Debian now has proper Grsecurity support

Discussion in 'all things UNIX' started by amarildojr, Jan 26, 2016.

  1. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    I did a test install of Debian today, because I'm starting to look over Debian as a replacement for Arch. After searching in synaptic for "grsec" I noticed a lot of good, new, and interesting stuff:

    Code:
    linux-grsec-base
    linux-grsec-source-4.3
    linux-grsec-support-4.3.0-1
    linux-headers-4.3.0-1-common-grsec
    linux-headers-4.3.0-1-grsec-686-pae
    linux-headers-4.3.0-1-grsec-amd64
    linux-image-4.3.0-1-grsec-686-pae
    linux-image-4.3.0-1-grsec-amd64
    https://packages.debian.org/search?...suite=all&section=all&sourceid=mozilla-search

    "What does this mean?", glad you asked. Well, my friend, from now on it seems Debian Unstable/Testing will enable users to use grsecurity without having to grab the kernel source, configure it, patch it, edit the grsec part, then compile it. Yup, all it takes now is this simple command:

    Code:
    apt install linux-grsec-base linux-grsec-source-4.3 linux-grsec-support-4.3.0-1 linux-headers-4.3.0-1-common-grsec linux-headers-4.3.0-1-grsec-amd64 linux-image-4.3.0-1-grsec-amd64
    Obviously the command may vary. I decided to give it a try with all of the above, just to prevent trouble.

    Code:
    asd@amarildo:~$ uname -a
    Linux amarildo 4.3.0-1-grsec-amd64 #1 SMP Debian 4.3.3-7+grsec201601171913+1 (2016-01-20) x86_64 GNU/Linux
    I assume the downstream distros like Ubuntu and Mint will pick this up at some point.
    The next-Stable Debian will likely have this kind of support (hopefully).

    The only downside of this magic moment for us is that Debian developers still haven't tested the Kernel properly (which is a problem on Debian). I'm getting a few errors:

    Code:
    asd@amarildo:~$ journalctl  | grep grsec
    Jan 26 19:35:29 amarildo kernel: Linux version 4.3.0-1-grsec-amd64 (corsac@debian.org) (gcc version 5.3.1 20160114 (Debian 5.3.1-6) ) #1 SMP Debian 4.3.3-7+grsec201601171913+1 (2016-01-20)
    Jan 26 19:35:29 amarildo kernel: Command line: BOOT_IMAGE=/vmlinuz-4.3.0-1-grsec-amd64 root=/dev/mapper/debian-root ro quiet
    Jan 26 19:35:29 amarildo kernel: Kernel command line: BOOT_IMAGE=/vmlinuz-4.3.0-1-grsec-amd64 root=/dev/mapper/debian-root ro quiet
    Jan 26 19:35:29 amarildo kernel: grsec: mount of sysfs to /sys by /bin/mount[mount:52] uid/euid:0/0 gid/egid:0/0, parent /init[init:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of proc to /proc by /bin/mount[mount:53] uid/euid:0/0 gid/egid:0/0, parent /init[init:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of udev to /dev by /bin/sh[exe:54] uid/euid:0/0 gid/egid:0/0, parent /init[init:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of devpts to /dev/pts by /bin/sh[exe:56] uid/euid:0/0 gid/egid:0/0, parent /init[init:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of tmpfs to /run by /bin/sh[exe:57] uid/euid:0/0 gid/egid:0/0, parent /init[init:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: usb usb1: Manufacturer: Linux 4.3.0-1-grsec-amd64 ehci_hcd
    Jan 26 19:35:29 amarildo kernel: usb usb2: Manufacturer: Linux 4.3.0-1-grsec-amd64 ohci_hcd
    Jan 26 19:35:29 amarildo kernel: grsec: mount of /dev/mapper/debian-root to /root by /bin/sh[exe:273] uid/euid:0/0 gid/egid:0/0, parent /init[init:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of /dev to /root/dev by /bin/sh[exe:281] uid/euid:0/0 gid/egid:0/0, parent /scripts/init-bottom/udev[udev:279] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of /run to /root/run by /bin/sh[exe:284] uid/euid:0/0 gid/egid:0/0, parent /init[init:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of /sys to /root/sys by /bin/sh[exe:287] uid/euid:0/0 gid/egid:0/0, parent /init[init:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of /proc to /root/proc by /bin/sh[exe:288] uid/euid:0/0 gid/egid:0/0, parent /init[init:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of . to / by /bin/run-init[run-init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of securityfs to /sys/kernel/security by /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: time set by /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of tmpfs to /dev/shm by /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of tmpfs to /run/lock by /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of tmpfs to /sys/fs/cgroup by /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of cgroup to /sys/fs/cgroup/systemd by /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of pstore to /sys/fs/pstore by /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of none to / by /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of cgroup to /sys/fs/cgroup/net_cls,net_prio by /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of cgroup to /sys/fs/cgroup/cpuset by /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of cgroup to /sys/fs/cgroup/blkio by /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of cgroup to /sys/fs/cgroup/cpu,cpuacct by /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of cgroup to /sys/fs/cgroup/devices by /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of cgroup to /sys/fs/cgroup/freezer by /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of cgroup to /sys/fs/cgroup/perf_event by /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of tmpfs to /sys/fs/cgroup by /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of systemd-1 to /proc/sys/fs/binfmt_misc by /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of mqueue to /dev/mqueue by /bin/mount[mount:306] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: mount of hugetlbfs to /dev/hugepages by /bin/mount[mount:307] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: denied modification of grsecurity sysctl value : audit_gid by /lib/systemd/systemd-sysctl[systemd-sysctl:311] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: denied modification of grsecurity sysctl value : disable_priv_io by /lib/systemd/systemd-sysctl[systemd-sysctl:311] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo kernel: grsec: denied modification of grsecurity sysctl value : tpe_invert by /lib/systemd/systemd-sysctl[systemd-sysctl:311] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:29 amarildo systemd-sysctl[311]: Couldn't write '0' to 'kernel/grsecurity/audit_gid', ignoring: Operation not permitted
    Jan 26 19:35:29 amarildo systemd-sysctl[311]: Couldn't write '1' to 'kernel/grsecurity/disable_priv_io', ignoring: Operation not permitted
    Jan 26 19:35:29 amarildo systemd-sysctl[311]: Couldn't write '1' to 'kernel/grsecurity/tpe_invert', ignoring: Operation not permitted
    Jan 26 19:35:31 amarildo kernel: grsec: mount of /dev/mapper/debian-root to / by /bin/mount[mount:426] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd-remount-fs[systemd-remount:422] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:37 amarildo kernel: grsec: mount of /dev/mapper/debian-home to /home by /bin/mount[mount:527] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:38 amarildo kernel: grsec: mount of /dev/mapper/debian-tmp to /tmp by /bin/mount[mount:539] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:38 amarildo kernel: grsec: mount of /dev/mapper/debian-var to /var by /bin/mount[mount:541] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:39 amarildo kernel: grsec: mount of /dev/sda1 to /boot by /bin/mount[mount:577] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of none to / by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of tmpfs to /tmp/namespace-dev-ZhCZUv/dev by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of /dev/pts to /tmp/namespace-dev-ZhCZUv/dev/pts by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of /dev/shm to /tmp/namespace-dev-ZhCZUv/dev/shm by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of /dev/mqueue to /tmp/namespace-dev-ZhCZUv/dev/mqueue by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of /dev/hugepages to /tmp/namespace-dev-ZhCZUv/dev/hugepages by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of /tmp/namespace-dev-ZhCZUv/dev to /dev by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: unmount of /dev/mapper/debian-home by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of /run/systemd/inaccessible to /home by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of /run/systemd/inaccessible to /root by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of /run/systemd/inaccessible to /run/user by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of /tmp/systemd-private-83700bb096aa48f4bfa936f3d299c2ff-systemd-timesyncd.service-hRCF3E/tmp to /tmp by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of /var/tmp/systemd-private-83700bb096aa48f4bfa936f3d299c2ff-systemd-timesyncd.service-lMrqr5/tmp to /var/tmp by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of /bin to /bin by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of none to /bin by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of none to /boot by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of none to /dev/hugepages by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of none to /dev/shm by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of none to /dev by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of none to /dev/pts by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of none to /dev/mqueue by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of /etc to /etc by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of none to /etc by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of none to /home by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of /lib to /lib by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of none to /lib by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of /lib64 to /lib64 by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of none to /lib64 by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of none to /root by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of none to /run/user by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of /sbin to /sbin by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of none to /sbin by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of none to /tmp by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of /usr to /usr by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of none to /usr by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of none to /var/tmp by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:40 amarildo kernel: grsec: mount of none to / by /lib/systemd/systemd[(imesyncd):592] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:46 amarildo kernel: grsec: denied use of ioperm() by /usr/lib/xorg/Xorg[Xorg:677] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/lightdm[lightdm:656] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:52 amarildo kernel: grsec: mount of tmpfs to /run/user/115 by /lib/systemd/systemd-logind[systemd-logind:613] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:53 amarildo kernel: grsec: denied resource overstep by requesting 202584064 for RLIMIT_MEMLOCK against limit 65536 for /usr/sbin/lightdm-gtk-greeter[lightdm-gtk-gre:824] uid/euid:115/115 gid/egid:120/120, parent /usr/sbin/lightdm[lightdm:817] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:35:58 amarildo kernel: grsec: mount of tmpfs to /run/user/1000 by /lib/systemd/systemd-logind[systemd-logind:613] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:36:03 amarildo kernel: grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 0 for /usr/bin/pulseaudio[pulseaudio:930] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/pulseaudio[pulseaudio:929] uid/euid:1000/1000 gid/egid:1000/1000
    Jan 26 19:36:03 amarildo kernel: grsec: mount of none to / by /lib/systemd/systemd[(t-daemon):932] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:36:03 amarildo kernel: grsec: mount of /tmp/systemd-private-83700bb096aa48f4bfa936f3d299c2ff-rtkit-daemon.service-BKGmMm/tmp to /tmp by /lib/systemd/systemd[(t-daemon):932] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:36:03 amarildo kernel: grsec: mount of /var/tmp/systemd-private-83700bb096aa48f4bfa936f3d299c2ff-rtkit-daemon.service-M5OgHg/tmp to /var/tmp by /lib/systemd/systemd[(t-daemon):932] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:36:03 amarildo kernel: grsec: mount of none to /tmp by /lib/systemd/systemd[(t-daemon):932] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:36:03 amarildo kernel: grsec: mount of none to /var/tmp by /lib/systemd/systemd[(t-daemon):932] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:36:03 amarildo kernel: grsec: mount of none to / by /lib/systemd/systemd[(t-daemon):932] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:36:03 amarildo kernel: grsec: denied priority change of process (rtkit-daemon:933) by /usr/lib/rtkit/rtkit-daemon[rtkit-daemon:933] uid/euid:112/112 gid/egid:117/117, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:36:03 amarildo kernel: grsec: denied resource overstep by requesting 30 for RLIMIT_NICE against limit 0 for /usr/bin/pulseaudio[pulseaudio:930] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/pulseaudio[pulseaudio:929] uid/euid:1000/1000 gid/egid:1000/1000
    Jan 26 19:36:03 amarildo kernel: grsec: denied resource overstep by requesting 29 for RLIMIT_NICE against limit 0 for /usr/bin/pulseaudio[pulseaudio:930] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/pulseaudio[pulseaudio:929] uid/euid:1000/1000 gid/egid:1000/1000
    Jan 26 19:36:03 amarildo kernel: grsec: denied resource overstep by requesting 28 for RLIMIT_NICE against limit 0 for /usr/bin/pulseaudio[pulseaudio:930] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/pulseaudio[pulseaudio:929] uid/euid:1000/1000 gid/egid:1000/1000
    Jan 26 19:36:03 amarildo kernel: grsec: denied resource overstep by requesting 27 for RLIMIT_NICE against limit 0 for /usr/bin/pulseaudio[pulseaudio:930] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/pulseaudio[pulseaudio:929] uid/euid:1000/1000 gid/egid:1000/1000
    Jan 26 19:36:03 amarildo kernel: grsec: denied resource overstep by requesting 26 for RLIMIT_NICE against limit 0 for /usr/bin/pulseaudio[pulseaudio:930] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/pulseaudio[pulseaudio:929] uid/euid:1000/1000 gid/egid:1000/1000
    Jan 26 19:36:03 amarildo kernel: grsec: more alerts, logging disabled for 10 seconds
    Jan 26 19:39:35 amarildo kernel: grsec: denied use of ioperm() by /usr/lib/xorg/Xorg[Xorg:1199] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/lightdm[lightdm:656] uid/euid:0/0 gid/egid:0/0
    Jan 26 19:39:35 amarildo kernel: grsec: denied resource overstep by requesting 202575872 for RLIMIT_MEMLOCK against limit 65536 for /usr/sbin/lightdm-gtk-greeter[lightdm-gtk-gre:1210] uid/euid:115/115 gid/egid:120/120, parent /usr/sbin/lightdm[lightdm:1207] uid/euid:0/0 gid/egid:0/0
    
    But at least I'm able to login to X, open most of the programs I have installed, and actually do work on the system. So even with all these little problems, it's still easier/faster to do it this way than to do everything manually.

    Simple Q&A:

    Q - Will Jessie users have this functionality? A: I'm not sure, but I think users of Jessie (current Debian Stable) will have to compile the kernel manually for as long as they use it. In this regard, using Debian Unstable/Testing + Grsec is probably more secure than using Jessie with the default Linux Kernel. Also, Firejail is already present in Testing/Unstable repos;
    Q - Why only Testing/Unstable? A: Because of how Debian works. They have the Unstable and Testing branches to, well, test+debug+fix problems in them and to try new things. When the time comes, the current Testing branch will be "frozen" and the development team will fix most of the RC bugs. That's basically how they prepare the Stable releases. This process takes around 6 months, and once it starts, no new feature is added to Stable, only security fixes. This is why I'm not sure if Jessie users will have this support. History tells me only security fixes/patches go into Stable after it's been frozen;
    Q - Are you responding on behalf of Debian developers? A: No. This is my opinion only. Put a lot of salt on top of it!

    EDIT: Seems like Synaptic doesn't open via MATE menu anymore, though it opens via Terminal.
    Code:
    root@amarildo:~# journalctl | grep synaptic
    Jan 26 19:37:50 amarildo polkitd(authority=local)[644]: Registered Authentication Agent for unix-process:1121:15541 (system bus name :1.62 [pkexec /usr/sbin/synaptic], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
    Jan 26 19:37:55 amarildo polkitd(authority=local)[644]: Operator of unix-process:1121:15541 FAILED to authenticate to gain authorization for action com.ubuntu.pkexec.synaptic for unix-process:1121:15541 [/bin/sh /usr/bin/synaptic-pkexec] (owned by unix-user:asd)
    Jan 26 19:37:55 amarildo pkexec[1122]: asd: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/home/asd] [COMMAND=/usr/sbin/synaptic]
    Jan 26 19:38:37 amarildo sudo[1160]:  asd : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/asd ; USER=root ; COMMAND=/usr/sbin/synaptic
    
    EDIT 2: Changing the Synaptic menu to "gksudo synaptic" solved it.
     
    Last edited: Jan 26, 2016
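An added example, not part of the original post: a small Python triage of the `journalctl | grep grsec` output above. It separates `denied` events from audit records (mount, time set) and from unrelated lines the grep also matches, and notes when grsec rate-limited its own logging. The function name `summarize` and the treatment of every non-`denied` grsec line as an audit record are assumptions of this example; the sample lines are copied from the post.

```python
import re
from collections import Counter

# Sample input: lines copied from the journalctl output in the post above.
SAMPLE_LOG = """\
Jan 26 19:35:29 amarildo kernel: usb usb1: Manufacturer: Linux 4.3.0-1-grsec-amd64 ehci_hcd
Jan 26 19:35:29 amarildo kernel: grsec: mount of sysfs to /sys by /bin/mount[mount:52] uid/euid:0/0 gid/egid:0/0, parent /init[init:1] uid/euid:0/0 gid/egid:0/0
Jan 26 19:35:29 amarildo kernel: grsec: time set by /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
Jan 26 19:35:29 amarildo kernel: grsec: denied modification of grsecurity sysctl value : audit_gid by /lib/systemd/systemd-sysctl[systemd-sysctl:311] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
Jan 26 19:35:29 amarildo systemd-sysctl[311]: Couldn't write '0' to 'kernel/grsecurity/audit_gid', ignoring: Operation not permitted
Jan 26 19:35:46 amarildo kernel: grsec: denied use of ioperm() by /usr/lib/xorg/Xorg[Xorg:677] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/lightdm[lightdm:656] uid/euid:0/0 gid/egid:0/0
Jan 26 19:35:53 amarildo kernel: grsec: denied resource overstep by requesting 202584064 for RLIMIT_MEMLOCK against limit 65536 for /usr/sbin/lightdm-gtk-greeter[lightdm-gtk-gre:824] uid/euid:115/115 gid/egid:120/120, parent /usr/sbin/lightdm[lightdm:817] uid/euid:0/0 gid/egid:0/0
Jan 26 19:36:03 amarildo kernel: grsec: denied resource overstep by requesting 31 for RLIMIT_NICE against limit 0 for /usr/bin/pulseaudio[pulseaudio:930] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/pulseaudio[pulseaudio:929] uid/euid:1000/1000 gid/egid:1000/1000
Jan 26 19:36:03 amarildo kernel: grsec: denied resource overstep by requesting 30 for RLIMIT_NICE against limit 0 for /usr/bin/pulseaudio[pulseaudio:930] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/pulseaudio[pulseaudio:929] uid/euid:1000/1000 gid/egid:1000/1000
Jan 26 19:36:03 amarildo kernel: grsec: denied priority change of process (rtkit-daemon:933) by /usr/lib/rtkit/rtkit-daemon[rtkit-daemon:933] uid/euid:112/112 gid/egid:117/117, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
Jan 26 19:36:03 amarildo kernel: grsec: more alerts, logging disabled for 10 seconds
Jan 26 19:39:35 amarildo kernel: grsec: denied use of ioperm() by /usr/lib/xorg/Xorg[Xorg:1199] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/lightdm[lightdm:656] uid/euid:0/0 gid/egid:0/0
"""

# Syslog prefix up to the grsec payload. `grep grsec` also matches the kernel
# version string and systemd-sysctl messages; those do not fit this pattern.
GRSEC_LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ kernel: grsec: (?P<payload>.*)$")

# "<message> by|for <exe>[<comm>:<pid>] uid/euid:U/E gid/egid:G/E, parent ..."
# Resource-limit denials introduce the process with "for" instead of "by".
SUBJECT = re.compile(
    r"^(?P<msg>.*?) (?:by|for) (?P<exe>/\S*)\[(?P<comm>[^\]]*):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:\d+/\d+, parent "
)

# grsec throttles itself during bursts, so counts after this line are a lower bound.
RATE_LIMIT = re.compile(r"^more alerts, logging disabled for (\d+) seconds$")


def summarize(log_text):
    """Classify grep'd journal lines and count denials per (executable, reason)."""
    summary = {"noise": 0, "audit": 0, "denied": 0, "unparsed": 0,
               "suppressed_seconds": 0, "denials": Counter()}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        grsec = GRSEC_LINE.match(line)
        if grsec is None:
            summary["noise"] += 1          # matched the grep, but not a grsec event
            continue
        payload = grsec.group("payload")
        limited = RATE_LIMIT.match(payload)
        if limited:
            summary["suppressed_seconds"] += int(limited.group(1))
            continue
        subject = SUBJECT.match(payload)
        if subject is None:
            summary["unparsed"] += 1       # grsec event in a shape not handled here
            continue
        message = subject.group("msg")
        if message.startswith("denied "):
            summary["denied"] += 1
            # Collapse numbers (requested values, pids) so repeats group together.
            reason = re.sub(r"\d+", "N", message)
            summary["denials"][(subject.group("exe"), reason)] += 1
        else:
            summary["audit"] += 1          # assumption: non-"denied" lines are audit records
    return summary


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for (exe, reason), count in result["denials"].most_common():
        print(f"{count:3d}  {exe}: {reason}")
    print({k: v for k, v in result.items() if k != "denials"})
```

To run it on a live system, pass the text of `journalctl -k` (or the grep output shown in the post) to `summarize` instead of `SAMPLE_LOG`.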
  2. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    730
    That's great. Unfortunately, I can't use it because of its incompatibility with Virtualbox. This is also confirmed in the Arch wiki:

     
  3. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    You can use QEMU. I was thinking of creating a short tutorial on it, it's really great and has kernel support by default, even on linux-grsec.
     
  4. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    730
    I had tried it several years ago and wasn't convinced at all. But it's probably better now. Perhaps worth a new try.
     
  5. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    It's working great for me. I use it mostly for LiveCD's, it's really easy to get it started. But I also created a 100 GB disk image for it and it worked fine, it actually installed Debian faster than VirtualBox.

    All you need to get started: https://wiki.archlinux.org/index.php/QEMU
     
  6. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Awesome. And about freaking time. Thanks for mentioning this @amarildojr
     
  7. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    No problem :)
     
  8. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    730
  9. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599

    Put me down for joining your "class", but not until Debian puts it in stable. Soon I hope. No LIVECD needed just a solid host and multiple VM's. Would have to play well with TOR and PFSense. o_O??
     
  10. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    I could write you two commands if you wish :) Only if Github becomes online again, though.

    Sorry, but until Debian puts *what* in Stable? Because qemu *is* on Jessie.
     
  11. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    Update on Ubuntu: So far, 16.04 doesn't have linux-image-grsec. See attachment.
     

    Attached Files:

  12. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    Pretty sure they were referring to when Debian puts grsec in stable which earlier you said you expected within 6 mos.
     
  13. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599

    That is what I got when I read that too.
     
  14. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    Wow :argh: That was not what I said. At all.

    My comment was about how Debian releases work.
    You will see grsec in Stable, but not in Jessie (current Stable release).

    Right now, Jessie is Stable and Stretch is Testing. Somewhere in the end of this year, Debian developers will "freeze" the current Testing branch (which is Stretch) for 6 months before releasing it as Stable. When the freezing happens, no new feature gets into this frozen next-Stable, and no new feature gets in after it becomes stable. That's why there are 3 main releases, two (Unstable and Testing) are to test things before the next Stable release. That's why you most likely won't see grsec in Jessie.

    But Debian is in such a state of development right now that you might actually see this happening.
     
  15. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    Thanks for the follow up. I'll be watching. It's going to be tough to leave Jessie for me because it runs like a fine watch on my machines.
     
  16. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    But you don't have to. It's not hard to compile your own custom Kernel with GRSec support. Just grab the "linux-image-amd64" from their repos, and then patch it with grsec. Then compile with the options you want enabled.
     
  17. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    408
    Aug 2015
    "The gurus behind the popular and respected Linux kernel hardening effort Grsecurity will stop providing free support for their stable offering."
    http://news.softpedia.com/news/grse...release-patches-only-to-sponsors-490330.shtml

    Unless debian is a "paid sponsor", the "from now on" prospect seems unlikely...
    ...and the future prospect of "compiling your own" seems to be off the table.

    edited to add:
    https://micahflee.com/2016/01/debian-grsecurity/
     
    Last edited: Feb 6, 2016
  18. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    Debian has 3 main branches: Stable, Testing, and Unstable. Testing and Unstable will simply use GRSecurity's testing patches, just like Arch. When the time comes and Stretch freezes, I'm positive Debian developers will freeze the grsec Kernel as well and will maintain that on their own, without grsecurity's support.
     
  19. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    730
    Yes, please! If this can be simplified somehow it would be very helpful! :)
     
  20. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    OK :D

    First, you have to load the modules for your architecture. I have an AMD processor, so:
    Code:
    modprobe kvm_amd
    Code:
    modprobe kvm
    If you have an Intel processor:
    Code:
    modprobe kvm_intel
    Code:
    modprobe kvm
    Next, install qemu. If you're using Debian
    Code:
    apt install qemu
    Next, we'll start the image as a LiveCD. It's pretty easy:
    Code:
    qemu-system-x86_64 -enable-kvm -m 2G -vga std  /home/summerheat/image.iso
    
    The "-m 2g" specifies 2 GB of memory for the machine.
    The "-vga std" specifies which video driver the machine will use. Usually std works best.
    After that, it's the location of your ISO image. Pretty simple, right? :) No need to remove the image after you close qemu.
    
    Then, if you want to create a virtual HD so you can install an OS (in this example, Debian), do this:
    Code:
    qemu-img create -f raw Debian 30G
    Change the "30G" to how many GB's of storage you want this new system to have.
    
    This is the basics of qemu. There are many other options, but this should get you started.
    
    Cheers.
     
  21. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    730
    @amarildojr: Thanks a lot, my friend - much appreciated! I will certainly tinker with it in the near future.
     
  22. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    Good news: linux-image-grsec will be backported to Jessie (Debian Stable) :)
     
  23. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    Does this mean being able to download the grsec kernel as part of the .iso ?
     
  24. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    I asked the developer the same thing :p Unfortunately no, because the Kernel will be present at the "jessie-backports" repo which is not enabled by default when you install the base system (only later when configuring apt), and you're not able to select extra packages anyway.

    But according to the developer (corsac, what a coincidence huh?) users will be able to install the Kernel as soon as the OS boots.
     
  25. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    841
    Location:
    Québec, Canada