Easiest way to get Grsecurity and Pax on Linux

Discussion in 'all things UNIX' started by kinder2, Sep 18, 2015.

  1. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    OP seems like a very serious candidate for the troll of the month award.
     
  2. kinder2

    kinder2 Registered Member

    Joined:
    Aug 17, 2015
    Posts:
    51
    I have nothing against learning, in fact I started my Linux adventure with an optimistic and open mind. I kept hearing how Linux is the most secure OS, then I discovered by default Linux is not secure, it has few malware only by obscurity, and any hacker can target and hijack a default Linux setup more easily than a Windows setup loaded with security software. This made me search for improving Linux security. Every tweak I do to harden Linux has found problems. None of the tutorials work completely. It is normal to become irritated and impatient after repeatedly running into problems, with no one giving straight answers.
    In Windows it is easy to manage HIPS, a popup appears when you do something, you click to allow or deny. In Linux the HIPS does not give popup, you need to dig in a text file and add commands, there is no real time feedback, you need to check log file to see what happened when. It is too much work compared to Windows.
    I tried to install Arch, which comes with Grsecurity, but the loading of the boot CD gives fatal error of CPU Fifo underrun, I search online what it means and found no answer. Another example of Linux always having a problem. Besides I am not sure if Arch philosophy is for me, keeping Arch updated will probably be a pain.
    I'll just settle for Apparmor and Firejail until someone competent writes a proper working tutorial for Grsecurity.
     
  3. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    That's not what you showed us.

    Where in the hell did you get this BS? On "I-love-windows-and-linux-sucks.com"?

    I could refute your statements one by one, but I don't have time for this crap again. Read the following threads:

    * Arch Linux and anti-malware?
    * [TUTORIAL] Expert Linux Firewalling

    But I have a sense that you don't want to learn, just like zakazak.

    That's because YOU are the problem ;) Don't blame the tutorials, they worked fine when they were created. You don't know much about Linux and that's fine, but you need to learn more about it in order to understand WHY those tutorials aren't working for you.

    Probably you installed grsec and pax and didn't learn their manuals and therefore you don't know how to add exceptions. Read this: https://wiki.archlinux.org/index.php/Pax#PaX_exceptions

    It's like if you car broke and you wanted everyone to fix it. Instead, we pointed you to the mechanics.

    That's because people who actually need this kind of protection are sysadmins. You see, webservers are completely open to the internet, so they need to secure ssh/git, make it so that no user gets root access, etc. To be more cautious, a sysadmin could install a HIPS tool, but there's a big difference: he wanted to learn how to use the tool, and you didn't.

    And this is why you don't have fancy GUI's for this kind of software, because nobody really bothered to write one... because 99.99% of people know how to manage things.

    Arch Linux might look like a 7-headed monster when you read the beginners' guide, but once you read it a few times and watch a few youtube tutorials, you'll realize it's a piece of cake to install. And after you install it, it's pretty simple to install linux-grsec. Here, I'll give you a link to my repository where I have all commands to install grsecurity and pax on Arch:

    https://github.com/amarildojr/Arch-Linux_what-to-do/blob/master/Step 3: GRSecurity + Pax

    It doesn't come with grsecurity. By default Arch comes with vanilla ("default") Linux Kernel.

    I said it one time, you might be trying to boot x64 on an x86 CPU. Either that, or your media (DVD, USB) are corrupt. I've used every single Arch ISO they put out and never encountered such error.

    Did you try to get help on their forums?

    Nononono!

    Keeping Arch up-and-running will require way less effort than keeping an Ubuntu install running. All you have to do is:

    Code:
    pacman -Syu
    Just remember to read the news, the forums, and the RSS feed, because all systems may experience bugs once in a while.

    In 3 years that I've been running Arch, I only experienced two bugs.

