From 328dba9e9a22eae7cd1acd8b1fa9240474b7c20d Mon Sep 17 00:00:00 2001 From: "Runa A. Sandvik" Date: Thu, 31 Jul 2014 18:39:12 -0400 Subject: [PATCH 01/14] Fix path --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8a2f938..6aac4e9 100644 --- a/README.md +++ b/README.md @@ -257,7 +257,7 @@ Set the new kernel to be the default on both servers. Start by finding the exact menuentry name for the kernel. ``` -grep menuentry /boot/grub/grub +grep menuentry /boot/grub/grub.cfg ``` Copy the output and use it in the *sed* command below to set this kernel From 9be0e394e9f3c329381d4c1403b66156188eb37f Mon Sep 17 00:00:00 2001 From: "Runa A. Sandvik" Date: Tue, 26 Aug 2014 13:35:25 -0400 Subject: [PATCH 02/14] Stop apache2 on the app server before running paxctl commands --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 6aac4e9..5f3c338 100644 --- a/README.md +++ b/README.md @@ -227,8 +227,10 @@ The following commands ensure the web server can start and should **only** be run on the App server. ``` +sudo schroot -a -u root --directory / service apache2 stop sudo paxctl -cm /var/chroot/source/usr/sbin/apache2 sudo paxctl -cm /var/chroot/document/usr/sbin/apache2 +sudo schroot -a -u root --directory / service apache2 start ``` ### Install new kernel on both App and Monitor servers From c055709e1d8e13c2bea8ca6970f84b9cd4e9ef0c Mon Sep 17 00:00:00 2001 From: "Runa A. Sandvik" Date: Tue, 26 Aug 2014 13:41:27 -0400 Subject: [PATCH 03/14] Disable conflicting jail restrictions as the root user --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 5f3c338..20952b6 100644 --- a/README.md +++ b/README.md @@ -248,9 +248,10 @@ The following commands disable conflicting jail restrictions and should **only** be run on the App server. ``` -sudo echo "kernel.grsecurity.chroot.caps = 0" >> /etc/sysctl.conf -sudo echo "kernel.grsecurity.chroot.deny.unix = 0" >> /etc/sysctl.conf -sudo sysctl -p /etc/sysctl.conf +sudo su - +echo "kernel.grsecurity.chroot.caps = 0" >> /etc/sysctl.conf +echo "kernel.grsecurity.chroot.deny.unix = 0" >> /etc/sysctl.conf +sysctl -p /etc/sysctl.conf ``` ### Configure App and Monitor servers to use new kernel by default From 55022a7af2492b45bc14b9f9f7e981ba3b493010 Mon Sep 17 00:00:00 2001 From: "Runa A. Sandvik" Date: Tue, 26 Aug 2014 13:46:52 -0400 Subject: [PATCH 04/14] Change sed command for grub entry --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 20952b6..c0a3010 100644 --- a/README.md +++ b/README.md @@ -267,7 +267,7 @@ Copy the output and use it in the *sed* command below to set this kernel as the default. ``` -sudo sed -i "s/^GRUB_DEFAULT=.*$/GRUB_DEFAULT=2>Ubuntu, with Linux 3.2.61-grsec/" /etc/default/grub +sudo sed -i "s/^GRUB_DEFAULT=.*$/GRUB_DEFAULT=2 # Ubuntu with Linux 3.2.61-grsec/" /etc/default/grub sudo update-grub sudo reboot ``` From f5a0f0a1a446b5bf75f489757ca499fbaa64faf8 Mon Sep 17 00:00:00 2001 From: "Runa A. Sandvik" Date: Tue, 26 Aug 2014 14:02:59 -0400 Subject: [PATCH 05/14] Update sed command to correctly include quotes --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c0a3010..dd4ebbe 100644 --- a/README.md +++ b/README.md @@ -267,7 +267,7 @@ Copy the output and use it in the *sed* command below to set this kernel as the default. ``` -sudo sed -i "s/^GRUB_DEFAULT=.*$/GRUB_DEFAULT=2 # Ubuntu with Linux 3.2.61-grsec/" /etc/default/grub +sudo sed -i "s/^GRUB_DEFAULT=.*$/GRUB_DEFAULT=\"2>Ubuntu, with Linux 3.2.61-grsec\"/" /etc/default/grub sudo update-grub sudo reboot ``` From 2540821928f5baa67855be0f7dc631d1e767aa2a Mon Sep 17 00:00:00 2001 From: "Runa A. Sandvik" Date: Tue, 26 Aug 2014 14:06:13 -0400 Subject: [PATCH 06/14] Configure Grsecurity lock as the root user --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index dd4ebbe..3988794 100644 --- a/README.md +++ b/README.md @@ -284,5 +284,8 @@ Once you have confirmed that everything works, configure the Grsecurity lock in *sysctl.conf*. ``` -sudo echo "kernel.grsecurity.grsec_lock = 1" >> /etc/sysctl.conf +sudo su - +echo "kernel.grsecurity.grsec_lock = 1" >> /etc/sysctl.conf +exit +sudo sysctl -p /etc/sysctl.conf ``` From 21c0bf4a5094530a4dae05f22afc0363a6c0f507 Mon Sep 17 00:00:00 2001 From: William Budington Date: Wed, 10 Sep 2014 21:14:47 -0700 Subject: [PATCH 07/14] Full fingerprint for --recv-key --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3988794..5904db3 100644 --- a/README.md +++ b/README.md @@ -60,7 +60,7 @@ mkdir grsec cd grsec/ wget https://grsecurity.net/spender-gpg-key.asc gpg --import spender-gpg-key.asc -gpg --recv-key 6092693E +gpg --keyserver pool.sks-keyservers.net --recv-key 647F28654894E3BD457199BE38DBBDC86092693E ``` At this point, you should disconnect this server from the Internet and From 4417cf5e4ed5b714560a096c3f034c618f4f7c8f Mon Sep 17 00:00:00 2001 From: Garrett Robinson Date: Fri, 12 Sep 2014 11:08:56 -0500 Subject: [PATCH 08/14] clarify building for 64-bit Ubuntu --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 5904db3..df4a591 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,8 @@ kernel * An online server running 12.04 or 14.04 that you use to download package dependencies +Since SecureDrop is only supported on 64-bit platforms, make sure you download a 64-bit version of Ubuntu to build the kernel. The `.iso` filename will have an `-amd64` suffix. + The idea is that you will use the online server to download package dependencies, put the files on a USB stick and transfer them to the offline server, then use the offline server to verify digital signatures From 916dab7bde7bc060d21c461d6bbd5b2e507efb9b Mon Sep 17 00:00:00 2001 From: Garrett Robinson Date: Wed, 17 Sep 2014 11:55:28 -0700 Subject: [PATCH 09/14] fix incorrect grsecurity kernel flags --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 5904db3..d8bd7ba 100644 --- a/README.md +++ b/README.md @@ -249,8 +249,8 @@ The following commands disable conflicting jail restrictions and should ``` sudo su - -echo "kernel.grsecurity.chroot.caps = 0" >> /etc/sysctl.conf -echo "kernel.grsecurity.chroot.deny.unix = 0" >> /etc/sysctl.conf +echo "kernel.grsecurity.chroot_caps = 0" >> /etc/sysctl.conf +echo "kernel.grsecurity.chroot_deny_unix = 0" >> /etc/sysctl.conf sysctl -p /etc/sysctl.conf ``` From 3366386368c060b2dbe182e68f85520d37571781 Mon Sep 17 00:00:00 2001 From: Garrett Robinson Date: Wed, 17 Sep 2014 12:32:59 -0700 Subject: [PATCH 10/14] Clarify grub instructions and add note to confirm that the new kernel booted by default --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 5904db3..7e2499e 100644 --- a/README.md +++ b/README.md @@ -257,10 +257,10 @@ sysctl -p /etc/sysctl.conf ### Configure App and Monitor servers to use new kernel by default Set the new kernel to be the default on both servers. Start by finding -the exact menuentry name for the kernel. +the exact menuentry name for the new kernel. ``` -grep menuentry /boot/grub/grub.cfg +grep menuentry /boot/grub/grub.cfg | cut -d "'" -f2 | grep "grsec$" ``` Copy the output and use it in the *sed* command below to set this kernel @@ -272,6 +272,8 @@ sudo update-grub sudo reboot ``` +After reboot, verify the you booted the new kernel by running `uname -a`. Confirm the the `-grsec` kernel is the one shown. If it is not, double-check the value you set for `GRUB_DEFAULT` in the previous sed command. + ### Test SecureDrop functionality Before you move on to the final step, ensure that SecureDrop is working From f0a48dde007ca724ea197c21112a12dea1489990 Mon Sep 17 00:00:00 2001 From: "Runa A. Sandvik" Date: Mon, 22 Sep 2014 07:16:28 -0400 Subject: [PATCH 11/14] Remove blurb we no longer need, via @dolanjs in #8 --- README.md | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/README.md b/README.md index 61a5734..9d55168 100644 --- a/README.md +++ b/README.md @@ -223,18 +223,6 @@ sudo paxctl -Cpm /usr/bin/grub-script-check sudo paxctl -Cpm /usr/bin/grub-mount ``` -### Ensure the web server can start on the App server - -The following commands ensure the web server can start and should -**only** be run on the App