{"id":1046,"date":"2011-06-04T00:00:51","date_gmt":"2011-06-03T18:30:51","guid":{"rendered":"http:\/\/judepereira.com\/blog\/?p=1046"},"modified":"2012-01-14T07:13:35","modified_gmt":"2012-01-14T01:43:35","slug":"playing-with-grsecurity-a-brief-tutorial","status":"publish","type":"post","link":"https:\/\/judepereira.com\/blog\/playing-with-grsecurity-a-brief-tutorial\/","title":{"rendered":"playing with grsecurity | a brief tutorial"},"content":{"rendered":"<p>This <em>howto<\/em> is intended for those looking for better means to secure the Linux kernel, and the userland by the means of a powerful and simple role based access control policy.<\/p>\n<h2>Contents<\/h2>\n<ol>\n<li><a href=\"#whatis\">What is grsecurity?<\/a><\/li>\n<li><a href=\"#setup\">Setting up grsecurity + gentoo in a VM<\/a><\/li>\n<li><a href=\"#grsec\">The real thing: Grsecurity<\/a>\n<ol type=\"i\">\n<li><a href=\"#gradm\">Getting familiar with gradm<\/a><\/li>\n<li><a href=\"#policy\">Generating the policy<\/a><\/li>\n<li><a href=\"#fixme\">Fixing the errors<\/a><\/li>\n<li><a href=\"#rso\">Roles, subjects and objects<\/a><\/li>\n<li><a href=\"#include\">The include directive<\/a><\/li>\n<li><a href=\"#bestp\">Best Practices for \/etc\/grsec\/policy<\/a><\/li>\n<\/ol>\n<\/li>\n<li><a href=\"#rsyslog\">Filtering grsecurity logs with rsyslog<\/a><\/li>\n<\/ol>\n<h2><a id=\"whatis\">What is grsecurity?<\/a><\/h2>\n<p>grsecurity is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. It is a set of patches for the Linux kernel with an emphasis on enhancing security. Its typical application is in web servers and systems that accept remote connections from untrusted locations, such as systems offering shell access to its users.<\/p>\n<p>Extensive information about grsecurity can be found from the following links:<\/p>\n<ul>\n<li><a href=\"http:\/\/grsecurity.net\">grsecurity home<\/a><\/li>\n<li><a href=\"http:\/\/en.wikibooks.org\/wiki\/Grsecurity\">grsecurity wiki<\/a><\/li>\n<\/ul>\n<p>This tutorial <em><strong>briefly<\/strong><\/em> gives you an introduction on using grsecurity. The grsecurity wikibook is written by the creator(Bradley Spengler) of the subject in discussion.<\/p>\n<h2><a id=\"setup\">Setting up grsecurity + gentoo in a VM<\/a><\/h2>\n<p>To test grsecurity&#8217;s features, we&#8217;ll setup gentoo hardened in a virtual machine using QEMU. Let&#8217;s get QEMU installed.<\/p>\n<ul>\n<li>Redhat: yum install qemu qemu-img<\/li>\n<li>Debian: aptitude install kvm<\/li>\n<li>Gentoo: emerge -av qemu-kvm with the following use flags: aio hardened jpeg ncurses png qemu_softmmu_targets_arm qemu_softmmu_targets_i386 qemu_softmmu_targets_x86_64 qemu_user_targets_x86_64 ssl<\/li>\n<\/ul>\n<p>Create a raw image and set it up:<\/p>\n<pre># qemu-img create -f raw grsec.gentoo.img 2G\r\n# fdisk grsec.gentoo.img\r\nDevice contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel\r\nBuilding a new DOS disklabel with disk identifier 0xe2c8c9c9.\r\nChanges will remain in memory only, until you decide to write them.\r\nAfter that, of course, the previous content won't be recoverable.\r\n\r\nWarning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)\r\n\r\nCommand (m for help): n\r\nCommand action\r\n   e   extended\r\n   p   primary partition (1-4)\r\np\r\nPartition number (1-4, default 1): 1\r\nFirst sector (2048-4194303, default 2048):\r\nUsing default value 2048\r\nLast sector, +sectors or +size{K,M,G} (2048-4194303, default 4194303):\r\nUsing default value 4194303\r\n\r\nCommand (m for help): a\r\nPartition number (1-4): 1\r\n\r\nCommand (m for help): p\r\n\r\nDisk grsec.gentoo.img: 2147 MB, 2147483648 bytes\r\n255 heads, 63 sectors\/track, 261 cylinders, total 4194304 sectors\r\nUnits = sectors of 1 * 512 = 512 bytes\r\nSector size (logical\/physical): 512 bytes \/ 512 bytes\r\nI\/O size (minimum\/optimal): 512 bytes \/ 512 bytes\r\nDisk identifier: 0xe2c8c9c9\r\n\r\n\t   Device Boot      Start         End      Blocks   Id  System\r\ngrsec.gentoo.img1   *        <strong>2048<\/strong>     4194303     2096128   83  Linux\r\n\r\nCommand (m for help): w\r\nThe partition table has been altered!