# Alternative to grsecurity

## Fulgurance

Hello, I have just one question. Now that grsecurity has stopped giving out its hardened kernel, is there an alternative, with a patch for the Linux kernel?

----------

## krinn

There's just none, and grsecurity was used in hardened Gentoo, but grsecurity is not hardened; grsecurity is grsecurity.

----------

## fedeliallalinea

https://blogs.gentoo.org/ago/2017/08/21/sys-kernel-grsecurity-sources-available/

----------

## toralf

 *Fulgurance wrote:*   

> Hello, I have just one question. Now that grsecurity has stopped giving out its hardened kernel, is there an alternative, with a patch for the Linux kernel?

Yes. Just always use the latest stable vanilla kernel; it has matured a lot in the meantime.

----------

## mirekm

There is a patch for the latest kernel of version 4.9.

You can find it at:

https://github.com/dapperlinux/dapper-secure-kernel-patchset-stable/releases

This patch contains 2 parts. Before making an ebuild you have to split these parts, because otherwise the ebuild will not work.

Unfortunately, this patch is not compatible with the Meltdown and Spectre fixes.

----------

## depontius

Kernel developer Kees Cook has been working at getting security assists into the mainline kernel. Some of this has been from GRSecurity, some not. He has kernel configuration recommendations for the mainline vanilla sources (applies to gentoo-sources as well) here: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

It's not everything in GRSecurity, but it's better than default, and it's a work-in-progress.

----------

## Fulgurance

Vanilla sources??? Why? I think it's just the Linux kernel without any patches? Is it dangerous for security to use a testing package?

----------

## Ant P.

If you don't trust the mainline kernel, how can you trust a distro-patched one? gentoo-sources doesn't magically make the system more secure, it only adds non-security features, and it'd be a hugely irresponsible thing if it did apply security patches without upstreaming them.

----------

## depontius

GRSecurity is another layer, and should be considered one of several/many, not THE security layer.

----------

## abduct

 *depontius wrote:*   

> Kernel developer Kees Cook has been working at getting security assists into the mainline kernel. Some of this has been from GRSecurity, some not. He has kernel configuration recommendations for the mainline vanilla sources (applies to gentoo-sources as well) here: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
> 
> It's not everything in GRSecurity, but it's better than default, and it's a work-in-progress.

 

Are these settings relatively safe, or will they hamper the daily use of a system in a way that it becomes a chore to use? Back when I was using the hardened sources in 3.xx it seemed as if I had to fight the system to do basic things. Most of those troubles went away after starting fresh with the latest gentoo-sources. Not sure if they were specifically the kernel's fault or not.

Also, how bad is the performance impact? For a few of these there are warnings that they could affect system performance.

I have quite a few of the common ones enabled, but things like the kernel hacking debugs and slub/slab/page poisoning I don't.

----------

## ct85711

 *Quote:*   

> Are these settings relatively safe, or will they hamper the daily use of a system in a way that it becomes a chore to use?

 

This is the key issue that any admin has to decide: what level of security vs. usability is acceptable. As you increase the level of security, the more of a chore using the system becomes, and vice versa. All security choices are going to have a cost in usability; some may not be as visible. Take a firewall for an example: having a firewall by itself adds some latency to your network (may not be noticeable right away, but it is there). Now a firewall has an additional cost depending on how restrictive the rules set up on the firewall are (i.e. additional latency cost, possible restrictions on network communication, etc.). When you get around to the mitigations for the Meltdown hassle, it is much easier to see the cost (noticeable to significant performance loss).

In the end, you are going to need to sit down and go over what threats are applicable/important to you. For example, I consider the threat of a virus on my machine to be minimal, so I am not worried about having an anti-virus. Most of the Meltdown stuff is only minor (as my primary threat is through the network; if it got through the firewalls, then the network and systems are compromised anyways). It is only me that has physical access, so no threat that I need to be concerned about on that side. I've heard others have a different threat analysis, to the point where they air-gap their machine completely.

----------

## depontius

 *abduct wrote:*   

>  *depontius wrote:*   Kernel developer Kees Cook has been working at getting security assists into the mainline kernel. Some of this has been from GRSecurity, some not. He has kernel configuration recommendations for the mainline vanilla sources (applies to gentoo-sources as well) here: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
> 
> It's not everything in GRSecurity, but it's better than default, and it's a work-in-progress. 
> 
> Are these settings relatively safe, or will they hamper the daily use of a system in a way that it becomes a chore to use? Back when I was using the hardened sources in 3.xx it seemed as if I had to fight the system to do basic things. Most of those troubles went away after starting fresh with the latest gentoo-sources. Not sure if they were specifically the kernel's fault or not.
> ...

 

I've been running this way for some time now, and don't notice any problems. I'm not a gamer, though.

----------

## abduct

@depontius:

Have you had any issues with virtual machines (qemu) or the like with these settings? Also do you use the GCC plugins portion as well?

I think I might backup my config and try out all the suggested settings on 4.17.9, but I am not sure if I want to use the GCC plugins settings. I would imagine I would have to emerge @world and rebuild every package for them to take effect anyways.

Also what do you suggest for sysctl tuning. Is local.d proper or should sysctl.conf be used instead? I imagine they are more or less the same thing.

Edit: Also, how do you tell if your system needs loadable module support? I've always compiled everything into the kernel (never selecting <M>), so I figure it's safe to turn it off.

Unless it's needed for some kind of intel display drivers or something.

----------
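depontius points to the KSPP recommended-settings page and abduct asks how to tell whether his kernel follows it and where sysctl tuning belongs. The audit script below is an added example by the editor, not code from the thread, from KSPP or from Gentoo. It compares a saved kernel .config (for instance /usr/src/linux/.config, or the output of `zcat /proc/config.gz` when CONFIG_IKCONFIG_PROC is enabled) and the live sysctl values against a subset of the options the KSPP page lists for the 4.x x86_64 kernels discussed here. The subset, the alternate option names and the minimum sysctl values are the editor's reading of that page, which is authoritative and changes between kernel releases; extend the two lists from it. The .config the script checks itself against is constructed for the demonstration. On the sysctl question: on an OpenRC system the `sysctl` service applies /etc/sysctl.conf and /etc/sysctl.d/*.conf at boot, so that is where these values belong, not in a local.d script. The GCC plugins (CONFIG_GCC_PLUGIN_*) are selected in the kernel config and instrument the kernel build only.

```shell
#!/bin/sh
# Added example (editor's, not from the thread or KSPP): audit a kernel .config
# and the running sysctl values against a subset of the KSPP recommendations.
# Option names follow the 4.x x86_64 kernels discussed in the thread; the
# wiki page is authoritative, extend these lists from it.

# NAME=y: must be built in.  NAME=n: must be absent ("is not set").
# Alternatives separated by '|' cover renames (CC_STACKPROTECTOR_STRONG became
# STACKPROTECTOR_STRONG in 4.18).  RANDSTRUCT changes struct layouts per build,
# so out-of-tree modules must be rebuilt against the exact same kernel.
KSPP_CONFIG="
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_STACKPROTECTOR_STRONG|CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_VMAP_STACK=y
CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_SECURITY_YAMA=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y
CONFIG_DEVMEM=n
CONFIG_ACPI_CUSTOM_METHOD=n
CONFIG_MODIFY_LDT_SYSCALL=n
CONFIG_KEXEC=n
"

# key=minimum, checked as "current value >= minimum".  perf_event_paranoid=2
# is the upstream maximum.  ptrace_scope only exists when Yama is built in.
KSPP_SYSCTL="
kernel.kptr_restrict=1
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=2
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
kernel.yama.ptrace_scope=1
kernel.kexec_load_disabled=1
"

# audit_kconfig FILE: print one line per deviation, return their count.
audit_kconfig() {
    cfg=$1 fails=0
    for want in $KSPP_CONFIG; do
        names=${want%=*} state=${want##*=}
        if [ "$state" = y ]; then
            if ! grep -qE "^(${names})=y\$" "$cfg"; then
                echo "MISSING  $names should be =y"; fails=$((fails + 1))
            fi
        elif grep -qE "^(${names})=[ym]\$" "$cfg"; then
            echo "ENABLED  $names should not be set"; fails=$((fails + 1))
        fi
    done
    return $fails
}

# check_sysctl ROOT: compare live values under ROOT (normally /proc/sys)
# with the minimums above; a missing file counts as a failure too.
check_sysctl() {
    root=${1:-/proc/sys} fails=0
    for want in $KSPP_SYSCTL; do
        key=${want%=*} min=${want##*=}
        path="$root/$(printf %s "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "ABSENT   $key (not built in or not readable)"; fails=$((fails + 1))
        elif [ "$(cat "$path")" -lt "$min" ]; then
            echo "WEAK     $key = $(cat "$path"), want >= $min"; fails=$((fails + 1))
        fi
    done
    return $fails
}

# Constructed sample .config for the demonstration (not a real Gentoo config).
make_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_SLAB_FREELIST_RANDOM=y
# CONFIG_SLAB_FREELIST_HARDENED is not set
CONFIG_VMAP_STACK=y
CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_SECURITY_YAMA=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
# CONFIG_GCC_PLUGINS is not set
CONFIG_DEVMEM=y
# CONFIG_ACPI_CUSTOM_METHOD is not set
CONFIG_MODIFY_LDT_SYSCALL=y
# CONFIG_KEXEC is not set
EOF
}

# Demo: audit the constructed sample (swap in /usr/src/linux/.config for a
# real kernel), then the live sysctl tree of whatever this runs on.
sample=$(mktemp)
make_sample_config "$sample"
audit_kconfig "$sample" || echo "kconfig: $? deviation(s) from the KSPP subset"
rm -f "$sample"
check_sysctl /proc/sys || echo "sysctl: $? value(s) below the recommended minimum"
```

The two checks are deliberately separate: the .config audit says what the kernel was built with, the sysctl check says what is in effect right now, and a value that is fine at boot can be loosened later by anything running as root. Run `check_sysctl` again after the sysctl fragment has been installed to confirm it actually took.

----------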

## depontius

I don't use virtual machines, so I wouldn't know about issues.

I do enable the gcc plugins.  I first started using these recommendations some time ago, and since then I've done several gcc upgrades.  Particularly after gcc-7.3 went stable I wanted to do a complete rebuild to get the Spectre mitigations into my system.  So I'm covered on that one.

When I posted the link I looked, and it appears that the sysctl changes have changed since I did mine.  When I did it, the sysctl stuff looked like alternatives to some of the kernel config options, which I'd already done.  I need to reexamine this.

I have loadable modules. Once upon a time Gentoo had better module support than it does now, and included a way to automate module parms. That also let you unload and tweak the parms, for testing without rebooting. Of course my audio has been stable for a while, so I haven't had to do that in ages. Everything is a risk; I haven't gotten to the level of doing away with modules. On the other hand, I have the kernel build sign my modules, and require that signature. What's more, immediately after the kernel build I "rm certs/signing_key.*", so after the kernel build no new module can ever be built for that kernel ever again. I locked the kernel and threw away the key.

----------
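depontius's approach (sign modules at build time, require the signature, then delete the key) can be verified after the fact. The script below is an added example by the editor, not depontius's own commands and not part of the kernel tree: it checks that installed modules carry the appended-signature marker that scripts/sign-file writes, that the running kernel actually enforces signatures, and that the build tree no longer holds the private key. The Kconfig names, the marker string and the /sys path are the real ones; /usr/src/linux as the default source directory is Gentoo's convention and assumed; the two module files it checks itself against are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): check the "sign modules,
# require the signature, delete the key" setup described above.
#   CONFIG_MODULE_SIG=y        verify signatures at load time
#   CONFIG_MODULE_SIG_FORCE=y  refuse unsigned or badly signed modules
#                              (without it a bad module only taints the kernel)
#   CONFIG_MODULE_SIG_ALL=y    sign every module during modules_install
# scripts/sign-file appends the PKCS#7 blob, a small header and this marker:
SIG_MAGIC='~Module signature appended~'

# module_is_signed FILE: 0 if FILE ends with the marker (plus newline).
# This only says a signature is attached, not that the kernel trusts it;
# the running kernel decides that at load time.  Decompress .ko.xz/.ko.gz
# modules before checking them.
module_is_signed() {
    [ "$(tail -c 28 "$1" | tr -d '\000')" = "$SIG_MAGIC" ]
}

# check_modules_dir DIR: list unsigned modules on stderr, print their count.
check_modules_dir() {
    dir=${1:-/lib/modules/$(uname -r)} n=0
    for ko in $(find "$dir" -name '*.ko'); do
        if ! module_is_signed "$ko"; then
            echo "UNSIGNED $ko" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# sig_enforce_active: 0 if the running kernel refuses unsigned modules.
# With MODULE_SIG_FORCE this reads Y and is read-only; without it the same
# effect needs module.sig_enforce=1 on the kernel command line.
sig_enforce_active() {
    [ "$(cat /sys/module/module/parameters/sig_enforce 2>/dev/null)" = Y ]
}

# signing_key_removed SRCDIR: 0 when the autogenerated private key is gone.
# The default MODULE_SIG_KEY is certs/signing_key.pem; if you changed it,
# check that path instead.  A later `make` regenerates a fresh key, and
# modules signed with it are rejected by the already-running kernel, which
# is exactly the "threw away the key" property.
signing_key_removed() {
    [ ! -e "${1:-/usr/src/linux}/certs/signing_key.pem" ]
}

# Constructed sample modules (not real ELF objects): one with the marker
# appended the way sign-file does, one without.
make_sample_modules() {
    printf 'fake module body\n%s\n' "$SIG_MAGIC" > "$1/signed.ko"
    printf 'fake module body, nothing appended\n' > "$1/unsigned.ko"
}

# Demo against the constructed samples; point check_modules_dir at a real
# /lib/modules/<version> tree to audit an installed kernel.
tmp=$(mktemp -d)
make_sample_modules "$tmp"
echo "unsigned modules in sample: $(check_modules_dir "$tmp" 2>/dev/null)"
rm -rf "$tmp"
if sig_enforce_active; then echo "running kernel enforces module signatures"
else echo "running kernel does NOT enforce module signatures"; fi
if signing_key_removed; then echo "no signing key left in /usr/src/linux"
else echo "signing key still present in /usr/src/linux/certs"; fi
```

`modinfo -F signer some.ko` shows which certificate a module was signed with, which is handy when more than one kernel build has been installed. Note what this setup covers: it closes the module-load path only. A root process can still reach kernel memory through other routes, such as /dev/mem without CONFIG_STRICT_DEVMEM or a kexec into an arbitrary kernel, which is why the KSPP list disables those as well.

----------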

## krinn

Security also depends on what you are securing.

It makes sense to disable module loading on a server where, for security, you are not supposed to plug in something like that; hence you don't need modules, because you are not supposed to handle new hardware that would randomly be added.

But for a desktop computer, it makes sense to use modules and makes sense to plug in random hardware at will (USB disk, USB wifi cards or whatever).

Just like it makes sense to encrypt your desktop partition where you store your documents, it makes less sense to encrypt a server that holds nothing personal.

But strictly speaking about security, you can only claim encryption should be used. This doesn't mean all users have to encrypt their server.

You should have had a shop with mustard gas to really see that security must be balanced, because the first time you were not fully awake and entered your shop and got the gas in your face, and all your goods were lost because the smell will never come off, you'd realise that the stupid ringing-bell security was really doing a better job; but yes, on paper, that mustard gas cannot be better. You even almost died to see that they didn't lie: nobody not equipped with a mask could rob you, and even with one, nobody could use or sell anything with such a smell on it, but this includes you.

----------

## abduct

Hmm, I guess I will need to test this out on actual hardware. Most of the changes besides the GCC plugins are easily reversible, so maybe I will set aside some time and test it out.

How did you end up doing a full system rebuild, by the way? I don't think I've ever done one since upgrading GCC. It would be nice to know for after I enable the plugins later on.

----------

## depontius

"emerge -e @system" followed by "emerge -e @world". That was after the regular gcc upgrade, including "emerge -1 libtool". Yes, there were multiple rebuilds of multiple packages, but I was off in the real world while my computer was chugging away at its rebuilds.

I really need to read Kees Cook's guide again.  I know the sysctl stuff has changed, but I don't know what else might have.

----------

## depontius

 *krinn wrote:*   

> security depends also what you are securing.

 

My server is in my basement.  If someone evil gains physical access to my server, I've got a way bigger problem than my computer - I've got an intruder in my house.  Prioritize your problems.

----------

