Product Name : Grsecurity Kernel Patch ( Linux Environment Security )
Homepage : http://www.grsecurity.com/
Description : grsecurity is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. It is licensed under the GPL.
It offers among many other features:
* An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
* Change root (chroot) hardening
* /tmp race prevention
* Extensive auditing
* Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc)
* Prevention of arbitrary code execution in the kernel
* Randomization of the stack, library, and heap bases
* Kernel stack base randomization
* Protection against exploitable null-pointer dereference bugs in the kernel
* Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
* A restriction that allows a user to only view his/her processes
* Security alerts and audits that contain the IP address of the person causing the alert
REMEMBER THIS IS AT YOUR OWN RISK, THIS MUST NOT BE DONE ON A LIVE SERVER
Step 1: Downloading and patching kernel with grsecurity
cd /usr/local/src
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.26.5.tar.gz
wget http://www.grsecurity.com/test/grsecurity-2.1.12-2.6.26.5-200809141715.patch
tar xzvf linux-2.6.26.5.tar.gz
patch -p0 < grsecurity-2.1.12-2.6.26.5-200809141715.patch
mv linux-2.6.26.5 linux-2.6.26.5-grsec
ln -s linux-2.6.26.5-grsec/ linux
cd linux
You should use the newest kernel and grsecurity patch, but I can't guarantee it will work with the .config file below. So if you're unsure about using the patch file from my server, get the latest at www.grsecurity.com
Step 2: Copying a custom kernel config from securecentos (32Bit and 64Bit)
(32Bit) wget --output-document=.config http://www.securecentos.com/files/grsec/config32
(64Bit) wget --output-document=.config http://www.securecentos.com/files/grsec/config64
Step 3: Then start up the config menu
make menuconfig
Step 4: Customize your Kernel
Change CPU - Processor type and features - Processor Family (CHOOSE YOURS) IMPORTANT!
Grsecurity Settings:
Grsecurity: You will find it under Security Options - Grsecurity (Enable)
Change Grsecurity Level - Security Level (Low/Medium/High/Custom)
Hide Kernel Processes - Role Based Access Control Options - Choose Hide kernel processes
* Change settings so they match your system.
* Change grsecurity settings to your standard
* Any other settings you want to change
Save and Exit
Step 5: Start compiling the kernel
make bzImage
make modules
make modules_install
make install
Step 6: Check your grub loader config, and make sure default is 1
nano -w /boot/grub/grub.conf
Step 7: Then add panic=5 at the end of the kernel /vmlinuz-2.6.26.2 line, something like this
title CentOS (2.6.26.5-grsec)
root (hd0,0)
kernel /vmlinuz-2.6.26.5-grsec ro root=LABEL=/ panic=5
initrd /initrd-2.6.26.5-grsec.img
The panic=5 makes the kernel reboot after 5 seconds if there is a kernel panic
Step 8: Make sure grub only loads the new kernel once, in case of kernel panic
grub
savedefault --default=0 --once
quit
Step 9: Reboot and hope for the best
shutdown -r now
You can, for example, set your workstation to ping the server. It can take up to 10 min before the server is up.
Step 10: If/when server is up, check kernel version by typing
uname -r
You should get 2.6.26.5-grsec as an answer
If not, you still have the same kernel as the original, 2.6.18 something; you probably got a kernel panic.
Step 11: If it worked, you can set the new kernel to boot up every time! Edit boot file:
nano -w /boot/grub/grub.conf
If the grsecurity is the first one in the list, change default to 0, since the order starts from 0 and up.
SAVE and restart to be sure that it works. That's all ;)
Step 12: Add kernel exclude in yum.conf (makes sure yum update/upgrade doesn't "overwrite" your new grsec kernel)
nano -w /etc/yum.conf
Add this at the end of the [main] section:
exclude=kernel*
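Steps 6 to 12 depend on four facts in two files: where the grsec entry sits in grub.conf, what default= points at, whether panic= is on the grsec kernel line, and whether yum excludes kernel packages. The script below is an added example, not part of the original guide; the function names and the sample files are constructed for illustration, and on a real server you would pass /boot/grub/grub.conf and /etc/yum.conf instead.

```shell
#!/bin/sh
# Added example (not from the original guide): checks for Steps 6 to 12.
# Function names and sample files are constructed for illustration.

# Print the 0-based position of the first "title" entry mentioning grsec.
grsec_entry_index() {
    awk '/^[ \t]*title[ \t]/ { n++
             if (tolower($0) ~ /grsec/) { print n - 1; found = 1; exit } }
         END { if (!found) exit 1 }' "$1"
}

# Print the numeric value of the default= line (empty if absent or non-numeric).
grub_default() {
    sed -n 's/^[[:space:]]*default[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Succeed only if the grsec entry's kernel line carries panic=<seconds>.
grsec_has_panic() {
    awk '/^[ \t]*title[ \t]/ { in_grsec = (tolower($0) ~ /grsec/) }
         in_grsec && /^[ \t]*kernel[ \t]/ && /[ \t]panic=[0-9]+/ { ok = 1 }
         END { exit (ok ? 0 : 1) }' "$1"
}

# Succeed only if the [main] section of yum.conf excludes kernel packages.
yum_excludes_kernel() {
    awk '/^\[/ { in_main = ($0 ~ /^\[main\]/) }
         in_main && /^exclude[ \t]*=.*kernel\*/ { ok = 1 }
         END { exit (ok ? 0 : 1) }' "$1"
}

# Constructed sample files (assumptions, not taken from a real server).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/grub.conf" <<'EOF'
default=1
title CentOS (2.6.26.5-grsec)
    root (hd0,0)
    kernel /vmlinuz-2.6.26.5-grsec ro root=LABEL=/ panic=5
    initrd /initrd-2.6.26.5-grsec.img
title CentOS (2.6.18-original)
    root (hd0,0)
    kernel /vmlinuz-2.6.18-original ro root=LABEL=/
EOF
printf '[main]\ncachedir=/var/cache/yum\nexclude=kernel*\n' > "$SAMPLE_DIR/yum.conf"

echo "grsec entry index: $(grsec_entry_index "$SAMPLE_DIR/grub.conf")"
echo "grub default:      $(grub_default "$SAMPLE_DIR/grub.conf")"
grsec_has_panic "$SAMPLE_DIR/grub.conf" && echo "panic= present on grsec kernel line"
yum_excludes_kernel "$SAMPLE_DIR/yum.conf" && echo "yum excludes kernel*"
```

On the sample, the grsec entry is at index 0 while default is 1, which is the expected state between Step 8 and Step 11; after Step 11 the two values should match.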