\r\n\r\nSyncing disks.\r\n# losetup -v -o $((512*<strong>2048<\/strong>)) -f grsec.gentoo.img\r\nLoop device is \/dev\/loop0\r\n# mkfs.ext4 -L \"grsec.gentoo\" \/dev\/loop0\r\n# mkdir grsec.gentoo-rootfs\r\n# mount \/dev\/loop0 grsec.gentoo-rootfs<\/pre>\n<p>Now <a href=\"http:\/\/mirrors.kernel.org\/gentoo\/releases\/amd64\/autobuilds\/current-stage3\/hardened\">download the hardened gentoo stage3<\/a>. Follow the chapters 5 to 10, of the handbook keeping in mind the following set of instructions (<a href=\"http:\/\/www.gentoo.org\/doc\/en\/handbook\/handbook-amd64.xml?full=1\">gentoo x86_64 handbook<\/a>):<\/p>\n<ul>\n<li>Select the profile &#8220;hardened\/linux\/amd64&#8221;<\/li>\n<li>For networking, choose the DHCP method. We&#8217;ll discuss how to create custom rules for ssh.<\/li>\n<li>When doing anything related to GRUB, see below<\/li>\n<li>Install the kernel source: =sys-kernel\/hardened-sources-2.6.38 and =sys-apps\/gradm-2.2.2.201103262019 . If necessary, unmask them.<\/li>\n<li>The extra packages that I installed are dhcp openssh eix pciutils vim gentoolkit rsyslog vixie-cron grub =sys-kernel\/hardened-sources-2.6.38 =sys-apps\/gradm-2.2.2.201103262019<\/li>\n<li>Kernel config for the QEMU envionment is listed as follows.<\/li>\n<\/ul>\n<p>Kernel configuration for the environment(only essentials):<\/p>\n<pre>-&gt; Processor type and features\r\n  -&gt; Processor family\r\n    -&gt; Core 2\/newer Xeon (set this to your host CPU)\r\n\r\n-&gt; Device Drivers\r\n   -&gt; Serial ATA and Parallel ATA drivers\r\n     -&gt; ATA SFF support\r\n       -&gt; ATA BMDMA support\r\n         -&gt; Intel ESB, ICH, PIIX3, PIIX4 PATA\/SATA support\r\n\r\n-&gt; Device Drivers\r\n  -&gt; Network device support\r\n    -&gt; Ethernet (10 or 100Mbit)\r\n      -&gt; RealTek RTL-8129\/8130\/8139 PCI Fast Ethernet Adapter support\r\n\r\n-&gt; File systems\r\n  -&gt; The Extended 4 (ext4) filesystem\r\n    -&gt; Use ext4 for ext2\/ext3 file systems\r\n\r\n-&gt; Security options\r\n  -&gt; Grsecurity\r\n    -&gt; Grsecurity\r\n      -&gt; Security Level\r\n        -&gt; Hardened Gentoo [virtualization]\r\n    -&gt; Filesystem Protections\r\n      -&gt; Restrict \/proc to user only\r\n  -&gt; Restrict unprivileged access to the kernel syslog<\/pre>\n<p>That&#8217;s all that&#8217;s essential, go ahead and drop extra things that just make the kernel fat. Make sure you disable Paravirtualized guest support under Processor type and features in any case. Enabling that causes the system to not boot.<\/p>\n<p>GRUB menu entry:<\/p>\n<pre>title gentoo hardened\r\nroot (hd0,0)\r\nkernel \/boot\/vmlinuz-2.6.38-hardened root=\/dev\/sda1<\/pre>\n<p>Exit the chroot. Unmount the filesystem, and prepare it for booting. DO NOT unmount anything yet.<\/p>\n<pre># losetup -v -f grsec.gentoo.img\r\nLoop device is \/dev\/loop1\r\n# echo \"(hd0) \/dev\/loop1\" &gt; \/tmp\/device.map\r\n# grub --device-map=\/dev\/null<\/pre>\n<pre>    GNU GRUB  version 0.97  (640K lower \/ 9216K upper memory)\r\n\r\n     [ Minimal BASH-like line editing is supported.  For the first word, TAB\r\n       lists possible command completions.  Anywhere else TAB lists the possible\r\n       completions of a device\/filename. ]\r\n\r\ngrub&gt; device (hd0) \/dev\/loop1\r\n\r\ngrub&gt; root (hd0,0)\r\nFilesystem type is ext2fs, partition type 0x83\r\n\r\ngrub&gt; setup --stage2=\/path\/to\/grsec.gentoo-rootfs\/boot\/grub\/stage2\r\n Checking if \"\/boot\/grub\/stage1\" exists... yes\r\n Checking if \"\/boot\/grub\/stage2\" exists... yes\r\n Checking if \"\/boot\/grub\/e2fs_stage1_5\" exists... yes\r\n Running \"embed \/boot\/grub\/e2fs_stage1_5 (hd0)\"...  