Debian now has proper Grsecurity support

Discussion in 'all things UNIX' started by Amanda, Jan 26, 2016.

  1. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Read the first post and you'll see that I mention NO PATCH WHATSOEVER.

    Actually read this time, because I'm getting tired of having to repeat myself just because you don't bother to read carefully.

    Did you even update your repositories after adding jessie-backports?

    What you have to install:
    linux-grsec-base
    linux-grsec-support
    linux-headers-4.X.X-X-common-grsec
    linux-headers-4.X.X-X-grsec-amd64 (if you have a 64-bit processor)
    linux-headers-4.X.X-X-grsec-686-pae (if you have a 32-bit processor)
    linux-image-4.X.X-X-grsec-686-pae (if you have a 32-bit processor)
    linux-image-4.X.X-X-grsec-amd64 (if you have a 64-bit processor)
    attr
    paxctl
    pax-utils


    Then wget paxctld and enable the service. Read previous posts to know how to do that, how to add your user to the correct group, and how to add Pax exceptions.

    That's it. Then just reboot.
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Thanks :)
    I couldn't log in with the graphical environment, and not with the terminal either.
    I installed and enabled paxctld, added the whole list of applications posted in this thread to the config file, and I added my user to the grsec-tpe group.
    Then I booted back into the grsec kernel and it still gives a lot of denied untrusted exec messages when trying to log in via terminal.
    After that made no difference, I changed the TPE section in grsec.conf as recommended. The denied messages no longer showed, but I couldn't do anything anymore. It seemed as if it was frozen, but after a short while another Denied untrusted exec message spawned about /bin/kill (parent process systemd).
     
  3. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Just remember: editing that section on the grsec.conf file like I said also means that you must change the group GID to 200. Maybe there was some conflict there.
     
  4. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    What are the memory protections afforded by Debian at this point? Last time I checked (a while ago, to be fair), it was noRELRO/no-canary/no-pie. This is fairly significant: most other distros run at least partial/canary/no-pie.

    I'm just curious. I'm eyeing Debian as a solid backup to my Arch install, given that Xubuntu (my current backup) has a pretty poor update policy, considering Universe packages aren't supported for long (Debian doesn't have this problem).
     
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
  6. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    One thing I've learned setting up Debian on another computer: it's currently impossible to use nvidia drivers on the grsecurity kernel. You MIGHT be able to use the website installer, but DKMS doesn't work with the current grsecurity kernel. Fortunately, on my own computer I just use Intel.

    The links above are cool, but they don't give a list of the actual packages that are built FullRELRO/Canary/PIE. I tried using the checksec.sh script found on GitHub, but it keeps telling me "syntax error; unexpected blah blah" despite the same script working on Arch. Idk what the issue is; I'll have to dig in and find out.

    Either way, firejail was easy to get and apparmor was a piece of cake, so combining that with Debian's long period of offering updates, it's a pretty good general use distro in terms of security. When I get the checksec script to work, I'll update here.
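    For the question above about which packages are built with RELRO, a stack canary and PIE, here is an added checksec-style helper (example code, not from this thread and not checksec.sh): it classifies a binary from readelf's own text output, and is plain POSIX sh so it runs under Debian's /bin/sh (dash) as well as bash. It assumes binutils (readelf) is installed; the classifier functions take readelf text as arguments, so they can also be exercised on captured output.

```shell
#!/bin/sh
# Added example: minimal RELRO / canary / PIE report using only readelf (binutils).
# Usage on a live system:  report_dir /usr/bin | sort -t "$(printf '\t')" -k2

# RELRO: a GNU_RELRO segment means at least partial; with BIND_NOW it is full.
relro_status() {          # $1 = `readelf -lW` output, $2 = `readelf -dW` output
  case "$1" in
    *GNU_RELRO*)
      case "$2" in
        *BIND_NOW*|*"Flags: NOW"*) echo "Full RELRO" ;;
        *)                         echo "Partial RELRO" ;;
      esac ;;
    *) echo "No RELRO" ;;
  esac
}

# Stack canary: binaries built with -fstack-protector* import __stack_chk_fail,
# which is visible in .dynsym even when the binary is stripped.
canary_status() {         # $1 = `readelf -sW` output
  case "$1" in
    *__stack_chk_fail*) echo "Canary found" ;;
    *)                  echo "No canary" ;;
  esac
}

# PIE: an executable whose ELF type is DYN is position independent; EXEC is not.
pie_status() {            # $1 = `readelf -hW` output
  case "$1" in
    *"Type:"*DYN*)  echo "PIE" ;;
    *"Type:"*EXEC*) echo "No PIE" ;;
    *)              echo "Unknown" ;;
  esac
}

# One tab-separated line per file: path, RELRO, canary, PIE.
report_binary() {
  f="$1"
  printf '%s\t%s\t%s\t%s\n' "$f" \
    "$(relro_status "$(readelf -lW "$f" 2>/dev/null)" "$(readelf -dW "$f" 2>/dev/null)")" \
    "$(canary_status "$(readelf -sW "$f" 2>/dev/null)")" \
    "$(pie_status "$(readelf -hW "$f" 2>/dev/null)")"
}

# Report every ELF file in a directory (non-ELF files are skipped by readelf -h failing).
report_dir() {
  for f in "$1"/*; do
    [ -f "$f" ] && readelf -h "$f" >/dev/null 2>&1 && report_binary "$f"
  done
}
```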
     
  7. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    GRSec isn't compatible with most proprietary drivers. There is an NVIDIA patch for grsec, but there is no AMD patch that works. AMD's proprietary driver has a buffer overflow problem that prevents it from correctly running on grsec, and I again don't know the situation over NVIDIA (but I assume it's better).
     
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Thanks, good point. Also didn't work unfortunately.
    I'm having a busy time right now so I have to postpone this for later.
     
  9. kinder2

    kinder2 Registered Member

    Joined:
    Aug 17, 2015
    Posts:
    51
    When I try to install "linux-headers-4.X.X-X-grsec-amd64" using Synaptic (after adding the backports repository, and having 64-bit Debian) it gives me this error:
    could not mark all packages for installation or upgrade
    linux-headers-4.5.0-2-grsec-amd64:
    Depends: linux-kbuild-4.5 but it is not going to be installed
    Depends: gcc-4.9 but it is not going to be installed
    Depends: gcc-4.9-plugin-dev but it is not installable

    Is it because I have Cinnamon Debian installed and Cinnamon conflicts with grsec? All the other grsec parts can be installed, except when installing linux-imageXXXX it says it needs to remove the cinnamon task item.
     
  10. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    @kinder2 I'm not sure why that error happens, but I'm sure it has nothing to do with cinnamon. GRSec is compatible with:

    • GNOME
    • KDE
    • LXDE
    • XFCE
    • MATE
    • Cinnamon
    These are the ones I've tested.
     
  11. general001

    general001 Registered Member

    Joined:
    May 28, 2011
    Posts:
    2
    Hi everybody!
    Yesterday I played with Arch for the first time. It was very straightforward to install and use firejail, however I ran into problems with Grsecurity, which I installed from their repos (installed linux-grsec and paxd etc.; it seemed correct). Usually Arch docs are great, but in this case it is just stated: "After installing the linux-grsec package, edit your bootloader settings to load vmlinuz-linux-grsec and initramfs-linux-grsec.img."

    In my /etc/default/grub file I cannot see any hint to grsecurity and frankly I do not know how to edit settings so that vmlinuz-linux-grsec and initramfs-linux-grsec.img would be loaded. Does anybody have experience with Arch and Grsecurity?
     
  12. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Executing

    sudo grub-mkconfig -o /boot/grub/grub.cfg

    and a reboot should do the trick.
     
  13. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    *Openbox, Fluxbox, PekWM, Awesome, and i3 I've tested with grsecurity: no issues. They should in theory all work with grsecurity, and if one doesn't, all you need to do is make a paxd exception. All you need to do is check journalctl to see why that DE/WM has failed (sudo journalctl -r -b), then add the appropriate exceptions in /etc/paxd.conf. When you open the file you'll realize exactly how to do that. It's literally the exceptions followed by the path to the executable, which is usually /usr/bin/executablename.
    I am using Arch and can tell you anything you need to know (I think). You can also, for testing purposes, try editing grub from the menu when you first turn the computer on: just select Arch and then hit "e" and you'll go into that entry; find the kernel line and change vmlinuz-linux to vmlinuz-linux-grsec and initramfs-linux.img to initramfs-linux-grsec.img, then press either 'b' or ctrl+f10 to boot.
    Another option if you use a separate /boot partition is to edit grub's grub.cfg for Arch's grsec kernel, and then you'll never need to touch it again. Unlike other distros, Arch's kernel names never change. It's always "linux" or "linux-lts" or "linux-grsec"; there are no version numbers. The same applies to the initramfs lines.

    **EDIT** This last part may not be true IF you install kernels from the AUR with version numbers, where the version numbers change. I haven't personally used any of these, so I can't be sure.
     
  14. kinder2

    kinder2 Registered Member

    Joined:
    Aug 17, 2015
    Posts:
    51
    I changed to KDE desktop, and tried to install linux-image-4.5.0.2-grsec-amd64 in Synaptic. It now says To Be Removed:
    task-cinnamon-desktop
    task-desktop
    task-kde-desktop
    xserver-xorg-input-all
    xserver-xorg-input-vmmouse

    Seems like the package will kill the graphical desktop manager and X? I did not proceed yet. What might be causing this problem, is Synaptic the problem? I only have official ftp.debian.org source in my sources.list
     
  15. kinder2

    kinder2 Registered Member

    Joined:
    Aug 17, 2015
    Posts:
    51
    Have you tried installing grsecurity the "easy way" on Debian, using the backports repository and apt-get? Not a kernel compile, because that takes too long and is too complicated for novices like me.
     
  16. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    Yes, and it worked fine for me. That said, the paxd equivalent on Debian didn't work, so I had to start adding exceptions manually, and these need to be manually redone every time those excepted executables are updated. It might have just been an issue with the path to said executables in the config, but I haven't dug into it further on Debian, as that computer needs the nvidia drivers.

    On my own computer I just use Intel, and I use Arch, so... I have to manually compile the kernel using makepkg (for apparmor), but it's very easy on Arch and gives me a total result of grsecurity/pax, apparmor, paxd and fullrelro/canary/pie (for running processes).

    I'm glad to see Debian taking steps to be a solid grsecurity option. Knowing them, it will happen relatively fast, since Debian doesn't usually **** around.
     
  17. kinder2

    kinder2 Registered Member

    Joined:
    Aug 17, 2015
    Posts:
    51
    Sorry, but I am going to call b******* on this thread. I spent the day trying all the different Debian desktop environments; when installing the linux-image-xxxxx grsec package it ALWAYS requires removal of essential packages that break Debian. The essential packages being task-desktop and xserver-xorg.

    There is no way to install this grsec on Debian without breaking it. Give video proof of you installing grsec from jessie backports on Debian and we might believe you.
     
  18. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    They should all work. And if they don't then it's not only "one" exception, it's hundreds (if not thousands). When something doesn't work after installing grsec, it's almost always the display manager (sddm, lightdm, gdm, etc) and in that case one exception is usually fine (/usr/bin/sddm, for example).

    No, it can't be synaptic. It's something you did.

    What do you mean?

    Then you did it wrong :p

    You first download paxctld from grsec, then install it. Then reboot, it's pretty easy, just edit the file.

    wget https://www.grsecurity.net/paxctld/paxctld_1.1-1_amd64.deb
    dpkg -i paxctld_1.1-1_amd64.deb

    Then, edit /etc/paxctld.conf and add whatever program you like.

    With all due respect, you seem to not know what the hell you're doing with your computers. Your ability to read has been proven to be very limited, you don't understand what people tell you, and your overall knowledge about Linux is very poor. GRSec is, without a doubt, not the problem here.

    No problem. Expect a video this week. Then, I expect YOU to stop complaining on this thread, to actually read what people write to you, and TO READ THE ***** MANUAL.
     
  19. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Don't forget:

    systemctl start paxctld
    systemctl enable paxctld
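    The two posts above cover the paxctld procedure: install the .deb, add exceptions to /etc/paxctld.conf, start and enable the service. As an added helper that is not from this thread or from grsecurity, the script below reads kernel log lines (journalctl -k -b or dmesg) for PaX mmap/mprotect denials and prints, in paxctld.conf's "path<tab>flags" layout, the binaries that are not yet listed in the config, so each exception can be reviewed before it is added. The log lines and config entry used in the demo are constructed samples; the message shape follows grsecurity's "denied RWX mmap/mprotect ... by /path[comm:pid]" format, and "m" is the paxctld flag that disables MPROTECT for one file.

```shell
#!/bin/sh
# Added example: turn PaX denial messages into candidate paxctld.conf entries for review.
# Live usage:  journalctl -k -b | missing_pax_exceptions /etc/paxctld.conf
# "denied untrusted exec" lines are TPE denials, governed by the grsec-tpe group rather
# than paxctld, so they are deliberately not matched here.

# Print the unique binary paths named in PaX RWX mmap/mprotect denials read on stdin.
pax_denied_binaries() {
  sed -n 's/^.*grsec: denied RWX m[a-z]* .* by \(\/[^[]*\)\[.*$/\1/p' | sort -u
}

# For each denied binary whose path is not already the first field of a line in the
# paxctld.conf given as $1, print "path<tab>m" ("m" = disable MPROTECT for that file).
missing_pax_exceptions() {
  conf="$1"
  pax_denied_binaries | while IFS= read -r bin; do
    if ! awk -v b="$bin" '$1 == b { found = 1 } END { exit !found }' "$conf"; then
      printf '%s\tm\n' "$bin"
    fi
  done
}

# Constructed sample kernel log (hostname, PIDs and paths are made up for the example).
SAMPLE_LOG='Jun 30 10:01:02 debian kernel: grsec: denied RWX mmap of <anonymous mapping> by /usr/sbin/lightdm[lightdm:812] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
Jun 30 10:01:05 debian kernel: grsec: denied RWX mprotect of <anonymous mapping> by /usr/lib/firefox-esr/firefox-esr[firefox-esr:1342] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/sbin/lightdm[lightdm:812] uid/euid:0/0 gid/egid:0/0
Jun 30 10:01:09 debian kernel: grsec: denied RWX mmap of <anonymous mapping> by /usr/sbin/lightdm[lightdm:812] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
Jun 30 10:02:00 debian kernel: grsec: denied untrusted exec (due to not being in trusted group and file in non-root-owned directory) of /bin/kill by /bin/bash[bash:1500] uid/euid:1000/1000 gid/egid:1000/1000, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0'

# Run the constructed sample against a constructed config in which lightdm already
# has its exception; prints only the entry that is still missing (firefox-esr).
demo_missing() {
  tmp=$(mktemp)
  printf '/usr/sbin/lightdm\tm\n' > "$tmp"
  printf '%s\n' "$SAMPLE_LOG" | missing_pax_exceptions "$tmp"
  rm -f "$tmp"
}
```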
     
  20. kinder2

    kinder2 Registered Member

    Joined:
    Aug 17, 2015
    Posts:
    51
    I installed Debian jessie, free standard edition, fresh and clean from the debian.org site. I checked the ISO hashes. Immediately after installation, I did a system update, added the backports repository and opened Synaptic to mark linux-image-4.5.0.2-grsec-amd64 for installation. It required removal of X and the desktop. There is no chance of "something I did" screwing up the process, because it was a fresh install.

    A video will help, thanks for doing it, I will pay attention to the linux-image-4.5.0.2-grsec-amd64 package.
     
  21. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    What's the output of the following command?

    uname -a

    Show a PrintScreen of the Synaptic packages that appear to you.

    No problem. I haven't had time to record the video yet, but I'll do it soon, hopefully next week. In the meantime, make sure you have all selected packages in accordance with each other, like linux-image-grsec-4.5.7 and linux-headers-grsec-4.5.7, for example. All versions must match.
     
  22. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    @kinder2

    I just installed Debian in a virtual machine and here's my result:

    Upon installing grsec-image, it asked me to remove two packages:

    1. xserver-xorg-input-all
    2. xserver-xorg-input-vmmouse

    These packages are (probably) not compatible with grsec and they are actually not needed at all, unless you use vmware (which is probably not compatible with grsec anyway).


    You can safely remove these packages.

    I'd be worried if it asked to remove "xserver-xorg-video" or something like that (I don't remember how these packages are called in Debian).

    I recorded a video of me installing Debian from the beginning, with the mini.iso from their ftp server. I'm uploading it to youtube now.

    I did face problems when starting lightdm, but as I mentioned in my video it's likely because of VirtualBox's video drivers. I didn't face any problems when I installed it in my real hardware.

    I'll put a link to the Youtube video once it's finished uploading.
     
  23. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    There you go: https://www.youtube.com/watch?v=OkmxNSklUIY

    Remember: disregard my error with lightdm, it doesn't happen on my real hardware. Or, you know, the debian guys screwed things again, which is not new ;-)

    Low resolution caused by recently installed Arch and driver/monitor not configured.
     
  24. kinder2

    kinder2 Registered Member

    Joined:
    Aug 17, 2015
    Posts:
    51
    I watched it, and see you had problems installing grsec too. I had a similar result, in that there was a lightdm error, on my real hardware.
    I did not use mini.iso to install; I used the full install DVD, 4 GB in size, to install MATE, using the graphical install option.
    When I marked the "linux-image-4.5.0.2-grsec-amd64" package for install in Synaptic, it required me to remove not only the 2 xorg items you said did not matter, it also required me to remove the "task-desktop" package. It could be because this package was included using the full ISO install by the graphical install option.
    I did not try to add exceptions to paxctl, because I expected grsec to work out of the box.
    I think after reboot I had the same problem with lightdm not working, and gave up. I was not installing in VirtualBox, I installed on real hardware. But my graphics card is an AMD, not Nvidia; maybe that has a problem with lightdm and your real hardware does not.

    Your video confirms it is not straightforward installing grsec on Debian. It can break lightdm, and the fix is complex. Debian needs to make the install of grsecurity easy, for novices like me to successfully install grsec.

    I erased the failed debian install already, but if I try again I will do the command "uname -a" to troubleshoot problem. For now I sit here waiting for a failproof grsec Debian package install.
     
  25. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    No, I didn't. Those lightdm problems are (likely) related to VBox drivers. GRSec is, as far as I know, compatible with AMD/Intel open-source drivers, and nothing besides that.

    It could be, but I wouldn't think that's the issue, though. I've installed the "task-foo-desktop" packages many times and never faced any problems with grsec. Of course, it's an issue that you're personally facing and it likely exists, but neither grsec nor the tasksel packages should cause problems when working together.

    Then grsec is not for you.

    I have an AMD card as well.

    Did you install the fglrx-driver package?

    No, that's not what the video shows. The video shows a very calm grsec installation, but problems with the VBox drivers, which is to be expected IMO. The grsec Kernel on Debian's repo is by far the most tight/secure out there, I wouldn't be impressed if it's not compatible with VBox video drivers.

    No, the fix is not complex. As you can see in the video, the fix is simple for real hardware: add "/usr/sbin/lightdm" to the PaX exceptions. The fact that it didn't work is most likely related to how tight grsec is on Debian and its likely incompatibility with VBox video drivers.

    You could install grsec on Arch, which is waaaay easier. You have to add exceptions for almost no program. I, for instance, only need to add exceptions for Steam and other games. Lightdm, sddm, the KDE/MATE/GNOME stuff, and almost all GPL programs work out of the box. See my GitHub page for instructions on how to do that on Arch.

    I could record a new video with my real hardware, but that would require way more time and effort. I have 3 HDs and all 3 are in use, so I'd have to back up the contents of one and then use it.

    So for now I stand to my conclusion that it's either you doing something wrong (which I believe is the most likely cause of your problems) or the Debian developer screwed things up, which is not likely because he's a security researcher and should know what he/she is doing.
     