Grsecurity on Debian Jessie (Linux 4.1.7)

The preferred version of Grsecurity for servers is the stable patch series, but you need a subscription to get those (for kernels 3.2.71 and 3.14.53). Here's the link to the announcement: https://grsecurity.net/announce.php
For this documentation, I'm going to use the test version.


$ cat arch-grsec.txt
https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.1.tar.xz
https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.1.tar.sign
https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.1.7.xz
https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.1.7.sign
https://grsecurity.net/test/grsecurity-3.1-4.1.7-201509201149.patch
https://grsecurity.net/test/grsecurity-3.1-4.1.7-201509201149.patch.sig
https://grsecurity.net/spender-gpg-key.asc
$ cat arch-grsec.txt | xargs wget
$ sudo apt-get install fakeroot kernel-package linux-source-2.6 build-essential
$ gpg --import spender-gpg-key.asc
$ gpg --verify grsecurity-3.1-4.1.7-201509201149.patch.sig
$ gpg --keyserver hkp://keys.gnupg.net --recv-keys 6092693E
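###kernel.org signs the uncompressed files, so verify after decompressing
$ xz -cd linux-4.1.tar.xz | gpg --verify linux-4.1.tar.sign -
###if gpg reports a missing public key, fetch the key ID it prints, then verify again
$ tar xvf linux-4.1.tar.xz
$ xz -d patch-4.1.7.xz
$ gpg --verify patch-4.1.7.sign patch-4.1.7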
$ cd linux-4.1
$ patch -p1 < ../patch-4.1.7
$ patch -p1 < ../grsecurity-3.1-4.1.7-201509201149.patch
$ cp /boot/config-3.16.0-4-amd64 ./.config
$ make olddefconfig
$ make menuconfig
###Enable Grsecurity, either automatic or manual.
$ fakeroot make -j3 deb-pkg
###-j3 because my Mini-ITX board is dual-core (2+1)
###Wait for compiling to finish
$ cd ..
$ sudo dpkg -i *.deb

###Done, now reboot.
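
An added example, not part of the original write-up: the gpg --verify steps above succeed for a signature from any key in the keyring, so this script pins the signer's full 40-hex-digit fingerprint using gpg's --status-fd output. The function names and the sample fingerprint are constructed for illustration; take the real fingerprints from a source you trust.

```shell
#!/bin/sh
# Pin the signer instead of trusting "Good signature": gpg --verify accepts a
# signature from ANY key in the keyring, and an 8-hex-digit ID such as the one
# given to --recv-keys above is not unique to one key.

# check_status EXPECTED_FPR  (reads `gpg --status-fd 1` output on stdin)
# Succeeds only if every VALIDSIG line names EXPECTED_FPR as the signing key
# or its primary key, and no bad/expired/revoked status was reported.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#want}" -eq 40 ] || return 2    # refuse short key IDs
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            seen = 1
            # $3 = signing (sub)key fingerprint, $12 = primary key fingerprint
            if ($3 != want && $12 != want) bad = 1
        }
        END { exit !(seen && !bad) }'
}

# verify_pinned EXPECTED_FPR SIGFILE DATAFILE
# DATAFILE may be "-" to read the signed data from stdin, e.g.
#   xz -cd linux-4.1.tar.xz | verify_pinned "$FPR" linux-4.1.tar.sign -
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | check_status "$1"
}

# Constructed sample of gpg status output (fingerprint and dates are made up).
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
sample_status() {
    printf '%s\n' \
        "[GNUPG:] SIG_ID constructedSigId 2015-09-20 1442750000" \
        "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>" \
        "[GNUPG:] VALIDSIG $SAMPLE_FPR 2015-09-20 1442750000 0 4 0 1 8 00 $SAMPLE_FPR"
}
```

Run verify_pinned for each downloaded signature before any patch -p1 step and stop if it returns non-zero.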

What I haven't tested:

  • gradm
  • paxctl
  • RBAC
  • sysctl settings
  • removing bloat (unneeded features, such as TOMOYO, AppArmor, SELinux, etc.)