[HOWTO] 2.6.17.7 GrSecurity Patched Kernel on Redhat, Centos..

felosi

In recent days there have been quite a few dangerous exploits found in Linux kernels, all the while grsecurity and SELinux were not vulnerable. Both can be difficult to configure, but in my opinion grsecurity is easier as it's compiled into the kernel and you can select between three different levels of security among other custom optimizations.

grsecurity is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. It is licensed under the GPL.
It offers among many other features:

* An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
* Change root (chroot) hardening
* /tmp race prevention
* Extensive auditing
* Prevention of entire classes of exploits related to address space bugs (from the PaX project)
* Additional randomness in the TCP/IP stack
* A restriction that allows a user to only view his/her processes
* Every security alert or audit contains the IP address of the person that caused the event

Here I will explain in copy and paste format how to compile and install the Grsecurity patch for the latest kernel.

First get what is needed
Code:
cd /usr/src
Code:
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.17.7.tar.bz2
Code:
wget http://grsecurity.org/grsecurity-2.1.9-2.6.17.7-200607261817.patch.gz
Code:
tar -xjvf linux-2.6.17.7.tar.bz2
Code:
gunzip < grsecurity-2.1.9-2.6.17.7-200607261817.patch.gz | patch -p0
Code:
mv linux-2.6.17.7 linux-2.6.17.7-grsec
Code:
ln -s linux-2.6.17.7-grsec linux
Code:
cd linux

Copy your current config over.

Do uname -r to see what kernel you're running and copy its config, for example:
Code:
cp /boot/config-2.6.9-22.0.2.EL .config

Code:
make menuconfig

OK, make sure you select the basic stuff that is needed (iptables, your processor type), then go into Security Options and to grsecurity, select which level of security you want and any other options you may want.

Code:
make bzImage

Code:
make modules

Code:
make modules_install

Code:
make install


Check your /boot/grub/grub.conf and make sure default is 1, then

Code:
grub
savedefault --default=0 --once
quit

That is in case something goes wrong and you have to have your datacenter reboot. If you do everything right it should be fine. And there ya go, you now have a security-patched kernel that protects against all known exploits, rootkits, and unknown exploits. This is ideal for any machine whether you have shell access allowed or not and will help prevent local exploits.
 
Hello felosi,

I would also post here another way to do it, with make oldconfig.

I had a problem with make menuconfig, so let's go ahead.

Use this at your own risk.

Remark

- If while you compile you see an error, you may prefer to try to fix it rather than reboot to avoid kernel panic.

- Iptables: since a few releases ago, the iptables modules are no longer named iptables but x... something, I don't remember it by heart.

Let's go

1° - Check for the latest kernel version

"The latest stable version of the Linux kernel is:" <- the number here is the latest.

2° - Check if your old config file exists

# ll /boot/config-`uname -r`

(If the file does not exist you can already forget about using this way.)

3° - Download the kernel

# cd /usr/local/src
# rm -rf linux-`uname -r`    (in case the kernel source is already there)
# wget -q http://www.fht.lkams.kernel.org/pub/linux/kernel/v2.6/linux-2.6.17.6.tar.bz2


4° - Untar all

# tar xvfj linux-2.6.17.6.tar.bz2
# cd linux-2.6.17.6

5° - Clean && configure && compile

# make clean && make mrproper
(you can apply here your grsec patch if you want, as felosi wrote, according to the right version...)
# cp /boot/config-`uname -r` .config
# make oldconfig
# make bzImage
# make modules
# make modules_install
# make install

6° - Check grub/lilo config file

Make sure that your config file is ready to boot on the new kernel.

Cheers
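An added example, not code from either post above: a couple of shell checks to run after `make oldconfig`/`make menuconfig` and after `make install`, before you reboot, to confirm the .config really has grsecurity and PaX turned on and to see which grub entry `default=` currently points at. Paths in the usage comment are assumptions; point them at your own tree and grub.conf.

```shell
#!/bin/sh
# Added example, not part of the thread: pre-reboot sanity checks for the
# grsec kernel build described above. Paths below are placeholders.

# Return 0 when the .config at $1 has grsecurity and PaX enabled (the options
# the "Security Options -> grsecurity" menu sets), 1 otherwise.
grsec_config_ok() {
    grep -q '^CONFIG_GRKERNSEC=y' "$1" || return 1
    grep -q '^CONFIG_PAX=y' "$1" || return 1
}

# Print which grsecurity security level the .config at $1 selected:
# low, medium, high or custom. Prints "none" and returns 1 if no level is set.
grsec_level() {
    for lvl in LOW MEDIUM HIGH CUSTOM; do
        if grep -q "^CONFIG_GRKERNSEC_${lvl}=y" "$1"; then
            echo "$lvl" | tr 'A-Z' 'a-z'
            return 0
        fi
    done
    echo none
    return 1
}

# Print the title of the entry grub will boot by default. grub.conf's
# "default=N" is a 0-based index into the "title" lines; with the new
# kernel installed as the first entry (as in felosi's post), default=0
# boots the grsec kernel and default=1 the old one.
grub_default_title() {
    awk '/^default=/ { split($0, a, "="); want = a[2] + 0 }
         /^title/   { if (n == want) { sub(/^title[ \t]*/, ""); print }; n++ }' "$1"
}

# Usage, assuming the layout from the posts above:
#   grsec_config_ok /usr/src/linux/.config && echo "grsec level: $(grsec_level /usr/src/linux/.config)"
#   echo "grub will boot: $(grub_default_title /boot/grub/grub.conf)"
```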
 
I successfully booted into that grsec patched kernel on a Fedora box; I haven't booted into it on CentOS yet because of ircds running on my box, but I'm sure it will be ok.
I'm currently running the vanilla 2.6.17. The CentOS kernel, even the latest version, is still vulnerable to the /proc race, yet all the CentOS team tells you is to turn on SELinux. I have never run it, so I was afraid it would interfere.

There is a workaround though.

first if you cant reboot right away do

Code:
mount -o remount,nosuid /proc

Then edit /etc/fstab and add nosuid to the proc mount after defaults
 