    Compile 2.6.5 + GrSecurity

    Tested on Rh7.3, 9, fedora

     

    Today I will be discussing how to compile a 2.6.5 kernel with the GrSecurity patch. Before we go any further: anything bad that happens is your fault, not mine. Now that we've got that over and done with, let's talk about GrSecurity and what it is. GrSecurity is a patch applied to your kernel that acts as a multi-layered detection, prevention, and containment model. A complete list of its features can be located at

    Let's get started (as root):

    1.) Change to a directory to work in; for today we are going to choose /usr/src:

    cd /usr/src
    2.) Let's download the kernel and the grsecurity patch that matches the kernel version:

    3.) Extract and patch the kernel sources with the grsecurity patch:

    ( Please note: if you do not have "patch", you can use up2date on an up2date-enabled server to install it: up2date -f patch )


    patch -p0 < grsecurity-2.0-2.6.5.patch
    4.) Let's clean up the kernel source:


    make clean
    make mrproper
     
    5.) Grab that old kernel config and make a new config from it

    cp /boot/config-`uname -r` .config
    make oldconfig
    During this stage it will come to a part asking if you want to enable grsecurity. Select yes, and on the next screen I usually select medium. More info on the levels here:
    http://www.webhostingtalk.com/showth...hreadid=232664

    6.) Time to build the kernel up.

    ( Please note "make dep" is no longer required in 2.6.x kernels. )


    make bzImage
    (wait for this to complete and ensure no errors)

    make modules
    (wait for this to complete and ensure no errors)

    make modules_install
    (wait for this to complete and ensure no errors)
    7.) After everything is done compiling (it will take a while, get some coffee or something):


    cp .config /boot/config-2.6.5-grsec
    cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.5-grsec
    cp System.map /boot/System.map-2.6.5-grsec
    mkinitrd /boot/initrd-2.6.5-grsec.img 2.6.5-grsec

    WHICH BOOTLOADER DO I HAVE?!! OH NO!


    There are a few ways to figure this out.

    Solution 1:


    /sbin/grubby --bootloader-probe
    Solution 2:


    dd if=/dev/hda bs=512 count=1 2>&1 | grep GRUB
    dd if=/dev/hda bs=512 count=1 2>&1 | grep LILO

    One of them will kick back something like:

    root@w00t [~]# dd if=/dev/hda bs=512 count=1 2>&1 | grep GRUB
    Binary file (standard input) matches
    root@w00t [~]#
     

    Now that we have figured out the bootloader, let's add the kernel to the bootloader:

    LILO

    Add the following to lilo.conf (make sure you follow the format of your own bootloader settings):


    image=/boot/vmlinuz-2.6.5-grsec
            label=2.6.5-grsec
            initrd=/boot/initrd-2.6.5-grsec.img
            read-only
            append="root=LABEL=/"

    Before you set it to boot as default, let's make it boot the next time only. Save your config and do the following:
    /sbin/lilo -v -v
    /sbin/lilo -R 2.6.5-grsec

     

    GRUB

    Add the following to grub.conf (make sure you follow the format of your own bootloader settings):


    title Red Hat Linux (2.6.5-grsec)
            root (hd0,0)
            kernel (hd0,0)/vmlinuz-2.6.5-grsec root=/dev/hda3
            initrd (hd0,0)/initrd-2.6.5-grsec.img

    Info on GRUB's failsafe is located here:

    http://www.webhostingtalk.com/showth...hreadid=235241

     

    Reboot the box and hope for the best. Be sure to check dmesg for anything weird.


    This post was inspired by choon's post on 2.4.x kernels.


    Thank you,
    Steve

    Last edited by choon; 05-27-2004 at 11:12 AM.
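
A pre-reboot check for the steps in the post above, as an added example that is not part of the original post: it repeats the boot-sector probe from "Solution 2", then confirms that the files from step 7 exist, that the bootloader config names the kernel and initrd on an uncommented line, and that the saved config has grsecurity enabled. The function names, the precheck.sh file name and the fixture built in demo are assumptions made for illustration; CONFIG_GRKERNSEC is grsecurity's top-level config symbol.

```shell
# Added example: pre-reboot checks for the 2.6.5-grsec install in this post.
# detect_bootloader, check_boot_files and demo are hypothetical helper names.

# Print GRUB or LILO if found in the first 512-byte sector of $1, else "unknown".
detect_bootloader() {
    for name in GRUB LILO; do
        if dd if="$1" bs=512 count=1 2>/dev/null | LC_ALL=C grep -q "$name"; then
            echo "$name"; return 0
        fi
    done
    echo unknown; return 1
}

# $1 = boot directory, $2 = version tag, $3 = bootloader config file.
# Lists every problem found; returns non-zero if there is at least one.
check_boot_files() {
    boot=$1; tag=$2; conf=$3; rc=0
    # Files copied or generated in step 7 must exist and be non-empty
    for f in "config-$tag" "vmlinuz-$tag" "System.map-$tag" "initrd-$tag.img"; do
        [ -s "$boot/$f" ] || { echo "MISSING  $boot/$f"; rc=1; }
    done
    # The bootloader entry must name the kernel and initrd on an uncommented line
    for f in "vmlinuz-$tag" "initrd-$tag.img"; do
        grep -v '^[[:space:]]*#' "$conf" 2>/dev/null | grep -qF -- "$f" ||
            { echo "NO ENTRY $f in $conf"; rc=1; }
    done
    # The saved config should show grsecurity was enabled during make oldconfig
    grep -q '^CONFIG_GRKERNSEC=y' "$boot/config-$tag" 2>/dev/null ||
        { echo "NOT SET  CONFIG_GRKERNSEC=y in $boot/config-$tag"; rc=1; }
    return $rc
}

# Constructed fixture (not a real system): a fake /boot and a fake boot sector.
demo() {
    d=$(mktemp -d) || return 1
    for f in vmlinuz System.map; do echo x > "$d/$f-2.6.5-grsec"; done
    echo 'CONFIG_GRKERNSEC=y' > "$d/config-2.6.5-grsec"
    printf 'title t\n kernel (hd0,0)/vmlinuz-2.6.5-grsec\n initrd (hd0,0)/initrd-2.6.5-grsec.img\n' > "$d/grub.conf"
    printf '\353H\220\000\000GRUB \000Geom\000' > "$d/mbr.img"
    detect_bootloader "$d/mbr.img"
    check_boot_files "$d" 2.6.5-grsec "$d/grub.conf"   # initrd left out on purpose
    rc=$?; rm -rf "$d"; return $rc
}

# Real use: sh precheck.sh /dev/hda /boot 2.6.5-grsec /boot/grub/grub.conf
case $# in
    4) detect_bootloader "$1"; check_boot_files "$2" "$3" "$4" ;;
    *) demo || echo "demo: problem reported above (the initrd is left out on purpose)" ;;
esac
```

Run with no arguments it exercises the constructed fixture; with the four arguments shown in the last comment it checks the real disk and /boot before the reboot.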
