Tips on Grsecurity installation for Gentoo newbies

Postby timbgo » Mon Jun 09, 2014 3:58 pm

This could be a temporary post in this current form. Namely, if it is found out that I can quote those lines in the bottom (read on to understand what exact lines), then most of this text will be deleted from here (more precisely posted onto Gentoo Forums), and I'm yet to decide which parts to still retain, what to add, what to rewrite.

Further below, this text will repeat once again. Why am I posting it here two times? Read and understand. This needs to become common knowledge of GNU/Linux users. This text:


#### can't post on Gentoo as long as copyright issue stands in the way ######

I want that this simple but somewhat hidden from view information, and not common knowledge which it should be, on these total antagonists, the surveillance-enabler SELinux and the privacy-enabler Grsecurity, be available to new GNU/Linux users, especially Gentoo users, for them to decide. I gained it with a considerable effort through the years. I want to share it. Here's an article we can obtain most important information from:

Developer Raps Linux Security
http://www.crmbuyer.com/story/39565.html

I'll quote fractions of it and give my take on them. I'm just a somewhat advanced user, my words can't have much weight, and I don't expect them to, but I believe I am entitled to, and wish to, give advice to users less informed of these issues, beginners in Gentoo, who may even not have the courage to ask on the forums, since it really is often only big boys playing here.

Because Gentoo is looked at from all around the world, and there are a lot of people potentially interested in gaining this information.

A newbie needs to know the general attitude towards security in GNU/Linux has changed since around 2004/2005, the time of the article. It is 2014. I doubt anyone could credibly assert that it has changed for the better in the meantime.

Linus' team sent Spender's team with their security solutions to vendors
========================================================================
You can read in the article how, instead of dealing with the other genius that matches his own stature with respect and in a friendly manner, here is how Linus, via his associates, dealt with Spender.

The article reads:
LinuxInsider wrote:
Spender wrote: What we are told to do currently is to e-mail vendor-sec, which is a large list of people involved with vendors that will handle security issues, However, they cannot be trusted (just recently the uselib() exploit was leaked or stolen from vendor-sec) and they cannot be communicated with securely (they have no PGP key),


LinuxInsider wrote: While 'blackhats' exploit stolen information from vendor-sec, vendors on the list sit on the vulnerabilities, he asserted.
Spender wrote: What results is that the vulnerabilities are being exploited for weeks while Linux users as a whole are unaware that there is a vulnerability,



But the most important information, for a newbie who wants to start developing a privacy-viable Gentoo, is what SELinux really is.

LinuxInsider wrote: Spengler was also critical of LSM, which has been incorporated into version 2.6 of the Linux kernel. He characterized LSM as merely a way to allow the National Security Agency's SELinux to be used as a module.
Spender wrote: The framework is unfit for any security system that does anything remotely innovative, such as grsecurity and RSBAC [Rule Set-Based Access Control],



And now the huge holes that have been introduced into the GNU/Linux kernel, and I doubt that much has changed in the meantime.
LinuxInsider wrote: He contends that LSM provides many hooks deep into the inner workings of the kernel, which can be used just as easily by a rootkit (a program for hacking the root), or malware, as a legitimate security module.
Spender wrote: The hooks LSM provides to rootkit authors were previously very difficult (or impossible) to obtain, so having LSM in the kernel, if unused by a security module that prevents rootkits, will result in new, advanced rootkits that will be nearly impossible to detect,


#### can't post on Gentoo as long as copyright issue stands in the way ######

I announced what I would do "in my next topic" here:
Uninstalling dbus and *kits (to Unfacilitate Remote Seats)
https://forums.gentoo.org/viewtopic-t-9 ... ml#7565530

Find the announcement of my next topic on Gentoo in bottom of that post of mine.

And that topic in which I announced the next is a topic which I based in one fundamental part of it on a very strong but undismissable statement from:
False Boundaries and Arbitrary Code Execution
viewtopic.php?f=7&t=2522
( the string "backdoor any binary on the system" from that Spender's article is easily found in my topic in some four places. I can elaborate if needed. )

I started that topic of mine, the link above, which is mostly concluded at this time, as somewhat advanced user, not expert by any means. I'm simply not one.

Similarly I plan another topic in the same capacity: simply user.

In the next topic that I planned (and announced) to start on Gentoo, I would like to quote from the article that features the interview with the Grsecurity author Spender.

#################################################################################
And my problem for which I am posting this here instead of on Gentoo Forums, is the all-of-a-sudden-arisen (possible) copyright issue.
#################################################################################

I am quite confident that there can not be any copyright issue for my posting it here as a request for opinion whether I can, or whether I should not, pending unknown penalty, quote Spender's words, reported in direct and in indirect speech in that article.

But the aim is posting it in Gentoo Forums, not here.
====================================================

###################################################################
######## This is a request for opinion #############
###################################################################

My regime in Croatia has dragged me through numerous court sessions, and I nearly ended up in jail, due to their rigging of witnesses and various secret arrangements. So I am wary.

Pls. some reader who is qualified (I don't know if Spender can find time for this, I know how developers are busy), pls. reply to me on this question.

Can I use the quoted direct and indirect Spender's words as reported in the article on crmbuyer.com without incurring some unknown penalty?

Look up at the end of quoted article, there is (pasting):

crmbuyer.com wrote: Get Permission to License or Reproduce this Article
Print Version E-Mail Article Reprints More by John P. Mello Jr.


But the link under "Get Permission to License or Reproduce this Article" does nothing unless you pay some price, and the link under "E-Mail Article" simply sends the title and the link and nothing else (I checked it).

I can't really go on, until I solve the permissibility of my quoting Spender... On the other hand, I will open a topic on which this text below should end up, but I will only post a notice and a link to here, on that Gentoo Forums new topic.
I just opened a tentative topic there:

Grsecurity configuration and install, for non-experts
https://forums.gentoo.org/viewtopic-p-7565726.html

The lines from crmbuyer.com that I intend to quote, are close to the bottom of this post.
###################################################################
######## This is a request for opinion #############
### The text below may be deleted here, as soon as ######
##### it is, hopefully, posted on Gentoo Forums #########
###################################################################
 # eselect kernel list
Available kernel symlink targets:
  [1]   linux-3.14.2-hardened
  [2]   linux-3.14.4-hardened-r1 *
  [3]   linux-3.14.4-hardened-r1.ORIG
 #


What linux-3.14.4-hardened-r1.ORIG is, is simply before any configuration whatsoever, let alone compilations in it, a copy of freshly installed linux-3.14.4-hardened-r1/ , of this package:

 # emerge -p hardened-sources

These are the packages that would be merged, in order:

Calculating dependencies                   ... done!
[ebuild   R    ] sys-kernel/hardened-sources-3.14.4-r1:3.14.4-r1  USE="-build -deblob -symlink" 0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB
 #


Simply upon emerge-ing of that hardened-sources package, I did:
 # cp -ai linux-3.14.4-hardened-r1/ linux-3.14.4-hardened-r1.ORIG/


That dir linux-3.14.4-hardened-r1/ , at this time contains the compiled source, because I afterwards compiled and installed from that dir my currently running kernel:

 # uname -a
Linux gbn 3.14.4-hardened-r1-140606-17 #5 SMP Fri Jun 6 17:38:45 CEST 2014 x86_64 AMD Phenom(tm) II X4 965 Processor AuthenticAMD GNU/Linux
 #


You can see it in my /boot:

 # mount /boot/
 # ls -l /boot/
total 15524
-rw-r--r-- 1 root root  102333 2014-05-03 10:02 config-3.14.2-hardened-140503-09
-rw-r--r-- 1 root root  102358 2014-06-06 17:39 config-3.14.4-hardened-r1-140606-17
drwxr-xr-x 6 root root    1024 2014-06-06 17:39 grub
-rw-r--r-- 1 root root 3243059 2014-05-03 10:02 System.map-3.14.2-hardened-140503-09
-rw-r--r-- 1 root root 3216277 2014-06-06 17:39 System.map-3.14.4-hardened-r1-140606-17
-rw-r--r-- 1 root root 4603120 2014-05-03 10:02 vmlinuz-3.14.2-hardened-140503-09
-rw-r--r-- 1 root root 4555840 2014-06-06 17:39 vmlinuz-3.14.4-hardened-r1-140606-17
 # umount /boot/


I decided to save it to demonstrate what is, IMO, the default bad way (IMO!) of configuration that it contains.

There is no .config file in it:

 # ls -l .config
ls: cannot access .config: No such file or directory
 #


But, and you can try it, as soon as you run make menuconfig (or xconfig or some other) and look around it a little, descending via Enter, and ascending back via Esc-Esc (that's hitting Esc two times fast enough):

mybox linux-3.14.4-hardened-r1.ORIG # make menuconfig

and just, when, upon hitting Esc-Esc all the way up, after all your perusal of the options, but without changing any of those whatsoever, when then this screen appears:

            ┌──────────────────────────────────────────────────────────┐
            │  Do you wish to save your new configuration?             │ 
            │  (Press <ESC><ESC> to continue kernel configuration.)    │ 
            ├──────────────────────────────────────────────────────────┤ 
            │                   < Yes >      <  No  >                  │ 
            └──────────────────────────────────────────────────────────┘ 


if you then just moved with the Left Arrow on your keyboard to Yes and hit Enter, then you will have the default configuration in .config that ships with the package.

I saved that default configuration, to be my starting point here, with all the few newbies that I can hopefully reach. I kind of believe in GNU/Linux, and really like Gentoo, and wish that it spreads.

In my opinion, that default configuration, is one of the worst things that happened ever to GNU/Linux, so I'm fighting for the good option, the Grsecurity options, forever live and kicking especially in Gentoo GNU/Linux, arguably the most powerful of all Linuces.

#### FYI: the rest of the post is exact same as on top.
No new text ######
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia
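An added check, not code from the post or from the grsecurity project: a POSIX sh audit of a saved kernel .config for the options this thread argues about (grsecurity and PaX built in, SELinux off, and the LSM framework not left enabled on its own). The CONFIG_ symbol names are the real hardened-sources Kconfig symbols; the two sample configs it writes are constructed stand-ins for a real /usr/src/linux/.config.

```shell
#!/bin/sh
# Added example, not code from the forum post or the grsecurity project.
# Audits a kernel .config for the options the thread argues about.
# CONFIG_GRKERNSEC, CONFIG_PAX, CONFIG_SECURITY and CONFIG_SECURITY_SELINUX
# are the real hardened-sources Kconfig symbols; the sample configs are constructed.

# Print the state of one CONFIG_ symbol in a .config: y, m, n ("is not set"),
# unset (no line at all), or the literal value of a string/int option.
config_state() {
    _s=$2
    _line=$(grep -E "^(# )?$_s( is not set|=)" "$1" | head -n 1)
    case "$_line" in
        "")                 echo unset ;;
        "# $_s is not set") echo n ;;
        "$_s=y")            echo y ;;
        "$_s=m")            echo m ;;
        *)                  echo "${_line#*=}" ;;
    esac
}

# Audit one .config: one verdict line per symbol; returns 0 only when
# grsecurity and PaX are built in and SELinux is off, else 1.
audit_config() {
    _rc=0
    for _want in CONFIG_GRKERNSEC=y CONFIG_PAX=y CONFIG_SECURITY_SELINUX=n; do
        _sym=${_want%=*}; _exp=${_want#*=}
        _got=$(config_state "$1" "$_sym")
        if [ "$_got" = "$_exp" ]; then
            printf 'ok    %-24s %s\n' "$_sym" "$_got"
        else
            printf 'WARN  %-24s %s (expected %s)\n' "$_sym" "$_got" "$_exp"
            _rc=1
        fi
    done
    # LSM hooks compiled in but no grsecurity: the default the post objects to.
    if [ "$(config_state "$1" CONFIG_SECURITY)" = y ] &&
       [ "$(config_state "$1" CONFIG_GRKERNSEC)" != y ]; then
        echo 'WARN  CONFIG_SECURITY (LSM) is on without grsecurity'
    fi
    return $_rc
}

# Constructed stand-ins for a saved default .config and a hardened one,
# written into directory $1; point audit_config at /usr/src/linux/.config instead.
write_samples() {
    printf '%s\n' 'CONFIG_SECURITY=y' 'CONFIG_SECURITY_SELINUX=y' \
        '# CONFIG_GRKERNSEC is not set' > "$1/config.default"
    printf '%s\n' 'CONFIG_SECURITY=y' '# CONFIG_SECURITY_SELINUX is not set' \
        'CONFIG_GRKERNSEC=y' 'CONFIG_PAX=y' 'CONFIG_PAX_NOEXEC=y' > "$1/config.hardened"
}

DEMO=$(mktemp -d)
write_samples "$DEMO"
for f in "$DEMO/config.default" "$DEMO/config.hardened"; do
    echo "== $f"
    audit_config "$f" || echo '   -> not a grsecurity-hardened configuration'
done
rm -rf "$DEMO"
```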

Re: Tips on Grsecurity installation for Gentoo newbies

Postby timbgo » Sun Oct 25, 2015 12:37 pm

Anyway, I thought that newbies need to not (kind of) fear installing grsecurity...

There is a threshold which if you are able to step over it, you can be confident that you can join the good ole pure Unix computing which true FOSS Linux, such as especially Gentoo, still is (just make sure it is depoetterized, or that it has never been poetterized (no systemd, no dbus and associates))...

There is a threshold which if you are able to step over it, you can be confident you can join the pure Unix computing: maybe it is best assessed that you passed that threshold if you can compile your own kernel.

If you can do that, the grsecurity, the common part, the easy part, the patching of the kernel with grsecurity and getting, in Gentoo, the grsecurity-hardened kernel compiled for your machine, is just there within your reach.

And then, you can take time, even long time, to complete the deployment of grsecurity which, while really complete only with also RBAC policy deployed, is still so much more secure, hugely more secure than a no-grsecurity-hardened kernel!

There is no comparison.

It took me several months to spend a few occasional weekends dedicated solely to gradm RBAC deployment, and in the meantime, I had got a huge following to my Debian Tips page! Before I even deployed RBAC policy and before I was able to administer my machine with gradm!

And I had still been quite safe, still... A few holes in the kernel I closed only later with RBAC and gradm, but I had still been quite safe already before deploying RBAC policy.

I thought newbies, and ambitious newbies will like to test their skills with Gentoo, surely!...

I thought newbies need to know this!

There really is hardly true security for poor users (and I'm sure also businesses, remember that Microsoft tried to steal grsecurity for their Skype)...

[There really is hardly true security for poor users] without grsecurity/PaX.

And the installation and deployment can be done gradually in slow time.

I came to the conclusion to try and write a few words of encouragement for newbies looking into grsecurity, after I, apparently, successfully helped a Gentoo user to keep up and keep on the right path with his Gentoo-OS machine:

I do not understands GrSecurity's RBAC-System with gradm
https://forums.gentoo.org/viewtopic-t-1030126.html

(
find there the reference and the link to the Debian Tips page mentioned above, and in that tip you should be able to find the links to the Microsoft attempt to steal grsecurity... Aaargh, I must find it now.... Here for the kind newbie readers:

Grsecurity/Pax installation on Debian GNU/Linux
http://forums.debian.net/viewtopic.php? ... 16#p516896

and search for the string 'Microsoft' without quotes
)

I really wish I was brighter and could spread these privacy-defending programs grsecurity/PaX (usually called just grsecurity for short) with teaching newbies more about it, but I'm overwhelmed with other work...

Regards!
timbgo
 

Re: Tips on Grsecurity installation for Gentoo newbies

Postby timbgo » Mon Feb 01, 2016 9:32 am

Sadly this is a repeat of the information that I forgot I had already posted. However, I don't believe in deleting posts. It's poor eyesight and other issues with my health. Sorry!

=========== Pls. disregard. Already given in previous post. ===========
There is a piece of advice that Gentoo newbies seem to appreciate, and some links good for Gentoo newbies to visit at:

I do not understands GrSecurity's RBAC-System with gradm
https://forums.gentoo.org/viewtopic-t-1030126.html
=========== Pls. disregard. Already given in previous post. ===========

Regards!
Miroslav Rovis
http://www.CroatiaFidelis.hr
timbgo
 

