diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
index 2645296..2d6e3a8 100644
--- a/grsecurity/Kconfig
+++ b/grsecurity/Kconfig
@@ -1,214 +1,12 @@
 #
 # grecurity configuration
 #
-
-menu "Grsecurity"
-
-config GRKERNSEC
-	bool "Grsecurity"
-	select CRYPTO
-	select CRYPTO_SHA256
-	help
-	  If you say Y here, you will be able to configure many features
-	  that will enhance the security of your system.  It is highly
-	  recommended that you say Y here and read through the help
-	  for each option so that you fully understand the features and
-	  can evaluate their usefulness for your machine.
-
-choice
-	prompt "Security Level"
-	depends on GRKERNSEC
-	default GRKERNSEC_CUSTOM
-
-config GRKERNSEC_LOW
-	bool "Low"
-	select GRKERNSEC_LINK
-	select GRKERNSEC_FIFO
-	select GRKERNSEC_RANDNET
-	select GRKERNSEC_DMESG
-	select GRKERNSEC_CHROOT
-	select GRKERNSEC_CHROOT_CHDIR
-
-	help
-	  If you choose this option, several of the grsecurity options will
-	  be enabled that will give you greater protection against a number
-	  of attacks, while assuring that none of your software will have any
-	  conflicts with the additional security measures.  If you run a lot
-	  of unusual software, or you are having problems with the higher
-	  security levels, you should say Y here.  With this option, the
-	  following features are enabled:
-
-	  - Linking restrictions
-	  - FIFO restrictions
-	  - Restricted dmesg
-	  - Enforced chdir("/") on chroot
-	  - Runtime module disabling
-
-config GRKERNSEC_MEDIUM
-	bool "Medium"
-	select PAX
-	select PAX_EI_PAX
-	select PAX_PT_PAX_FLAGS
-	select PAX_HAVE_ACL_FLAGS
-	select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-	select GRKERNSEC_CHROOT
-	select GRKERNSEC_CHROOT_SYSCTL
-	select GRKERNSEC_LINK
-	select GRKERNSEC_FIFO
-	select GRKERNSEC_DMESG
-	select GRKERNSEC_RANDNET
-	select GRKERNSEC_FORKFAIL
-	select GRKERNSEC_TIME
-	select GRKERNSEC_SIGNAL
-	select GRKERNSEC_CHROOT
-	select GRKERNSEC_CHROOT_UNIX
-	select GRKERNSEC_CHROOT_MOUNT
-	select GRKERNSEC_CHROOT_PIVOT
-	select GRKERNSEC_CHROOT_DOUBLE
-	select GRKERNSEC_CHROOT_CHDIR
-	select GRKERNSEC_CHROOT_MKNOD
-	select GRKERNSEC_PROC
-	select GRKERNSEC_PROC_USERGROUP
-	select PAX_RANDUSTACK
-	select PAX_ASLR
-	select PAX_RANDMMAP
-	select PAX_REFCOUNT if (X86 || SPARC64)
-	select PAX_USERCOPY if ((X86 || SPARC || PPC || ARM) && (SLAB || SLUB || SLOB))
-
-	help
-	  If you say Y here, several features in addition to those included
-	  in the low additional security level will be enabled.  These
-	  features provide even more security to your system, though in rare
-	  cases they may be incompatible with very old or poorly written
-	  software.  If you enable this option, make sure that your auth
-	  service (identd) is running as gid 1001.  With this option, 
-	  the following features (in addition to those provided in the 
-	  low additional security level) will be enabled:
-
-	  - Failed fork logging
-	  - Time change logging
-	  - Signal logging
-	  - Deny mounts in chroot
-	  - Deny double chrooting
-	  - Deny sysctl writes in chroot
-	  - Deny mknod in chroot
-	  - Deny access to abstract AF_UNIX sockets out of chroot
-	  - Deny pivot_root in chroot
-	  - Denied reads/writes of /dev/kmem, /dev/mem, and /dev/port
-	  - /proc restrictions with special GID set to 10 (usually wheel)
-	  - Address Space Layout Randomization (ASLR)
-	  - Prevent exploitation of most refcount overflows
-	  - Bounds checking of copying between the kernel and userland
-
-config GRKERNSEC_HIGH
-	bool "High"
-	select GRKERNSEC_LINK
-	select GRKERNSEC_FIFO
-	select GRKERNSEC_DMESG
-	select GRKERNSEC_FORKFAIL
-	select GRKERNSEC_TIME
-	select GRKERNSEC_SIGNAL
-	select GRKERNSEC_CHROOT
