Grsecurity + Pax
Grsecurity is a GPL licensed, extensive security enhancement to the Linux kernel that defends against a wide range of security threats through intelligent access control, memory corruption-based exploit prevention, and a host of other system hardening that generally require no configuration. It has been actively developed and maintained for the past 14 years. Commercial support for Grsecurity is available through Open Source Security, Inc.
Instead of chasing and fixing individual bugs, Grsecurity and PaX end exploitation of entire bug classes and provide kernel self-protection against zero-days.
Grsecurity Kernel Setup
This guide is to get you up and running with the latest Grsecurity kernel inside a KVM Whonix guest or Host. The instructions here are inspired by the official Grsecurity guide but adapted for the command line and includes helpful information not mentioned in the original. It will cover downloading, verifying, configuring, compiling and installing the hardened kernel and how to install and use its admin tools. With minimal changes you can compile another architecture. There are many attempts to automate this and get them in upstream Debian but a solution is yet to exist.
The kernel should be anonymously compiled in Whonix-Workstation. Be sure to add more CPUs to speed up the compilation process before starting.
Import and verify developer keys. Always check the fingerprint for yourself:
pub 4096R/0x44D1C0F82525FE49 2013-11-10 Bradley Spengler (spender) <email@example.com> Key fingerprint = DE94 52CE 46F4 2094 907F 108B 44D1 C0F8 2525 FE49
pub 4096R/0x38DBBDC86092693E 2011-09-23 Key fingerprint = 647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E
gpg --recv-keys "DE94 52CE 46F4 2094 907F 108B 44D1 C0F8 2525 FE49"
gpg --recv-keys "647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E"
gpg --list-keys --fingerprint "DE94 52CE 46F4 2094 907F 108B 44D1 C0F8 2525 FE49"
gpg --list-keys --fingerprint "647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E"
By the time you read this the file names may be outdated despite best efforts to keep this guide current so you may have to adjust file names accordingly.
scurl -J -O https://grsecurity.net/test/grsecurity-3.1-4.3.3-201512282134.patch scurl -J -O https://grsecurity.net/test/grsecurity-3.1-4.3.3-201512282134.patch.sig scurl -J -O https://grsecurity.net/stable/gradm-3.1-201507191652.tar.gz scurl -J -O https://grsecurity.net/stable/gradm-3.1-201507191652.tar.gz.sig scurl -J -O https://grsecurity.net/stable/grsecurity-2.2.0-iptables.patch scurl -J -O https://grsecurity.net/stable/grsecurity-2.2.0-iptables.patch.sig scurl -J -O https://grsecurity.net/paxctld/paxctld_1.0-4_i386.deb scurl -J -O https://grsecurity.net/paxctld/paxctld_1.0-4_i386.deb.sig
Look at the matching kernel version number in the patch name grsecurity-3.1-4.2.7-201512092320.patch and fetch the tarball from kernel.org:
scurl -J -O https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.3.3.tar.xz scurl -J -O https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.3.3.tar.sign
The command will verify everything just downloaded in the home directory. Look for file names that passed the check in this part of the output: assuming signed data in `paxctld_1.0-3_i386.deb'. You should see Good signature from "Bradley Spengler (spender) <firstname.lastname@example.org> for each component.
gpg --verify --multifile grsecurity* gradm* paxctld*
The signature is made against the uncompressed version of the archive. This is done so there is only one signature required for .gz, .bz2 and .xz compressed versions of the release. Start by uncompressing the archive, using unxz. You should see Good signature from "Greg Kroah-Hartman:
sudo apt-get install xz-utils unxz linux*.tar.xz gpg --verify linux*.tar.sign
In this document the kernel source archive linux*.tar and the matching grsecurity patch grsecurity*.patch are both files are in the same directory.
tar -xf linux*.tar cd linux* sudo patch -p1 < ../grsecurity-*-*-*.patch
Install the build tools:
sudo apt-get install flex bison libncurses5-dev fakeroot gcc-4.9-plugin-dev libgmp-dev libmpfr-dev libmpc-dev build-essential
See what version of GCC you have installed and install the matching plugin-dev packages for it.
