Hi everyone,
I am going to list down those steps that I used to compile my own kernel version 2.4.31 with grsecuirty 2.1.6-2.4.31-200506141150 patch. This is mainly for Red Hat Linux and will work on version 7.2, 7.3, 8.0 & 9. I have also used these steps for Fedora Core 1 and CentOS 3.x. Actually some of these steps can be used for any linux distributions provided you know what you are doing
Before you try these steps, you must have some experiences to compile your own kernel from source and have some basic understanding about
LILO or
GRUB. I am using LILO as an example here.
It is a good idea that you update your system first using up2date before this. Here is my little
up2date HOWTO.
FOLLOW THIS GUIDE AT YOUR OWN RISK AS I AM NOT RESPONSIBLE IN ANY DAMAGES CAUSED! YOU HAVE BEEN WARNED!!!
BEFORE YOU BEGIN
Before we build our custom kernel, you'll need to know what's in your server. Issue the following command as root to get the necessary names of your hardware, their PCI addresses, and their IRQs:
An example result for one of my server:
Quote:
00:00.0 Host bridge: Intel Corp.: Unknown device 2578 (rev 02)
00:01.0 PCI bridge: Intel Corp.: Unknown device 2579 (rev 02)
00:03.0 PCI bridge: Intel Corp.: Unknown device 257b (rev 02)
00:1d.0 USB Controller: Intel Corp. 82801EB USB (Hub #1) (rev 02)
00:1d.1 USB Controller: Intel Corp. 82801EB USB (Hub #2) (rev 02)
00:1d.2 USB Controller: Intel Corp. 82801EB USB (Hub #3) (rev 02)
00:1d.3 USB Controller: Intel Corp. 82801EB USB EHCI Controller #2 (rev 02)
00:1d.7 USB Controller: Intel Corp. 82801EB USB EHCI Controller (rev 02)
00:1e.0 PCI bridge: Intel Corp. 82801BA/CA/DB PCI Bridge (rev c2)
00:1f.0 ISA bridge: Intel Corp. 82801EB ISA Bridge (LPC) (rev 02)
00:1f.1 IDE interface: Intel Corp. 82801EB ICH5 IDE (rev 02)
00:1f.2 RAID bus controller: Intel Corp.: Unknown device 24df (rev 02)
00:1f.3 SMBus: Intel Corp. 82801EB SMBus (rev 02)
02:01.0 Ethernet controller: Intel Corp.: Unknown device 1019
03:06.0 VGA compatible controller: ATI Technologies Inc Rage XL (rev 27)
03:08.0 Ethernet controller: Intel Corp. 82801EB (ICH5) PRO/100 VE Ethernet Controller (rev 01)
|
Now you can find more information related to the hardware shown above by issuing the following command:
Code:
lspci -s 03:08.0 -vv
The output for the above as below:
Quote:
03:08.0 Ethernet controller: Intel Corp. 82801EB (ICH5) PRO/100 VE Ethernet Controller (rev 01)
Subsystem: Intel Corp.: Unknown device 342a
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR+ FastB2B-
Status: Cap+ 66Mhz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR-
Latency: 32 (2000ns min, 14000ns max), cache line size 08
Interrupt: pin A routed to IRQ 20
Region 0: Memory at feafe000 (32-bit, non-prefetchable) size=4K
Region 1: I/O ports at bc00 size=64
Capabilities: [dc] Power Management version 2
Flags: PMEClk- DSI+ D1+ D2+ AuxCurrent=0mA PME(D0+,D1+,D2+,D3hot+,D3cold+)
Status: D0 PME-Enable- DSel=0 DScale=2 PME-
|
You can use
lsmod and
cat /proc/interrupts to find out more about your current modules etc...
After you have all the necessary information, you can search for it at
Google with a query such as
linux 82801EB to know which modules name to use for your hardware.
Ok, here we start... ...