-	select GRKERNSEC_CHROOT_SHMAT
-	select GRKERNSEC_CHROOT_UNIX
-	select GRKERNSEC_CHROOT_MOUNT
-	select GRKERNSEC_CHROOT_FCHDIR
-	select GRKERNSEC_CHROOT_PIVOT
-	select GRKERNSEC_CHROOT_DOUBLE
-	select GRKERNSEC_CHROOT_CHDIR
-	select GRKERNSEC_CHROOT_MKNOD
-	select GRKERNSEC_CHROOT_CAPS
-	select GRKERNSEC_CHROOT_SYSCTL
-	select GRKERNSEC_CHROOT_FINDTASK
-	select GRKERNSEC_SYSFS_RESTRICT
-	select GRKERNSEC_PROC
-	select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
-	select GRKERNSEC_HIDESYM
-	select GRKERNSEC_BRUTE
-	select GRKERNSEC_PROC_USERGROUP
-	select GRKERNSEC_KMEM
-	select GRKERNSEC_RESLOG
-	select GRKERNSEC_RANDNET
-	select GRKERNSEC_PROC_ADD
-	select GRKERNSEC_CHROOT_CHMOD
-	select GRKERNSEC_CHROOT_NICE
-	select GRKERNSEC_SETXID if (X86 || SPARC64 || PPC || ARM || MIPS)
-	select GRKERNSEC_AUDIT_MOUNT
-	select GRKERNSEC_MODHARDEN if (MODULES)
-	select GRKERNSEC_HARDEN_PTRACE
-	select GRKERNSEC_PTRACE_READEXEC
-	select GRKERNSEC_VM86 if (X86_32)
-	select GRKERNSEC_KERN_LOCKOUT if (X86 || ARM || PPC || SPARC)
-	select PAX
-	select PAX_RANDUSTACK
-	select PAX_ASLR
-	select PAX_RANDMMAP
-	select PAX_NOEXEC
-	select PAX_MPROTECT
-	select PAX_EI_PAX
-	select PAX_PT_PAX_FLAGS
-	select PAX_HAVE_ACL_FLAGS
-	select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
-	select PAX_MEMORY_UDEREF if (X86 && !XEN)
-	select PAX_RANDKSTACK if (X86_TSC && X86)
-	select PAX_SEGMEXEC if (X86_32)
-	select PAX_PAGEEXEC
-	select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
-	select PAX_EMUTRAMP if (PARISC)
-	select PAX_EMUSIGRT if (PARISC)
-	select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
-	select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
-	select PAX_REFCOUNT if (X86 || SPARC64)
-	select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
-	help
-	  If you say Y here, many of the features of grsecurity will be
-	  enabled, which will protect you against many kinds of attacks
-	  against your system.  The heightened security comes at a cost
-	  of an increased chance of incompatibilities with rare software
-	  on your machine.  Since this security level enables PaX, you should
-	  view <http://pax.grsecurity.net> and read about the PaX
-	  project.  While you are there, download chpax and run it on
-	  binaries that cause problems with PaX.  Also remember that
-	  since the /proc restrictions are enabled, you must run your
-	  identd as gid 1001.  This security level enables the following 
-	  features in addition to those listed in the low and medium 
-	  security levels:
-
-	  - Additional /proc restrictions
-	  - Chmod restrictions in chroot
-	  - No signals, ptrace, or viewing of processes outside of chroot
-	  - Capability restrictions in chroot
-	  - Deny fchdir out of chroot
-	  - Priority restrictions in chroot
-	  - Segmentation-based implementation of PaX
-	  - Mprotect restrictions
-	  - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
-	  - Kernel stack randomization
-	  - Mount/unmount/remount logging
-	  - Kernel symbol hiding
-	  - Hardening of module auto-loading
-	  - Ptrace restrictions
-	  - Restricted vm86 mode
-	  - Restricted sysfs/debugfs
-	  - Active kernel exploit response
-
-config GRKERNSEC_CUSTOM
-	bool "Custom"
-	help
-	  If you say Y here, you will be able to configure every grsecurity
-	  option, which allows you to enable many more features that aren't
-	  covered in the basic security levels.  These additional features
-	  include TPE, socket restrictions, and the sysctl system for
-	  grsecurity.  It is advised that you read through the help for
-	  each option to determine its usefulness in your situation.
-
-endchoice
-
 menu "Memory Protections"
 depends on GRKERNSEC
 
