On Fri, Mar 06, 2015 at 08:33:20PM +0100, Jaromil wrote: > > dear Miroslav, > > On Fri, 06 Mar 2015, miroslav.rov...@zg.ht.hr wrote: > > > I hope to be able to continue my Grsecurity/Pax Deployment in Devuan for > > the Newbies (or of a similar title), like I did in Debian Forums (see my > > first message in this thread). And about the rest of non-poeterware (and > > related like, for me, dbus). Maybe in the Wiki, sure Devuan Wiki. > > yes, the gitlab on https://git.devuan.org good that you made a login. > > people can contact me, Nextime or Hellekin to have groups or projects > created and its wiki can be used for documentation. I've taken notice, kind brother in *nix! I'll also browse more extensively to see how things are faring. But I have to remind you that I am only an advanced user. Capable, I think, to transfer what I know (and what I will yet learn), to less advanced users, though. Surely, when things call for an expert insight, I'll have to ask for help.
> I will be among the newbies following your guides: last time I've used > grsecurity was long time ago, before I gave up the maintainance of > dyne.org servers to more volunteers. Wondering how much has changed in > 10 years or so. If I'm moderated by the Elder members with insight into, and understanding of, the code, and the architectural/programming design/other expert aspects, where necessary (and I hope there already are members of Devuan who can oversee my work, prior to publishing it), then maybe I can serve the community successfully. And we can ask for help, if more difficult issues arise, and when they are really needed, both spender and PaX Team from grsecurity.net have shown to be available, as are the experts for hardened from the higher echalons of the Gentoo Foundation, such as blueness, the capable Accademic behind Gentoo grsecurity-hardening. A sidenote. I've already pointed to my slowliness, and it shows here: I've been into the preparation of this e-mail if I view it since I sent my first mail, for roughly one third of the time elapsed since then... And have been writing this message, in which I want to reply to both you, Jaromil, and Neo Futur, and hellekin, and others, at once. So: I am slow... Count with it. And may Vis Major (Latin) disband other possible hindrances to my future work. > > If that is the space that Jaromil is talking about? (I can log in, I > > also posted my ssh key, I hope I'll be able to contribute somewhere > > somehow). > > > > ...Aaah, the beta, we're all impatient for the beta release! > > there is some more time to be waited, but I'm also impatient indeed. > > thanks for your enthusiasm :^) I dream of a successful fight of FOSS Linux for true security/privacy/freedom. > ciao Mi piacerebbe scriverti in italiano, ma altri non capirebbero. PerciĆ²... (translation: I'd like to write to you in Italian, but others would not understand, So...) On Fri, Mar 06, 2015 at 03:19:29PM -0300, hellekin wrote: > On 03/06/15 05:06, Neo Futur wrote: > >> the Grsecurity/Pax hardening of the kernel, will you think of it, > >> instead of SELinux, or as an option besides SELinux? It sure will be > >> attainable in the way I got it in Debian in that Tip, but official > >> support would be so great! > > > > https://git.devuan.org/groups/hardened > > > > we are a few guys planning to try and maintain a grsec kernel for > > devuan, for now we are waiting for a bevuan beta version before > > starting working on it. > > anyone interested, feel free to join ! > > > *** I'm so happy to see this group. I've been using this kernel lately, > running on Parabola: > > 3.14.34-gnu-201502271838-1-lts-grsec-knock > > GRSecurity, and Knock support. Knock is a kernel patch that enables > single packet port knocking [0], thwarting common scanning attacks. I > would love to see this running on Devuan. Parabola GNU/Linux was the > first distro to deploy it, and I've been using it happily with SSH. > > == > hk > > [0]: https://gnunet.org/kirsch2014knock I left the above in my message, because I feel it is important. > -- > _ _ We are free to share code and we code to share freedom > (_X_)yne Foundation, Free Culture Foundry * https://www.dyne.org/donate/ On Fri, Mar 06, 2015 at 07:22:16PM -0500, Neo Futur wrote: > at the beginning we plan : > > * to use only the pax options of the grsec kernel, no rbac enabled > * to work on vanilla sources or gentoo hardened sources I can say grsec-hardened gentoo works great on my systems, and using their kernel could decrease the workload... But maybe only as far as hardening goes? What I do know, from experience, and I do have a nasty regime, against me, currenty in power in Croatia (not saying this for politics; some of my friends have to go to jail or worse before I mention politics in my messages here, but because of intrusions that I suffered, for years, all findable by my name, Miroslav Rovis, in Gentoo Fora and Grsecurity Fora, maybe some in Debian Fora --not sure for the last ones)... [What I do know, from experience], is that the Gentoo install was always much harder to break in than Debian was. Again, study my posts in those if someone has doubts. Gentoo