To open the kernel configuration menu run:
sudo make menuconfig
Grsecurity is endlessly customizable and if you have different security requirements feel free to dive in the documentation but be advised very high security settings usually break Xorg server and common packages like Iceweasel and OpenJDK. However for the purposes of compiling a kernel suitable for normal desktop use the Automatic configuration comes with sane defaults. Same for the other usage profiles provided. To have a bootable desktop you will need to disable PaX mprotect at first It can be re-enabled later when an exception list is loaded.
The configuration should look like this. A lack of mention means leave as default:
Networking Support -> Networking options -> Network packet filtering framework (Netfilter) -> IP:Netfilter Configuration -> Enable: IPv4 masquerade support + iptables NAT support Security options -> Grsecurity -> Configuration Method -> Automatic -> Usage Type -> Desktop -> Virtualization Type -> Guest -> Virtualization Software -> KVM -> Required Priorities -> Security -> Customize Configuration -> PaX -> Non-executable pages -> Deselect: Restrict mprotect -> Customize Configuration -> Memory Protections -> Disable privileged I/O -> Customize Configuration -> Role Based Access Control Options -> Hide kernel processes -> Customize Configuration -> Sysctl Support -> Deselect: Sysctl support
To save time you can compile one kernel for both the guest and host . NB This only works if you compiled a custom Whonix x64. A x64 Linux Host/Guest configuration would look like:
64-bit kernel Networking Support -> Networking options -> Network packet filtering framework (Netfilter) -> IP:Netfilter Configuration -> Enable: IPv4 masquerade support + iptables NAT support Security options -> Grsecurity -> Configuration Method -> Automatic -> Usage Type -> Desktop -> Virtualization Type -> Host -> Virtualization Software -> KVM -> Required Priorities -> Security -> Customize Configuration -> PaX -> Non-executable pages -> Deselect: Restrict mprotect -> Customize Configuration -> Memory Protections -> Disable privileged I/O -> Customize Configuration -> Role Based Access Control Options -> Hide kernel processes -> Customize Configuration -> Sysctl Support -> Deselect: Sysctl support
Once you are done select save and keep the .config name then exit out of all menus.
Compile while specifying the number of cores after the -j option. The number should be the number of cores assigned to the VM + 1. This will result in a huge speed up during compilation and reduce compilation time drastically.
sudo fakeroot make -j 5 deb-pkg
Now sit tight. Go make yourself a cup of coffee or read a book until its finished.
To install your new packages including Pax's configuration utility in the guest run:
cd .. sudo dpkg -i linux-image-*-grsec_*-*_*.deb sudo dpkg -i linux-firmware*.deb sudo dpkg -i linux-headers*.deb sudo dpkg -i linux-libc*.deb sudo dpkg -i paxctld*.deb
Move the package to the host via a shared folder and install with dpkg from there.
mv linux-image-*-grsec_*-*_*.deb /mnt/shared mv linux-firmware*.deb /mnt/shared mv linux-headers*.deb /mnt/shared mv linux-libc*.deb /mnt/shared
Done. After installation the system should automatically boot up with the Grsecurity kernel. To inspect the kernel version type:
Upgraded Kernel Builds
Backup your customized kernel configuration file [named .config]. Its available in the root of the kernel source code folder. You may need to enable viewing of hidden files to see it.
To build with newer kernel releases, restore the .config file to the source folder and run:
sudo make oldconfig
Hold 'Enter' to answer questions about new kernel features.
Gradm is the administration tool for RBAC, Grsecurity's intelligent Mandatory Access Control system. Unlike other MACs that require painstaking attention to configuration, RBAC is capable of automatic behavior learning and auto-generating safe program acess policies.
Compilation and Installation
To prepare and compile:
tar xzf gradm*.tar.gz cd gradm
Add the iptables patch:
sudo patch -p1 < ../grsecurity-*-iptables.patch
Compile and install:
sudo make install
For the Host install the required build dependencies (make sure apt-transport-tor is installed on host first) then move the patched extracted and patched gradm directory via the shared folder into your home directory. Then run the same commands as above.
sudo apt-get install bison flex
Its very important you choose a long password that's different from your root account's.
To upgrade to a newer gradm release, re-run the same build commands above.
A detailed guide on generating and enforcing RBAC policy is available on the ArchLinux wiki. Note these instructions apply to all distros.
Impressum | Datenschutz | Haftungsausschluss
Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation. Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.