 config GRKERNSEC_KMEM
 	bool "Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port"
+	default y if GRKERNSEC_CONFIG_AUTO
 	select STRICT_DEVMEM if (X86 || ARM || TILE || S390)
 	help
 	  If you say Y here, /dev/kmem and /dev/mem won't be allowed to
@@ -230,6 +28,7 @@ config GRKERNSEC_KMEM
 
 config GRKERNSEC_VM86
 	bool "Restrict VM86 mode"
+	default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER)
 	depends on X86_32
 
 	help
@@ -243,6 +42,7 @@ config GRKERNSEC_VM86
 
 config GRKERNSEC_IO
 	bool "Disable privileged I/O"
+	default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER)
 	depends on X86
 	select RTC_CLASS
 	select RTC_INTF_DEV
@@ -262,7 +62,7 @@ config GRKERNSEC_IO
 
 config GRKERNSEC_PROC_MEMMAP
 	bool "Harden ASLR against information leaks and entropy reduction"
-	default y if (PAX_NOEXEC || PAX_ASLR)
+	default y if (GRKERNSEC_CONFIG_AUTO || PAX_NOEXEC || PAX_ASLR)
 	depends on PAX_NOEXEC || PAX_ASLR
 	help
 	  If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
@@ -282,6 +82,7 @@ config GRKERNSEC_PROC_MEMMAP
 
 config GRKERNSEC_BRUTE
 	bool "Deter exploit bruteforcing"
+	default y if GRKERNSEC_CONFIG_AUTO
 	help
 	  If you say Y here, attempts to bruteforce exploits against forking
 	  daemons such as apache or sshd, as well as against suid/sgid binaries
@@ -302,6 +103,7 @@ config GRKERNSEC_BRUTE
 
 config GRKERNSEC_MODHARDEN
 	bool "Harden module auto-loading"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on MODULES
 	help
 	  If you say Y here, module auto-loading in response to use of some
@@ -323,6 +125,7 @@ config GRKERNSEC_MODHARDEN
 
 config GRKERNSEC_HIDESYM
 	bool "Hide kernel symbols"
+	default y if GRKERNSEC_CONFIG_AUTO
 	help
 	  If you say Y here, getting information on loaded modules, and
 	  displaying all kernel symbols through a syscall will be restricted
@@ -348,11 +151,12 @@ config GRKERNSEC_HIDESYM
 
 config GRKERNSEC_KERN_LOCKOUT
 	bool "Active kernel exploit response"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on X86 || ARM || PPC || SPARC
 	help
 	  If you say Y here, when a PaX alert is triggered due to suspicious
 	  activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
-	  or an OOPs occurs due to bad memory accesses, instead of just
+	  or an OOPS occurs due to bad memory accesses, instead of just
 	  terminating the offending process (and potentially allowing
 	  a subsequent exploit from the same user), we will take one of two
 	  actions:
@@ -411,6 +215,7 @@ depends on GRKERNSEC
 
 config GRKERNSEC_PROC
 	bool "Proc restrictions"
+	default y if GRKERNSEC_CONFIG_AUTO
 	help
 	  If you say Y here, the permissions of the /proc filesystem
 	  will be altered to enhance system security and privacy.  You MUST
@@ -432,6 +237,7 @@ config GRKERNSEC_PROC_USER
 
 config GRKERNSEC_PROC_USERGROUP
 	bool "Allow special group"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
 	help
 	  If you say Y here, you will be able to select a group that will be
@@ -447,6 +253,7 @@ config GRKERNSEC_PROC_GID
 
 config GRKERNSEC_PROC_ADD
 	bool "Additional restrictions"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
 	help
 	  If you say Y here, additional restrictions will be placed on
@@ -455,6 +262,7 @@ config GRKERNSEC_PROC_ADD
 