has much better and more carefully hardened toolchain for package compilation. That can be read about in Gentoo Wiki (search for `hardened toolchain')... But the problem is compatibility, maybe. You probably can not easily apply the Gentoo type hardened toolchain to produce well hardened packages such as those that Gentoo compiles, in Devaun... from the existing Debian package repositories... I haven't compiled anything but the kernel, in Debian, yet. Not familiar with development in Debian/Devuan, yet. > * no debian patches, no exotic patches > * shipping the kernel with warnings that, as a default, java wont work > with a secure kernel, and possibly any other graphical applications > doing dirty stuff with memory ( buffer overflow, relocations and much > more ) The users should know that bloat such as Gnome and KDE can have problems to work, or sometimes can only work after a lot of dedicated work, with a hardened system. I don't want the Gnome/KDE/other-similar-desktops also because of dbus, they, most of them if not all, use dbus, and don't work without dbus, and unless someone defeats my arguments on the use of dbus (and its encryption and its RPCs) to mess up you machine for third parties' use, as I explained in my newest Gentoo post (the link given in my previous message), and I mean defeat my arguments, not just dismiss them, I intend to always advise users against dbus, as well. And the lack of at least some of oversophisticated and user unpowering or depowering (contrary to enpowering) desktops like GNOME/KDE/others above... may lose us some potential users. People are massively brainwashable, enough for them to be easily moulded as the one-ring-to-rule-them-all cravers wish. And we will see propaganda winning over here and there for the non-true-FOSS-systemd distros... So we are against systems here, as those few cravers mostly control the systems (never totally though, it's very mixed). However, the legislature of most of the world countries (also Croatia) is on our side: privacy is sacred in most Constitutions of most countries in the world --and especially in all of those that claim to be democracies, I believe--, and we can always claim our rights. We fight against their secret rule, but have the law, they don't, we do, on our side, when it comes to fights against censorship and intrusions by the various systems/regimes/other-third-parties. Looking at the above paragraph: marketing could be a problem if some of the glitz of the bloat is missing to seduce the eyes of the newbie... but only if poeple with true alegiance to FOSS, and capable of the kind of marketing necessary for FOSS (only for survival, not for me, I can live so poorly that some of you wouldn't even believe), I'm only talking infrastrucure for the projects... marketing could be a problem, but only if poeple with true alegiance to FOSS were to be missing from in among our members and don't come to our aide. Do we already have such members? But I'm going too far, not competent here. > > as soon as we have a devuan beta version we feel confident enough to > install on at least one dedicated server ( something like dell r210 ) > and on a laptop ( something like a thinkpad ), we ll start packaging a > grsec patched kernel. > > > speaking of installing on a dedicated server, do we have plans to > provide some kind of easy install system to install on a server from a > rescue mode ? ( not everyone have full kvm access to install > graphically, many datacenters provide only the rescue mode ) > I have no exerience with online servers and many users using them, I could only transfer the knowledge and experience of mine, to simple desktop workstation users. > > On Fri, Mar 6, 2015 at 6:27 PM, Adam Borowski <kilob...@angband.pl> wrote: > > On Fri, Mar 06, 2015 at 03:19:29PM -0300, hellekin wrote: > >> *** I'm so happy to see this group. I've been using this kernel lately, ...[snip: already brought up above]... > > > > It looks like Knock breaks everything TCP SQN is used for, including even > > such basics as packet retransmission/duplication detection. I've read the > > LKML discussion to see if I'm missing something, but apparently, I don't. > > > > As such, I'd say Knock has no place on a distribution kernel. > > I'm only taking notice of this above. On Fri, Mar 06, 2015 at 08:37:02PM -0500, Neo Futur wrote: > also answering here to jaromil about a grsec question on another thread : ...