grsecurity is a powerful and easy-to-use Linux kernel security enhancement. It gives you a lot of security features:
- An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
- Change root (chroot) hardening
- /tmp race prevention
- Extensive auditing
- Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc.)
- Prevention of arbitrary code execution in the kernel
- Randomization of the stack, library, and heap bases
- Kernel stack base randomization
- Protection against exploitable null-pointer dereference bugs in the kernel
- Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
- A restriction that allows a user to only view his/her processes
- Security alerts and audits that contain the IP address of the person causing the alert
Downloading the Linux kernel and grsecurity patch
First we need to download the grsecurity patch and the matching version of the Linux kernel source code. On this page you can find the latest stable version of the grsecurity patch (at the time of writing this post, it's for the Linux 2.6.32 stable tree). Before we start, make sure to install all the packages that you'll need to build the kernel:
# yum groupinstall "Development Tools"
# yum install ncurses-devel
# cd /usr/src/kernels
# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.32.23.tar.bz2
# wget http://grsecurity.net/stable/grsecurity-2.2.0-2.6.32.23-201009271837.patch
Patching the kernel
After downloading the Linux kernel source code and the grsecurity patch, we unpack and patch the kernel.
# tar xjf linux-2.6.32.23.tar.bz2
# patch -p0 < grsecurity-2.2.0-2.6.32.23-201009271837.patch
# mv linux-2.6.32.23 linux-2.6.32.23-grsec
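The -p0 in the patch step resolves only when patch runs from the directory that contains linux-2.6.32.23 (assuming the patch's paths begin with that directory name); run from anywhere else, patch cannot find its targets and stops at a "File to patch:" prompt. The shell helper below is an added example, not part of the original post: it reads the patch's +++ headers and prints the -p level that resolves from a given directory. The function names and the sample diff are constructed for illustration.

```shell
#!/bin/sh
# Added example: pick the patch -p level by checking where the diff's target
# paths resolve, so patch never stops at an interactive "File to patch:" prompt.

# strip_components PATH N: print PATH without its first N components.
strip_components() {
    p=$1; i=0
    while [ "$i" -lt "$2" ]; do
        case $p in */*) p=${p#*/} ;; *) return 1 ;; esac
        i=$((i + 1))
    done
    printf '%s\n' "$p"
}

# strip_level PATCHFILE DIR: print the smallest N (0-3) for which a target of
# the patch exists under DIR once N components are stripped; return 1 if none.
strip_level() {
    # Paths from the first 50 "+++ " headers; files the patch creates do not
    # exist yet, which is why more than one target is tried.
    targets=$(sed -n 's/^+++ \([^[:space:]]*\).*/\1/p' "$1" |
        grep -v '^/dev/null$' | head -n 50)
    for n in 0 1 2 3; do
        for t in $targets; do
            rel=$(strip_components "$t" "$n") || continue
            if [ -f "$2/$rel" ]; then echo "$n"; return 0; fi
        done
    done
    return 1
}

# make_sample DIR: constructed sample, a one-file tree plus a diff header whose
# paths start with the tree's directory name (assumed layout, not real data).
make_sample() {
    mkdir -p "$1/linux-2.6.32.23"
    echo 'VERSION = 2' > "$1/linux-2.6.32.23/Makefile"
    printf '%s\n' '--- linux-2.6.32.23/Makefile' '+++ linux-2.6.32.23/Makefile' \
        '@@ -1 +1 @@' '-VERSION = 2' '+VERSION = 2 # sample' > "$1/sample.patch"
}

# Usage: sh strip_level.sh PATCHFILE DIR
if [ "$#" -eq 2 ]; then
    strip_level "$1" "$2" || { echo "no -p level fits $2" >&2; exit 1; }
fi
```

Confirm the printed level with patch --dry-run before applying for real, so a mismatch shows up before any file in the source tree is modified.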
grsecurity configuration
Now we need to configure the new kernel. The easiest way is to start from your current kernel configuration file and then modify it.
# cd linux-2.6.32.23-grsec
# cp /boot/config-`uname -r` .config
# make menuconfig
You can find the grsecurity options under the Security options » Grsecurity menu. Select the security level and any other options you want. I suggest you check out this page to find more details about grsecurity options.
Building and installing the grsecurity kernel
All you need to do now is compile the kernel and install it on your system.
# make bzImage && make modules
# make modules_install && make install
Note: If you get a message like "2.6 PaX kernels no longer build correctly with old versions of binutils. Please upgrade your binutils to 2.18 or newer.", then you have to upgrade binutils by installing it manually from source.
# cd /usr/src
# wget http://ftp.gnu.org/gnu/binutils/binutils-2.20.1.tar.bz2
# tar xjf binutils-2.20.1.tar.bz2
# cd binutils-2.20.1
# ./configure && make && make install
After that, go back to the kernel directory and compile it. When it finishes, reboot your server into linux-2.6.32.23-grsec.
Cheers!
So, what about SELinux? Does it still work as with the CentOS distribution kernel?
No, it does not.
What should we do when it prompts with "file to patch:"? What to do?
Just use "patch -p1 < ./grsecurity-*.*-*.*.*-*****.patch" instead.
The purpose of operating system hardening is to eliminate as many security risks as possible. It is done by removing all non-essential utilities and software programs from the computer. Operating system hardening helps minimize security vulnerabilities. Thank you for sharing this informative article.