 config GRKERNSEC_LINK
 	bool "Linking restrictions"
+	default y if GRKERNSEC_CONFIG_AUTO
 	help
 	  If you say Y here, /tmp race exploits will be prevented, since users
 	  will no longer be able to follow symlinks owned by other users in
@@ -465,6 +273,7 @@ config GRKERNSEC_LINK
 
 config GRKERNSEC_FIFO
 	bool "FIFO restrictions"
+	default y if GRKERNSEC_CONFIG_AUTO
 	help
 	  If you say Y here, users will not be able to write to FIFOs they don't
 	  own in world-writable +t directories (e.g. /tmp), unless the owner of
@@ -474,6 +283,7 @@ config GRKERNSEC_FIFO
 
 config GRKERNSEC_SYSFS_RESTRICT
 	bool "Sysfs/debugfs restriction"
+	default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER)
 	depends on SYSFS
 	help
 	  If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
@@ -507,6 +317,7 @@ config GRKERNSEC_ROFS
 
 config GRKERNSEC_CHROOT
 	bool "Chroot jail restrictions"
+	default y if GRKERNSEC_CONFIG_AUTO
 	help
 	  If you say Y here, you will be able to choose several options that will
 	  make breaking out of a chrooted jail much more difficult.  If you
@@ -515,6 +326,7 @@ config GRKERNSEC_CHROOT
 
 config GRKERNSEC_CHROOT_MOUNT
 	bool "Deny mounts"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on GRKERNSEC_CHROOT
 	help
 	  If you say Y here, processes inside a chroot will not be able to
@@ -523,6 +335,7 @@ config GRKERNSEC_CHROOT_MOUNT
 
 config GRKERNSEC_CHROOT_DOUBLE
 	bool "Deny double-chroots"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on GRKERNSEC_CHROOT
 	help
 	  If you say Y here, processes inside a chroot will not be able to chroot
@@ -533,6 +346,7 @@ config GRKERNSEC_CHROOT_DOUBLE
 
 config GRKERNSEC_CHROOT_PIVOT
 	bool "Deny pivot_root in chroot"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on GRKERNSEC_CHROOT
 	help
 	  If you say Y here, processes inside a chroot will not be able to use
@@ -545,6 +359,7 @@ config GRKERNSEC_CHROOT_PIVOT
 
 config GRKERNSEC_CHROOT_CHDIR
 	bool "Enforce chdir(\"/\") on all chroots"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on GRKERNSEC_CHROOT
 	help
 	  If you say Y here, the current working directory of all newly-chrooted
@@ -561,6 +376,7 @@ config GRKERNSEC_CHROOT_CHDIR
 
 config GRKERNSEC_CHROOT_CHMOD
 	bool "Deny (f)chmod +s"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on GRKERNSEC_CHROOT
 	help
 	  If you say Y here, processes inside a chroot will not be able to chmod
@@ -571,6 +387,7 @@ config GRKERNSEC_CHROOT_CHMOD
 
 config GRKERNSEC_CHROOT_FCHDIR
 	bool "Deny fchdir out of chroot"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on GRKERNSEC_CHROOT
 	help
 	  If you say Y here, a well-known method of breaking chroots by fchdir'ing
@@ -580,6 +397,7 @@ config GRKERNSEC_CHROOT_FCHDIR
 
 config GRKERNSEC_CHROOT_MKNOD
 	bool "Deny mknod"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on GRKERNSEC_CHROOT
 	help
 	  If you say Y here, processes inside a chroot will not be allowed to
@@ -594,6 +412,7 @@ config GRKERNSEC_CHROOT_MKNOD
 
 config GRKERNSEC_CHROOT_SHMAT
 	bool "Deny shmat() out of chroot"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on GRKERNSEC_CHROOT
 	help
 	  If you say Y here, processes inside a chroot will not be able to attach
@@ -603,6 +422,7 @@ config GRKERNSEC_CHROOT_SHMAT
 
 config GRKERNSEC_CHROOT_UNIX
 	bool "Deny access to abstract AF_UNIX sockets out of chroot"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on GRKERNSEC_CHROOT
 	help
 	  If you say Y here, processes inside a chroot will not be able to
@@ -613,6 +433,7 @@ config GRKERNSEC_CHROOT_UNIX
 
