Is Linux-hardened an OK alternative to linux-grsec?

archlinux.org/packages/community/x86_64/linux-hardened/

It seems promising at least, but not as good as grsec yet.

github.com/thestinger/linux-hardened/wiki

Should I install SELinux/AppArmor alongside it?

...

What do you suggest? BSD?
aboutthebsds.wordpress.com/2013/01/25/20/

If you are on Arch it seems like kind of a pain in the ass to use AppArmor or SELinux. Otherwise I'd say that it may be worth it depending how much security you think you need.

GRsecurity is still GPLv2
SELinux is still GPLv2

So, I'm kind of new to Linux a bit - I got one machine running Ubuntu and 2 running Raspbian. This hardening here sounds like there's more security going up instead of down. Someone correct me if I'm wrong - Also, do we just copy the files to the directory or are we imaging the files to the hard drive (or whatever drive is running my OS) and just booting off of that?

providing that it is done after the actual install

I think he means free as in price.

not as good as grsecurity but still ok.

HAHAHHAHHAHAHHAAAHAHAHHAAHA

I would like arch more if the devs did not think they were being l33t haxckors by making a half-assed debian like gentoo wannabe.

Like fuck man I might as well install centos and slap a WM/DE on it for the amount of work I need to do to get basic functionality going. Not even fucking gentoo is as obtuse as arch.

This. Arch devs are the linux equivalent of windows devs, lazy and trying to make their laziness into something cool and admirable. Gentoo devs are fucking hardcore, they know their stuff. Gentoo mailing lists show this very well (and the distro itself).

what would you suggest? Other than gentoo? Qubes?

Not him but every distro is good in the hands of an experienced linux user. Gentoo is just a community where these practices are commonplace. Isolating all internet-connected services/applications under low-privilege users, using the right kernel settings, using user control software and in general just becoming a user permission expert. I use a low-privilege user for my browsing and torrenting for example. Windows lacks proper permissions and this is why it's so easy to use exploits on, because all of the security holes are under the admin account. Proper coding is fun and a good idea but if everything is segmented and the access of compromised software is limited then the mainstream-catch-all exploits are mitigated (if someone is actively attacking you they will find so many ways to do so it's not even funny). Qubes is good and virtual machines are effective but demanding and often require day-to-day hassle to upkeep. Security, at the end of the day, is painful and requires active participation. For most users just doing it the gentoo-way is the easiest (although I am a gentooman myself so I guess I am a bit out of touch with reality).

TL;DR read the gentoo wiki and a few whitepapers and do what feels is enough for you+some more

Well gentoo is way too much goddamn maintenance for me.

Fedora is too bleeding edge to a fault where shit will just straight up change all over the place. It very much feels like the distro that the RHEL uses as their throw shit at the wall and see what sticks then port the good ideas to redhat/centos.

Ubuntu is good if you just want to install it and have everything ready to go but if you want to do something other than run the defaults good fucking luck.

Debian seems alright and has a minimal install option so you can go partial neckbeard if you want but unsure about the documentation on doing anything with an install that does not have the base essentials and DE already installed

Just started using centos on a webserver and holy fuck is it well put together which is unsurprising considering it is just redhat without support and possibly not getting the latest features of red hat. Unsure how it would work as desktop OS but they definitely allow you the option through their installer which is basically the fedora installer. I honestly like how you can just have it install barely anything or go full ubuntu with goddamn everything installed.

Gentoo is only if you are a hardcore neckbeard who has a lot of time to maintain it, I really feel it is more the linux you go to when you need to do something really fucking esoteric like trying to shove lunix on something that very much was never intended for you to modify the software. Or if you need some ultra specific setup that would either be almost impossible to run stably on any other distro or require fucking weeks of work to restructure how it operates and a lot of custom scripts.

Arch is very much the devs figuring out how to do stuff and then trying new things, which sucks when you just want the fucking thing to not break every update because they half-assed some implementation to "future proof" or they straight up did not do enough testing beforehand. Also arch is the only distro that straight up broke my bootloader because of some dumb update, I fixed it by reinstalling it so have no fucking clue what they did but holy fuck that really soured it for me.

Other distros I have never used so I cannot comment on them. Personally I would say go with whatever you feel like using and fuck dumb internet nerds trying to convert you to their way of thinking.

Also considering I am jacking off the RHEL nerds, if you read any of the documentation for the latest redhat it almost always translates over directly for centos. Which is nice because having good documentation is a fucking must if you are trying to learn how to do shit.


Also to shit on arch more, I do not fucking understand why almost nothing comes with default config files. They just say lol u have to go to the wiki and copy and paste the default which is the dumbest fucking thing ever. Also also, having to install and configure shit that almost no one fucking cares about gets old as shit. The only example I can think of is how you have to setup vim-colors while every other distro ever made just auto-configures it because who the fuck cares, the fact you installed it is enough to assume you want to use it. I would not doubt there are other examples but my fuck, they obsess on "THE ARCH WAY" to the point where they go full fucking retarded.

Gentoo is too much maintenance?

I mean the first setup+getting your config working is a hassle, agree. After getting gentoo on its feet it's not at all high maintenance though, update once a month if you don't care for bleeding edge and the kernel compilation is nothing with genkernel (and funtoo with debian kernel included is not even that). Gentoo is only high maintenance when you are actively aiming for security, like any other distro. Compiling big packages is a pain though which you can't avoid (I use chromium and the few times a week that it updates is pain and I end up masking it temporarily, sealing my doom at the same time.) But sure if you don't want to do any maintenance you can use the easier distros, but the amount of maintenance with gentoo is exaggerated.

Qubes is really nice if you don't mind fucking around with VMs 24/7.

Yeah but compiling is like the only reason to use gentoo, and compiling your own kernel is again the only reason to use gentoo.

Really when I install a desktop OS the only thing I want is only the shit I will actually use and make it look and function the way I want.

Thus maintenance beyond updating and modifying a few config files really defeats the point of a desktop OS.


Also avoiding updating your browser is bad unless you never login to anything ever on it.

> Yeah but compiling is like the only reason to use gentoo, and compiling your own kernel is again the only reason to use gentoo.
For me it sure as hell isn't the only reason but yes these are key features of Gentoo. Compiling your own kernel is more of a learning experience than anything practical on the desktop.

This is the reason I use Gentoo. Compiling from source means you get to do this on a level that is even throughout the whole system. Gentoo is barebones so I install what I actually use and compile my programs without pulseaudio etc because I don't use those.

> Thus maintenance beyond updating and modifying a few config files really defeats the point of a desktop OS.
Almost literally what I do when I update my gentoo. I have my saved up kernel config that I use with genkernel (a few config files modifications to the bootloader is all this takes).

I am guilty of this and the big package compiling issue is the one gripe I have with gentoo.

I guess we could say you win this argument by popular demand since I also use gentoo to satiate my autism for tinkering and having control and knowledge over my system on a whole new level compared to other distros. This is why I stated that I am a bit out of touch with reality since I like tinkering so much and having the bragging rights.

If I wasn't using Gentoo I'd probably use manjaro (which makes arch into a usable distro instead of a failed gentoo knockoff) or devuan/debian.

Man this guy sounds super butthurt, maybe his patch got declined?

1. Theo is a tyrant, it's called BDFL.

2. OpenBSD didn't start with security, they became security nuts after they got hacked.

3. You can modify the code, just because Theo doesn't accept your patch doesn't make the project North Korea or Microsoft.

4. Being told to fuck off because you spam the mailing list with stupid questions is not a bad thing.

5. An entire paragraph complaining about permissive licencing, no one is stopping you from forking or running your fork in the real world as proof.

6. wideopenbsd.org doesn't exist anymore.

7. OpenBSD is slower but not extremely slow, that all depends on what you want to do, if you rely on single threaded syscalls then yes, if you're running multithreaded userland then no, either way large parts of OpenBSD have been multithreaded now.

8. Crashing when unexpected things happen is good and secure, you are much better off crashing than continuing to run in an inconsistent state.

9. Gnome3 has a dedicated guy that specifically ports to OpenBSD, the other BSDs use OpenBSD's port. This must be super outdated.

10. OpenBSD does have 3D acceleration

11. No one has been able to determine that random FBI backdoor

12. pf is based off ipf, not iptables

I don't get it, this guy has said nothing true, did he get called a faggot by Theo?

...

github.com/thestinger/linux-hardened/issues

They basically want to put features in before they are being upstreamed.
This is a community effort to get grsecurity&PaX features in before so it's easier to upstream it since this will be following mainline and not stuck on 4.9.X LTS.
Anyway if you want to help you should try it.

probably.

You CIA MIT niggers don't know shit.

Yeah, in like the late 90's. It's been public domain and developed in the Linux world for almost 15 years. If they managed to sneak in a backdoor for that long, nothing is safe.

Nobody cares, so long as OpenBSD stays afloat.

OpenBSD doesn't even support luks iirc.

So grsecurity was considered a pretty important security patch to the linux kernel, does a fork exist? I presume OP is the best alternative yet.

How outdated is the 4.9 kernel?
Could someone explain to a dumb end user if it would be better to use the latest kernel security-wise, OP or the last public grsecurity patch as it's still only about a month old?
I reformatted and only found out about this now.
Seriously, what do I do?

Is now a bad time to install hardened gentoo because of grsecurity? Also is SELinux overkill?

Kernel version 4.9 is a long term support kernel; it will receive patches at least until January 2019, and possibly after then. So it is feasible for a distro to continue using the grsecurity 4.9 patch until 2019 at least. Past then, using grsecurity will involve using a kernel that may not receive bug fixes for vulnerabilities, which is not a good idea no matter how secure grsecurity is.

IIRC there are people working to port the 4.9 patch going forward, and some people are trying to merge grsecurity with the kernel self protection project. So we've got at least two years for them to get that up and running before grsecurity is no longer an option.

No shit m8, they have FDE by their softraid utility.

Nah, Kernel hardening does more than just help mitigate kernel exploits, it helps a lot with making sure applications behave correctly.

Unless there is a particularly bad exploit you'd be better off with an older hardened kernel.