:: Re: [Dng] Hardened Devuan (was Re: …
Forside
Slet denne besked
Besvar denne besked
Skribent: Neo Futur
Dato:  
Til: Adam Borowski
CC: dng@lists.dyne.org
Emne: Re: [Dng] Hardened Devuan (was Re: Plan for Devuan to use Mozilla products as is)
also answering here to jaromil about a grsec question on another thread :


On Fri, Mar 6, 2015 at 2:33 PM, Jaromil <jaromil@???> wrote:
>> I hope to be able to continue my Grsecurity/Pax Deployment in Devuan for
>> the Newbies (or of a similar title), like I did in Debian Forums (see my
>> first message in this thread). And about the rest of non-poeterware (and
>> related like, for me, dbus). Maybe in the Wiki, sure Devuan Wiki.


> I will be among the newbies following your guides: last time I've used
> grsecurity was long time ago, before I gave up the maintainance of
> dyne.org servers to more volunteers. Wondering how much has changed in
> 10 years or so.

quite a bit, new options and new features are regularly added :

https://grsecurity.net/changelog-stable.txt
https://grsecurity.net/features.php
https://grsecurity.net/compare.php

the patches are very actively maintained and working very well on
gentoo hardened, but once again I use only the sanitizing features,
not the RBAC system.

as a sysadmin, grsec have helped me quite a bit those last ten years,
most of the kernel security problems, 0 days, local roots . . . have
been useless against my grsec kernels ;) usefull ehen you provide a
shell to most of your customers/users !



On Fri, Mar 6, 2015 at 7:22 PM, Neo Futur <dng@???> wrote:
> at the beginning we plan :
>
> * to use only the pax options of the grsec kernel, no rbac enabled
> * to work on vanilla sources or gentoo hardened sources
> * no debian patches, no exotic patches
> * shipping the kernel with warnings that, as a default, java wont work
> with a secure kernel, and possibly any other graphical applications
> doing dirty stuff with memory ( buffer overflow, relocations and much
> more )
>
> as soon as we have a devuan beta version we feel confident enough to
> install on at least one dedicated server ( something like dell r210 )
> and on a laptop ( something like a thinkpad ), we ll start packaging a
> grsec patched kernel.
>
>
> speaking of installing on a dedicated server, do we have plans to
> provide some kind of easy install system to install on a server from a
> rescue mode ? ( not everyone have full kvm access to install
> graphically, many datacenters provide only the rescue mode )
>
>
>
> On Fri, Mar 6, 2015 at 6:27 PM, Adam Borowski <kilobyte@???> wrote:
>> On Fri, Mar 06, 2015 at 03:19:29PM -0300, hellekin wrote:
>>> *** I'm so happy to see this group. I've been using this kernel lately,
>>> running on Parabola:
>>>
>>> 3.14.34-gnu-201502271838-1-lts-grsec-knock
>>>
>>> GRSecurity, and Knock support. Knock is a kernel patch that enables
>>> single packet port knocking [0], thwarting common scanning attacks. I
>>> would love to see this running on Devuan. Parabola GNU/Linux was the
>>> first distro to deploy it, and I've been using it happily with SSH.
>>
>> It looks like Knock breaks everything TCP SQN is used for, including even
>> such basics as packet retransmission/duplication detection. I've read the
>> LKML discussion to see if I'm missing something, but apparently, I don't.
>>
>> As such, I'd say Knock has no place on a distribution kernel.
>>
>> --
>> // If you believe in so-called "intellectual property", please immediately
>> // cease using counterfeit alphabets. Instead, contact the nearest temple
>> // of Amon, whose priests will provide you with scribal services for all
>> // your writing needs, for Reasonable and Non-Discriminatory prices.
>> _______________________________________________
>> Dng mailing list
>> Dng@???
>> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng