Posts Tagged ‘grsecurity’

How to improve Linux kernel security with GrSecurity / Maximum Linux kernel security with GrSecurity

Tuesday, May 3rd, 2011

In short I’ll explain here what is Grsecurity http://www.grsecurity.net/ for all those who have not used it yet and what kind of capabilities concerning enhanced kernel security it has.

Grsecurity is a combination of patches for the Linux kernel accenting at the improving kernel security.

The typical application of GrSecurity is in the field of Linux systems which are administered through SSH/Shell, e.g. (remote hosts), though you can also configure grsecurity on a normal Linux desktop system if you want a super secured Linux desktop ;).

GrSecurity is used heavily to protect server system which require a multiple users to have access to the shell.

On systems where multiple user access is required it’s a well known fact that (malicious users, crackers or dumb script kiddies) get administrator (root) privileges with a some just poped in 0 day root kernel exploit.
If you’re an administrator of a system (let’s say a web hosting) server with multiple users having access to the shell it’s also common that exploits aiming at hanging in certain daemon service is executed by some of the users.
In other occasions you have users which are trying to DoS the server with some 0 day Denial of Service exploit.
In all this cases GrSecurity having a kernel with grsecurity is priceless.

Installing grsecurity patched kernel is an easy task for Debian and Ubuntu and is explained in one of my previous articles.
This article aims to explain in short some configuration options for a GrSecurity tightened kernel, when one have to compile a new kernel from source.

I would skip the details on how to compile the kernel and simply show you some picture screens with GrSecurity configuration options which are working well and needs to be set-up before a make command is issued to compile the new kernel.

After preparing the kernel source for compilation and issuing:

linux:/usr/src/kernel-source$ make menuconfig

You will have to select options like the ones you see in the pictures below:

[nggallery id=”8″]

After completing and saving your kernel config file, continue as usual with an ordinary kernel compilation, e.g.:

linux:/usr/src/kernel-source$ make
linux:/usr/src/kernel-source$ make modules
linux:/usr/src/kernel-source$ su root
linux:/usr/src/kernel-source# make modules_install
linux:/usr/src/kernel-source# make install
linux:/usr/src/kernel-source# mkinitrd -o initrd.img-2.6.xx 2.6.xx

Also make sure the grub is properly configured to load the newly compiled and installed kernel.

After a system reboot, if all is fine you should be able to boot up the grsecurity tightened newly compiled kernel, but be careful and make sure you have a backup solution before you reboot, don’t blame me if your new grsecurity patched kernel fails to boot! You’re on your own boy 😉
This article is written thanks to based originally on his article in Bulgarian. If you’re a Bulgarian you might also checkout static’s blog

Install grsecurity kernel security from binary package (without kernel recompile) on Debian and Ubuntu

Monday, July 26th, 2010

GRsecurity is since long time known that it is a next generation armouring agains 0 day local kernel exploits as well as variousof other cracker attacks.
Grsecurity is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. It is licensed under the GNU GPL.
GRSecurity is linux kernel patch which has to be applied to the kernel before compile time. However we’ve been lucky and somebody has taken the time and care to prepare linux image binary deb packages for Debian and Ubuntu .

Some of the key grsecurity features are :

  • An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
  • Change root (chroot) hardening
  • /tmp race prevention
  • Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc)
  • Prevention of arbitrary code execution in the kernel
  • Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
  • A restriction that allows a user to only view his/her processes
  • Security alerts and audits that contain the IP address of the person causing the alert

To install from the http://debian.cr0.org/ grsecurity patched kernel image repository use the following steps:

1. Include in your /etc/apt/sources.list

deb http://ubuntu.cr0.org/repo/ kernel-security/
deb http://debian.cr0.org/repo/ kernel-security/

Directly from the bash command line execute:

debian:~# echo "deb http://ubuntu.cr0.org/repo/ kernel-security/" >> /etc/apt/sources.list
debian:~# echo "deb http://debian.cr0.org/repo/ kernel-security/" >> /etc/apt/sources.list

2. Add the debian.cr0.org repository gpg key to the trusted repositories key ring

Download the repository’s gpg key , check it (it has been signed with the repository owner GPG key )

Thence from to include the gpg key to the trusted repos key issue:

debian:~# apt-key add kernel-security.asc

3. Install the linux-image-grsec package itself

Currently to install on my x86_amd64 Debian Squeeze/Sid and possibly on Debian Lenny I’ve issued:


debian:~# apt-get update
debian:~# apt-get install linux-image-2.6.32.15-1-grsec

Now simply restarting your system and choosing the Linux kernel patched with the GRsecurity kernel patch from Grub should enable you to start using the grsecurity patched kernel.
Though this tutorial is targetting Debian it’s very likely that the grsecurity hardened kernel installation on Debian will be analogous.