Best Grsecurity settings without breaking mint?

alexofthewest

Re: Best Grsecurity settings without breaking mint?

Post by alexofthewest »

Just so I am understanding this right, refcontrol blocks the ability of the second site you visited from seeing the http you came from? The one you linked seems to be in German, is there an English version?
Cosmo.
Level 24
Posts: 22968
Joined: Sat Dec 06, 2014 7:34 am

Re: Best Grsecurity settings without breaking mint?

Post by Cosmo. »

waynea
Level 3
Posts: 135
Joined: Mon Oct 14, 2013 11:49 am

Re: Best Grsecurity settings without breaking mint?

Post by waynea »

500 wrote:I installed mint 17.3 64-bit. Compiled grsecurity into the corresponding 4.2.7 kernel, set it up using default automatic settings, and installed the kernel. It made mint crash on loading up. I had to disable a Pax setting to allow it to boot. But it still broke other things like synaptic, file explorer open as root, and virtualbox.
Can someone share the perfect settings they did on grsecurity, to make it play nice on mint? I am sick of changing the settings one by one and compiling each time, each compile takes a few hours and it is getting tedious.
The guide I used was this one: http://www.insanitybit.com/2012/05/31/c ... rsecurity/

It works perfectly with the exception of breaking the update manager GUI, so you have to install from CLI. (need to understand why that is...)
Cosmo.
Level 24
Posts: 22968
Joined: Sat Dec 06, 2014 7:34 am

Re: Best Grsecurity settings without breaking mint?

Post by Cosmo. »

waynea wrote:so you have to install from CLI
That gives the risk, that this will break even more in the future. This is not advisable.
waynea
Level 3
Posts: 135
Joined: Mon Oct 14, 2013 11:49 am

Re: Best Grsecurity settings without breaking mint?

Post by waynea »

Cosmo. wrote:
waynea wrote:so you have to install from CLI
That gives the risk, that this will break even more in the future. This is not advisable.
It also breaks the Users and Groups GUI. Again, it works OK from Terminal.
I suspect that these breakages relate to one specific setting within GRsec...
offthegrid

Re: Best Grsecurity settings without breaking mint?

Post by offthegrid »

Cosmo. wrote:An ad-blocker like ublock origin does not block anything on its own, but it needs filters to do that; the add-on "only" provides the interface for the filters. Instead of creating filters on your own you usually subscribe to filter-lists. UB-O comes by default with a good choice of lists, especially EasyPrivacy. A good filter list to add is Fanboy’s Enhanced Tracking List.
You can actually block most things using ublockO without filter lists if that is someone's prerogative. You just tell it you are an advanced user and block the 3rd party sites that are responsible for the ads.
ZakGordon
Level 5
Posts: 925
Joined: Thu Feb 12, 2015 11:07 am

Re: Best Grsecurity settings without breaking mint?

Post by ZakGordon »

Habitual wrote:
500 wrote:I was told Grsecurity will stop keyloggers.
There is NO Security without Physical Security.
Pwning Past Whole Disk Encryption
What's grsecurity going to do for the "evil maids" of this world?
from that article:
I tried this on a friend of mine and managed to steal his disk encryption passphrase, the contents of his passwd and shadow files, SSH credentials for a couple of different servers, and his GnuPG secret key and passphrase. I also got reverse root shells sent to me at regular intervals. I finished up by putting a document on his desktop, digitally signed with his own PGP key, containing his disk encryption passphrase and a link to a defaced page on his web server. All it took was about 10 minutes of physical access while his computer was turned off (and of course, countless hours developing this attack beforehand). I have since apologized to him, and he has still been unsuccessful at pwning me back.

This same technique will work for any Linux distribution that uses dm-crypt for whole disk encryption, which is included by default in Ubuntu, Debian, Fedora Core, and likely others. I’m only focusing on Ubuntu because it’s popular, and that happens to be what my friend was using.
With friends like that......!

@500 i have nothing to add to help your problem, BUT yes i would say i was surprised at the lack of additional security when i started using Mint.