 config GRKERNSEC_CHROOT_FINDTASK
 	bool "Protect outside processes"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on GRKERNSEC_CHROOT
 	help
 	  If you say Y here, processes inside a chroot will not be able to
@@ -623,6 +444,7 @@ config GRKERNSEC_CHROOT_FINDTASK
 
 config GRKERNSEC_CHROOT_NICE
 	bool "Restrict priority changes"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on GRKERNSEC_CHROOT
 	help
 	  If you say Y here, processes inside a chroot will not be able to raise
@@ -634,6 +456,7 @@ config GRKERNSEC_CHROOT_NICE
 
 config GRKERNSEC_CHROOT_SYSCTL
 	bool "Deny sysctl writes"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on GRKERNSEC_CHROOT
 	help
 	  If you say Y here, an attacker in a chroot will not be able to
@@ -644,6 +467,7 @@ config GRKERNSEC_CHROOT_SYSCTL
 
 config GRKERNSEC_CHROOT_CAPS
 	bool "Capability restrictions"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on GRKERNSEC_CHROOT
 	help
 	  If you say Y here, the capabilities on all processes within a
@@ -686,6 +510,7 @@ config GRKERNSEC_EXECLOG
 
 config GRKERNSEC_RESLOG
 	bool "Resource logging"
+	default y if GRKERNSEC_CONFIG_AUTO
 	help
 	  If you say Y here, all attempts to overstep resource limits will
 	  be logged with the resource name, the requested size, and the current
@@ -724,6 +549,7 @@ config GRKERNSEC_AUDIT_MOUNT
 
 config GRKERNSEC_SIGNAL
 	bool "Signal logging"
+	default y if GRKERNSEC_CONFIG_AUTO
 	help
 	  If you say Y here, certain important signals will be logged, such as
 	  SIGSEGV, which will as a result inform you of when a error in a program
@@ -741,6 +567,7 @@ config GRKERNSEC_FORKFAIL
 
 config GRKERNSEC_TIME
 	bool "Time change logging"
+	default y if GRKERNSEC_CONFIG_AUTO
 	help
 	  If you say Y here, any changes of the system clock will be logged.
 	  If the sysctl option is enabled, a sysctl option with name
@@ -748,6 +575,7 @@ config GRKERNSEC_TIME
 
 config GRKERNSEC_PROC_IPADDR
 	bool "/proc/<pid>/ipaddr support"
+	default y if GRKERNSEC_CONFIG_AUTO
 	help
 	  If you say Y here, a new entry will be added to each /proc/<pid>
 	  directory that contains the IP address of the person using the task.
@@ -759,6 +587,7 @@ config GRKERNSEC_PROC_IPADDR
 
 config GRKERNSEC_RWXMAP_LOG
 	bool 'Denied RWX mmap/mprotect logging'
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
 	help
 	  If you say Y here, calls to mmap() and mprotect() with explicit
@@ -787,6 +616,7 @@ depends on GRKERNSEC
 
 config GRKERNSEC_DMESG
 	bool "Dmesg(8) restriction"
+	default y if GRKERNSEC_CONFIG_AUTO
 	help
 	  If you say Y here, non-root users will not be able to use dmesg(8)
 	  to view up to the last 4kb of messages in the kernel's log buffer.
@@ -798,6 +628,7 @@ config GRKERNSEC_DMESG
 
 config GRKERNSEC_HARDEN_PTRACE
 	bool "Deter ptrace-based process snooping"
+	default y if GRKERNSEC_CONFIG_AUTO
 	help
 	  If you say Y here, TTY sniffers and other malicious monitoring
 	  programs implemented through ptrace will be defeated.  If you
@@ -814,6 +645,7 @@ config GRKERNSEC_HARDEN_PTRACE
 
 config GRKERNSEC_PTRACE_READEXEC
 	bool "Require read access to ptrace sensitive binaries"
+	default y if GRKERNSEC_CONFIG_AUTO
 	help
 	  If you say Y here, unprivileged users will not be able to ptrace unreadable
 	  binaries.  This option is useful in environments that
@@ -827,6 +659,7 @@ config GRKERNSEC_PTRACE_READEXEC
 
