Shortnote

Grsecurity is a set of patches that harden the Linux kernel itself. It can be thought of as a lighter-weight alternative to SELinux (NSA Security-Enhanced Linux): it does not require relabelling the filesystem or reconfiguring system binaries. Grsecurity focuses on memory protections through PaX rather than on system-wide mandatory access control, although it also bundles several network-hardening patches, an optional role-based access control (RBAC) system with filesystem restrictions, and chroot hardening.

In this tutorial we compile a kernel for Debian and apply a grsecurity patch to it. Ideally the kernel chosen is as close as possible to the distribution's own kernel version, so that the new kernel matches the userland it was packaged for. Note that a grsecurity patch is made against one exact kernel release (the release is part of the patch's file name) and will not apply cleanly to any other, so the kernel source version is dictated by the patch you have.

Compiling

  • The kernel source can be fetched from kernel.org; pick the release the grsecurity patch was made for, which should be as close as possible to the distribution's current kernel.
  • The grsecurity patch can be obtained from grsecurity.net. The stable patches were public when this page was written; grsecurity has since stopped publishing its patches, so the URL below is historical.
cd /usr/src/
wget -c https://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/linux-2.6.32.61.tar.xz
tar -Jxf linux-2.6.32.61.tar.xz
cd linux-2.6.32.61
wget -c http://grsecurity.net/stable/grsecurity-2.9.1-2.6.32.61-201308052140.patch
patch -p1 --dry-run < grsecurity-2.9.1-2.6.32.61-201308052140.patch

If the dry run reports no failed hunks (no *.rej files would be written), apply the patch to the source for real:

patch -p1 < grsecurity-2.9.1-2.6.32.61-201308052140.patch

Next, configure the kernel with:

make menuconfig

and enable the grsecurity options. The simplest route is Security options → Grsecurity → Configuration Method → Automatic, then choosing the usage type (server or desktop) and the virtualization type that fit the machine; the custom method exposes every option individually. Start from the distribution's configuration (copy /boot/config-$(uname -r) to .config in the source tree before running menuconfig) so that the rest of the kernel matches what Debian ships.

When the configuration is done, build a Debian kernel package (make-kpkg comes from the kernel-package package) with:

make-kpkg --initrd kernel_image

to create the new kernel image package, and then install it with:

cd /usr/src/
dpkg -i linux-image-2.6.32-grsec_2.6.32-grsec-10.00.Custom_amd64.deb

where the file name depends on the kernel version that was compiled and on the version suffix (here -grsec, which comes from the kernel's local version string or from make-kpkg's --append-to-version option).
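The whole fetch, check, patch and build procedure as one script, added here as an example and not part of the original page. The version-consistency checks are the point: a grsecurity patch carries the exact kernel release it was made for in its file name, and the kernel tree's top-level Makefile carries its own release, so the two can be compared before anything is patched, and both can be compared with the running kernel's series. The URLs and the patch name are those used on the page; the function names, the GRSEC_BUILD guard and the use of make-kpkg's --append-to-version option are my additions.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight checks for the
# "fetch kernel, apply grsecurity patch, build" procedure, plus the
# procedure itself behind a guard so that this file can be sourced or
# tested without downloading or building anything.
set -eu

# Kernel release a grsecurity patch was made for, taken from its file name:
#   grsecurity-<grsec version>-<kernel release>-<timestamp>.patch
# e.g. grsecurity-2.9.1-2.6.32.61-201308052140.patch -> 2.6.32.61
grsec_patch_kernel_version() {
    name=$(basename "$1" .patch)
    ver=$(printf '%s\n' "$name" | sed -E 's/^grsecurity-[0-9.]+-([0-9.]+)-[0-9]+$/\1/')
    [ "$ver" != "$name" ] || return 1      # name does not follow the pattern
    printf '%s\n' "$ver"
}

# One "VARIABLE = value" assignment from a kernel Makefile, trimmed.
makefile_field() {  # makefile_field <Makefile> <VARIABLE>
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# Release of an unpacked kernel tree: VERSION.PATCHLEVEL.SUBLEVEL plus
# EXTRAVERSION, e.g. 2, 6, 32 and ".61" give 2.6.32.61.
kernel_tree_version() {
    mk="$1/Makefile"
    printf '%s.%s.%s%s\n' "$(makefile_field "$mk" VERSION)" \
        "$(makefile_field "$mk" PATCHLEVEL)" "$(makefile_field "$mk" SUBLEVEL)" \
        "$(makefile_field "$mk" EXTRAVERSION)"
}

# Stable series a release belongs to: 2.6.x kernels keep three components
# (2.6.32), later kernels two (3.14, 4.9).  A Debian ABI suffix such as
# "-5-amd64" is stripped first so that `uname -r` output can be passed in.
kernel_series() {
    v=$(printf '%s\n' "$1" | sed 's/[-+].*//')
    case "$v" in
        2.6.*) printf '%s\n' "$v" | cut -d. -f1-3 ;;
        *)     printf '%s\n' "$v" | cut -d. -f1-2 ;;
    esac
}

# Returns 0 when the patch was made for exactly the release in the tree.
# A tree outside the running kernel's series is only a warning: it builds,
# but it is the "implementation mismatch" the page advises against.
check_versions() {  # check_versions <patch file> <kernel tree> <running release>
    patch_ver=$(grsec_patch_kernel_version "$1") || {
        echo "unrecognised patch name: $1" >&2; return 1; }
    tree_ver=$(kernel_tree_version "$2")
    echo "patch made for $patch_ver, tree is $tree_ver, running $3"
    if [ "$patch_ver" != "$tree_ver" ]; then
        echo "mismatch: this patch applies only to $patch_ver" >&2
        return 1
    fi
    if [ "$(kernel_series "$tree_ver")" != "$(kernel_series "$3")" ]; then
        echo "warning: $tree_ver is outside the running kernel's series" >&2
    fi
}

# The page's procedure.  Run as root with GRSEC_BUILD=1; patch's own exit
# status (non-zero on any rejected hunk) aborts the script under set -e.
if [ "${GRSEC_BUILD:-0}" = 1 ]; then
    KVER=2.6.32.61
    PATCH=grsecurity-2.9.1-$KVER-201308052140.patch
    cd /usr/src
    wget -c "https://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/linux-$KVER.tar.xz"
    tar -Jxf "linux-$KVER.tar.xz"
    cd "linux-$KVER"
    wget -c "http://grsecurity.net/stable/$PATCH"
    check_versions "$PATCH" . "$(uname -r)"
    patch -p1 --dry-run < "$PATCH"
    patch -p1 < "$PATCH"
    cp "/boot/config-$(uname -r)" .config   # start from Debian's own configuration
    make oldconfig                          # answer the new (grsecurity) questions
    make menuconfig                         # Security options -> Grsecurity
    make-kpkg --initrd --append-to-version=-grsec kernel_image
    dpkg -i ../linux-image-*-grsec_*.deb
fi
```

The dry run is kept even though `check_versions` already passed: the name check catches the wrong release, the dry run catches a tree that has been modified since it was unpacked.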

Creating Restriction Groups

grsecurity applies, or exempts from, some of its restrictions by group membership: for example the GID that is exempted from the /proc restrictions, the GID that Trusted Path Execution applies to, and the GIDs that are denied all, client or server sockets. The GIDs are compiled into the kernel as plain numbers; they are chosen under Security options → Grsecurity → Default Special Groups during kernel configuration (the automatic configuration method keeps the defaults).

Nothing in the kernel creates the corresponding groups, so on Debian each one must be created by hand with the GID that was configured:

groupadd -g 1001 ...

After the groups exist and the grsecurity kernel has been built and installed, it is safe to reboot into it and start fortifying system binaries with PaX.
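Since the page elides the actual groupadd lines, here is an added example (not from the original page) that derives them from the kernel configuration instead of retyping the numbers: every CONFIG_GRKERNSEC_*_GID symbol in /boot/config-$(uname -r) is a GID the kernel treats specially. The symbol names used in the constructed sample config are the ones grsecurity uses for its special groups, but verify them against your own .config; the group names assigned to them, the GRSEC_APPLY guard and the function names are my own choices.

```shell
#!/bin/sh
# Added example, not from the original page: create the groups that match
# the GIDs compiled into the kernel.  The CONFIG_GRKERNSEC_*_GID symbols are
# read from the kernel config; the group names assigned to them are assumed.
set -eu

# Print "CONFIG_SYMBOL GID" for every special-group GID in a kernel config
# file (e.g. /boot/config-$(uname -r) or the source tree's .config).
grsec_gids() {
    sed -n 's/^\(CONFIG_GRKERNSEC_[A-Z_]*_GID\)=\([0-9]*\)$/\1 \2/p' "$1"
}

# Group name to create for a config symbol (assumed names, not grsecurity's).
group_name_for() {
    case "$1" in
        CONFIG_GRKERNSEC_PROC_GID)          echo grsec-proc ;;
        CONFIG_GRKERNSEC_TPE_GID)           echo grsec-tpe ;;
        CONFIG_GRKERNSEC_SOCKET_ALL_GID)    echo grsec-nosock ;;
        CONFIG_GRKERNSEC_SOCKET_CLIENT_GID) echo grsec-noclient ;;
        CONFIG_GRKERNSEC_SOCKET_SERVER_GID) echo grsec-noserver ;;
        CONFIG_GRKERNSEC_AUDIT_GID)         echo grsec-audit ;;
        CONFIG_GRKERNSEC_SYMLINKOWN_GID)    echo grsec-symlinkown ;;
        *) printf '%s\n' "$1" | sed 's/^CONFIG_GRKERNSEC_//; s/_GID$//' \
               | tr 'A-Z_' 'a-z-' | sed 's/^/grsec-/' ;;
    esac
}

# Emit the groupadd commands still needed.  A GID that is already present in
# the group file (default /etc/group) is reported and skipped: binding a
# kernel GID to an unrelated existing group would silently give that group's
# members the special treatment (or the special restriction).
groupadd_commands() {  # groupadd_commands <kernel config> [group file]
    cfg=$1; grp=${2:-/etc/group}
    grsec_gids "$cfg" | while read -r sym gid; do
        existing=$(awk -F: -v g="$gid" '$3 == g { print $1 }' "$grp")
        if [ -n "$existing" ]; then
            echo "# GID $gid ($sym) already used by group '$existing'; check that this is intended"
        else
            echo "groupadd -g $gid $(group_name_for "$sym")"
        fi
    done
}

# Print the commands by default; with GRSEC_APPLY=1 (as root) run them.
if [ "${GRSEC_APPLY:-0}" = 1 ]; then
    groupadd_commands "/boot/config-$(uname -r)" | sh -e
else
    groupadd_commands "${1:-/boot/config-$(uname -r)}"
fi
```

Review the printed list before applying it: the symbols present depend on which grsecurity options were enabled, and a GID reported as already in use is the case where the kernel's idea of a group and Debian's diverge.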

PaX

PaX provides the memory protections: non-executable pages (so that shellcode injected onto the stack or heap cannot run), address space randomisation, and MPROTECT, which prevents a process from creating a mapping that is both writable and executable. These are enabled system-wide by the kernel configuration; per-binary exceptions are stored as flags in a PT_PAX_FLAGS program header inside the ELF file, which most binaries do not have yet, so the header has to be created first. The binaries that most commonly need an exception are those that generate machine code at run time (JIT compilers), which need writable-and-executable memory, for example:

  • mono - its CIL JIT,
  • java - the JVM's JIT

To create the PaX header in a binary, first issue:

paxctl -C /usr/bin/mono

and then, to disable MPROTECT for that binary only, issue:

paxctl -m /usr/bin/mono

after which mono can run its JIT-compiled code. A lower-case flag letter disables the protection and the upper-case letter re-enables it (paxctl's -v option shows the flags currently set on a file). Because the flags live inside the binary, a package upgrade that replaces the file discards them and they must be set again.
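An added example, not from the original page, of how to find the binaries that need this exception instead of guessing: when MPROTECT blocks a writable-and-executable mapping the kernel logs a "denied RWX" message naming the program, so the kernel log can be turned into the list of paxctl commands to apply (and re-apply after upgrades). The sample log lines are constructed to illustrate the shape of those messages, not copied from a real kernel; check the exact wording your kernel produces (dmesg | grep -i 'denied RWX') and adjust the pattern if it differs. Function names and the PAX_SCAN guard are my additions.

```shell
#!/bin/sh
# Added example, not from the original page: turn PaX "denied RWX" log
# lines into the per-binary paxctl exemptions the page describes.
set -eu

# Constructed sample of kernel log lines (not real output): one JIT denied
# twice, another once, and an unrelated exec-logging line that must be ignored.
SAMPLE_LOG='
[  123.456] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/mono[mono:2231] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2200] uid/euid:1000/1000 gid/egid:1000/1000
[  124.001] grsec: denied RWX mprotect of <anonymous mapping> by /usr/bin/mono[mono:2231] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2200] uid/euid:1000/1000 gid/egid:1000/1000
[  130.770] grsec: denied RWX mmap of <anonymous mapping> by /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java[java:2302] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2200] uid/euid:1000/1000 gid/egid:1000/1000
[  131.002] grsec: exec of /usr/bin/id by /bin/bash[bash:2200] uid/euid:1000/1000 gid/egid:1000/1000
'

# Unique binaries that were denied a writable+executable mapping, one per
# line.  Reads log text on stdin; the path is the one between " by " and the
# "[comm:pid]" suffix, so script interpreters show up as the interpreter.
rwx_denied_binaries() {
    sed -n 's/.*denied RWX [a-z]* of .* by \(\/[^[]*\)\[.*/\1/p' | sort -u
}

# One paxctl line per binary: -C creates the PT_PAX_FLAGS header the flags
# are stored in, -m clears MPROTECT for that file only.  The commands are
# printed, not executed: review them, then pipe into sh as root.  Keep the
# list, because an upgrade of the package replaces the file and its flags.
paxctl_exemptions() {
    rwx_denied_binaries | while read -r bin; do
        printf 'paxctl -C -m %s\n' "$bin"
    done
}

# With PAX_SCAN=1 read the live kernel log; otherwise show the sample.
if [ "${PAX_SCAN:-0}" = 1 ]; then
    dmesg | paxctl_exemptions
else
    printf '%s\n' "$SAMPLE_LOG" | paxctl_exemptions
fi
```

A binary that keeps appearing after the exemption was applied is the upgrade case above, or a different program started through the same interpreter; either way the log, not the exemption list, is the source of truth.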

Limits

On Debian, resource limits are configured in /etc/security/limits.conf, but they are applied by PAM's pam_limits module when a session is opened, not by grsecurity, so processes that do not go through a PAM login do not get them. What grsecurity adds is logging of processes that hit a resource limit (CONFIG_GRKERNSEC_RESLOG) and, with RBAC enabled, resource limits attached to individual subjects in the policy, which hold system-wide regardless of how the process was started.

Role Based Access Control (RBAC)

Oh no, not this shit again!

As with any other ACL-driven mechanism, it is a good idea to leave RBAC disabled unless you are prepared to maintain the policy: a policy that was written by hand, or learned on a system that was not exercising its daemons, interferes with many major daemons.

The same principle applies to mod_security in Apache, where, in order to secure a system, you must build a long list of carefully tuned rules.

Put precisely, an ACL defines the expected behaviour of a process, and any deviation from that behaviour is blocked (and logged) by the enforcement mechanism.

grsecurity ships with gradm, its RBAC administration tool, which has a learning mode: it records what processes do and generates a policy from the recording, sparing the administrator from writing the policy by hand.

To start gradm in full system learning mode, issue:

gradm -F -L /etc/grsec/learning.log

gradm then records system activity into /etc/grsec/learning.log. Keep the system up for the whole learning period and exercise every installed daemon through its normal workload (including periodic jobs such as log rotation), so that all legitimate actions are captured: anything that was not observed during learning will be denied once the policy is enforced.

Once learning is finished, the log file /etc/grsec/learning.log is used to generate the access lists. First stop learning mode:

gradm -D

and then issue:

gradm -F -L /etc/grsec/learning.log -O /etc/grsec/policy

The policy lands in /etc/grsec/policy, the default location gradm reads. Review it before enforcing it, check its syntax with gradm's -C option, set the RBAC administration password with the -P option if that has not been done yet, and only then enable enforcement with -E.
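A review pass over a learned policy, added here as an example and not part of the original page or of gradm. Learning mode grants exactly what it observed, so a daemon that happened to write under /etc or /usr during learning keeps that right permanently; the function below lists every object line in a non-admin subject that grants write-type access (w write, c create, d delete, l link) on a top-level system directory, for a human to confirm or cut. The sample policy is constructed to illustrate the policy syntax (role, subject and object lines, with the A flag marking an admin role), not generated by gradm; the SENSITIVE list and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: flag write-type access to
# top-level system directories in a grsecurity RBAC policy so that a policy
# produced by learning mode gets a human review before `gradm -E`.
set -eu

# Constructed sample policy (not gradm output).  Indentation is for reading
# only; the format is whitespace separated.
SAMPLE_POLICY='
role admin sA
subject / rvka
    /               rwcdmlxi

role default G
role_transitions admin
subject /
    /               r
    /etc            r
    /usr            rx
    /var/log        w
    -CAP_ALL
    bind    disabled
    connect disabled
subject /usr/bin/apt-get o
    /               h
    /usr            rwcdx
    /var/lib/apt    rwcd
    /var/cache/apt  rwcd

role www-data u
subject /usr/sbin/apache2 o
    /               h
    /etc            rwc
    /usr            rx
    /var/www        r
    /var/log/apache2 wa
    +CAP_NET_BIND_SERVICE
    bind 0.0.0.0/0:80 tcp
'

# Directories where learned write access deserves a second look.
SENSITIVE='/ /etc /usr /bin /sbin /lib /boot'

# Print "role subject path mode" for every object on a sensitive directory
# whose mode contains a write-type letter, skipping roles with the admin (A)
# flag.  Reads the policy on stdin.
suspicious_objects() {
    awk -v sens="$SENSITIVE" '
        BEGIN { n = split(sens, a, " "); for (i = 1; i <= n; i++) isSens[a[i]] = 1 }
        $1 == "role"    { role = $2; admin = ($3 ~ /A/); next }
        $1 == "subject" { subj = $2; next }
        !admin && ($1 in isSens) && $2 ~ /[wcdl]/ { print role, subj, $1, $2 }'
}

# With GRSEC_AUDIT=1 audit the real policy; otherwise show the sample.
if [ "${GRSEC_AUDIT:-0}" = 1 ]; then
    suspicious_objects < /etc/grsec/policy
else
    printf '%s\n' "$SAMPLE_POLICY" | suspicious_objects
fi
```

On the sample this reports apt-get's write access to /usr (legitimate, keep it) and apache2's write access to /etc (almost certainly an artefact of something done during learning, cut it). After editing, run gradm's policy check (-C) before enabling enforcement, since a syntax error in a hand-edited policy prevents RBAC from being enabled at all.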

Debian Quirks

On Debian, the RBAC tool is packaged as gradm2. If you have followed this guide it will not work out of the box: the kernel creates /dev/grsec and reads its policy from /etc/grsec, whereas Debian's gradm2 was built to use /dev/grsec2 and /etc/grsec2, which leads to a whole series of confusing errors. Note also that gradm must be the same version as the grsecurity patch in the kernel (here 2.9.1); a gradm2 package built for a different grsecurity release will not work with the kernel even after the paths are fixed.

To fix this, rebuild gradm2 from its source package. First fetch the sources and the build dependencies with:

apt-get source gradm2
apt-get build-dep gradm2

then change into the unpacked gradm2 source directory and rewrite the paths in every file:

find . -type f -exec sed -i 's/\/etc\/grsec2/\/etc\/grsec/g' '{}' \;
find . -type f -exec sed -i 's/\/dev\/grsec2/\/dev\/grsec/g' '{}' \;

This replaces every occurrence of the grsec2 paths with the ones the kernel expects, so the rebuilt tool also reads and writes /etc/grsec/policy, the file generated in the learning step above.

Finally, build the package as usual with:

dpkg-buildpackage -rfakeroot -b

and install the resulting .deb from the parent directory with dpkg.

Locking Settings from Tampering

The grsecurity features are exposed as sysctls (CONFIG_GRKERNSEC_SYSCTL must be enabled for them to exist). Once all necessary settings have been made, the following line can be added to /etc/sysctl.d/local.conf:

kernel.grsecurity.grsec_lock = 1

so that none of the kernel.grsecurity.* settings can be changed, even by root, until the system is restarted. Because the lock takes effect immediately, it must be the last grsecurity setting applied at boot: the files in /etc/sysctl.d are processed in file-name order followed by /etc/sysctl.conf, top to bottom, and any grsecurity setting that comes after the lock is rejected.
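The ordering constraint is easy to break later by dropping another file into /etc/sysctl.d, so here is an added check, not from the original page, that parses the sysctl files in the order the boot-time pass applies them and reports any kernel.grsecurity.* setting that would be processed after grsec_lock = 1 (or a missing lock). The sysctl file parsing and the function names are my own; the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: verify that grsec_lock = 1 is
# the last kernel.grsecurity.* setting the boot-time sysctl pass will see.
# `sysctl --system` (and Debian's procps init script before it) applies
# /etc/sysctl.d/*.conf in lexical file-name order, then /etc/sysctl.conf,
# top to bottom; anything after the lock is rejected until reboot.
set -eu

# Expand "key = value" lines from the given files, in the order given, as
# "file key value"; comments (# or ;) and blank lines are skipped.  Only the
# dotted key form is used on this page, but the slash form is accepted too.
sysctl_settings() {  # sysctl_settings <file>...  (in application order)
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v f="$f" -F= '
            /^[[:space:]]*([#;]|$)/ || NF < 2 { next }
            { k = $1; v = $2
              gsub(/[[:space:]]/, "", k)
              gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
              print f, k, v }' "$f"
    done
}

# Exit 0 when grsec_lock = 1 is present and no kernel.grsecurity.* setting
# follows it; otherwise print the offending entries and exit 1.  Call with
# the files in the order sysctl applies them, e.g.
#   check_grsec_lock_order /etc/sysctl.d/*.conf /etc/sysctl.conf
check_grsec_lock_order() {
    sysctl_settings "$@" | awk '
        locked && $2 ~ /^kernel[.\/]grsecurity[.\/]/ {
            printf "%s: %s = %s comes after grsec_lock and will be rejected\n", $1, $2, $3
            bad = 1
        }
        $2 ~ /^kernel[.\/]grsecurity[.\/]grsec_lock$/ && $3 == "1" { locked = 1 }
        END {
            if (!locked) { print "grsec_lock = 1 is not set in any file"; exit 1 }
            exit bad
        }'
}

# Check the live configuration when run directly with SYSCTL_CHECK=1.
if [ "${SYSCTL_CHECK:-0}" = 1 ]; then
    check_grsec_lock_order /etc/sysctl.d/*.conf /etc/sysctl.conf
fi
```

Run it after every change to /etc/sysctl.d; a package that ships its own sysctl.d file with a name that sorts after local.conf is exactly the case it catches.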


linux/hardening/grsecurity.txt · Last modified: 2022/04/19 08:28 by 127.0.0.1