Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hi, I am new here. This is my first question.
I am using Debian 9 with the MATE desktop. I have enabled AppArmor. I used backports to install a prepatched grsec kernel. Now, with careful work, I disabled mprotect for LibreOffice and Firefox to make them usable. But I need the precise executable files for BleachBit, Debian report bug, and Synaptic package manager to configure them for grsecurity, and the recommended paxctl flag.
I especially want help with the recommended paxctl flags of the most common apps and the paths to execute them. I also want default tight security settings for global defaults, enabling chroot and several features usable for security. Except RBAC, because I am satisfied with AppArmor.
Also I want to ensure a tight kernel configuration like seccomp, namespaces and several kernel executable features (if these are compatible with PaX then I will also use them). But how to configure it, compile and install it, reload it into GRUB and delete the optional kernel?
Oh yes, I also want to block root and run Xorg rootless.
Here is my question. I am quite a newbie. So advance apologies for any committed mistakes.
I haven't used GRSecurity since before the big announcement that Brad and his team were closing off the source. That being said, with all respect, I think your question is too broad:
1. Rootless Xorg would be more of a Debian security team issue if they chose to implement it, and not something you can tweak GRSec settings to bring about, although keeping "disable IOPL/IOPERM" unchecked should keep you in the Xorg money period.
2. Most flag configuration issues for day to day use (at least only in my own experience) are really going to be disabling MPROTECT.
3. What do you mean by "block root"? If you want to forego root login, how well that works out would instead be dependent on your distro. If you want to confine root's abilities like the SELinux sysadm_u user mapping might, that is more of an RBAC thing, sorry.
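
Since the reply above notes that most day-to-day flag work comes down to disabling MPROTECT, the following added example (not part of the thread, and not grsecurity or paxctl code) audits which binaries carry that relaxation by reading the `PT_PAX_FLAGS` ELF program header that `paxctl -m` sets. It assumes header-based marking only, so flags stored in extended attributes are not seen; `sample_elf64` builds a constructed test image and is a hypothetical helper.

```python
import struct
import sys

PT_PAX_FLAGS = 0x65041580                    # program header type edited by paxctl
PF_MPROTECT, PF_NOMPROTECT = 1 << 8, 1 << 9  # paxctl -M / paxctl -m

def pax_flags(data):
    """Return p_flags of the PT_PAX_FLAGS header in an ELF image, or None."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_PAX_FLAGS:
            # p_flags sits at offset 4 in Elf64_Phdr and offset 24 in Elf32_Phdr
            return struct.unpack_from(end + "I", data, off + (4 if is64 else 24))[0]
    return None

def mprotect_state(flags):
    """Classify the MPROTECT marking carried by a PT_PAX_FLAGS value."""
    if flags is None:
        return "no PT_PAX_FLAGS header"
    if flags & PF_NOMPROTECT:
        return "disabled"
    if flags & PF_MPROTECT:
        return "enabled"
    return "kernel default"

def sample_elf64(p_flags):
    """Constructed input: ELF64 header plus a single PT_PAX_FLAGS program header."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, p_flags, 0, 0, 0, 0, 0, 0)

if __name__ == "__main__":
    for path in sys.argv[1:]:                # e.g. the binaries you ran paxctl on
        try:
            with open(path, "rb") as fh:
                state = mprotect_state(pax_flags(fh.read()))
        except (OSError, ValueError, struct.error) as exc:
            state = f"skipped ({exc})"
        print(f"{path}: MPROTECT {state}")
```

Run it against the executables you have relaxed to keep a record of every binary where MPROTECT is off, and re-check after package upgrades, which replace the file and its header.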