Thanks to everyone involved in the Gentoo Hardened project, especially
Spender and Pax Guy, for the effort and guidance throughout the years. The
anecdotes shared in this thread echo my own experiences to a degree, and
I've learned a lot about computer security by trying to get the grsec RBAC
syste
Hello, Robert.
Do you have the package "app-admin/setools" installed? If so, you can run
"cat /var/log/audit/audit.log | audit2why" to get an explanation of why the
denials occur, with suggestions for fixing them.
Of course, if your system is logging AVC denials elsewhere, adjust the
command acco
That sounds rad...
You'll need a [robust?] box with decent bandwidth... I'm not doing much
with mine...
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Fri, 24 Apr 2009, ironicf...@earthlink.net wrote:
Date: Fri, 24 Apr 2009 15:00:45 -0400 (EDT)
Fro
nd re-reading the original message real quick, methinks
that this would fall under the "Ugly" category...
Blah...
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Fri, 24 Apr 2009, Aaron Leonard wrote:
Date: Fri, 24 Apr 2009 13:51:45 -0500
From: Aaron Leonard
To:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
I'd like to go eventually... perhaps next month? I might even know some
Perl by then...
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Tue, 13 Jan 2009, Andrew Moore wrote:
Date: Tue, 13 Jan 2009 17:21:45 -0600
ithin cron.
hth
- -brant
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Sat, 10 Jan 2009, Chris O'Regan wrote:
Date: Sat, 10 Jan 2009 00:51:47 -0500
From: Chris O'Regan
Reply-To: gentoo-security@lists.gentoo.org
To: gentoo-security@lists.gentoo.org
Subject:
running, are you perhaps trying
to run gradm in learning mode while the RBAC system is already active?
Hrm...
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Sun, 23 Nov 2008, brant williams wrote:
Date: Sun, 23 Nov 2008 16:38:16 -0600 (CST)
From: brant williams
"rx" will still not allow you to write
to the file.
You might want to take a look at this[1] link...
[1] http://www.grsecurity.net/wiki/index.php/GrsecurityRBACObjModes
Hope that helps...
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Sun, 23 Nov 2008, [EMAIL PR
/usr/portage/profiles/package.mask
# Bryan Stine <[EMAIL PROTECTED]> (26 Apr 2007)
# Masked until it works with current baselayout and
# application locations.
app-admin/bastille
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Fri, 24 Oct 2008, Chris PeBenito
Well, that would explain the lack of logs...
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Wed, 8 Oct 2008, RB wrote:
Date: Wed, 8 Oct 2008 09:59:34 -0600
From: RB <[EMAIL PROTECTED]>
Reply-To: gentoo-ha
issue. I just installed "net-misc/dhcpcd"
on my grsec box, but do not see a way to run it chrooted. Can you share
your configuration/installation steps?
Tschuess!
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Wed, 8 Oct 2008, Markus Bartl wrote:
Date: Wed,
Riker (to Worf): "You /do/ still remember how to fire phasers...?"
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Tue, 7 Oct 2008, James Matthews wrote:
> Date: Tue, 7 Oct 2008 23:25:08 -0700
> From
You might also have turned on socket restrictions...
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Mon, 6 Oct 2008, Markus Bartl wrote:
Date: Mon, 06 Oct 2008 17:04:15 +0200
From: Markus Bartl <[EMAIL PROTEC
Did you enable any chroot restrictions in the kernel config?
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Mon, 6 Oct 2008, Markus Bartl wrote:
Date: Mon, 06 Oct 2008 17:04:15 +0200
From: Markus Bartl <[EM
dress:4.2.2.2#53
Non-authoritative answer:
Name: gentoo-portage.com
Address: 69.31.133.16
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Sun, 13 Apr 2008, Fabiano - deStilaDo wrote:
Date: Sun, 13 Apr 2008 23:14:24 -0300
From: Fabiano - deStilaDo <[EMAIL PROTECTED]>
Just the right message for a security-minded list! And on April Fool's!
=)
This reminds me of a recent Wired article[1].
Cheers!
[1]
http://www.wired.com/politics/security/commentary/securitymatters/2008/03/securitymatters_0320
SUN8x16=y
# CONFIG_FONT_SUN12x22 is not set
# CONFIG_FONT_10x18 is not set
CONFIG_LOGO=y
# CONFIG_LOGO_LINUX_MONO is not set
# CONFIG_LOGO_LINUX_VGA16 is not set
# CONFIG_LOGO_LINUX_CLUT224 is not set
CONFIG_LOGO_SUN_CLUT224=y
# CONFIG_FB_SPLASH is not set
brant williams
FCAA CDCA 20BC 3925 D634
What kind of 'update' did you run? Can you detail what you did before the
change occurred?
You might need to update sshd_config or /etc/init.d/sshd... weird, though.
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
d will try to get additional information.
I'll also test with 2.6.24 and recheck my configs.
As for web-rsync, I've never used it nor had the need... eix-sync has been
working fine for several months now.
