Script to compile, patch, and fully install grsecurity patched kernel

felosi

Ok, here is the script I wrote for downloading the latest kernel and grsecurity patch, patching the kernel, and then building it. It grabs the config file I made up for single processor Pentium 4 based servers. The security setting is set to low with proc restrictions, where users can only see their own processes. Also all xtables, iptables and other common features are enabled.
I have tried this on a Fedora server and it did great, so if everyone else likes it I will make one for AMD as well.
I also will be making an updated howto for those who wish to go over their config manually.
If anyone has any feedback or suggestions, or wants to report a problem, simply post in the forum or come look for us in IRC.
Here is how to get the script going:

Code:
cd /usr/src

Code:
wget www.evolution-security.com/files/grkern.sh

Code:
chmod 755 grkern.sh

Code:
./grkern.sh

Give it a while to compile and install, then when it is done do this:

Code:
grub
savedefault --default=0 --once
quit

Then reboot, or better yet have your datacenter reboot it in case the kernel panics.
You shouldn't have any problems if you are on CentOS with a Pentium 4 based server. It took me a few kernel panics and testing various things to get this config right. It is about as many security features as you can use without causing anything to break. So basically as restrictive as you can get on a hosting server.
 
Well, nice script but...

Any error control? And any test to make sure you will compile it on Linux and not on FreeBSD?

Script seems a bit light to do all that...
 
Well, the config is already configured for a Pentium 4 single processor machine, so most of the work is there. The grsecurity features are about as much as you can go without breaking stuff. I experimented with those a lot, got a few kernel panics and access denied on certain binaries, so I just set the grsecurity setting on low and enabled proc restrictions. I did not use PaX, as when I did try it, it slowed down the server and brought the load up high.

This is all you need for a hosting box, even one with shell accounts. I tried a few public and a few private local root exploits on it and none worked, so that is good. And I just hacked at it every way I could.

The average server owner who just does web hosting on a cPanel server or whatever will not need this, just to update their kernel. But if you have a server with shell accounts and run DirectAdmin, I strongly suggest it. I love DirectAdmin: it's fast, has all I need and doesn't take over your server. But as I said 100 times before, the way it runs Apache is dangerous at best, and if you get shell on a PHP site on a DA server you can run local root exploits right from the home directory. And even worse, you could cd to tmp and wget some more exploits and spamming tools. The list goes on, but it's not good.

Using DirectAdmin you absolutely have to keep a good PHP configuration and try to keep everyone on safe mode, but even then shells like c99 can still upload to whatever site they are included in. Most people don't worry about it, but I worry more about people uploading mass mailers and crap like that. Also, using mod_security with relevant rules from gotroot.com is a must as well for DirectAdmin. If for any reason I ever quit using DirectAdmin, it will be because of this, and it doesn't look like they are considering changing it. But hey, I guess I'm just a security-minded person and keep in mind the bad things that can happen. I would have to say, and lots of people will agree with me, that this is something cPanel has by a long shot against DA.

But enough about that. Yeah, this is already configured for single processor P4 machines, and all the script does is download the kernel and the patch, apply the patch, download the config I made, then compile and install it.

Hmm, the best way I can explain it is that it has the most security features you can have on a live hosting server with websites, IRC, and other binaries. It is also as secure as you can get it without slowing things down.
 
Q: Does it also work on AMD Athlon?

Since the people who will use such a script will certainly be newbies, and will be happy to have their server more secure, let me propose a simple, but at least just a bit more secure, system... feel free to use it, or to shout at me.

Code:
#!/bin/sh

###################################################
# grkern.sh                                       #
#                                                 #
# Author : Name Lastname                          #
# Email  : [email protected]                   #
# Home   : http://www.---------.--                #
#                                                 #
# This script is made to install/upgrade to the   #
# kernel v2.6.xx.xx and harden it with grsec.     #
#                                                 #
# !!! USE IT AT YOUR OWN RISK !!!                 #
#                                                 #
###################################################

# Abort on the first failing command (download, patch, make) instead of
# carrying on and installing a half-built kernel
set -e

# Define version and variables
OS_TYPE=$(uname)
KERNEL_VERSION=2.6.17.11
GRSEC_VERSION=2.1.9-2.6.17.11-200609031316

# Test which OS is running: a Linux kernel build only makes sense on Linux
if [ "$OS_TYPE" != "Linux" ]; then
    echo "This script does not work on $OS_TYPE, only on Linux." >&2
    exit 1
fi
echo "This system is Linux, let's go on!"

# Work hard
cd /usr/src

wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-${KERNEL_VERSION}.tar.bz2
wget http://grsecurity.org/grsecurity-${GRSEC_VERSION}.patch.gz

tar -xjvf linux-${KERNEL_VERSION}.tar.bz2
# The grsecurity patch is diffed against linux-<version>/, so it is applied
# with -p0 from /usr/src; use the variable so the version is set in one place
gunzip < grsecurity-${GRSEC_VERSION}.patch.gz | patch -p0
mv linux-${KERNEL_VERSION} linux-${KERNEL_VERSION}-grsec

cd linux-${KERNEL_VERSION}-grsec
# Pre-made config for a single processor Pentium 4 hosting box
wget www.evolution-security.com/grsec-config
mv grsec-config .config
make bzImage
make modules
make modules_install
make install

exit 0
 
I'm working on one for AMD now, but I'm going to have to use my friend's AMD system to compile and install it and make sure everything is ok.
If you check one wrong option with this kernel, your system will just crash out of nowhere. I had the longest time having trouble with it.
Thanks.
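Since a pre-made .config for a uniprocessor Pentium 4 box is the wrong config for an SMP Athlon, and the thread notes that one wrong option crashes the machine, here is an added example (not the thread's grkern.sh, nor anything from evolution-security.com) that checks a downloaded .config against the expected profile before make is run. The Kconfig symbol names in the profile are assumed grsecurity 2.1.x / 2.6.17-era names, and the sample .config is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the thread's grkern.sh: sanity-check a downloaded kernel
# .config against the profile the build is meant to have before running make.

# config_value FILE SYMBOL: prints the symbol's value (y, m, or a string); prints "n"
# both for "# CONFIG_FOO is not set" and for a symbol absent from the file.
config_value() {
    _v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    if [ -n "$_v" ]; then echo "$_v"; else echo n; fi
}

# check_config FILE SYMBOL=VALUE...: prints one line per mismatch and returns the
# number of mismatches as its exit status (0 means the config matches the profile).
check_config() {
    _file=$1; shift
    _bad=0
    for _exp in "$@"; do
        _sym=${_exp%%=*}
        _want=${_exp#*=}
        _have=$(config_value "$_file" "$_sym")
        if [ "$_have" != "$_want" ]; then
            echo "MISMATCH $_sym: want $_want, have $_have"
            _bad=$((_bad + 1))
        fi
    done
    return "$_bad"
}

# Profile for the thread's uniprocessor Pentium 4 hosting config (grsec low, proc
# restrictions, xtables/iptables, no PaX). Symbol names are assumed grsecurity 2.1.x
# Kconfig names; adjust them to what `make menuconfig` shows for your tree.
P4_HOSTING_PROFILE="CONFIG_GRKERNSEC=y CONFIG_GRKERNSEC_LOW=y CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y CONFIG_NETFILTER_XTABLES=y CONFIG_IP_NF_IPTABLES=y
CONFIG_MPENTIUM4=y CONFIG_SMP=n CONFIG_PAX=n"

# Constructed sample .config: grsec options right, but built for an SMP (non-P4) box.
write_sample_config() {
    _f=$(mktemp) || return 1
    cat > "$_f" <<'EOF'
CONFIG_SMP=y
# CONFIG_MPENTIUM4 is not set
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_LOW=y
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_IP_NF_IPTABLES=y
EOF
    echo "$_f"
}
```

Run it as `check_config /usr/src/linux-2.6.17.11-grsec/.config $P4_HOSTING_PROFILE` and refuse to build when the exit status is non-zero; on the constructed sample it reports the CONFIG_SMP and CONFIG_MPENTIUM4 mismatches.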
 