also answering here to jaromil about a grsec question on another thread:

On Fri, Mar 6, 2015 at 2:33 PM, Jaromil <jaro...@dyne.org> wrote:
>> I hope to be able to continue my Grsecurity/Pax Deployment in Devuan for
>> the Newbies (or of a similar title), like I did in Debian Forums (see my
>> first message in this thread). And about the rest of non-poeterware (and
>> related like, for me, dbus). Maybe in the Wiki, sure Devuan Wiki.

> I will be among the newbies following your guides: last time I've used
> grsecurity was a long time ago, before I gave up the maintenance of
> dyne.org servers to more volunteers. Wondering how much has changed in
> 10 years or so.
quite a bit, new options and new features are regularly added :

https://grsecurity.net/changelog-stable.txt
https://grsecurity.net/features.php
https://grsecurity.net/compare.php

the patches are very actively maintained and working very well on
gentoo hardened, but once again I use only the sanitizing features,
not the RBAC system.

as a sysadmin, grsec has helped me quite a bit those last ten years,
most of the kernel security problems, 0 days, local roots . . . have
been useless against my grsec kernels ;) useful when you provide a
shell to most of your customers/users !



On Fri, Mar 6, 2015 at 7:22 PM, Neo Futur <d...@ww7.be> wrote:
> at the beginning we plan :
>
> * to use only the pax options of the grsec kernel, no rbac enabled
> * to work on vanilla sources or gentoo hardened sources
> * no debian patches, no exotic patches
> * shipping the kernel with warnings that, as a default, java won't work
> with a secure kernel, and possibly any other graphical applications
> doing dirty stuff with memory ( buffer overflow, relocations and much
> more )
>
> as soon as we have a devuan beta version we feel confident enough to
> install on at least one dedicated server ( something like dell r210 )
> and on a laptop ( something like a thinkpad ), we'll start packaging a
> grsec patched kernel.
>
>
> speaking of installing on a dedicated server, do we have plans to
> provide some kind of easy install system to install on a server from a
> rescue mode ? ( not everyone has full kvm access to install
> graphically, many datacenters provide only the rescue mode )
>
>
>
> On Fri, Mar 6, 2015 at 6:27 PM, Adam Borowski <kilob...@angband.pl> wrote:
>> On Fri, Mar 06, 2015 at 03:19:29PM -0300, hellekin wrote:
>>> *** I'm so happy to see this group.  I've been using this kernel lately,
>>> running on Parabola:
>>>
>>>   3.14.34-gnu-201502271838-1-lts-grsec-knock
>>>
>>> GRSecurity, and Knock support.  Knock is a kernel patch that enables
>>> single packet port knocking [0], thwarting common scanning attacks.  I
>>> would love to see this running on Devuan.  Parabola GNU/Linux was the
>>> first distro to deploy it, and I've been using it happily with SSH.
>>
>> It looks like Knock breaks everything TCP SQN is used for, including even
>> such basics as packet retransmission/duplication detection.  I've read the
>> LKML discussion to see if I'm missing something, but apparently, I don't.
>>
>> As such, I'd say Knock has no place on a distribution kernel.
>>
>> --
>> // If you believe in so-called "intellectual property", please immediately
>> // cease using counterfeit alphabets.  Instead, contact the nearest temple
>> // of Amon, whose priests will provide you with scribal services for all
>> // your writing needs, for Reasonable and Non-Discriminatory prices.
>> _______________________________________________
>> Dng mailing list
>> Dng@lists.dyne.org
>> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng