Easiest way to get Grsecurity and Pax on Linux

Discussion in 'all things UNIX' started by kinder2, Sep 18, 2015.

  1. kinder2

    kinder2 Registered Member

    Joined:
    Aug 17, 2015
    Posts:
    51
    I am new to Linux and need to include Grsecurity and Pax to my Linux for security reasons.
    What is the easiest way to do this?
    Is it easy to include it in Ubuntu or Mint or Debian?
    I do not know how to compile a kernel, nor check what kernel version I need. There is added complexity now that Grsecurity stable 3.x versions are no longer available for download to public.
    Some distributions like Alpine, Arch and Gentoo include support out of the box, however these are distributions aimed at experienced users not newbies like me. I shudder at the thought of installing these distributions on my PC.
     
  2. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    625
    Location:
    United States
    The easiest way is through their store if this is still available that way. I'm not sure how they deal with AppArmor or SELinux on Ubuntu, Fedora et all. Also in reading the Grsec forums I've learned that Alpine uses an unsupported grsec kernel. So while small they are in the same boat with Intel and Verifone.

    I've thought about doing this with something like Tahrpup.

    Edited: *** links to store removed at request of "grsecurity.net" representatives. The store is not publicly available any longer and all payment methods are removed.

    Debian: Wheezy, Jessie
    Ubuntu: 12.04, 12.10, 14.04, 14.10
    CentOS/RHEL: 6.x, 7.x
    Fedora: 19, 20, 21

    If your distro is a derivative of one of the above listed distro versions, then yes. This includes Linux Mint, KUBUNTU, XUBUNTU, etc. Gentoo, Arch Linux, SuSE, Slackware, and others are not currently supported.
     
    Last edited by a moderator: Jan 2, 2016
  3. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    That's incorrect. I haven't checked SuSE and Slackware but Gentoo has been supporting grsecurity for many years, and Arch Linux also offers an official kernel with grsecurity.
     
  4. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    625
    Location:
    United States
    The Grsecurity Store doesn't support those distros. I merely copied and pasted from the Store FAQs. I'm betting you didn't go to the links and read it there did you? It appears to be automated so they probably can't automate the process for the distros the store doesn't support.

    "For just 15 USD via Paypal or Bitcoin, our service compiles a kernel with the base distro config of your choice and sends you a private link when the build is complete. The link will provide you with the binary packages, all associated source code, and simple installation instructions. Update plans offer significant cost savings."
     
  5. kinder2

    kinder2 Registered Member

    Joined:
    Aug 17, 2015
    Posts:
    51
    Sorry I never pay for software as a matter of principle, especially when it is for Linux a free OS.
    Is there a leaked or hacked copy of the Grsecurity floating around?
    Gentoo and Arch are too difficult to install, Alpine has no wiki. I want Grsecurity to work on easy Ubuntu or Mint, any help for that?
     
  6. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    625
    Location:
    United States
    You asked for the easiest way and gave no conditions. Also as I said Alpine uses an unsupported GRSec kernel.

    You can try Mempo but I'm betting if Gentoo and Arch are too much mempo will be also. Mempo lacks monetary support so some links are bad etc. Most other distros that support it out of the box like Pentoo or Funtoo are Gentoo derivatives and the workstation user is not their target.

    https://wiki.debian.org/SameKernel

    https://wiki.debian.org/Mempo

    https://wiki.debian.org/grsecurity

    https://wiki.debian.org/Mempo/mempo-deb

    Good Luck.


     
  7. wshrugged

    wshrugged Registered Member

    Joined:
    Jun 12, 2009
    Posts:
    202
    If those hosts could add hardware to their circulations, maybe they could evoke satiety. Will the hosts run dry first? Is there a never ending supply?
     
  8. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    You'd never pay for the software, even in this case from Grsecurity, want it to run user-friendly and don't mind a hacked copy.
    What exactly are those 'security needs' you mentioned in post #1?
     
  9. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    Installing Arch is actually not difficult if you perform those steps in the Installation Guide and the Beginner's Guide. Alternatively, you can install Antergos or install Arch through Architect Linux (formerly Evo/Lution). Both have a graphical installer.
     
  10. Nanobot

    Nanobot Registered Member

    Joined:
    Jun 23, 2010
    Posts:
    238
    Location:
    Neo Tokyo
    What "summerheat" said

    Check this video on how to install Arch with the Architect Linux installer
    https://www.youtube.com/watch?v=oolGy0tZdaM
     
    Last edited by a moderator: Sep 20, 2015
  11. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,977
    Location:
    Brasil
    I think learning how to install Arch is best, because you'll learn more about how Linux works and will make no effort when upgrading the Kernel because the "linux-grsec" maintainers compile the Kernel in a way that 99.99% of Arch software will work out the box (don't forget to read the grsecurity and pax wiki pages, though).

    Compiling the Kernel is easy, actually. You can download the vanilla 4.1.7 Kernel from kernel.org, or download Debian/Ubuntu/Mint default Kernel (from their package repositories, the source-code kernel, not the compiled one) and then just "patch" it with grsec.

    This tutorial makes it really easy, I followed it on Debian and it works: http://www.insanitybit.com/2012/05/...-secure-linux-kernel-with-pax-and-grsecurity/

    Nah, most distros like Ubuntu/Debian have working linux-grsec kernels.

    Actually, grsec developers stated that they will continue to make their Testing patches publicly available in order to support Arch and Gentoo communities.

    So what? It seems you don't get the difference between a business model and a community model.

    Which doesn't matter at all. Grsec devs releases a "generic" patch that works with vanilla kernel, and Arch developers make it fully compatible with Arch. It's really not that hard, not even 100 lines of configuration as far as I remember.

    That is really nice of grsecurity, but it's not needed and just because one doesn't pay doesn't mean the patch won't work.

    What the hell kind of principle is that? :mad:

    Luckly for you they have a Testing repo which is free for everyone.

    Gentoo might be. Arch isn't. If you read the beginner's guide wiki page for the first time you might consider it a 7-headed monster, but watch a few youtube tutorials and you'll understand what each command does and why they're there. Just read the wiki, watch youtube tutorials, and test installing Arch on virtualbox.

    Sorry, I don't work with Help-Vampires.

    He's probably just an immoral and unethical person who downloads tons of pirated software.
     
  12. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    625
    Location:
    United States
    All I did was point to the easiest way for him to get the patches. First I'm told that I am wrong when I c&p'd something directly from the site that no one bothered to actually read (and still won't acknowledge) now its seems to be my fault when someone else said they couldn't install Arch or Gentoo.

    If $15 one time or $120 a year is breaking someone's piggy bank then the problem is with someone's income stream not with the product.
     
  13. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,977
    Location:
    Brasil
    I understand.

    I would pay them 15$ a month if I could, but what I'm saying is that:

    * Nobody needs to pay;
    * Arch and Gentoo are supported;

    In fact, any Linux distro is supported if the user is willing to compile the Kernel.

    And it's not hard to install it on Arch:
    Code:
    pacman -S linux-grsec paxd checksec pax-utils  paxtest
    Then just make sure to boot the right kernel. I don't use GRUB, so my syslinux.cfg is as follows:
    # nano /boot/syslinux/syslinux.cfg

    Code:
    LABEL arch
        MENU LABEL Arch Linux
        LINUX ../vmlinuz-linux-grsec
        APPEND root=/dev/mapper/system-root cryptdevice=/dev/sda2:root rw
        INITRD ../initramfs-linux-grsec.img
     
  14. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    From Debian wiki:
    This may work in Ubuntu and/or Mint.

    Then again, the easiest option is to compile your custom kernel with grsecurity patch. You will learn more about grsecurity in the process.
     
  15. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    I wonder if they are still maintained. The latest kernel therein is 3.14 which probably uses the stable grsecurity patches - like the former Arch linux-grsec-lts kernel which is no longer available because of this. The only alternative would be the Mempo kernels.
     
  16. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    625
    Location:
    United States
    Sorry about bugging out a bit - just a bad day yesterday all around.

