grsecurity is powerful and easy to use Linux kernel security enhancement. It gives you a lot of security features:
- An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
- Change root (chroot) hardening
- /tmp race prevention
- Extensive auditing
- Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc)
- Prevention of arbitrary code execution in the kernel
- Randomization of the stack, library, and heap bases
- Kernel stack base randomization
- Protection against exploitable null-pointer dereference bugs in the kernel
- Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
- A restriction that allows a user to only view his/her processes
- Security alerts and audits that contain the IP address of the person causing the alert
Downloading linux kernel and grsecurity patchAt the first we need to download grsecurity patch and the right version of Linux kernel source code. In this page you can find the latest stable version of grsecurity patch (At the time of writing this post, it's for linux 2.6.32 stable tree).
Before we start make sure to install all the necessary packages that you'll need to build the kernel:
# yum groupinstall "Development Tools"
# yum install ncurses-devel
# cd /usr/src/kernels
# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-184.108.40.206.tar.bz2
# wget http://grsecurity.net/stable/grsecurity-2.2.0-220.127.116.11-201009271837.patch
Patching the kernelAfter downloading linux kernel source code and grsecurity patch we are going to unpack and patch the kernel.
# tar xjf linux-18.104.22.168.tar.bz2
# patch -p0 < grsecurity-2.2.0-22.214.171.124-201009271837.patch
# mv linux-126.96.36.199 linux-188.8.131.52-grsec
grsecurity configurationNow we need to configure the new kernel. The easiest way is to use your current kernel configuration file and then modify it.
# cd linux-184.108.40.206-grsec
# cp /boot/config-`uname -r` .config
# make menuconfig
You can find grsecurity options under Security options » Grsecurity menu. Select the security level and any other options you want. I suggest you checkout this page to find more details about grsecurity options.
Building and installing grsecurity kernelAll you need to do now is compiling the kernel and install it on your system.
# make bzImage && make modules
# make modules_install && make install
Note: If you get message like this "2.6 PaX kernels no longer build correctly with old versions of binutils. Please upgrade your binutils to 2.18 or newer." then you have to upgrade binutils by installing it manually from the source.
# cd /usr/src
# wget http://ftp.gnu.org/gnu/binutils/binutils-2.20.1.tar.bz2
# tar xjf binutils-2.20.1.tar.bz2
# cd binutils-2.20.1
# ./configure && make && make install
After that go back to the kernel directory and compile it. When it finish reboot your server into linux-220.127.116.11-grsec.