For example the fact the firewall is not(!) set up by default during install, you have to do it manually (and that can be slightly confusing to a newcomer to Mint/Linux). That seemed pretty freakish to me. Or the fact there are no inbuilt antimalware scanners (and very little seemingly available in general).

But this is speaking as an ex Windows user that got used to dealing with a whole battery of security products as normal SOP in daily use, just because Windows was such an easy target for malware in general. The amount of times i've had my Windows PC's get pwnd has increased over time, but in general it was a rare week when my tools and scans did not find anything, and this is not just on my own PC's that i know where they go when online (so just 'safe' sites etc).

This is a typical windows setup of mine:

A Top scoring firewall (active)
A top scoring always on Antivirus (active, with various layers of running protection - email scanners/sandbox mode etc)
3 of the best in class Antimalware scanners (1 active, 2 passive)
6 specific case threat analysis and treatment tools (for dealing with the hard to remove stuff, all passive on demand)

ALL browsers used to block flash/run NoScript by default, with additional add-on/plugins for security related issues (all well reviewed and written about).

And finally (on my own PC's) good end user operations to minimize infection rate, NO visits to shady websites, NO falling for silly scams in your email, NO just clicking on stuff out of habit etc.

With all that i'd get a few minor infections every few weeks, and maybe a real nasty one every six months (nuke from orbit required etc).

That is a normal windows situation, so here is my going on 10 month old Mint setup:

A firewall that i had to configure myself (i wanted the GUI for my ease of use), and there seems to be only this firewall(!) I don't know how it 'scores' vs other firewalls i've used.

A third party on demand antivirus scanner i had to do some pretty hard searching for (not many options out there). I know this in general is frowned upon in Linux/Mint circles (these products can become vectors themselves etc), BUT i do basically all my internet based stuff on Mint now but still use Windows and transfer files to those via Mint, so i do 'need' some kind of file scanner to help ensure i'm not passing nasty stuff to my fragile (security related) Windows OS.

In 10 months of Mint use i have yet to get anything nasty running, certainly nothing that is easily noticeable (in theory i could be running an infected machine, but not one with the usual hallmarks of a compromised machine, based on my experience in Windows). That is 10 months of completely trouble free internet based computer use. That is a rare and precious thing in my experience as a Windows user!

So while i too would love many more options in terms of security from malware in Linux, it seems indeed the basic principles on which the OS is built makes it more secure in general?

Still, let us keep in mind that just a few months ago now the whole Mint fabric was attacked and compromised, so maybe security of this awesome stable and solid OS is pushed further to the front of the concerns of those that have gone to all the trouble of creating it? Or in other words please ensure at least a firewall is easily made active during install (you know make it REALLY easy, like for a spoon fed windows user like i used to be!).

I'm intrigued about Ubuntu having appArmor, that is a pretty solid bit of software which might be nice to have available for Mint?
Laptop overheating? Check link here:itsfoss guide . Also a move from Cinnamon to XFCE can give a -5 to -10 degrees C change on overheating hardware.

Build a modern dual-boot Ryzen Win7/Linux Mint PC:Tutorial
ZakGordon
Level 5
Posts: 925
Joined: Thu Feb 12, 2015 11:07 am

Re: Best Grsecurity settings without breaking mint?

Post by ZakGordon »

alexofthewest wrote:-how to actually use noscript? I find myself just turning off for every website...
It is sort of a strange art. For example when you visit a site and look at the noscript icon it will list maybe a bunch of things it is currently 'blocking'. Here on the Linuxmint forums as i type it is blocking 'linuxmint.com'.

Now if i wanted/needed to i would choose to use the 'temporarily allow Linuxmint.com' option to stop that blocking, if say it was interfering in the way linux mint forums were working. It works fine as is so i leave NoScript to do its thing.

Many sites will have a huge list of (mostly) ad based, metrics/data gathering based things NoScript is blocking, and the worst sites will require you unblock those to get functionality for that website. When it seems a minefield of things to unblock or not, as long as you trust the site it can be ok to select 'temporarily allow all this page'. Sometimes, on the worst sites, this brings in a fresh new batch of things to unblock to get site functionality, so you go through the process again.