    • Virtualbox was updated while virtualbox-host-modules wasn't. This caused the virtual machines not to start. Nothing to panic, there was an easy solution which was to install virtualbox-host-modules from the [testing] repo;
    • LVM outputed an error on boot. Nothing to worry too, boot resumed fine.
    These two errors were fixed in 2-3 days.
    I've had less problems running Arch for 3 years than running Ubuntu for 10 minutes. I'm not kidding! hehehehe.[/code]
     
  4. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    OP, I hope you have learnt your lesson. If yes, good; if not, very good. Just writing this for the sake of people who will come here searching how to install a Grsec kernel in Ubuntu.

    Go to synaptic package manager, search for gcc and see which version of gcc you have in your system. Install the corresponding version of gcc-*-plugin-dev. If you have gcc-4.8, you install:
    gcc-4.8-plugin-dev

    make-kpkg is not recommended. For that to work, you have to install the package "kernel-package". Instead use only this:

    make deb-pkg

    If compilation is successful four .deb packages will be generated. You install the only one that corresponds to the main kernel image.
     
    Last edited: Oct 9, 2015
  5. kinder2

    kinder2 Registered Member

    Joined:
    Aug 17, 2015
    Posts:
    51
    What lesson, you mean learning that some Linux helpers have an attitude problem and superiority complex? Nothing new there.
    How hard was it to write this instead of throwing the textbook at people. I hope you learnt your lesson.
    The gcc problem is solved, but the "make deb-pkg" command is a problem. Get this, the kernal size is 0.5gb, after leaving "make deb-pkg" running on it for 3 hours it filled up a 30gb hard drive. Needless to say I cancelled the command, could not find where the space went, had to system restore the computer to get it back to normal. Your new instructions do not work unless I am missing something too obvious for the high and mighty to mention.
     
  6. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    Nothing can work for someone like you. Anybody having a semblance of working brain will get this to work, which obviously eludes you. Better use some toy operating system (if there is any) which will do whatever you want without you needing to do anything.

    Others who may want to install grsec in Ubuntu/Mint/Debian: these instructions work, it's that the one sitting infront of computer who has is the problem.
     
  7. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    Can you please elaborate what lesson is this? Who's helping who here? Or am I your paid help? What will I get if you use Linux, Windows or some toyOS or don't use anything? Do you think it's some sort of duty for people to help you, with this pathetic attitude?

    My vote goes to OP too.
     
  8. kinder2

    kinder2 Registered Member

    Joined:
    Aug 17, 2015
    Posts:
    51
    Look at all the good working tutorials littering the internet, do the authors get paid for writing them? No. Do people get paid to write entries in wikipedia? No. It is the norm today to share information for free. Frankly I do not care what motivates them to do it for free, perhaps it makes them feel good to help others, to share their thoughts, and to satisfy their egos showing off their knowledge. None of them care about the attitude of readers they are helping, otherwise there will be no information shared on the internet.
    Why did you bother replying at all, did you ask yourself?
    The lesson for you? Do not create confusion by attempting to help with your half baked non working solutions and giving the textbook to read. Do not expect others to give you a pat on the back for a vague incomplete reference. Spend the extra minute to type out a solid solution, or be silent. There is nothing worse than a time waster. Save the space for someone who actually makes helpful comments. Remember that.
     
  9. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    There can be no full-baked solution for an idiot. These non-working solutions work for me, as well as for others, every time I compile a kernel. This is my last post in this thread, no point arguing with a complete idiot.
     
    Last edited: Oct 13, 2015
  10. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    LOL, I'm having a good laugh at this thread! :argh::argh::argh:

    Probably because they make a tutorial and leave it at that, not many users will complain like "boohoo it's not working for me!!! FIX MY PC NOOOWWW!!111! I WANT A STRAIGHT ANSWER THAT WILL SOLVE ALL MYSTERIES OF THE UNIVERSEEeee!!!!!"
     