As root, do the following steps in order:
INSTALL DEPENDENCIES PACKAGES
Step 1: Install gcc and all its dependencies packages
We need gcc to compile kernel. Simply run this command to install if it is not installed gcc and all its dependencies:
OR if you are using Fedora you can use up2date or yum:
Step 2: Install ncurses-devel and all its dependencies packages
ncurses-devel package is needed while compiling kernel from source specially for running
make menuconfig:
Code:
up2date ncurses-devel
OR if you are using Fedora you can use up2date or yum:
Code:
yum install ncurses-devel
Step 3: Install patch package
You need patch package to be install so that you can use it to patch the kernel source:
OR if you are using Fedora you can use up2date or yum:
HERE WE REALLY BEGIN
Step 1: Change your current working directory
For me, I choose to download the kernel to /usr/local/src but you are free to choose a directory to store and build/compile your kernel.
Step 2: Download the latest stable kernel version 2.4.x series which is 2.4.31
Code:
wget -c http://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.31.tar.bz2
Step 3: Download the grsecurity patch
Code:
wget -c http://www.grsecurity.net/grsecurity-2.1.6-2.4.31-200506141150.patch.gz
Step 4: Unpack the kernel source
Code:
tar xvfj linux-2.4.31.tar.bz2
Step 5: Patch the kernel source with grsecurity patch
Code:
gunzip < grsecurity-2.1.6-2.4.31-200506141150.patch.gz | patch -p0
Step 6: Change your current working directory to the kernel source directory
Step 7: Clean your kernel source configuration etc...
Code:
make clean && make mrproper
Step 8: Use your current configuration to configure your new kernel
You might want to backup your current kernel modules and configuration.
Code:
cp /boot/config-`uname -r` .config
make oldconfig
make menuconfig
When you configure your kernel configuration using
make oldconfig to use the current booted kernel configuration, please set
CONFIG_CRYPTO=y and
CONFIG_CRYPTO_SHA256=y within the
CRYPTO option and nothing else within it. Then when you come to
GRSECURITY option, set it to
y and in
Security level option can be set to
Low,
Medium or
High. I set mine to
Medium. The following are the explanation for each option:
Low additional security
If you choose this option, several of the grsecurity options will be enabled that will give you greater protection against a number of attacks, while assuring that none of your software will have any conflicts with the additional security measures. If you run a lot of unusual software, or you are having problems with the higher security levels, you should say Y here. With this option, the following features are enabled:
linking restrictions
fifo restrictions
random pids
enforcing nproc on execve()
restricted dmesg
random ip ids
enforced chdir("/") on chroot
Medium additional security
If you say Y here, several features in addition to those included in the low additional security level will be enabled. These features provide even more security to your system, though in rare cases they may be incompatible with very old or poorly written software. If you enable this option, make sure that your auth service (identd) is running as gid 10 (usually group wheel). With this option the following features (in addition to those provided in the low additional security level) will be enabled:
random tcp source ports
failed fork logging
time change logging
signal logging
deny mounts in chroot
deny double chrooting
deny sysctl writes in chroot
deny mknod in chroot
deny access to abstract AF_UNIX sockets out of chroot
deny pivot_root in chroot
denied writes of /dev/kmem, /dev/mem, and /dev/port
/proc restrictions with special gid set to 10 (usually wheel)
address space layout randomization
removal of addresses from /proc/<pid>/[maps|stat]
High additional security
If you say Y here, many of the features of grsecurity will be enabled, that will protect you against many kinds of attacks against your system. The heightened security comes at a cost of an increased chance of incompatibilities with rare software on your machine. Since this security level enables PaX, you should view <http://pax.grsecurity.net> and read about the PaX project. While you are there, download chpax and run it on binaries that cause problems with PaX. Also remember that since the /proc restrictions are enabled, you must run your identd as group wheel (gid 10). This security level enables the following features in addition to those listed in the low and medium security levels:
additional /proc restrictions
chmod restrictions in chroot
no signals, ptrace, or viewing processes outside of chroot
capability restrictions in chroot
deny fchdir out of chroot
priority restrictions in chroot
segmentation-based implementation of PaX
mprotect restrictions
kernel stack randomization
mount/unmount/remount logging
kernel symbol hiding
If you need to customized the
Grsecurity options, you will need to run
make menuconfig then go to
Grsecurity option there and set the
Security level to
Customized and you are on your own since I am not a grsecurity guru
Many thanks to BigGorilla for more information about grsecurity configuration:
Spender's directory - includes a quickstart guide to grsecurity.
Grsecurity Config Help - list of all the grsec config options and what they do.
