HOWTO: Installing Grsecurity patched kernel in debian/ubuntu

This is based on the same walkthrough I posted for grsecurity on Red Hat based kernels, except this one is for Debian based kernels. The current stable Debian kernel is vulnerable to about all of the new local exploits, and if you are running the 2.4 kernel you are vulnerable to even more. Debian even had one of their servers hacked with the local root exploits; to my knowledge, they only released a patched kernel for the testing branch.
The PDF version can be found HERE.
Ok so here goes.

If you have not compiled software or built a kernel before, install the required packages first.

sudo apt-get install build-essential bin86 kernel-package

sudo apt-get install libqt3-headers libqt3-mt-dev   # needed for make xconfig

First get what is needed and patch the kernel.

cd /usr/src



tar -xjvf linux-

gunzip < grsecurity-2.1.9- | patch -p0

mv linux- linux-

ln -s linux- linux

cd linux

Copy your current config over.

Run uname -r to see which kernel you are running and copy its config, for example:

cp /boot/config-2.6.15-26-686L .config

*Configure the kernel:

sudo make xconfig

If you are doing this on a server, use make menuconfig instead.

Make sure you select the basics that are needed: iptables and your processor type. Then go into Security Options, then grsecurity, and select the level of security you want and any other options you may want.

*In a terminal make sure you are in /usr/src/linux with full root access.

We will build a ".deb" file that can be installed in our Ubuntu system, using make-kpkg.

*In a terminal type:

make-kpkg clean

make-kpkg --initrd --revision=ck2 kernel_image

If there were no errors, this builds the kernel and creates a ".deb" file in /usr/src.

*To install it:

sudo dpkg -i kernel-image-2.6.17*.deb

Now reboot. If you did everything correctly, the system should boot back up running the new grsecurity kernel.
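A pre-build check for the configuration step above, as an added example that is not part of the original walkthrough: it reads a kernel .config and confirms grsecurity and iptables are actually enabled before make-kpkg spends time building. The function names are hypothetical, and the CONFIG_GRKERNSEC_* level symbols are assumed from the grsecurity 2.1.x option names; the sample config is constructed.

```shell
#!/bin/sh
# Added example: sanity-check a kernel .config before running make-kpkg.
# Symbol names are assumptions (grsecurity 2.1.x era Kconfig); adjust as needed.

# Print the value of one CONFIG_ symbol, or "n" if it is unset or absent.
config_value() {   # $1 = config file, $2 = symbol without the CONFIG_ prefix
    val=$(sed -n "s/^CONFIG_$2=\(.*\)$/\1/p" "$1" | tail -n 1)
    echo "${val:-n}"
}

# Print the selected grsecurity level, or "none" if grsecurity is disabled.
grsec_level() {
    [ "$(config_value "$1" GRKERNSEC)" = "y" ] || { echo none; return 0; }
    for lvl in LOW MEDIUM HIGH CUSTOM; do
        if [ "$(config_value "$1" "GRKERNSEC_$lvl")" = "y" ]; then
            echo "$lvl" | tr 'A-Z' 'a-z'
            return 0
        fi
    done
    echo unknown
}

# Succeed only if grsecurity is enabled and iptables is built in or modular.
check_config() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    level=$(grsec_level "$1")
    ipt=$(config_value "$1" IP_NF_IPTABLES)
    echo "grsecurity level: $level, iptables: $ipt"
    [ "$level" != "none" ] && [ "$ipt" != "n" ]
}

# Constructed sample standing in for /usr/src/linux/.config
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_M686=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
CONFIG_GRKERNSEC_MEDIUM=y
EOF
check_config "$sample" || echo "fix the config before building" >&2
rm -f "$sample"
```

Against the real tree, call check_config /usr/src/linux/.config after saving the configuration and before make-kpkg.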


hmm, sorry about the bbcode

hmm, sorry about the bbcode errors, you should still know what to copy

re: bbcode

I fixed it best I could using html.

You talk the talk, but do you waddle the waddle?


For whoever does this walkthrough, I copied the deb package making off my ck tutorial and left that in one place
make-kpkg -initrd --revision=ck2 kernel_image

When you do that you can make it whatever you want; even that would work, just remember that the kernel is grsecurity.

Also, when installing on a server, use make menuconfig to make your config.

I was too worried about the bbcode and made a few typos, couldn't find a way to edit.