 config GRKERNSEC_SETXID
 	bool "Enforce consistent multithreaded privileges"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on (X86 || SPARC64 || PPC || ARM || MIPS)
 	help
 	  If you say Y here, a change from a root uid to a non-root uid
@@ -841,6 +674,7 @@ config GRKERNSEC_SETXID
 
 config GRKERNSEC_TPE
 	bool "Trusted Path Execution (TPE)"
+	default y if GRKERNSEC_CONFIG_AUTO
 	help
 	  If you say Y here, you will be able to choose a gid to add to the
 	  supplementary groups of users you want to mark as "untrusted."
@@ -897,6 +731,7 @@ depends on GRKERNSEC
 
 config GRKERNSEC_RANDNET
 	bool "Larger entropy pools"
+	default y if GRKERNSEC_CONFIG_AUTO
 	help
 	  If you say Y here, the entropy pools used for many features of Linux
 	  and grsecurity will be doubled in size.  Since several grsecurity
@@ -906,6 +741,7 @@ config GRKERNSEC_RANDNET
 
 config GRKERNSEC_BLACKHOLE
 	bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on NET
 	help
 	  If you say Y here, neither TCP resets nor ICMP
@@ -1005,11 +841,12 @@ config GRKERNSEC_SOCKET_SERVER_GID
 	  option with name "socket_server_gid" is created.
 
 endmenu
-menu "Sysctl support"
+menu "Sysctl Support"
 depends on GRKERNSEC && SYSCTL
 
 config GRKERNSEC_SYSCTL
 	bool "Sysctl support"
+	default y if GRKERNSEC_CONFIG_AUTO
 	help
 	  If you say Y here, you will be able to change the options that
 	  grsecurity runs with at bootup, without having to recompile your
@@ -1040,6 +877,7 @@ config GRKERNSEC_SYSCTL_DISTRO
 
 config GRKERNSEC_SYSCTL_ON
 	bool "Turn on features by default"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on GRKERNSEC_SYSCTL
 	help
 	  If you say Y here, instead of having all features enabled in the
@@ -1075,5 +913,3 @@ config GRKERNSEC_FLOODBURST
 	  raise this value.
 
 endmenu
-
-endmenu
diff --git a/security/Kconfig b/security/Kconfig
index 5effdb4..7356014 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -4,7 +4,137 @@
 
 menu "Security options"
 
-source grsecurity/Kconfig
+menu "Grsecurity"
+
+config GRKERNSEC
+	bool "Grsecurity"
+	select CRYPTO
+	select CRYPTO_SHA256
+	help
+	  If you say Y here, you will be able to configure many features
+	  that will enhance the security of your system.  It is highly
+	  recommended that you say Y here and read through the help
+	  for each option so that you fully understand the features and
+	  can evaluate their usefulness for your machine.
+
+choice
+	prompt "Configuration Method"
+	depends on GRKERNSEC
+	default GRKERNSEC_CONFIG_CUSTOM
+	help
+
+config GRKERNSEC_CONFIG_AUTO
+	bool "Automatic"
+	help
+
+config GRKERNSEC_CONFIG_CUSTOM
+	bool "Custom"
+	help
+
+endchoice
+
+choice
+	prompt "Usage Type"
+	depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO)
+	default GRKERNSEC_CONFIG_SERVER
+	help
+
+config GRKERNSEC_CONFIG_SERVER
+	bool "Server"
+	help
+
+config GRKERNSEC_CONFIG_DESKTOP
+	bool "Desktop"
+	help
+
+endchoice
+
+choice
+	prompt "Virtualization Type"
+	depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO)
+	default GRKERNSEC_CONFIG_VIRT_NONE
+	help
+
+config GRKERNSEC_CONFIG_VIRT_NONE
+	bool "None"
+	help
+
+config GRKERNSEC_CONFIG_VIRT_GUEST
+	bool "Guest"
+	help
+
+config GRKERNSEC_CONFIG_VIRT_HOST
+	bool "Host"
+	help
+
+endchoice
+
+choice
+	prompt "Virtualization Software"
+	depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO && (GRKERNSEC_CONFIG_VIRT_GUEST || GRKERNSEC_CONFIG_VIRT_HOST))
+	help
+
+config GRKERNSEC_CONFIG_VIRT_XEN
+	bool "Xen"
+	help
+
+config GRKERNSEC_CONFIG_VIRT_VMWARE
+	bool "VMWare"
+	help
+
+config GRKERNSEC_CONFIG_VIRT_KVM
+	bool "KVM"
+	help
+
+config GRKERNSEC_CONFIG_VIRT_VIRTUALBOX
+	bool "VirtualBox"
+	help
+
+config GRKERNSEC_CONFIG_VIRT_ANY
+	bool "All"
+	help
+
+endchoice
+
+choice
+	prompt "Required Priorities"
+	depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO)
+	default GRKERNSEC_CONFIG_PRIORITY_PERF
+	help
+
+config GRKERNSEC_CONFIG_PRIORITY_PERF
+	bool "Performance"
+	help
+
+config GRKERNSEC_CONFIG_PRIORITY_SECURITY
+	bool "Security"
+	help
+
+endchoice
+
+menu "Default Special Groups"
+depends on (GRKERNSEC && GRKERNSEC_CONFIG_AUTO)
+
+config GRKERNSEC_PROC_GID
+	int "GID exempted from /proc restrictions"
+	default 1001
+
+config GRKERNSEC_AUDIT_GID
+	int "GID of audited group"
+	default 1007
+
+config GRKERNSEC_TPE_GID
+	int "GID for untrusted users"
+	default 1005
+	help
+	  Setting this GID determines what group TPE restrictions will be
+	  *enabled* for.  If the sysctl option is enabled, a sysctl option
+	  with name "tpe_gid" is created.
+
+endmenu
+
+menu "Customize Configuration"
+depends on GRKERNSEC
 