18 sectors are embedded.\r\n succeeded\r\n Running \"install --stage2=\/path\/to\/grsec.gentoo-rootfs\/boot\/grub\/stage2 \/boot\/grub\/stage1 (hd0)\r\n  (hd0)1+18 p (hd0,0)\/boot\/grub\/stage2 \/boot\/grub\/menu.lst\"... succeeded\r\n Done.\r\n\r\ngrub&gt; quit<\/pre>\n<p>Now startup the virtual machine.<\/p>\n<pre>$ qemu-kvm -cpu qemu64 -smp 2 -m 384M -hda grsec.gentoo.img -curses \\\r\n-net user -net nic,model=rtl8139 -redir tcp:<strong>8022<\/strong>::22<\/pre>\n<p>This should bring up an ncurses based UI to the VM.<\/p>\n<h2><a id=\"grsec\">The real thing: Grsecurity<\/a><\/h2>\n<p>If you&#8217;ve noticed from the kernel configuration, you&#8217;ve set restrict \/proc to user only. Create a user unauth login to it. top will show you only the processes owned by that user. ls \/proc will confirm that. Further dmeg will tell you Operation not permitted. These are just a few basic security enhancements. You can go ahead and set the custom profile in the kernel config and setup the system as you like. For now, we&#8217;ll discuss the RBAC system of grsecurity.<\/p>\n<h2><a id=\"gradm\">Getting familiar with the RBAC system of grsecurity: gradm<\/a><\/h2>\n<p>gradm is a tool to enable, disable, and control the RBAC system of grsecurity. It is a very powerful tool. Let&#8217;s start from the beginning, setting passwords, and enabling the full learning process.<br \/>\nUse gradm -P to set the master password. This is used to disable and reload the RBAC mechanism. gradm -P  to set the password of any user role defined in the policy file.<\/p>\n<pre># gradm -P\r\nSetting up grsecurity RBAC password\r\nPassword:\r\nRe-enter Password:\r\nPassword written to \/etc\/grsec\/pw.\r\n# gradm -P admin\r\nSetting up password for role admin\r\nPassword:\r\nRe-enter Password:\r\nPassword written to \/etc\/grsec\/pw.\r\n# gradm -P shutdown\r\nSetting up password for role shutdown\r\nPassword:\r\nRe-enter Password:\r\nPassword written to \/etc\/grsec\/pw.<\/pre>\n<h2>Full system learning:<\/h2>\n<p>grsecurity has a feature called learning. In the beginning you can enable the full learning process, where grlearn will log all your actions. Any actions that you do not want other users access to, must be done by logging into the RBAC system. To enable full system learning, we do the following, create a new file \/etc\/local.d\/gradm.start with the following contents:<\/p>\n<pre>\/sbin\/gradm -FL \/grlearn.log<\/pre>\n<p>Make sure you make the file executable, by chmod +x \/etc\/local.d\/gradm.start<br \/>\nOn your next boot, it will automatically start. Add the service sshd and rsyslog to start by default and reboot:<\/p>\n<pre># rc-update add sshd default\r\n# rc-upadte add rsyslog boot\r\n# reboot<\/pre>\n<p>Now you can ssh into the machine, by:<\/p>\n<pre>$ ssh root@localhost -p <strong>8022<\/strong><\/pre>\n<p>Do something, and then check the logs, ssh into the VM from another terminal and <em>tail -f \/grlearn.log<\/em><br \/>\nYou&#8217;ll see many entries when you so some specific resource actions. Example, uptime, wget. Lots of entries are generated. System packages need only to be installed under the role of admin. So login to role admin, and install a package. Restarting the sshd service is a good idea too.<\/p>\n<pre># gradm -a admin\r\nPassword:\r\n# emerge -avuDN vim<\/pre>\n<p>Notice that nothing is logged in the grlearn.log file. To logout of that role, simply do a gradm -u<\/p>\n<h2><a id=\"policy\">Generating the policy<\/a><\/h2>\n<p>Once the full learning process is done, or rather you&#8217;ve done everything that you don&#8217;t want access to in the user role admin, its time to generate the policy. For desktop users, you may want to run the full learning process for a day or two. First disable it, then generate the policy and append it to the default policy.