  1. #1

    Compile 2.6.5 + GrSecurity

    Tested on RH 7.3, 9, Fedora

     

    Today I will be discussing how to compile a 2.6.5 kernel with the GrSecurity patch. Before we go any further: anything bad that happens is your fault, not mine. Now that we have got that over and done with, let's talk about GrSecurity and what it is. GrSecurity is a patch applied to your kernel and acts as a multi-layered detection, prevention, and containment model. A complete list of its features can be located at

    Let's get started (as root):

    1.) Change to a directory to work in; for today we are going to choose /usr/src:

    cd /usr/src
    2.) Let's download the kernel and the grsecurity patch that matches the kernel version:

    3.) Extract and patch the kernel sources with the grsecurity patch:

    ( Please note: if you do not have "patch" you can use up2date on an up2date-enabled server to install it: up2date -f patch )


    patch -p0 < grsecurity-2.0-2.6.5.patch
    4.) Let's clean up the kernel source:


    make clean
    make mrproper
     
    5.) Grab that old kernel config and make a new config from it

    cp /boot/config-`uname -r` .config
    make oldconfig
    During this stage it will come to a part asking if you want to enable grsecurity; select yes, and on the next screen I usually select medium. More info on the levels here:
    http://www.webhostingtalk.com/showth...hreadid=232664

    6.) Time to build the kernel up.

    ( please note "make dep" is not required in 2.6.x kernels any longer. )


    make bzImage
    (wait for this to complete and ensure no errors)

    make modules
    (wait for this to complete and ensure no errors)

    make modules_install
    (wait for this to complete and ensure no errors)
    7.) After everything is done compiling (it will take a while, get some coffee or something):


    cp .config /boot/config-2.6.5-grsec
    cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.5-grsec
    cp System.map /boot/System.map-2.6.5-grsec
    mkinitrd /boot/initrd-2.6.5-grsec.img 2.6.5-grsec

    WHICH BOOTLOADER DO I HAVE?!! OH NO!


    There are a few ways to figure this out.

    Solution 1:


    /sbin/grubby --bootloader-probe
    Solution 2:


    dd if=/dev/hda bs=512 count=1 2>&1 | grep GRUB
    dd if=/dev/hda bs=512 count=1 2>&1 | grep LILO

    One of them will kick back something like:

    root@w00t [~]# dd if=/dev/hda bs=512 count=1 2>&1 | grep GRUB
    Binary file (standard input) matches
    root@w00t [~]#
     

    Now that we have figured out the bootloader lets add the kernel to the bootloader:

    LILO

    Add the following to lilo.conf ( make sure you follow the format of your own bootloader settings ):


    image=/boot/vmlinuz-2.6.5-grsec
            label=2.6.5-grsec
            initrd=/boot/initrd-2.6.5-grsec.img
            read-only
            append="root=LABEL=/"

    Before you set it to boot as default, let's make it boot the next time only. Save your config and do the following:
    /sbin/lilo -v -v
    /sbin/lilo -R 2.6.5-grsec

     

    GRUB

    Add the following to grub.conf ( make sure you follow the format of your own bootloader settings ):


    title Red Hat Linux (2.6.5-grsec)
            root (hd0,0)
            kernel (hd0,0)/vmlinuz-2.6.5-grsec root=/dev/hda3
            initrd (hd0,0)/initrd-2.6.5-grsec.img

    Info on GRUB's failsafe is located here:

    http://www.webhostingtalk.com/showth...hreadid=235241

     

    Reboot the box and hope for the best; be sure to check dmesg for anything weird.


    This post was inspired by choon's post on 2.4.x kernels.


    Thank you,
    Steve

    Last edited by choon; 05-27-2004 at 11:12 AM.

  2. #2
    If anyone has a spare RHE cPanel box I can try on, let me know =)

    Last edited by choon; 05-27-2004 at 11:13 AM.

  3. #3
    Works on any Linux distro

    Before you even touch the 2.6 kernel you need to:

    Download the latest version of module-init-tools
    module-init-tools-3.0-pre10.tar.gz and modutils-2.4.21-2x.src.rpm

    http://www.kernel.org/pub/linux/kern...rusty/modules/

    Install module-init-tools
    This will replace depmod [/sbin/depmod] and
    other tools.

    tar -zxvf module-init-tools-3.0-pre10.tar.gz
    cd module-init-tools-3.0-pre10
    ./configure --prefix=/sbin
    make
    make install
    ./generate-modprobe.conf /etc/modprobe.conf

    Install modutils-2.4.21-23.src.rpm
    You may get warnings about user rusty and group rusty not existing. Also, yes, you'll have to force the
    install. If you don't do these steps for both Redhat 9 and Redhat 8, you'll
    have problems with the make modules_install.

    rpm -i modutils-2.4.21-23.src.rpm
    rpmbuild -bb /usr/src/redhat/SPECS/modutils.spec
    rpm -Fi /usr/src/redhat/RPMS/i386/modutils-2.4.21-23.i386.rpm

    Important
    Make sure that while configuring the kernel you compile EXT3 filesystem support into the kernel, otherwise if you compile it as a module you'll get such error upon bootup:

    pivotroot: pivot_root(/sysroot,/sysroot/initrd) failed

    This is because Redhat 9.0 and 8.0 use the ext3 filesystem for /boot

    Configure and compile the kernel
    make menuconfig
    make bzImage
    make modules
    make modules_install
    make install

    After compilation
    /etc/rc.sysinit needs to be modified. Look for the following line
    action $"Mounting proc filesystem: " mount -n -t proc /proc /proc
    and after this line enter the following:
    action $"Mounting sysfs filesystem: " mount -n -t sysfs /sys /sys

    Reboot....

    Last edited by choon; 05-27-2004 at 11:13 AM.
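    A pre-reboot checklist written for this thread (example code, not from the howto or any of its posters) that covers the caveats in post #1 (the step 7 files under /boot and the version handed to mkinitrd) and post #3 (ext3 built in rather than as a module): it reads the .config and directories it is given. The function names and the /usr/src/linux-2.6.5 path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-reboot checks for the howto above:
# grsecurity enabled in .config, ext3 built in (=y, not =m, see post #3's
# pivot_root failure), the step 7 files present under /boot, and a modules
# directory matching the version given to mkinitrd. All names are assumptions.

# config_value FILE OPTION -> prints y, m, or n ("# ... is not set" / absent)
config_value() {
    val=$(sed -n "s/^$2=\(.*\)$/\1/p" "$1" | tail -n 1)
    [ -n "$val" ] && printf '%s\n' "$val" || printf 'n\n'
}

# check_config FILE -> 0 if grsecurity is on and ext3 is built in, else 1
check_config() {
    rc=0
    [ "$(config_value "$1" CONFIG_GRKERNSEC)" = y ] \
        || { echo "CONFIG_GRKERNSEC is not enabled"; rc=1; }
    case "$(config_value "$1" CONFIG_EXT3_FS)" in
        y) ;;
        m) echo "CONFIG_EXT3_FS=m: build ext3 in, /boot is ext3"; rc=1 ;;
        *) echo "CONFIG_EXT3_FS is not set"; rc=1 ;;
    esac
    return $rc
}

# check_boot_files BOOTDIR VERSION -> 0 if every step 7 artifact exists
check_boot_files() {
    rc=0
    for f in "vmlinuz-$2" "System.map-$2" "initrd-$2.img" "config-$2"; do
        [ -f "$1/$f" ] || { echo "missing $1/$f"; rc=1; }
    done
    return $rc
}

# check_modules_dir LIBMODULES VERSION -> 0 if LIBMODULES/VERSION exists.
# mkinitrd <img> VERSION reads modules from /lib/modules/VERSION, so the
# version string built into the kernel (EXTRAVERSION in the Makefile) must
# match, or modules_install puts the modules somewhere else.
check_modules_dir() {
    [ -d "$1/$2" ] && return 0
    echo "no $1/$2: modules were installed elsewhere, mkinitrd will fail"
    return 1
}

# Usage (paths assumed): check_config /usr/src/linux-2.6.5/.config &&
#   check_boot_files /boot 2.6.5-grsec && check_modules_dir /lib/modules 2.6.5-grsec
```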

  4. #4
    Originally posted by KingAdmin
    Works on any Linux distro

    Even RHEL?

    Last edited by choon; 05-27-2004 at 11:14 AM.

  5. #5
    Does this work for Dual Xeon?

    Last edited by choon; 05-27-2004 at 11:14 AM.

  6. #6
    Originally posted by KingAdmin
    Works on any Linux distro


    Why are you downgrading your modutils?

    Last edited by choon; 05-27-2004 at 11:14 AM.

  7. #7
    Originally posted by thelinuxguy
    Why are you downgrading your modutils?
    cause otherwise it will not detect new modules (.ko extension) upon bootup.

    Last edited by choon; 05-27-2004 at 11:15 AM.

  8. #8
    worked great!

  9. #9
    Surely the address for the kernel is wrong: you've given a patch file and then said to make clean, etc.

    You can't do that with a patch file.

    Last edited by choon; 05-27-2004 at 11:15 AM.

  10. #10
    He did this on my server and it worked great. Always great, Steve!

    Last edited by choon; 05-27-2004 at 11:16 AM.

  11. #11
    Anyone know how to get iptables working under 2.6.6?

    Whether I compile iptables into kernel or as a module, I always get the same error when APF starts:

    ------
    iptables v1.2.7a: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    ------

    I've also built iptables 1.2.9 from source using the 2.6.6 kernel path; however, it results in the same error as above.

    Looks like this happens to many people with the 2.6 kernel: http://www.google.com/search?hl=en&i...6+and+iptables

    Last edited by choon; 05-27-2004 at 11:16 AM.

  12. #12
    Figured it out. Problem with APF: you need to turn 'MONOKERN' to 1 while on the 2.6 series kernel.

    Last edited by choon; 05-27-2004 at 11:17 AM.

  13. #13
    thelinuxguy, Please check through your HOWTO and if you need any changes please use the report to CL and state what you intend to change. For your Step 2...
    Code:
    wget -c http://www.kernel.org/pub/linux/kernel/v2.6/patch-2.6.5.bz2
    You are linking to the patch for the kernel, not the full kernel source.

  14. #14
    OK, I'll have it fixed soon.

  15. #15
    Great Howto

    Thank you The Linux Guy

    Thanks
    - James

  16. #16
    This is the updated grsec patch link: http://www.grsecurity.net/grsecurity-2.0-2.4.26.patch

    This is the updated Kernel source direct link: http://www.kernel.org/pub/linux/kern...-2.4.26.tar.gz
