Language Selection

English French German Italian Portuguese Spanish

HOWTO: Installing Grsecurity patched kernel in debian/ubuntu

Filed under
Howtos

Source: http://evolution-security.com

This is based on the same walkthrough I posted for grsecurity on red hat based kernels except this is for debian based kernels. The current stable debian kernel is vulnerable to about all of the new local exploits and if you are running the 2.4 kernel you are vulnerable to even more. Debian even had one of their servers hacked with the local root exploits, they only released a patched kernel for the testing branch to my knowledge.
The PDF version can be found HERE.
Ok so here goes.

If you have not done any compiling or built any kernels you must get the packages needed.

sudo apt-get install build-essential bin86 kernel-package

sudo apt-get install libqt3-headers libqt3-mt-dev (needed for make xconfig)

First get what is needed and patch the kernel.

cd /usr/src


wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.17.7.tar.bz2

wget http://grsecurity.org/grsecurity-2.1.9-2.6.17.7-200607261817.patch.gz

tar -xjvf linux-2.6.17.7.tar.bz2


gunzip < grsecurity-2.1.9-2.6.17.7-200607261817.patch.gz | patch -p0


mv linux-2.6.17.7 linux-2.6.17.7-grsec

ln -s linux-2.6.17.7-grsec linux

cd linux

copy your current config over

do uname -r to see what kernel your running and copy it, example:

cp /boot/config-2.6.15-26-686L .config

*Configure the kernel:

sudo make xconfig

if you are doing this on a server use makeconfig

make sure you select the basic stuff that is needed, iptables, your processor type, and then go in Security Options and to grsecurity, select which level of security you want and any other options you may want.

*In a terminal make sure you are in /usr/src/linux with full root access.

We will build a ".deb" file that can be installed in our Ubuntu system, using make-kpkg.

*In a terminal type:

make-kpkg clean

make-kpkg -initrd --revision=ck2 kernel_image

If there wasn't errors this will build the kernel and a ".deb" file will be created at /usr/src.
*To install it:

sudo dpkg -i kernel-image-2.6.17*.deb

Now reboot and if you did everything correctly it should boot back up and you will be using the new grsecurity kernel.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

hmm, sorry about the bbcode

hmm, sorry about the bbcode errors, you should still know what to copy

re: bbcode

I fixed it best I could using html.

----
You talk the talk, but do you waddle the waddle?

Note

for who ever does this walkthrough, I copied the deb package making off my ck tutorial and left that in one place
make-kpkg -initrd --revision=ck2 kernel_image

when you do that you can make it whatever you want, even that would work just remember that kernel is grsecurity.

Also on the installing on server, use make menuconfig to make your config

I was too worried about the bbcode and made a few typos, couldnt find a way to edit.

More in Tux Machines

Security Leftovers

  • Security updates for Friday
  • That Nasty Samba Vulnerability Is Now Patched in All Supported Ubuntu Releases
    You might have read the news this morning about a wormable code-execution bug discovered in the Samba free software re-implementation of the SMB/CIFS networking protocol, which existed in Samba for more than 7 years.
  • Why Is Linux More Secure Than Windows?
    When choosing an operating system, there are many different factors that are taken into consideration. However, security is becoming increasingly important. You only need to look at the news to see the increasing number of data breaches that are occurring around the world at present. Choosing an operating system with care is your first step when defending your personal data. With that in mind, read on to discover the reasons why Linux is more secure than Windows.
  • CloudLinux 7 Stable Kernel Security Update Patches Multiple Issues, Update Now
    CloudLinux's Mykola Naugolnyi has announced today the availability of a new stable kernel update for users of the CloudLinux 7 and CloudLinux 6 Hybrid operating systems, addressing multiple security issues and bugs. This new CloudLinux 7 stable kernel comes less than 24 hours after the release of the Beta kernel with the same version number, specifically 3.10.0-614.10.2.lve1.4.50, which replaces kernel-3.10.0-427.36.1.lve1.4.47 and is available for download as we speak from the production repository of CloudLinux 7 operating system series.
  • [Older] E-Health Cyber-DOOOOOOM.

    We know the Australian government has one of the worst record of data breaches in the world. So naturally, rather than addressing their incompetencies, the Australian government has decided to roll out an e-health record for every Australian citizen. And it's opt-out only.

  • Chipotle says 'most' of its restaurants were infected with credit card stealing malware

    We browsed through the tool and found that every state Chipotle operates in had restaurants that were breached, including most major cities. The restaurants were vulnerable in various time frames between March 24th and April 18th, 2017. Chipotle also operates another chain called Pizzeria Locale, which was affected by the hack as well.

  • 'Thousands' of known bugs found in pacemaker code

    The other study of the broader device market found only 17% of manufacturers had taken steps to secure gadgets.

  • Kaspersky says no idea why company targeted by US govt [iophk: "dared to show vista7 in an unfavorable light"]
  • Any website can crash your Windows 7 or 8 PC with these four characters

    Here's how the bug works. All a naughty website has to do is use the character string '$MFT' in the directory name where a website keeps its images. Windows expects to see the four characters $MFT only in a special metadate file on your PC. When it sees those characters as a directory name, however, it causes enough problems that an affected PC will begin to slow down and eventually hang. At that point your only recourse is to reboot the machine. In some cases, the problem may even trigger the dreaded blue screen of death (BSOD).

Android Leftovers

The Past Week in Techrights (Still on Holiday)

First LXQt-Based Lubuntu 17.10 Daily Builds Surface, Here's What It Looks Like

Lubuntu maintainer Simon Quigley was kind enough to inform us today about the availability of the first daily build ISO images of the upcoming Lubuntu 17.10 (Artful Aardvark) operating system, with the LXQt desktop environment. The development cycle of the Ubuntu 17.10 (Artful Aardvark) operating system started two months ago when Canonical's Adam Conrad gave the green light to all maintainers and developers involved in the project, and the first Alpha milestone is now approaching fast. Read more