Grsecurity: Configure RHEL5/6 Kernel for Grsecurity

Grsecurity


Grsecurity is a set of patches for the Linux kernel with an emphasis on enhancing security. It allows the system administrator to, among other things, define a least privilege policy for the system, in which every process and user has only the lowest privileges needed to function.

Security is a prime concern for a Linux administrator, especially for Internet-facing systems or websites where a single vulnerability can make an intruder's day. Grsecurity is a set of patches that helps mitigate kernel security loopholes and provides a more reliable and secure system. It is developed by Brad Spengler, licensed under the GNU General Public License, and available only for the Linux kernel. Grsecurity is Free Software.

PAX:

A major component bundled with Grsecurity is PaX. The patch flags data memory, for example, as non-executable and program memory as non-writable. The aim is to prevent memory from being overwritten, which can help to prevent many types of security vulnerabilities.
PaX is a patch for the Linux kernel that implements least privilege protection for memory pages. Least privilege protection is a mechanism that allows a computer program to perform only the operations it needs to accomplish its task and nothing more. PaX flags data memory as non-executable and program memory as non-writable, and randomly arranges the program memory, which effectively prevents many security exploits such as buffer overflows.

Another feature of GrSEC is that it provides Role Based Access Control (RBAC).  RBAC is intended to restrict access to the system further than what is normally provided by Unix access control lists, with the aim of creating a fully least-privilege system, where users and processes have the absolute minimum privileges to work correctly and nothing more. 



Configure/Install GrSecurity:

Step #1: To enable Grsecurity on a Linux system, the kernel needs to be compiled from the Linux kernel source.
Linux kernel source: download it from https://www.kernel.org/
GCC, Curl and their dependencies are also required to compile the kernel; they may already be available from your Linux distribution.

The official Grsecurity website is http://www.grsecurity.net
Detailed documentation can be found on the website.

The following patches are available for the Linux kernel branches 2.6.XX and 3.2.XX

The above two patches are compatible with Linux kernel 2.6.32 and 3.2.51, so be careful when downloading the kernel that it matches one of these versions; other kernel versions will need extra effort.

Let's go with
for RHEL5 or CentOS5 installation

 # tar -xJvf linux-2.6.32.61.tar.xz  

Note: -J will only work with newer "tar".

Extract the kernel in any temporary location and place the Grsecurity patch in the same location.

Then apply the patch with the following command:


# patch -p1 < grsecurity-2.9.1-2.6.32.61-201309281101.patch 


It should work smoothly if the kernel version and the Grsecurity patch version are identical. A version mismatch may lead to a patching failure and will need extra effort.
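The version check described above can be automated before the tree is modified. The following is an added example, not part of the original post: the function names are hypothetical, and the file name layouts are assumed from the two names used here (`linux-<kernel>.tar.xz` and `grsecurity-<grsec>-<kernel>-<timestamp>.patch`).

```shell
#!/bin/sh
# Added example: pre-flight check before applying a grsecurity patch.

# Print the kernel version embedded in a kernel tarball name.
tarball_kver() {
    name=${1##*/}                      # drop any directory part
    case $name in
        linux-*.tar.*) ;;
        *) return 1 ;;
    esac
    name=${name#linux-}                # 2.6.32.61.tar.xz
    printf '%s\n' "${name%.tar.*}"     # 2.6.32.61
}

# Print the kernel version embedded in a grsecurity patch name.
patch_kver() {
    name=${1##*/}
    case $name in
        grsecurity-*-*-*.patch) ;;
        *) return 1 ;;
    esac
    name=${name#grsecurity-}           # 2.9.1-2.6.32.61-201309281101.patch
    name=${name#*-}                    # 2.6.32.61-201309281101.patch
    printf '%s\n' "${name%-*}"         # 2.6.32.61
}

# Return 0 only when tarball and patch target the same kernel version,
# 1 on mismatch, 2 when a name cannot be parsed.
versions_match() {
    kv=$(tarball_kver "$1") || return 2
    pv=$(patch_kver "$2") || return 2
    [ "$kv" = "$pv" ]
}

# Refuse to modify the tree unless versions agree and a dry run is clean.
# Run from inside the extracted kernel source directory.
safe_apply() {  # usage: safe_apply <tarball> <patch>
    versions_match "$1" "$2" || { echo "version mismatch: not patching" >&2; return 1; }
    patch -p1 --dry-run --silent < "$2" || { echo "dry run failed" >&2; return 1; }
    patch -p1 < "$2"
}
```

`patch --dry-run` reports rejected hunks without writing anything, so a failed check leaves the source tree clean for another attempt.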

After a successful patch, the kernel source is ready to compile.


Next, we need to create the kernel's configuration file (.config) and enable Grsecurity in it.

Steps to Compile Kernel from Source

Now you can start the kernel configuration by typing any one of these commands:
      • $ make menuconfig - Text-based color menus, radiolists and dialogs. This option is also useful if you want to compile the kernel on a remote server.
      • $ make xconfig - X Window (Qt) based configuration tool, works best under the KDE desktop.
      • $ make gconfig - X Window (Gtk) based configuration tool, works best under the Gnome desktop.


Navigate to Security Options in the menu and press Enter to see the options available there.


If the patch was applied successfully without any error, the Grsecurity option should appear there.



Then place an [*] mark by pressing Enter/Return to include Grsecurity in the kernel compilation.
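Once the configuration is saved, the resulting file can be checked before spending time on a build. This is an added example, not from the original post: the function names are hypothetical, the sample configuration is constructed, and the option list assumes the grsecurity patch's `CONFIG_GRKERNSEC` and `CONFIG_PAX*` symbols for the features described above (non-executable data, non-writable program memory, randomized layout).

```shell
#!/bin/sh
# Added example: confirm a saved kernel .config enables grsecurity and PaX.

# Options to require; adjust to the policy you intend to enforce.
GRSEC_OPTS="CONFIG_GRKERNSEC CONFIG_PAX CONFIG_PAX_NOEXEC CONFIG_PAX_MPROTECT CONFIG_PAX_ASLR"

# Print the state of one option in a .config file: y, m, a value, or "unset".
# Lines such as "# CONFIG_X is not set" do not match and count as unset.
config_state() {  # usage: config_state <file> <OPTION>
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# Print every required option that is not "y"; return 1 if any are missing.
missing_opts() {  # usage: missing_opts <file>
    missing=
    for opt in $GRSEC_OPTS; do
        [ "$(config_state "$1" "$opt")" = y ] || missing="$missing $opt"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample: grsecurity selected, but MPROTECT left disabled.
write_sample_config() {  # usage: write_sample_config <file>
    cat > "$1" <<'EOF'
CONFIG_GRKERNSEC=y
CONFIG_PAX=y
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_MPROTECT is not set
CONFIG_PAX_ASLR=y
EOF
}
```

Run `missing_opts .config` in the kernel source directory; the same check works after reboot against the `config-*` file that `make install` places in /boot.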



Save the configuration and start the kernel compilation with the following steps.
Start compiling to create a compressed kernel image:
$ make
Start compiling the kernel modules:
$ make modules
Install the kernel modules (become the root user with the su command):
$ su -
# make modules_install

Install kernel

So far we have compiled the kernel and installed the kernel modules. It is time to install the kernel itself.
# make install
It will install three files into the /boot directory and modify your kernel grub configuration file:
  • System.map-2.6.25
  • config-2.6.25
  • vmlinuz-2.6.25

Create an initrd image

Type the following command at a shell prompt:
# cd /boot
# mkinitrd -o initrd.img-2.6.25 2.6.25
An initrd image contains the device drivers needed to load the rest of the operating system later on. Not all computers require an initrd, but it is safe to create one.

Modify Grub configuration file - /boot/grub/menu.lst

Open file using vi:
# vi /boot/grub/menu.lst
title           Debian GNU/Linux, kernel 2.6.32-grsec Default
root            (hd0,0)
kernel          /boot/vmlinuz root=/dev/hdb1 ro
initrd          /boot/initrd.img-2.6.25
savedefault
boot
Remember to set up the correct root=/dev/hdXX device. Save and close the file. If you think editing and writing all the lines by hand is too much for you, try the update-grub command to update the lines for each kernel in the /boot/grub/menu.lst file. Just type the command:
# update-grub

Reboot the computer and boot into your new Grsecurity kernel

Just issue the reboot command:
# reboot