The Debian and Ubuntu kernel security packages repository

What is it?

I found myself administering dozens of machines and in the need for a very generic grsecurity kernel package that would work on every IA32 machine out of the box.

Therefore, I have built a grsecurity-enabled kernel package with some security options disabled (such as UDEREF or MPROTECT restrictions) to avoid problems with virtualization or PT_GNU_STACK.

-- Julien TINNES (The 'contact' link on the left is the preferred way to contact me about this repository).

Changelog

2008-07-09: updated to kernel 2.6.25.10 (2.6.25.10-1-grsec), grsecurity 2.1.12 and loop-AES 3.2c. This fixes several exploitable vulnerabilities in the Linux kernel, including the SCTP vulnerability fixed in 2.6.25.9 for which we have a working exploit.

2008-07-09: packaged paxctl 0.5 because Debian/Ubuntu were stuck with 0.3

2008-02-11: fixed missing checks in splice() (2.6.21.5-2-grsec) - (CVE-2008-0009, CVE-2008-0010, CVE-2008-0600).

2008-02: creation of this Changelog

2007-06: first version of kernelsec

Documentation

This package is supported on Ubuntu 6.06 LTS and 8.04 LTS and Debian stable. However, it is known to work on other Ubuntu versions and Debian unstable.

GID 112 is the special group with /proc access. If you're an admin you may want to put yourself in this group; at the very least, check that you don't already have a non-admin group with this GID.

This package enables grsecurity's sysctl feature. You can change options under /proc/sys/kernel/grsecurity.
Don't forget to echo 1 > /proc/sys/kernel/grsecurity/grsec_lock after booting.

You may also want to disable module loading to protect against kernel rootkit installation (other protections such as /dev/[k]mem restrictions are enabled by default): echo 1 > /proc/sys/kernel/grsecurity/disable_modules.

You can enable PaX soft mode by using pax_softmode=1 as a kernel parameter. Then, use /proc/sys/kernel/pax to tweak your kernel.

Virtualisers such as VMware or VirtualBox should work out of the box (but you might want to run paxctl -m on them in case I decide to enable MPROTECT restrictions one day).
Wine, Cedega and CrossOver Office will work, but you need to disable SEGMEXEC/PAGEEXEC with paxctl -smp <wine-preloader> <wineloader>.

I have also included loop-AES in this kernel.
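The documentation above leaves three things for the administrator to check after every boot: who owns the /proc-access GID, whether grsec_lock has been set, and whether module loading has been disabled. The following script is an added example, not part of the kernelsec package or this page; it audits those three settings. The group file and the grsecurity sysctl directory are parameters (defaulting to /etc/group and /proc/sys/kernel/grsecurity) so the functions can also be exercised against constructed sample files, and the --live flag is this example's own convention.

```shell
#!/bin/sh
# Added example, not part of the kernelsec package or its page: a small
# post-boot audit of the settings the documentation asks you to set by
# hand (the /proc-access GID, grsec_lock, disable_modules). The group
# file and the grsecurity sysctl directory are parameters so the checks
# can be run against constructed sample files; defaults are the real paths.

# Print the name of the group owning GID $2 in the group(5) file $1,
# or nothing when the GID is unused.
group_for_gid() {
    awk -F: -v gid="$2" '$3 == gid { print $1; exit }' "$1"
}

# Check who holds the /proc-access GID (112 on this package).
# $1 = group file, $2 = gid, $3 = name of the admin group you intend to
# own it (optional). Returns 0 when the GID is unused or owned by that
# group, 1 when some other group has it.
proc_gid_check() {
    file=${1:-/etc/group}
    gid=${2:-112}
    want=${3:-}
    owner=$(group_for_gid "$file" "$gid")
    if [ -z "$owner" ]; then
        echo "ok:      gid $gid is not assigned to any group"
        return 0
    fi
    if [ -n "$want" ] && [ "$owner" = "$want" ]; then
        echo "ok:      gid $gid is owned by $owner"
        return 0
    fi
    echo "warning: gid $gid (grsecurity /proc access) is owned by group '$owner'"
    return 1
}

# True when the sysctl file $1 is readable and holds "1".
sysctl_is_on() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# Audit the grsecurity sysctl directory $1. Returns 2 if the interface is
# absent (not a grsecurity kernel, or the sysctl option is off), otherwise
# the number of knobs still at 0: 0 means disable_modules and grsec_lock
# are both set, as the page recommends.
grsec_audit() {
    dir=${1:-/proc/sys/kernel/grsecurity}
    problems=0
    if [ ! -d "$dir" ]; then
        echo "grsecurity sysctl interface not found at $dir"
        return 2
    fi
    for knob in disable_modules grsec_lock; do
        if sysctl_is_on "$dir/$knob"; then
            echo "ok:      $knob=1"
        else
            echo "missing: $knob is not 1 (fix: echo 1 > $dir/$knob)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Stand-alone use on a live system: sh audit.sh --live [admin-group]
if [ "${1:-}" = "--live" ]; then
    proc_gid_check /etc/group 112 "${2:-}"
    grsec_audit /proc/sys/kernel/grsecurity
fi
```

When acting on a "missing" finding, set disable_modules before grsec_lock: once grsec_lock is 1 the grsecurity sysctls can no longer be changed until the next boot, so locking first leaves module loading enabled.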

TBA

Use it

You need to add this repository to your /etc/apt/sources.list:

deb http://ubuntu.cr0.org/repo/ kernel-security/
or
deb http://debian.cr0.org/repo/ kernel-security/

Download the repository's GPG key, check it (it has been signed with my own GPG key), and import it with: apt-key add kernel-security.asc

Afterwards, run apt-get update and install the package with apt-get install linux-image-grsec.