grsecurity is a set of patches for the Linux kernel with an emphasis on enhancing security.

The official wiki of grsecurity: https://en.wikibooks.org/wiki/Grsecurity

Wikipedia: grsecurity

Using in Debian

grsecurity Packages

There are official Debian packages for the grsecurity kernel patches available: https://packages.debian.org/linux-patch-grsecurity2.

Note that these packages do not let you tune the trade-off between security, performance and overhead, as is usually done when manually building grsec/PaX support into the Linux kernel.

Not in official Debian

For the foreseeable future, the Debian Kernel team will not include a grsecurity kernel in official Debian. The reason is primarily the size of the patch.

However, easy-to-use alternatives exist.

You can use Mempo kernel

There is a Debian repository with ready-to-use grsecurity kernels, maintained by the Mempo project.

The work is in progress, but it is fully usable as of 2014.06; just follow the install instructions carefully.

This implements SameKernel (also a script created by Mempo): your kernel compiles to an identical .deb when you build from sources, so you can cross-verify with friends to confirm that no backdoor was added at compilation.
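
The cross-verification described above, as an added example (not Mempo's SameKernel script and not part of the original page): it compares the SHA-256 of a locally built .deb with the digests reported by peers. The peer-file format and the function names `deb_digest` and `crosscheck_deb` are assumptions made for this example.

```shell
#!/bin/sh
# Cross-check a locally built kernel .deb against digests reported by peers.
# Assumed peer-file format (hypothetical, for this example only):
#   <peer-name> <sha256-hex>     one report per line; '#' lines and blanks ignored

# Print the SHA-256 of a file as lowercase hex.
deb_digest() {
    sha256sum < "$1" | cut -d' ' -f1
}

# crosscheck_deb <deb> <peers-file> [min-matches]
# Returns 0 when at least min-matches peers report the local digest and
# nobody reports a different one, 1 on any mismatch, 2 when too few peers
# have confirmed, 3 when an input file cannot be read.
crosscheck_deb() {
    deb=$1 peers=$2 need=${3:-2}
    [ -r "$deb" ] && [ -r "$peers" ] || { echo "unreadable input" >&2; return 3; }
    local_sum=$(deb_digest "$deb")
    match=0 differ=0
    while read -r name sum _ || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        # Normalise case so an uppercase hex report still compares equal.
        sum=$(printf '%s' "$sum" | tr 'A-F' 'a-f')
        if [ "$sum" = "$local_sum" ]; then
            match=$((match + 1))
        else
            differ=$((differ + 1))
            echo "MISMATCH: $name reports $sum" >&2
        fi
    done < "$peers"
    echo "local=$local_sum match=$match differ=$differ"
    # A single differing build is treated as a failure: with deterministic
    # builds, any divergence needs an explanation before the kernel is trusted.
    [ "$differ" -eq 0 ] || return 1
    [ "$match" -ge "$need" ] || return 2
    return 0
}
```

The check is only as strong as the channel the peer digests arrive over, so collect them out of band or from signed messages.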

You can build kernel yourself

http://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s-kernel-org-package

You can use Corsac repository

Corsac, a security researcher working with Debian, provides grsecurity-patched kernels for Debian in a personal repository: http://molly.corsac.net/~corsac/debian/kernel-grsec/packages/

These patches seem to be superior in terms of being done the "right way", though this matters mostly for development of the patched kernel, not so much for the resulting kernel image used on a system.

They are also provided in the form of a correct Debian repository (as of 2014-03-26 Mempo is not, but it plans to provide this soon).

Compatibility

Grsecurity has many options

Depending on those settings you get varying speed and compatibility. See Mempo#variants for the options provided by Mempo in their kernel.

In general, the following things could be blocked:

Things that work:

Performance

Comparing performance

2014-03-03

Test on Wheezy, amd64, no RBAC, Mempo 0.1.28 (kernel 3.2.55) on good variant (high security - almost all grsecurity options).

In conclusion, in general usage expect 70-100% performance, while benefiting from the very high security of the kernel and protection for applications.

Performance old version (could be less correct)

Time of Nano compilation (CPU and disk usage). Debian with default kernel and kernel with Grsecurity (Mempo).

https://p.suchdig.com/p/cwm-Performance_compare_pdf-perf_comp.pdf

Conclusions: with the grsecurity-hardened kernel, on security setting -good, general tasks like compilation seem to be 30-40% slower, disk usage speed seems to be the same, and compilation time needs to be benchmarked more.

In the near future we plan to release other settings, allowing the user to choose a bit lower security while gaining performance, or an even higher one for the most paranoid setup.