Grsecurity on Debian Jessie (Linux 4.1.7)

The preferred version of Grsecurity for servers is the stable patch set, but you need a subscription to get it (for kernels 3.2.71 and 3.14.53). Here's the link to the announcement. For this documentation, I'm going to use the test version.

$ cat arch-grsec.txt
$ cat arch-grsec.txt | xargs wget
$ sudo apt-get install fakeroot kernel-package linux-source-2.6 build-essential
$ gpg --import spender-gpg-key.asc
$ gpg --verify grsecurity-3.1-4.1.7-201509201149.patch.sig
$ gpg --keyserver hkp:// --recv-keys 6092693E
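###the .tar.sign signature covers the uncompressed tarball, so decompress on the fly
$ xz -cd linux-4.1.tar.xz | gpg --verify linux-4.1.tar.sign -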
$ tar xvf linux-4.1.tar.xz
$ xz -d patch-4.1.7.xz
$ cd linux-4.1
$ patch -p1 < ../patch-4.1.7
$ patch -p1 < ../grsecurity-3.1-4.1.7-201509201149.patch
$ cp /boot/config-3.16.0-4-amd64 ./.config
$ make olddefconfig
$ make menuconfig
###Enable Grsecurity, either automatic or manual.
# fakeroot make -j3 deb-pkg
###My Mini-ITX board is dual-core (2+1)
###wait for compiling to finish
$ cd ..
# dpkg -i *.deb

###Done, now reboot.
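
The `gpg --verify` steps above accept a good signature from any key in the keyring, and a short ID such as 6092693E does not uniquely identify a key. As an added example (not part of the original post), this wrapper makes the check fail closed and pins it to a full fingerprint; `PIN`, `OTHER` and the sample status lines are constructed placeholders, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: fail-closed detached-signature check pinned to a full
# 40-hex-digit fingerprint rather than a short key ID.

# check_status EXPECTED_FPR
# Reads `gpg --status-fd` output on stdin. Succeeds only if a VALIDSIG line
# names EXPECTED_FPR (as signing key or as its primary key) and no line
# reports a bad, unverifiable, expired or revoked signature or key.
check_status() {
    local want
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$want" in *[!0-9A-F]*) return 2 ;; esac   # hex digits only
    [ "${#want}" -eq 40 ] || return 2                # full fingerprint only
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_pinned DATA SIG EXPECTED_FPR
# DATA may be "-" to take the signed data from stdin, for example:
#   xz -cd linux-4.1.tar.xz | verify_pinned - linux-4.1.tar.sign "$FPR"
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$3"
}

# Constructed sample status output. PIN and OTHER are placeholders, not the
# fingerprints of any real key; take real ones from a channel you trust.
PIN=0123456789ABCDEF0123456789ABCDEF01234567
OTHER=FEDCBA9876543210FEDCBA9876543210FEDCBA98
GOOD="[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer
[GNUPG:] VALIDSIG $PIN 2015-09-20 1442750000 0 4 0 1 8 00 $PIN"
EXPIRED="[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Constructed Signer
[GNUPG:] VALIDSIG $PIN 2015-09-20 1442750000 0 4 0 1 8 00 $PIN"

# verdict STATUS_TEXT FPR -> prints "accept" or "reject"
verdict() {
    if printf '%s\n' "$1" | check_status "$2"; then echo accept; else echo reject; fi
}

echo "pinned key:  $(verdict "$GOOD" "$PIN")"
echo "other key:   $(verdict "$GOOD" "$OTHER")"
echo "expired key: $(verdict "$EXPIRED" "$PIN")"
```

Run `verify_pinned` for both the kernel tarball and the grsecurity patch before any `patch -p1` step, and stop the build if either call returns non-zero.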

What I haven't tested:

  • gradm
  • paxctl
  • RBAC
  • sysctl settings
  • removing bloat (unneeded features, such as tomoyo, apparmor, selinux, etc)