  11. kinder2

    kinder2 Registered Member

    Joined:
    Aug 17, 2015
    Posts:
    51
    He gave an instruction that set off a neverending compile loop filling up the hard drive without warning, how are users supposed to swallow that and smile
     
  12. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    But compiling does that disk space, developers know that. But in the end, it's all cleaned up and only small files are generated. And it takes time too, it took me 2 hours to compile the Kernel. It's all normal.

    But then again, it's much easier to just learn how to install Arch and follow the guide I provided you (linking to my github page) than staying here complaining. You're actually useful when you DO things, you know...
     
  13. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    But I agree that a LOT of things in Linux are just plain stupid and a TON of things don't work.
     
  14. kinder2

    kinder2 Registered Member

    Joined:
    Aug 17, 2015
    Posts:
    51
    Good man, you talk sense unlike the other rude man.
    If compile takes so much space I need to buy a new hard disk.
    I wanted to install Arch, tried 32 bit version, it gave CPU error on my computer, probably incompatible with my old computer. If I get it installed one day I use your github.
     
  15. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    Yes, Arch is not compatible with older architectures, althouth it still supports i386 (but they'll drop support soon). Arch is a rolling release distro, you'll always get the latest software. On top of that, Arch only has around 30 developers, so they can't support more architectures.


    What processor was that?

    If your harddisk is 1 GB in capacity :( I had a HD like that while using Windows 95, you know? hehehe
    And compiling doesn't take much space, I think only 1 GB in the hard drive.

    The most probable cause of your problems isn't Arch or the Tutorials or the people here, but your old AF computer.
     
    Last edited: Oct 14, 2015
  16. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    The most probable cause for some people's problems are their moronic attitude. Sorry for breaking my promise of not posting again, I couldn't resist this temptation.


    This is the case with everything-- not just Linux, not just Operating systems, not just computer systems. Then again how can something possibly work without the person concerned making any effort to even try to make it work.

    Why are you giving the suggestion of using Arch? Do you think someone who doesn't even have a slightest of clue about what "*" means in the context of terminal commands, can possibly use Arch? And then even if he succeeds in installing Arch by the grace of God, he will be completely destroyed in the Arch forums. And then the blame will shift to you.

    Bottom line: Don't even try to help a moron.
     
  17. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    On Arch: If I simply download linux-grsec and enable it in grub + reload grub, is that all I have to do or will any parameters/settings that I haven previously done to tweak my system get lost ?
     
  18. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    Nothing will get lost. You don't have to do anything except installing the grsec package. I don't think you have to update grub either -- I don't really know because I have a multi boot setup where Arch doesn't have the grub. Even if it isn't automatic you just have to type this:
    # grub-mkconfig -o /boot/grub/grub.cfg

    Don't forget to install the paxd package, otherwise you won't have a running X with pax enabled.
     
  19. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Thank you, and from what I understand there isnt anything else I wiuld have to configure afterwards in grsecurity/pax?
     
  20. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    I try hard not to make things personal :) Could OP be the only cause of his problems? Probably, but I consider his old computer to be the most probable cause of his problems.

    That is very debatable and subject to a long conversation between you and me :D

    Yes. Arch isn't the 7-head monster people make it look. After reading the Beginner's Guide a few times and watching YouTube videos on how to install the system, one can do so. I'm recommending Arch because installing grsecurity there is a piece of cake :)

    Considering he doesn't use that old PC of his, I don't think he will have problems.

    Yeah, I kind of imagine him doing so if problems arise :p

    Read the Wiki :) All info is there. To sum it up: you have to make your boot manager (be it GRUB or Syslinux) to boot the correct Kernel. More instructions on my Github page.

    Remember: most people that use Arch get mad when people ask things that are in the Wiki :argh: I'm not one of them but everyone has a threshold.

