Install grsecurity kernel security from binary
package (without kernel recompile) on Debian and Ubuntu
GRsecurity is since long time known that it is a next generation
armouring agains 0 day local kernel exploits as well as various of
other cracker attacks.
Grsecurity is an innovative approach to security utilizing a
multi-layered detection, prevention, and containment model. It is
licensed under the GNU GPL.
GRSecurity is linux kernel patch which has to be applied to the
kernel before compile time. However we've been lucky and somebody
has taken the time and care to prepare
linux image binary deb packages for
Debian and Ubuntu .
Some of the key grsecurity features are :
- An intelligent and robust Role-Based Access Control (RBAC)
system that can generate least privilege policies for your entire
system with no configuration
- Change root (chroot) hardening
- /tmp race prevention
- Prevention of arbitrary code execution, regardless of the
technique used (stack smashing, heap corruption, etc)
- Prevention of arbitrary code execution in the kernel
- Reduction of the risk of sensitive information being leaked by
arbitrary-read kernel bugs
- A restriction that allows a user to only view his/her
processes
- Security alerts and audits that contain the IP address of the
person causing the alert
To install from the
http://debian.cr0.org/ grsecurity patched
kernel image repository use the following steps:
1. Include in your /etc/apt/sources.list
deb http://ubuntu.cr0.org/repo/ kernel-security/
deb http://debian.cr0.org/repo/ kernel-security/
Directly from the bash command line execute:
debian:~# echo "deb http://ubuntu.cr0.org/repo/
kernel-security/" >> /etc/apt/sources.list
debian:~# echo "deb http://debian.cr0.org/repo/ kernel-security/"
>> /etc/apt/sources.list
2. Add the debian.cr0.org repository gpg key to the trusted
repositories key ring
Download the repository's
gpg key , check
it (it has been signed with the
repository owner GPG
key )
Thence from to include the gpg key to the trusted repos key
issue:
debian:~# apt-key add kernel-security.asc
3. Install the linux-image-grsec package itself
Currently to install on my x86_amd64 Debian Squeeze/Sid and
possibly on Debian Lenny I've issued:
debian:~# apt-get install
linux-image-2.6.32.15-1-grsec
Now simply restarting your system and choosing the Linux kernel
patched with the
GRsecurity kernel patch included from Grub
should enable you to start using the grsecurity patched
kernel.
Though this tutorial is targetting Debian it's very likely that the
grsecurity hardened kernel installation on Debian will be
analogous.