[snip: already brought up above]... > dyne.org servers to more volunteers. Wondering how much has changed in > 10 years or so. > quite a bit, new options and new features are regularly added : > > https://grsecurity.net/changelog-stable.txt > https://grsecurity.net/features.php > https://grsecurity.net/compare.php > > the patches are very actively maintained and working very well on > gentoo hardened, but once again I use only the sanitizing features, > not the RBAC system. > > as a sysadmin, grsec have helped me quite a bit those last ten years, > most of the kernel security problems, 0 days, local roots . . . have > been useless against my grsec kernels ;) usefull ehen you provide a > shell to most of your customers/users ! > Obviously, you cater for server-people. And I want everybody to see that praise of grsecurity above. Not ever having heard of Knock (my first reading of it is in this mailing list), I can't yet judge about it, but it looks apealing to me. But I can say my systems are so much safer since I finally deployed the RBAC system on top of grsecurity-hardened kernel. The RBAC system (which I understand that, for many readers, this may be their first reading about, just like for me, it is my first hearing of Knock) could show very appealing to people, if it is presented well. And presented demonstrably. Maybe even in packet captures from someone's system's time online, combined with, where it applies, screencasts of the same time: those can be appealing, if you get to really capture an attack by some third party, which your deployed grsecurity/RBAC defended your system from, such as I captured Schmoog and Yooch in attack, go and see, since the Google defenders seem not to want to --I already gave previously this link below--, or don't understand (but they're forgiven in either of the cases), [go and see] how I captured Schmoog (my term of endearment for Google) and Yooch (pronounced with `ch' as in `Loch Ness' or as in some Arabic and Hebrew words, my term of endearment for Yahoo), [how I captured Schmoog and Yooch] clickjacking my connection to send mail from my machine: a clickjacking that only packets captured show: Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion https://forums.gentoo.org/viewtopic-t-999436.html#7685200 To get such stuff proving grsecurity and RBAC defending your system, such as the above proves an intrusion (sadly, to explain packets to a regular user is very much work), would be a scoop that helps appreciation from users and onlookers... But not the brainwashable onlookers. Sadly, little can be done for those. --- Here's my informal, but frank, in this Big Brotherly age, which only non-truthful, or for some other reason being, at the time of saying so, defective, people can say it is not such, here's my informal, but frank, introduction to RBAC for readers, for whom this may be their first reading about it. (I'm sending it to Devuan maling list as an incomplete idea for some future presentation.) RBAC or Role Base Access Control is the layer that finalizes what does grsecurity --which includes PaX-- and which [the grsecurity] is a collection of patches that, to explain it in lay terms: fix what Linus Torvalds, the little god of the Linux kernel, since he is its inventor and remains its main programmer, or more exactly the decider-programmer, may have even deliberately introduced (first the Linux Security Model or LSM and, later, the linux capabilities; read in the links in my signature below)... [Grsecurity fixes what Linus introduced] for, mild expression: third parties, into the Linux kernel, the engine of any FOSS Linux --or GNU/Linux-- operating system, such as the Devuan, which is rising to become the new sun among the distros, we hope... after the Debian false-FOSS-systemd-and-related-bad-choices suicide... (Systemd is not true Free Open Source Software, it is there for third parties, and invented for third parties, and financed by third parties, it is not there for the user enpowerment, but depowerment, it is there for the control over users, not for control by users of their own e-turf.) RBAC is the layer on top of the grsecurity-patched kernel, that fixes what cannot be fixed through patching of the kernel for one or another reason. Stuff such as linux capabilities (issue `man capabilities' and see the enormous potential for privilege escalation and planting binaries into `intruded system' --read: `your system', brother in *nix--, and especially, read what the author of grsecurity, Bradley spender Spengler, writes about it, it's in my signature, and probably in signatures of my future messages here)... [Stuff such as linux capabilities] by means of which a third party can gain arbitrary control over your machine, dear FOSS Linux and future Devuan user, such stuff is tackled with RBAC successfully (but I will only have sufficiently extensive experience of it, hopefully, with time, to be able to demonstrate it). --- Like I said the above is an incomplete idea for a presentation/introduction/explanation for our future users. And I now, after all this writing, have to first see if I'm not too late for simply sending this without first adding anything to this. Late replying, like this one of mine, may add a little confusion, without possibly necessary explanations... It's been hours since I read the replies to me, and other new messages from the Devuan mailing list. Apparently, it should be fine and not overly late just sending this. -- Miroslav Rovis, Zagreb, Croatia http://www.CroatiaFidelis.hr Try refute: rootkit hooks in kernel ( http://www.crmbuyer.com/story/39565.html ), linux capabilities for intrusion ( https://forums.grsecurity.net/viewtopic.php?f=7&t=2522 )
pgp3gKJ8vNLnZ.pgp
Description: PGP signature
_______________________________________________ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