    RTFM :thumb:
    https://wiki.archlinux.org/index.php/Grsecurity
     
  21. Michael371

    Michael371 Registered Member

    Joined:
    Oct 20, 2015
    Posts:
    7
    Hey guys,

    Sorry to bump up an older thread. :)
    But my question might also be usefull to others searching in this thread how to install compile a grsecurity kernel for Debian Jessie.

    I personaly dont' have any problems with compiling a kernel, and the various grsecurity/pax options are fairly well documented in the (very good) grsecurity documentation. I have confidence the kernel part won't be a problem. I did the comiplation several times on Arch :) So no questions about the compilation it self.

    My question is more related to systemd on Debian Jessie. My laptop (macbook pro mid 2010) runs realy well with it, and i'm a long time Debian user so i prefer to keep on using it with grsecurity.

    Do i need to do any extra steps, besides the compilation and installation of the kernel and gradm?

    For example, the debian wiki mentiones a script that i have to run the grsecurity/setfattr script in order to be able to use java related things like libreoffice and firefox. The link provided leads to the mempo git repository, but the link is dead. I managed to find another script with the same name on the mempo repo. It executes a lot of settfattr commands on libraries and and binaries, mostly related to mozilla applacations. The in documentation lines of the script are telling me that the related programs will not be protected.

    I'm getting a little confused about this :p
    I do use Linux for quite a long time, but i'm fairly new to grsecurity/pax/rbac. And i realy want to learn how to properly set it up.

    Can you please point me in the right direction?
    English is not my native language, so i hope i made my question clear to you.

    Thanks in advance for your answer!

    Regards,
     
  22. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    First of all, none of the Mempo links work, so forget about it.

    As you are just starting with Grsecurity you should compile the kernel with PAX set to "soft mode" that is it is disabled by default and you enable it for selected binaries which you want to protect. These are the relevant configs:
    CONFIG_PAX_SOFTMODE=y
    CONFIG_PAX_PAGEEXEC=n
    CONFIG_PAX_EMUTRAMP=n
    CONFIG_PAX_MPROTECT=n
    CONFIG_PAX_SEGMEXEC=n ( Only for x86 CPUs)
    CONFIG_PAX_RANDMMAP=n


    Now you can compile the kernel. Install the paxctl package which is used to set PAX flags on a per ELF object basis.

    This is how you enable PAX PAGEEXEC, EMULTRAP, MPROTECT, RANDMMAP and SEGMEXEC for a binary

    Code:
    # paxctl -PEMRS /path/to/binary
    Paxctl makes use of the PT_PAX_FLAGs, not XATTR_PAX. But XATTR_PAX is the recommended way. But I don't know how to setup XATTR_PAX flags in Debian.:doubt:
     
    Last edited: Oct 21, 2015
  23. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Thanks for that, and where can I set those relevant config parameters before compiling / installing with pacman -S linux-grsec ?
     
  24. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    C'mon! You're an Arch user now, you HAVE to look these things up or otherwise people will get tired of feeding the answers to you :D Use DuckDuckGo to find what is the ".conf" file that exists within the kernel directory before compiling. I already said where you can find the .conf file. In fact, in that same post, I also said where to get the Kernel that Arch uses, and this Kernel has everything, including that .conf file that has the options you're looking for.
     
  25. Michael371

    Michael371 Registered Member

    Joined:
    Oct 20, 2015
    Posts:
    7
    Thanks for your reply!

    I decided to switch back to Arch, it's easier to start with a working setup and adapt it to my needs. When i gained enough knowledge about Grsecurity / Pax i'll probably switch back to Debian and try to set it up there.
    I've got the grsecurity kernel up and running now, and i'm tinkering with the settings to see the effects of my actions to my system.
    I managed to compile the kernel in Debian, but it left me with a lot of problems :p, like locking myself out of X windows, and not being able to start java related software.
    In Arch the problems are way less severe, the only thing i encountered up to now is being unable to save documents in Libreoffice, but i'll work that out.

    Greetz,

    Edit: typo​
     
    Last edited: Oct 22, 2015
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.