Thursday, 14 October 2010

Hardening CentOS kernel with grsecurity

Hardening the server's kernel is one of the most important things we need to consider when speaking about OS hardening. This is mini-howto install and configure grsecurity on CentOS server.

grsecurity is powerful and easy to use Linux kernel security enhancement. It gives you a lot of security features:
  • An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
  • Change root (chroot) hardening
  • /tmp race prevention
  • Extensive auditing
  • Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc)
  • Prevention of arbitrary code execution in the kernel
  • Randomization of the stack, library, and heap bases
  • Kernel stack base randomization
  • Protection against exploitable null-pointer dereference bugs in the kernel
  • Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
  • A restriction that allows a user to only view his/her processes
  • Security alerts and audits that contain the IP address of the person causing the alert
Take a look at grsecurity features for more details.

Downloading linux kernel and grsecurity patch

At the first we need to download grsecurity patch and the right version of Linux kernel source code. In this page you can find the latest stable version of grsecurity patch (At the time of writing this post, it's for linux 2.6.32 stable tree).

Before we start make sure to install all the necessary packages that you'll need to build the kernel:

# yum groupinstall "Development Tools"
# yum install ncurses-devel

# cd /usr/src/kernels
# wget
# wget

Patching the kernel

After downloading linux kernel source code and grsecurity patch we are going to unpack and patch the kernel.

# tar xjf linux-
# patch -p0 < grsecurity-2.2.0-
# mv linux- linux-

grsecurity configuration

Now we need to configure the new kernel. The easiest way is to use your current kernel configuration file and then modify it.

# cd linux-
# cp /boot/config-`uname -r` .config
# make menuconfig

You can find grsecurity options under Security options » Grsecurity menu. Select the security level and any other options you want. I suggest you checkout this page to find more details about grsecurity options.

Building and installing grsecurity kernel

All you need to do now is compiling the kernel and install it on your system.

# make bzImage && make modules
# make modules_install && make install

Note: If you get message like this "2.6 PaX kernels no longer build correctly with old versions of binutils. Please upgrade your binutils to 2.18 or newer." then you have to upgrade binutils by installing it manually from the source.

# cd /usr/src
# wget
# tar xjf binutils-2.20.1.tar.bz2
# cd binutils-2.20.1
# ./configure && make && make install

After that go back to the kernel directory and compile it. When it finish reboot your server into linux-



  1. So, what about SELinux? Is it still works as with CentOS distribution kernel?

  2. No, it does not.

  3. what we should do when it prompts as

    "file to patch:"

    what to do..........?

  4. Just use "patch -p1 < ./grsecurity-*.*-*.*.*-*****.patch" instead.