Welcome to Kuwait Linux User Group - OpenSource free stuff

Search   in  

 Create an AccountHome | Gallery | Submit News | Your Account | Content | Topics | Top 10  

Modules
· Home
· Advertising
· Downloads
· FAQ
· Forums
· PHP-Nuke Tools
· Stories Archive
· Submit News
· Surveys
· Top 10
· Topics
· Tutorials
· Web Links
· Your Account

Search
Google
Web q8linux.net

  

How to install Grsecurity patched kernel

How to install Grsecurity patched kernel (Slackware)



How to install Grsecurity patched kernel (Slackware)

1- cd /usr/src/

2- wget http://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.33.3.tar.bz2 or just install the kernel source that located in slackware.com

3- tar –xjvf linux-2.4.33.3.tar.bz2 then cd linux-2.4.33.3

4- wget http://grsecurity.org/grsecurity-2.1.9-2.4.33.3-200609031224.patch.gz

5- gunzip grsecurity-2.1.9-2.4.33.3-200609031224.patch.gz

6- patch –p1 < grsecurity-2.1.9-2.4.33.3-200609031224.patch

7- make mrproper

   8- for slackware cp /boot/config /usr/src/linux-2.4.33.3/.config
    or cp config .config
 
8-    make oldconfig
9-    choose Y beside Grsecurity (config_GRKERNSEC)[N/y/?](NEW) Y
   choose Medium for security level to achieve best security. scroll down to know more)
 
Now before you do make dep you have to make this step:
 
pico .config  then scroll down till you see: CONFIG_CRYPTO=Y 
and put Y beside CONFIG_CRYPTO_SHA256=Y that's very important.
 
 
10 - make dep
11 - make bzImage
12 - make modules && make modules_install
13 - cp /usr/src/linux-2.4.33.3/arch/i386/boot/bzImage /boot/mykernel-2.4.33.3
14 - edit lilo  : pico /etc/lilo.conf add:
# Linux bootable partition config begins
image = /boot/mykernel-2.4.33.3
root = /dev/hda1
label = Linux
read-only

image = /boot/vmlinuz
root = /dev/hda1
label = Linux2
read-only

now do : lilo -v to save it.

Security level :

Low additional security

If you choose this option, several of the grsecurity options will be enabled that will give you greater protection against a number of attacks, while assuring that none of your software will have any conflicts with the additional security measures. If you run a lot of unusual software, or you are having problems with the higher security levels, you should say Y here. With this option, the following features are enabled:

linking restrictions

fifo restrictions

random pids

enforcing nproc on execve()

restricted dmesg

random ip ids

enforced chdir("/") on chroot

Medium additional security

If you say Y here, several features in addition to those included in the low additional security level will be enabled. These features provide even more security to your system, though in rare cases they may be incompatible with very old or poorly written software. If you enable this option, make sure that your auth service (identd) is running as gid 10 (usually group wheel). With this option the following features (in addition to those provided in the low additional security level) will be enabled:

random tcp source ports

failed fork logging

time change logging

signal logging

deny mounts in chroot

deny double chrooting

deny sysctl writes in chroot

deny mknod in chroot

deny access to abstract AF_UNIX sockets out of chroot

deny pivot_root in chroot

denied writes of /dev/kmem, /dev/mem, and /dev/port

/proc restrictions with special gid set to 10 (usually wheel)

address space layout randomization

removal of addresses from /proc//[maps|stat]

High additional security

If you say Y here, many of the features of grsecurity will be enabled, that will protect you against many kinds of attacks against your system. The heightened security comes at a cost of an increased chance of incompatibilities with rare software on your machine. Since this security level enables PaX, you should view and read about the PaX project. While you are there, download chpax and run it on binaries that cause problems with PaX. Also remember that since the /proc restrictions are enabled, you must run your identd as group wheel (gid 10). This security level enables the following features in addition to those listed in the low and medium security levels:

additional /proc restrictions

chmod restrictions in chroot

no signals, ptrace, or viewing processes outside of chroot

capability restrictions in chroot

deny fchdir out of chroot

priority restrictions in chroot

segmentation-based implementation of PaX

mprotect restrictions

kernel stack randomization

mount/unmount/remount logging

kernel symbol hiding

Customized additional security

If you say Y here, you will be able to configure every grsecurity option, which allows you to enable many more features that aren't covered in the basic security levels. These additional features include TPE, socket restrictions, and the sysctl system for grsecurity. It is advised that you read through the help for each option to determine its usefulness in your situation.



http://www.grsecurity.net

Q8linux

Copyright © by Kuwait Linux User Group - OpenSource free stuff All Rights Reserved.

Published on: 2006-09-18 (340 reads)

[ Go Back ]

All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest ©2004-2008 by Q8linux.ßæíÊ áíäßÓ
PHP-Nuke Copyright © 2004 by Francisco Burzi. This is free software, and you may redistribute it under the GPL. PHP-Nuke comes with absolutely no warranty, for details, see the license.
Page Generation: 0.19 Seconds