Install grsecurity kernel security from binary package (without kernel recompile) on Debian and Ubuntu

Monday, 26th July 2010

GRsecurity is since long time known that it is a next generation armouring agains 0 day local kernel exploits as well as variousof other cracker attacks.
Grsecurity is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. It is licensed under the GNU GPL.
GRSecurity is linux kernel patch which has to be applied to the kernel before compile time. However we’ve been lucky and somebody has taken the time and care to prepare linux image binary deb packages for Debian and Ubuntu .

Some of the key grsecurity features are :

  • An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
  • Change root (chroot) hardening
  • /tmp race prevention
  • Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc)
  • Prevention of arbitrary code execution in the kernel
  • Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
  • A restriction that allows a user to only view his/her processes
  • Security alerts and audits that contain the IP address of the person causing the alert

To install from the http://debian.cr0.org/ grsecurity patched kernel image repository use the following steps:

1. Include in your /etc/apt/sources.list

deb http://ubuntu.cr0.org/repo/ kernel-security/
deb http://debian.cr0.org/repo/ kernel-security/

Directly from the bash command line execute:

debian:~# echo "deb http://ubuntu.cr0.org/repo/ kernel-security/" >> /etc/apt/sources.list
debian:~# echo "deb http://debian.cr0.org/repo/ kernel-security/" >> /etc/apt/sources.list

2. Add the debian.cr0.org repository gpg key to the trusted repositories key ring

Download the repository’s gpg key , check it (it has been signed with the repository owner GPG key )

Thence from to include the gpg key to the trusted repos key issue:

debian:~# apt-key add kernel-security.asc

3. Install the linux-image-grsec package itself

Currently to install on my x86_amd64 Debian Squeeze/Sid and possibly on Debian Lenny I’ve issued:


debian:~# apt-get update
debian:~# apt-get install linux-image-2.6.32.15-1-grsec

Now simply restarting your system and choosing the Linux kernel patched with the GRsecurity kernel patch from Grub should enable you to start using the grsecurity patched kernel.
Though this tutorial is targetting Debian it’s very likely that the grsecurity hardened kernel installation on Debian will be analogous.

Share this on:

Download PDFDownload PDF

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

10 Responses to “Install grsecurity kernel security from binary package (without kernel recompile) on Debian and Ubuntu”

  1. Jeremy says:
    Firefox 4.0.1 Firefox 4.0.1 Windows Server 2003 x64 Edition Windows Server 2003 x64 Edition
    Mozilla/5.0 (Windows NT 5.2; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

    I tried to follow your advice but was unable to install and got this instead http://forums.debian.net/viewtopic.php?f=10&t=64843. Any help appreciated. Thanks.

    View CommentView Comment
    • admin says:
      Epiphany 2.30.6 Epiphany 2.30.6 Debian GNU/Linux x64 Debian GNU/Linux x64
      Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/531.2+ (KHTML, like Gecko) Version/5.0 Safari/531.2+ Debian/squeeze (2.30.6-1) Epiphany/2.30.6

      Hi thanks for pointing,
      I forgot one command in the tutorial: apt-get update now it’s included in the tutorial.
      In the mean time just in case if you don’t read this comment I also posted the command on forums.debian.net.

      Please drop me a line fruther if all wents fine with the grsec kernel install.
      Best
      Georgi

      View CommentView Comment
  2. x says:
    Firefox 7.0.1 Firefox 7.0.1 Windows 7 x64 Edition Windows 7 x64 Edition
    Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1

    Hello after adding your sources to mine and installing grsec on debian via apt-get i went to reboot and picked grsec for some reason when it goes to boot into gdm it doesn’t display anything it just shows the background wallpaper

    View CommentView Comment
    • admin says:
      Epiphany 2.30.6 Epiphany 2.30.6 Debian GNU/Linux x64 Debian GNU/Linux x64
      Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/531.2+ (KHTML, like Gecko) Version/5.0 Safari/531.2+ Debian/squeeze (2.30.6-1) Epiphany/2.30.6

      Hi, it might be some module in the kernel missing which you use for your graphic adapter check if all your modules with the normal kernel are properly loaded.

      View CommentView Comment
      • admin says:
        Epiphany 2.30.6 Epiphany 2.30.6 Debian GNU/Linux x64 Debian GNU/Linux x64
        Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/531.2+ (KHTML, like Gecko) Version/5.0 Safari/531.2+ Debian/squeeze (2.30.6-1) Epiphany/2.30.6

        I mean make a comparison between the loaded kernel modules with grsec kernel and the other normal kernel you used before.

        Best!
        Georgi

        View CommentView Comment
  3. simon says:
    Firefox 3.6.23 Firefox 3.6.23 Ubuntu 10.04 x64 Ubuntu 10.04 x64
    Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20110921 Ubuntu/10.04 (lucid) Firefox/3.6.23

    Only installing linux-patch-grsecurity2 package onto Squeeze will_not_ work.  Did you test this?
    According to http://packages.debian.org/squeeze/all/ … 2/filelist, this only installs a patch file, which you should apply against kernel source tree.
    1. Download kernel sources, patch them with this patch and rebuild kernel.
    2. After rebooting with grsecurity-enabled kernel "uname -r" will show kernel version with appended "-grsec".

    View CommentView Comment
    • admin says:
      Epiphany 2.30.6 Epiphany 2.30.6 Debian GNU/Linux x64 Debian GNU/Linux x64
      Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/531.2+ (KHTML, like Gecko) Version/5.0 Safari/531.2+ Debian/squeeze (2.30.6-1) Epiphany/2.30.6

      Hi simon,

      Unfortunately I didn’t have the time to test it with Debian Squeeze. I’ve heard that it will be not working with Squeeze from debian mailing lists also.

      best!
      Georgi

      View CommentView Comment
  4. simon says:
    Firefox 3.6.23 Firefox 3.6.23 Ubuntu 10.04 x64 Ubuntu 10.04 x64
    Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20110921 Ubuntu/10.04 (lucid) Firefox/3.6.23

    //EDIT I missed off the full URL in my post above:
    http://packages.debian.org/squeeze/all/linux-patch-grsecurity2/filelist

    View CommentView Comment
  5. Timbgo says:
    IceWeasel 10.0.12 IceWeasel 10.0.12 GNU/Linux x64 GNU/Linux x64
    Mozilla/5.0 (X11; Linux x86_64; rv:10.0.12) Gecko/20100101 Firefox/10.0.12 Iceweasel/10.0.12

    I couldn't install it on last week's wheezy testing branch.
    Am trying on this week's testing branch as soon I finish downloading.
    Any new experience there?
    Been trying hard and just can't make it:…
    See:
    http://forums.debian.net/viewtopic.php?f=5&t=103302
    Any advice?

    View CommentView Comment

Leave a Reply

CommentLuv badge