02-03-2004, 01:11 AM #1 Retired Moderator (Join Date Jul 2001, Location Singapore, Posts 1,889)
Compile kernel 2.4.31 from Source with GRSECURITY Patch for Red Hat Linux
Hi everyone,
I am going to list the steps that I used to compile my own kernel version 2.4.31 with the grsecurity 2.1.6-2.4.31-200506141150 patch. This is mainly for Red Hat Linux and will work on versions 7.2, 7.3, 8.0 & 9. I have also used these steps for Fedora Core 1 and CentOS 3.x. Actually, some of these steps can be used for any Linux distribution, provided you know what you are doing.
Before you try these steps, you must have some experience compiling your own kernel from source and a basic understanding of LILO or GRUB. I am using LILO as the example here.
It is a good idea that you update your system first using up2date before this. Here is my little up2date HOWTO.
FOLLOW THIS GUIDE AT YOUR OWN RISK AS I AM NOT RESPONSIBLE IN ANY DAMAGES CAUSED! YOU HAVE BEEN WARNED!!!
BEFORE YOU BEGIN
Before we build our custom kernel, you'll need to know what's in your server. Issue the following command as root to get the necessary names of your hardware, their PCI addresses, and their IRQs:
Code:lspci
00:00.0 Host bridge: Intel Corp.: Unknown device 2578 (rev 02)
00:01.0 PCI bridge: Intel Corp.: Unknown device 2579 (rev 02)
00:03.0 PCI bridge: Intel Corp.: Unknown device 257b (rev 02)
00:1d.0 USB Controller: Intel Corp. 82801EB USB (Hub #1) (rev 02)
00:1d.1 USB Controller: Intel Corp. 82801EB USB (Hub #2) (rev 02)
00:1d.2 USB Controller: Intel Corp. 82801EB USB (Hub #3) (rev 02)
00:1d.3 USB Controller: Intel Corp. 82801EB USB EHCI Controller #2 (rev 02)
00:1d.7 USB Controller: Intel Corp. 82801EB USB EHCI Controller (rev 02)
00:1e.0 PCI bridge: Intel Corp. 82801BA/CA/DB PCI Bridge (rev c2)
00:1f.0 ISA bridge: Intel Corp. 82801EB ISA Bridge (LPC) (rev 02)
00:1f.1 IDE interface: Intel Corp. 82801EB ICH5 IDE (rev 02)
00:1f.2 RAID bus controller: Intel Corp.: Unknown device 24df (rev 02)
00:1f.3 SMBus: Intel Corp. 82801EB SMBus (rev 02)
02:01.0 Ethernet controller: Intel Corp.: Unknown device 1019
03:06.0 VGA compatible controller: ATI Technologies Inc Rage XL (rev 27)
03:08.0 Ethernet controller: Intel Corp. 82801EB (ICH5) PRO/100 VE Ethernet Controller (rev 01)
Code:lspci -s 03:08.0 -vv
03:08.0 Ethernet controller: Intel Corp. 82801EB (ICH5) PRO/100 VE Ethernet Controller (rev 01)
Subsystem: Intel Corp.: Unknown device 342a
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR+ FastB2B-
Status: Cap+ 66Mhz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR-
Latency: 32 (2000ns min, 14000ns max), cache line size 08
Interrupt: pin A routed to IRQ 20
Region 0: Memory at feafe000 (32-bit, non-prefetchable) size=4K
Region 1: I/O ports at bc00 size=64
Capabilities: [dc] Power Management version 2
Flags: PMEClk- DSI+ D1+ D2+ AuxCurrent=0mA PME(D0+,D1+,D2+,D3hot+,D3cold+)
Status: D0 PME-Enable- DSel=0 DScale=2 PME-
After you have all the necessary information, you can search for it at Google with a query such as linux 82801EB to find out which module name to use for your hardware.
Ok, here we start...
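To go from the IDs that lspci reports to module names without a web search, the 2.4-era modutils leave a lookup table in /lib/modules/<version>/modules.pcimap (written by depmod), and lspci -n prints the numeric vendor:device pairs that table is keyed by. The script below is an added example, not part of the original post, that joins the two; the lspci -n output and modules.pcimap excerpt inside it are constructed samples so it runs offline, and the IDs in them are not claims about the hardware listed above.

```shell
#!/bin/sh
# Added example (not from the original post): map `lspci -n` output to module
# names via modules.pcimap. Real usage on a 2.4 box:
#   lspci -n > /tmp/lspci-n.txt
#   pci_modules /tmp/lspci-n.txt /lib/modules/$(uname -r)/modules.pcimap

# pci_modules LSPCI_N_FILE PCIMAP_FILE
# Prints "<slot> <vendor:device> <module>" per device, or "(no module in map)"
# when no driver in the table claims that ID (then it is a built-in driver, an
# unsupported device, or one you still have to look up by hand).
pci_modules() {
    awk -v map="$2" '
    BEGIN {
        # modules.pcimap columns: module vendor device subvendor subdevice
        # class class_mask driver_data. IDs look like 0x00008086, so keep the
        # last four hex digits. First entry for an ID wins.
        while ((getline line < map) > 0) {
            if (line ~ /^#/ || line ~ /^[ \t]*$/) continue
            n = split(line, f, /[ \t]+/)
            if (n < 3) continue
            key = substr(f[2], length(f[2]) - 3) ":" substr(f[3], length(f[3]) - 3)
            if (!(key in mod)) mod[key] = f[1]
        }
        close(map)
    }
    {
        # Old pciutils:   "00:1f.1 Class 0101: 8086:24db (rev 02)"
        # Newer pciutils: "00:1f.1 0101: 8086:24db (rev 02)"
        # Either way the vendor:device pair is the only hhhh:hhhh token.
        line = tolower($0)
        if (match(line, /[0-9a-f][0-9a-f][0-9a-f][0-9a-f]:[0-9a-f][0-9a-f][0-9a-f][0-9a-f]/)) {
            id = substr(line, RSTART, RLENGTH)
            if (id in mod) print $1, id, mod[id]
            else           print $1, id, "(no module in map)"
        }
    }' "$1"
}

# Demo on CONSTRUCTED sample files (not captured from the machine in the HOWTO).
pci_modules_demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/lspci-n.txt" <<'EOF'
00:1f.1 Class 0101: 8086:24db (rev 02)
03:06.0 Class 0300: 1002:4752 (rev 27)
03:08.0 0200: 8086:1050 (rev 01)
EOF
    cat > "$d/modules.pcimap" <<'EOF'
# pci module         vendor     device     subvendor  subdevice  class      class_mask driver_data
piix                 0x00008086 0x000024db 0xffffffff 0xffffffff 0x00000000 0x00000000 0x0
e100                 0x00008086 0x00001050 0xffffffff 0xffffffff 0x00000000 0x00000000 0x0
EOF
    pci_modules "$d/lspci-n.txt" "$d/modules.pcimap"
    rm -rf "$d"
}

pci_modules_demo
```

Devices that come back as "(no module in map)" are the ones worth checking before you disable driver sections in make menuconfig: a built-in driver never appears in modules.pcimap, so the table only tells you which modules to keep, not which options are safe to turn off.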
As root, do the following steps in order:
INSTALL DEPENDENCY PACKAGES
Step 1: Install gcc and all its dependency packages
We need gcc to compile the kernel. Simply run one of these commands to install gcc and all its dependencies if it is not already installed:
Code:up2date gcc
Code:yum install gcc
The ncurses-devel package is needed while compiling the kernel from source, especially for running make menuconfig:
Code:up2date ncurses-devel
Code:yum install ncurses-devel
You need the patch package to be installed so that you can use it to patch the kernel source:
Code:up2date patch
Code:yum install patch
Step 1: Change your current working directory
I chose to download the kernel to /usr/local/src, but you are free to choose any directory to store and build/compile your kernel.
Code:cd /usr/local/src
Code:wget -c http://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.31.tar.bz2
Code:wget -c http://www.grsecurity.net/grsecurity-2.1.6-2.4.31-200506141150.patch.gz
Code:tar xvfj linux-2.4.31.tar.bz2
Code:gunzip < grsecurity-2.1.6-2.4.31-200506141150.patch.gz | patch -p0
Code:cd linux-2.4.31
Code:make clean && make mrproper
You might want to back up your current kernel modules and configuration.
Code:cp /boot/config-`uname -r` .config
make oldconfig
make menuconfig
Low additional security
If you choose this option, several of the grsecurity options will be enabled that will give you greater protection against a number of attacks, while assuring that none of your software will have any conflicts with the additional security measures. If you run a lot of unusual software, or you are having problems with the higher security levels, you should say Y here. With this option, the following features are enabled:
- linking restrictions
- fifo restrictions
- random pids
- enforcing nproc on execve()
- restricted dmesg
- random ip ids
- enforced chdir("/") on chroot
Medium additional security
If you say Y here, several features in addition to those included in the low additional security level will be enabled. These features provide even more security to your system, though in rare cases they may be incompatible with very old or poorly written software. If you enable this option, make sure that your auth service (identd) is running as gid 10 (usually group wheel). With this option the following features (in addition to those provided in the low additional security level) will be enabled:
- random tcp source ports
- failed fork logging
- time change logging
- signal logging
- deny mounts in chroot
- deny double chrooting
- deny sysctl writes in chroot
- deny mknod in chroot
- deny access to abstract AF_UNIX sockets out of chroot
- deny pivot_root in chroot
- denied writes of /dev/kmem, /dev/mem, and /dev/port
- /proc restrictions with special gid set to 10 (usually wheel)
- address space layout randomization
- removal of addresses from /proc/<pid>/[maps|stat]
High additional security
If you say Y here, many of the features of grsecurity will be enabled, that will protect you against many kinds of attacks against your system. The heightened security comes at a cost of an increased chance of incompatibilities with rare software on your machine. Since this security level enables PaX, you should view <http://pax.grsecurity.net> and read about the PaX project. While you are there, download chpax and run it on binaries that cause problems with PaX. Also remember that since the /proc restrictions are enabled, you must run your identd as group wheel (gid 10). This security level enables the following features in addition to those listed in the low and medium security levels:
- additional /proc restrictions
- chmod restrictions in chroot
- no signals, ptrace, or viewing processes outside of chroot
- capability restrictions in chroot
- deny fchdir out of chroot
- priority restrictions in chroot
- segmentation-based implementation of PaX
- mprotect restrictions
- kernel stack randomization
- mount/unmount/remount logging
- kernel symbol hiding
If you need to customize the Grsecurity options, you will need to run make menuconfig, go to the Grsecurity option there and set the Security level to Customized; from there you are on your own, since I am not a grsecurity guru.
Many thanks to BigGorilla for more information about grsecurity configuration:
- Spender's directory - includes a quickstart guide to grsecurity.
- Grsecurity Config Help - list of all the grsec config options and what they do.
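Whichever level you pick, the thing to verify afterwards is that the .config you installed actually carries the options that level promises, because a later make oldconfig or a hand edit in menuconfig can silently drop one. The script below is an added example, not part of the original post or of grsecurity itself, that checks a .config against the feature lists above. The CONFIG_* symbol names in it are my recollection of the grsecurity 2.1.x Kconfig and are an assumption to confirm against grsecurity/Kconfig in your patched tree; the sample .config it runs on is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm that an installed
# kernel .config carries the grsecurity/PaX options its security level should
# enable. Real usage:
#   grsec_level   /boot/config-2.4.31-grsec
#   grsec_missing /boot/config-2.4.31-grsec medium
# ASSUMPTION: the CONFIG_* symbols below are from memory of the grsecurity
# 2.1.x Kconfig; verify them against grsecurity/Kconfig in the patched tree.

# level, symbol, and the feature name the HOWTO's lists use for it
GRSEC_EXPECTED='
low    CONFIG_GRKERNSEC_LINK           linking restrictions
low    CONFIG_GRKERNSEC_FIFO           fifo restrictions
low    CONFIG_GRKERNSEC_DMESG          restricted dmesg
low    CONFIG_GRKERNSEC_CHROOT_CHDIR   enforced chdir("/") on chroot
medium CONFIG_GRKERNSEC_FORKFAIL       failed fork logging
medium CONFIG_GRKERNSEC_CHROOT_MOUNT   deny mounts in chroot
medium CONFIG_GRKERNSEC_CHROOT_DOUBLE  deny double chrooting
medium CONFIG_GRKERNSEC_KMEM           denied writes of /dev/kmem, /dev/mem, and /dev/port
medium CONFIG_GRKERNSEC_PROC           /proc restrictions
medium CONFIG_PAX_ASLR                 address space layout randomization
high   CONFIG_GRKERNSEC_CHROOT_CAPS    capability restrictions in chroot
high   CONFIG_PAX_SEGMEXEC             segmentation-based implementation of PaX
high   CONFIG_PAX_MPROTECT             mprotect restrictions
high   CONFIG_PAX_RANDKSTACK           kernel stack randomization
high   CONFIG_GRKERNSEC_HIDESYM        kernel symbol hiding
'

# grsec_level CONFIG_FILE -> LOW, MEDIUM, HIGH or CUSTOM as selected in the file
grsec_level() {
    awk -F'[_=]' '/^CONFIG_GRKERNSEC_(LOW|MEDIUM|HIGH|CUSTOM)=y$/ { print $3 }' "$1"
}

# grsec_missing CONFIG_FILE LEVEL -> one line per expected option (for LEVEL and
# the levels below it) that is not "=y"; empty output means nothing is missing.
grsec_missing() {
    cfg=$1
    case "$2" in
        low)    pat='^low' ;;
        medium) pat='^(low|medium)' ;;
        high)   pat='^(low|medium|high)' ;;
        *)      echo "unknown level: $2" >&2; return 2 ;;
    esac
    printf '%s\n' "$GRSEC_EXPECTED" | grep -E "$pat" | while read -r level sym feature; do
        grep -q "^$sym=y\$" "$cfg" || echo "$sym ($feature)"
    done
}

# CONSTRUCTED sample .config: the medium level is selected but one of its
# options has been switched off by hand, the kind of drift this check catches.
demo_cfg=$(mktemp)
trap 'rm -f "$demo_cfg"' EXIT
cat > "$demo_cfg" <<'EOF'
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_MEDIUM=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
# CONFIG_GRKERNSEC_KMEM is not set
CONFIG_GRKERNSEC_PROC=y
CONFIG_PAX_ASLR=y
EOF

echo "selected level: $(grsec_level "$demo_cfg")"
echo "missing for medium:"
grsec_missing "$demo_cfg" medium
```

Run it against the copy you put in /boot (the cp .config /boot/config-2.4.31-grsec step later in the HOWTO) rather than the build tree, since that copy is what documents the kernel you are actually booting.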
It is also a good idea to run make menuconfig so that you can disable one or more of the following, once you have made sure you really don't need them:
- Telephony Support
- Fusion MPT device support
- IEEE 1394 (FireWire) support (EXPERIMENTAL)
- Amateur Radio support
- IrDA (infrared) support
- ISDN subsystem
- Multimedia devices
- Sound
- USB support
- Old CD-ROM drivers (not SCSI, not IDE)
- Bluetooth support
- Library routines
Step 9: make dep
Code:make dep
Code:nohup make bzImage &
nohup: appending output to `nohup.out'
Just press ENTER, then issue this command to view nohup.out:
Code:tail -f nohup.out
Check for any errors and, when in doubt, do not continue. Using the error message as the search terms for a Google search might help you.
Step 11: make modules & make modules_install
Bring up another new xterm shell window and follow these steps. This step is required ONLY if you enabled Loadable module support in the "Configure" step above. Loadable modules are located in /lib/modules. You MUST do this step if you enabled or disabled any modules, otherwise you will get 'unresolved symbols' errors during or after kernel boot.
Code:nohup make modules 1> modules.out 2> modules.err &
Step 12: Check
Make modules will take several minutes depending on your server specs. If you are curious whether make modules has finished, issue ps auwx|grep make to check. Once you know that make modules has finished, check the output of all the previous make commands:
Code:less nohup.out
less modules.err
less modules.out
Step 13: Install the modules
After checking that there are no errors from make bzImage and make modules, it is time to install your newly built modules.
Code:make modules_install
Code:cp .config /boot/config-2.4.31-grsec
cp arch/i386/boot/bzImage /boot/vmlinuz-2.4.31-grsec
cp System.map /boot/System.map-2.4.31-grsec
mkinitrd /boot/initrd-2.4.31-grsec.img 2.4.31-grsec
Code:image=/boot/vmlinuz-2.4.31-grsec
	label=2.4.31-grsec
	append="root=LABEL=/"
	read-only
	initrd=/boot/initrd-2.4.31-grsec.img
Code:title Red Hat Linux (2.4.31-grsec)
root (hd0,0)
kernel /vmlinuz-2.4.31-grsec ro root=LABEL=/
initrd /initrd-2.4.31-grsec.img
If you are using LILO, use the following command to check errors and update your LILO:
Code:lilo -v -v
lilo
Code:lilo -R 2.4.31-grsec
Assume your default boot kernel is in the first entry among the rest of the kernels.
Add your new kernel in the first entry among the rest of the kernels (on top of your first original kernel which is the first entry before changes). You just change default=1 and fallback=2.
Code:grub
grub> savedefault --default=0 --once
grub> quit
Code:reboot
If the system is able to boot into your new kernel, use lsmod, dmesg, cat /var/log/boot.log etc. to check for any errors. Leave the system running with this new kernel for at least a week to test for any errors before setting it as the default kernel.
Again, NEVER set your new kernel as the default boot kernel until you have tested it and it has run FINE for a period of time, a week or so, to make sure that your kernel is stable with no errors.
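The install steps above copy four files into /boot by hand and then trust LILO to find them; a typo in one name only shows up as a kernel that will not boot. The script below is an added example, not the original poster's, that does the same staging as a function which refuses to continue when an artifact is missing, checks that everything the LILO stanza refers to is really in /boot, and prints that stanza. It assumes an i386 build tree (arch/i386/boot/bzImage) and Red Hat's mkinitrd, and only invokes mkinitrd when the caller passes "install"; the demo at the bottom runs on a scratch directory with constructed files.

```shell
#!/bin/sh
# Added example (not the original poster's script): stage a freshly built
# kernel the way the HOWTO does, with checks. Real usage from the build tree:
#   stage_kernel /usr/local/src/linux-2.4.31 /boot 2.4.31-grsec install
#   kernel_artifacts_ok /boot 2.4.31-grsec && lilo_stanza 2.4.31-grsec
# Assumptions: i386 tree layout and Red Hat's mkinitrd (only run on "install").

# stage_kernel SRCDIR BOOTDIR VERSION [install]
# Copies bzImage, System.map and .config from the build tree into BOOTDIR under
# the names the HOWTO uses; with "install" it also builds the initrd.
stage_kernel() {
    src=$1; boot=$2; ver=$3
    for f in arch/i386/boot/bzImage System.map .config; do
        if [ ! -s "$src/$f" ]; then
            echo "build tree lacks $f: finish make bzImage / make menuconfig first" >&2
            return 1
        fi
    done
    cp "$src/arch/i386/boot/bzImage" "$boot/vmlinuz-$ver" &&
    cp "$src/System.map" "$boot/System.map-$ver" &&
    cp "$src/.config" "$boot/config-$ver" || return 1
    if [ "$4" = install ]; then
        mkinitrd "$boot/initrd-$ver.img" "$ver" || return 1
    fi
}

# kernel_artifacts_ok BOOTDIR VERSION -> 0 when everything the LILO stanza
# refers to exists and is non-empty, 1 otherwise (missing files go to stderr).
kernel_artifacts_ok() {
    boot=$1; ver=$2; rc=0
    for f in "vmlinuz-$ver" "System.map-$ver" "config-$ver" "initrd-$ver.img"; do
        if [ ! -s "$boot/$f" ]; then
            echo "missing or empty: $boot/$f" >&2
            rc=1
        fi
    done
    return $rc
}

# lilo_stanza VERSION -> the lilo.conf entry from the HOWTO for VERSION
lilo_stanza() {
    printf 'image=/boot/vmlinuz-%s\n\tlabel=%s\n\tappend="root=LABEL=/"\n\tread-only\n\tinitrd=/boot/initrd-%s.img\n' "$1" "$1" "$1"
}

# Scratch run on CONSTRUCTED files standing in for a build tree and /boot.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/src/arch/i386/boot" "$demo/boot"
echo fake-bzImage > "$demo/src/arch/i386/boot/bzImage"
echo fake-map > "$demo/src/System.map"
echo 'CONFIG_GRKERNSEC=y' > "$demo/src/.config"
stage_kernel "$demo/src" "$demo/boot" 2.4.31-grsec
# No "install" argument, so no initrd was built and the check must refuse.
kernel_artifacts_ok "$demo/boot" 2.4.31-grsec || echo "not ready for lilo yet"
lilo_stanza 2.4.31-grsec
```

Only once kernel_artifacts_ok passes is it worth running lilo -v -v and then lilo -R 2.4.31-grsec: the -R form boots the new label exactly once, so if the kernel panics a reset brings the old default back, which is the whole reason the HOWTO tells you not to change the default entry yet.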
References:
- Grsecurity
- Grsecurity Features
- Kernel
- Kernel HOW TO
- Kernel Trap
- Kernel Newbies
- Upgrading the Linux Kernel on Red Hat Linux systems
- Grsecurity at SecurityFocus.com
Hope this helps
Thanks.
Kindest regards,
Choon
P.S. I might be wrong in certain steps but these steps as listed above work for me
P.P.S. Suggestions or add-ons are very welcome.
Last edited by choon; 07-07-2005 at 11:31 PM.
02-03-2004, 01:12 AM #2 Retired Moderator (Join Date Jul 2001, Location Singapore, Posts 1,889)
UPDATED. Leaders, please keep this post just in case I have more to add in future and the above post cannot withstand the amount of characters I post.
Thanks
Last edited by choon; 04-21-2004 at 06:22 PM.
02-23-2004, 02:53 AM #3 Junior Guru (Join Date Feb 2004, Posts 181)
Hi
It's great that you're posting this, but hope you don't mind giving additional help.
At step 5 it says this to me
-bash patch: command not found
[1] 11755
nohup: appending output to `nohup.out'
Also, for the other command, this
[root@aries linux-2.4.24]# tail -f nohup.out
rm -f $tmppiggy $tmppiggy.gz $tmppiggy.lnk
ld -m elf_i386 -Ttext 0x100000 -e startup_32 -o bvmlinux head.o misc.o piggy.o
make[2]: Leaving directory `/usr/local/src/linux-2.4.24/arch/i386/boot/compressed'
objcopy -O binary -R .note -R .comment -S compressed/bvmlinux compressed/bvmlinux.out
tools/build -b bbootsect bsetup compressed/bvmlinux.out CURRENT > bzImage
Root device is (3, 2)
Boot sector 512 bytes.
Setup is 4840 bytes.
System is 914 kB
make[1]: Leaving directory `/usr/local/src/linux-2.4.24/arch/i386/boot'
02-23-2004, 02:57 AM #4 Retired Moderator (Join Date Jul 2001, Location Singapore, Posts 1,889)
I will update this HOWTO when I have time, as the current kernel for the 2.4.x series is 2.4.25, but right now you should follow this HOWTO to get your system up2date if you are using Red Hat Linux 9.
02-23-2004, 04:46 AM #5 Retired Moderator (Join Date Jul 2001, Location Singapore, Posts 1,889)
Ok, updated so that it is for kernel version 2.4.25 instead of 2.4.24. Thanks
02-23-2004, 07:35 AM #6 Junior Guru (Join Date Feb 2004, Posts 181)
Hi
This is great, wonderful.
But from step 15, I am using grub; how should I test it and set it to boot the new kernel from the next reboot?
thanks!
02-23-2004, 05:54 PM #7 Retired Moderator (Join Date Jul 2001, Location Singapore, Posts 1,889)
Show us your grub.conf content and also:
Code:ls -al /boot
ls /lib/modules
df -H
02-24-2004, 01:06 AM #8 Junior Guru (Join Date Feb 2004, Posts 181)
Hi
This is my /etc/grub.conf:
default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Linux (2.4.25-grsec)
root (hd0,0)
kernel /vmlinuz-2.4.25-grsec ro root=LABEL=/
initrd /initrd-2.4.25-grsec.img
title Red Hat Linux (2.4.20-30.9)
root (hd0,0)
kernel /vmlinuz-2.4.20-30.9 ro root=LABEL=/
initrd /initrd-2.4.20-30.9.img
title Red Hat Linux (2.4.20-8)
root (hd0,0)
kernel /vmlinuz-2.4.20-8 ro root=LABEL=/
initrd /initrd-2.4.20-8.img
02-24-2004, 01:15 AM #9 Retired Moderator (Join Date Jul 2001, Location Singapore, Posts 1,889)
Oops...
default=0
And the first title is Red Hat Linux (2.4.25-grsec)
You have set that as your default boot kernel
03-21-2004, 01:18 AM #10 Web Hosting Evangelist (Join Date May 2003, Posts 483)
Choon,
Thank you for the guide, it worked quite well. Like Choon said, if you don't have much kernel experience this will be difficult to understand. The new kernel is working perfectly.
Dan
Last edited by choon; 03-21-2004 at 02:03 PM.
04-10-2004, 11:00 AM #11 Web Hosting Master (Join Date Oct 2003, Location Georgetown, Ontario, Posts 1,771)
Would this work on RH EL v3 as well? Just curious.
Last edited by choon; 04-12-2004 at 08:40 AM.
04-10-2004, 04:28 PM #12 Problem Solver (Join Date Mar 2003, Location California USA, Posts 13,681)
Not really, cMark. RHE requires nptl patching.
Last edited by choon; 04-12-2004 at 08:40 AM.
04-16-2004, 09:23 PM #13 Web Hosting Master (Join Date Feb 2004, Posts 1,269)
Originally posted by thelinuxguy
Not really, cMark. RHE requires nptl patching.
Thanks
04-21-2004, 04:38 AM #14 Retired Moderator (Join Date Jul 2001, Location Singapore, Posts 1,889)
Just to let anyone interested know, there is a new kernel exploit...
Linux kernel setsockopt MCAST_MSFILTER integer overflow
And the grsecurity patch for 2.4.26 is available at the author's site.
I will update this HOWTO when I have time, but please consider upgrading/updating your kernel.
04-23-2004, 06:32 AM #15 WHT Addict (Join Date Jun 2002, Posts 125)
You the man, choon!
Thank you, worked like a charm.
Regards,
Matt
04-24-2004, 01:09 AM #16 Disabled (Join Date Feb 2004, Posts 179)
You can also patch the kernel with the Openwall security patches; since the grsecurity site got defaced a few weeks ago, we don't trust them anymore.
http://www.openwall.com/linux/
Last edited by choon; 04-24-2004 at 05:16 AM.
04-24-2004, 05:27 AM #17 Retired Moderator (Join Date Jul 2001, Location Singapore, Posts 1,889)
Didn't notice that openwall supports the 2.4.x series of kernels... all the while I was thinking they only support the 2.2.x series and below... ok, thanks for the info.
I would appreciate anyone posting in this thread sticking to the topic of grsecurity, as this thread is all about the grsecurity patch. Anyone is welcome to post a new thread in the Technical forum to discuss it while I test that openwall patch on the 2.4.26 kernel on one of my test boxes or servers.
Once again, thanks, and sorry for my outdated notice about the openwall patch.
04-24-2004, 05:58 PM #18 Problem Solver (Join Date Mar 2003, Location California USA, Posts 13,681)
Originally posted by KingAdmin
You can also patch the kernel with the Openwall security patches; since the grsecurity site got defaced a few weeks ago, we don't trust them anymore.
http://www.openwall.com/linux/
It was an April Fools joke.
Last edited by choon; 04-24-2004 at 06:20 PM.
04-24-2004, 06:24 PM #19 Retired Moderator (Join Date Jul 2001, Location Singapore, Posts 1,889)
Whether to believe it or not is beyond this thread's topic, and without facts being provided... you decide whether to believe it or not.
04-25-2004, 09:45 PM #20 Web Hosting Master (Join Date Feb 2004, Posts 1,269)
No one can really explain how to do it for RHE?
04-25-2004, 10:11 PM #21 Retired Moderator (Join Date Jul 2001, Location Singapore, Posts 1,889)
If you let me try
Or pay thelinuxguy and learn from him
04-26-2004, 09:14 AM #22 Web Hosting Master (Join Date Feb 2004, Posts 1,269)
Originally posted by choon
If you let me try
Or pay thelinuxguy and learn from him
04-26-2004, 07:52 PM #23 Disabled (Join Date Feb 2004, Posts 179)
2.4.26 will compile and work on RHEL without problems, 2.6.5 is more difficult but it's do-able.
Last edited by choon; 04-27-2004 at 01:01 PM.
04-26-2004, 07:54 PM #24 Problem Solver (Join Date Mar 2003, Location California USA, Posts 13,681)
KingAdmin, you will experience segfaults with bind and other programs since the vanilla kernels do not have nptl.
Last edited by choon; 04-27-2004 at 01:01 PM.
04-26-2004, 07:58 PM #25 Web Hosting Master (Join Date Feb 2004, Posts 1,269)
Originally posted by thelinuxguy
KingAdmin, you will experience segfaults with bind and other programs since the vanilla kernels do not have nptl.
Or it won't even compile?