[How To] Configuring and installing a Grsecurity kernel

Hey there, I understand there is fairly comprehensive configuration and installation documentation here but I wanted to write something step by step and easy to understand to help spread adoption of grsec for the average Linux user.

This guide is for Debian and Debian based distributions, but most steps can be adapted to others. The main part that will be different is the packages required for compilation, the command used for compiling, then the installation method for the kernel.

What is Grsecurity?

Grsecurity is an extensive security enhancement to the Linux kernel that defends against a wide range of security threats. The PaX project is included, hardening both userspace applications and the kernel against memory corruption-based exploits. Grsecurity includes a powerful Mandatory Access Control system with an effortless automatic learning mode and a host of other miscellaneous hardening features.

Defends against zero-day

Only grsecurity provides protection against zero-day and other advanced threats that buys administrators valuable time while vulnerability fixes make their way out to distributions and production testing. This is made possible by our focus on eliminating entire bug classes and exploit vectors, rather than the status-quo elimination of individual vulnerabilities.

Mitigates shared-host/container weaknesses

In any kind of shared computing environment, whether it be simple UID separation, OpenVZ, LXC, or Linux-VServer, the most common and often easiest method of full system compromise is through kernel exploitation. No other software exists to mitigate this weakness while maintaining usability and performance.

Quote source

How to obtain it

1) Go here to their official downloads page. Decide whether you would like one of the stable kernels or what they are calling the test kernel patch. Either one is good; it depends on which kernel suits your needs best based on features or hardware requirements.

Personally I use the newer test kernel patch, as the 4.x.x kernels have been very, very stable and support my hardware wonderfully.


2) After deciding which kernel patch you'd prefer, right click the link and copy the URL


3) Open a terminal, and then type

    cd ~
    cd Downloads
    wget paste_url_here

This will change your present working directory to Downloads and then download the patch there


Obtaining a vanilla kernel to apply the patch to

4) Go here and download the corresponding kernel for the patch you downloaded. Say this is the name of the patch you downloaded: grsecurity-3.1-**4.1.4**-201508032312.patch. The bolded section of the file name is the kernel version the patch is for.


Decompressing the kernel

5) After the download completes, type

    tar -xf linux-*

This will decompress the tar archive. This assumes you only have the kernel we just downloaded in your Downloads folder, as the command uses a wildcard (the asterisk *), which means anything


6) After the decompression finishes, type

    cd linux-*

This will change your directory to the decompressed kernel that we just downloaded


Install the packages for compiling the kernel

7) If you haven't already installed the packages required to build a kernel, we'll get that out of the way quickly, type

    sudo apt install gcc libc6-dev binutils-dev make bin86 module-init-tools libncurses5-dev

This will download and install the required packages for compiling the kernel


8) Time to patch the kernel itself

    ls ..

Now copy the name of the patch and paste it into the next command below

    patch -p1 < ../paste_the_patch_name_here

9) Now we will enter the kernel's menu to change the settings, type

    make menuconfig

Additionally there is a graphical version available if you're willing to install a few packages to use it

    make gconfig

It will give an error and prompt you to install a few packages, install them and reissue the command


10) Use your arrow keys up and down to scroll up and down. Scroll down to the following paths, use enter to select each one as you navigate to it

Security options, press enter, then enter again on Grsecurity

11) Grsecurity configuration time. You'll see the following categories when you first enter this menu

Configuration Method: Keep it on automatic unless you plan to do extensive reading on the options

Usage Type: Keep it on Desktop unless you'll be using this on a server

Virtualization: If you use virtualization of some sort or plan to, change this to Host if this kernel is for the host computer. If this kernel is for a virtualized distro then choose Guest.

Virtualization Hardware: You likely have newer hardware that supports virtualization so keep this option default

Virtualization Software: Change this to the software you use for virtualization (VirtualBox, VMware, KVM, etc)

Required Priorities: This is for your priority whether you want the settings to be either security or performance oriented. If you have a slower computer perhaps choose performance, otherwise if it can handle a roughly 5% performance reduction then select Security

For a basic configuration that's all you need to change. For more advanced users, feel free to take a read through what each option does and choose whether you want to enable or disable it to fit your needs.


12) Use your right arrow key to navigate right to where it says Save. Press enter a couple of times until you're back to the screen you were just at a moment ago.


13) Now select Exit at the bottom a couple of times or hit the ESC key until the kernel configuration menu closes and you're back at your terminal window.


14) To compile the kernel

The concurrency level is the number of cores you want to use plus one, so setting it to 3 would use 2 cores. Replace the '5' in the command below with the desired amount, otherwise leave it and it will use 4 cores

Next is the actual compiling:

    sudo make -j 5 KDEB_PKGVERSION=1.grsec deb-pkg

I've had the above fail for some builds for whatever strange reason, and had the below work. So if you run into this, give this a try:

    sudo make deb-pkg

This will take a while depending on your hardware, and your computer will likely be slow during this as well. So find something to do for a bit


15) After the compilation has finished we can now install it, type

    cd ..
    sudo dpkg -i *.deb

16) Reboot your PC and select the new kernel. See if it boots; sometimes there are conflicts and it won't work, so cross your fingers it works.


After notes and troubleshooting:

  • If you get an error saying something about your gcc not supporting plugins, do this

    gcc -v

It will say a bunch of stuff but look near the bottom and you will see something such as

    gcc version 4.9.2 (Debian 4.9.2-10)

So now if I were missing the plugin I would need to install the package below as it corresponds to my version (4.9), so change the below command to reflect your installed version of gcc if yours is different

    sudo apt install gcc-4.9-plugin-dev

  • If you use an Nvidia graphics card with the proprietary driver you'll need to read this

  • Avoid doing this as root, it's better to use sudo as it prevents any funny business from occurring during this process as this guide was written for this exact procedure. As an example, extracting the tar as root makes the linux folder owned by root so it caused some issues

    • Do this to use sudo

    su
    adduser enter_your_username_here sudo
    reboot    # reboot to make sure it works

If it's not installed for whatever reason

    su
    apt install sudo

  • If you want to use grsecurity with LXC, then it takes some additional tweaks to allow it to run. I don't know exactly which options it requires; I imagine it has to do with /proc and mounting permissions though. Here is a link to some settings which make this work, definitely play with it though to get it more fine tuned.

I suggest using make gconfig so you can match the kernel config options to the options in the menus as the names are different, otherwise you can do it the hard way and reference them from here.

Note: Skip the linux vserver portion and skip down to the PAX section below it

2 Likes
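
As an added example (not part of the original post), these POSIX shell functions check the version matching that steps 4 to 8 rely on: the kernel version embedded in the patch name, the single tarball that `tar -xf linux-*` expects, and the version of the extracted tree before `patch -p1` is run. The function names are hypothetical, and the example assumes three-part kernel versions as in the post's sample patch name.

```shell
#!/bin/sh
# Added example: pre-flight checks for steps 4-8 of the guide.
# Function names are hypothetical; they are not grsecurity or kernel tooling.

# Kernel version embedded in a patch name such as
# grsecurity-3.1-4.1.4-201508032312.patch  ->  4.1.4
kernel_version_from_patch() {
    v=$(basename "$1" |
        sed -n 's/^grsecurity-[0-9.]*-\([0-9][0-9.]*\)-[0-9]*\.patch$/\1/p')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Step 5 runs "tar -xf linux-*", which only works when exactly one file
# matches. Print the single tarball for the patch's kernel version, or fail.
# The [gxb]z* suffix accepts .gz, .xz and .bz2 but not a .tar.sign file.
matching_tarball() {
    ver=$(kernel_version_from_patch "$1") || return 1
    set -- "$2"/linux-"$ver".tar.[gxb]z*
    [ $# -eq 1 ] && [ -f "$1" ] || return 1
    printf '%s\n' "$1"
}

# Version of an extracted tree, read from the VERSION / PATCHLEVEL / SUBLEVEL
# lines at the top of the kernel's Makefile.
tree_version() {
    awk '$1=="VERSION" && v==""{v=$3} $1=="PATCHLEVEL" && p==""{p=$3}
         $1=="SUBLEVEL" && s==""{s=$3}
         END{ if (v=="" || p=="" || s=="") exit 1; print v "." p "." s }' \
        "$1/Makefile"
}

# Step 8 guard: succeed only when the tree about to be patched has the
# version that the patch file name calls for.
patch_matches_tree() {
    want=$(kernel_version_from_patch "$1") || return 1
    have=$(tree_version "$2") || return 1
    [ "$want" = "$have" ]
}

# Usage from ~/Downloads after step 5 (placeholder names):
#   patch_matches_tree PATCH_FILE linux-X.Y.Z &&
#       (cd linux-X.Y.Z && patch -p1 --dry-run < ../PATCH_FILE)
```

The `--dry-run` option of GNU patch reports rejects without modifying the tree, so a mismatch shows up before any source file is changed.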

What about gradm, have you managed to apply rbac rules without screwing up the system? If so please make a guide on that too since there's not much 'for dummies' info to be found lol

I could look into that, pretty advanced for a basic step by step guide but I'll see if I can hammer something easy to understand out haha.

Interesting.. I will give it a shot in my Fedora Frankenserver.
Whatever it goes I will post the results.

Thanks!

You're welcome. Best of luck. If you can, could you please post any differences in the process and the packages you required? Since I wrote this for Debian primarily it'd be nice to add some extra info to the OP for rpm distros. Thanks

No problem.
Actually I am reading the wiki from Fedora to build custom kernels.
I will stick with that info and search in the forums to see if someone tried in CentOS or Fedora.
Also I will try to compile it with my old nvidia 9600gt too. (Don't ask... I couldn't let her die alone)

It will be a hard voyage.. but hey.. I got my viking beard :D
Any update I got I will pop in here. Right now I am at work.. so gonna try maybe tomorrow.. If I fix an issue with my pfSense and Squid3 with https.

Updated: Edited the lay out a bit, added some bits in, corrected some spelling, etc. If anyone has any suggestions or anything of the sort please say as I'd like to provide as high quality of a guide as I can

Well, it didn't work in Fedora 22, just kernel panics and random stuff.
Oddly.. it works in Fedora 20.
Why does it work? dunno.. gonna make a post in the forums and see if someone gets around this..

  • What did you choose for your required priority, performance or security?
  • Can you try disabling mprotect? It's located at: Security options > Grsecurity > Customize Configuration > PaX > Pax Control > Non-executable pages

Depends on: GRKERNSEC [=y] && PAX [=y] && (PAX_PAGEEXEC [=y] || PAX_SEGMEXEC [=n])

I've run into issues with this being enabled, sometimes it wouldn't boot and panicked

if you want it already baked in could try Subgraph OS :D/