It is also a good idea for you to run
make menuconfig so that you can disable one or more of the following which you have to make sure you really don't need it:
- Telephony Support
- Fusion MPT device support
- IEEE 1394 (FireWire) support (EXPERIMENTAL)
- Amateur Radio support
- IrDA (infrared) support
- ISDN subsystem
- Multimedia devices
- Sound
- USB support
- Old CD-ROM drivers (not SCSI, not IDE)
- Bluetooth support
- Library routines
Step 9: make dep
Setp 10: make bzImage
Code:
nohup make bzImage &
You will see something like:
nohup: appending output to `nohup.out'
Just press ENTER then issue this command to view the nohup.out
To exit from the above, use CTRL+C keys.
Check for any errors and when in doubts do not continue. Use the error message as the search terms to do your search at google might helps you.
Step 11: make modules & make modules_install
Bring up another new xterm shell window and follow these steps: This step is required ONLY if you had enabled Loadable module support in step "Configure Step" above. Loadable module are located in /lib/modules. You MUST do this step if you enabled or disabled any modules, otherwise you will get 'unresolved symbols' errors during or after kernel boot.
Code:
nohup make modules 1> modules.out 2> modules.err &
HAVE A BREAK
Step 12: Check
Make modules will take several minutes depending on your server specs. If you are curious about whether did make modules finish, issue
ps auwx|grep make to check. Once you know that make modules finishes, check all the previous make...
Code:
less nohup.out
less modules.err
less modules.out
Again check for any errors and when in doubts do not continue. Use the error message as the search terms to do your search at google might helps you.
Step 13: Install the modules
After checking and there is no error for make bzImage and make modules, it is time to install your newly build modules.
Code:
make modules_install
Step 14: Bootloader and others
Code:
cp .config /boot/config-2.4.31-grsec
cp arch/i386/boot/bzImage /boot/vmlinuz-2.4.31-grsec
cp System.map /boot/System.map-2.4.31-grsec
mkinitrd /boot/initrd-2.4.31-grsec.img 2.4.31-grsec
If you are using LILO as your bootloader, edit your /etc/lilo.conf file to add this new kernel but do not set it as default boot kernel. An example as below:
Code:
image=/boot/vmlinuz-2.4.31-grsec
label=2.4.31-grsec
append="root=LABEL=/"
read-only
initrd=/boot/initrd-2.4.31-grsec.img
If you are using GRUB as your bootloader, edit /boot/grub/grub.conf file to add this new kernel but do not set it as default boot kernel. An example as below:
Code:
title Red Hat Linux (2.4.31-grsec)
root (hd0,0)
kernel /vmlinuz-2.4.31-grsec ro root=LABEL=/
initrd /initrd-2.4.31-grsec.img
Step 15: Test your new kernel
If you are using LILO, use the following command to check errors and update your LILO:
Then set LILO to boot to the new kernel for the next reboot:
Code:
lilo -R 2.4.31-grsec
If you are using GRUB, check out this
thread
Assume your default boot kernel is in the first entry among the rest of the kernels.
Add your new kernel in the first entry among the rest of the kernels (on top of your first original kernel which is the first entry before changes). You just change
default=1 and
fallback=2.
Code:
grub shell
grub> savedefault --default=0 --once
grub> quit
Then reboot:
If your system unable to boot up to the new kernel or causing all type of errors, then you have to reboot the server back to its default/old kernel. Thus it is good to have Remote Reboot Port (RRP) or APC MasterSwitch or similiar so that you don't have to call up your provider just for a reboot. Alternatively you can ask your provider to test your new kernel for you.
If the system is able to boot to your new kernel, please use
lsmod, dmesg, cat /var/log/boot.log etc... to check any errors. Leave the system there running with this new kernel at least for a week to test for any errors before setting it as the default kernel.
Again, NEVER set your new kernel as default boot kernel until you have tested it and run FINE for a period of time like a week or so to make sure that your kernel is stable with no error.
References:
Grsecurity
Grsecurity Features
Kernel
Kernel HOW TO
Kernel Trap
Kernel Newbies
Upgrading the Linux Kernel on Red Hat Linux systems
Grsecurity at SecurityFocus.com
Hope this helps
Thanks.
Kindest regards,
Choon
P.S. I might be wrong in certain steps but these steps as listed above work for me
P.P.S. Suggestions or addons are very welcome
Linear Mode
