Grsecurity hardened Ubuntu Linux

This is a quick post for Ubuntu users who want to get a grsecurity-hardened kernel up and running as soon as possible. To sum up what grsecurity (with PaX) is: it is a very large set of patches for the stock Linux kernel, written by some of the world's best security researchers, that focuses on kernel security. Together with PaX it provides role-based access control, address space layout randomisation (ASLR), non-executable stack protection, protection against privilege escalation vulnerabilities, system call and chroot hardening and a lot of other good stuff, *including* protection against zero-day vulnerabilities.
If you are serious about Linux kernel hardening and exploit mitigation, I recommend the grsecurity (and PaX) patches. The installation is pretty straightforward. I am writing this today to help new Ubuntu users who want to secure their system; the steps below should get you a fully functional hardened kernel up and running. Give yourself a couple of hours for the full procedure (this depends entirely on how many CPU cores you have :-). Without further ado, here are the notes I've settled on over the years (essentially by reading wiki pages, forums and manuals, and from discussions with the grsec devs):
 
1. Go to the grsecurity website http://grsecurity.net. Make sure that a grsecurity patch exists for the kernel release you intend to build, and take note of the Linux release the patch targets (it is part of the patch file name). Download that exact kernel from http://kernel.org and the corresponding grsecurity patch.
 
2. Extract the kernel:
$ tar xf linux-3.2.2.tar.bz2
 
3. Patch the kernel (I am using 3.2.2) with the corresponding grsec patch:
$ cd linux-3.2.2
$ patch -p1 < ../grsecurity-2.2.2-3.2.2-201201302345.patch
[.... a lot of patching ...]
 
4. Configure & customise your kernel. Pay special attention to the Grsecurity & PaX section. PaX provides your system with non-executable page protection and ASLR amongst other things. Essentially, it makes whole classes of buffer overflow exploits very hard to pull off: with PaX enabled, the kernel randomises memory addresses, so exploit code can't simply jump to an address known in advance and start executing whatever sits at that location. Ok, enough theory. Let's build our grsec hardened kernel!
$ make menuconfig
 
5. If you didn't get any errors in step 3, everything should be fine. If you did, check that the kernel release matches the grsec patch. They *should* match or else you'll have a hard time building the kernel.
It's time to build our Ubuntu kernel package, since we've already configured it in step 4.
$ cd linux-3.2.2
$ make-kpkg clean
$ sed -r -i -e 's/echo "\+"/#echo "\+"/' scripts/setlocalversion
$ rm localversion-grsec
$ fakeroot make-kpkg --initrd kernel_image kernel_headers
[.... make yourself a coffee ...]
 
6. Install the newly built kernel packages (make-kpkg writes them into the parent directory; there should be a -headers and an -image .deb):
$ cd ..
$ dpkg -i *.deb
 
7. Reboot into the newly installed hardened kernel. After booting into it, some existing applications may fail to execute. Do not panic: this is due to the PaX flags set on the binary. In this case, paxctl and a good search engine are your friends. paxctl is a tool that sets the PaX flags for a given executable, so the corresponding protections are enabled or disabled when it is loaded into memory. If a binary fails to execute, read the paxctl manual and search for the right PaX flags for that software; recommended keywords are "grsec <application>", "pax flags <application>" and so on. You can also ask specific questions in the #grsecurity IRC channel on irc.freenode.net.
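Steps 1 to 5 above hinge on two things that are easy to get wrong by hand: the kernel tarball and the grsecurity patch must target the same release, and the patch must apply cleanly before you touch anything else in the tree. The script below is an added example, not code from this post or from the grsecurity project. It pulls the kernel version out of both file names (following the naming used in the post, grsecurity-<grsec version>-<kernel version>-<timestamp>.patch), refuses to continue on a mismatch, applies the patch only after a successful dry run, and then does the two step-5 tweaks (commenting out the "+" local-version suffix and removing localversion-grsec). The script name grsec-prep.sh is a hypothetical; menuconfig and the make-kpkg build are left to you, exactly as in the post.

```shell
#!/bin/sh
# Added example (not from the original post or the grsecurity project):
# check that a kernel tarball and a grsecurity patch target the same
# release, apply the patch after a clean dry run, then prepare the tree
# for make-kpkg as in step 5. File names are assumptions taken from the
# post's examples; adjust them to the releases you downloaded.

# linux-3.2.2.tar.bz2 -> 3.2.2 (non-zero exit for names that are not a kernel tarball)
kernel_tarball_version() {
    name=${1##*/}
    case "$name" in
        linux-*.tar.*) v=${name#linux-}; printf '%s\n' "${v%.tar.*}" ;;
        *) return 1 ;;
    esac
}

# grsecurity-2.2.2-3.2.2-201201302345.patch -> 3.2.2
# Assumed layout: grsecurity-<grsec version>-<kernel version>-<timestamp>.patch
grsec_patch_kernel_version() {
    name=${1##*/}
    case "$name" in
        grsecurity-*-*-*.patch) ;;
        *) return 1 ;;
    esac
    rest=${name#grsecurity-}    # 2.2.2-3.2.2-201201302345.patch
    rest=${rest%.patch}         # 2.2.2-3.2.2-201201302345
    rest=${rest#*-}             # 3.2.2-201201302345 (grsec's own version dropped)
    printf '%s\n' "${rest%%-*}" # 3.2.2
}

# Succeeds only when both names parse and the kernel versions are identical.
versions_match() {
    kv=$(kernel_tarball_version "$1") || return 1
    pv=$(grsec_patch_kernel_version "$2") || return 1
    [ -n "$kv" ] && [ "$kv" = "$pv" ]
}

# Same edit as the post's sed on scripts/setlocalversion, written with an
# unambiguous regex ([+] rather than \+) and an explicit .bak backup file.
comment_out_plus_suffix() {
    sed -i.bak -e 's/echo "[+]"/#echo "+"/' "$1"
}

# $1: unpacked kernel source directory, $2: grsecurity patch file.
# The --dry-run means a patch that does not fit leaves the tree untouched
# instead of half-patched with .rej files to clean up.
apply_grsec_patch() {
    patchfile=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    if ! ( cd "$1" && patch -p1 -s --dry-run < "$patchfile" ); then
        echo "patch does not apply cleanly to $1, leaving the tree untouched" >&2
        return 1
    fi
    ( cd "$1" && patch -p1 < "$patchfile" )
}

# Usage: sh grsec-prep.sh linux-3.2.2.tar.bz2 grsecurity-2.2.2-3.2.2-201201302345.patch
if [ "$#" -eq 2 ]; then
    if ! versions_match "$1" "$2"; then
        echo "kernel '$1' and patch '$2' target different releases, refusing to continue" >&2
        exit 1
    fi
    tar xf "$1"
    srcdir=linux-$(kernel_tarball_version "$1")
    apply_grsec_patch "$srcdir" "$2" || exit 1
    comment_out_plus_suffix "$srcdir/scripts/setlocalversion"
    rm -f "$srcdir/localversion-grsec"
    echo "patched tree ready: cd $srcdir && make menuconfig"
fi
```

Run it from the directory holding the tarball and the patch; if it prints the final line, continue with make menuconfig and the make-kpkg commands from step 5. The version check is deliberately strict: a patch for 3.2.1 against a 3.2.2 tree is exactly the situation the post warns about in step 5, and it is far cheaper to catch from the file names than from a pile of rejected hunks.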
 
Congratulations! You have a hardened kernel up and running.


Jotted by ishwor Feb. 4, 2012

Comments

Ishwor on April 24, 2012 writes:

Hello, quick things to check: 1. Which Ubuntu release is this? 2. Which kernel and grsec patch did you apply? 3. What does your kernel report (do a ctrl+alt+F1, then login as root)?
Anon on April 24, 2012 writes:

Great tutorial! After I login from the gdm screen in Ubuntu, nothing loads up: Unity, the network-manager... I can't even get to a terminal to use paxctl. Please give me some advice here?
