Testing the GRSEC kernel
Posted: Tue May 07, 2013 12:35 am
Hello Everyone. I am sure you have noticed, I like to build kernels. So, I am going to write a tutorial on compilling and installing the Grsecurity kernel. The Grsecurity kernel is a "Hardened kernel" that is designed to be "Even more hack resistant". It uses the PaX kernel patches, with memory security features and other security protection techniques. Now please be aware that this is for Experienced Kernel Users Only. Not only is this hard to get right on most systems, but I am using TESTING patches. So with the waring out of the way, lets get started. First off, you will need to make a directory to build in. For example:
With the src directory made, we need to download the files. As of this tutorial the kernel used is 3.8.11. The patches are from grsecurity.net (aria2c can be substituted with wget)
and now the patche:
With that done we can extract the kernel source, and patch it.
Now this is where it gets tricky, we need to setup the config file. If you have a 3.8 kernel on your system I would use the newest version of that and cp it to .config.
Now we have to menuconfig:
Now go to Security Options --> Grsecurity --> Configuration Method --> Now you have 2 options Automatic and Custom. I have been using Automatic and then double checking the options.
After selecting Automatic go through the rest of the options and configure to your tastes. DOUBLE CHECK THE MEMORY RELATED OPTIONS. I have to admit that I am recompiling the kernel because firefox and chromium won't start. My bad.
With the configuration done, you have two more options to choose from.
A.) make a .deb to install from
B.) normal make and make install.
For A.)
for B.)
After installing reboot. Hopefully you can get to your desktop. Then open the terminal again and install the grsecurity administration tools.
1.) gradm2: either
2.)paxctl: download from http://pax.grsecurity.net/
3.)pspax:
Once all is installed make sure to update the kernel modules with dkms, and to read the wiki http://en.wikibooks.org/wiki/Grsecurity
- Code: Select all
mkdir /build/PAX-kernel
With the src directory made, we need to download the files. As of this tutorial the kernel used is 3.8.11. The patches are from grsecurity.net (aria2c can be substituted with wget)
- Code: Select all
aria2c https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.8.11.tar.xz
and now the patche:
- Code: Select all
aria2c http://grsecurity.net/test/grsecurity-2.9.1-3.8.11-201305011917.patch
With that done we can extract the kernel source, and patch it.
- Code: Select all
tar xpvf linux-3.8.11.tar.xz && cd linux-3.8.11
- Code: Select all
patch -p1 < ../grsecurity-2.9.1-3.8.11-201305011917.patch
- Code: Select all
cd linux-3.8.11 && make mrproper
Now this is where it gets tricky, we need to setup the config file. If you have a 3.8 kernel on your system I would use the newest version of that and cp it to .config.
Now we have to menuconfig:
- Code: Select all
make menuconfig
Now go to Security Options --> Grsecurity --> Configuration Method --> Now you have 2 options Automatic and Custom. I have been using Automatic and then double checking the options.
After selecting Automatic go through the rest of the options and configure to your tastes. DOUBLE CHECK THE MEMORY RELATED OPTIONS. I have to admit that I am recompiling the kernel because firefox and chromium won't start. My bad.
With the configuration done, you have two more options to choose from.
A.) make a .deb to install from
B.) normal make and make install.
For A.)
- Code: Select all
fakeroot make deb-pkg
- Code: Select all
cd .. && sudo dpkg -i *.deb
for B.)
- Code: Select all
make -j3
- Code: Select all
sudo make modules_install install
After installing reboot. Hopefully you can get to your desktop. Then open the terminal again and install the grsecurity administration tools.
1.) gradm2: either
- Code: Select all
sudo apt-get install gradm2
2.)paxctl: download from http://pax.grsecurity.net/
3.)pspax:
- Code: Select all
sudo apt-get install pax-utils
Once all is installed make sure to update the kernel modules with dkms, and to read the wiki http://en.wikibooks.org/wiki/Grsecurity