Grsecurity is a set of kernel patches and configuration options that increases the
security of a server at the kernel level. Here is a very basic guide to downloading
it and patching your kernel. This guide is meant to be used alongside
my generic 2.6.10 kernel guide if
you are not familiar with the process of compiling a kernel. This guide can also be adapted to the latest 2.6.11.7 kernel and the matching version of grsecurity just fine.
Run the following from /usr/local/src, where the unpacked linux-2.6.10 source tree lives:

cd /usr/local/src
wget http://www.acm.cs.rpi.edu/~dilinger/patches/2.6.10/as2/patch-2.6.10-as2.gz
wget http://grsecurity.net/grsecurity-2.1.1-2.6.10-as2-200501242254.patch
gzip -d patch-2.6.10-as2.gz
patch -p0 < patch-2.6.10-as2
patch -p0 < grsecurity-2.1.1-2.6.10-as2-200501242254.patch
cd linux-2.6.10
make menuconfig
In menuconfig, set the following (each level of indentation is one submenu deeper):

Security options
  Grsecurity - Enable
    Address Space Protection
      Deny writing to /dev/kmem, /dev/mem, and /dev/port - Enable
      Disable privileged I/O - Enable
      Remove addresses from /proc/<pid>/[maps|stat] - Enable
      Hide kernel symbols - Enable
    Filesystem Protections
      Proc restrictions - Enable
        Restrict /proc to user only - Enable
      Additional restrictions - Enable
      Linking restrictions - Enable
      FIFO restrictions - Enable
      Chroot jail restrictions - Enable IF you are not running ensim. This
        will cause the ensim chroot system to mess up.
        Enable all options below. Note this may cause some issues with different
        software that may be running. If you run into problems with chrooting, recompile
        without these.
    Kernel Auditing
      /proc/<pid>/ipaddr support - Enable; this will let you see the
        IP address that created a process
    Executable Protections
      Dmesg(8) restriction - Enable
      Destroy unused shared memory - Enable
      Randomized PIDs - Enable
    Network Protections
      Larger entropy pools - Enable
      Truly random TCP ISN selection - Enable
      Randomized IP IDs - Enable
      Randomized TCP source ports - Enable
Now exit and save. I am in the process of modifying these rules to an optimal configuration. If you have any comments about them please post; as always, I welcome input! After you are done with this, compile the kernel normally, or use my generic 2.6.10 kernel guide.
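As an added example (not part of the original guide), the script below wraps the two steps above that are easy to get wrong: it dry-runs each patch before applying it, so a rejected hunk from the wrong -p level or kernel version leaves no half-patched tree, and it checks the finished .config for every option the menu walk-through says to enable. The CONFIG_GRKERNSEC_* symbol names are my assumption about what grsecurity 2.1.x on 2.6.10 uses; compare them against grsecurity/Kconfig in your patched tree before trusting the list. The sample .config the script writes is constructed for demonstration only.

```shell
#!/bin/sh
# Added example, not from the original guide: dry-run the patches before
# applying them, then verify that .config really enables the grsecurity
# options listed in the guide. The CONFIG_GRKERNSEC_* names below are my
# assumption for grsecurity 2.1.x on 2.6.10; check them against
# grsecurity/Kconfig in your patched tree.

# One CONFIG_ symbol per menuconfig item the guide says to enable.
GRSEC_REQUIRED="
CONFIG_GRKERNSEC
CONFIG_GRKERNSEC_KMEM
CONFIG_GRKERNSEC_IO
CONFIG_GRKERNSEC_PROC_MEMMAP
CONFIG_GRKERNSEC_HIDESYM
CONFIG_GRKERNSEC_PROC
CONFIG_GRKERNSEC_PROC_USER
CONFIG_GRKERNSEC_PROC_ADD
CONFIG_GRKERNSEC_LINK
CONFIG_GRKERNSEC_FIFO
CONFIG_GRKERNSEC_CHROOT
CONFIG_GRKERNSEC_PROC_IPADDR
CONFIG_GRKERNSEC_DMESG
CONFIG_GRKERNSEC_SHM
CONFIG_GRKERNSEC_RANDPID
CONFIG_GRKERNSEC_RANDNET
CONFIG_GRKERNSEC_RANDISN
CONFIG_GRKERNSEC_RANDID
CONFIG_GRKERNSEC_RANDSRC
"

# Test-apply every patch with --dry-run first so that a rejected hunk
# (wrong -p level, wrong kernel version) leaves the tree untouched.
# Arguments: directory to patch from, then the patch files in order.
grsec_apply_patches() {
    dir="$1"; shift
    for p in "$@"; do
        if ! patch -d "$dir" -p0 --dry-run --silent < "$p"; then
            echo "refusing to apply $p: dry run failed" >&2
            return 1
        fi
    done
    for p in "$@"; do
        patch -d "$dir" -p0 --silent < "$p" || return 1
    done
}

# Print every required option that is not "=y" in the given .config and
# return the number of missing options as the exit status (0 = all set).
grsec_check_config() {
    config="$1"
    missing=0
    for opt in $GRSEC_REQUIRED; do
        if ! grep -q "^${opt}=y\$" "$config"; then
            echo "MISSING: $opt"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Write a constructed (not real) .config fragment: every option above
# except the chroot restrictions, which the guide says to leave off when
# running ensim. Used only to demonstrate the check.
grsec_write_sample_config() {
    out="$1"
    : > "$out"
    for opt in $GRSEC_REQUIRED; do
        if [ "$opt" = CONFIG_GRKERNSEC_CHROOT ]; then
            echo "# $opt is not set" >> "$out"
        else
            echo "$opt=y" >> "$out"
        fi
    done
}

# Demonstration on the constructed sample; on a real box run
# grsec_check_config /usr/local/src/linux-2.6.10/.config instead.
sample="${TMPDIR:-/tmp}/grsec-sample.config.$$"
grsec_write_sample_config "$sample"
grsec_check_config "$sample" || echo "$? option(s) not enabled in $sample"
rm -f "$sample"
```

To use it on the tree from the guide, call grsec_apply_patches /usr/local/src patch-2.6.10-as2 grsecurity-2.1.1-2.6.10-as2-200501242254.patch after the wget and gzip steps, and run grsec_check_config on the .config after leaving menuconfig; a nonzero status with MISSING lines means an option you meant to enable was dropped, which commonly happens when a dependency such as Proc restrictions is left off.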