
need grsecurity for 2.6.18 kernel

Posted: Sat Jan 05, 2008 12:14 pm
by cizzi
Where can I get grsecurity for 2.6.18 Debian etch? Also, does it come with a complete README or INSTALL, as this is my first time applying this patch?

Thanks

Re: need grsecurity for 2.6.18 kernel

Posted: Sat Jan 05, 2008 9:50 pm
by cizzi
I found grsecurity-2.1.9-2.6.18-200610021833.patch, but when I applied it to my 2.6.18 kernel I get 4 errors which prevent it from compiling. I followed the directions from the grsecurity quickstart guide. Any help would be appreciated.

Re: need grsecurity for 2.6.18 kernel

Posted: Sun Jan 06, 2008 10:12 am
by Oscon
I have an "alternative" grsecurity patch for the 2.6.18 vanilla kernel. Basis: Debian etch kernel.

It contains some backported patches (for example grsecurity, k8temp driver, IDE_ACPI, / "pax expand stack() update" / etc.)

http://www.freeweb.hu/oscon/debhyber.patch.bz2

You can apply this patch - I hope it works ;-) - with vanilla 2.6.18 and it works with gradm 2.1.9.

OFF: Sorry, I don't speak good English.

Re: need grsecurity for 2.6.18 kernel

Posted: Sun Jan 06, 2008 2:26 pm
by cizzi
I can't uncompress your file. I tried tar and gunzip without success.

Re: need grsecurity for 2.6.18 kernel

Posted: Sun Jan 06, 2008 2:47 pm
by Oscon
You have to use bunzip2 to uncompress this file (debhyber.patch.bz2). ;-)

then / for example /
Code:
cd /usr/src/linux
patch -p1 -E < debhyber.patch

Re: need grsecurity for 2.6.18 kernel

Posted: Sun Jan 06, 2008 6:03 pm
by cizzi
Alright, I uncompressed it, but when I apply the patch I get asked questions:

root@silver1:/usr/src/linux-source-2.6.18# patch -p1 -s < debhyber.patch
Reversed (or previously applied) patch detected! Assume -R? [n]

what do I do?

Re: need grsecurity for 2.6.18 kernel

Posted: Mon Jan 07, 2008 12:10 pm
by Oscon
cizzi wrote: Alright, I uncompressed it, but when I apply the patch I get asked questions:

root@silver1:/usr/src/linux-source-2.6.18# patch -p1 -s < debhyber.patch
Reversed (or previously applied) patch detected! Assume -R? [n]

what do I do?


linux-source-2.6.18 isn't the vanilla 2.6.18 kernel. It is a 2.6.18 kernel with Debian patches / 2.6.18-17 /.

This patch contains these Debian patches / 2.6.18-17 /, so you got "this message" / previously applied / ! You must not use the Debian kernel with this patch!!

This patch works ONLY with the vanilla 2.6.18 kernel, but it contains the Debian patches (2.6.18-17) / for example security fixes, minor bugfixes, others /.

For example

Code:
1. wget ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-2.6.18.tar.bz2
2. cd /usr/src
3. tar -xjf ["directory"]/linux-2.6.18.tar.bz2
4. cd /usr/src/linux-2.6.18
5. bunzip2 debhyber.patch.bz2
6. patch -p1 -E < debhyber.patch
...
x. make menuconfig /xconfig, other
....
/if you use debian / y. make-kpkg --revision silver.20080109 --bzimage kernel_image etc...
z. cd ..
dpkg -i kernel-image-2.6.18-limbo*deb


:-)
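
The mismatch Oscon describes above (a combined patch whose Debian parts are already present in the Debian source tree) can be detected before anything is modified. The script below is an added example, not part of the thread and not the posters' code; it assumes GNU patch and diff, and `preflight_patch`, `demo` and the two-file sample tree are hypothetical names and constructed data.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU patch and GNU diff.

# preflight_patch TREE PATCHFILE
# Dry-runs PATCHFILE (-p1) against TREE without modifying it and prints:
#   clean        every hunk applies
#   not-vanilla  some files already contain the change (patch sees them as reversed)
#   conflict     hunks fail for some other reason
preflight_patch() {
    tree=$1
    case $2 in /*) pf=$2 ;; *) pf=$PWD/$2 ;; esac
    status=0
    # -N: never offer to reverse; -t: never prompt; --dry-run: touch nothing.
    out=$(cd "$tree" && LC_ALL=C patch -p1 -N -t --dry-run < "$pf" 2>&1) || status=$?
    reversed=$(printf '%s\n' "$out" | grep -c 'Reversed (or previously applied)' || true)
    failed=$(printf '%s\n' "$out" | grep -c '^Hunk #[0-9]* FAILED' || true)
    if [ "$status" -eq 0 ]; then
        echo "clean"
    elif [ "$reversed" -gt 0 ]; then
        echo "not-vanilla reversed_files=$reversed failed_hunks=$failed"
    else
        echo "conflict failed_hunks=$failed"
    fi
    return "$status"
}

# Constructed sample: a two-file "kernel", a combined patch carrying a distro
# fix (a.c) plus a hardening change (b.c), and a distro tree that already has
# the a.c fix. Prints the verdict for the vanilla tree, then the distro tree.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/vanilla" "$d/new" "$d/distro"
    printf 'int a;\nint fix = 0;\nint z;\n' > "$d/vanilla/a.c"
    printf 'int b;\nint hard = 0;\nint y;\n' > "$d/vanilla/b.c"
    printf 'int a;\nint fix = 1;\nint z;\n' > "$d/new/a.c"
    printf 'int b;\nint hard = 1;\nint y;\n' > "$d/new/b.c"
    cp "$d/new/a.c" "$d/vanilla/b.c" "$d/distro/"
    # diff exits 1 when the trees differ, which is the expected case here
    (cd "$d" && diff -ruN vanilla new > combo.patch) || true
    preflight_patch "$d/vanilla" "$d/combo.patch" || true
    preflight_patch "$d/distro" "$d/combo.patch" || true
    rm -rf "$d"
}
```

A `not-vanilla` verdict corresponds to the "Reversed (or previously applied) patch detected!" prompt quoted above: the answer is to switch to a pristine tree, not to answer the prompt.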

Re: need grsecurity for 2.6.18 kernel

Posted: Mon Jan 07, 2008 1:14 pm
by cizzi
Then I guess I can't use it because I compile with that version of the kernel source for some previous patches that only work with that version. (User ip accounting Patch).

Re: need grsecurity for 2.6.18 kernel

Posted: Mon Jan 07, 2008 3:38 pm
by Oscon
cizzi wrote: Then I guess I can't use it because I compile with that version of the kernel source for some previous patches that only work with that version. (User ip accounting Patch).


I don't know the user ip account patch.

maybe.... :

1st : 2.6.18 vanilla kernel
2nd : debhyber patch
3rd : "useripaccount" patch and other minor patches...

I think the UIpacc. patch is small and it changes only the networking section of the kernel. (?)

maybe it works. (?)

Re: need grsecurity for 2.6.18 kernel

Posted: Tue Jan 08, 2008 7:44 am
by cizzi
It compiled fine. When I booted into the new kernel it hangs on a line complaining about "disabling logging for 10 seconds" and repeats that same message over and over. When I did make menuconfig I only selected "GR Security" and high security level.

Re: need grsecurity for 2.6.18 kernel

Posted: Tue Jan 08, 2008 1:20 pm
by Oscon
cizzi wrote: It compiled fine. When I booted into the new kernel it hangs on a line complaining about "disabling logging for 10 seconds" and repeats that same message over and over. When I did make menuconfig I only selected "GR Security" and high security level.


I can't reproduce your problem... :(

I tested a "default grsecurity high" kernel, but I haven't got any problems.

Code:
#
# Security options
#

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_PAGEEXEC is not set
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
# CONFIG_PAX_KERNEXEC is not set

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
# CONFIG_PAX_MEMORY_SANITIZE is not set
# CONFIG_PAX_MEMORY_UDEREF is not set

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
CONFIG_GRKERNSEC_HIGH=y
# CONFIG_GRKERNSEC_CUSTOM is not set

#
# Address Space Protection
#
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODSTOP=y
CONFIG_GRKERNSEC_HIDESYM=y

#
# Role Based Access Control Options
#
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=1001
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
# CONFIG_GRKERNSEC_CHROOT is not set
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
# CONFIG_GRKERNSEC_PROC_IPADDR is not set
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDISN=y
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDRPC=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
# CONFIG_GRKERNSEC_SYSCTL is not set

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
# CONFIG_KEYS is not set
# CONFIG_SECURITY is not set


Please upload your kernel config and your kern.log or syslog - for example - to pastebin.ca.
What are the last 10 lines in kern.log before "disable logging"? Which daemons have you got in the "boot process"?

A last question:

Have you got the same problem without "useripacct" and other minor patches?

Re: need grsecurity for 2.6.18 kernel

Posted: Tue Jan 08, 2008 3:35 pm
by cizzi
I tried recompiling without some options, same thing. I think I will just forget about it. I'll secure my system in other ways.