newbie type question.

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

newbie type question.

Postby dodobrain » Sat Oct 24, 2009 9:03 pm

hello there, greetings all.
this is partho from india, so greetings from india.
okay i hope its enough of intro. now please help me get out of the numerous FUD's. yes i got tremendous amount of FUD's. they are as follows.
this is the first time i will be implementing this grsecurity in the debian box. i run debian x86 i686 and i486 on an intel celeron m540 cpu on a HP c734tu laptop which is my primary laptop for usual play and sandbox tool and where i do all kind of nuclear experiments related to OS which often leads to maximum blowups and i then have to bend my head with a fixme OS livecd and fix the issues. and my knowledge in c/c++ and other programming language is minimal so i am a typical PITA newbie and arrogant about trying out new things.
i recently deployed a lot of security enabled feature/bugs in the PC trying to harden up the base OS as it doesnt offer any lead as opposed to windows unless i patch/protect it up nicely and it holds true with any OS. so i know many people here will point out the DO's now i am looking for a complete different approach, which has the "DONT'S IN RED AND 100 FONT SIZE" as its sure to screw up the pc and also i am RTFM'ing the wiki and other docs and books as i could lay my hand and i spend time reading the fabulous information(s).
my particular scare is with regards to the rootkits and those rootkits which are impossible to detect, as we have gone from kernel and ring 0 to ring -3 root kits and how can i use grsecurity to protect me. yes needless to say i am very paranoid and i dont overlook security and i dont want to learn it in field when i can learn at home it saves me more time and also effort than learn it the HARD CORE BEATEN ALL OVER TO DEATH WAY. and please the caps are not yelling but these are the red lettered method of mine to make sure i am not making errors or possible/probable errors, so kindly regard them as my way of pre-warning (think think think think think like a tank but for sake of whosoever blink less) myself what to do and what not to be done ever and never at all.
so in this insecure world where i am being attacked every second from the not so very friendly internet neighbor what are various ways i can implement grsecurity with sort of peace in mind.
i know grsecurity is not the perfect security solution as security is a myth can i atleast do a ground up approach method to get my work done, because no security is perfect and there is/will be some flaw or the other flowing considering human being is designed imperfect, so since i am so dumb i need you folks help, thats why.
i mean those are using it and also the inventor who invented it could you please note out some best practices methods and also a big fat warning about what a user should never do?
yes i am paranoid when it comes to violation of my IT space on the wire/wireless. what are the various methods can i use?
like i have installed bastille to make it sort of ACL based and yet if i edit the visudo i can give a lot of admin rights, and sometime i need to use some tool without the mush required nag "access denied/permission denied"
i know many have already listed out these options in the doc, i am reading those, but i am more focussed on the rootkits and steg methods which are extremely hard to detect and they go normally w/o a wink visibility under the giant microscope.
please consider me an annoying retard who wishes to use this wonderful technology to beef up his peace of mind than spend expensive amount of resource and money on expensive overbloated pieces of hardware/softwares.
i would also like to know how to use binaries which are non-free and i must use them along with opensource versions eg mathematica and octave and interoperate and w/o poking my finger in the work of each and lastly if i can use the jail functionality to restrict the jail itself as there are methods of jailbreak. so if i can use this acl and mac and rbac and all other methods to safe and secure jail and prevent jailbreaks and run closed source/ propietery binaries i will be more than glad. jailbreak is the major concern of mine and also preventing the ring -ABCXYZ123890!+ where the severity of rootkits to this keeps on increasing headache causing level.
and yes of course one more info is required, can i also use grsecurity for and/or in openwrt and coreboot? i mean common the linux kernel pattern is almost same be it embedded or not its just the coding style/logic and hardware dependency linux runs from s390 to handheld from mips to i386 to amd64. since my devices are cheap mips based atm modem "beetel 220bx" from airtel, how can i implement grsecurity with openwrt? i know i am just still worse than a newbie and a paranoid abnormal moron but my queries are can be justified. why cant i use grsecurity in coreboot and in openwrt as i will be porting them soon to my networking devices which happens to be the cheapest usb dsl modems and laptop which is a barebone which i am planning with a coreboot supported chipset.
there is a solution to everything finding it is the hardest path, so can the angels of this forum who are aces and experts please show me the light and lead me to ecstasy? any help is more than a welcome and yes i am ready to kidnap the help for my peace of mind and also please list the NO NO NO in best practices considering me a total newbie in this field. thank you.
-paul
openwrt and coreboot is optional and a far off dream and right now i am more of trying to do it with the basic debian thingie and yes i am reading the docs and materials in wiki to help me walk on with this software.
:-)
dodobrain
 
Posts: 1
Joined: Sat Oct 24, 2009 8:28 pm

Re: newbie type question.

Postby Grach » Sun Oct 25, 2009 11:05 pm

What a vast amounts of text... I just didn't get through. :) Oh, well... If you want extra security, don't waste your time on Debian. Security is not much of a concern for Debian developers. They compile packages without _any_ compile-time enforced protection: no SSP, no PIE, GOTs are writable and resides at constant addresses; the code of shared libs and executables is 100% known to the attacker. So expect 100% reliable ret2libc-style exploits to work in case of stack buffer overflow vulnerabilities, regardless of PaX and Grsecurity.

Want something more secure than Debian yet mainstream? Look at the packages in: CentOS, Ubuntu, openSUSE - in that order. CentOS and Ubuntu got PIEs here and there, while openSUSE is still (s)lacking them; all of them got -fstack-protector (not -fstack-protector-all), but partial RELRO, so are still more or less an option. But if you ask me, I prefer to stick with right applications and Hardened Gentoo on -grsec test kernels (which I test before deploy), that gives me valuable protection and no reliability issues on the servers at all.
Grach
 
Posts: 66
Joined: Thu Feb 05, 2009 11:15 pm


Return to grsecurity support

cron