<\/p>\n<pre># gradm -FL \/grlearn.log -O \/etc\/grsec\/flearn.policy\r\nBeginning full learning 1st pass...done.\r\nBeginning full learning role reduction...done.\r\nBeginning full learning 2nd pass...done.\r\nBeginning full learning subject reduction for user sshd...done.\r\nBeginning full learning subject reduction for user root...done.\r\nBeginning full learning object reduction for subject \/...done.\r\nBeginning full learning object reduction for subject \/etc\/init.d...done.\r\nBeginning full learning object reduction for subject \/sbin\/rc...done.\r\nBeginning full learning object reduction for subject \/usr\/bin\/wget...done.\r\nBeginning full learning object reduction for subject \/usr\/sbin\/sshd...done.\r\nFull learning complete.\r\n# cat \/etc\/grsec\/flearn.policy &gt;&gt; \/etc\/grsec\/policy<\/pre>\n<h2><a id=\"fixme\">Fixing the errors:<\/a><\/h2>\n<p>If you simply do gradm -E, it wouldn&#8217;t work. Let&#8217;s look at the errors and fix them<\/p>\n<pre># gradm -E\r\nDuplicate object found for \"\/lib64\" in role shutdown, subject \/, on line 257 of \/etc\/grsec\/policy.\r\n\"\/lib64\" references the same object as the following object(s):\r\n\/lib (due to symlinking\/hardlinking)\r\n\/lib64 (due to symlinking\/hardlinking)\r\nspecified on an earlier line.  The RBAC system will not load until this error is fixed.<\/pre>\n<p>Open the policy file with your favorite editor, and go to that line. Then comment that line out, as its already protected because it&#8217;s a symlink to somewhere else. Check the policy file for errors again, do gradm -C. Another error, great! Yes, just comment out all those lines, they&#8217;re the same reference. Then at last you&#8217;ll come to the good error:<\/p>\n<pre># gradm -C\r\nDuplicate role admin on line 463 of \/etc\/grsec\/policy.\r\nThe RBAC system will not be allowed to be enabled until this error is fixed.<\/pre>\n<p>This duplicate is because the default policy which is put in place by installing gradm, contains an admin role already. So go to those lines and comment them.<\/p>\n<pre>#role admin sA\r\n#subject \/ rvka\r\n#       \/ rwcdmlxi<\/pre>\n<p>If you see an error like the following, then you have to add the variable $grsec_denied to that particular role.<\/p>\n<pre># gradm -C\r\nViewing access is allowed by role root to \/proc\/kcore [...]\r\n\r\nReading access is allowed by role root to \/proc\/slabinfo [...]\r\n\r\nReading access is allowed by role root to \/proc\/modules [...]\r\n\r\nReading access is allowed by role root to \/proc\/kallsyms [...]\r\n\r\nThere were 4 holes found in your RBAC configuration.  These must be fixed before the RBAC system will b\r\ne allowed to be enabled.<\/pre>\n<p>I&#8217;ll explain roles, subjects, objects and modes later further down in this tutorial. For now, search for the string &#8220;role root&#8221; in the policy file, and follow downwards from there, untill you come to -CAP_ALL, add $grsec_denied just before that.<br \/>\nNow the grsecurity RBAC system is ready to be loaded, once gradm -C reports no errors with the policy file. Enable it then, and see if it&#8217;s working<\/p>\n<pre># gradm -E<\/pre>\n<p>Now in the syslog you should see this:<br \/>\n<em>2011-05-21T05:11:15.536086+00:00 localhost kernel: [ 3070.796712] grsec: From 10.0.2.2: (root:U:\/sbin\/gradm) grsecurity 2.2.2 RBAC system loaded by \/sbin\/gradm[gradm:1767] uid\/euid:0\/0 gid\/egid:0\/0, parent \/bin\/bash[bash:1542] uid\/euid:0\/0 gid\/egid:0\/0<\/em><\/p>\n<pre># ls \/etc\/grsec\r\nls: cannot access \/etc\/grsec: No such file or directory<\/pre>\n<p>Viola! The RBAC system is running flawlessly!