GRsecurity is since long time known that it is a next generation armouring agains 0 day local kernel exploits as well as variousof other cracker attacks.
Grsecurity is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. It is licensed under the GNU GPL.
GRSecurity is linux kernel patch which has to be applied to the kernel before compile time. However we’ve been lucky and somebody has taken the time and care to prepare linux image binary deb packages for Debian and Ubuntu .
Some of the key grsecurity features are :
- An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
- Change root (chroot) hardening
- /tmp race prevention
- Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc)
- Prevention of arbitrary code execution in the kernel
- Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
- A restriction that allows a user to only view his/her processes
- Security alerts and audits that contain the IP address of the person causing the alert
To install from the http://debian.cr0.org/ grsecurity patched kernel image repository use the following steps:
1. Include in your /etc/apt/sources.list
deb http://ubuntu.cr0.org/repo/ kernel-security/
deb http://debian.cr0.org/repo/ kernel-security/
Directly from the bash command line execute:
debian:~# echo "deb http://ubuntu.cr0.org/repo/ kernel-security/" >> /etc/apt/sources.list
debian:~# echo "deb http://debian.cr0.org/repo/ kernel-security/" >> /etc/apt/sources.list
2. Add the debian.cr0.org repository gpg key to the trusted repositories key ring
Download the repository’s gpg key , check it (it has been signed with the repository owner GPG key )
Thence from to include the gpg key to the trusted repos key issue:
debian:~# apt-key add kernel-security.asc
3. Install the linux-image-grsec package itself
Currently to install on my x86_amd64 Debian Squeeze/Sid and possibly on Debian Lenny I’ve issued:
debian:~# apt-get update
debian:~# apt-get install linux-image-2.6.32.15-1-grsec
Now simply restarting your system and choosing the Linux kernel patched with the GRsecurity kernel patch from Grub should enable you to start using the grsecurity patched kernel.
Though this tutorial is targetting Debian it’s very likely that the grsecurity hardened kernel installation on Debian will be analogous.
More helpful Articles
Tags: alertTo, arbitrary code execution, audits, care, containment, cracker, deb packages, entire system, generation, gnu gpl, grsecurity, heap, heap corruption, image repository, information, Install, Install grsecurity kernel security from binary package (without kernel recompile) on Debian and Ubuntu, kernel image, kernel patch, kernelReduction, package, person, prevention, preventionPrevention, privilege, race, rbac, repo, repositories, restriction, role based access control, root, smashing, technique, time, tmp, tmp race, Ubuntu, variousof
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
I tried to follow your advice but was unable to install and got this instead http://forums.debian.net/viewtopic.php?f=10&t=64843. Any help appreciated. Thanks.
View CommentView CommentMozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/531.2+ (KHTML, like Gecko) Version/5.0 Safari/531.2+ Debian/squeeze (2.30.6-1) Epiphany/2.30.6
Hi thanks for pointing,
I forgot one command in the tutorial: apt-get update now it’s included in the tutorial.
In the mean time just in case if you don’t read this comment I also posted the command on forums.debian.net.
Please drop me a line fruther if all wents fine with the grsec kernel install.
View CommentView CommentBest
Georgi
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Hello after adding your sources to mine and installing grsec on debian via apt-get i went to reboot and picked grsec for some reason when it goes to boot into gdm it doesn’t display anything it just shows the background wallpaper
View CommentView CommentMozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/531.2+ (KHTML, like Gecko) Version/5.0 Safari/531.2+ Debian/squeeze (2.30.6-1) Epiphany/2.30.6
Hi, it might be some module in the kernel missing which you use for your graphic adapter check if all your modules with the normal kernel are properly loaded.
View CommentView CommentMozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/531.2+ (KHTML, like Gecko) Version/5.0 Safari/531.2+ Debian/squeeze (2.30.6-1) Epiphany/2.30.6
I mean make a comparison between the loaded kernel modules with grsec kernel and the other normal kernel you used before.
Best!
View CommentView CommentGeorgi
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20110921 Ubuntu/10.04 (lucid) Firefox/3.6.23
Only installing linux-patch-grsecurity2 package onto Squeeze will_not_ work. Did you test this?
View CommentView CommentAccording to http://packages.debian.org/squeeze/all/ … 2/filelist, this only installs a patch file, which you should apply against kernel source tree.
1. Download kernel sources, patch them with this patch and rebuild kernel.
2. After rebooting with grsecurity-enabled kernel "uname -r" will show kernel version with appended "-grsec".
Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/531.2+ (KHTML, like Gecko) Version/5.0 Safari/531.2+ Debian/squeeze (2.30.6-1) Epiphany/2.30.6
Hi simon,
Unfortunately I didn’t have the time to test it with Debian Squeeze. I’ve heard that it will be not working with Squeeze from debian mailing lists also.
best!
View CommentView CommentGeorgi
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20110921 Ubuntu/10.04 (lucid) Firefox/3.6.23
//EDIT I missed off the full URL in my post above:
View CommentView Commenthttp://packages.debian.org/squeeze/all/linux-patch-grsecurity2/filelist
Mozilla/5.0 (X11; Linux x86_64; rv:10.0.12) Gecko/20100101 Firefox/10.0.12 Iceweasel/10.0.12
I couldn't install it on last week's wheezy testing branch.
View CommentView CommentAm trying on this week's testing branch as soon I finish downloading.
Any new experience there?
Been trying hard and just can't make it:…
See:
http://forums.debian.net/viewtopic.php?f=5&t=103302
Any advice?