Tips on Grsecurity installation for Debian newbies

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Moderators: spender, PaX Team

Re: Tips on Grsecurity installation for Debian newbies

Postby timbgo » Thu Aug 27, 2015 10:54 am

This is good for newbies to know (and I still dream to learn RBAC deploying so well as to teach newbies to deploy it)...

This is good that newbies learn how it is (although mostly they won't be able to grasp completely the topic):

Re: Issues with and RBAC Policy for Postfix
viewtopic.php?f=5&t=4230#p15473

Just to get the feeling of what you need to defend yourself from, and the defences available to you.

Regards!
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

Re: Tips on Grsecurity installation for Debian newbies

Postby timbgo » Tue Jul 26, 2016 10:39 am

Apparently, Debian, Ubuntu, Devuan and other debian based/forked distro users, can now use:

Debian GrSecurity Kernels (by Abyss Project)
https://abyssproject.net/debian-grsecurity-kernels/

as I learned recently in this post:
PHP: denied RWX mmap of <anonymous mapping>
viewtopic.php?f=3&t=4513

(I haven't tried, but maybe it's really fine.)
---
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

Re: Tips on Grsecurity installation for Debian newbies

Postby timbgo » Sun Aug 07, 2016 6:48 am

Reading over at this great privacy nerd and developer's site:
Micah Lee's Blog
https://micahflee.com/2016/01/debian-grsecurity/

I learned that finally grsecurity seems to be going mainstream in Debian (haven't checked how Devuan, it's no-systemd fork, my favorite-to-be, stands on this, but I'm sure they'll catch up). Here:

https://wiki.debian.org/grsecurity

and the packages:

https://packages.debian.org/search?suit ... inux-grsec

Anyway, grsecurity seems to be going mainstream. Finally! If only NSA Linux went into history, and stay in the past from a point that we would live soon in the future... The point when it becomes obsolete. NSA, ahem, SELinux.

And that we remember the light that still shines about how it was introduced, way back to years of this interview that tells the story how the LSM was invented for the sake of the rootkit hooks for the NSA, ahem, SELinux, ahem, hardening....

...[seems to be going mainstream] indeed. I'll give a title to this conversation btwn people that lead in Linux kernel (of which "Greg" in the conversation must be the signer of the stable Linux kernel, IIUC, Greg Kroah-Hartman)...

...[I'll give a title to this conversation] by copying one line from the conversation verbatim:

Who wants to see grsec fail?
https://soylentnews.org/comments.pl?sid ... ommentwrap

I had long ago written that even Gentoo without grsec will become just nice looking crap. Even Gentoo, which is probably the most nerdy of all distros...!

Here, in bottom of this post in this topic:
NSA SELinux Support??? wrote:...
If Grsecurity were not viable in Gentoo, Gentoo will become just nice looking crap, nothing else.
---


And I'm glad to see that the industry is finally, it appears to me so, slowly catching up with what spender and PaX Team have long advocated needs to be done to fix the kernel.

And that there will probably be no more need for me to add much to this topic in the future... (But you never know about future, so lets wait and see...)
---
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

Previous

Return to grsecurity support

cron