<br \/>\nNow if you ssh into the system, it will fail. Take a look at the logs(\/var\/log\/messages):<\/p>\n<p><em>2011-05-24T03:15:08.836286+00:00 localhost kernel: [ 2011.183591] grsec: From 10.0.2.2: (<strong>root:U:\/<\/strong>) denied open of \/proc\/1677\/oom_score_adj for writing by \/usr\/sbin\/sshd[sshd:1677] uid\/euid:0\/0 gid\/egid:0\/0, parent \/usr\/sbin\/sshd[sshd:1527] uid\/euid:0\/0 gid\/egid:0\/0<br \/>\n2011-05-24T03:15:08.836320+00:00 localhost kernel: [ 2011.183822] grsec: From 10.0.2.2: (<strong>root:U:\/<\/strong>) denied access to hidden file \/usr\/sbin\/sshd by \/usr\/sbin\/sshd[sshd:1677] uid\/euid:0\/0 gid\/egid:0\/0, parent \/usr\/sbin\/sshd[sshd:1527] uid\/euid:0\/0 gid\/egid:0\/0<br \/>\n2011-05-24T03:15:08.837263+00:00 localhost kernel: [ 2011.184485] grsec: From 10.0.2.2: (<strong>root:U:\/<\/strong>) denied connect() to the unix domain socket \/dev\/log by \/usr\/sbin\/sshd[sshd:1677] uid\/euid:0\/0 gid\/egid:0\/0, parent \/usr\/sbin\/sshd[sshd:1527] uid\/euid:0\/0 gid\/egid:0\/0<br \/>\n2011-05-24T03:15:08.857339+00:00 localhost kernel: [ 2011.204857] grsec: From 10.0.2.2: (<strong>root:U:\/<\/strong>) denied connect() to the unix domain socket \/dev\/log by \/usr\/sbin\/sshd[sshd:1677] uid\/euid:0\/0 gid\/egid:0\/0, parent \/usr\/sbin\/sshd[sshd:1527] uid\/euid:0\/0 gid\/egid:0\/0<br \/>\n2011-05-24T03:15:08.860352+00:00 localhost kernel: [ 2011.207771] grsec: From 10.0.2.2: (<strong>root:U:\/<\/strong>) use of CAP_SYS_CHROOT denied for \/usr\/sbin\/sshd[sshd:1678] uid\/euid:0\/0 gid\/egid:0\/0, parent \/usr\/sbin\/sshd[sshd:1677] uid\/euid:0\/0 gid\/egid:0\/0<\/em><\/p>\n<p>The text in <strong>bold<\/strong> indicates that that particular user is denying access to that particular resource. Login to the admin role(gradm -a admin), and search for the string &#8220;role root&#8221;, then &#8220;subject \/usr\/sbin\/sshd&#8221;. Add the following entries in the right places(stick to the alphabetical order, its easier to read):<\/p>\n<pre>        \/proc\/*\/oom_score_adj      rw\r\n        \/usr\/sbin\/sshd                  rx\r\n        \/var\/empty                      r<\/pre>\n<p>Reload the RBAC system, you should be able to ssh now. There are still a few errors in the logs. You can simply add the two following lines to fix them.<\/p>\n<pre>        \/var\/log\/tallylog           rw\r\n        \/proc\/*\/loginuid           rw<\/pre>\n<p>This should fix everything that ssh needs access to.<\/p>\n<h2><a id=\"rso\">Roles, subjects and objects<\/a><\/h2>\n<p>The structure takes the following pattern:<\/p>\n<pre>role &lt;user&gt; u\r\n&lt;user attributes&gt;\r\n\r\nsubject &lt;app\/binary&gt; o\r\n    &lt;object&gt;                &lt;mode&gt;\r\n\r\nsubject &lt;app\/binary&gt; &lt;mode(s)&gt;\r\n    &lt;object&gt;                &lt;mode&gt;<\/pre>\n<p>The letter &#8216;u&#8217; follows the username mentioned to indicate that it is a user. &#8216;g&#8217; can be used for groups. Attributes include transitions, ip_allow, etc. A complete detail of this is found on the grsecurity wikibook.<\/p>\n<p>Subjects have members called objects to define what access does the subject in question have. There are various modes here too. The &#8216;o&#8217; in the first subject is to make sure inheritance is not followed from the default policy or user policy.<\/p>\n<h2><a id=\"include\">The include directive<\/a><\/h2>\n<p>Once your familiar with the policy file, reinstall the default one, and use the include directive in the main policy file to include a certain directory containing policies for different users\/subjects etc.