    Is Arch compiled like Gentoo? I'll have to give it another shot. Somewhere in the Gentoo documentation I read you could bring up the documentation with a keyboard combo when you needed help during the install which would be great but I didn't bookmark that and can't find it now.
     
  17. wshrugged

    wshrugged Registered Member

    Joined:
    Jun 12, 2009
    Posts:
    202
    Are you referring to this?
    https://wiki.gentoo.org/wiki/Handbo...ional:_Viewing_documentation_while_installing
     
    Last edited: Sep 21, 2015
  18. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    625
    Location:
    United States
  19. kinder2

    kinder2 Registered Member

    Joined:
    Aug 17, 2015
    Posts:
    51
    Thanks for the replies. I am going to get Grsecurity by either installing Arch, or compiling the kernal in Ubuntu or Mint.

    The Architect Linux is just what I was after, a graphical Arch installer with latest Arch files and supported forum activity. It should be mentioned in Arch wiki.

    Before formating my computer and moving to Arch, I want to try compiling my own Grsecurity kernal first on existing Ubuntu and Mint. The Grsecurity site offers 4.x version for free. Do I need to match this with a corresponding 4.x kernal version for Ubuntu and Mint? I think mine are running 3.x currently, which won't match up with the Grsecurity 4.x. Does it matter I change my Ubuntu and Mint kernal from 3.x to 4.x? This is the part that I find no information about after searching.

    The link amar gave for compiling kernal is written in 2012, is there a 2015 version? I hate to run into problem when following outdated wikis.

    The Grsecurity site labels the 4.x version as trial or test. Does this mean it is buggy compared to the stable 3.x version? Any traps for using 4.x instead of the unavailable 3.x?

    When I asked for leaked or hacked stable 3.x, I of course only trust it if it is from reputable source. There is none I came across.

    Mempo is not going to last, the official links already are dead, not placing my trust in the creators. I am forgetting about Gentoo and Alpine because the other alternatives above are far easier for beginner such as I.
     
  20. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,977
    Location:
    Brasil
    No problem :)

    I
    Arch is pre-compiled like all other distros. The best part is that pacman (Arch's package manager) is way faster than the others, installing things 10x faster than dpkg (Debian).

    I
    But Arch's install is easier, way easier. A few youtube tutorials, a few reads on the arch's beginners' guide, and a few test installs on virtualbox, and you're ready to install it "for rea"l.
     
  21. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,977
    Location:
    Brasil
    You don't necessarily NEED, but I highly recommend you to.

    It could lead to disaster if you don't know what you're doing, actually.

    With a little more experience and understanding of Kernel configurations, it's easy to compile grsecurity patches to newer or even older kernels.

    You could use Debian Testing or better, Sid.
    I tested my compilation with a newer Kernel than Debian Sid currently has, and it worked fine, following the tutorial I linked.

    I did give you a tutorial that works.

    Well, generally if you're using Arch or Gentoo you're expected to know how to fix things. But I never ran into problems with the Testing branch of grsec.

    Because no reputable source would do that to another business, and because it's not safe to download "hacked" things, and because almost nobody is that dumb to install "hacked" things into their Linux systems.
     
    Last edited: Sep 22, 2015
  22. wshrugged

    wshrugged Registered Member

    Joined:
    Jun 12, 2009
    Posts:
    202
    You're welcome. Enjoy your project. :)
     
  23. wshrugged

    wshrugged Registered Member

    Joined:
    Jun 12, 2009
    Posts:
    202
    Read your stated contradictions. You need to debug your kernel.
     
  24. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    625
    Location:
    United States
    I remember now when I first installed Arch I thought I screwed it up because there was no browser installed so I moved on now I realize there are very few things built in by default. The barest Cinnamon I have ever seen. Maybe its just Cinnamon that comes browser bare.
     
    Last edited: Sep 26, 2015
  25. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    Do you know if the linux-grsec kernel also comes/supports selinux/apparmor/anything else ?
    linux-grsec is just install, reboot and it will work ?

    Thanks !
     
Loading...