server. - -``` -sudo schroot -a -u root --directory / service apache2 stop -sudo paxctl -cm /var/chroot/source/usr/sbin/apache2 -sudo paxctl -cm /var/chroot/document/usr/sbin/apache2 -sudo schroot -a -u root --directory / service apache2 start -``` - ### Install new kernel on both App and Monitor servers Install the new kernel with Grsecurity on both servers. From 46de00c402f93f6f60c740c31949cc45e9b383fc Mon Sep 17 00:00:00 2001 From: "Runa A. Sandvik" Date: Thu, 2 Oct 2014 09:11:37 -0400 Subject: [PATCH 12/14] No need to resolve conflicting jail restrictions --- README.md | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/README.md b/README.md index 9d55168..133e4fa 100644 --- a/README.md +++ b/README.md @@ -232,18 +232,6 @@ sudo dpkg -i *.deb sudo update-grub ``` -### Disable conflicting jail restrictions on the App server - -The following commands disable conflicting jail restrictions and should -**only** be run on the App server. - -``` -sudo su - -echo "kernel.grsecurity.chroot_caps = 0" >> /etc/sysctl.conf -echo "kernel.grsecurity.chroot_deny_unix = 0" >> /etc/sysctl.conf -sysctl -p /etc/sysctl.conf -``` - ### Configure App and Monitor servers to use new kernel by default Set the new kernel to be the default on both servers. Start by finding From e066e080bcf743d7d82cbb0fbb01d18e81ac340b Mon Sep 17 00:00:00 2001 From: "Runa A. Sandvik" Date: Tue, 14 Oct 2014 08:38:30 -0400 Subject: [PATCH 13/14] Update Ubuntu version and minor nitpick --- README.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 133e4fa..d1116b5 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,7 @@ Ubuntu kernel with grsecurity ============================= -This guide outlines the steps required to compile a kernel for [Ubuntu -Server 12.04 LTS (Precise Pangolin)](http://releases.ubuntu.com/12.04/) -with [Grsecurity](https://grsecurity.net/), specifically for use with -[SecureDrop](https://pressfreedomfoundation.org/securedrop). At the end +This guide outlines the steps required to compile a kernel for [Ubuntu Server 14.04 (Trusty Tahr)](http://releases.ubuntu.com/14.04/) with [Grsecurity](https://grsecurity.net/), specifically for use with [SecureDrop](https://pressfreedomfoundation.org/securedrop). At the end of this guide, you will have two Debian packages that you transfer to the *App* and *Monitor* servers. @@ -250,7 +247,7 @@ sudo update-grub sudo reboot ``` -After reboot, verify the you booted the new kernel by running `uname -a`. Confirm the the `-grsec` kernel is the one shown. If it is not, double-check the value you set for `GRUB_DEFAULT` in the previous sed command. +After reboot, verify the you booted the new kernel by running `uname -a`. Confirm that the `-grsec` kernel is the one shown. If it is not, double-check the value you set for `GRUB_DEFAULT` in the previous sed command. ### Test SecureDrop functionality From 7150245ede24658181ab35769c7e40440059f66a Mon Sep 17 00:00:00 2001 From: "Runa A. Sandvik" Date: Tue, 14 Oct 2014 09:04:39 -0400 Subject: [PATCH 14/14] Add fingerprint verification step from @eviljoel --- README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/README.md b/README.md index d1116b5..96dd8ce 100644 --- a/README.md +++ b/README.md @@ -62,6 +62,15 @@ gpg --import spender-gpg-key.asc gpg --keyserver pool.sks-keyservers.net --recv-key 647F28654894E3BD457199BE38DBBDC86092693E ``` +Verify that the keys you have received are authentic by checking the fingerprint for each one: + +``` +gpg --with-fingerprint spender-gpg-key.asc +gpg --fingerprint 647F28654894E3BD457199BE38DBBDC86092693E +``` + +Bradley Spengler should have a fingerprint of "DE94 52CE 46F4 2094 907F 108B 44D1 C0F8 2525 FE49" and Greg Kroah-Hartman should have a fingerprint of "647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E". If either of the fingerprints do not match what you see here, please get in touch at securedrop@freedom.press. + At this point, you should disconnect this server from the Internet and treat it as an offline (air-gapped) server.