
Re: Paxtest results with default Grsec2 aren't impressive



It could be my incompetence, but it looks like the Debian kernel source doesn't match with the Grsecurity patch.
I want to keep the Debian default settings because I trust that Debian knows what they are doing.

Grsecurity patch is for 3.0.4, while Debian has 3.0.0. Not much of a difference (I guess), but I can't get that patch into the source.
I run: /usr/src# patch -p0 < grsecurity-2.2.2-3.0.4-201109150655.patch
It crashes with:
can't find file to patch at input line 4
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff -urNp linux-3.0.4/arch/alpha/include/asm/elf.h linux-3.0.4/arch/alpha/include/asm/elf.h
|--- linux-3.0.4/arch/alpha/include/asm/elf.h    2011-07-21 22:17:23.000000000 -0400
|+++ linux-3.0.4/arch/alpha/include/asm/elf.h    2011-08-23 21:47:55.000000000 -0400


Then it asks for a 'file to patch'; I entered the path to the source (/usr/src/linux-2.6-3.0.0/).
But it crashes again with the error: 'patch: **** File /usr/src/linux-2.6-3.0.0/ is not a regular file -- can't patch'
I also used -p1 through -p9, nothing...

I think I'll go for AppArmor, unless someone can help me here?

PS: Why is the Grsec2 patch not in the source? Then you can compile it yourself if you want to, just like AppArmor.








On Wed, Sep 14, 2011 at 11:31, Kees de Jong <keesdejong@gmail.com> wrote:
I didn't know that it was necessary to compile a custom kernel.
Before I installed Grsec2 I did some research. I bumped into a PDF that compared the different results with Debian, Gentoo, and some other distros.
Debian didn't score very high, but it had sufficient protection. I recall that the document stated that the Debian kernel was precompiled to run Grsec2.
With the patch installed the features were active. But this wasn't the case as far as I read in this thread?


I'll compile a custom kernel and try the test again.









On Wed, Sep 14, 2011 at 07:58, Yves-Alexis Perez <corsac@debian.org> wrote:
On mar., 2011-09-13 at 22:47 +0200, Kees de Jong wrote:
> I've been running my Debian machines with Grsec2 (package:
> "linux-patch-grsecurity2") for a long time.
> I thought that would keep me rather safe, but I've run Paxtest today
> (which is in the Debian repository only available for i386...)
> and I wonder now if it could be better.
>

>
> Mode: kiddie
> Linux 3.0.0-1-amd64 #1 SMP Sat Aug 27 16:21:11 UTC 2011 x86_64 GNU/Linux


You don't really seem to be running a grsec kernel here, by the way.

Regards,
--
Yves-Alexis



--
Kind regards,
Kees de Jong


The information contained in this message may be confidential and is intended to be exclusively for the addressee(s).
Should you receive this message unintentionally, please do not use the contents herein and notify the sender immediately by return e-mail.




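The "can't find file to patch" error quoted above comes from how patch resolves the file names in the diff headers against the current directory and the -p strip count. The following sketch is an added example, not part of the original thread: it strips leading path components the way -pN does and reports which N makes the first file name resolve from a given directory. The helper names and the temporary demo tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: which -p value lets patch(1) resolve a diff's file names
# from a given directory? Helper names and the demo tree are constructed.

# Print the path named on the first "+++ " header of a unified diff.
first_target() {
    sed -n 's/^+++ \([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Drop the first $2 slash-separated components of path $1, as -pN does.
strip_components() {
    path=$1; n=$2
    while [ "$n" -gt 0 ]; do
        case $path in
            */*) path=${path#*/} ;;
            *)   return 1 ;;   # nothing left to strip
        esac
        n=$((n - 1))
    done
    printf '%s\n' "$path"
}

# Print the smallest N whose stripped name exists under directory $2.
find_strip_level() {
    target=$(first_target "$1")
    [ -n "$target" ] || return 1
    level=0
    while candidate=$(strip_components "$target" "$level"); do
        if [ -f "$2/$candidate" ]; then
            printf '%s\n' "$level"
            return 0
        fi
        level=$((level + 1))
    done
    return 1
}

# Constructed demo: a tree named like the Debian source, a header like the patch's.
demo=$(mktemp -d)
mkdir -p "$demo/linux-2.6-3.0.0/arch/alpha/include/asm"
: > "$demo/linux-2.6-3.0.0/arch/alpha/include/asm/elf.h"
printf '%s\n' \
  '--- linux-3.0.4/arch/alpha/include/asm/elf.h' \
  '+++ linux-3.0.4/arch/alpha/include/asm/elf.h' > "$demo/sample.patch"

find_strip_level "$demo/sample.patch" "$demo" \
  || echo "from the parent directory: no -p value resolves the file name"
echo "from inside the tree: -p$(find_strip_level "$demo/sample.patch" "$demo/linux-2.6-3.0.0")"
```

A matching strip level only means the file names resolve; whether the hunks apply to a different kernel version is a separate question, which patch --dry-run answers without modifying the tree.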