Sometimes it is a case of knowing just how many things you need to 'unblock' for site functionality without having to allow everything. For example i know that for the Photobucket website to work for me i have to 'temporarily allow' both photobucket.com and pbsrc.com before i can actually log in and use the site, all the other stuff NoScript blocks on that site is fine to leave 'blocked'.

So you get to know what certain sites require as you use it. I've been using NoScript for many years and it takes a bit of trial and error, where 'error' would be ever choosing something like 'permanently allow all this page' etc. I only ever give 'temporary' permissions as i care about the security NoScript is giving my browser. This is more legwork for me, and if someone prefers to use the 'permanently allow' options that is their call and not necessarily a bad thing, i just don't trust any website that much (say at some point that site gets compromised and bad code is set to run for visitors, you've given it permission).

Edit: at the end of my internet using day i always make sure to go into NoScript (via the icon) and select 'Revoke Temporary Permissions' to ensure it sets back to default 'block all'.

Some other Firefox add-ons i've used to maybe look at:

BetterPrivacy - helps remove 'super cookies' that are hard to get rid of by normal in-browser means
Ghostery - helps block online tracking
FlagFox - allows you to cross reference a site's geo-location (to help if needed determine that site's legitimacy etc)
offthegrid

Re: Best Grsecurity settings without breaking mint?

Post by offthegrid »

waynea wrote:
500 wrote:I installed mint 17.3 64-bit. Compiled grsecurity into the corresponding 4.2.7 kernel, set it up using default automatic settings, and installed the kernel. It made mint crash on loading up. I had to disable a Pax setting to allow it to boot. But it still broke other things like synaptic, file explorer open as root, and virtualbox.
Can someone share the perfect settings they did on grsecurity, to make it play nice on mint? I am sick of changing the settings one by one and compiling each time, each compile takes a few hours and it is getting tedious.
The guide I used was this one: http://www.insanitybit.com/2012/05/31/c ... rsecurity/

It works perfectly with the exception of breaking the update manager GUI, so you have to install from CLI. (need to understand why that is...)
I used the insanitybit guide using the custom settings he recommends, though I couldn't enable kernexec. The only issue I have is that my password manager - enpass (similar to keepass) doesn't work so I had to move back to LastPass. I'm using it with 4.4.7
waynea
Level 3
Posts: 135
Joined: Mon Oct 14, 2013 11:49 am

Re: Best Grsecurity settings without breaking mint?

Post by waynea »

offthegrid wrote:
waynea wrote:
500 wrote:I installed mint 17.3 64-bit. Compiled grsecurity into the corresponding 4.2.7 kernel, set it up using default automatic settings, and installed the kernel. It made mint crash on loading up. I had to disable a Pax setting to allow it to boot. But it still broke other things like synaptic, file explorer open as root, and virtualbox.
Can someone share the perfect settings they did on grsecurity, to make it play nice on mint? I am sick of changing the settings one by one and compiling each time, each compile takes a few hours and it is getting tedious.
The guide I used was this one: http://www.insanitybit.com/2012/05/31/c ... rsecurity/

It works perfectly with the exception of breaking the update manager GUI, so you have to install from CLI. (need to understand why that is...)
I used the insanitybit guide using the custom settings he recommends, though I couldn't enable kernexec. The only issue I have is that my password manager - enpass (similar to keepass) doesn't work so I had to move back to LastPass. I'm using it with 4.4.7
what has your experience been with GRsecurity?
offthegrid

Re: Best Grsecurity settings without breaking mint?

Post by offthegrid »

Positive. It does break some things but not enough for me to go without it.
waynea
Level 3
Posts: 135
Joined: Mon Oct 14, 2013 11:49 am

Re: Best Grsecurity settings without breaking mint?

Post by waynea »

offthegrid wrote:Positive. It does break some things but not enough for me to go without it.
I would agree with that. I use Keepass BTW and it works perfectly.