Language Selection

English French German Italian Portuguese Spanish

HOWTO: Installing Grsecurity patched kernel in debian/ubuntu

Filed under
Howtos

Source: http://evolution-security.com

This is based on the same walkthrough I posted for grsecurity on red hat based kernels except this is for debian based kernels. The current stable debian kernel is vulnerable to about all of the new local exploits and if you are running the 2.4 kernel you are vulnerable to even more. Debian even had one of their servers hacked with the local root exploits, they only released a patched kernel for the testing branch to my knowledge.
The PDF version can be found HERE.
Ok so here goes.

If you have not done any compiling or built any kernels you must get the packages needed.

sudo apt-get install build-essential bin86 kernel-package

sudo apt-get install libqt3-headers libqt3-mt-dev (needed for make xconfig)

First get what is needed and patch the kernel.

cd /usr/src


wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.17.7.tar.bz2

wget http://grsecurity.org/grsecurity-2.1.9-2.6.17.7-200607261817.patch.gz

tar -xjvf linux-2.6.17.7.tar.bz2


gunzip < grsecurity-2.1.9-2.6.17.7-200607261817.patch.gz | patch -p0


mv linux-2.6.17.7 linux-2.6.17.7-grsec

ln -s linux-2.6.17.7-grsec linux

cd linux

copy your current config over

do uname -r to see what kernel your running and copy it, example:

cp /boot/config-2.6.15-26-686L .config

*Configure the kernel:

sudo make xconfig

if you are doing this on a server use makeconfig

make sure you select the basic stuff that is needed, iptables, your processor type, and then go in Security Options and to grsecurity, select which level of security you want and any other options you may want.

*In a terminal make sure you are in /usr/src/linux with full root access.

We will build a ".deb" file that can be installed in our Ubuntu system, using make-kpkg.

*In a terminal type:

make-kpkg clean

make-kpkg -initrd --revision=ck2 kernel_image

If there wasn't errors this will build the kernel and a ".deb" file will be created at /usr/src.
*To install it:

sudo dpkg -i kernel-image-2.6.17*.deb

Now reboot and if you did everything correctly it should boot back up and you will be using the new grsecurity kernel.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

hmm, sorry about the bbcode

hmm, sorry about the bbcode errors, you should still know what to copy

re: bbcode

I fixed it best I could using html.

----
You talk the talk, but do you waddle the waddle?

Note

for who ever does this walkthrough, I copied the deb package making off my ck tutorial and left that in one place
make-kpkg -initrd --revision=ck2 kernel_image

when you do that you can make it whatever you want, even that would work just remember that kernel is grsecurity.

Also on the installing on server, use make menuconfig to make your config

I was too worried about the bbcode and made a few typos, couldnt find a way to edit.

More in Tux Machines

Shows and Screencasts: Linux Action News, Open Source Security Podcast, GNU World Order and More

  • Linux Action News 142

    The real reason Rocket League is dropping support for Linux, Wine has a massive release, and the potential for Canonical's new Android in the cloud service. Plus, our take on the FSF's Upcycle Windows 7 campaign, and the clever Chrome OS strategy upgrade for education in 2020.

  • Open Source Security Podcast: Episode 180 - A Tale of Two Vulnerabilities

    Josh and Kurt talk about two recent vulnerabilities that have had very different outcomes. One was the Citrix remote code execution flaw. While the flaw is bad, the handling of the flaw was possibly worse than the flaw itself. The other was the Microsoft ECC encryption flaw. It was well handled even though it was hard to understand and it is a pretty big deal. As all these things go, fixing and disclosing vulnerabilities is hard.

  • GNU World Order 337

    The **acct** command from the Slackware **ap** software series.

  • Podcast.__init__: Simplifying Social Login For Your Web Applications

    A standard feature in most modern web applications is the ability to log in or register using accounts that you already own on other sites such as Google, Facebook, or Twitter. Building your own integrations for each service can be complex and time consuming, distracting you from the features that you and your users actually care about. Fortunately the Python social auth library makes it easy to support third party authentication with a large and growing number of services with minimal effort. In this episode Matías Aguirre discusses his motivation for creating the library, how he has designed it to allow for flexibility and ease of use, and the benefits of delegating identity and authentication to third parties rather than managing passwords yourself.

  • Solus 4.1 Budgie Run Through

    In this video, we are looking at Solus 4.1 Budgie.

today's howtos

Linux 5.5

So this last week was pretty quiet, and while we had a late network
update with some (mainly iwl wireless) network driver and netfilter
module loading fixes, David didn't think that warranted another -rc.
And outside of that, it's really been very quiet indeed - there's a
panfrost driver update too, but again it didn't really seem to make
sense to delay the final release by another week.

Outside of those, it's all really tiny, even if some of those tiny
changes touched some core files.

So despite the slight worry that the holidays might have affected the
schedule, 5.5 ended up with the regular rc cadence and is out now.

That means that the merge window for 5.6 will open tomorrow, and I
already have a couple of pull requests pending. The timing for this
next merge window isn't optimal for me - I have some travel and other
things going on during the same two weeks, but hopefully it won't be
all that noticeable.  But there might be random timezones, odd hours,
and random delays because of that. I try to avoid scheduling things
during the merge window, but hey, it doesn't always work out, and I'd
have to delay things by two weeks to avoid the conflicts, which just
doesn't seem worth it.

Particularly since it's not necessarily going to be a problem to begin
with. We'll see.

Anyway. Go out and test 5.5, and start sending me those pull requests
for all the new development that is ready,

                    Linus
Read more Also: Linux 5.5 Released With Many Hardware Support Improvements

Android Leftovers