 menu "PaX"
 
@@ -29,6 +159,7 @@ menu "PaX"
 	
 config PAX
 	bool "Enable various PaX features"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
 	help
 	  This allows you to enable various PaX features.  PaX adds
@@ -52,6 +183,7 @@ config PAX_SOFTMODE
 
 config PAX_EI_PAX
 	bool 'Use legacy ELF header marking'
+	default y if GRKERNSEC_CONFIG_AUTO
 	help
 	  Enabling this option will allow you to control PaX features on
 	  a per executable basis via the 'chpax' utility available at
@@ -71,6 +203,7 @@ config PAX_EI_PAX
 
 config PAX_PT_PAX_FLAGS
 	bool 'Use ELF program header marking'
+	default y if GRKERNSEC_CONFIG_AUTO
 	help
 	  Enabling this option will allow you to control PaX features on
 	  a per executable basis via the 'paxctl' utility available at
@@ -92,6 +225,7 @@ config PAX_PT_PAX_FLAGS
 
 config PAX_XATTR_PAX_FLAGS
 	bool 'Use filesystem extended attributes marking'
+	default y if GRKERNSEC_CONFIG_AUTO
 	select CIFS_XATTR if CIFS
 	select EXT2_FS_XATTR if EXT2_FS
 	select EXT3_FS_XATTR if EXT3_FS
@@ -153,6 +287,7 @@ menu "Non-executable pages"
 
 config PAX_NOEXEC
 	bool "Enforce non-executable pages"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86
 	help
 	  By design some architectures do not allow for protecting memory
@@ -181,6 +316,7 @@ config PAX_NOEXEC
 
 config PAX_PAGEEXEC
 	bool "Paging based non-executable pages"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
 	select S390_SWITCH_AMODE if S390
 	select S390_EXEC_PROTECT if S390
@@ -203,6 +339,7 @@ config PAX_PAGEEXEC
 
 config PAX_SEGMEXEC
 	bool "Segmentation based non-executable pages"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on PAX_NOEXEC && X86_32
 	help
 	  This implementation is based on the segmentation feature of the
@@ -269,6 +406,7 @@ config PAX_EMUSIGRT
 
 config PAX_MPROTECT
 	bool "Restrict mprotect()"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
 	help
 	  Enabling this option will prevent programs from
@@ -286,8 +424,8 @@ config PAX_MPROTECT
 
 config PAX_MPROTECT_COMPAT
 	bool "Use legacy/compat protection demoting (read help)"
+	default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_DESKTOP)
 	depends on PAX_MPROTECT
-	default n
 	help
 	  The current implementation of PAX_MPROTECT denies RWX allocations/mprotects
 	  by sending the proper error code to the application.  For some broken 
@@ -362,6 +500,7 @@ config PAX_DLRESOLVE
 