<\/p>\n<p>A reasonable structure would be to have:<\/p>\n<pre>\/etc\/grsec\r\n\/etc\/grsec\/policy.d\r\n\/etc\/grsec\/policy.d\/user1\r\n\/etc\/grsec\/policy.d\/user1\/logs\r\n\/etc\/grsec\/policy.d\/user1\/policy<\/pre>\n<p>To learn the actions of a new user, you can have the following in the main policy file(at the end of it):<\/p>\n<pre>role jude ul<\/pre>\n<p>Then start the learn process with <strong><em>gradm -L \/etc\/grsec\/policy.d\/jude\/learning.logs -E<\/em><\/strong>. Generate the policy from the logs, and place the policy as basic.policy in the policy directory. Once your done with that, delete the line you&#8217;ve added for the learn and replace it with:<\/p>\n<pre>include &lt;\/etc\/grsec\/policy.d\/user1\/policy&gt;<\/pre>\n<p>&nbsp;<\/p>\n<h2><a id=\"bestp\">Best Practices for \/etc\/grsec\/policy<\/a><\/h2>\n<ul>\n<li>Make the policy as restrictive as possible, there are many features that haven&#8217;t been touched in this tutorial, read the grsecurity wikibook for a complete hands on grsecurity.<\/li>\n<li>Keep things simple, keep to the alphabetic order.<\/li>\n<li>Create a policy and directory structure the way your comfortable with.<\/li>\n<li>In the beginning of the policy file, there are lot of details about the present RBAC system, read them.<\/li>\n<\/ul>\n<h2><a id=\"rsyslog\">Filtering grsecurity logs with rsyslog<\/a><\/h2>\n<p>If your using rsyslog, you may want to filter out the grsecurity messages. Append the following lines to \/etc\/rsyslog.conf, and restart rsyslog<\/p>\n<pre># grsec logs\r\n:msg, contains, \"grsec\" \/var\/log\/grsecurity.log\r\n:msg, contains, \"grsec\" ~<\/pre>\n<p><small>If you encounter any problems whilst following this tutorial, feel free to comment<\/small><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This howto is intended for those looking for better means to secure the Linux kernel, and the userland by the means of a powerful and simple role based access control policy. Contents What is grsecurity? Setting up grsecurity + gentoo in a VM The real thing: Grsecurity Getting familiar with gradm Generating the policy Fixing [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[10],"tags":[256,103,554,254,228,246,249,245,247,253,243,7,275,235,283,166,248,255,274,252,284,250,276,244,251,257],"class_list":["post-1046","post","type-post","status-publish","format-standard","hentry","category-linux","tag-beginner","tag-gentoo","tag-linux","tag-gradm","tag-grsecurity","tag-grsecurity-quick","tag-grsecurity-net","tag-guide","tag-howto","tag-kernel","tag-kvm","tag-new","tag-old","tag-paxctl","tag-policy","tag-qemu","tag-quick-start","tag-rbac","tag-rsyslog","tag-security","tag-startup","tag-testing-grsecurity","tag-traditional","tag-tutorial","tag-user-reviews","tag-working-with-grsecurity"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pqtyx-gS","jetpack-related-posts":[{"id":289,"url":"https:\/\/judepereira.com\/blog\/sabayon-four-oh\/","url_meta":{"origin":1046,"position":0},"title":"Sabayon fOuR oH","author":"Jude Pereira","date":"June 16, 2009","format":false,"excerpt":"Based on Gentoo, Sabayon 4.1, tells me: Great performance with less RAM(though you need like 1GB RAM for it to work well enough). Package Management System is absolutely fantastic, with it's new \"Entropy\". Totally the perfect distribution. A fine distribution for the newbie or the expert. This is what a\u2026","rel":"","context":"In &quot;gnu linux&quot;","block_context":{"text":"gnu linux","link":"https:\/\/judepereira.com\/blog\/category\/linux\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":903,"url":"https:\/\/judepereira.com\/blog\/usrlocalbinwaitpid\/","url_meta":{"origin":1046,"position":1},"title":"\/usr\/local\/bin\/waitpid","author":"Jude Pereira","date":"April 26, 2011","format":false,"excerpt":"A quick script to wait for a certain pid, then once that quits, execute a command. You may ask, why not just do command1 && command2 ? Well, if command1 exits with