In recent days there have been quite a few dangerous exploits found in Linux kernels, all the while grsecurity and SELinux were not vulnerable. Both can be difficult to configure, but in my opinion grsecurity is easier as it's compiled into the kernel and you can select between three different levels of security among other custom optimizations.
grsecurity is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. It is licensed under the GPL.
It offers among many other features:
* An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
* Change root (chroot) hardening
* /tmp race prevention
* Extensive auditing
* Prevention of entire classes of exploits related to address space bugs (from the PaX project)
* Additional randomness in the TCP/IP stack
* A restriction that allows a user to only view his/her processes
* Every security alert or audit contains the IP address of the person that caused the event
Here I will explain, in copy-and-paste format, how to compile and install the grsecurity patch for the latest kernel.
First, get what is needed:
Code:
cd /usr/src
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.17.7.tar.bz2
wget http://grsecurity.org/grsecurity-2.1.9-2.6.17.7-200607261817.patch.gz
tar -xjvf linux-2.6.17.7.tar.bz2
# apply the patch against the unpacked tree from /usr/src (hence -p0)
gunzip < grsecurity-2.1.9-2.6.17.7-200607261817.patch.gz | patch -p0
mv linux-2.6.17.7 linux-2.6.17.7-grsec
ln -s linux-2.6.17.7-grsec linux
cd linux
Copy your current config over. Run uname -r to see which kernel you're running and copy its config from /boot, for example:
Code:
cp /boot/config-2.6.9-22.0.2.EL .config
make menuconfig
OK, make sure you select the basic stuff that is needed (iptables, your processor type), then go into Security Options and to grsecurity, select which level of security you want and any other options you may want. Then build and install:
Code:
make bzImage
make modules
make modules_install
make install
Check your /boot/grub/grub.conf and make sure default is 1, so the permanent default stays on your old kernel, then boot the new kernel (entry 0) once:
Code:
grub
savedefault --default=0 --once
quit
This way, in case something goes wrong and you have to have your datacenter reboot the box, it comes back up on the old kernel. If you do everything right it should be fine. And there ya go, you now have a security-patched kernel that protects against all known exploits, rootkits, and unknown exploits. This is ideal for any machine, whether you allow shell access or not, and will help prevent local exploits.
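As an added example (not from the original post), here is a small shell script that checks grub.conf before the one-shot savedefault step: it finds which entry holds the new kernel, confirms that default= still points at a different (old) entry, and prints the exact savedefault command to type inside grub. It generalizes the post's assumption that the new kernel lands at entry 0 by reading the index from the file. The grub.conf it writes is constructed for the demonstration (modelled on the CentOS config name used above), and grub_entry_index, grub_default, grub_check_fallback and make_sample_conf are names of this example, not grub commands.

```shell
#!/bin/sh
# Added example, not part of the original post. Sanity-checks a GRUB legacy
# grub.conf before the one-shot "savedefault --default=N --once" step, so a
# broken new kernel falls back to the known-good one on a forced reboot.
# Assumes the classic grub.conf layout: "default=N", one "title" line per
# entry, and a "kernel /vmlinuz-..." line inside each entry.

# grub_entry_index CONF PATTERN
# Print the 0-based index of the first entry whose kernel line matches the
# awk regex PATTERN (e.g. the new kernel's vmlinuz name), or -1 if none.
grub_entry_index() {
    awk -v pat="$2" '
        /^[[:space:]]*title/                      { idx++ }
        /^[[:space:]]*kernel/ && $0 ~ pat && !hit { found = idx - 1; hit = 1 }
        END { print (hit ? found : -1) }
    ' "$1"
}

# grub_default CONF
# Print the N from the "default=N" line, or -1 if the line is missing.
grub_default() {
    awk -F= '
        /^[[:space:]]*default[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); v = $2; hit = 1; exit }
        END { print (hit ? v : -1) }
    ' "$1"
}

# grub_check_fallback CONF PATTERN
# Succeeds (and prints the savedefault command to run inside "grub") only
# when the permanent default points at some other entry than the new
# kernel, i.e. the fallback the post relies on is actually in place.
grub_check_fallback() {
    conf=$1
    newpat=$2
    new=$(grub_entry_index "$conf" "$newpat")
    def=$(grub_default "$conf")
    if [ "$new" -lt 0 ]; then
        echo "no grub entry with a kernel matching '$newpat'" >&2
        return 2
    fi
    if [ "$def" -lt 0 ]; then
        echo "no default= line in $conf" >&2
        return 2
    fi
    if [ "$def" -eq "$new" ]; then
        echo "default=$def already points at the new kernel; set default to an old entry first" >&2
        return 1
    fi
    echo "savedefault --default=$new --once"
}

# make_sample_conf good|bad
# Write a constructed grub.conf (sample data, not a real machine's file) to a
# temp file and print its path. "bad" sets default=0, i.e. no fallback.
make_sample_conf() {
    f=$(mktemp)
    if [ "$1" = bad ]; then d=0; else d=1; fi
    cat > "$f" <<EOF
default=$d
timeout=5
title CentOS (2.6.17.7-grsec)
        root (hd0,0)
        kernel /vmlinuz-2.6.17.7 ro root=/dev/VolGroup00/LogVol00
        initrd /initrd-2.6.17.7.img
title CentOS (2.6.9-22.0.2.EL)
        root (hd0,0)
        kernel /vmlinuz-2.6.9-22.0.2.EL ro root=/dev/VolGroup00/LogVol00
        initrd /initrd-2.6.9-22.0.2.EL.img
EOF
    echo "$f"
}

# Usage: sh grubcheck.sh /boot/grub/grub.conf 'vmlinuz-2\.6\.17\.7'
if [ $# -ge 2 ]; then
    grub_check_fallback "$1" "$2"
fi
```

Run it against the real /boot/grub/grub.conf with a pattern that matches only the new kernel's vmlinuz line; if it prints a savedefault line, that is the command to use in the grub shell, and a non-zero exit means the fallback is not set up the way the post assumes.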