The Debian and Ubuntu kernel security packages repository

What is it?

I found myself administering dozens of machines and in need of a very generic grsecurity kernel package that would work on every IA32 machine out of the box.

Therefore, I have built a grsecurity-enabled kernel package with some security options disabled (such as UDEREF or MPROTECT restrictions) to avoid problems with virtualization or PT_GNU_STACK.

-- Julien TINNES (The 'contact' link on the left is the preferred way to contact me about this repository).

Changelog

2008-02-11: fixed missing checks in splice() (2.6.21.5-2-grsec) - (CVE-2008-0009, CVE-2008-0010, CVE-2008-0600).

Documentation

This package has been tested on Ubuntu Feisty, Ubuntu Dapper and Debian unstable.

Gid 112 is the special group with /proc access; you may want to add yourself to this group if you are an admin, or at least check that no existing non-admin group already has this gid.

This package enables grsecurity's sysctl feature. You can change options through /proc/sys/kernel/grsecurity.
Don't forget to echo 1 > /proc/sys/kernel/grsecurity/grsec_lock after booting: once grsec_lock is set, the grsecurity sysctls can no longer be changed until the next reboot, so apply any other settings before locking.

You may also want to disable module loading to protect against kernel rootkit installation (other protections such as /dev/[k]mem restrictions are enabled by default): echo 1 > /proc/sys/kernel/grsecurity/disable_modules. Do this before setting grsec_lock.
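The post-boot hardening and the gid check above, as an added example script that is not part of the cr0.org repository. It reads the knob directory from GRSEC_DIR and the group database from GROUP_FILE (both assumptions, so the functions can be exercised against a constructed copy of the tree); on a real grsecurity host leave them at their defaults.

```sh
#!/bin/sh
# Added example, not from the kernel-security repository.
# GRSEC_DIR and GROUP_FILE are parameterised only so the functions can be
# tested against a constructed directory; defaults match the page.
GRSEC_DIR="${GRSEC_DIR:-/proc/sys/kernel/grsecurity}"
GROUP_FILE="${GROUP_FILE:-/etc/group}"
PROC_GID=112   # the /proc-access group mentioned in the docs

# Print the value of a grsecurity sysctl, or "missing" if the kernel
# does not expose it.
grsec_get() {
    if [ -r "$GRSEC_DIR/$1" ]; then
        cat "$GRSEC_DIR/$1"
    else
        echo missing
    fi
}

# Apply the post-boot hardening from the docs in the only order that works:
# disable module loading first, then lock the tree. Once grsec_lock is 1 the
# kernel rejects further writes until reboot, so refuse to run twice rather
# than leave a half-applied state.
grsec_harden() {
    if [ "$(grsec_get grsec_lock)" = "1" ]; then
        echo "grsecurity sysctls already locked; reboot to change them" >&2
        return 1
    fi
    echo 1 > "$GRSEC_DIR/disable_modules"
    echo 1 > "$GRSEC_DIR/grsec_lock"
}

# Report whether both knobs are in the expected state. Returns 0 when
# disable_modules and grsec_lock are both 1; otherwise prints each knob
# that is off and returns 1.
grsec_audit() {
    rc=0
    for knob in disable_modules grsec_lock; do
        v=$(grsec_get "$knob")
        if [ "$v" != "1" ]; then
            echo "$knob=$v (expected 1)"
            rc=1
        fi
    done
    return $rc
}

# Print "name:members" of the group owning a gid, so an admin can confirm
# that gid 112 is the intended /proc-access group and not an unrelated one.
group_for_gid() {
    awk -F: -v gid="$1" '$3 == gid { print $1 ":" $4 }' "$GROUP_FILE"
}

# Stand-alone use: ./grsec-check.sh audit | harden | gid
case "${1:-}" in
    audit)  grsec_audit ;;
    harden) grsec_harden ;;
    gid)    group_for_gid "$PROC_GID" ;;
esac
```

Run the audit from cron or a configuration-management check so a box that was rebooted without re-locking shows up; `harden` is meant for a boot-time script, since the lock does not survive a reboot.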

You can enable PaX soft mode by passing pax_softmode=1 as a kernel parameter; in soft mode PaX protections are off by default and apply only to binaries whose PaX flags enable them. Then use /proc/sys/kernel/pax to tweak your kernel.

Virtualisers such as VMware or VirtualBox should work out of the box (but you might want to paxctl -m their binaries in case I decide to enable mprotect restrictions one day).
Wine, Cedega and CrossOver Office will work, but you need to disable SEGMEXEC/PAGEEXEC with paxctl -smp <wine-preloader> <wineloader> (the -m also lifts MPROTECT on those binaries).

I have also included loop-AES in this kernel.

TBA

Use it

You need to add this repository to your /etc/apt/sources.list:

For Ubuntu: deb http://ubuntu.cr0.org/repo/ kernel-security/
For Debian: deb http://debian.cr0.org/repo/ kernel-security/

Download the repository's GPG key, verify it (it has been signed with my own GPG key) and then import it with: apt-key add kernel-security.asc

Afterwards, run apt-get update and install the package with apt-get install linux-image-grsec.