Hey there, I understand there is fairly comprehensive configuration and installation documentation here but I wanted to write something step by step and easy to understand to help spread adoption of grsec for the average Linux user.
This guide is for Debian and Debian based distributions, but most steps can be adapted to others. The main part that will be different is the packages required for compilation, the command used for compiling, then the installation method for the kernel.
What is Grsecurity?
Grsecurity is an extensive security enhancement to the Linux kernel that defends against a wide range of security threats. The PaX project is included, hardening both userspace applications and the kernel against memory corruption-based exploits. Grsecurity includes a powerful Mandatory Access Control system with an effortless automatic learning mode and a host of other miscellaneous hardening features.
Defends against zero-day
Only grsecurity provides protection against zero-day and other advanced threats that buys administrators valuable time while vulnerability fixes make their way out to distributions and production testing. This is made possible by our focus on eliminating entire bug classes and exploit vectors, rather than the status-quo elimination of individual vulnerabilities.
Mitigates shared-host/container weaknesses
In any kind of shared computing environment, whether it be simple UID separation, OpenVZ, LXC, or Linux-VServer, the most common and often easiest method of full system compromise is through kernel exploitation. No other software exists to mitigate this weakness while maintaining usability and performance.
How to obtain it
1) Go here to their official downloads page. Decide between whether you would like one of the stable kernels or what they are calling the test kernel patch. Either or is good, it depends which kernel suits your needs best based on features or hardware requirements.
Personally I use the newer test kernel patch as the 4.x.x kernels have been very very stable and supports my hardware wonderfully.
2) After deciding which kernel patch you'd prefer, right click the link and copy the url
3) Open a terminal, and then type
cd ~ cd Downloads wget paste_url_here
This will change your present working directory to Downloads and then download the patch there
Obtaining a vanilla kernel to apply the patch to
4) Go to here and download the corresponding kernel for the patch you downloaded. Say this is the name of patch you downloaded: grsecurity-3.1-4.1.4-201508032312.patch the bolded section of the file name will be kernel version this is for.
Decompressing the kernel
5) After the download completes, type
tar -xf linux-*
This will decompress the archive of the tar, this assumes you only have the kernel we just downloaded in your Downloads folder as the command uses a wildcard (the asterisk *) which means anything
6) After the decompression finishes, type
This will change your directory to the decompressed kernel that we just downloaded
Install the packages for compiling the kernel
7) I you haven't already previously installed the packages required to build a kernel we'll get that out of the way quickly, type
sudo apt install gcc libc6-dev binutils-dev make bin86 module-init-tools libncurses5-dev
This will download and install the required packages for compiling the kernel
8) TIme to patch the kernel itself
Now copy the name of the patch and paste it into the next command below
patch -p1 < ../paste_the_patch_name_here
9) Now we will enter the kernels menu to change the settings, type
Additionally there is a graphical version available if you're willing to install a few packages to use it
It will give an error and prompt you to install a few packages, install them and reissue the command
10) Use your arrow keys up and down to scroll up and down. Scroll down to the following paths, use enter to select each one as you navigate to it
Security options, press enter, then enter again on Grsecurity
11) Grsecurity configuration time. You'll see the following categories when you first enter this menu
Configuration Method: Keep it on automatic unless you plan to do extensive reading on the options
Usage Type: Keep it on Desktop unless you'll be using this on a server
Virtualization: If you use virtualization of some sort or plan to, change this to Host if this kernel is for the host computer. If this kernel is for a virtualized distro then choose Guest.
Virtualization Hardware: You likely have newer hardware that supports virtualization so keep this option default
Virtualization Software: Change this to the software you use for virtualization (VirtualBox, VMware, KVM, etc)
Required Priorities: This is for your priority whether you want the settings to be either security or performance oriented. If you have a slower computer perhaps choose performance, otherwise if it can handle a roughly 5% performance reduction then select Security
For a basic configuration that's all you need to change. For more advance users feel free to take a read through what each option does and choose whether you want to enable or disable it to fit your needs.
12) Use your right arrow key to navigate right to where it says Save. Select enter a couple times until you're back to screen you were just at a moment ago.
13) Now select Exit at the bottom couple times or hit the ESC key until the kernel configuration menu closes and you're back at your terminal window.
14) To compile the kernel, type
Based on how many cores you want to use the concurrency level is based off amount of cores you want to use plus one. So setting it to 3 would use 2 cores. So replace the '5' in the string below to be the desired amount, otherwise leave it and it will use 4 cores
Next is the actual compiling:
sudo make -j 5 KDEB_PKGVERSION=1.grsec deb-pkg
I've had the above fail for some builds for whatever strange reason, and had the below work. So if you run into this give this a try:
sudo make deb-pkg
This will take a while depending on your hardware, and your computer will likely be slow during this as well. So find something to do for a bit
15) After the compilation has finished we can now install it, type
cd .. sudo dpkg -i *.deb
16) Reboot your PC and select the new kernel. See if it boots, sometimes there are conflictions and it wont work so cross your fingers it works.
After notes and troubleshooting:
- If you get an error saying something about your gcc not supporting plugins, do this
It will say a bunch of stuff but look near the bottom and you will see something such as
gcc version 4.9.2 (Debian 4.9.2-10)
So now if I were missing the plugin I would need to install the package below as it corresponds to my version (4.9) so change the below command to reflect your installed version of gcc if yours is different
sudo apt install gcc-4.9-plugin-dev
If you use an Nvidia graphics card with the proprietary driver you'll need to read this
Avoid doing this as root, it's better to use sudo as it prevents any funny business from occurring during this process as this guide was written for this exact procedure. As an example, extracting the tar as root makes the linux folder owned by root so it caused some issues
- Do this to use sudo
adduser enter_your_username_here sudo
reboot to make sure it works
If its not installed for whatever reason
apt install sudo
- If you want to use grsecurity with LXC, then it takes some additional tweaks to allow it to run. I don't know exactly which options it requires, I imagine it has to do with /proc and mounting permissions though. Here a link to some settings which make this work, definitely play with it though to get it more fine tuned.
I suggest using make gconfig so you can match the kernel config options to the options in the menus as the names are different, otherwise you can do it the hard way and reference them from here.
Note: Skip the linux vserver portion and skip down to the PAX section below it