EDIT start
https://forums.grsecurity.net/viewtopic.php?f=3&t=3709
EDIT end
This, I believe, is the other side of the same coin to what we will find here. So most of the time I won't go into details again on what is described in that first part.
Code:
root@debinv35:/home/mr# uname -r
3.10.9-grsec-130821
root@debinv35:/home/mr# grub-mkconfig -o /boot/grub/grub.cfg
Killed
Generating grub.cfg ...
Found linux image: /boot/vmlinuz-3.10.9-grsec-130821
Found initrd image: /boot/initrd.img-3.10.9-grsec-130821
Killed
Killed
Found linux image: /boot/vmlinuz-3.10.5-grsec-130807
Found initrd image: /boot/initrd.img-3.10.5-grsec-130807
Killed
Killed
Found linux image: /boot/vmlinuz-3.10.4-grsec-130806
Found initrd image: /boot/initrd.img-3.10.4-grsec-130806
Killed
Killed
Killed
Syntax errors are detected in generated GRUB config file.
Ensure that there are no errors in /etc/default/grub
and /etc/grub.d/* files or please file a bug report with
/boot/grub/grub.cfg.new file attached.
done
root@debinv35:/home/mr#
However, it's only Grsec/Pax that needs to be relaxed in some particular configuration options.
I kind of know it, because the previous Grsec/Pax install on the 3.10.5 kernel, which I checked, where I was still only practicing installing Grsec/Pax (now it's time to deploy it more fully), runs grub-mkconfig faultlessly.
So, my current configuration with most of the Grsec/Pax bells and whistles deployed follows (somewhat based on Gentoo's grsecurity guide, but I noticed they have been lagging behind, and quite a few of the newer options are not there either; so I'm really left with only the terse and precise kernel help).
Actually, before Grsecurity's 180 or so lines, I think I need to find some Debian security peculiarities, if I haven't disabled them all yet. Such as this, which readers should check first when installing Grsec/Pax on Debian:
Code:
# cat /boot/config-3.10.9-grsec-130821 | grep -i selin
#
That is checking whether anything pertaining to SELinux is installed. If it is, disable those options. (It goes without saying: check your own grsec kernel config file, don't just blindly copy my line(s). That applies to other places in my "prolific writing" (the Pax Team's words) as well.)
Code:
│ │ Grsecurity ---> │ │
│ │ -*- Enable access key retention support │ │
│ │ < > TRUSTED KEYS │ │
│ │ < > ENCRYPTED KEYS │ │
│ │ [*] Enable the /proc/keys file by which keys may be viewed │ │
│ │ [ ] Restrict unprivileged access to the kernel syslog │ │
│ │ [ ] Enable different security models │ │
│ │ -*- Enable the securityfs filesystem │ │
│ │ [ ] Enable Intel(R) Trusted Execution Technology (Intel(R) TXT) │ │
│ │ Default security module (Unix Discretionary Access Controls) │ │
│ │ │ │
The above is just a paste. Pressing '?' gives the name of the configuration option under "Enable the /proc/keys...":
CONFIG_KEYS_DEBUG_PROC_KEYS
I'll leave it, I don't know if I need it or not... No. I'll deselect it. There's talk there of "LSM security" (Linux Security Model) and I know Grsec/Pax don't need those. So:
Code:
│ │ [ ] Enable the /proc/keys file by which keys may be viewed │ │
I did find something peculiar. And will explain it verbosely. But first let's get you the long-awaited Grsec/Pax configuration, 180-something lines, which can be found as one consecutive run of lines in /boot/config-my-grsec-patched-kernel.
Code:
#
# Security options
#
#
# Grsecurity
#
CONFIG_PAX_KERNEXEC_PLUGIN=y
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_TASK_SIZE_MAX_SHIFT=42
CONFIG_PAX_USERCOPY_SLABS=y
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_CONFIG_AUTO is not set
CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
#
# Customize Configuration
#
#
# PaX
#
CONFIG_PAX=y
#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_XATTR_PAX_FLAGS is not set
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_MPROTECT_COMPAT=y
# CONFIG_PAX_ELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="bts"
#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
#
# Miscellaneous hardening features
#
CONFIG_PAX_MEMORY_STACKLEAK=y
CONFIG_PAX_MEMORY_STRUCTLEAK=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_CONSTIFY_PLUGIN=y
CONFIG_PAX_USERCOPY=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
CONFIG_PAX_SIZE_OVERFLOW=y
# CONFIG_PAX_LATENT_ENTROPY is not set
#
# Memory Protections
#
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_JIT_HARDEN=y
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
# CONFIG_GRKERNSEC_MODHARDEN is not set
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_KERN_LOCKOUT=y
#
# Role Based Access Control Options
#
# CONFIG_GRKERNSEC_NO_RBAC is not set
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
# CONFIG_GRKERNSEC_PROC_USERGROUP is not set
CONFIG_GRKERNSEC_LINK=y
# CONFIG_GRKERNSEC_SYMLINKOWN is not set
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
CONFIG_GRKERNSEC_ROFS=y
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
# CONFIG_GRKERNSEC_CHROOT_INITRD is not set
#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_PTRACE=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
#
# Executable Protections
#
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
# CONFIG_GRKERNSEC_TPE is not set
#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set
#
# Sysctl Support
#
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=6
CONFIG_KEYS=y
# CONFIG_TRUSTED_KEYS is not set
# CONFIG_ENCRYPTED_KEYS is not set
CONFIG_KEYS_DEBUG_PROC_KEYS=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
# CONFIG_SECURITY is not set
CONFIG_SECURITYFS=y
# CONFIG_INTEL_TXT is not set
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_DEFAULT_SECURITY=""
CONFIG_XOR_BLOCKS=m
CONFIG_ASYNC_CORE=m
CONFIG_ASYNC_MEMCPY=m
CONFIG_ASYNC_XOR=m
CONFIG_ASYNC_PQ=m
CONFIG_ASYNC_RAID6_RECOV=m
CONFIG_CRYPTO=y
And now what I found.
Code:
# cat /boot/config-3.10.9-grsec-130821 | grep PAX_MEMORY_SANITIZE
#
(That is, it returns empty string!)
Not there! What do you mean?
Well, let's look into the page in menuconfig where it should appear, and I'll also show the pages that open in between, from the initial one to the Grsecurity configuration already shown above, so newbies might find it easier to follow.
Pls. note the pointer on each page, on the left, "->". That's not in the actual menuconfig pages; that is what I put there to tell you what to click to get the next page shown.
Code:
│ │ [*] Grsecurity │ │
│ │ Configuration Method (Custom) ---> │ │
->│ │ Customize Configuration ---> │ │
Code:
->│ │ PaX ---> │ │
│ │ Memory Protections ---> │ │
│ │ Role Based Access Control Options ---> │ │
│ │ Filesystem Protections ---> │ │
│ │ Kernel Auditing ---> │ │
│ │ Executable Protections ---> │ │
│ │ Network Protections ---> │ │
│ │ Sysctl Support ---> │ │
│ │ Logging Options ---> │ │
Code:
│ │ [*] Enable various PaX features │ │
│ │ PaX Control ---> │ │
│ │ Non-executable pages ---> │ │
│ │ Address Space Layout Randomization ---> │ │
->│ │ Miscellaneous hardening features ---> │ │
And the page that opens now does not have any:
Code:
│ │ [*] Sanitize all freed memory │ │
at all! "Curious!" (I'm quoting myself here, from yesterday's post of mine, at the end. Again, if you want the full picture, I believe you need to read the topic developed over the last two days or so; this, I believe, is the other side of the same coin to what we will find here).
Again, for those who would like to read faster than they can, the option just shown immediately above is not a paste from Debian, but a manual copy from the 'make menuconfig' screen of one of my Gentoo boxes, where, surely, it shows.
Yesterday's tribulations with the use-after-free bug that crashed my Gentoo kernel, which belongs to a system that was offline at that time, but was influenced, over the local network (not connected to the internet) to which all my boxes are connected, by one of my Debian clone systems (which I use online for browsing with Tor, for downloading things, etc.), which Debian box was online for pretty long intervals of time altogether...
Yesterday's tribulations that we had with the use-after-free bug would go on forever if it weren't for Mathias Krause's recent contribution in that respect, which gave the kernel the
CONFIG_PAX_MEMORY_SANITIZE=y option, which when you select it looks like this: [*] Sanitize all freed memory. Just not in this Debian kernel of mine...
I'll show you this time the entire page, where that option is entirely missing. And these will be pastes.
Code:
.config - Linux/x86 3.10.9 Kernel Configuration
[...] rity > Customize Configuration > PaX > Miscellaneous hardening features
┌─────────────────── Miscellaneous hardening features ────────────────────┐
│ Arrow keys navigate the menu. <Enter> selects submenus --->. │
│ Highlighted letters are hotkeys. Pressing <Y> includes, <N> excludes, │
│ <M> modularizes features. Press <Esc><Esc> to exit, <?> for Help, </> │
│ for Search. Legend: [*] built-in [ ] excluded <M> module < > │
│ ┌─────────────────────────────────────────────────────────────────────┐ │
│ │ [*] Sanitize kernel stack │ │
│ │ [*] Forcibly initialize local variables copied to userland │ │
│ │ [*] Prevent invalid userland pointer dereference │ │
│ │ [*] Prevent various kernel object reference counter overflows │ │
│ │ [*] Automatically constify eligible structures │ │
│ │ [*] Harden heap object copies between kernel and userland │ │
│ │ [*] Prevent various integer overflows in function size parameters│ │
│ │ [ ] Generate some entropy during boot │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └─────────────────────────────────────────────────────────────────────┘ │
├─────────────────────────────────────────────────────────────────────────┤
│ <Select> < Exit > < Help > < Save > < Load > │
└─────────────────────────────────────────────────────────────────────────┘
As you can see, I really meant the entire page!
The missing [*] Sanitize all freed memory should feature at the top, above: [*] Sanitize kernel stack.
This reconstruction is in so much detail because I write to bring as many newbies as I can to GNU/Linux, because I very much enjoy using the nearly sole truly free computing operating system which GNU/Linux is, and am fond of Grsecurity/Pax, because it is with Grsecurity/Pax that free computing survives or perishes. And Grsecurity/Pax is an absolute necessity for GNU/Linux in the sense of its freedom. Pls. look up my posts of the last two days for more...
What now?
I seem to have two issues to solve.
The one which I started with, that is, I need to relax some Grsec/Pax option, but which of so many, so that grub-mkconfig works and doesn't get killed.
Or maybe use paxctl in some way, or the sysctl interface in some way, but in which way, and which of these?
And I have this CONFIG_PAX_MEMORY_SANITIZE missing from the Grsec/Pax options altogether.
I think I need to post this unresolved as it is right now.
But what I do then, with no more delays, is dd-pack the images of the entire Debian system that IMO is the major cause of the havoc on my Gentoo box, because that compromised Debian system, actually the attacker programs/persons using it through bugs and my weak configuration of Grsec/Pax, also messed up a little the server of my local jigdo-downloaded repo, from where I can install clean Debian, the server being on another of my Gentoo boxes.
So this will be the last of the internet that this compromised Debian will see, because it goes into images.
It goes into images which I will keep for months, if I remain physically free in my Croatia. In case either I learn enough to investigate, or in case some of the big guys, and I don't mean the developers who are busy with fixing holes in Linus's kernel, but I'll keep them just in case.
If I remain physically free in my Croatia. Because I'm a persecuted rightwinger, a tolerant rightwinger with a lot of listening ear for honest leftwingers, but I stand on the right, and my country has gone to traitors. Look up the first post of mine on these forums.grsecurity.net for a little more about it. Some of my friends have already been forced to emigrate, and some are in jail. The tall guy in some of this footage was again arrested lately, and it's only speech, but we would not be allowed to think and speak:
Al Jazeera, Clashes on the Eve of EU Referendum, Francišković et. Al. HRVATSKI
https://www.youtube.com/watch?v=_dX-ek2mPaU
So... I thought I would do other things, but how can I? I rely on the internet as any of you do, and if I don't find my way around these obstacles I'll be left in the UDBA virtual cage (that's the tiny STASI in the countries that broke out of former stinking Yugoslavia, which still hold together via corrupt political "elites" and all kinds of traitors of their own people... And to only think that neighboring Hungary has just got out of debt ahead of time and is sending the IMF home! Hungary, with whom we share most of our history of harmony and friendship under the same crown of St. Isztvan... there were hegemonic tendencies on the part of the Hungarians in later centuries, and we defeated them militarily for that reason... but no hegemony in earlier centuries, there was harmony... And my country is selling out to the EU... Going Greece's way... and restoring the filthy Yugoslavian ideology... And BTW, all kinds of services cooperate, surely the biggest ones the most...)
So, all I can do now, and what I have to do now, is post this urgently.
But then, since the system is not defended properly because I haven't studied enough and understood well how to do it, esp. in these circumstances when some subjects lurk over-eagerly at the mere sight of the internet from my computers...
But then I do need to restore and recreate my compromised system, and that may take longer.
This is the same issue as yesterday's, only on the other side, the non-properly Grsec/Pax configured Debian side.
I will however open a separate topic, and call it:
grsec: halting the system... kernel crash, the Debian side
Any advice on the two issues explained above?
Miroslav Rovis
Zagreb, Croatia
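The post leaves both of its questions open. What follows is an added example, not code from the post or from the grsecurity project, that scripts the two manual checks the post makes and the first diagnostic step a practitioner would take on the grub-mkconfig failure. It assumes two things the page itself does not state: first, that the Kconfig entry for PAX_MEMORY_SANITIZE carries "depends on !HIBERNATION", so a Debian-style CONFIG_HIBERNATION=y hides the entry in menuconfig and no CONFIG_PAX_MEMORY_SANITIZE line gets written at all (which would match the empty grep above; confirm it in the help text of your own tree); second, that a PaX kill shows up in the kernel log as a line of the shape "PAX: terminating task: /path(comm):PID, uid/euid: U/E, PC: .., SP: ..", optionally preceded by "PAX: execution attempt in: <mapping>, START-END OFFSET". The config file and the log lines below are constructed to those shapes; they are not real output from the poster's machine and say nothing about the actual (unresolved) cause of the "Killed" messages.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions, mine, not the page's:
#  - PAX_MEMORY_SANITIZE has "depends on !HIBERNATION" in its Kconfig entry.
#  - PaX kill reports look like "PAX: terminating task: /path(comm):PID, uid/euid: ...".

# kconfig_state FILE NAME: prints y, m, n ("is not set") or absent (no line at all).
kconfig_state() {
    if grep -q "^CONFIG_$2=y\$" "$1"; then echo y
    elif grep -q "^CONFIG_$2=m\$" "$1"; then echo m
    elif grep -q "^# CONFIG_$2 is not set\$" "$1"; then echo n
    else echo absent
    fi
}

# enabled_matching FILE PATTERN: names of =y/=m options containing PATTERN.
# The scripted form of "grep -i selin": prints nothing when SELinux is fully off.
enabled_matching() {
    grep -E "^CONFIG_[A-Z0-9_]*$2[A-Z0-9_]*=(y|m)\$" "$1" | sed 's/^CONFIG_//; s/=.*//'
}

# sanitize_status FILE: enabled, visible-but-unset, hidden-by-hibernation
# (the case the post hit, under the assumption above) or absent-unknown-reason.
sanitize_status() {
    case "$(kconfig_state "$1" PAX_MEMORY_SANITIZE)" in
        y) echo enabled ;;
        n) echo visible-but-unset ;;
        absent)
            if [ "$(kconfig_state "$1" HIBERNATION)" = y ]; then
                echo hidden-by-hibernation
            else
                echo absent-unknown-reason
            fi ;;
        *) echo unexpected ;;
    esac
}

# pax_kills LOGTEXT: one line per killed task, "PID PATH REASON"; REASON is the
# "execution attempt" report printed just before the kill, or no-preceding-report.
pax_kills() {
    printf '%s\n' "$1" | awk '
        /PAX: execution attempt in:/ {
            sub(/.*PAX: execution attempt in: /, "")
            reason = "exec-attempt " $0; next
        }
        /PAX: terminating task:/ {
            line = $0; sub(/.*PAX: terminating task: /, "", line)
            path = line; sub(/\(.*/, "", path)
            pid = line; sub(/^[^)]*\):/, "", pid); sub(/,.*/, "", pid)
            print pid, path, (reason == "" ? "no-preceding-report" : reason)
            reason = ""
        }'
}

# write_sample_config PATH: constructed sample modelled on the listing in the
# post plus a Debian-style CONFIG_HIBERNATION=y; not a real /boot/config-* file.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_HIBERNATION=y
CONFIG_PAX=y
CONFIG_PAX_MEMORY_STACKLEAK=y
CONFIG_PAX_MEMORY_UDEREF=y
# CONFIG_PAX_LATENT_ENTROPY is not set
CONFIG_KEYS=y
CONFIG_KEYS_DEBUG_PROC_KEYS=y
# CONFIG_SECURITY is not set
# CONFIG_SECURITY_SELINUX is not set
CONFIG_DEFAULT_SECURITY_DAC=y
EOF
}

# Constructed log lines in the assumed shape. NOT real dmesg output, and not
# the cause of the grub-mkconfig failure in the post, which is unresolved.
SAMPLE_LOG='[  120.1] PAX: execution attempt in: <anonymous mapping>, 00007f1c2a000000-00007f1c2a001000 00000000
[  120.1] PAX: terminating task: /usr/sbin/grub-probe(grub-probe):2345, uid/euid: 0/0, PC: 00007f1c2a000010, SP: 00007fffd0c0a000
[  120.2] grsec: unrelated audit line, must be ignored
[  121.0] PAX: terminating task: /usr/bin/grub-script-check(grub-script-check):2351, uid/euid: 0/0, PC: 0000000000400a10, SP: 00007fffd0c0b000'

# Stand-alone run over the constructed samples.
cfg=$(mktemp)
write_sample_config "$cfg"
echo "SELinux options still on: [$(enabled_matching "$cfg" SELINUX | tr '\n' ' ')]"
echo "KEYS_DEBUG_PROC_KEYS:     $(kconfig_state "$cfg" KEYS_DEBUG_PROC_KEYS)"
echo "PAX_MEMORY_SANITIZE:      $(sanitize_status "$cfg")"
echo "PaX kills in log:"; pax_kills "$SAMPLE_LOG"
rm -f "$cfg"
```

On a real box, point kconfig_state and sanitize_status at /boot/config-$(uname -r) and feed pax_kills the output of dmesg (which CONFIG_GRKERNSEC_DMESG=y, set in the listing above, restricts to root). The point of the second helper is ordering: knowing which helper binary died, and what PaX reported immediately before, is what tells you whether a paxctl marking on one binary is enough or a kernel option really has to be relaxed.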