Thread: Compile 2.6.5 + GrSecurity
-
04-20-2004, 03:08 AM #1Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
Compile 2.6.5 + GrSecurity
Tested on RH 7.3, 9, Fedora
Today I will be discussing how to compile a 2.6.5 kernel with the GrSecurity patch. Before we go any further: anything bad that happens is your fault, not mine. Now that we've got that over and done with, let's talk about GrSecurity and what it is. GrSecurity is a patch applied to your kernel that acts as a multi-layered detection, prevention, and containment model. A complete list of its features can be located at
Let's get started (as root):
1.) Change to a directory to work in; for today we are going to choose /usr/src:
cd /usr/src
( Please note: if you do not have "patch", you can use up2date on an up2date-enabled server to install it: up2date -f patch )
patch -p0 < grsecurity-2.0-2.6.5.patch
make clean
make mrproper
5.) Grab that old kernel config and make a new config from it
cp /boot/config-`uname -r` .config
make oldconfig
http://www.webhostingtalk.com/showth...hreadid=232664
6.) Time to build the kernel up.
( please note "make dep" is not required in 2.6.x kernels any longer. )
make bzImage
(wait for this to complete and ensure no errors)
make modules
(wait for this to complete and ensure no errors)
make modules_install
(wait for this to complete and ensure no errors)
cp .config /boot/config-2.6.5-grsec
cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.5-grsec
cp System.map /boot/System.map-2.6.5-grsec
mkinitrd /boot/initrd-2.6.5-grsec.img 2.6.5-grsec
WHICH BOOTLOADER DO I HAVE?!! OH NO!
There are a few ways to figure this out.
Solution 1:
/sbin/grubby --bootloader-probe
dd if=/dev/hda bs=512 count=1 2>&1 | grep GRUB
dd if=/dev/hda bs=512 count=1 2>&1 | grep LILO
One of them will kick back something like:
root@w00t [~]# dd if=/dev/hda bs=512 count=1 2>&1 | grep GRUB
Binary file (standard input) matches
root@w00t [~]#
Now that we have figured out the bootloader lets add the kernel to the bootloader:
LILO
add the following to the lilo.conf ( make sure you follow the format of your own bootloader settings)
image=/boot/vmlinuz-2.6.5-grsec
label=2.6.5-grsec
initrd=/boot/initrd-2.6.5-grsec.img
read-only
append="root=LABEL=/"
Before you set it to boot as default, let's make it boot the next time only. Save your config and do the following:
/sbin/lilo -v -v
/sbin/lilo -R 2.6.5-grsec
GRUB
add the following to the grub.conf ( make sure you follow the format of your own bootloader settings)
title Red Hat Linux (2.6.5-grsec)
root (hd0,0)
kernel (hd0,0)/vmlinuz-2.6.5-grsec root=/dev/hda3
initrd (hd0,0)/initrd-2.6.5-grsec.img
Info on GRUB's failsafe is located here:
http://www.webhostingtalk.com/showth...hreadid=235241
Reboot the box and hope for the best; be sure to check dmesg for anything weird.
This post was inspired by choon's post on 2.4.x kernels.
Thank you,
Steve
Last edited by choon; 05-27-2004 at 11:12 AM.
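Added example (not part of the original post): the boot loader probe and a pre-reboot file check as two shell functions. The function names and the demo image are constructed for illustration; the file names follow the cp and mkinitrd commands in step 6.

```bash
#!/bin/bash
# probe_bootloader DEVICE_OR_IMAGE
# Reads only the first 512-byte sector, like the dd commands in the post, and
# prints GRUB, LILO or unknown. dd's status output is discarded, so a match
# can only come from the sector itself.
probe_bootloader() {
    local sector
    sector=$(dd if="$1" bs=512 count=1 2>/dev/null | LC_ALL=C tr -c '[:print:]' '\n')
    case "$sector" in
        *GRUB*) echo GRUB ;;
        *LILO*) echo LILO ;;
        *)      echo unknown ;;
    esac
}

# check_boot_files BOOT_DIR VERSION
# Returns 0 only when every file the new boot entry relies on exists and is
# non-empty; prints each file that is missing.
check_boot_files() {
    local dir=$1 ver=$2 rc=0 f
    for f in "vmlinuz-$ver" "initrd-$ver.img" "System.map-$ver" "config-$ver"; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo: a fake 512-byte sector carrying the string GRUB, and a
# /boot stand-in that holds only the kernel image.
demo_dir=$(mktemp -d)
{ head -c 400 /dev/zero; printf 'GRUB'; head -c 108 /dev/zero; } > "$demo_dir/mbr.img"
echo "boot loader: $(probe_bootloader "$demo_dir/mbr.img")"
echo kernel > "$demo_dir/vmlinuz-2.6.5-grsec"
check_boot_files "$demo_dir" 2.6.5-grsec || echo "fix the above before rebooting"
rm -rf "$demo_dir"
```

On the server itself the calls would be probe_bootloader /dev/hda and check_boot_files /boot 2.6.5-grsec.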
-
04-20-2004, 03:11 AM #2Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
if anyone has a spare rhe cpanel box i can try on let me know =)
Last edited by choon; 05-27-2004 at 11:13 AM.
-
04-20-2004, 09:17 PM #3Disabled
- Join Date
- Feb 2004
- Posts
- 179
Works on any Linux distro
Before you even touch a 2.6 kernel you need to:
Download the latest version of module-init-tools
module-init-tools-3.0-pre10.tar.gz and modutils-2.4.21-2x.src.rpm
http://www.kernel.org/pub/linux/kern...rusty/modules/
Install module-init-tools
This will replace depmod [/sbin/depmod] and other tools.
tar -zxvf module-init-tools-3.0-pre10.tar.gz
cd module-init-tools-3.0-pre10
./configure --prefix=/sbin
make
make install
./generate-modprobe.conf /etc/modprobe.conf
Install modutils-2.4.21-23.src.rpm
You may get warnings about user rusty and group rusty not existing. Also, yes, you'll have to force the install. If you don't do these steps for both Redhat 9 and Redhat 8, you'll have problems with the make modules_install.
rpm -i modutils-2.4.21-23.src.rpm
rpmbuild -bb /usr/src/redhat/SPECS/modutils.spec
rpm -Fi /usr/src/redhat/RPMS/i386/modutils-2.4.21-23.i386.rpm
Important
Make sure that while configuring the kernel you compile EXT3 filesystem support into the kernel; otherwise, if you compile it as a module, you'll get an error like this upon bootup:
pivotroot: pivot_root(/sysroot,/sysroot/initrd) failed
This is because Redhat 9.0 and 8.0 use the ext3 filesystem for /boot
Configure and compile the kernel
make menuconfig
make bzImage
make modules
make modules_install
make install
After compilation
/etc/rc.sysinit needs to be modified. Look for the following line
action $"Mounting proc filesystem: " mount -n -t proc /proc /proc
and after this line enter the following:
action $"Mounting sysfs filesystem: " mount -n -t sysfs /sys /sys
Reboot....
Last edited by choon; 05-27-2004 at 11:13 AM.
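Added example (not part of the post above): a check to run against .config before building, confirming that ext3 is built in rather than a module and that the grsecurity master switch is enabled. CONFIG_EXT3_FS and CONFIG_GRKERNSEC are the kernel and grsecurity option names; the function names and the sample config are constructed for illustration.

```bash
#!/bin/bash
# config_state CONFIG_FILE SYMBOL
# Prints y (built in), m (module) or n (unset or absent). Unset options are
# written as "# CONFIG_FOO is not set", so they never match "^CONFIG_FOO=".
config_state() {
    local line
    line=$(grep -E "^$2=" "$1" | tail -n 1)
    case "$line" in
        *=y) echo y ;;
        *=m) echo m ;;
        *)   echo n ;;
    esac
}

# check_builtin CONFIG_FILE SYMBOL...
# Returns 0 only if every listed symbol is =y; prints the ones that are not.
check_builtin() {
    local cfg=$1 rc=0 sym state
    shift
    for sym in "$@"; do
        state=$(config_state "$cfg" "$sym")
        if [ "$state" != y ]; then
            echo "$sym is '$state', expected 'y'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: ext3 left as a module (the pivot_root failure case) and
# the grsecurity prompt answered "no" during make oldconfig.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_EXT2_FS=y
CONFIG_EXT3_FS=m
CONFIG_EXT3_FS_XATTR=y
# CONFIG_GRKERNSEC is not set
EOF
check_builtin "$sample" CONFIG_EXT3_FS CONFIG_GRKERNSEC || echo "reconfigure before building"
rm -f "$sample"
```

In the kernel tree the call would be check_builtin .config CONFIG_EXT3_FS CONFIG_GRKERNSEC. A patched kernel whose grsecurity option was left unset after make oldconfig builds and boots normally but provides none of the protections.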
-
04-23-2004, 05:45 PM #4Web Hosting Master
- Join Date
- Oct 2003
- Location
- Georgetown, Ontario
- Posts
- 1,771
Originally posted by KingAdmin
Works on any Linux distro
Even RHEL?
Last edited by choon; 05-27-2004 at 11:14 AM.
-
04-25-2004, 05:54 PM #5Web Hosting Master
- Join Date
- Sep 2002
- Location
- Illinois
- Posts
- 2,307
Does this work for Dual Xeon?
Last edited by choon; 05-27-2004 at 11:14 AM.
-
04-25-2004, 09:33 PM #6Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
Originally posted by KingAdmin
Works on any Linux distro
Before you even touch a 2.6 kernel you need to:
Download the latest version of module-init-tools
module-init-tools-3.0-pre10.tar.gz and modutils-2.4.21-2x.src.rpm
http://www.kernel.org/pub/linux/kern...rusty/modules/
Install module-init-tools
This will replace depmod [/sbin/depmod] and other tools.
tar -zxvf module-init-tools-3.0-pre10.tar.gz
cd module-init-tools-3.0-pre10
./configure --prefix=/sbin
make
make install
./generate-modprobe.conf /etc/modprobe.conf
Install modutils-2.4.21-23.src.rpm
You may get warnings about user rusty and group rusty not existing. Also, yes, you'll have to force the install. If you don't do these steps for both Redhat 9 and Redhat 8, you'll have problems with the make modules_install.
rpm -i modutils-2.4.21-23.src.rpm
rpmbuild -bb /usr/src/redhat/SPECS/modutils.spec
rpm -Fi /usr/src/redhat/RPMS/i386/modutils-2.4.21-23.i386.rpm
Important
Make sure that while configuring the kernel you compile EXT3 filesystem support into the kernel; otherwise, if you compile it as a module, you'll get an error like this upon bootup:
pivotroot: pivot_root(/sysroot,/sysroot/initrd) failed
This is because Redhat 9.0 and 8.0 use the ext3 filesystem for /boot
Configure and compile the kernel
make menuconfig
make bzImage
make modules
make modules_install
make install
After compilation
/etc/rc.sysinit needs to be modified. Look for the following line
action $"Mounting proc filesystem: " mount -n -t proc /proc /proc
and after this line enter the following:
action $"Mounting sysfs filesystem: " mount -n -t sysfs /sys /sys
Reboot....
Why are you downgrading your modutils?
Last edited by choon; 05-27-2004 at 11:14 AM.
-
04-27-2004, 12:37 PM #7Disabled
- Join Date
- Feb 2004
- Posts
- 179
Originally posted by thelinuxguy
Why are you downgrading your modutils?
Last edited by choon; 05-27-2004 at 11:15 AM.
-
05-11-2004, 12:53 AM #8Junior Guru Wannabe
- Join Date
- May 2004
- Posts
- 34
worked great!
-
05-12-2004, 10:57 AM #9Temporarily Suspended
- Join Date
- Oct 2003
- Location
- Manchester, UK
- Posts
- 115
Surely the address for the kernel is wrong; you've given a patch file and then said to make clean etc. etc.
You can't do that with a patch file.
Last edited by choon; 05-27-2004 at 11:15 AM.
-
05-15-2004, 03:51 PM #10Web Hosting Master
- Join Date
- Aug 2002
- Location
- Illinois
- Posts
- 848
He did this on my server and it worked great, always great Steve!
Last edited by choon; 05-27-2004 at 11:16 AM.
-
05-17-2004, 02:50 PM #11Web Hosting Evangelist
- Join Date
- May 2003
- Posts
- 483
Anyone know how to get iptables working under 2.6.6 ?
Whether I compile iptables into kernel or as a module, I always get the same error when APF starts:
------
iptables v1.2.7a: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
------
I've also built IPtables 1.2.9 from source using the 2.6.6 kernel path however it results in the same error as above.
Looks like this happens to many people with the 2.6 kernel: http://www.google.com/search?hl=en&i...6+and+iptables
Last edited by choon; 05-27-2004 at 11:16 AM.
-
05-20-2004, 06:58 PM #12Web Hosting Evangelist
- Join Date
- May 2003
- Posts
- 483
Figured it out, problem with APF, you need to turn 'MONOKERN' to 1 while in the 2.6 series kernel.
Last edited by choon; 05-27-2004 at 11:17 AM.
-
05-27-2004, 11:21 AM #13Retired Moderator
- Join Date
- Jul 2001
- Location
- Singapore
- Posts
- 1,889
thelinuxguy, Please check through your HOWTO and if you need any changes please use the report to CL and state what you intend to change. For your Step 2...
Code:
wget -c http://www.kernel.org/pub/linux/kernel/v2.6/patch-2.6.5.bz2
-
05-27-2004, 08:31 PM #14Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
OK, I'll have it fixed soon
-
06-20-2004, 05:51 PM #15Web Hosting Evangelist
- Join Date
- Apr 2003
- Location
- Portland, OR, USA
- Posts
- 484
Great Howto
Thank you The Linux Guy
Thanks
- James
-
06-20-2004, 09:58 PM #16Retired Moderator
- Join Date
- Jan 2003
- Posts
- 9,049
This is the updated grsec patch link: http://www.grsecurity.net/grsecurity-2.0-2.4.26.patch
This is the updated Kernel source direct link: http://www.kernel.org/pub/linux/kern...-2.4.26.tar.gz