 config PAX_KERNEXEC
 	bool "Enforce non-executable kernel pages"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
 	select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
 	select PAX_KERNEXEC_PLUGIN if X86_64
@@ -403,7 +542,8 @@ config PAX_KERNEXEC_PLUGIN_METHOD
 
 config PAX_KERNEXEC_MODULE_TEXT
 	int "Minimum amount of memory reserved for module code"
-	default "4"
+	default "4" if (!GRKERNSEC_CONFIG_AUTO || GRKERNSEC_CONFIG_SERVER)
+	default "12" if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_DESKTOP)
 	depends on PAX_KERNEXEC && X86_32 && MODULES
 	help
 	  Due to implementation details the kernel must reserve a fixed
@@ -428,6 +568,7 @@ menu "Address Space Layout Randomization"
 
 config PAX_ASLR
 	bool "Address Space Layout Randomization"
+	default y if GRKERNSEC_CONFIG_AUTO
 	help
 	  Many if not most exploit techniques rely on the knowledge of
 	  certain addresses in the attacked program.  The following options
@@ -457,6 +598,7 @@ config PAX_ASLR
 
 config PAX_RANDKSTACK
 	bool "Randomize kernel stack base"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on X86_TSC && X86
 	help
 	  By saying Y here the kernel will randomize every task's kernel
@@ -471,6 +613,7 @@ config PAX_RANDKSTACK
 
 config PAX_RANDUSTACK
 	bool "Randomize user stack base"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on PAX_ASLR
 	help
 	  By saying Y here the kernel will randomize every task's userland
@@ -483,6 +626,7 @@ config PAX_RANDUSTACK
 
 config PAX_RANDMMAP
 	bool "Randomize mmap() base"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on PAX_ASLR
 	help
 	  By saying Y here the kernel will use a randomized base address for
@@ -509,6 +653,7 @@ menu "Miscellaneous hardening features"
 
 config PAX_MEMORY_SANITIZE
 	bool "Sanitize all freed memory"
+	default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_PRIORITY_SECURITY)
 	depends on !HIBERNATION
 	help
 	  By saying Y here the kernel will erase memory pages as soon as they
@@ -531,6 +676,7 @@ config PAX_MEMORY_SANITIZE
 
 config PAX_MEMORY_STACKLEAK
 	bool "Sanitize kernel stack"
+	default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_PRIORITY_SECURITY)
 	depends on X86
 	help
 	  By saying Y here the kernel will erase the kernel stack before it
@@ -555,6 +701,7 @@ config PAX_MEMORY_STACKLEAK
 
 config PAX_MEMORY_UDEREF
 	bool "Prevent invalid userland pointer dereference"
+	default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_PRIORITY_SECURITY)
 	depends on X86 && !UML_X86 && !XEN
 	select PAX_PER_CPU_PGD if X86_64
 	help
@@ -574,6 +721,7 @@ config PAX_MEMORY_UDEREF
 
 config PAX_REFCOUNT
 	bool "Prevent various kernel object reference counter overflows"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on GRKERNSEC && ((ARM && (CPU_32v6 || CPU_32v6K || CPU_32v7)) || SPARC64 || X86)
 	help
 	  By saying Y here the kernel will detect and prevent overflowing
@@ -593,6 +741,7 @@ config PAX_REFCOUNT
 
 config PAX_USERCOPY
 	bool "Harden heap object copies between kernel and userland"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on X86 || PPC || SPARC || ARM
 	depends on GRKERNSEC && (SLAB || SLUB || SLOB)
 	help
@@ -622,6 +771,7 @@ config PAX_USERCOPY
 
 config PAX_SIZE_OVERFLOW
 	bool "Prevent various integer overflows in function size parameters"
+	default y if GRKERNSEC_CONFIG_AUTO
 	depends on X86
 	help
 	  By saying Y here the kernel recomputes expressions of function
@@ -638,6 +788,12 @@ endmenu
 
 endmenu
 
+source grsecurity/Kconfig
+
+endmenu
+
+endmenu
+
 config KEYS
 	bool "Enable access key retention support"
 	help
