grsecurity is a set of patches for the Linux kernel with an emphasis on enhancing security.

Since 2017-05, new versions of grsecurity have not been publicly available, and so it is no longer found in Debian.

See also:

(Historical) Usage in Debian

grsecurity Packages

There were official Debian packages for grsecurity available:

Note that these packages are not configurable in terms of the security/performance trade-off and overhead, as is usually done when manually building grsec/PaX support into the Linux kernel.

Maintaining PaX flags

Subgraph wrote a nice toolset called paxrat to maintain and retain PaX flags for binaries. It supports some use cases that paxctld doesn't, e.g. live systems (SquashFS).

However, paxctld seems to do the job, and is an official tool.


See Building a custom kernel from the "pristine" kernel source

Corsac repository

Corsac, a security researcher working with Debian, provided grsecurity patched kernels for Debian in a repository.

These patches seem to be superior in terms of being done the "right way", though this matters mostly for development of the patched kernel, not so much for the resulting kernel image used on a system.

Mempo repository

See Mempo


Grsecurity has many options:

Depending on those settings, you get various levels of speed and compatibility. See Mempo#variants for the options provided by Mempo in their kernel.

In general, the following things could be blocked:

Things that work:


Comparing performance


Test on Wheezy, amd64, no RBAC, Mempo 0.1.28 (kernel 3.2.55) on the "good" variant (high security, almost all grsecurity options).

In conclusion, in general usage expect 70-100% performance, while benefiting from the very high security of the kernel and protection for applications.

Older version

Time of Nano compilation (CPU and disk usage). Debian with default kernel and kernel with Grsecurity (Mempo).

cwm-Performance_compare_pdf-perf_comp.pdf (offline)

Conclusions: with a Grsecurity hardened kernel on the security setting -good, general tasks like compilation seem to be 30-40% slower, disk usage speed seems to be the same, and compilation time needs to be benchmarked more.

In the near future we plan to release other settings, allowing the user to choose a bit lower security while gaining performance, or even higher security for the most paranoid setup.