I found myself administering dozens of machines and in the need for a very generic grsecurity kernel package that would work on every IA32 machine out of the box.
Therefore, I have built a grsecurity-enabled kernel package with some security options disabled (such as MPROTECT restrictions to avoid problems with PT_GNU_STACK).
-- Julien TINNES (The 'contact' link on the left is the prefered way to contact me about this repository).
2010-06-28: Another big update. Updated to kernel 184.108.40.206 (220.127.116.11-1-grsec), grsecurity 2.2.0 and loop-AES 3.4a. Many of you will be pleased to know that I've finally added support for AMD64 architecture!. Note: I didn't update the linux-grsec-image package yet, waiting for more feedback. Install manually with "apt-get install linux-image-18.104.22.168-1-grsec"
2009-08-16: Big update. Updated to kernel 22.214.171.124 (126.96.36.199-4-grsec), grsecurity 2.1.12 final and loop-AES 3.2.g. This notably fixes CVE-2009-2692 and CVE-2009-1895 among others. It's also the first version which enables PaX' UDEREF (use kernel boot option pax_nouderef=1 to disable it). It also gives vm.mmap_min_addr a default value of 32768 to protect those of you without a correct default value in /etc/sysctl.conf (you may want to check you don't override this to zero though). Important: the unrestricted /proc group was moved from gid 112 to gid 504.
2008-07-09: updated to kernel 188.8.131.52 (184.108.40.206-1-grsec), grsecurity 2.1.12 (beta) and loop-AES 3.2c. This fixes several exploitable vulnerabilities in the Linux kernel, including the SCTP vulnerability fixed in 220.127.116.11 for which we have a working exploit.
2008-07-09: packaged paxctl 0.5 because debian/ubuntu were stuck with 0.3
2008-02-11: fixed missing checks in splice() (18.104.22.168-2-grsec) - (CVE-2008-0009, CVE-2008-0010, CVE-2008-0600).
2008-02: creation of this Changelog
2007-06: first version of kernelsec
This package is supported on Ubuntu 8.04 LTS and Debian stable. However it is known to work on other Ubuntu versions and Debian unstable.
Gid 504 is the special group with /proc access, you may want to put yourself in this group if you're an admin or at least check that you don't have a non-admin group with this gid.
Groups 500, 501, 502 and 503 are respectively: TPE restricted users, deny all socket groups, deny client socket group and deny server socket group.
This package enables grsecurity's sysctl feature. Your can change options by using /proc/sys/kernel/grsecurity.
Don't forget to echo 1 > /proc/sys/kernel/grsecurity/grsec_lock after booting (add kernel.grsecurity.grsec_lock=1 at the end of /etc/sysctl.conf)
All the special gids are configurable through /proc/sys/kernel/grsecurity
You may also want to disable module loading to protect against kernel rootkit installation (other protections such as /dev/[k]mem restrictions are enabled by default): echo 1 > /proc/sys/kernel/grsecurity/disable_modules.
You can enable PaX soft mode by using pax_softmode=1 as a kernel parameter. Then, use /proc/sys/kernel/pax to tweak your kernel.
If you run this kernel in a VMWare guest, PaX' UDEREF will be automatically disabled. If you use another virtualization software, you may want to disable it manually for performance or compatibility reasons (pax_nouderef=1 as a kernel parameter).
Virtualisers such as VmWare or Virtualbox should work out of the box (but you might want to paxctl -m in case I decide to enable mprotect restrictions one day).
Wine, Cedega and Crossover Office will work, but you need to disable SEGMEXEC/PAGEXEC with paxctl -smp <wine-preloader> <wineloader>.
I have also included loop-AES in this kernel.
You need to add this repository to your /etc/apt/sources.list:
deb http://ubuntu.cr0.org/repo/ kernel-security/ or deb http://debian.cr0.org/repo/ kernel-security/ (don't forget the trailing /)
Afterwards you can use apt-get update and install the package by using apt-get install linux-image-grsec