Kuwait Linux User Group

Welcome to the Kuwait Linux User Group, which is dedicated to discussing Linux, BSD and the use of open source software,
especially for the Kuwait community and others, and to encouraging people to use it.

September 18, 2006 01:30 AM EDT

How to install Grsecurity patched kernel (Slackware)

1- cd /usr/src/

2- wget http://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.33.3.tar.bz2 or install the kernel source package from slackware.com

3- tar xjvf linux-2.4.33.3.tar.bz2 then cd linux-2.4.33.3

4- wget http://grsecurity.org/grsecurity-2.1.9-2.4.33.3-200609031224.patch.gz

5- gunzip grsecurity-2.1.9-2.4.33.3-200609031224.patch.gz

6- patch -p1 < grsecurity-2.1.9-2.4.33.3-200609031224.patch

7- make mrproper

8- For Slackware, copy the stock kernel config: cp /boot/config /usr/src/linux-2.4.33.3/.config
   (or cp config .config if you have your own config file)

9- make oldconfig

10- Answer Y at the grsecurity prompt: Grsecurity (CONFIG_GRKERNSEC) [N/y/?] (NEW) y
    then choose Medium as the security level to get the best security (see the security level descriptions below).

Now, before you run make dep, you have to do this step:

pico .config, then scroll down until you see CONFIG_CRYPTO=y
and make sure the line CONFIG_CRYPTO_SHA256=y is set. That is very important.

11- make dep
12- make bzImage
13- make modules && make modules_install
14- cp /usr/src/linux-2.4.33.3/arch/i386/boot/bzImage /boot/mykernel-2.4.33.3
15- Edit lilo: pico /etc/lilo.conf and add:

   # Linux bootable partition config begins
   image = /boot/mykernel-2.4.33.3
   root = /dev/hda1
   label = Linux
   read-only

   image = /boot/vmlinuz
   root = /dev/hda1
   label = Linux2
   read-only

Then run lilo -v to write the new boot map.
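The whole procedure above collected into one script, as an added example that is not code from the original post. The kernel version, patch name, URLs and paths are the ones the post uses; the helpers set_config_option and require_config_options and the RUN_BUILD switch are assumptions written for this example. The point it adds to the steps is a check: the three options the post says must be set before make dep are verified in the .config, so a missing CONFIG_CRYPTO_SHA256=y stops the build early instead of surfacing later.

```shell
#!/bin/sh
# Added example, not code from the original post: the Slackware grsecurity
# build steps as one script. set_config_option, require_config_options and
# the RUN_BUILD switch are this example's own helpers.

KVER=2.4.33.3
KERNEL_URL=http://www.kernel.org/pub/linux/kernel/v2.4/linux-${KVER}.tar.bz2
GRSEC_PATCH=grsecurity-2.1.9-${KVER}-200609031224.patch
GRSEC_URL=http://grsecurity.org/${GRSEC_PATCH}.gz
SRC_DIR=/usr/src/linux-${KVER}

# Set NAME=VALUE in a kernel .config: replaces an existing "NAME=..." line or
# a "# NAME is not set" line, and appends the option if it is absent.
# Goes through a temp file so it also works with a sed that lacks -i.
set_config_option() {
    cfg=$1; name=$2; value=$3
    if grep -q "^${name}=" "$cfg" || grep -q "^# ${name} is not set" "$cfg"; then
        sed -e "s|^${name}=.*|${name}=${value}|" \
            -e "s|^# ${name} is not set\$|${name}=${value}|" "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    else
        printf '%s=%s\n' "$name" "$value" >> "$cfg"
    fi
}

# Return 0 when every NAME=VALUE argument appears verbatim in the .config,
# otherwise report the first missing one on stderr and return 1.
require_config_options() {
    cfg=$1; shift
    for want in "$@"; do
        if ! grep -q "^${want}\$" "$cfg"; then
            echo "missing in $cfg: $want" >&2
            return 1
        fi
    done
    return 0
}

# The post's steps in order; run as root with RUN_BUILD=1.
build_grsec_kernel() {
    set -e
    cd /usr/src
    wget "$KERNEL_URL"
    tar xjf "linux-${KVER}.tar.bz2"
    cd "$SRC_DIR"
    wget "$GRSEC_URL"
    gunzip "${GRSEC_PATCH}.gz"
    patch -p1 < "$GRSEC_PATCH"
    make mrproper               # deletes any existing .config, so copy it afterwards
    cp /boot/config .config     # Slackware ships the running kernel's config here
    make oldconfig              # answer y to Grsecurity (CONFIG_GRKERNSEC), pick Medium
    # The step the post marks as very important: SHA256 must be built in.
    set_config_option .config CONFIG_CRYPTO y
    set_config_option .config CONFIG_CRYPTO_SHA256 y
    require_config_options .config CONFIG_GRKERNSEC=y CONFIG_CRYPTO=y CONFIG_CRYPTO_SHA256=y
    make dep
    make bzImage
    make modules && make modules_install
    cp arch/i386/boot/bzImage "/boot/mykernel-${KVER}"
    echo "Now add an image = /boot/mykernel-${KVER} stanza to /etc/lilo.conf and run: lilo -v"
}

if [ "${RUN_BUILD:-0}" = 1 ]; then
    build_grsec_kernel
fi
```

The lilo.conf edit is left to you on purpose: the script prints a reminder rather than rewriting the boot loader config, so the old kernel stanza stays as a fallback entry.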
 

Security levels:

Low additional security

If you choose this option, several of the grsecurity options will be enabled that will give you greater protection against a number of attacks, while assuring that none of your software will have any conflicts with the additional security measures. If you run a lot of unusual software, or you are having problems with the higher security levels, you should say Y here. With this option, the following features are enabled:

linking restrictions

fifo restrictions

random pids

enforcing nproc on execve()

restricted dmesg

random ip ids

enforced chdir("/") on chroot

Medium additional security

If you say Y here, several features in addition to those included in the low additional security level will be enabled. These features provide even more security to your system, though in rare cases they may be incompatible with very old or poorly written software. If you enable this option, make sure that your auth service (identd) is running as gid 10 (usually group wheel). With this option the following features (in addition to those provided in the low additional security level) will be enabled:

random tcp source ports

failed fork logging

time change logging

signal logging

deny mounts in chroot

deny double chrooting

deny sysctl writes in chroot

deny mknod in chroot

deny access to abstract AF_UNIX sockets out of chroot

deny pivot_root in chroot

denied writes of /dev/kmem, /dev/mem, and /dev/port

/proc restrictions with special gid set to 10 (usually wheel)

address space layout randomization

removal of addresses from /proc/<pid>/[maps|stat]

High additional security

If you say Y here, many of the features of grsecurity will be enabled, that will protect you against many kinds of attacks against your system. The heightened security comes at a cost of an increased chance of incompatibilities with rare software on your machine. Since this security level enables PaX, you should view and read about the PaX project. While you are there, download chpax and run it on binaries that cause problems with PaX. Also remember that since the /proc restrictions are enabled, you must run your identd as group wheel (gid 10). This security level enables the following features in addition to those listed in the low and medium security levels:

additional /proc restrictions

chmod restrictions in chroot

no signals, ptrace, or viewing processes outside of chroot

capability restrictions in chroot

deny fchdir out of chroot

priority restrictions in chroot

segmentation-based implementation of PaX

mprotect restrictions

kernel stack randomization

mount/unmount/remount logging

kernel symbol hiding

Customized additional security

If you say Y here, you will be able to configure every grsecurity option, which allows you to enable many more features that aren't covered in the basic security levels. These additional features include TPE, socket restrictions, and the sysctl system for grsecurity. It is advised that you read through the help for each option to determine its usefulness in your situation.
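A check for the prerequisite the Medium and High levels both state, that identd runs with the /proc restriction gid (10, usually wheel), as an added example that is not from the original post or from grsecurity. The helpers group_gid and check_identd_gid are written for this example; the sample group file and process listing in the usage comments are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: verify the identd/gid 10
# prerequisite of the Medium and High security levels. group_gid and
# check_identd_gid are helpers written for this example.

PROC_GID=10

# Print the numeric gid of a group name from a group(5)-format file.
group_gid() {
    awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2"
}

# Read "GID COMMAND" lines (as produced by: ps -eo gid,comm) on stdin.
# Returns 0 if identd or in.identd runs with PROC_GID, 1 if it runs with
# another gid (the /proc restrictions are lifted only for PROC_GID), and 2
# if no identd process is listed at all.
check_identd_gid() {
    awk -v want="$PROC_GID" '
        $2 ~ /^(in\.)?identd$/ { seen = 1; if ($1 == want) ok = 1 }
        END { if (!seen) exit 2; exit ok ? 0 : 1 }'
}

# Live use on the box (not run here):
#   [ "$(group_gid wheel /etc/group)" = "$PROC_GID" ] || echo "wheel is not gid $PROC_GID"
#   ps -eo gid,comm | check_identd_gid || echo "identd is not running as gid $PROC_GID"
```

Run both checks before rebooting into the new kernel, since a wrongly grouped identd only shows up as an auth service that cannot see the processes it is asked about.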



http://www.grsecurity.net


Q8linux

Copyright © by Kuwait Linux User Group
All rights reserved.

Category: howto