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Wed, 6
Along with a similar post[1] from December, these all seem to be rsync
related...
[1]
http://www.nabble.com/PAX%3A-suspicious-general-protection-fault-tt14133006.html
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On
files, though, it looks like I may have rushed
through too quickly (sdiff attached).
I've got a screenshot of the log entry that occurred right before the
crash (png attached), and can provide the System.map and kernel image to
you off-list if that would help.
Thank you for your effort
You should recompile your kernel and choose a different gid for tpe
(anything above 1024 would be a good choice). Alternatively, you could
turn the feature off. ;)
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Thu
r the errors you get.
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Mon, 31 Dec 2007, Peter Humphrey wrote:
Date: Mon, 31 Dec 2007 17:44:14 +
From: Peter Humphrey <[EMAIL PROTECTED]>
Reply-To: gentoo-hardened@lists.gentoo.org
To: gentoo-hardened@lists.gento
icy.
The error message is the key... ;)
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Mon, 31 Dec 2007, Peter Humphrey wrote:
Date: Mon, 31 Dec 2007 16:48:33 +
From: Peter Humphrey <[EMAIL PROTECTED]>
Reply-To: gentoo-hardened@lists.gentoo.org
To:
If grsec is denying the write, it should show up in your syslog. Are you
running grsec's RBAC system?
Can you paste the error you're referring to?
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Mon, 3
nd then see if there are any more of these log
entries. I believe the daemon also connects to port 113 (forgot which
protocol) for each incoming connection.
If it happens again, you can also check current connections with
netstat(1) to see what sshd is doing.
brant williams
FCAA CDCA 20BC 3925
Hi Grant,
What does /var/log/kern.log show?
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Fri, 28 Dec 2007, Grant wrote:
Date: Fri, 28 Dec 2007 07:33:10 -0800
From: Grant <[EMAIL PROTECTED]>
Reply-To: gentoo-ha
So... yes. X needs direct (privileged) access to video hardware (and
hence DRI).
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Tue, 25 Dec 2007, Christian Heim wrote:
Date: Tue, 25 Dec 2007 01:53:25 +
From
`?
Also, what steps have you taken so far? You said that you just chrooted
into this system; are you just now doing this from the install disc? You
might want to compile a kernel and make sure the box will boot without the
install disc before emerging other packages or changing the profile.
bran
please send your request to [EMAIL PROTECTED]
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Thu, 6 Dec 2007, momentics wrote:
Date: Thu, 6 Dec 2007 22:34:42 +0300
From: momentics <[EMAIL PROTECTED]>
Reply-To: gentoo-hardened@lists.gentoo.org
To: gentoo-ha
Wouldn't you want the symlink to be to /etc/make.profile and not
/etc/make.conf?
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Tue, 27 Nov 2007, John Eckhart wrote:
Date: Tue, 27 Nov 2007 16:12:58 -0500
From: John Eckhart <[EMAIL PROTECTED]>
Reply
If you have gentoolkit installed on another box, you can do
`quickpkg gcc`
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Wed, 19 Sep 2007, Shawn Haggett wrote:
Date: Wed, 19 Sep 2007 22:55:23 +0930
From: Shawn
Yeah, sorry, I'm a dufus. Re-read your original message...
Do you have 'gentoolkit' installed? If so, you might want to run
`revdep-rebuild` which will scan the linking on your system and re-emerge
any needed packages.
bran
/profiles/default-linux/sparc/sparc32/2006.1/2.4
/etc/make.profile
emerge --sync # if you haven't yet
emerge -uDav world
emerge -av silo
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Tue, 18 Sep 2007, Aggelos wrote:
Date: Tue, 18 Sep 2007 00:42:52 +0300
you could post /usr/src/linux/.config and (if possible) any dmesg
output, that'd be great.
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Mon, 17 Sep 2007, Aggelos wrote:
Date: Mon, 17 Sep 2007 19:46:21 +0300
From: Aggelos <[EMAIL PROTECTED]>
R
fstab?
brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
On Sat, 25 Aug 2007, Bryan wrote:
Date: Sat, 25 Aug 2007 11:36:26 +0800
From: Bryan <[EMAIL PROTECTED]>
Reply-To: gentoo-sparc@lists.gentoo.org
To: gentoo-sparc@lists.gentoo.org
Subject: [gentoo-sparc] help for silo
did you use the same .config for both?
Public GPG/PGP key for Brant Williams: 0x88E1AA9E.
Available at your friendly local public keyserver.
On Fri, 6 Jul 2007, Natanael Copa wrote:
> Hi,
>
> Are anyone running 2.6.21-hardened-r3
hardened-2007.0_pre20070209.tar.bz2
ncftp ...al/x86/hardened/stages > pwd
ftp://ftp.osuosl.org/pub/gentoo/experimental/x86/hardened/stages/
This URL is also valid on this server:
ftp://ftp.osuosl.org/.1/gentoo/experimental/x86/hardened/stages/
later
Public GPG/PGP key for Brant Williams:
...and 'make modules'. 2.6 will make the modules when you do 'make', but
2.4 won't...
