

grsecurity is a set of patches for the Linux kernel with an emphasis on enhancing security.

The official wiki of grsecurity: https://en.wikibooks.org/wiki/Grsecurity

Wikipedia: grsecurity

Using in Debian

Not in official Debian

Sadly, it seems the Debian Kernel team will not include a grsecurity kernel in official Debian, because of the amount of work that comes from grsecurity not being part of upstream Linux.

You can build the kernel yourself

http://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s-kernel-org-package

You can use Corsac's repository

Corsac, the security researcher working with Debian, provides grsecurity-patched kernels for Debian in his own repository: http://molly.corsac.net/~corsac/debian/kernel-grsec/packages/

You can use Mempo's work

This work is in beta testing, but is usable right now :) The Mempo project brings a grsecurity-enhanced, reproducible kernel to Debian and works on an entire hardened Debian system.

Installation: follow these instructions: Mempo#install for the entire Mempo, or SameKernel#grsecurity for just the grsecurity kernel.

Compatibility

Grsecurity has many options

Depending on those settings you get varying speed and compatibility. See Mempo#variants for the options provided by Mempo in their kernel.

In general, the following things could be blocked:

Things that work:

Performance

Comparing performance

2014-03-03

Test on Wheezy, amd64, no RBAC, Mempo 0.1.28 (kernel 3.2.55) on the good variant (high security - almost all grsecurity options).

In conclusion, in general usage expect 70-100% performance, while benefiting from the very high security of the kernel and protection for applications.

Performance old version (could be less correct)

Time of Nano compilation (CPU and disk usage). Debian with default kernel and kernel with Grsecurity (Mempo).

https://p.suchdig.com/p/cwm-Performance_compare_pdf-perf_comp.pdf

Conclusions: with a Grsecurity-hardened kernel, on security setting -good, general tasks like compilation seem to be 30-40% slower, disk usage speed seems to be the same, and compilation time needs to be benchmarked more.

In the near future we plan to release other settings, allowing the user to choose slightly lower security while gaining performance, or even higher security for the most paranoid setup.