a non-zero exit status value, command2 will not get executed. Hence, I've brewed a quick script for this\u2026","rel":"","context":"In &quot;another snippet | code&quot;","block_context":{"text":"another snippet | code","link":"https:\/\/judepereira.com\/blog\/category\/code\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":64,"url":"https:\/\/judepereira.com\/blog\/faunos-shadow\/","url_meta":{"origin":1046,"position":2},"title":"FaunOS Shadow","author":"Jude Pereira","date":"January 20, 2009","format":false,"excerpt":"It's a distribution based totally on Arch Linux... specialized for USB Portable installs and can also be used as primary OS has over 600 packages pre-installed (I know... it reminds you of Fedora and me too!). So that's to say that it comes with definitely all the packages you would\u2026","rel":"","context":"In &quot;gnu linux&quot;","block_context":{"text":"gnu linux","link":"https:\/\/judepereira.com\/blog\/category\/linux\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":694,"url":"https:\/\/judepereira.com\/blog\/visual-basic-6-revisited-linux-wine\/","url_meta":{"origin":1046,"position":3},"title":"visual basic 6 revisited &#8211; linux &#8211; wine","author":"Jude Pereira","date":"August 5, 2010","format":false,"excerpt":"Earlier this year, I had written an article on running Visual Basic 6 on linux under wine, this is an update for it, the prior one is deprecated Getting Visual Basic 6 to work on linux is pretty easy, not much trouble, all the basic things work, as of what\u2026","rel":"","context":"In &quot;another snippet | code&quot;","block_context":{"text":"another snippet | code","link":"https:\/\/judepereira.com\/blog\/category\/code\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":893,"url":"https:\/\/judepereira.com\/blog\/coloured-varlogmessages-at-tty12\/","url_meta":{"origin":1046,"position":4},"title":"Coloured \/var\/log\/messages at tty12","author":"Jude Pereira","date":"April 26, 2011","format":false,"excerpt":"Reading logs could never become any more easier, at just a keystroke, you have your logs displayed where you want, in some fancy colour. They look great too. TTY's can be accessed by pressing Alt + Ctrl + F[1 - 12] simultaneously. In the following, you'll get a decent, colourized\u2026","rel":"","context":"In &quot;another snippet | code&quot;","block_context":{"text":"another snippet | code","link":"https:\/\/judepereira.com\/blog\/category\/code\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2126,"url":"https:\/\/judepereira.com\/blog\/upgrading-to-debian-bookworm-on-qnap-ts-112-also-ts-11x-ts-12x\/","url_meta":{"origin":1046,"position":5},"title":"Upgrading to Debian Bookworm on QNAP TS-112 (also TS-11x\/TS-12x)","author":"Jude Pereira","date":"October 16, 2024","format":false,"excerpt":"I decided to host Minio on a QNAP TS-112 device, bought from a second hand store. Here's a tale of me ditching the QNAP OS in favour of Debian Bookworm.","rel":"","context":"In &quot;gnu linux&quot;","block_context":{"text":"gnu linux","link":"https:\/\/judepereira.com\/blog\/category\/linux\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/posts\/1046","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/comments?post=1046"}],"version-history":[{"count":46,"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/posts\/1046\/revisions"}],"predecessor-version":[{"id":1229,"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/posts\/1046\/revisions\/1229"}],"wp:attachment":[{"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/media?parent=1046"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/categories?post=1046"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/judepereira.com\/blog\/wp-json\/wp\/v2\/tags?post=1046"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}