Unix and Linux Stack Exchange
Unix and Linux Stack Exchange

Questions tagged [grsecurity]

Grsecurity is a set of patches for the Linux kernel to harden Linux systems.

Grsecurity is a set of patches for the Linux kernel to harden Linux systems. The main features include:

  • Role based access control with mandatory (policy driven) access control
  • Chroot-Jail hardening
  • Hardening against memory corruption (via integration of PaX)

Available documentation:

Related tags:

32 questions
43
votes
5 answers

Attempting to compile kernel yields a certification error

I'm currently attempting to follow Hardening Debian for the Desktop Using Grsecurity guide in order to install the 4.5.7 kernel with Grsecurity on my Kali Linux desktop. I am following that list of instructions verbatim, except for the fact that…
John Doe
  • 531
  • 1
  • 4
  • 3
22
votes
2 answers

Why are the grsecurity patches not included in the Vanilla Kernel?

What are the reasons that grsecurity patches (or the security features it brings) are not included in the kernel by default. When looking at the benefits for security it seems the vanilla kernel is quite insecure as it is. If this is a trade-off…
humanityANDpeace
  • 13,722
  • 13
  • 61
  • 107
20
votes
2 answers

What to use to harden Linux box? Apparmor, SELinux, grsecurity, SMACK, chroot?

I am planning to go back to Linux as a Desktop machine. I would like to make it more secure. And try a few hardening techniques, especially since I plan to get my own server. What would be a good, sane hardening strategy? Which tools should I use -…
jottr
  • 1,286
  • 3
  • 14
  • 19
9
votes
2 answers

Hide processes from other users based on groups (under Linux)?

Is it possible to configure process hiding for certain user groups under a linux system? For example: Users from group X should not see processes owned by users from group Y in ps/top or under /proc. Is it possible to configure such a setup with…
maxschlepzig
  • 56,316
  • 50
  • 205
  • 279
6
votes
4 answers

Which distributions maintain a kernel package with grsecurity support

I know that I can apply the grsecurity patches by compiling my own kernel. This is not a big deal to do it once, but too complex to have regular and easy kernel image updates. So I am looking for linux distributions which supports gsecurity as a…
student
  • 17,875
  • 31
  • 103
  • 169
5
votes
1 answer

I don't want other users see my processes in ps aux. I have root. It's Debian. How to use grsec?

I installed 'linux-patch-grsecurity2' and it has some sort of interface. ~$ sudo gradm2 gradm 2.1.14 grsecurity administration program Usage: gradm [option] ... Examples: gradm -P gradm -F -L /etc/grsec/learning.logs -O…
user13764
4
votes
1 answer

How do I simulate /proc/sys/kernel/grsecurity/deny_new_usb without grsecurity?

How do I flexibly enable and disable plugging in new USB devices (running driver code responsible for those devices) at runtime without Grsecurity patch? Are there other approaches or alternative kernel patches with this feature? Reopen:…
Vi.
  • 5,528
  • 7
  • 34
  • 68
4
votes
2 answers

Explicit kernel module load at startup

I'm using grsecurity kernel which disallows automatic kernel load thus several systemd services don't work. After manually loading modules with modprobe and restarting module everything works correctly but it's quite dirty solution. I'd like to do…
Lapsio
  • 1,283
  • 2
  • 18
  • 27
3
votes
1 answer

How does an "embargo" work in the context of Kernel development?

There has been a lot of noise about the newest Intel x86 vulnerability. I've seen posts on PostgreSQL, the Linux list, Intel, AMD -- all with vague mention of what's going on. I've seen a few pretty good and convincing write ups on the matter too.…
Evan Carroll
  • 28,578
  • 45
  • 164
  • 290
3
votes
1 answer

How can I persistently boot into linux-grsec?

I've installed the linux-grsec kernel on my machine via pacman. While I can edit grub's settings at boot time by hitting 'e' at the bootloader menu, the updates I make specifying which kernel and ramdisk to use are ephemeral, and don't persist after…
Jules
  • 2,064
  • 2
  • 24
  • 35
3
votes
1 answer

Automated kernel recompilation on security patches?

I'm on Ubuntu 14.04 and really enjoy the fact that I get automatic kernel security updates. When a kernel security problem is patched, a new package will be shipped with the new version. My machine is configured to scan for new security updates…
Naftuli Kay
  • 38,686
  • 85
  • 220
  • 311
3
votes
1 answer

Grsecurity resource oversteps

Can anybody explain what this kind of messages in dmesg really mean, or point me to some documentation? I have failed to find non-prehistoric info about dealing with such events. Sometimes programs seem to work just fine (both examples here) and…
lynx
  • 67
  • 1
  • 5
3
votes
1 answer

Grsecurity subject mode x

I am conducting some research on Grsecurity on Hardened Gentoo, see http://en.wikibooks.org/wiki/Grsecurity. To be more specific, I am trying to find an example where subject mode x makes a difference. As said in the wiki: subject mode x: Allows…
countermode
  • 7,373
  • 5
  • 31
  • 58
2
votes
1 answer

GRSecurity/PaX Preventing me from using TOR

So, while trying to open the Tor Browser Bundle while using the Grsecurity with Pax enabled it returns this error: ./start-tor-browser: line 368: 1848 Segmentation fault (core dumped) TOR_CONTROL_PASSWD=${TOR_CONTROL_PASSWD} ./firefox --class…
Erich
  • 69
  • 1
  • 8
2
votes
0 answers

How to I can compile the Linux Kernel with GRSecurity and SELinux using the git repositories?

I want compile the Linux kernel with two patches (Grsecurity and SELinux) using the git repositories if theses sources, my problem is in the patch file generation because I unknow how make the patches files of Grsecurity and SELinux to the main…
user217111
1
2 3