So, I am good friends with this really cool guy at work who is an excellent Linux Technician but also an extremely gifted pentester and security consultant. He has been telling me about the goodness of grsecurity and what it can do for my Linux Box. He says, even if my box is completely compromised, they probably won’t be able to do anything. Immediately after this I wanted to know what this rare moonshine was, and whether it was worth the trouble of kernel modifications and the whole shebang of configuration. After a day of on and off exploration at work, I have decided it is a most worthwhile endeavor and is probably the most extensive security you could install on a Linux server. That is, if you’re able to install it. For your average user it might be a stretch, so here is a nice little how to about how to achieve patching and compiling a linux Kernel with grsecurity module with PaX and advanced filesystem and kernel structure security. In other words, very darn cool.
For debian you might want to do something like
Step 1. Download Kernel Source (DEBIAN/possibly ubuntu)
apt-get source linux-image-$(uname -r)
Step 1. Download Kernel Source for http://www.kernel.org. In this case I’m compiling a version of 4.1.7
cd /tmp wget https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.1.7.tar.gz
Step 2. Download the latest grsecurity kernel patch, being sure to match your grsecurity patch with the kernel version you want to use on your box
wget https://grsecurity.net/test/grsecurity-3.1-4.1.7-201509201149.patch
Step 3. untar the Linux Kernel, in my case I’m using Linux-4.1.7 Kernel
tar zxvf wget linux-4.1.7.tar.gz
Step 4. Apply the grsecurity patch in the linux-4.1.7 directory we just untarred into /tmp/linux-4.1.7
cd /tmp/linux-4.1.7 patch -p1 < ../grsecurity-3.1-4.1.7-201509201149.patch
Step 5. Ensure that the correct dependancies are installed for both compiling a kernel, and configuring the kernel
# needed for configuring a kernel with make menuconfig apt-get install ncurses-dev # needed for building a kernel with kpkg apt-get install fakeroot kernel-package
Step 6. run make menuconfig within /tmp/linux-4.1.7
cd /tmp/linux-4.1.7 make menuconfig
Step 7. Refer to the grsecurity instructions on how to enable the grsecurity kernel module patches at https://grsecurity.net/quickstart.pdf
Navigate in the make menuconfig graphical interface as follows Security Options -> GrSecurity --> * Ensure that you are using Configuration Method (automatic), this is fine for most non power users. See the image below
Step 8. Compile the Kernel Image, in debian this is something like;
fakeroot make-kpkg --initrd --revision=1 kernel_image
For other operating systems it will be more similar to
make dep bzImage modules modules_install install
For those persons that weren't able to complete this tutorial, maybe they will benefit from the documentation offered by grsecurity wiki, and the quickstart guide pdf they offer;
https://en.wikibooks.org/wiki/Grsecurity/Configuring_and_Installing_grsecurity
https://grsecurity.net/quickstart.pdf
Some more (very helpful) information about compiling kernel in debian:
https://www.debian.org/releases/stable/i386/ch08s06.html.en
https://debian-handbook.info/browse/stable/sect.kernel-compilation.html