diff --git a/README.md b/README.md index 8a2f938..96dd8ce 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,7 @@ Ubuntu kernel with grsecurity ============================= -This guide outlines the steps required to compile a kernel for [Ubuntu -Server 12.04 LTS (Precise Pangolin)](http://releases.ubuntu.com/12.04/) -with [Grsecurity](https://grsecurity.net/), specifically for use with -[SecureDrop](https://pressfreedomfoundation.org/securedrop). At the end +This guide outlines the steps required to compile a kernel for [Ubuntu Server 14.04 (Trusty Tahr)](http://releases.ubuntu.com/14.04/) with [Grsecurity](https://grsecurity.net/), specifically for use with [SecureDrop](https://pressfreedomfoundation.org/securedrop). At the end of this guide, you will have two Debian packages that you transfer to the *App* and *Monitor* servers. @@ -20,6 +17,8 @@ kernel * An online server running 12.04 or 14.04 that you use to download package dependencies +Since SecureDrop is only supported on 64-bit platforms, make sure you download a 64-bit version of Ubuntu to build the kernel. The `.iso` filename will have an `-amd64` suffix. + The idea is that you will use the online server to download package dependencies, put the files on a USB stick and transfer them to the offline server, then use the offline server to verify digital signatures @@ -60,9 +59,18 @@ mkdir grsec cd grsec/ wget https://grsecurity.net/spender-gpg-key.asc gpg --import spender-gpg-key.asc -gpg --recv-key 6092693E +gpg --keyserver pool.sks-keyservers.net --recv-key 647F28654894E3BD457199BE38DBBDC86092693E +``` + +Verify that the keys you have received are authentic by checking the fingerprint for each one: + +``` +gpg --with-fingerprint spender-gpg-key.asc +gpg --fingerprint 647F28654894E3BD457199BE38DBBDC86092693E ``` +Bradley Spengler should have a fingerprint of "DE94 52CE 46F4 2094 907F 108B 44D1 C0F8 2525 FE49" and Greg Kroah-Hartman should have a fingerprint of "647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E". If either of the fingerprints do not match what you see here, please get in touch at securedrop@freedom.press. + At this point, you should disconnect this server from the Internet and treat it as an offline (air-gapped) server. @@ -221,16 +229,6 @@ sudo paxctl -Cpm /usr/bin/grub-script-check sudo paxctl -Cpm /usr/bin/grub-mount ``` -### Ensure the web server can start on the App server - -The following commands ensure the web server can start and should -**only** be run on the App server. - -``` -sudo paxctl -cm /var/chroot/source/usr/sbin/apache2 -sudo paxctl -cm /var/chroot/document/usr/sbin/apache2 -``` - ### Install new kernel on both App and Monitor servers Install the new kernel with Grsecurity on both servers. @@ -240,35 +238,26 @@ sudo dpkg -i *.deb sudo update-grub ``` -### Disable conflicting jail restrictions on the App server - -The following commands disable conflicting jail restrictions and should -**only** be run on the App server. - -``` -sudo echo "kernel.grsecurity.chroot.caps = 0" >> /etc/sysctl.conf -sudo echo "kernel.grsecurity.chroot.deny.unix = 0" >> /etc/sysctl.conf -sudo sysctl -p /etc/sysctl.conf -``` - ### Configure App and Monitor servers to use new kernel by default Set the new kernel to be the default on both servers. Start by finding -the exact menuentry name for the kernel. +the exact menuentry name for the new kernel. ``` -grep menuentry /boot/grub/grub +grep menuentry /boot/grub/grub.cfg | cut -d "'" -f2 | grep "grsec$" ``` Copy the output and use it in the *sed* command below to set this kernel as the default. ``` -sudo sed -i "s/^GRUB_DEFAULT=.*$/GRUB_DEFAULT=2>Ubuntu, with Linux 3.2.61-grsec/" /etc/default/grub +sudo sed -i "s/^GRUB_DEFAULT=.*$/GRUB_DEFAULT=\"2>Ubuntu, with Linux 3.2.61-grsec\"/" /etc/default/grub sudo update-grub sudo reboot ``` +After reboot, verify the you booted the new kernel by running `uname -a`. Confirm that the `-grsec` kernel is the one shown. If it is not, double-check the value you set for `GRUB_DEFAULT` in the previous sed command. + ### Test SecureDrop functionality Before you move on to the final step, ensure that SecureDrop is working @@ -281,5 +270,8 @@ Once you have confirmed that everything works, configure the Grsecurity lock in *sysctl.conf*. ``` -sudo echo "kernel.grsecurity.grsec_lock = 1" >> /etc/sysctl.conf +sudo su - +echo "kernel.grsecurity.grsec_lock = 1" >> /etc/sysctl.conf +exit +sudo sysctl -p /etc/sysctl.conf ```