sudo apt-get install build-essential libncurses5-dev gcc-4.8-plugin-dev libssl-dev

That needs to be on Mint, and I assume on Ubuntu, for the script to complete.
Download it, add that libncurses5-dev gcc-4.8-plugin-dev libssl-dev, as root open the bin folder and run it in a terminal. It doesn't finish the install, but it always creates the grsec kernel. I end up running the script sometimes 2-3 times before it works, but the kernel is built; it just has to be installed.
Access the extracted file as root, go to bin, and under bin there is a start script too. There are only two options, 1, and the answer has to be Y; then it starts running. If it works correctly it'll say phase 1 ok, then after a long time it starts to remove the install script and creates a .deb file of a grsec kernel that installs on reboot. Mint anyway is missing this, needed for Grsec: sudo apt-get install build-essential libncurses5-dev gcc-4.8-plugin-dev libssl-dev
A big extra, for me, has been having to use the terminal to do everything. It screws up all the GUI, so I'm forced to use the terminal for everything, so I'm learning everything now.
There's no need to manually compile the Kernel on Debian. Debian Sid/Testing already have grsec and all the tools in the repo. Debian Jessie (Stable) has all the tools, and the Kernel is here. The Jessie repo I linked is maintained by the security researcher and Debian developer Corsac, so there's no need for worry and you guys can use it without hesitation.
But you have to remember the target audience for Mint. I don't think Mint developers will make grsec available, because almost all Mint users are regular users who don't even know about grsec or won't care about it anyway, because they just want a more bug-free and secure alternative to Windows. What Mint developers could do is implement some of grsec's features in the Kernel, by default. This would require no effort and no thought from the users. However, given how Mint takes care of security, I seriously doubt such a thing will be done unless they actually get under attack.
Well I finally got Debian Jessie (stable) with grsec Kernel from Corsac's repo working. https://raw.githubusercontent.com/amarildojr/Debian/master/GRSecurity
Once you have libssl-dev on your system, all you have to do is reboot once it's done. It says it's downloading necessary files, 'installing curl', but it doesn't always do that; when that's the case the script just stops. I had to see what was missing by trying to compile it manually once. I download it, extract it, open as root, make my way to the script (home/user/Desktop/Downloads/grsecurity-Debian-Installer-master/usr/bin), open in terminal; it downloads the kernel, downloads the latest patch, patches the kernel, cleans up, compiles and creates a .deb file that installs as the new kernel after reboot. If it reaches 'phase 2' the new kernel is compiling. If it fails, the patched kernel is still right there waiting to be compiled and installed. It installs in /usr/src/, creates a couple of folders and the .deb file. It's pretty amazing really.
Hello, I am just wondering if one also needs to:
1. Add the Jessie backports repo to /etc/apt/sources.list
2. Update initrd.img
The reason for question #2 is that some weeks ago I installed a backported kernel, 4.3-ish. After reboot, my PC still booted into the default kernel 3.16. Wondering if I failed to do #2 (just don't know how). I am running Jessie 8.4 AMD64 version. Any suggestions? Thanks for your help.
Yes, but you only need to install the Kernel from backports. All the other tools, with the exception of paxctld, are in jessie's main repo. I highly recommend you to install paxctld as noted in that file you linked.

It should automatically update everything to load the new Kernel automatically. You don't need to manually update the initrd.img.

It's possible. Nevertheless, once you reboot you'll be presented with GRUB. Don't let GRUB load, click (down) at "Advanced options for Debian etc", and select the kernel image you want to load. Once you boot with the image you want, it should be automatically loaded on every boot.

Yes. Debian's GRSec is very well built and very secure. It's so secure you won't even be able to boot into graphical mode if you use sddm or lightdm. I think that's because corsac builds the Kernel mainly for server use. With that in mind, you'll probably want to do the following:
- add your user to the "grsec-tpe" group; if that group doesn't exist, create it, add your user to it, and set its GID to 200 (probably not necessary, test without the group first);
- make a backup copy of "/etc/sysctl.d/grsec.conf";
- edit the file;
- edit the TPE section as below:

Code:
#
# Trusted Path Execution
#
# tpe_gid: tpe group
#
#kernel.grsecurity.tpe = 1
kernel.grsecurity.tpe_gid = 200
#kernel.grsecurity.tpe_invert = 1
kernel.grsecurity.tpe_restrict_all = 1

This will loosen up the Kernel a bit, allowing for an easier use overall. This is how Arch Linux handles the TPE section. If you don't want a more loosened Kernel, keep the TPE section intact (and so the grsec.conf file) and follow the file you linked (this also means setting the grsec-tpe group with GID 64040). But you WILL have to add pax exceptions for almost every program you use. Either use attr for that (see here for instructions), or edit /etc/paxd.conf. Here's a good start:

Code:
# This file contains a list of exceptions to be applied by paxd. Empty lines
# are ignored and comments can be written by starting a line with `#`. The
# format of other lines is `flags /path/to/executable`.
#
# Exceptions will be applied on start-up and then again as-needed when the
# configuration file or the executables are replaced.
#
# A lowercase letter disables a feature, and an uppercase letter enables it.
#
# The following features are available:
#
# * P(AGEEXEC) <https://pax.grsecurity.net/docs/pageexec.txt>
# * E(MUTRAMP) <https://pax.grsecurity.net/docs/emutramp.txt>
# * M(PROTECT) <https://pax.grsecurity.net/docs/mprotect.txt>
# * R(ANDMMAP) <https://pax.grsecurity.net/docs/randmmap.txt>
# * S(EGMEXEC) <https://pax.grsecurity.net/docs/segmexec.txt>
#
# The default flags are `PeMRs` with softmode=0 and `pemrs` with softmode=1.
#
# An exception without an explicit EMUTRAMP flag will enable EMUTRAMP, so most
# rules should include `e`.

em /opt/brackets/Brackets
em /opt/dropbox/dropbox
em /opt/LightTable/ltbin
em /opt/mendeleydesktop/lib/mendeleydesktop/libexec/mendeleydesktop.x86_64
em /opt/mendeleydesktop/lib/mendeleydesktop/libexec/mendeleydesktop.i486
em /opt/SpiderOak/lib/SpiderOak
em /opt/telegram/Telegram
em /opt/urbanterror/urbanterror
em /opt/visual-studio-code/Code
em /opt/VSCode/Code
em /usr/bin/avogadro
em /usr/bin/blender
em /usr/bin/btsync
em /usr/bin/cabal
em /usr/bin/copyq
em /usr/bin/cutegram
em /usr/bin/dolphin-emu
em /usr/bin/dosbox
em /usr/bin/gendesk
em /usr/bin/ghb
em /usr/bin/glxdemo
em /usr/bin/glxgears
em /usr/bin/glxinfo
em /usr/bin/glxspheres
em /usr/bin/gnucash
em /usr/bin/goldendict
em /usr/bin/HandBrakeCLI
em /usr/bin/hhvm
em /usr/bin/inkscape
em /usr/bin/konstruktor
em /usr/bin/liferea
em /usr/bin/lli
em /usr/bin/love
em /usr/bin/love08
emr /usr/bin/luajit
E /usr/bin/make
em /usr/bin/minitube
em /usr/bin/mono
em /usr/bin/mono-sgen
em /usr/bin/mplayer
em /usr/bin/mumble
em /usr/bin/node
em /usr/bin/nvim
em /usr/bin/obex-data-server
em /usr/bin/quassel
em /usr/bin/quasselcore
em /usr/bin/racket
emr /usr/bin/sbcl
em /usr/bin/scheme
em /usr/bin/sddm-greeter
em /usr/bin/sigil
em /usr/bin/smplayer
em /usr/bin/spicec
em /usr/bin/stellarium
em /usr/bin/systemsettings
em /usr/bin/tcc
em /usr/bin/texmaker
em /usr/bin/texstudio
em /usr/bin/trojita
em /usr/bin/vbetool
em /usr/bin/vim
em /usr/bin/vlc
emr /usr/lib/couchdb/bin/couchjs
em /usr/lib/kodi/kodi.bin
em /usr/lib/libreoffice/program/soffice.bin
em /usr/lib/racket/gracket
em /usr/share/atom/atom
em /usr/share/atom/resources/app/apm/bin/node

# GCC (precompiled headers)
er /usr/lib/gcc/i686-pc-linux-gnu/5.3.0/cc1
er /usr/lib/gcc/i686-pc-linux-gnu/5.3.0/cc1plus
er /usr/lib/gcc/x86_64-unknown-linux-gnu/5.3.0/cc1
er /usr/lib/gcc/x86_64-unknown-linux-gnu/5.3.0/cc1plus

# Popcorn Time
em /opt/popcorntime-bin/Popcorn-Time
em /usr/lib/popcorntime/Popcorn-Time

# p11-kit (libffi)
E /usr/bin/p11-kit
E /usr/bin/trust

# p7zip
em /usr/lib/p7zip/7z
em /usr/lib/p7zip/7zFM
em /usr/lib/p7zip/7zG
em /usr/lib/p7zip/7za
em /usr/lib/p7zip/7zr

# clamav
em /usr/bin/clamd
em /usr/bin/clamscan
em /usr/bin/freshclam

# cinnamon/gnome/gtk (mostly caused by gjs and webkitgtk)
em /usr/bin/cheese
em /usr/bin/cinnamon
emr /usr/bin/cjs-console
em /usr/bin/empathy
em /usr/bin/empathy-accounts
em /usr/bin/gdk-pixbuf-query-loaders
em /usr/bin/gdk-pixbuf-query-loaders-32
em /usr/bin/geary
em /usr/bin/gitg
em /usr/bin/gjs-console
em /usr/bin/gnome-control-center
em /usr/bin/gnome-maps
em /usr/bin/gnome-shell
em /usr/bin/gnome-shell-extension-prefs
em /usr/bin/gnome-web-photo
em /usr/bin/gtk-query-immodules-2.0
em /usr/bin/gtk-query-immodules-2.0-32
em /usr/bin/gtk-query-immodules-3.0
em /usr/bin/gtk-query-immodules-3.0-32
em /usr/bin/seahorse
em /usr/bin/seed
em /usr/bin/yelp
em /usr/lib/empathy/empathy-auth-client
em /usr/lib/empathy/empathy-call
em /usr/lib/empathy/empathy-chat
em /usr/lib/gstreamer-1.0/gst-plugin-scanner
emr /usr/lib/nemo-preview/nemo-preview-start
em /usr/lib/sushi/sushi-start
em /usr/lib/webkit2gtk-4.0/WebKitWebProcess
em /usr/lib/webkitgtk/WebKitWebProcess

# grub
emr /usr/bin/grub-bios-setup
em /usr/bin/grub-probe
er /usr/bin/grub-script-check

# python
em /usr/bin/python2
em /usr/bin/python3
em /opt/pypy/bin/pypy-c
em /opt/pypy3/bin/pypy-c

# Java 6
em /usr/lib/jvm/java-6-openjdk/bin/java
em /usr/lib/jvm/java-6-openjdk/bin/javac
em /usr/lib/jvm/java-6-openjdk/jre/bin/java

# Java 7 JRE
em /usr/lib/jvm/java-7-openjdk/jre/bin/java
em /usr/lib/jvm/java-7-openjdk/jre/bin/keytool
em /usr/lib/jvm/java-7-openjdk/jre/bin/orbd
em /usr/lib/jvm/java-7-openjdk/jre/bin/pack200
em /usr/lib/jvm/java-7-openjdk/jre/bin/policytool
em /usr/lib/jvm/java-7-openjdk/jre/bin/rmid
em /usr/lib/jvm/java-7-openjdk/jre/bin/rmiregistry
em /usr/lib/jvm/java-7-openjdk/jre/bin/servertool
em /usr/lib/jvm/java-7-openjdk/jre/bin/tnameserv

# Java 7 JDK
em /usr/lib/jvm/java-7-openjdk/bin/appletviewer
em /usr/lib/jvm/java-7-openjdk/bin/apt
em /usr/lib/jvm/java-7-openjdk/bin/extcheck
em /usr/lib/jvm/java-7-openjdk/bin/idlj
em /usr/lib/jvm/java-7-openjdk/bin/jar
em /usr/lib/jvm/java-7-openjdk/bin/jarsigner
em /usr/lib/jvm/java-7-openjdk/bin/javac
em /usr/lib/jvm/java-7-openjdk/bin/javadoc
em /usr/lib/jvm/java-7-openjdk/bin/javah
em /usr/lib/jvm/java-7-openjdk/bin/javap
em /usr/lib/jvm/java-7-openjdk/bin/jcmd
em /usr/lib/jvm/java-7-openjdk/bin/jconsole
em /usr/lib/jvm/java-7-openjdk/bin/jdb
em /usr/lib/jvm/java-7-openjdk/bin/jhat
em /usr/lib/jvm/java-7-openjdk/bin/jinfo
em /usr/lib/jvm/java-7-openjdk/bin/jmap
em /usr/lib/jvm/java-7-openjdk/bin/jps
em /usr/lib/jvm/java-7-openjdk/bin/jrunscript
em /usr/lib/jvm/java-7-openjdk/bin/jsadebugd
em /usr/lib/jvm/java-7-openjdk/bin/jstack
em /usr/lib/jvm/java-7-openjdk/bin/jstat
em /usr/lib/jvm/java-7-openjdk/bin/jstatd
em /usr/lib/jvm/java-7-openjdk/bin/native2ascii
em /usr/lib/jvm/java-7-openjdk/bin/rmic
em /usr/lib/jvm/java-7-openjdk/bin/schemagen
em /usr/lib/jvm/java-7-openjdk/bin/serialver
em /usr/lib/jvm/java-7-openjdk/bin/wsgen
em /usr/lib/jvm/java-7-openjdk/bin/wsimport
em /usr/lib/jvm/java-7-openjdk/bin/xjc

# Java 8 JRE
em /usr/lib/jvm/java-8-openjdk/jre/bin/java
em /usr/lib/jvm/java-8-openjdk/jre/bin/jjs
em /usr/lib/jvm/java-8-openjdk/jre/bin/keytool
em /usr/lib/jvm/java-8-openjdk/jre/bin/orbd
em /usr/lib/jvm/java-8-openjdk/jre/bin/pack200
em /usr/lib/jvm/java-8-openjdk/jre/bin/rmid
em /usr/lib/jvm/java-8-openjdk/jre/bin/rmiregistry
em /usr/lib/jvm/java-8-openjdk/jre/bin/servertool
em /usr/lib/jvm/java-8-openjdk/jre/bin/tnameserv

# Java 8 JDK
em /usr/lib/jvm/java-8-openjdk/bin/appletviewer
em /usr/lib/jvm/java-8-openjdk/bin/extcheck
em /usr/lib/jvm/java-8-openjdk/bin/idlj
em /usr/lib/jvm/java-8-openjdk/bin/jar
em /usr/lib/jvm/java-8-openjdk/bin/jarsigner
em /usr/lib/jvm/java-8-openjdk/bin/javac
em /usr/lib/jvm/java-8-openjdk/bin/javadoc
em /usr/lib/jvm/java-8-openjdk/bin/javah
em /usr/lib/jvm/java-8-openjdk/bin/javap
em /usr/lib/jvm/java-8-openjdk/bin/jcmd
em /usr/lib/jvm/java-8-openjdk/bin/jconsole
em /usr/lib/jvm/java-8-openjdk/bin/jdb
em /usr/lib/jvm/java-8-openjdk/bin/jdeps
em /usr/lib/jvm/java-8-openjdk/bin/jhat
em /usr/lib/jvm/java-8-openjdk/bin/jinfo
em /usr/lib/jvm/java-8-openjdk/bin/jmap
em /usr/lib/jvm/java-8-openjdk/bin/jps
em /usr/lib/jvm/java-8-openjdk/bin/jrunscript
em /usr/lib/jvm/java-8-openjdk/bin/jsadebugd
em /usr/lib/jvm/java-8-openjdk/bin/jstack
em /usr/lib/jvm/java-8-openjdk/bin/jstat
em /usr/lib/jvm/java-8-openjdk/bin/jstatd
em /usr/lib/jvm/java-8-openjdk/bin/native2ascii
em /usr/lib/jvm/java-8-openjdk/bin/rmic
em /usr/lib/jvm/java-8-openjdk/bin/schemagen
em /usr/lib/jvm/java-8-openjdk/bin/serialver
em /usr/lib/jvm/java-8-openjdk/bin/wsgen
em /usr/lib/jvm/java-8-openjdk/bin/wsimport
em /usr/lib/jvm/java-8-openjdk/bin/xjc

# Qt
em /usr/bin/designer-qt4
em /usr/bin/qtcreator-bin
em /usr/lib/qt/bin/designer
em /usr/lib/qt/bin/qml
em /usr/lib/qt/bin/qmlviewer

# kde
em /usr/bin/akonadi_archivemail_agent
em /usr/bin/akonadi_followupreminder_agent
em /usr/bin/akonadi_imap_resource
em /usr/bin/akonadi_newmailnotifier_agent
em /usr/bin/akonadi_mailfilter_agent
em /usr/bin/akonadi_sendlater_agent
em /usr/bin/akonadiconsole
em /usr/bin/akregator
em /usr/bin/baloo_file
em /usr/bin/baloo_file_cleaner
em /usr/bin/blogilo
em /usr/bin/kalzium
em /usr/bin/kamoso
em /usr/bin/kate
em /usr/bin/kdeinit4
em /usr/bin/kdeinit5
em /usr/bin/kdenlive
em /usr/bin/kdevelop
em /usr/bin/kmail
em /usr/bin/knetwalk
em /usr/bin/knode
em /usr/bin/knotify4
em /usr/bin/kolourpaint
em /usr/bin/kontact
em /usr/bin/kreversi
em /usr/bin/krunner
em /usr/bin/ksmserver
em /usr/bin/ksplashqml
em /usr/bin/kwin
em /usr/bin/kwin_gles
em /usr/bin/kwin_x11
em /usr/bin/marble
em /usr/bin/marble-qt
em /usr/bin/muon-discover
em /usr/bin/okular
em /usr/bin/plasmashell
em /usr/bin/storageservicemanager
em /usr/bin/systemsettings5
em /usr/bin/tellico
em /usr/lib/kde4/libexec/drkonqi
em /usr/lib/kde4/libexec/kwin_opengl_test
em /usr/lib/kde4/libexec/kscreenlocker_greet
em /usr/lib/kde4/libexec/ktp-text-ui
em /usr/lib/kscreenlocker_greet

# imagemagick
em /usr/bin/animate
em /usr/bin/compare
em /usr/bin/composite
em /usr/bin/conjure
em /usr/bin/convert
em /usr/bin/display
em /usr/bin/identify
em /usr/bin/import
em /usr/bin/mogrify
em /usr/bin/montage
em /usr/bin/stream

# polkit
em /usr/lib/polkit-1/polkitd

# qemu (user mode emulation)
em /usr/bin/qemu-aarch64
em /usr/bin/qemu-alpha
em /usr/bin/qemu-arm
em /usr/bin/qemu-armeb
em /usr/bin/qemu-cris
em /usr/bin/qemu-i386
em /usr/bin/qemu-m68k
em /usr/bin/qemu-microblaze
em /usr/bin/qemu-microblazeel
em /usr/bin/qemu-mips
em /usr/bin/qemu-mips64
em /usr/bin/qemu-mips64el
em /usr/bin/qemu-mipsel
em /usr/bin/qemu-mipsn32
em /usr/bin/qemu-mipsn32el
em /usr/bin/qemu-or32
em /usr/bin/qemu-ppc
em /usr/bin/qemu-ppc64
em /usr/bin/qemu-ppc64abi32
em /usr/bin/qemu-s390x
em /usr/bin/qemu-sh4
em /usr/bin/qemu-sh4eb
em /usr/bin/qemu-sparc
em /usr/bin/qemu-sparc32plus
em /usr/bin/qemu-sparc64
em /usr/bin/qemu-unicore32
em /usr/bin/qemu-x86_64

# qemu (system emulation)
em /usr/bin/qemu-system-aarch64
em /usr/bin/qemu-system-alpha
em /usr/bin/qemu-system-arm
em /usr/bin/qemu-system-cris
em /usr/bin/qemu-system-i386
em /usr/bin/qemu-system-lm32
em /usr/bin/qemu-system-m68k
em /usr/bin/qemu-system-microblaze
em /usr/bin/qemu-system-microblazeel
em /usr/bin/qemu-system-mips
em /usr/bin/qemu-system-mips64
em /usr/bin/qemu-system-mips64el
em /usr/bin/qemu-system-mipsel
em /usr/bin/qemu-system-moxie
em /usr/bin/qemu-system-or32
em /usr/bin/qemu-system-ppc
em /usr/bin/qemu-system-ppc64
em /usr/bin/qemu-system-ppcemb
em /usr/bin/qemu-system-s390x
em /usr/bin/qemu-system-sh4
em /usr/bin/qemu-system-sh4eb
em /usr/bin/qemu-system-sparc
em /usr/bin/qemu-system-sparc64
em /usr/bin/qemu-system-unicore32
em /usr/bin/qemu-system-x86_64
em /usr/bin/qemu-system-xtensa
em /usr/bin/qemu-system-xtensaeb

# VirtualBox
em /usr/lib/virtualbox/VBoxBalloonCtrl
em /usr/lib/virtualbox/VBoxHeadless
em /usr/lib/virtualbox/VBoxManage
em /usr/lib/virtualbox/VBoxNetAdpCtl
em /usr/lib/virtualbox/VBoxNetDHCP
em /usr/lib/virtualbox/VBoxSDL
em /usr/lib/virtualbox/VBoxSVC
em /usr/lib/virtualbox/VBoxTunctl
em /usr/lib/virtualbox/VBoxTestOGL
em /usr/lib/virtualbox/VBoxXPCOMIPCD
em /usr/lib/virtualbox/VirtualBox

# valgrind
em /usr/bin/valgrind
em /usr/lib/valgrind/cachegrind-amd64-linux
em /usr/lib/valgrind/cachegrind-x86-linux
em /usr/lib/valgrind/callgrind-amd64-linux
em /usr/lib/valgrind/callgrind-x86-linux
em /usr/lib/valgrind/drd-amd64-linux
em /usr/lib/valgrind/drd-x86-linux
em /usr/lib/valgrind/exp-bbv-amd64-linux
em /usr/lib/valgrind/exp-bbv-x86-linux
em /usr/lib/valgrind/exp-dhat-amd64-linux
em /usr/lib/valgrind/exp-dhat-x86-linux
em /usr/lib/valgrind/exp-sgcheck-amd64-linux
em /usr/lib/valgrind/exp-sgcheck-x86-linux
em /usr/lib/valgrind/helgrind-amd64-linux
em /usr/lib/valgrind/helgrind-x86-linux
em /usr/lib/valgrind/lackey-amd64-linux
em /usr/lib/valgrind/lackey-x86-linux
em /usr/lib/valgrind/massif-amd64-linux
em /usr/lib/valgrind/massif-x86-linux
em /usr/lib/valgrind/memcheck-amd64-linux
em /usr/lib/valgrind/memcheck-x86-linux
em /usr/lib/valgrind/none-amd64-linux
em /usr/lib/valgrind/none-x86-linux

# ruby
em /usr/bin/rbx
em /usr/bin/ruby

# skype
em /usr/lib/skype/skype
em /usr/lib32/skype/skype

# steam
em /usr/lib32/ld-linux.so.2

# standalone SpiderMonkey
emr /usr/bin/js
em /usr/bin/js17
em /usr/bin/js24

# xul-based web browsers and other applications
pem /usr/lib/aurora/aurora
em /usr/lib/aurora/plugin-container
pem /usr/lib/firefox/firefox
em /usr/lib/firefox/plugin-container
pem /usr/lib/firefox-developer-edition/firefox
em /usr/lib/firefox-developer-edition/plugin-container
pem /usr/lib/iceweasel/iceweasel
em /usr/lib/iceweasel/plugin-container
em /usr/lib/seamonkey/seamonkey
em /usr/lib/seamonkey/plugin-container
pem /usr/lib/thunderbird/thunderbird
em /usr/lib/thunderbird/plugin-container
em /usr/lib/xulrunner-38.0.1/xulrunner
em /usr/lib/xulrunner-38.0.1/plugin-container
pem /usr/lib32/bin32-firefox/firefox32
em /usr/lib32/bin32-firefox/plugin-container

# web browsers
em /usr/bin/arora
em /usr/bin/dwb
emr /usr/bin/elinks
em /usr/bin/epiphany
em /usr/bin/konqueror
em /usr/bin/luakit
em /usr/bin/midori
em /usr/bin/otter-browser
em /usr/bin/qupzilla
em /usr/bin/rekonq
em /usr/bin/surf
em /usr/bin/uzbl-core
em /usr/lib/chromium/chromium
pems /usr/lib/chromium/nacl_helper
em /usr/lib/opera/opera
em /usr/lib/opera/pluginwrapper/operapluginwrapper-native

# wine
pemrs /usr/bin/wine-preloader
pemrs /usr/bin/wine64-preloader

# teamviewer
em /opt/teamviewer/tv_bin/teamviewerd
em /opt/teamviewer/tv_bin/wine/bin/wine-preloader

# spotify
em /usr/bin/spotify
em /usr/share/spotify/spotify
em /usr/share/spotify/spotify-client/Data/SpotifyHelper

I wouldn't use the "em" flag on most of these, because it's not necessary and it reduces the security a bit. Change every "em" to just "m" (without quotes) and see if your programs work (all my programs work with just 'm').
Nice to see it coming to Jessie. I'm trying to compile my own GRsec kernel with this guide: (https://micahflee.com/2016/01/debian-grsecurity/). First I had a fatal error because it couldn't find an openssl folder, but that was fixed by installing the openssl devtools, though now I'm getting an error related to some cert. But I'm not sure what I need to do in order to fix it. This is the last part of the terminal output:

Code:
  PASYMS  arch/x86/realmode/rm/pasyms.h
  LDS     arch/x86/realmode/rm/realmode.lds
  LD      arch/x86/realmode/rm/realmode.elf
  RELOCS  arch/x86/realmode/rm/realmode.relocs
  OBJCOPY arch/x86/realmode/rm/realmode.bin
  AS      arch/x86/realmode/rmpiggy.o
  LD      arch/x86/realmode/built-in.o
  LD      arch/x86/built-in.o
make[2]: *** No rule to make target 'debian/certs/benh@debian.org.cert.pem', needed by 'certs/x509_certificate_list'.  Stop.
make[2]: *** Waiting for unfinished jobs....
  CC      certs/system_keyring.o
  CC      kernel/kprobes.o
Makefile:956: recipe for target 'certs' failed
make[1]: *** [certs] Error 2
make[1]: *** Waiting for unfinished jobs....
  CC      kernel/hung_task.o
  CC      kernel/seccomp.o
  CC      kernel/watchdog.o
  CC      kernel/relay.o
  CC      kernel/utsname_sysctl.o
  CC      kernel/delayacct.o
  CC      kernel/tsacct.o
  CC      kernel/taskstats.o
  CC      kernel/elfcore.o
  CC      kernel/irq_work.o
  CC      kernel/user-return-notifier.o
  CC      kernel/padata.o
  CC      kernel/crash_dump.o
  CC      kernel/jump_label.o
  CC      kernel/membarrier.o
  CC      kernel/memremap.o
  LD      kernel/built-in.o
make[1]: Leaving directory '/home/user/Downloads/linux-4.5.3'
debian/ruleset/targets/common.mk:295: recipe for target 'debian/stamp/build/kernel' failed
make: *** [debian/stamp/build/kernel] Error 2

Cough cough... "officially" coming to Jessie. The same developer who works on the Kernel on Sid had a repo with the same Kernel backported to Jessie, but it wasn't present on jessie-backports. Now it is. Any particular reason to do so, considering how easy it is to install from the repo? I only compiled the Kernel on Debian once, following this tutorial. I had to learn a lot, because the tutorial isn't perfect, but the end result was good. Remember that corsac is building the images the way it's meant to be done: with Debian in mind. Most tutorials are pretty generic and may not be optimised for a specific distro. While it's fun to build your own Kernel, you're also risking borking the system by using the latest and greatest (it happened in the past, the grsec guys prevented the OS from booting up). So while the images from corsac (the Debian developer) may be a little outdated, they're pretty much your best guarantee of testing and compatibility with Debian.
I agree that Mint will never use grsec. I have grsec and AppArmor running on Mint now. Once you have the Corsac kernel installed on Debian, will it upgrade on its own as new Corsac kernels become available? The Debian installer confuses me somewhat. The last time I tried it I couldn't gain root using the same password and user name I set up. I've had better luck with Arch, just that it doesn't come with anything, which I realize is a positive feature for their users: no dead weight programs, just what's necessary.
I want to be able to use a Grsec kernel with other distros as well. I also actually tried the version in the Sid repo, but I'm even unable to login via terminal (with Ctrl+Alt+F2). Multiple things are shown blocked by GRsec. Today I successfully compiled and installed the GRsec kernel, and I could successfully login. Though Return to function (memcpy, PIE) and Return to function (memcpy) are still shown as vulnerable.
If you read >this post< you'll see that the Debian grsec is more secure by default, so it doesn't let you run binaries from untrusted directories (and yes, that includes /usr/bin). That post also has a link to my Github repo where I specify how to properly run grsec on a Debian desktop PC. It needs just a little change ATM, one or two lines (already edited), but that's really easy to do. Thankfully for most people here I'm testing things so they don't break their systems and just giving the correct commands:

wget https://www.grsecurity.net/paxctld/paxctld_1.1-1_amd64.deb
dpkg -i paxctld_1.1-1_amd64.deb

Then, edit /etc/paxctld.conf and add the following:

Code:
/usr/lib/iceweasel/iceweasel pm
/usr/lib/iceweasel/plugin-container m
/usr/bin/iceweasel

Or, you know, the program you're trying to run. Then, just enable the paxctld service so it can read the configuration we just edited:

Code:
systemctl start paxctld
systemctl enable paxctld

I noticed you couldn't login with the graphical environment. That's because you're not in the grsec-tpe group. See my posts above to know how to add your users to that group, and how to properly create that group if it doesn't exist.

PS: I just installed Debian Jessie and installed the grsec kernel image from jessie-backports, and the group was automatically created. That's probably because the secure configurations that Debian uses are not present. A lot will pass through.
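Two exception layouts appear in this thread: paxd.conf (flags, then path, in the long list earlier in the thread) and paxctld.conf (path, then flags, as in the iceweasel lines just above). The following is an added example, not code from the thread, from paxd or from paxctld: it parses both layouts, computes the effective PaX flags against the `PeMRs` hard-mode defaults the paxd.conf header states (including the header's rule that a paxd rule with no explicit EMUTRAMP flag turns EMUTRAMP on), lists which protections each rule switches off, and applies the "change em to m" suggestion from the earlier post. The sample entries are constructed; only the two-field `path flags` form shown in the thread is handled for paxctld.conf, which is an assumption of this example.

```python
"""Audit PaX exception files in paxd.conf or paxctld.conf layout.

Added example, not code from the thread, paxd or paxctld.
The sample input at the bottom is constructed.
"""

FEATURES = {
    "P": "PAGEEXEC",
    "E": "EMUTRAMP",
    "M": "MPROTECT",
    "R": "RANDMMAP",
    "S": "SEGMEXEC",
}
# Hard-mode defaults as stated in the paxd.conf header: uppercase = enabled.
DEFAULT_FLAGS = "PeMRs"
VALID_LETTERS = set("PEMRSpemrs")


def parse_exceptions(text):
    """Return [{lineno, format, path, flags}] for 'flags /path' (paxd) or
    '/path flags' (paxctld) lines; blank lines and '#' comments are skipped.
    Only the two-field form seen in the thread is handled (assumption)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected two fields: {line!r}")
        first, second = parts
        if second.startswith("/"):
            fmt, flags, path = "paxd", first, second
        elif first.startswith("/"):
            fmt, flags, path = "paxctld", second, first
        else:
            raise ValueError(f"line {lineno}: no absolute path: {line!r}")
        unknown = set(flags) - VALID_LETTERS
        if unknown:
            raise ValueError(f"line {lineno}: unknown PaX flag(s) {sorted(unknown)}")
        entries.append({"lineno": lineno, "format": fmt, "path": path, "flags": flags})
    return entries


def effective_flags(flags, fmt="paxd", defaults=DEFAULT_FLAGS):
    """Map feature letter -> enabled after applying one exception string."""
    state = {c.upper(): c.isupper() for c in defaults}
    if fmt == "paxd" and not set(flags) & {"e", "E"}:
        # Rule from the paxd.conf header: a rule without an explicit EMUTRAMP
        # flag enables EMUTRAMP. Applied only to paxd-style rules here.
        state["E"] = True
    for c in flags:  # lowercase disables a feature, uppercase enables it
        state[c.upper()] = c.isupper()
    return state


def disabled_protections(flags, fmt="paxd", defaults=DEFAULT_FLAGS):
    """Names of features the rule turns off that the defaults had on."""
    base = {c.upper(): c.isupper() for c in defaults}
    eff = effective_flags(flags, fmt, defaults)
    return [FEATURES[k] for k in "PEMRS" if base[k] and not eff[k]]


def minimal_flags(flags):
    """The thread's advice: drop the lowercase 'e' and keep the rest (em -> m)."""
    trimmed = flags.replace("e", "")
    return trimmed or flags


def audit(text):
    """Parse config text and attach 'disabled' and 'suggested' to each rule."""
    report = []
    for entry in parse_exceptions(text):
        entry["disabled"] = disabled_protections(entry["flags"], entry["format"])
        entry["suggested"] = minimal_flags(entry["flags"])
        report.append(entry)
    return report


SAMPLE_PAXD = """\
# constructed sample, paxd.conf layout (flags first)
em /usr/bin/python3
E /usr/bin/make
pem /usr/lib/firefox/firefox
pemrs /usr/bin/wine-preloader
"""

SAMPLE_PAXCTLD = """\
# constructed sample, paxctld.conf layout (path first)
/usr/lib/iceweasel/iceweasel pm
/usr/lib/iceweasel/plugin-container m
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PAXD, SAMPLE_PAXCTLD):
        for e in audit(sample):
            print(f"{e['format']:8} {e['path']:40} {e['flags']:6} "
                  f"off={e['disabled']} suggest={e['suggested']}")
```

Running it prints one line per rule with the protections that rule removes, so a "pemrs" entry stands out as dropping PAGEEXEC, MPROTECT and RANDMMAP at once, whereas "m" only drops MPROTECT (and, in paxd layout, silently enables EMUTRAMP).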
Cool. Does it run fine? Could you install "paxtest" and see if all mitigations are properly being done? The output should be something like this:

Code:
root@amarildo:~# paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Writing output to /root/paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Mode: Blackhat
Linux amarildo 4.4.0-1-grsec-amd64 #1 SMP Debian 4.4.8-1+grsec201604252206+1~bpo8+1 (2016-05-03) x86_64 GNU/Linux

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable stack (mprotect)              : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments                   : Killed
Anonymous mapping randomisation test     : 28 bits (guessed)
Heap randomisation test (ET_EXEC)        : 22 bits (guessed)
Heap randomisation test (PIE)            : 35 bits (guessed)
Main executable randomisation (ET_EXEC)  : 28 bits (guessed)
Main executable randomisation (PIE)      : 28 bits (guessed)
Shared library randomisation test        : 28 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 35 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 35 bits (guessed)
Arg/env randomisation test (SEGMEXEC)    : 39 bits (guessed)
Arg/env randomisation test (PAGEEXEC)    : 39 bits (guessed)
Randomization under memory exhaustion @~0: 28 bits (guessed)
Randomization under memory exhaustion @0 : 28 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Killed
Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE)         : Killed
root@amarildo:~#

Obviously, it's a repo like any other. Right now you only need to add the "jessie-backports" repo and install everything from there. Corsac (the Debian developer) has his Kernels there now.

That is weird. I've been using Debian since 2006 and never noticed this problem, only when I actually type the wrong passphrase while installing. Did you enable "allow login as root"? Because if you did, your user will NOT be added to the "sudo" group and therefore you won't be able to use sudo until you add your user to the sudo group.
I'm going to spend some time today looking at their installer and see what I'm doing wrong. It asks for a user and password twice. While the user name I used is slightly different for the two the last time I tried I used the same password for both. I tried both user names with the same password. I would rather be on Debian so I'm going to do more looking around and try it again.
I never enabled mprotect because the settings guide I used said it would break X, but the guide is a few years old, so maybe I need to do this over again. It's just the one setting, 'restrict mprotect'? Is it the same setting to kill 'Writable text segments'?

Linux opm1 4.5.2-grsec #1 SMP Fri Apr 29 17:03:26 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
Executable stack (mprotect)              : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Writable text segments                   : Vulnerable
Anonymous mapping randomisation test     : 28 bits (guessed)
Heap randomisation test (ET_EXEC)        : 23 bits (guessed)
Heap randomisation test (PIE)            : 35 bits (guessed)
Main executable randomisation (ET_EXEC)  : 25 bits (guessed)
Main executable randomisation (PIE)      : 25 bits (guessed)
Shared library randomisation test        : 25 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 35 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 35 bits (guessed)
Arg/env randomisation test (SEGMEXEC)    : 39 bits (guessed)
Arg/env randomisation test (PAGEEXEC)    : 39 bits (guessed)
Randomization under memory exhaustion @~0: 28 bits (guessed)
Randomization under memory exhaustion @0 : 28 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Killed
Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE)         : Killed
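The two paxtest runs posted in this thread (the Debian backports kernel a few posts up and the self-built 4.5.2 kernel just above) differ only in a handful of rows, and comparing forty-odd lines by eye is error-prone. The following is an added example, not code from the thread or from paxtest: it parses the `Name : Result` rows of paxtest blackhat output, separates Killed, Vulnerable, randomisation-bit and inconclusive results, reports whether the MPROTECT-dependent rows (the `(mprotect)` tests and `Writable text segments`) all passed, and diffs the randomisation bits between two runs. The embedded inputs are shortened excerpts of the two outputs quoted above; the grouping of `Writable text segments` with the mprotect rows is this example's heuristic.

```python
"""Parse, summarise and compare paxtest blackhat output.

Added example, not code from the thread or from paxtest. The inputs below
are shortened excerpts of the two runs quoted in the thread.
"""
import re

LINE_RE = re.compile(r"^(?P<name>.+?)\s*:\s*(?P<result>.+?)\s*$")
BITS_RE = re.compile(r"^(\d+) bits")


def classify(result):
    """Map a result string to a category, or None for non-test lines."""
    if result == "Killed":
        return "killed"
    if result == "Vulnerable":
        return "vulnerable"
    if BITS_RE.match(result):
        return "entropy"
    if result.startswith("paxtest:"):  # e.g. the NULL-byte return-address note
        return "inconclusive"
    return None


def parse_paxtest(text):
    """Return an ordered {test name: result} for recognised result rows.
    Banner, prompt and uname lines never produce a recognised result."""
    results = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and classify(m.group("result")) is not None:
            results[m.group("name")] = m.group("result")
    return results


def is_mprotect_test(name):
    """Rows that only pass when PaX MPROTECT is enforced (example heuristic)."""
    return "(mprotect)" in name or name == "Writable text segments"


def summarize(results):
    """Counts, lists and entropy bits, plus an MPROTECT verdict (None if no
    mprotect rows were seen)."""
    summary = {"killed": 0, "vulnerable": [], "inconclusive": [], "entropy": {}}
    for name, result in results.items():
        kind = classify(result)
        if kind == "killed":
            summary["killed"] += 1
        elif kind == "vulnerable":
            summary["vulnerable"].append(name)
        elif kind == "inconclusive":
            summary["inconclusive"].append(name)
        else:
            summary["entropy"][name] = int(BITS_RE.match(result).group(1))
    if not any(is_mprotect_test(n) for n in results):
        summary["mprotect_enforced"] = None
    else:
        summary["mprotect_enforced"] = not any(
            is_mprotect_test(n) for n in summary["vulnerable"])
    return summary


def compare_entropy(a, b):
    """{test: (bits_a, bits_b)} for randomisation rows whose bits differ."""
    ea, eb = summarize(a)["entropy"], summarize(b)["entropy"]
    return {n: (ea[n], eb[n]) for n in ea if n in eb and ea[n] != eb[n]}


# Excerpt of the Debian backports kernel run quoted earlier in the thread.
BACKPORTS_RUN = """\
root@amarildo:~# paxtest blackhat
Mode: Blackhat
Linux amarildo 4.4.0-1-grsec-amd64 #1 SMP Debian 4.4.8-1+grsec201604252206+1~bpo8+1 (2016-05-03) x86_64 GNU/Linux
Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable anonymous mapping (mprotect)  : Killed
Writable text segments                   : Killed
Anonymous mapping randomisation test     : 28 bits (guessed)
Main executable randomisation (ET_EXEC)  : 28 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Killed
"""

# Excerpt of the self-built 4.5.2 kernel run quoted just above.
SELF_BUILT_RUN = """\
Linux opm1 4.5.2-grsec #1 SMP Fri Apr 29 17:03:26 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux
Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable anonymous mapping (mprotect)  : Vulnerable
Writable text segments                   : Vulnerable
Anonymous mapping randomisation test     : 28 bits (guessed)
Main executable randomisation (ET_EXEC)  : 25 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Killed
"""

if __name__ == "__main__":
    a, b = parse_paxtest(BACKPORTS_RUN), parse_paxtest(SELF_BUILT_RUN)
    for label, run in (("backports", a), ("self-built", b)):
        print(label, summarize(run))
    print("entropy differences:", compare_entropy(a, b))
```

On the full outputs from the thread the same code flags every `(mprotect)` row plus `Writable text segments` as the only regressions on the self-built kernel, which is the MPROTECT question the post above asks, and lists the three rows where the ET_EXEC/PIE/shared-library randomisation dropped from 28 to 25 bits.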
Sorry, I don't remember anymore. But mprotect doesn't break X, don't worry. I see your Kernel is still very vulnerable.
Why doesn't this Corsac man make a full .iso with Grsecurity included by default in the Debian installation? I do not feel comfortable installing Grsecurity by commands. I need it on there without any effort or chance of error installing. The last time I tried to compile Grsecurity in Mint it broke the system and wasted my entire week.
I installed Debian and looked for grsec in Synaptic; the only match showing is linux-patch-grsecurity2. When I selected it for install it installed a bunch of other things I don't recognize, and had some errors during install that I ignored. I don't think it worked. Why don't they make it easier to install??
Because it's not his job, and because he is a security researcher that has other things to do? Why don't YOU make such an ISO? Then don't. Well, that escalated quickly. Errors are unlikely to happen. I see your reading skills haven't improved since a few months ago. You don't need to compile on Debian anymore. Read the thread. That's because you haven't read this thread and haven't yet realised you're looking at the wrong repositories. Easier than opening Synaptic, searching for "grsec" and installing it?
I added the jessie-backports repository to Synaptic. Now I can see the grsec patch in Synaptic. But when I mark it for install, it won't let me; it says to fix broken packages first. This is another waste of time.