:

    * Sue this ISP;
    * Don't run anything they throw at you. You use Linux, your chances of being infected are close to zero.

    No, because if we just give you a command to compile the Kernel (and we did) you won't learn anything, and then if problems arise you'll come here asking for help instead of figuring out yourself.

    I don't mind helping people, as long as they deserve it ;)
     
  25. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    This is ridiculous. If you're using a Personal Firewall, a HIPS or even Emet in Windows you do need to understand how they work. Otherwise you will probably break your system or, at least, many applications.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.