Debian now has proper Grsecurity support

Discussion in 'all things UNIX' started by Amanda, Jan 26, 2016.

  1. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    sudo apt-get install build-essential libncurses5-dev gcc-4.8-plugin-dev libssl-dev

    That needs to be on Mint, and I assume on Ubuntu, for the script to complete.
     
  2. AutoCascade

    Download it, add that (libncurses5-dev gcc-4.8-plugin-dev libssl-dev), and as root open the bin folder and run it in a terminal. It doesn't finish the install, but it always creates the grsec kernel. I end up running the script sometimes 2-3 times before it works, but the kernel is built; it just has to be installed.
     
  3. AutoCascade

    Access the extracted file as root, go to bin, and under bin there is a start script. There are only two options, 1 and the answer has to be Y, then it starts running. If it works correctly it'll say 'phase 1 ok', then after a long time it starts to remove the install script and creates a .deb file of a grsec kernel that installs on reboot.

    Mint, anyway, is missing this, which is needed for grsec:

    sudo apt-get install build-essential libncurses5-dev gcc-4.8-plugin-dev libssl-dev
     
  4. AutoCascade

    A big extra, for me, has been having to use the terminal to do everything. It screws up all the GUI, so I'm forced to use the terminal for everything, so I'm learning everything now.
     
  5. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    There's no need to manually compile the kernel on Debian.

    • Debian Sid/Testing already have grsec and all the tools in the repo
    • Debian Jessie (Stable) has all the tools, and the kernel is here
    The Jessie repo I linked is maintained by the security researcher and Debian developer Corsac, so there's no need to worry and you guys can use it without hesitation :)
     
    Last edited: Apr 28, 2016
  6. Amanda

    But you have to remember the target audience for Mint.

    I don't think Mint developers will make grsec available, because almost all Mint users are regular users who don't even know about grsec, or won't care about it anyway because they just want a more bug-free and secure alternative to Windows.

    What Mint developers could do is implement some of grsec's features in the kernel by default. This would require no effort and no thought from the users.

    However, given how Mint takes care of security, I seriously doubt such a thing will be done unless they actually come under attack.
     
    Last edited: Apr 28, 2016
  7. AutoCascade

    I'll give it a go this weekend on Ubuntu again but using the .deb grsec kernel package.
     
  8. Amanda

    It's your call ;) Let us know if it works.
     
  9. Amanda

  10. AutoCascade

    Once you have libssl-dev on your system, all you have to do is reboot once it's done. It says it's downloading necessary files ('installing curl'), but it doesn't always do that; when that's the case the script just stops. I had to see what was missing by trying to compile it manually once.

    I download it, extract it, open it as root, and make my way to the script at home/user/Desktop/Downloads/grsecurity-Debian-Installer-master/usr/bin, then open it in a terminal. It downloads the kernel, downloads the latest patch, patches the kernel, cleans up, compiles, and creates a .deb file that installs as the new kernel after reboot. If it reaches 'phase 2' the new kernel is compiling. If it fails, the patched kernel is still right there waiting to be compiled and installed.

    It installs in /usr/src/, creating a couple of folders and the .deb file. It's pretty amazing really.
     
  11. taytong888

    taytong888 Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    168
    Hello,

    I am just wondering if one also needs to:
    1. Add the Jessie backports repo to /etc/apt/sources.list
    2. Update initrd.img. The reason for question #2 is that some weeks ago I installed a backported kernel, 4.3-ish. After reboot, my PC still booted into the default kernel 3.16. I'm wondering if I failed to do #2 (I just don't know how).
    I am running Jessie 8.4 AMD64 version.
    Any suggestions? Thanks for your help.
     
  12. Amanda

    Yes, but you only need to install the kernel from backports. All the other tools, with the exception of paxctld, are in Jessie's main repo.

    I highly recommend you install paxctld as noted in that file you linked.

    It should update everything automatically to load the new kernel. You don't need to manually update the initrd.img :)

    It's possible. Nevertheless, once you reboot you'll be presented with GRUB. Don't let GRUB load; press down to "Advanced options for Debian etc." and select the kernel image you want to load. Once you boot with the image you want, it should be loaded automatically on every boot.

    Yes.

    Debian's grsec is very well built and very secure. It's so secure you won't even be able to boot into graphical mode if you use sddm or lightdm. I think that's because corsac builds the kernel mainly for server use.

    With that in mind, you'll probably want to do the following:

    • add your user to the "grsec-tpe" group;
    • If that group doesn't exist, create it, add your user to it, and set its GID to 200 (probably not necessary; test without the group first);
    • Make a backup copy of "/etc/sysctl.d/grsec.conf";
    • Edit the file;
    • Edit the TPE section as below:
    Code:
    #
    # Trusted Path Execution
    #
    # tpe_gid: tpe group
    #
    
    #kernel.grsecurity.tpe = 1
    kernel.grsecurity.tpe_gid = 200
    #kernel.grsecurity.tpe_invert = 1
    kernel.grsecurity.tpe_restrict_all = 1
    
    This will loosen up the kernel a bit, allowing for easier use overall. This is how Arch Linux handles the TPE section.

    If you don't want a looser kernel, keep the TPE section intact (and so the grsec.conf file) and follow the file you linked ;) (this also means setting the grsec-tpe group with GID 64040). But you WILL have to add PaX exceptions for almost every program you use. Either use attr for that (see here for instructions), or edit /etc/paxd.conf.

    Here's a good start:

    Code:
    # This file contains a list of exceptions to be applied by paxd. Empty lines
    # are ignored and comments can be written by starting a line with `#`. The
    # format of other lines is `flags /path/to/executable`.
    #
    # Exceptions will be applied on start-up and then again as-needed when the
    # configuration file or the executables are replaced.
    #
    # A lowercase letter disables a feature, and an uppercase letter enables it.
    #
    # The following features are available:
    #
    # * P(AGEEXEC) <https://pax.grsecurity.net/docs/pageexec.txt>
    # * E(MUTRAMP) <https://pax.grsecurity.net/docs/emutramp.txt>
    # * M(PROTECT) <https://pax.grsecurity.net/docs/mprotect.txt>
    # * R(ANDMMAP) <https://pax.grsecurity.net/docs/randmmap.txt>
    # * S(EGMEXEC) <https://pax.grsecurity.net/docs/segmexec.txt>
    #
    # The default flags are `PeMRs` with softmode=0 and `pemrs` with softmode=1.
    #
    # An exception without an explicit EMUTRAMP flag will enable EMUTRAMP, so most
    # rules should include `e`.
    
    em  /opt/brackets/Brackets
    em  /opt/dropbox/dropbox
    em  /opt/LightTable/ltbin
    em  /opt/mendeleydesktop/lib/mendeleydesktop/libexec/mendeleydesktop.x86_64
    em  /opt/mendeleydesktop/lib/mendeleydesktop/libexec/mendeleydesktop.i486
    em  /opt/SpiderOak/lib/SpiderOak
    em  /opt/telegram/Telegram
    em  /opt/urbanterror/urbanterror
    em  /opt/visual-studio-code/Code
    em  /opt/VSCode/Code
    em  /usr/bin/avogadro
    em  /usr/bin/blender
    em  /usr/bin/btsync
    em  /usr/bin/cabal
    em  /usr/bin/copyq
    em  /usr/bin/cutegram
    em  /usr/bin/dolphin-emu
    em  /usr/bin/dosbox
    em  /usr/bin/gendesk
    em  /usr/bin/ghb
    em  /usr/bin/glxdemo
    em  /usr/bin/glxgears
    em  /usr/bin/glxinfo
    em  /usr/bin/glxspheres
    em  /usr/bin/gnucash
    em  /usr/bin/goldendict
    em  /usr/bin/HandBrakeCLI
    em  /usr/bin/hhvm
    em  /usr/bin/inkscape
    em  /usr/bin/konstruktor
    em  /usr/bin/liferea
    em  /usr/bin/lli
    em  /usr/bin/love
    em  /usr/bin/love08
    emr /usr/bin/luajit
    E   /usr/bin/make
    em  /usr/bin/minitube
    em  /usr/bin/mono
    em  /usr/bin/mono-sgen
    em  /usr/bin/mplayer
    em  /usr/bin/mumble
    em  /usr/bin/node
    em  /usr/bin/nvim
    em  /usr/bin/obex-data-server
    em  /usr/bin/quassel
    em  /usr/bin/quasselcore
    em  /usr/bin/racket
    emr /usr/bin/sbcl
    em  /usr/bin/scheme
    em  /usr/bin/sddm-greeter
    em  /usr/bin/sigil
    em  /usr/bin/smplayer
    em  /usr/bin/spicec
    em  /usr/bin/stellarium
    em  /usr/bin/systemsettings
    em  /usr/bin/tcc
    em  /usr/bin/texmaker
    em  /usr/bin/texstudio
    em  /usr/bin/trojita
    em  /usr/bin/vbetool
    em  /usr/bin/vim
    em  /usr/bin/vlc
    emr /usr/lib/couchdb/bin/couchjs
    em  /usr/lib/kodi/kodi.bin
    em  /usr/lib/libreoffice/program/soffice.bin
    em  /usr/lib/racket/gracket
    em  /usr/share/atom/atom
    em  /usr/share/atom/resources/app/apm/bin/node
    
    # GCC (precompiled headers)
    er /usr/lib/gcc/i686-pc-linux-gnu/5.3.0/cc1
    er /usr/lib/gcc/i686-pc-linux-gnu/5.3.0/cc1plus
    er /usr/lib/gcc/x86_64-unknown-linux-gnu/5.3.0/cc1
    er /usr/lib/gcc/x86_64-unknown-linux-gnu/5.3.0/cc1plus
    
    # Popcorn Time
    em /opt/popcorntime-bin/Popcorn-Time
    em /usr/lib/popcorntime/Popcorn-Time
    
    # p11-kit (libffi)
    E /usr/bin/p11-kit
    E /usr/bin/trust
    
    # p7zip
    em /usr/lib/p7zip/7z
    em /usr/lib/p7zip/7zFM
    em /usr/lib/p7zip/7zG
    em /usr/lib/p7zip/7za
    em /usr/lib/p7zip/7zr
    
    # clamav
    em /usr/bin/clamd
    em /usr/bin/clamscan
    em /usr/bin/freshclam
    
    # cinnamon/gnome/gtk (mostly caused by gjs and webkitgtk)
    em  /usr/bin/cheese
    em  /usr/bin/cinnamon
    emr /usr/bin/cjs-console
    em  /usr/bin/empathy
    em  /usr/bin/empathy-accounts
    em  /usr/bin/gdk-pixbuf-query-loaders
    em  /usr/bin/gdk-pixbuf-query-loaders-32
    em  /usr/bin/geary
    em  /usr/bin/gitg
    em  /usr/bin/gjs-console
    em  /usr/bin/gnome-control-center
    em  /usr/bin/gnome-maps
    em  /usr/bin/gnome-shell
    em  /usr/bin/gnome-shell-extension-prefs
    em  /usr/bin/gnome-web-photo
    em  /usr/bin/gtk-query-immodules-2.0
    em  /usr/bin/gtk-query-immodules-2.0-32
    em  /usr/bin/gtk-query-immodules-3.0
    em  /usr/bin/gtk-query-immodules-3.0-32
    em  /usr/bin/seahorse
    em  /usr/bin/seed
    em  /usr/bin/yelp
    em  /usr/lib/empathy/empathy-auth-client
    em  /usr/lib/empathy/empathy-call
    em  /usr/lib/empathy/empathy-chat
    em  /usr/lib/gstreamer-1.0/gst-plugin-scanner
    emr /usr/lib/nemo-preview/nemo-preview-start
    em  /usr/lib/sushi/sushi-start
    em  /usr/lib/webkit2gtk-4.0/WebKitWebProcess
    em  /usr/lib/webkitgtk/WebKitWebProcess
    
    # grub
    emr /usr/bin/grub-bios-setup
    em  /usr/bin/grub-probe
    er  /usr/bin/grub-script-check
    
    # python
    em /usr/bin/python2
    em /usr/bin/python3
    em /opt/pypy/bin/pypy-c
    em /opt/pypy3/bin/pypy-c
    
    # Java 6
    em /usr/lib/jvm/java-6-openjdk/bin/java
    em /usr/lib/jvm/java-6-openjdk/bin/javac
    em /usr/lib/jvm/java-6-openjdk/jre/bin/java
    
    # Java 7 JRE
    em /usr/lib/jvm/java-7-openjdk/jre/bin/java
    em /usr/lib/jvm/java-7-openjdk/jre/bin/keytool
    em /usr/lib/jvm/java-7-openjdk/jre/bin/orbd
    em /usr/lib/jvm/java-7-openjdk/jre/bin/pack200
    em /usr/lib/jvm/java-7-openjdk/jre/bin/policytool
    em /usr/lib/jvm/java-7-openjdk/jre/bin/rmid
    em /usr/lib/jvm/java-7-openjdk/jre/bin/rmiregistry
    em /usr/lib/jvm/java-7-openjdk/jre/bin/servertool
    em /usr/lib/jvm/java-7-openjdk/jre/bin/tnameserv
    
    # Java 7 JDK
    em /usr/lib/jvm/java-7-openjdk/bin/appletviewer
    em /usr/lib/jvm/java-7-openjdk/bin/apt
    em /usr/lib/jvm/java-7-openjdk/bin/extcheck
    em /usr/lib/jvm/java-7-openjdk/bin/idlj
    em /usr/lib/jvm/java-7-openjdk/bin/jar
    em /usr/lib/jvm/java-7-openjdk/bin/jarsigner
    em /usr/lib/jvm/java-7-openjdk/bin/javac
    em /usr/lib/jvm/java-7-openjdk/bin/javadoc
    em /usr/lib/jvm/java-7-openjdk/bin/javah
    em /usr/lib/jvm/java-7-openjdk/bin/javap
    em /usr/lib/jvm/java-7-openjdk/bin/jcmd
    em /usr/lib/jvm/java-7-openjdk/bin/jconsole
    em /usr/lib/jvm/java-7-openjdk/bin/jdb
    em /usr/lib/jvm/java-7-openjdk/bin/jhat
    em /usr/lib/jvm/java-7-openjdk/bin/jinfo
    em /usr/lib/jvm/java-7-openjdk/bin/jmap
    em /usr/lib/jvm/java-7-openjdk/bin/jps
    em /usr/lib/jvm/java-7-openjdk/bin/jrunscript
    em /usr/lib/jvm/java-7-openjdk/bin/jsadebugd
    em /usr/lib/jvm/java-7-openjdk/bin/jstack
    em /usr/lib/jvm/java-7-openjdk/bin/jstat
    em /usr/lib/jvm/java-7-openjdk/bin/jstatd
    em /usr/lib/jvm/java-7-openjdk/bin/native2ascii
    em /usr/lib/jvm/java-7-openjdk/bin/rmic
    em /usr/lib/jvm/java-7-openjdk/bin/schemagen
    em /usr/lib/jvm/java-7-openjdk/bin/serialver
    em /usr/lib/jvm/java-7-openjdk/bin/wsgen
    em /usr/lib/jvm/java-7-openjdk/bin/wsimport
    em /usr/lib/jvm/java-7-openjdk/bin/xjc
    
    # Java 8 JRE
    em /usr/lib/jvm/java-8-openjdk/jre/bin/java
    em /usr/lib/jvm/java-8-openjdk/jre/bin/jjs
    em /usr/lib/jvm/java-8-openjdk/jre/bin/keytool
    em /usr/lib/jvm/java-8-openjdk/jre/bin/orbd
    em /usr/lib/jvm/java-8-openjdk/jre/bin/pack200
    em /usr/lib/jvm/java-8-openjdk/jre/bin/rmid
    em /usr/lib/jvm/java-8-openjdk/jre/bin/rmiregistry
    em /usr/lib/jvm/java-8-openjdk/jre/bin/servertool
    em /usr/lib/jvm/java-8-openjdk/jre/bin/tnameserv
    
    # Java 8 JDK
    em /usr/lib/jvm/java-8-openjdk/bin/appletviewer
    em /usr/lib/jvm/java-8-openjdk/bin/extcheck
    em /usr/lib/jvm/java-8-openjdk/bin/idlj
    em /usr/lib/jvm/java-8-openjdk/bin/jar
    em /usr/lib/jvm/java-8-openjdk/bin/jarsigner
    em /usr/lib/jvm/java-8-openjdk/bin/javac
    em /usr/lib/jvm/java-8-openjdk/bin/javadoc
    em /usr/lib/jvm/java-8-openjdk/bin/javah
    em /usr/lib/jvm/java-8-openjdk/bin/javap
    em /usr/lib/jvm/java-8-openjdk/bin/jcmd
    em /usr/lib/jvm/java-8-openjdk/bin/jconsole
    em /usr/lib/jvm/java-8-openjdk/bin/jdb
    em /usr/lib/jvm/java-8-openjdk/bin/jdeps
    em /usr/lib/jvm/java-8-openjdk/bin/jhat
    em /usr/lib/jvm/java-8-openjdk/bin/jinfo
    em /usr/lib/jvm/java-8-openjdk/bin/jmap
    em /usr/lib/jvm/java-8-openjdk/bin/jps
    em /usr/lib/jvm/java-8-openjdk/bin/jrunscript
    em /usr/lib/jvm/java-8-openjdk/bin/jsadebugd
    em /usr/lib/jvm/java-8-openjdk/bin/jstack
    em /usr/lib/jvm/java-8-openjdk/bin/jstat
    em /usr/lib/jvm/java-8-openjdk/bin/jstatd
    em /usr/lib/jvm/java-8-openjdk/bin/native2ascii
    em /usr/lib/jvm/java-8-openjdk/bin/rmic
    em /usr/lib/jvm/java-8-openjdk/bin/schemagen
    em /usr/lib/jvm/java-8-openjdk/bin/serialver
    em /usr/lib/jvm/java-8-openjdk/bin/wsgen
    em /usr/lib/jvm/java-8-openjdk/bin/wsimport
    em /usr/lib/jvm/java-8-openjdk/bin/xjc
    
    # Qt
    em /usr/bin/designer-qt4
    em /usr/bin/qtcreator-bin
    em /usr/lib/qt/bin/designer
    em /usr/lib/qt/bin/qml
    em /usr/lib/qt/bin/qmlviewer
    
    # kde
    em /usr/bin/akonadi_archivemail_agent
    em /usr/bin/akonadi_followupreminder_agent
    em /usr/bin/akonadi_imap_resource
    em /usr/bin/akonadi_newmailnotifier_agent
    em /usr/bin/akonadi_mailfilter_agent
    em /usr/bin/akonadi_sendlater_agent
    em /usr/bin/akonadiconsole
    em /usr/bin/akregator
    em /usr/bin/baloo_file
    em /usr/bin/baloo_file_cleaner
    em /usr/bin/blogilo
    em /usr/bin/kalzium
    em /usr/bin/kamoso
    em /usr/bin/kate
    em /usr/bin/kdeinit4
    em /usr/bin/kdeinit5
    em /usr/bin/kdenlive
    em /usr/bin/kdevelop
    em /usr/bin/kmail
    em /usr/bin/knetwalk
    em /usr/bin/knode
    em /usr/bin/knotify4
    em /usr/bin/kolourpaint
    em /usr/bin/kontact
    em /usr/bin/kreversi
    em /usr/bin/krunner
    em /usr/bin/ksmserver
    em /usr/bin/ksplashqml
    em /usr/bin/kwin
    em /usr/bin/kwin_gles
    em /usr/bin/kwin_x11
    em /usr/bin/marble
    em /usr/bin/marble-qt
    em /usr/bin/muon-discover
    em /usr/bin/okular
    em /usr/bin/plasmashell
    em /usr/bin/storageservicemanager
    em /usr/bin/systemsettings5
    em /usr/bin/tellico
    em /usr/lib/kde4/libexec/drkonqi
    em /usr/lib/kde4/libexec/kwin_opengl_test
    em /usr/lib/kde4/libexec/kscreenlocker_greet
    em /usr/lib/kde4/libexec/ktp-text-ui
    em /usr/lib/kscreenlocker_greet
    
    # imagemagick
    em /usr/bin/animate
    em /usr/bin/compare
    em /usr/bin/composite
    em /usr/bin/conjure
    em /usr/bin/convert
    em /usr/bin/display
    em /usr/bin/identify
    em /usr/bin/import
    em /usr/bin/mogrify
    em /usr/bin/montage
    em /usr/bin/stream
    
    # polkit
    em /usr/lib/polkit-1/polkitd
    
    # qemu (user mode emulation)
    em /usr/bin/qemu-aarch64
    em /usr/bin/qemu-alpha
    em /usr/bin/qemu-arm
    em /usr/bin/qemu-armeb
    em /usr/bin/qemu-cris
    em /usr/bin/qemu-i386
    em /usr/bin/qemu-m68k
    em /usr/bin/qemu-microblaze
    em /usr/bin/qemu-microblazeel
    em /usr/bin/qemu-mips
    em /usr/bin/qemu-mips64
    em /usr/bin/qemu-mips64el
    em /usr/bin/qemu-mipsel
    em /usr/bin/qemu-mipsn32
    em /usr/bin/qemu-mipsn32el
    em /usr/bin/qemu-or32
    em /usr/bin/qemu-ppc
    em /usr/bin/qemu-ppc64
    em /usr/bin/qemu-ppc64abi32
    em /usr/bin/qemu-s390x
    em /usr/bin/qemu-sh4
    em /usr/bin/qemu-sh4eb
    em /usr/bin/qemu-sparc
    em /usr/bin/qemu-sparc32plus
    em /usr/bin/qemu-sparc64
    em /usr/bin/qemu-unicore32
    em /usr/bin/qemu-x86_64
    
    # qemu (system emulation)
    em /usr/bin/qemu-system-aarch64
    em /usr/bin/qemu-system-alpha
    em /usr/bin/qemu-system-arm
    em /usr/bin/qemu-system-cris
    em /usr/bin/qemu-system-i386
    em /usr/bin/qemu-system-lm32
    em /usr/bin/qemu-system-m68k
    em /usr/bin/qemu-system-microblaze
    em /usr/bin/qemu-system-microblazeel
    em /usr/bin/qemu-system-mips
    em /usr/bin/qemu-system-mips64
    em /usr/bin/qemu-system-mips64el
    em /usr/bin/qemu-system-mipsel
    em /usr/bin/qemu-system-moxie
    em /usr/bin/qemu-system-or32
    em /usr/bin/qemu-system-ppc
    em /usr/bin/qemu-system-ppc64
    em /usr/bin/qemu-system-ppcemb
    em /usr/bin/qemu-system-s390x
    em /usr/bin/qemu-system-sh4
    em /usr/bin/qemu-system-sh4eb
    em /usr/bin/qemu-system-sparc
    em /usr/bin/qemu-system-sparc64
    em /usr/bin/qemu-system-unicore32
    em /usr/bin/qemu-system-x86_64
    em /usr/bin/qemu-system-xtensa
    em /usr/bin/qemu-system-xtensaeb
    
    # VirtualBox
    em /usr/lib/virtualbox/VBoxBalloonCtrl
    em /usr/lib/virtualbox/VBoxHeadless
    em /usr/lib/virtualbox/VBoxManage
    em /usr/lib/virtualbox/VBoxNetAdpCtl
    em /usr/lib/virtualbox/VBoxNetDHCP
    em /usr/lib/virtualbox/VBoxSDL
    em /usr/lib/virtualbox/VBoxSVC
    em /usr/lib/virtualbox/VBoxTunctl
    em /usr/lib/virtualbox/VBoxTestOGL
    em /usr/lib/virtualbox/VBoxXPCOMIPCD
    em /usr/lib/virtualbox/VirtualBox
    
    # valgrind
    em /usr/bin/valgrind
    em /usr/lib/valgrind/cachegrind-amd64-linux
    em /usr/lib/valgrind/cachegrind-x86-linux
    em /usr/lib/valgrind/callgrind-amd64-linux
    em /usr/lib/valgrind/callgrind-x86-linux
    em /usr/lib/valgrind/drd-amd64-linux
    em /usr/lib/valgrind/drd-x86-linux
    em /usr/lib/valgrind/exp-bbv-amd64-linux
    em /usr/lib/valgrind/exp-bbv-x86-linux
    em /usr/lib/valgrind/exp-dhat-amd64-linux
    em /usr/lib/valgrind/exp-dhat-x86-linux
    em /usr/lib/valgrind/exp-sgcheck-amd64-linux
    em /usr/lib/valgrind/exp-sgcheck-x86-linux
    em /usr/lib/valgrind/helgrind-amd64-linux
    em /usr/lib/valgrind/helgrind-x86-linux
    em /usr/lib/valgrind/lackey-amd64-linux
    em /usr/lib/valgrind/lackey-x86-linux
    em /usr/lib/valgrind/massif-amd64-linux
    em /usr/lib/valgrind/massif-x86-linux
    em /usr/lib/valgrind/memcheck-amd64-linux
    em /usr/lib/valgrind/memcheck-x86-linux
    em /usr/lib/valgrind/none-amd64-linux
    em /usr/lib/valgrind/none-x86-linux
    
    # ruby
    em /usr/bin/rbx
    em /usr/bin/ruby
    
    # skype
    em /usr/lib/skype/skype
    em /usr/lib32/skype/skype
    
    # steam
    em /usr/lib32/ld-linux.so.2
    
    # standalone SpiderMonkey
    emr /usr/bin/js
    em  /usr/bin/js17
    em  /usr/bin/js24
    
    # xul-based web browsers and other applications
    pem /usr/lib/aurora/aurora
    em  /usr/lib/aurora/plugin-container
    pem /usr/lib/firefox/firefox
    em  /usr/lib/firefox/plugin-container
    pem /usr/lib/firefox-developer-edition/firefox
    em  /usr/lib/firefox-developer-edition/plugin-container
    pem /usr/lib/iceweasel/iceweasel
    em  /usr/lib/iceweasel/plugin-container
    em  /usr/lib/seamonkey/seamonkey
    em  /usr/lib/seamonkey/plugin-container
    pem /usr/lib/thunderbird/thunderbird
    em  /usr/lib/thunderbird/plugin-container
    em  /usr/lib/xulrunner-38.0.1/xulrunner
    em  /usr/lib/xulrunner-38.0.1/plugin-container
    pem /usr/lib32/bin32-firefox/firefox32
    em  /usr/lib32/bin32-firefox/plugin-container
    
    # web browsers
    em   /usr/bin/arora
    em   /usr/bin/dwb
    emr  /usr/bin/elinks
    em   /usr/bin/epiphany
    em   /usr/bin/konqueror
    em   /usr/bin/luakit
    em   /usr/bin/midori
    em   /usr/bin/otter-browser
    em   /usr/bin/qupzilla
    em   /usr/bin/rekonq
    em   /usr/bin/surf
    em   /usr/bin/uzbl-core
    em   /usr/lib/chromium/chromium
    pems /usr/lib/chromium/nacl_helper
    em   /usr/lib/opera/opera
    em   /usr/lib/opera/pluginwrapper/operapluginwrapper-native
    
    # wine
    pemrs /usr/bin/wine-preloader
    pemrs /usr/bin/wine64-preloader
    
    # teamviewer
    em /opt/teamviewer/tv_bin/teamviewerd
    em /opt/teamviewer/tv_bin/wine/bin/wine-preloader
    
    # spotify
    em /usr/bin/spotify
    em /usr/share/spotify/spotify
    em /usr/share/spotify/spotify-client/Data/SpotifyHelper
    I wouldn't use the "em" flag on most of these, because it's not necessary and it reduces security a bit. Change every "em" to just "m" (without quotes) and see if your programs work (all my programs work with just 'm').
     
    Last edited: May 11, 2016
  13. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Nice to see it coming to Jessie :)

    I'm trying to compile my own grsec kernel with this guide: (https://micahflee.com/2016/01/debian-grsecurity/)
    First I had a fatal error because it couldn't find an openssl folder, but that was fixed by installing the OpenSSL dev tools. Now I'm getting an error related to some cert, but I'm not sure what I need to do in order to fix it.
    This is the last part of the terminal output:

    Code:
    PASYMS  arch/x86/realmode/rm/pasyms.h
      LDS     arch/x86/realmode/rm/realmode.lds
      LD      arch/x86/realmode/rm/realmode.elf
      RELOCS  arch/x86/realmode/rm/realmode.relocs
      OBJCOPY arch/x86/realmode/rm/realmode.bin
      AS      arch/x86/realmode/rmpiggy.o
      LD      arch/x86/realmode/built-in.o
      LD      arch/x86/built-in.o
    make[2]: *** No rule to make target 'debian/certs/benh@debian.org.cert.pem', needed by 'certs/x509_certificate_list'.  Stop.
    make[2]: *** Waiting for unfinished jobs....
      CC      certs/system_keyring.o
      CC      kernel/kprobes.o
    Makefile:956: recipe for target 'certs' failed
    make[1]: *** [certs] Error 2
    make[1]: *** Waiting for unfinished jobs....
      CC      kernel/hung_task.o
      CC      kernel/seccomp.o
      CC      kernel/watchdog.o
      CC      kernel/relay.o
      CC      kernel/utsname_sysctl.o
      CC      kernel/delayacct.o
      CC      kernel/tsacct.o
      CC      kernel/taskstats.o
      CC      kernel/elfcore.o
      CC      kernel/irq_work.o
      CC      kernel/user-return-notifier.o
      CC      kernel/padata.o
      CC      kernel/crash_dump.o
      CC      kernel/jump_label.o
      CC      kernel/membarrier.o
      CC      kernel/memremap.o
      LD      kernel/built-in.o
    make[1]: Leaving directory '/home/user/Downloads/linux-4.5.3'
    debian/ruleset/targets/common.mk:295: recipe for target 'debian/stamp/build/kernel' failed
    make: *** [debian/stamp/build/kernel] Error 2
    
    
     
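    The build above stops at certs/x509_certificate_list because the kernel's certs/Makefile lists the file named by CONFIG_SYSTEM_TRUSTED_KEYS as a prerequisite of that target, and a .config copied from a Debian-built kernel carries Debian's own path there (debian/certs/benh@debian.org.cert.pem), which does not exist in a vanilla linux-4.5.3 tree. The script below is an added example, not from the poster, the linked guide or the kernel sources; it assumes the .config was seeded that way, and rewrites the option to an empty string so the kernel builds with an empty built-in keyring instead of failing. The .config excerpt embedded in it is constructed.

```python
import re
import sys
from pathlib import Path
from typing import Optional, Tuple

# Kconfig string option naming the PEM certificate compiled into the kernel's
# built-in trusted keyring.  certs/Makefile lists that file as a prerequisite
# of certs/x509_certificate_list, so a path that is not in the source tree
# produces exactly the "No rule to make target ... needed by
# 'certs/x509_certificate_list'" failure quoted in the post above.
KEY_OPTION = "CONFIG_SYSTEM_TRUSTED_KEYS"
_LINE_RE = re.compile(r'^(' + KEY_OPTION + r')=(".*")\s*$')

# Constructed excerpt of a .config copied from a Debian-built kernel
# (not the poster's actual file); Debian's config points at its own cert.
SAMPLE_CONFIG = """\
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/benh@debian.org.cert.pem"
CONFIG_MODULE_SIG=y
"""


def trusted_keys_path(config_text: str) -> Optional[str]:
    """Return the PEM path CONFIG_SYSTEM_TRUSTED_KEYS names, or None if the
    option is absent or set to the empty string."""
    for line in config_text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            return m.group(2).strip('"') or None
    return None


def fix_trusted_keys(config_text: str, source_tree: Path) -> Tuple[str, bool]:
    """Rewrite CONFIG_SYSTEM_TRUSTED_KEYS to "" when it names a file that does
    not exist under source_tree, so the kernel builds with an empty built-in
    keyring instead of failing.  Returns (new_text, changed)."""
    path = trusted_keys_path(config_text)
    if path is None or (source_tree / path).is_file():
        return config_text, False
    fixed = [
        f'{KEY_OPTION}=""' if _LINE_RE.match(line) else line
        for line in config_text.splitlines()
    ]
    return "\n".join(fixed) + "\n", True


def fix_config_file(config_path: Path) -> bool:
    """Apply fix_trusted_keys to a .config at the top of a kernel tree."""
    new_text, changed = fix_trusted_keys(config_path.read_text(), config_path.parent)
    if changed:
        config_path.write_text(new_text)
    return changed


if __name__ == "__main__":
    target = Path(sys.argv[1] if len(sys.argv) > 1 else ".config")
    print("rewritten" if fix_config_file(target) else "nothing to do")
```

    Run it from the top of the kernel tree before `make` (python3 fix_trusted_keys.py .config); the kernel's own helper, `scripts/config --set-str SYSTEM_TRUSTED_KEYS ""`, makes the same edit. An empty keyring only drops Debian's certificate as a trust anchor: with CONFIG_MODULE_SIG=y the build still generates its own signing key (CONFIG_MODULE_SIG_KEY) and trusts it, so modules built with this kernel keep loading.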
  14. Amanda

    Cough cough... "officially" coming to Jessie :D The same developer who works on the kernel in Sid had a repo with the same kernel backported to Jessie, but it wasn't present in jessie-backports. Now it is :thumb:

    Any particular reason to do so, considering how easy it is to install from the repo?

    I only compiled the kernel on Debian once, following this tutorial. I had to learn a lot, because the tutorial isn't perfect, but the end result was good.

    Remember that corsac is building the images the way it's meant to be done: with Debian in mind. Most tutorials are pretty generic and may not be optimised for a specific distro. While it's fun to build your own kernel, you're also risking borking the system by using the latest and greatest (it happened in the past; the grsec guys prevented the OS from booting up). So while the images from corsac (the Debian developer) may be a little outdated, they're pretty much your best guarantee of testing and compatibility with Debian :)
     
  15. AutoCascade

    I agree that Mint will never use grsec. I have grsec and apparmor running on Mint now.

    Once you have the Corsac kernel installed on Debian, will it upgrade on its own as new Corsac kernels become available?

    The Debian installer confuses me somewhat. The last time I tried it I couldn't gain root using the same password and user name I set up. I've had better luck with Arch, just that it doesn't come with anything, which I realize is a positive feature for their users: no dead-weight programs, just what's necessary.
     
  16. BoerenkoolMetWorst

    I want to be able to use a grsec kernel with other distros as well.
    I also actually tried the version in the Sid repo, but I'm even unable to log in via terminal (with Ctrl+Alt+F2). Multiple things are shown as blocked by grsec.
    Today I successfully compiled and installed the grsec kernel, and I could successfully log in. Though "Return to function (memcpy, PIE)" and "Return to function (memcpy)" are still shown as vulnerable.
     
  17. Amanda

    If you read >this post< you'll see that the Debian grsec is more secure by default, so it doesn't let you run binaries from untrusted directories :D (and yes, that includes /usr/bin). That post also has a link to my GitHub repo where I specify how to properly run grsec on a Debian desktop PC. It needs just a little change ATM, one or two lines (already edited), but that's really easy to do. Thankfully for most people here, I'm testing things so they don't break their systems, and just giving the correct commands ;)

    Code:
    wget https://www.grsecurity.net/paxctld/paxctld_1.1-1_amd64.deb
    dpkg -i paxctld_1.1-1_amd64.deb

    Then, edit /etc/paxctld.conf and add the following:

    Code:
    /usr/lib/iceweasel/iceweasel    pm
    /usr/lib/iceweasel/plugin-container     m
    /usr/bin/iceweasel
    Or, you know, the program you're trying to run.

    Then, just enable the paxctld service so it can read the configuration we just edited:
    Code:
    systemctl start paxctld
    systemctl enable paxctld
    I noticed you couldn't log in with the graphical environment. That's because you're not in the grsec-tpe group. See my posts above to learn how to add your users to that group, and how to properly create that group if it doesn't exist.

    PS: I just installed Debian Jessie and installed the grsec kernel image from jessie-backports, and the group was automatically created.

    That's probably because the secure configurations that Debian uses are not present ;) A lot will pass through.

     
    Last edited: May 12, 2016
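    The two exception files used in this thread carry the same data in two layouts: the Arch paxd.conf listing in post 12 is `flags /path`, the paxctld.conf lines in the post above are `/path flags`, and in both a lower-case letter disables the named PaX feature for that binary while upper case forces it on. The script below is an added example (not from either poster, and not part of paxd or paxctld): it parses the `flags /path` form, rejects malformed or duplicate rules, shows which protections each rule gives up, so that `pemrs` (the wine-preloader rules) is visibly a complete PaX opt-out while `em` only drops MPROTECT and EMUTRAMP, and emits the rules in paxctld.conf layout. The sample configuration it embeds is constructed from a few of the posted rules plus two deliberately broken lines.

```python
import sys
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# PaX feature letters shared by paxd.conf and paxctld.conf.  A lower-case
# letter disables the feature for the binary, upper case forces it on.
FEATURES = {"p": "PAGEEXEC", "e": "EMUTRAMP", "m": "MPROTECT",
            "r": "RANDMMAP", "s": "SEGMEXEC"}
NX_FEATURES = {"PAGEEXEC", "SEGMEXEC"}

# Constructed input: a few rules from the listing in post 12 plus two
# deliberately broken lines (unknown flag, duplicate path).  Not a real file.
SAMPLE_PAXD_CONF = """\
# flags /path/to/executable
em    /usr/bin/python3
pem   /usr/lib/firefox/firefox
em    /usr/lib/firefox/plugin-container
pemrs /usr/bin/wine-preloader
E     /usr/bin/make
xm    /usr/bin/bogus
em    /usr/bin/python3
"""


class Rule(NamedTuple):
    flags: str
    path: str
    lineno: int


def validate_flags(flags: str) -> Optional[str]:
    """Return an error message, or None when the flag string is well formed."""
    if not flags:
        return "empty flag string"
    seen: Set[str] = set()
    for ch in flags:
        low = ch.lower()
        if low not in FEATURES:
            return f"unknown flag {ch!r}"
        if low in seen:
            return f"flag {low!r} given twice"
        seen.add(low)
    return None


def parse_paxd_conf(text: str) -> Tuple[List[Rule], List[str]]:
    """Parse `flags /absolute/path` lines (paxd.conf layout).  Comments and
    blank lines are skipped; malformed flags, relative paths and duplicate
    paths are reported in the returned problem list and left out of rules."""
    rules: List[Rule] = []
    problems: List[str] = []
    first_seen: Dict[str, int] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[1].startswith("/"):
            problems.append(f"line {lineno}: expected 'flags /path', got {raw!r}")
            continue
        flags, path = parts
        err = validate_flags(flags)
        if err:
            problems.append(f"line {lineno}: {err}")
        elif path in first_seen:
            problems.append(f"line {lineno}: duplicate rule for {path} "
                            f"(first on line {first_seen[path]})")
        else:
            first_seen[path] = lineno
            rules.append(Rule(flags, path, lineno))
    return rules, problems


def disabled_features(flags: str) -> Set[str]:
    """PaX features the rule switches off (the lower-case letters)."""
    return {FEATURES[c] for c in flags if c.islower()}


def weakest_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that disable PAGEEXEC or SEGMEXEC: the process gets writable and
    executable memory back, far more than an MPROTECT-only exception gives up."""
    return [r for r in rules if disabled_features(r.flags) & NX_FEATURES]


def to_paxctld_conf(rules: List[Rule]) -> str:
    """Emit the same exceptions in paxctld.conf layout: `/path flags`."""
    width = max((len(r.path) for r in rules), default=0)
    return "".join(f"{r.path.ljust(width)}  {r.flags}\n" for r in rules)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PAXD_CONF
    rules, problems = parse_paxd_conf(text)
    for p in problems:
        print("#", p, file=sys.stderr)
    for r in weakest_rules(rules):
        print(f"# review: {r.path} disables {sorted(disabled_features(r.flags))}",
              file=sys.stderr)
    print(to_paxctld_conf(rules), end="")
```

    Feed it the listing from post 12 (python3 pax_rules.py paxd.conf > paxctld.conf) and look at every rule `weakest_rules` reports before installing the result as /etc/paxctld.conf: an exception that disables PAGEEXEC or SEGMEXEC hands that process writable and executable memory, the condition the "Executable ..." lines of paxtest exist to catch, so it should be reserved for binaries such as wine that cannot run any other way.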
  18. Amanda

    Cool. Does it run fine? Could you install "paxtest" and see if all mitigations are properly being done? The output should be something like this:

    Code:
    root@amarildo:~# paxtest blackhat
    PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
    Released under the GNU Public Licence version 2 or later
    
    Writing output to /root/paxtest.log
    It may take a while for the tests to complete
    Test results:
    PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
    Released under the GNU Public Licence version 2 or later
    
    Mode: Blackhat
    Linux amarildo 4.4.0-1-grsec-amd64 #1 SMP Debian 4.4.8-1+grsec201604252206+1~bpo8+1 (2016-05-03) x86_64 GNU/Linux
    
    Executable anonymous mapping             : Killed
    Executable bss                           : Killed
    Executable data                          : Killed
    Executable heap                          : Killed
    Executable stack                         : Killed
    Executable shared library bss            : Killed
    Executable shared library data           : Killed
    Executable anonymous mapping (mprotect)  : Killed
    Executable bss (mprotect)                : Killed
    Executable data (mprotect)               : Killed
    Executable heap (mprotect)               : Killed
    Executable stack (mprotect)              : Killed
    Executable shared library bss (mprotect) : Killed
    Executable shared library data (mprotect): Killed
    Writable text segments                   : Killed
    Anonymous mapping randomisation test     : 28 bits (guessed)
    Heap randomisation test (ET_EXEC)        : 22 bits (guessed)
    Heap randomisation test (PIE)            : 35 bits (guessed)
    Main executable randomisation (ET_EXEC)  : 28 bits (guessed)
    Main executable randomisation (PIE)      : 28 bits (guessed)
    Shared library randomisation test        : 28 bits (guessed)
    Stack randomisation test (SEGMEXEC)      : 35 bits (guessed)
    Stack randomisation test (PAGEEXEC)      : 35 bits (guessed)
    Arg/env randomisation test (SEGMEXEC)    : 39 bits (guessed)
    Arg/env randomisation test (PAGEEXEC)    : 39 bits (guessed)
    Randomization under memory exhaustion @~0: 28 bits (guessed)
    Randomization under memory exhaustion @0 : 28 bits (guessed)
    Return to function (strcpy)              : paxtest: return address contains a NULL byte.
    Return to function (memcpy)              : Killed
    Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
    Return to function (memcpy, PIE)         : Killed
    
    root@amarildo:~# 
    
    Obviously, it's a repo like any other :p
    Right now you only need to add the "jessie-backports" repo and install everything from there. Corsac (the Debian developer) has his kernels there now.

    That is weird. I've been using Debian since 2006 and never noticed this problem, only when I actually type the wrong passphrase while installing :p
    Did you enable "allow login as root"? Because if you did, your user will NOT be added to the "sudo" group and therefore you won't be able to use sudo until you add your user to the sudo group.
     
  19. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    I'm going to spend some time today looking at their installer and see what I'm doing wrong. It asks for a user and password twice. While the user name I used was slightly different for the two, the last time I tried I used the same password for both. I tried both user names with the same password.

    I would rather be on Debian so I'm going to do more looking around and try it again.
     
  20. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    I never enabled mprotect because the settings guide I used said it would break X but the guide is a few years old so maybe I need to do this over again. It's just the one setting 'restrict mprotect'? Is it the same setting to kill 'Writable text segments'?

    Linux opm1 4.5.2-grsec #1 SMP Fri Apr 29 17:03:26 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux

    Executable anonymous mapping             : Killed
    Executable bss                           : Killed
    Executable data                          : Killed
    Executable heap                          : Killed
    Executable stack                         : Killed
    Executable shared library bss            : Killed
    Executable shared library data           : Killed
    Executable anonymous mapping (mprotect)  : Vulnerable
    Executable bss (mprotect)                : Vulnerable
    Executable data (mprotect)               : Vulnerable
    Executable heap (mprotect)               : Vulnerable
    Executable stack (mprotect)              : Vulnerable
    Executable shared library bss (mprotect) : Vulnerable
    Executable shared library data (mprotect): Vulnerable
    Writable text segments                   : Vulnerable
    Anonymous mapping randomisation test     : 28 bits (guessed)
    Heap randomisation test (ET_EXEC)        : 23 bits (guessed)
    Heap randomisation test (PIE)            : 35 bits (guessed)
    Main executable randomisation (ET_EXEC)  : 25 bits (guessed)
    Main executable randomisation (PIE)      : 25 bits (guessed)
    Shared library randomisation test        : 25 bits (guessed)
    Stack randomisation test (SEGMEXEC)      : 35 bits (guessed)
    Stack randomisation test (PAGEEXEC)      : 35 bits (guessed)
    Arg/env randomisation test (SEGMEXEC)    : 39 bits (guessed)
    Arg/env randomisation test (PAGEEXEC)    : 39 bits (guessed)
    Randomization under memory exhaustion @~0: 28 bits (guessed)
    Randomization under memory exhaustion @0 : 28 bits (guessed)
    Return to function (strcpy)              : paxtest: return address contains a NULL byte.
    Return to function (memcpy)              : Killed
    Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
    Return to function (memcpy, PIE)         : Killed
     
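    A small audit helper for the question in the post above, added here and not part of paxtest, grsecurity or this thread: it parses paxtest output in the layout quoted in the two results and groups every failing test by the PaX feature that decides it, so the "(mprotect)" rows and "Writable text segments" all land under MPROTECT. The sample lines are constructed from the second result above, and the 28-bit randomisation floor is an assumption of this script.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the layout paxtest prints, copied
# from the second result quoted in the thread (not the complete output).
SAMPLE = """\
Executable anonymous mapping : Killed
Executable bss : Killed
Executable anonymous mapping (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Writable text segments : Vulnerable
Anonymous mapping randomisation test : 28 bits (guessed)
Main executable randomisation (ET_EXEC) : 25 bits (guessed)
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : Killed
"""

LINE = re.compile(r"^(?P<name>.+?)\s*:\s*(?P<result>.+?)\s*$")
BITS = re.compile(r"(\d+) bits")

def feature_for(name):
    """Name the PaX feature whose state decides a given paxtest test."""
    if "(mprotect)" in name or name.startswith("Writable text"):
        return "MPROTECT"
    if name.startswith("Executable"):
        return "NOEXEC (PAGEEXEC/SEGMEXEC)"
    if "random" in name.lower():
        return "ASLR (RANDMMAP/RANDUSTACK)"
    return "other"

def parse_paxtest(text, min_bits=28):
    """Return {feature: [(test, result), ...]} for every test that failed.
    'Killed' and the NULL-byte message are passes, 'Vulnerable' is a failure,
    and a randomisation test fails below min_bits (28 is an assumed floor,
    roughly what the grsec kernel quoted earlier reports for mmap)."""
    failures = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner, uname line, blank line
        name, result = m.group("name"), m.group("result")
        bits = BITS.search(result)
        failed = int(bits.group(1)) < min_bits if bits else result == "Vulnerable"
        if failed:
            failures[feature_for(name)].append((name, result))
    return dict(failures)

def mprotect_enforced(text):
    """True when no MPROTECT-governed test reported Vulnerable."""
    return "MPROTECT" not in parse_paxtest(text)
```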
  21. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Sorry, I don't remember anymore. But mprotect doesn't break X, don't worry :D

    I see your Kernel is still very vulnerable.
     
  22. kinder2

    kinder2 Registered Member

    Joined:
    Aug 17, 2015
    Posts:
    51
    Why doesn't this Corsac man make a full .iso with Grsecurity included by default on the Debian installation?
    I do not feel comfortable installing Grsecurity by commands. I need it on there without any effort or chance of error while installing. The last time I tried to compile Grsecurity in Mint it broke the system and wasted my entire week.
     
  23. kinder2

    kinder2 Registered Member

    Joined:
    Aug 17, 2015
    Posts:
    51
    I installed Debian and looked for grsec in Synaptic; the only match showing is linux-patch-grsecurity2. When I selected it for install it installed a bunch of other things I did not recognize, and there were some errors during install that I ignored. I don't think it worked. Why don't they make it easier to install??
     
  24. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Because it's not his job, and because he is a security researcher that has other things to do?

    Why don't YOU make such ISO? ;)

    Then don't.

    Well that escalated quickly.

    Errors are unlikely to happen.

    I see your reading skills haven't improved since a few months ago.

    You don't need to compile on Debian anymore. Read the thread.

    That's because you haven't read this thread and haven't yet realised you're looking at the wrong repositories.

    Easier than opening Synaptic, searching for "grsec" and installing it?
     
  25. kinder2

    kinder2 Registered Member

    Joined:
    Aug 17, 2015
    Posts:
    51
    I added jessie-backports repository to Synaptic.
    Now I can see the grsec patch in Synaptic.
    But when I mark it for install, it won't let me; it says to fix broken packages first.
    This is another waste of time.
     