How to install GRSECURITY with vanilla kernel ( Centos 5 )

Status
Not open for further replies.

Dom

Hey Guys ,

Here is my Tut ,

What is Gr Security ?

Grsecurity is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. It is licensed under the GPL.
It offers among many other features:

* An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
* Change root (chroot) hardening
* /tmp race prevention
* Extensive auditing
* Prevention of entire classes of exploits related to address space bugs (from the PaX project)
* Additional randomness in the TCP/IP stack
* A restriction that allows a user to only view his/her processes
* Every security alert or audit contains the IP address of the person that caused the event

Here we go :)

1. Login to your server via ssh and yum update

2. Let's move to this directory :
Code:
cd /usr/src
3. Now we are going to download and install gcc :
Code:
yum install gcc
This should install kernel-headers , gcc++ etc.

4. Download the Kernel :
Code:
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.27.10.tar.gz
5. Let's open this bad boy up :
Code:
tar zxvf linux-2.6.27.10.tar.gz
6. Also we need to create a symlink :
Code:
 ln -s linux-2.6.27.10 linux
7. Now grab the patch :) :
Code:
 wget http://grsecurity.net/grsecurity-2.1.12-2.6.27.10-200812271347.patch.gz
Also install patch module : " yum install patch "

8. Open the patch
Code:
 gzip -d grsecurity-2.1.12-2.6.27.10-200812271347.patch.gz
9. The good bit, now let's patch the kernel :
Code:
patch -p0 < grsecurity-2.1.12-2.6.27.10-200812271347.patch
10. Move to the boot :
Code:
cd /boot
11. Look at the directory by entering this :
Code:
ls
You should see config-xxxx

12. Move the config like this :
Code:
cp config-xxx.xxx-x /usr/src/linux/.config
13. Move back to linux folder :
Code:
cd /usr/src/linux
and compile
Code:
make menuconfig

And choose security level to your liking.

After you compile the kernel please enter this
Code:
make bzImage; make modules; make modules_install; make install
Now do this :
Code:
nano /boot/grub/menu.lst
Should look like this :

Code:
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00
#          initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.27.10-grsec)
       root (hd0,0)
       kernel /vmlinuz-2.6.27.10 ro root=/dev/VolGroup00/LogVol00
       initrd /initrd-2.6.27.10.img
title CentOS (2.6.18-92.el5)
       root (hd0,0)
       kernel /vmlinuz-2.6.18-92.el5 ro root=/dev/VolGroup00/LogVol00
       initrd /initrd-2.6.18-92.el5.img
You're going to have default=1 , you need to change it to default=0. Then reboot , now you have a hardened kernel ;)

You can check by this command :

Code:
 uname -r
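
Added example, not part of the original post: a shell check that reads a GRUB legacy menu.lst, resolves which entry `default=` selects, and reports whether that entry and the running kernel are the grsec build. The function names and the embedded sample file are made up for this illustration; the sample reuses the two entries shown above with `default=1` still in place.

```shell
#!/bin/sh
# Added example: which kernel will GRUB legacy boot by default?

# Print the value of default= from menu.lst (0 if the line is absent).
grub_default_index() {
    awk -F= '/^default=/ { v = $2 } END { print (v == "" ? 0 : v) }' "$1"
}

# Print "title|kernel image" for entry number $2 (0-based); fail if missing.
grub_entry() {
    awk -v want="$2" '
        /^[ \t]*title[ \t]/  { n++; sub(/^[ \t]*title[ \t]+/, ""); title = $0 }
        /^[ \t]*kernel[ \t]/ { if (n - 1 == want) { print title "|" $2; found = 1; exit } }
        END { if (!found) exit 1 }
    ' "$1"
}

# Return 0 when the default entry's title or image contains $2 (e.g. grsec).
default_entry_matches() {
    entry=$(grub_entry "$1" "$(grub_default_index "$1")") || return 2
    case "$entry" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# Return 0 when the running kernel release (uname -r) contains $1.
running_kernel_matches() {
    case "$(uname -r)" in *"$1"*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample: the two entries from the post, with default=1 unchanged.
sample=$(mktemp)
cat > "$sample" <<'EOF'
default=1
timeout=5
title CentOS (2.6.27.10-grsec)
       root (hd0,0)
       kernel /vmlinuz-2.6.27.10 ro root=/dev/VolGroup00/LogVol00
       initrd /initrd-2.6.27.10.img
title CentOS (2.6.18-92.el5)
       root (hd0,0)
       kernel /vmlinuz-2.6.18-92.el5 ro root=/dev/VolGroup00/LogVol00
       initrd /initrd-2.6.18-92.el5.img
EOF

echo "default entry: $(grub_entry "$sample" "$(grub_default_index "$sample")")"
default_entry_matches "$sample" grsec || echo "WARNING: default entry is not the grsec kernel"
running_kernel_matches grsec || echo "WARNING: running kernel is $(uname -r), not grsec"
```

On the server itself, pass /boot/grub/menu.lst instead of the sample file; run it before the reboot to catch a stale `default=1` and after it to confirm the grsec kernel is the one running.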
 
13 comments
Did you really write it? Why would anyone use 2 years old kernel and grsecurity at this time? You do realize there are already multiple exploits for those versions, right?
 
Yes I did write it , it's the only kernel I could find that was easy to install for members here

Ok, you are really confusing me now. What exactly is the difference besides different file names? It's a simple kernel installation with patching certain files. What could possibly be different?

How did you compile kernel/grsec without upgrading binutils? Are you sure your server is booted into new grsec kernel? You might want to consider re-checking uname once again, since it's NOT possible to finish the process without upgrading binutils.
 
binutils should be upgraded when the user did yum update

Really? You might want to re-check that. The newest version isn't included yet. Binutils needs to be compiled and installed from the source (the newest version).

Once again, how did you install it without binutil?
 
I didn't compile the kernel without the binutil , binutil was installed @ version 2.19. If you don't like my thread please stay out of them.
 

Why? You are writing(ripping?) a 2 years old tutorial with old kernel and grsecurity. I don't think you realize there are already a few exploits out for that version so what is the point? Why do you want people to upgrade to a vulnerable version?

*Reported to be deleted for security reasons.
 