Public GPG/PGP key for Brant Williams: 0x88E1AA9E.
Available at your friendly local public keyserver.
On Sun, 17 Jun 2007, René Rhéaume wrote:
> I did an experiment by bu
What steps are you taking when running the kernel
configuration/compilation? You might have forgotten to do 'make dep'...
Public GPG/PGP key for Brant Williams: 0x88E1AA9E.
Available at your friendly local public keyserver.
On Sun, 17 Jun 2007, René Rhéaume wrote:
> I did an
What error(s) do you see?
Public GPG/PGP key for Brant Williams: 0x88E1AA9E.
Available at your friendly local public keyserver.
On Mon, 18 Jun 2007, René Rhéaume wrote:
> No, the problem was SCSI and SCSI disk support were built as modules,
> not in-kernel. Now, init runs, but e2fsc
configure a role to allow editing of [certain] system files?
Public GPG/PGP key for Brant Williams: 0x88E1AA9E.
Available at your friendly local public keyserver.
On Sun, 10 Jun 2007, Krzysztof Kozłowski wrote:
> Petre Rodan wrote:
> > - you're opening up a pandora'
inux policy for sudo
As you stated, they can be installed via modules...why not just emerge
what you need?
Not a very helpful response, I know... sorry. =)
You may want to look at the "targeted" policy... IIRC, that's where
SELinux was heading toward...
Public GPG/PGP key
I just emerged it with no problems. As for nptl, I'm running a 2.4
kernel. :)
Public GPG/PGP key for Brant Williams: 0x88E1AA9E.
Available at your friendly local public keyserver.
On Thu, 24 May 2007, [EMAIL PROTECTED] wrote:
> Are there any things to consider while upgrading
No luck last time so I'll fish again!
From: Brant Williams <[EMAIL PROTECTED]>
Date: May 9, 2007 5:05:12 PM EDT
To: yellowdog-newbie@lists.terrasoftsolutions.com
Subject: multipart
Hello everyone! I have Yellowdog 5 on my Mac mini, and I just
wanted to borrow your expertise f
I've run into this same issue a couple of times. Since I didn't want to
spend too much time fixing it, I just use the vanilla sources from
kernel.org and patch them against grsecurity. Each release of grsec is
dependent on specific kernels, though, so you'd want to check
www.grsecurity.net f
Hello everyone! I have Yellowdog 5 on my Mac mini, and I just wanted
to borrow your expertise for a bit to answer a few questions.
1) Java. I have Xubuntu running on my iMac G3. By following
the instructions posted here: https://help.ubuntu.com/community/Java
I have Java, and it run
That is correct. You could also use RSBAC and/or the GrSecurity RBAC
system.
Public GPG/PGP key for Brant Williams: 0x88E1AA9E.
Available at your friendly local public keyserver.
On Thu, 19 Apr 2007, [EMAIL PROTECTED] wrote:
> Hello,
>
> grsecurity kernel configs (like expand
date" messages that you get? Also, what does
`emerge --info` show you?
Public GPG/PGP key for Brant Williams: 0x88E1AA9E.
Available at your friendly local public keyserver.
On Thu, 9 Nov 2006, Derrick Hendricks wrote:
> I'm running a firewall for our work network using hardened
you can find a decent example one at:
http://forums.grsecurity.net/viewtopic.php?p=&;
Documentation can be found at:
http://hardened.gentoo.org
http://www.grsecurity.net/papers.php
Hope that helps; sorry I don't have an actual policy to show ATM...
- -Brant
Public GPG/PGP key fo
I'd be willing to take a first stab at a howto in about one week. I'm in
the middle of giving and grading exams right now. Anyone else
interested?
Yes.
I'm currently learning the RBAC system myself, and have already spent a
lot of time researching the (scattered) documentation. As not ever
In my experience, most doctors know little to nothing about computers, let
alone developing a hardened Linux distribution... ;)
try #gentoo or #gentoo-hardened on irc.freenode.net
- -Brant
On Sat, 6 May 2006, Jan V wrote:
mostly physicians a
I have the same problem with an iMac G3 600 MHz. Will not install
yaboot.
On Tue, 2006-04-18 at 17:11 -0400, Don Nuckols wrote:
> I have tried twice to install YDL, and each time it goes through the
> whole procedure, then at the end it puts up a small progress window
> entitled:
>
> Perform
Correct me if I'm wrong, but doesn't the "hardened" USE flag require the
"hardened" profile? AFAIK, that profile doesn't exist for SPARC.
-Brant
public GPG/PGP key:
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEBA14420
On Tue, 14 Mar 2006, Paul Heinlein wrote:
On Tue, 14 Mar 2006,
greetings earthling
check /etc/inittab for TTYs...might want to comment them out if
it's a headless box
some dude named jose isaias cabrera said:
>
> Greetings!
>
> I just installed Gentoo kernel 2.4.27 on a sparc64 and I am
> getting this
> message:
>
> INIT: Id "c0" respawning too fast: disable