The preferred version of Grsecurity for servers is the stable patch series, but you need a subscription to get those (at the time of writing they cover kernels 3.2.71 and 3.14.53). Here's the link to the announcement: https://grsecurity.net/announce.php
For this documentation, I'm going to use the test version.
$ cat arch-grsec.txt
https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.1.tar.xz
https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.1.tar.sign
https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.1.7.xz
https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.1.7.sign
https://grsecurity.net/test/grsecurity-3.1-4.1.7-201509201149.patch
https://grsecurity.net/test/grsecurity-3.1-4.1.7-201509201149.patch.sig
https://grsecurity.net/spender-gpg-key.asc
$ cat arch-grsec.txt | xargs wget
$ sudo apt-get install fakeroot kernel-package linux-source-2.6 build-essential
$ gpg --import spender-gpg-key.asc
$ gpg --verify grsecurity-3.1-4.1.7-201509201149.patch.sig
$ gpg --keyserver hkp://keys.gnupg.net --recv-keys 6092693E
### kernel.org signs the uncompressed tarball, not the .xz, so feed the decompressed stream to gpg
$ xz -cd linux-4.1.tar.xz | gpg --verify linux-4.1.tar.sign -
$ tar xvf linux-4.1.tar.xz
$ xz -d patch-4.1.7.xz
### same for the stable patch: the .sign covers the decompressed patch-4.1.7
$ gpg --verify patch-4.1.7.sign
$ cd linux-4.1
$ patch -p1 < ../patch-4.1.7
$ patch -p1 < ../grsecurity-3.1-4.1.7-201509201149.patch
$ cp /boot/config-3.16.0-4-amd64 ./.config
$ make olddefconfig
$ make menuconfig
### enable Grsecurity (Security options -> Grsecurity), either the automatic or the manual configuration method
### fakeroot lets the packaging step run as a normal user
$ fakeroot make -j3 deb-pkg
### -j3 because my Mini-ITX board is dual-core (2 cores + 1)
### wait for compiling to finish
$ cd ..
# dpkg -i *.deb
### Done, now reboot.
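As an added example (not code from the post), here is a small Python helper that pairs each entry of arch-grsec.txt with its detached signature and prints the gpg command that checks it. It encodes the one gotcha in the session above: kernel.org signs the uncompressed tarball and patch, so the .xz downloads have to be piped through xz -cd before gpg sees them, while the grsecurity .sig covers the .patch as downloaded. The key ids are the ones used above; the example.invalid host and the SIGNER table are my own constructions.

```python
# Added example (not from the post): pair each download in arch-grsec.txt with
# its detached signature and build the gpg command that checks it. kernel.org
# signs the *uncompressed* tarball/patch, so .xz files are piped through xz -cd;
# grsecurity signs the .patch exactly as downloaded.
import posixpath
from urllib.parse import urlparse

# Constructed copy of the URL list from the post; the .asc is a key, not an artifact.
ARCH_GRSEC = """\
https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.1.tar.xz
https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.1.tar.sign
https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.1.7.xz
https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.1.7.sign
https://grsecurity.net/test/grsecurity-3.1-4.1.7-201509201149.patch
https://grsecurity.net/test/grsecurity-3.1-4.1.7-201509201149.patch.sig
https://grsecurity.net/spender-gpg-key.asc
"""

SIG_EXTS = (".sign", ".sig")
SIGNER = {"www.kernel.org": "6092693E", "grsecurity.net": "spender-gpg-key.asc"}  # key per publisher, ids as used in the post


def plan_verification(url_list):
    """Return [(artifact, signature, gpg_command, signer)] per artifact.
    A missing signature yields command None: refuse the file, don't skip the check."""
    names = {}  # basename -> host, in download order
    for line in url_list.splitlines():
        if line.strip():
            u = urlparse(line.strip())
            names[posixpath.basename(u.path)] = u.hostname
    sigs = {n for n in names if n.endswith(SIG_EXTS)}
    plan = []
    for name, host in names.items():
        if name in sigs or name.endswith(".asc"):
            continue
        stem = name[:-3] if name.endswith(".xz") else name
        cands = [stem + e for e in SIG_EXTS] + [name + e for e in SIG_EXTS]
        sig = next((c for c in cands if c in sigs), None)
        if sig is None:
            cmd = None
        elif name.endswith(".xz"):  # signature covers the decompressed bytes
            cmd = f"xz -cd {name} | gpg --verify {sig} -"
        else:
            cmd = f"gpg --verify {sig} {name}"
        plan.append((name, sig, cmd, SIGNER.get(host, "UNKNOWN")))
    return plan


if __name__ == "__main__":
    for name, sig, cmd, signer in plan_verification(ARCH_GRSEC):
        print(f"{name}: {cmd or 'NO SIGNATURE, refuse to use'}  [{signer}]")
```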
What I haven't tested:
- gradm
- paxctl
- RBAC
- sysctl settings
- removing bloat (unneeded features such as tomoyo, apparmor, selinux, etc.)