  1. #1
    Join Date: Jul 2001 | Location: Singapore | Posts: 1,889

    Compile kernel 2.4.31 from Source with GRSECURITY Patch for Red Hat Linux

    Hi everyone,

    I am going to list the steps that I used to compile my own kernel version 2.4.31 with the grsecurity 2.1.6-2.4.31-200506141150 patch. This is mainly for Red Hat Linux and will work on versions 7.2, 7.3, 8.0 & 9. I have also used these steps for Fedora Core 1 and CentOS 3.x. Actually, some of these steps can be used for any Linux distribution, provided you know what you are doing.

    Before you try these steps, you must have some experience compiling your own kernel from source and some basic understanding of LILO or GRUB. I am using LILO as the example here.

    It is a good idea to update your system first using up2date before this. Here is my little up2date HOWTO.

    FOLLOW THIS GUIDE AT YOUR OWN RISK AS I AM NOT RESPONSIBLE IN ANY DAMAGES CAUSED! YOU HAVE BEEN WARNED!!!

    BEFORE YOU BEGIN

    Before we build our custom kernel, you'll need to know what's in your server. Issue the following command as root to get the necessary names of your hardware, their PCI addresses, and their IRQs:
    Code:
    lspci
    An example result from one of my servers:
    00:00.0 Host bridge: Intel Corp.: Unknown device 2578 (rev 02)
    00:01.0 PCI bridge: Intel Corp.: Unknown device 2579 (rev 02)
    00:03.0 PCI bridge: Intel Corp.: Unknown device 257b (rev 02)
    00:1d.0 USB Controller: Intel Corp. 82801EB USB (Hub #1) (rev 02)
    00:1d.1 USB Controller: Intel Corp. 82801EB USB (Hub #2) (rev 02)
    00:1d.2 USB Controller: Intel Corp. 82801EB USB (Hub #3) (rev 02)
    00:1d.3 USB Controller: Intel Corp. 82801EB USB EHCI Controller #2 (rev 02)
    00:1d.7 USB Controller: Intel Corp. 82801EB USB EHCI Controller (rev 02)
    00:1e.0 PCI bridge: Intel Corp. 82801BA/CA/DB PCI Bridge (rev c2)
    00:1f.0 ISA bridge: Intel Corp. 82801EB ISA Bridge (LPC) (rev 02)
    00:1f.1 IDE interface: Intel Corp. 82801EB ICH5 IDE (rev 02)
    00:1f.2 RAID bus controller: Intel Corp.: Unknown device 24df (rev 02)
    00:1f.3 SMBus: Intel Corp. 82801EB SMBus (rev 02)
    02:01.0 Ethernet controller: Intel Corp.: Unknown device 1019
    03:06.0 VGA compatible controller: ATI Technologies Inc Rage XL (rev 27)
    03:08.0 Ethernet controller: Intel Corp. 82801EB (ICH5) PRO/100 VE Ethernet Controller (rev 01)
    Now you can find more information related to the hardware shown above by issuing the following command:
    Code:
    lspci -s 03:08.0 -vv
    The output of the above is as below:
    03:08.0 Ethernet controller: Intel Corp. 82801EB (ICH5) PRO/100 VE Ethernet Controller (rev 01)
    Subsystem: Intel Corp.: Unknown device 342a
    Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR+ FastB2B-
    Status: Cap+ 66Mhz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR-
    Latency: 32 (2000ns min, 14000ns max), cache line size 08
    Interrupt: pin A routed to IRQ 20
    Region 0: Memory at feafe000 (32-bit, non-prefetchable) size=4K
    Region 1: I/O ports at bc00 size=64
    Capabilities: [dc] Power Management version 2
    Flags: PMEClk- DSI+ D1+ D2+ AuxCurrent=0mA PME(D0+,D1+,D2+,D3hot+,D3cold+)
    Status: D0 PME-Enable- DSel=0 DScale=2 PME-
    You can use lsmod and cat /proc/interrupts to find out more about your current modules, etc.
    After you have all the necessary information, you can search for it on Google with a query such as linux 82801EB to find out which module name to use for your hardware.

    Ok, here we start... ...

    As root, do the following steps in order:

    INSTALL DEPENDENCY PACKAGES

    Step 1: Install gcc and all its dependency packages

    We need gcc to compile the kernel. Simply run this command to install gcc and all its dependencies if they are not already installed:
    Code:
    up2date gcc
    OR if you are using Fedora you can use up2date or yum:
    Code:
    yum install gcc
    Step 2: Install ncurses-devel and all its dependency packages

    The ncurses-devel package is needed while compiling the kernel from source, especially for running make menuconfig:
    Code:
    up2date ncurses-devel
    OR if you are using Fedora you can use up2date or yum:
    Code:
    yum install ncurses-devel
    Step 3: Install the patch package

    You need the patch package installed so that you can use it to patch the kernel source:
    Code:
    up2date patch
    OR if you are using Fedora you can use up2date or yum:
    Code:
    yum install patch
    HERE WE REALLY BEGIN

    Step 1: Change your current working directory

    For me, I chose to download the kernel to /usr/local/src, but you are free to choose a directory in which to store and build/compile your kernel.
    Code:
    cd /usr/local/src
    Step 2: Download the latest stable kernel of the 2.4.x series, which is 2.4.31
    Code:
    wget -c http://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.31.tar.bz2
    Step 3: Download the grsecurity patch
    Code:
    wget -c http://www.grsecurity.net/grsecurity-2.1.6-2.4.31-200506141150.patch.gz
    Step 4: Unpack the kernel source
    Code:
    tar xvfj linux-2.4.31.tar.bz2
    Step 5: Patch the kernel source with grsecurity patch
    Code:
    gunzip < grsecurity-2.1.6-2.4.31-200506141150.patch.gz | patch -p0
    Step 6: Change your current working directory to the kernel source directory
    Code:
    cd linux-2.4.31
    Step 7: Clean your kernel source configuration, etc.
    Code:
    make clean && make mrproper
    Step 8: Use your current configuration to configure your new kernel

    You might want to back up your current kernel modules and configuration first.
    Code:
    cp /boot/config-`uname -r` .config
    make oldconfig
    make menuconfig
    When you configure your kernel using make oldconfig to take over the currently booted kernel's configuration, please set CONFIG_CRYPTO=y and CONFIG_CRYPTO_SHA256=y within the CRYPTO option and nothing else within it. Then, when you come to the GRSECURITY option, set it to y; the Security level option can be set to Low, Medium or High. I set mine to Medium. The following are the explanations for each option:

    Low additional security

    If you choose this option, several of the grsecurity options will be enabled that will give you greater protection against a number of attacks, while assuring that none of your software will have any conflicts with the additional security measures. If you run a lot of unusual software, or you are having problems with the higher security levels, you should say Y here. With this option, the following features are enabled:

    linking restrictions
    fifo restrictions
    random pids
    enforcing nproc on execve()
    restricted dmesg
    random ip ids
    enforced chdir("/") on chroot

    Medium additional security

    If you say Y here, several features in addition to those included in the low additional security level will be enabled. These features provide even more security to your system, though in rare cases they may be incompatible with very old or poorly written software. If you enable this option, make sure that your auth service (identd) is running as gid 10 (usually group wheel). With this option the following features (in addition to those provided in the low additional security level) will be enabled:

    random tcp source ports
    failed fork logging
    time change logging
    signal logging
    deny mounts in chroot
    deny double chrooting
    deny sysctl writes in chroot
    deny mknod in chroot
    deny access to abstract AF_UNIX sockets out of chroot
    deny pivot_root in chroot
    denied writes of /dev/kmem, /dev/mem, and /dev/port
    /proc restrictions with special gid set to 10 (usually wheel)
    address space layout randomization
    removal of addresses from /proc/<pid>/[maps|stat]

    High additional security

    If you say Y here, many of the features of grsecurity will be enabled, that will protect you against many kinds of attacks against your system. The heightened security comes at a cost of an increased chance of incompatibilities with rare software on your machine. Since this security level enables PaX, you should view <http://pax.grsecurity.net> and read about the PaX project. While you are there, download chpax and run it on binaries that cause problems with PaX. Also remember that since the /proc restrictions are enabled, you must run your identd as group wheel (gid 10). This security level enables the following features in addition to those listed in the low and medium security levels:

    additional /proc restrictions
    chmod restrictions in chroot
    no signals, ptrace, or viewing processes outside of chroot
    capability restrictions in chroot
    deny fchdir out of chroot
    priority restrictions in chroot
    segmentation-based implementation of PaX
    mprotect restrictions
    kernel stack randomization
    mount/unmount/remount logging
    kernel symbol hiding


    If you need to customize the Grsecurity options, you will need to run make menuconfig, then go to the Grsecurity option there and set the Security level to Customized, and you are on your own since I am not a grsecurity guru.

    Many thanks to BigGorilla for more information about grsecurity configuration:
    Spender's directory - includes a quickstart guide to grsecurity.
    Grsecurity Config Help - list of all the grsec config options and what they do.

    It is also a good idea for you to run make menuconfig so that you can disable one or more of the following, after making sure you really don't need them:
    • Telephony Support
    • Fusion MPT device support
    • IEEE 1394 (FireWire) support (EXPERIMENTAL)
    • Amateur Radio support
    • IrDA (infrared) support
    • ISDN subsystem
    • Multimedia devices
    • Sound
    • USB support
    • Old CD-ROM drivers (not SCSI, not IDE)
    • Bluetooth support
    • Library routines

    Step 9: make dep
    Code:
    make dep
    Step 10: make bzImage
    Code:
    nohup make bzImage &
    You will see something like:
    nohup: appending output to `nohup.out'
    Just press ENTER, then issue this command to view nohup.out:
    Code:
    tail -f nohup.out
    To exit from the above, use CTRL+C keys.
    Check for any errors, and when in doubt do not continue. Using the error message as the search terms for a Google search might help you.

    Step 11: make modules & make modules_install

    Bring up another new xterm shell window and follow these steps. This step is required ONLY if you enabled Loadable module support in the "Configure" step above. Loadable modules are located in /lib/modules. You MUST do this step if you enabled or disabled any modules, otherwise you will get 'unresolved symbols' errors during or after kernel boot.
    Code:
    nohup make modules 1> modules.out 2> modules.err  &
    HAVE A BREAK

    Step 12: Check
    make modules will take several minutes depending on your server specs. If you are curious whether make modules has finished, issue ps auwx|grep make to check. Once you know that make modules has finished, check the output of all the previous make runs:
    Code:
    less nohup.out
    less modules.err
    less modules.out
    Again, check for any errors, and when in doubt do not continue. Using the error message as the search terms for a Google search might help you.

    Step 13: Install the modules
    After checking that there are no errors from make bzImage and make modules, it is time to install your newly built modules.
    Code:
    make modules_install
    Step 14: Bootloader and others
    Code:
    cp .config /boot/config-2.4.31-grsec
    cp arch/i386/boot/bzImage /boot/vmlinuz-2.4.31-grsec
    cp System.map /boot/System.map-2.4.31-grsec
    mkinitrd /boot/initrd-2.4.31-grsec.img 2.4.31-grsec
    If you are using LILO as your bootloader, edit your /etc/lilo.conf file to add this new kernel, but do not set it as the default boot kernel. An example is below:

    Code:
    image=/boot/vmlinuz-2.4.31-grsec
    	label=2.4.31-grsec
    	append="root=LABEL=/"
    	read-only
    	initrd=/boot/initrd-2.4.31-grsec.img
    If you are using GRUB as your bootloader, edit the /boot/grub/grub.conf file to add this new kernel, but do not set it as the default boot kernel. An example is below:
    Code:
    title Red Hat Linux (2.4.31-grsec)
    	root (hd0,0)
    	kernel /vmlinuz-2.4.31-grsec ro root=LABEL=/
    	initrd /initrd-2.4.31-grsec.img
    Step 15: Test your new kernel
    If you are using LILO, use the following commands to check for errors and update your LILO:
    Code:
    lilo -v -v
    lilo
    Then set LILO to boot to the new kernel for the next reboot:
    Code:
    lilo -R 2.4.31-grsec
    If you are using GRUB, check out this thread.

    Assume your default boot kernel is the first entry among the kernels. Add your new kernel as the first entry (on top of your original kernel, which was the first entry before the change). You just change default=1 and fallback=2.
    Code:
    grub
    grub> savedefault --default=0 --once
    grub> quit
    Then reboot:
    Code:
    reboot
    If your system is unable to boot into the new kernel, or it causes all sorts of errors, then you have to reboot the server back into its default/old kernel. Thus it is good to have a Remote Reboot Port (RRP), an APC MasterSwitch or similar so that you don't have to call up your provider just for a reboot. Alternatively, you can ask your provider to test your new kernel for you.

    If the system is able to boot into your new kernel, please use lsmod, dmesg, cat /var/log/boot.log, etc. to check for any errors. Leave the system running with this new kernel for at least a week to test for any errors before setting it as the default kernel.

    Again, NEVER set your new kernel as the default boot kernel until you have tested it and it has run FINE for a period of time, like a week or so, to make sure that your kernel is stable with no errors.

    References:
    Grsecurity
    Grsecurity Features
    Kernel
    Kernel HOW TO
    Kernel Trap
    Kernel Newbies
    Upgrading the Linux Kernel on Red Hat Linux systems
    Grsecurity at SecurityFocus.com

    Hope this helps

    Thanks.

    Kindest regards,
    Choon
    P.S. I might be wrong in certain steps, but the steps as listed above work for me.
    P.P.S. Suggestions or addons are very welcome
    Last edited by choon; 07-07-2005 at 11:31 PM.
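Two checks worth running before the long builds above, as an added example that is not part of choon's HOWTO: a lookup that maps the vendor:device IDs printed by lspci -n to driver modules through the modules.pcimap that depmod writes under /lib/modules for the kernel you are currently running (a local alternative to the web search suggested in BEFORE YOU BEGIN), and a preflight check of the .config from Step 8 for the CONFIG_CRYPTO, CONFIG_CRYPTO_SHA256 and GRSECURITY settings the post asks for. Assumptions that are not on the page: the security-level symbols are taken to be CONFIG_GRKERNSEC_LOW, CONFIG_GRKERNSEC_MEDIUM, CONFIG_GRKERNSEC_HIGH and CONFIG_GRKERNSEC_CUSTOM under the CONFIG_GRKERNSEC master switch; the script name preflight.sh is hypothetical; and the pcimap entries and device IDs used when trying it out are constructed sample data rather than output from the author's server.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: preflight checks for the
# hardware-discovery step (BEFORE YOU BEGIN) and for the .config from Step 8.
#
# Assumption, not stated on the page: grsecurity 2.1.x for 2.4 uses
# CONFIG_GRKERNSEC as its master switch and exactly one of
# CONFIG_GRKERNSEC_LOW / _MEDIUM / _HIGH / _CUSTOM for the security level.

# Map the vendor:device pairs in lspci -n output to modules via a
# modules.pcimap (written by depmod; columns: module vendor device
# subvendor subdevice class class_mask driver_data; 0xffffffff = any).
# $1 = path to modules.pcimap, $2 = file holding lspci -n output.
pcimap_lookup() {
    awk '
    function norm(x) { sub(/^0x/, "", x); sub(/^0+/, "", x); return x }
    NR == FNR {                 # first file: the pcimap table
        if ($0 ~ /^#/ || NF < 3) next
        n++; mod[n] = $1; ven[n] = norm($2); dev[n] = norm($3)
        next
    }
    {                           # second file: one lspci -n line per device
        for (i = 1; i <= NF; i++) {
            if ($i !~ /^[0-9a-f][0-9a-f][0-9a-f][0-9a-f]:[0-9a-f][0-9a-f][0-9a-f][0-9a-f]$/) continue
            split($i, id, ":"); v = norm(id[1]); d = norm(id[2]); found = 0
            for (j = 1; j <= n; j++)
                if ((ven[j] == v || ven[j] == "ffffffff") && (dev[j] == d || dev[j] == "ffffffff")) {
                    print $1 " " $i " -> " mod[j]; found = 1
                }
            if (!found) print $1 " " $i " -> no module in pcimap (built-in driver, or look it up)"
        }
    }' "$1" "$2"
}

# Print the value of CONFIG_$2 from the .config $1: "y", "m", ..., or "n"
# when the symbol is absent or appears as "# CONFIG_$2 is not set".
config_value() {
    val=$(sed -n "s/^CONFIG_$2=\(.*\)\$/\1/p" "$1" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'n\n'; fi
}

# Return 0 if the .config matches what Step 8 asks for: CONFIG_CRYPTO=y and
# CONFIG_CRYPTO_SHA256=y with no other CONFIG_CRYPTO_* built, and
# CONFIG_GRKERNSEC=y with exactly one security level chosen.
# Each problem found is printed on its own line and the function returns 1.
check_grsec_config() {
    cfg=$1; rc=0
    [ "$(config_value "$cfg" CRYPTO)" = y ] || { echo "CONFIG_CRYPTO must be y"; rc=1; }
    [ "$(config_value "$cfg" CRYPTO_SHA256)" = y ] || { echo "CONFIG_CRYPTO_SHA256 must be y"; rc=1; }
    # "nothing else within it": flag every other CONFIG_CRYPTO_* set to y or m
    extra=$(sed -n 's/^\(CONFIG_CRYPTO_[A-Z0-9_]*\)=[ym]$/\1/p' "$cfg" | grep -v '^CONFIG_CRYPTO_SHA256$' || true)
    for sym in $extra; do
        echo "$sym is enabled; the HOWTO wants only CONFIG_CRYPTO and CONFIG_CRYPTO_SHA256"; rc=1
    done
    [ "$(config_value "$cfg" GRKERNSEC)" = y ] || { echo "CONFIG_GRKERNSEC must be y"; rc=1; }
    levels=0
    for lvl in LOW MEDIUM HIGH CUSTOM; do
        if [ "$(config_value "$cfg" GRKERNSEC_$lvl)" = y ]; then levels=$((levels + 1)); fi
    done
    [ "$levels" -eq 1 ] || { echo "exactly one CONFIG_GRKERNSEC_{LOW,MEDIUM,HIGH,CUSTOM} must be y (found $levels)"; rc=1; }
    return $rc
}

# Usage, as root on the server being upgraded (paths are the HOWTO's):
#   lspci -n > lspci.txt
#   sh preflight.sh pcimap /lib/modules/`uname -r`/modules.pcimap lspci.txt
#   sh preflight.sh config /usr/local/src/linux-2.4.31/.config
case "$1" in
    pcimap) pcimap_lookup "$2" "$3" ;;
    config) if check_grsec_config "$2"; then echo "$2: ok, continue with make dep"
            else echo "fix $2 before make dep"; exit 1; fi ;;
esac
```

Run the pcimap lookup against the kernel you are currently booted into, since the new tree gets its own modules.pcimap only when make modules_install runs depmod; a device that reports no module is either handled by a driver compiled into the running kernel or still needs the manual search the post describes. The config check reads the .config left behind by make menuconfig, so run it before make dep; the "nothing else within CRYPTO" rule is enforced by flagging any other CONFIG_CRYPTO_* symbol set to y or m.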

  2. #2
    Join Date: Jul 2001 | Location: Singapore | Posts: 1,889
    UPDATED. Leaders, please keep this post just in case I have more to add in future and the above post cannot hold the number of characters I post.

    Thanks
    Last edited by choon; 04-21-2004 at 06:22 PM.

  3. #3
    Hi

    It's great that you're posting this, but I hope you don't mind giving some additional help.

    At step 5 it says this to me:
    -bash: patch: command not found
    At step 10, it says this to me:
    [1] 11755
    nohup: appending output to `nohup.out'
    Is this right?

    Also, for the other command, this:
    [root@aries linux-2.4.24]# tail -f nohup.out
    rm -f $tmppiggy $tmppiggy.gz $tmppiggy.lnk
    ld -m elf_i386 -Ttext 0x100000 -e startup_32 -o bvmlinux head.o misc.o piggy.o
    make[2]: Leaving directory `/usr/local/src/linux-2.4.24/arch/i386/boot/compressed'
    objcopy -O binary -R .note -R .comment -S compressed/bvmlinux compressed/bvmlinux.out
    tools/build -b bbootsect bsetup compressed/bvmlinux.out CURRENT > bzImage
    Root device is (3, 2)
    Boot sector 512 bytes.
    Setup is 4840 bytes.
    System is 914 kB
    make[1]: Leaving directory `/usr/local/src/linux-2.4.24/arch/i386/boot'
    It stops here; the system is not hung, but it didn't go back. Any problem here?

  4. #4
    Join Date: Jul 2001 | Location: Singapore | Posts: 1,889
    I will update this HOWTO, as the latest kernel in the 2.4.x series is now 2.4.25, when I have time, but right now you should follow this HOWTO to get your system up2date if you are using Red Hat Linux 9.

  5. #5
    Join Date: Jul 2001 | Location: Singapore | Posts: 1,889
    OK, updated so that it is for kernel version 2.4.25 instead of 2.4.24. Thanks.

  6. #6
    Hi

    This is great, wonderful.

    But for step 15, I am using GRUB; how should I test it and set it to boot the new kernel on the next reboot?

    thanks!

  7. #7
    Join Date: Jul 2001 | Location: Singapore | Posts: 1,889
    Show us your grub.conf content and also:
    Code:
    ls -al /boot
    ls /lib/modules
    df -H
    If you are sure that your GRUB entry for the new kernel is alright, you can ask your provider to test booting into the new kernel.

  8. #8
    Hi

    This is my /etc/grub.conf:
    default=0
    timeout=10
    splashimage=(hd0,0)/grub/splash.xpm.gz
    title Red Hat Linux (2.4.25-grsec)
    	root (hd0,0)
    	kernel /vmlinuz-2.4.25-grsec ro root=LABEL=/
    	initrd /initrd-2.4.25-grsec.img
    title Red Hat Linux (2.4.20-30.9)
    	root (hd0,0)
    	kernel /vmlinuz-2.4.20-30.9 ro root=LABEL=/
    	initrd /initrd-2.4.20-30.9.img
    title Red Hat Linux (2.4.20-8)
    	root (hd0,0)
    	kernel /vmlinuz-2.4.20-8 ro root=LABEL=/
    	initrd /initrd-2.4.20-8.img

  9. #9
    Join Date: Jul 2001 | Location: Singapore | Posts: 1,889
    Oops...
    default=0
    And the first title is Red Hat Linux (2.4.25-grsec).
    You have set that as your default boot kernel.

  10. #10
    Join Date: May 2003 | Posts: 483
    Choon,

    Thank you for the guide, it worked quite well. Like Choon said, if you don't have much kernel experience this will be difficult to understand. The new kernel is working perfectly.

    Dan

    Last edited by choon; 03-21-2004 at 02:03 PM.

  11. #11
    Join Date: Oct 2003 | Location: Georgetown, Ontario | Posts: 1,771
    Would this work on RH EL v3 as well? Just curious.

    Last edited by choon; 04-12-2004 at 08:40 AM.

  12. #12
    Join Date: Mar 2003 | Location: California USA | Posts: 13,681
    Not really, cMark. RHE requires NPTL patching.

    Last edited by choon; 04-12-2004 at 08:40 AM.

  13. #13
    Join Date: Feb 2004 | Posts: 1,269
    Originally posted by thelinuxguy
    not really cMark RHE requires nptl patching

    Can someone explain this a bit more? i.e., how to do it.

    thanks

  14. #14
    Join Date: Jul 2001 | Location: Singapore | Posts: 1,889
    Just to let anyone interested know, there is a new kernel exploit:
    Linux kernel setsockopt MCAST_MSFILTER integer overflow
    And the grsecurity patch for 2.4.26 is available at the author's site.
    I will update this HOWTO when I have time, but please consider upgrading/updating your kernel.

  15. #15
    You the man, choon!

    Thank you, worked like a charm.

    Regards,
    Matt

  16. #16
    You can also patch the kernel with the Openwall security patches; since the grsecurity site got defaced a few weeks ago we don't trust them anymore.
    http://www.openwall.com/linux/

    Last edited by choon; 04-24-2004 at 05:16 AM.

  17. #17
    Join Date: Jul 2001 | Location: Singapore | Posts: 1,889
    I didn't notice that Openwall supports the 2.4.x series of kernels... all the while I was thinking they only support the 2.2.x series and below... OK, thanks for the info.

    I would appreciate anyone posting in this thread sticking to the topic of grsecurity, as this thread is all about the grsecurity patch. Anyone is welcome to post a new thread in the Technical forum to discuss it while I test that Openwall patch on the 2.4.26 kernel on one of my test boxes or servers.

    Once again, thanks, and sorry for my outdated notice about the Openwall patch.

  18. #18
    Join Date: Mar 2003 | Location: California USA | Posts: 13,681
    Originally posted by KingAdmin
    You can also patch the kernel with Openwall security patches since grsecurity site got defaced few weeks ago we don't trust them anymore.
    http://www.openwall.com/linux/


    It was an April Fools joke.

    Last edited by choon; 04-24-2004 at 06:20 PM.

  19. #19
    Join Date: Jul 2001 | Location: Singapore | Posts: 1,889
    As for believing it or not, that is beyond this thread's topic, and without facts being provided... you decide whether to believe it or not.

  20. #20
    Join Date: Feb 2004 | Posts: 1,269
    No one can really explain how to do it for RHE?

  21. #21
    Join Date: Jul 2001 | Location: Singapore | Posts: 1,889
    If you let me try
    Or pay thelinuxguy and learn from him

  22. #22
    Join Date: Feb 2004 | Posts: 1,269
    Originally posted by choon
    If you let me try
    Or pay thelinuxguy and learn from him
    I'll let you try, as long as you stop when you get it to make with no errors, and then ***I*** put it on the boot sector.

  23. #23
    2.4.26 will compile and work on RHEL without problems; 2.6.5 is more difficult, but it's doable.
    Last edited by choon; 04-27-2004 at 01:01 PM.

  24. #24
    Join Date: Mar 2003 | Location: California USA | Posts: 13,681
    KingAdmin, you will experience segfaults with BIND and other programs since the vanilla kernels do not have NPTL.
    Last edited by choon; 04-27-2004 at 01:01 PM.

  25. #25
    Join Date: Feb 2004 | Posts: 1,269
    Originally posted by thelinuxguy
    KingAdmin you will experience Segfaults with bind and other programs since the vanilia kernels do not have ntpl
    So the kernel will compile OK, but some programs will not run?

    or it won't even compile?
