Compile 2.6.5 + GrSecurity

#1 | Steven | 04-20-2004, 03:08 AM

Tested on Rh7.3, 9, fedora

 

Today I will be discussing how to compile a 2.6.5 kernel with the GrSecurity patch. Before we go any further: anything bad that happens is your fault, not mine. Now that we got that over and done with, let's talk about GrSecurity and what it is. GrSecurity is a patch applied to your kernel and acts as a multi-layered detection, prevention, and containment model. A complete list of its features can be located at

Let's get started (as root):

1.) Change to a directory to work in; for today we are going to choose /usr/src:

Quote:
cd /usr/src
2.) Let's download the kernel and the grsecurity patch that matches the kernel version:

3.) Extract and patch the kernel sources with the grsecurity patch:

( Please note: if you do not have "patch", you can use up2date on an up2date-enabled server to install it: up2date -f patch )

Quote:

patch -p0 < grsecurity-2.0-2.6.5.patch
4.) Let's clean up the kernel source:

Quote:

make clean
make mrproper
 
5.) Grab that old kernel config and make a new config from it:
Quote:

cp /boot/config-`uname -r` .config
make oldconfig
During this stage it will come to a part asking if you want to enable grsecurity; select yes, and on the next screen I usually select medium. More info on the levels here:
http://www.webhostingtalk.com/showth...hreadid=232664

6.) Time to build the kernel up.

( please note "make dep" is not required in 2.6.x kernels any longer. )

Quote:

make bzImage
(wait for this to complete and ensure no errors)

make modules
(wait for this to complete and ensure no errors)

make modules_install
(wait for this to complete and ensure no errors)
7.) After everything is done compiling (it will take a while, get some coffee or something):

Quote:

cp .config /boot/config-2.6.5-grsec
cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.5-grsec
cp System.map /boot/System.map-2.6.5-grsec
mkinitrd /boot/initrd-2.6.5-grsec.img 2.6.5-grsec

WHICH BOOTLOADER DO I HAVE?!! OH NO!


There are a few ways to figure this out.

Solution 1:

Quote:

/sbin/grubby --bootloader-probe
Solution 2:

Quote:

dd if=/dev/hda bs=512 count=1 2>&1 | grep GRUB
dd if=/dev/hda bs=512 count=1 2>&1 | grep LILO

One of them will kick back something like:

root@w00t [~]# dd if=/dev/hda bs=512 count=1 2>&1 | grep GRUB
Binary file (standard input) matches
root@w00t [~]#
 

Now that we have figured out the bootloader lets add the kernel to the bootloader:

LILO

Add the following to the lilo.conf ( make sure you follow the format of your own bootloader settings)

Quote:

image=/boot/vmlinuz-2.6.5-grsec
        label=2.6.5-grsec
        initrd=/boot/initrd-2.6.5-grsec.img
        read-only
        append="root=LABEL=/"

Before you set it to boot as default, let's make it boot the next time only. Save your config and do the following:
/sbin/lilo -v -v
/sbin/lilo -R 2.6.5-grsec

 

GRUB

Add the following to the grub.conf ( make sure you follow the format of your own bootloader settings)

Quote:

title Red Hat Linux (2.6.5-grsec)
        root (hd0,0)
        kernel (hd0,0)/vmlinuz-2.6.5-grsec root=/dev/hda3
        initrd (hd0,0)/initrd-2.6.5-grsec.img

Info on GRUB's failsafe is located here:

http://www.webhostingtalk.com/showth...hreadid=235241

 

Reboot the box and hope for the best; be sure to check dmesg for anything weird.


This post was inspired by choon's post on 2.4.x kernels.


Thank you,
Steve


Last edited by choon; 05-27-2004 at 11:12 AM.
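
Before the reboot step in the post above, it helps to confirm that the new grub.conf entry points at files that actually exist. The shell function below is an added example, not part of the original post; the name `verify_grub_entry` is chosen here, and it assumes GRUB's (hd0,0) is the partition mounted at /boot, as the post's entry implies.

```shell
#!/bin/sh
# Added example: confirm a grub.conf entry points at files that exist
# before rebooting into it.

# verify_grub_entry CONF TITLE BOOTDIR
#   CONF    path to grub.conf
#   TITLE   substring of the entry's "title" line
#   BOOTDIR directory holding the files of GRUB's (hdX,Y) partition
#           (assumption: /boot is its own partition, as in the post)
# Returns 0 if every kernel/initrd file is present and non-empty,
# 1 if any is missing, 2 if no matching entry was found.
verify_grub_entry() {
    conf=$1; want=$2; bootdir=$3
    paths=$(awk -v want="$want" '
        $1 == "title" { hit = (index($0, want) > 0); next }
        hit && ($1 == "kernel" || $1 == "initrd") {
            p = $2
            sub(/^\([^)]*\)/, "", p)   # drop the (hd0,0) device prefix
            print p
        }' "$conf")
    if [ -z "$paths" ]; then
        echo "no grub entry matching '$want'" >&2
        return 2
    fi
    rc=0
    for p in $paths; do
        if [ ! -s "$bootdir$p" ]; then
            echo "missing or empty: $bootdir$p" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed demo: a scratch /boot holding the kernel but no initrd yet.
demo=$(mktemp -d)
cat > "$demo/grub.conf" <<'EOF'
title Red Hat Linux (2.6.5-grsec)
        root (hd0,0)
        kernel (hd0,0)/vmlinuz-2.6.5-grsec root=/dev/hda3
        initrd (hd0,0)/initrd-2.6.5-grsec.img
EOF
echo kernel > "$demo/vmlinuz-2.6.5-grsec"
if verify_grub_entry "$demo/grub.conf" 2.6.5-grsec "$demo"; then
    echo "entry OK"
else
    echo "do not reboot yet"
fi
rm -rf "$demo"
```

On a real box the call would be `verify_grub_entry /boot/grub/grub.conf 2.6.5-grsec /boot`, run after step 7 and before the reboot.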


#2 | Steven | 04-20-2004, 03:11 AM
If anyone has a spare RHE cPanel box I can try on, let me know =)


Last edited by choon; 05-27-2004 at 11:13 AM.

#3 | KingAdmin | 04-20-2004, 09:17 PM
Works on any Linux distro

Before you even touch a 2.6 kernel you need to:

Download the latest version of module-init-tools
module-init-tools-3.0-pre10.tar.gz and modutils-2.4.21-2x.src.rpm

http://www.kernel.org/pub/linux/kern...rusty/modules/

Install module-init-tools
This will replace depmod [/sbin/depmod] and other tools.

tar -zxvf module-init-tools-3.0-pre10.tar.gz
cd module-init-tools-3.0-pre10
./configure --prefix=/sbin
make
make install
./generate-modprobe.conf /etc/modprobe.conf

Install modutils-2.4.21-23.src.rpm
You may get warnings about user rusty and group rusty not existing. Also, yes, you'll have to force the install. If you don't do these steps for both Redhat 9 and Redhat 8, you'll have problems with the make modules_install.

rpm -i modutils-2.4.21-23.src.rpm
rpmbuild -bb /usr/src/redhat/SPECS/modutils.spec
rpm -Fi /usr/src/redhat/RPMS/i386/modutils-2.4.21-23.i386.rpm

Important
Make sure that while configuring the kernel you compile EXT3 filesystem support into the kernel; otherwise, if you compile it as a module, you'll get an error like this upon bootup:

pivotroot: pivot_root(/sysroot,/sysroot/initrd) failed

This is because Redhat 9.0 and 8.0 use the ext3 filesystem for /boot

Configure and compile the kernel
make menuconfig
make bzImage
make modules
make modules_install
make install

After compilation
/etc/rc.sysinit needs to be modified. Look for the following line
action $"Mounting proc filesystem: " mount -n -t proc /proc /proc
and after this line enter the following:
action $"Mounting sysfs filesystem: " mount -n -t sysfs /sys /sys

Reboot....


Last edited by choon; 05-27-2004 at 11:13 AM.
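
The points raised in the post above (ext3 must be built in, and rc.sysinit needs a sysfs mount), together with the grsecurity prompt from step 5 of the first post, can be checked from a script before building and rebooting. This is an added example, not code from the thread; the function names are chosen here, and CONFIG_EXT3_FS and CONFIG_GRKERNSEC are the kernel's and grsecurity's option symbols.

```shell
#!/bin/sh
# Added example: pre-build checks for the kernel .config and rc.sysinit.

# config_state CONFIG SYMBOL: print y, m, or unset for one option.
config_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    echo "${val:-unset}"
}

# check_config CONFIG: return 0 if both options are built in, 1 otherwise.
check_config() {
    cfg=$1; bad=0
    ext3=$(config_state "$cfg" CONFIG_EXT3_FS)
    if [ "$ext3" != y ]; then
        echo "CONFIG_EXT3_FS=$ext3: build ext3 in (=y), not as a module" >&2
        bad=1
    fi
    grsec=$(config_state "$cfg" CONFIG_GRKERNSEC)
    if [ "$grsec" != y ]; then
        echo "CONFIG_GRKERNSEC=$grsec: grsecurity is not enabled" >&2
        bad=1
    fi
    return $bad
}

# rc_mounts_sysfs FILE: return 0 if an uncommented sysfs mount is present.
rc_mounts_sysfs() {
    grep -Eq '^[^#]*mount .*-t sysfs' "$1"
}

# Constructed sample: ext3 as a module, grsecurity on, no sysfs mount yet.
demo=$(mktemp -d)
printf '%s\n' 'CONFIG_EXT3_FS=m' 'CONFIG_GRKERNSEC=y' > "$demo/config"
printf '%s\n' 'action $"Mounting proc filesystem: " mount -n -t proc /proc /proc' \
    > "$demo/rc.sysinit"
if check_config "$demo/config"; then
    echo "config OK"
else
    echo "fix .config before running make bzImage"
fi
rc_mounts_sysfs "$demo/rc.sysinit" || echo "rc.sysinit lacks the sysfs mount"
rm -rf "$demo"
```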

#4 | Pheaton | 04-23-2004, 05:45 PM
Quote:
Originally posted by KingAdmin
Works on any Linux distro

Even RHEL?


Last edited by choon; 05-27-2004 at 11:14 AM.

#5 | null | 04-25-2004, 05:54 PM
Does this work for Dual Xeon?


Last edited by choon; 05-27-2004 at 11:14 AM.

#6 | Steven | 04-25-2004, 09:33 PM
Quote:
Originally posted by KingAdmin
Works on any Linux distro


Why are you downgrading your modutils?


Last edited by choon; 05-27-2004 at 11:14 AM.

#7 | KingAdmin | 04-27-2004, 12:37 PM
Quote:
Originally posted by thelinuxguy
Why are you downgrading your modutils?

Cause otherwise it will not detect new modules (.ko extension) upon bootup.


Last edited by choon; 05-27-2004 at 11:15 AM.

#8 | TomNiq | 05-11-2004, 12:53 AM
worked great!

#9 | AexiSolutions | 05-12-2004, 10:57 AM
Surely the address for the kernel is wrong, you've given a patch file and then said to make clean etc etc.

You can't do that with a patch file


Last edited by choon; 05-27-2004 at 11:15 AM.

#10 | maxhest | 05-15-2004, 03:51 PM
He did this on my server and it worked great, always great Steve!


Last edited by choon; 05-27-2004 at 11:16 AM.

#11 | stftk | 05-17-2004, 02:50 PM
Anyone know how to get iptables working under 2.6.6 ?

Whether I compile iptables into kernel or as a module, I always get the same error when APF starts:

------
iptables v1.2.7a: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
------

I've also built IPtables 1.2.9 from source using the 2.6.6 kernel path however it results in the same error as above.

Looks like this happens to many people with the 2.6 kernel: http://www.google.com/search?hl=en&i...6+and+iptables


Last edited by choon; 05-27-2004 at 11:16 AM.

#12 | stftk | 05-20-2004, 06:58 PM
Figured it out, problem with APF, you need to turn 'MONOKERN' to 1 while in the 2.6 series kernel.


Last edited by choon; 05-27-2004 at 11:17 AM.

#13 | choon | 05-27-2004, 11:21 AM
thelinuxguy, Please check through your HOWTO and if you need any changes please use the report to CL and state what you intend to change. For your Step 2...
Code:
wget -c http://www.kernel.org/pub/linux/kernel/v2.6/patch-2.6.5.bz2
You are linking to the patch of the kernel, not the full source kernel.

#14 | Steven | 05-27-2004, 08:31 PM
OK, I'll have it fixed soon

#15 | PHPGeek2k3 | 06-20-2004, 05:51 PM
Great Howto

Thank you The Linux Guy

Thanks
- James
