[HOWTO] Compiling 2.6.10 + Grsec

Bushrat

Source: eth0.us

Compiling 2.6.10 Kernel + Grsecurity

How-To: Compile a monolithic 2.6.10 kernel with grsecurity and secfix patch

This guide was designed for the ev1 configured PowerEdge servers. I have tested it on the 2.0 and 2.4 GHz Xeons, and 2.0 and 3.0 GHz Celerons. It should also work fine with the P4 2.0 GHz+ but I have personally not tested one yet. I do not have any plans to test this kernel on any older systems, though as long as the network card support is built in it will probably work. If you post here with specific problems on boot I can try to add the needed modules to my config. I started this as a project to increase the performance and security of my servers. The 2.6.x kernel has many improvements that have dramatically dropped the load on the servers I have tested this on so far. In addition to that, the kernel does not support loadable modules, the definition of monolithic, which removes one method of possible vulnerabilities and is also more efficient. Though there are no studies directly linking grsecurity to increased security, it only adds additional security to your system with very few negative drawbacks. I think that is worth the extra time to configure in grsecurity in the chance that it may possibly block a possible cracker.

This kernel is patched against the following vulnerability: http://www.isec.pl/vulnerabilities/isec-0021-uselib.txt. This is the root level exploit that was released January 7th. It is *HIGHLY* suggested that you upgrade ASAP. This particular exploit along with a worm much like the phpBB worm could be disastrous, yielding full root access.

***This guide is to be used completely at your own risk! ***

I have tested it on three different systems and all came up without any problems. If the server does not come up you can simply reboot it and it will come back online with an older version that works. If you have any comments about the .config posted please post them; I am always interested in making improvements!

Now that that is done, the guide is below. Good luck!

Unlike the other kernel, the module-init tools are not needed because there are no modules to be loaded.

First we will check the server has the correct modules. Chances are very good that if it has the correct ethernet drivers your system will be able to boot up even if it is not a system posted above. Please post if you try it and it works on other configurations.

Look at the loaded modules for your current kernel:

-----command-----

cat /etc/modules.conf |grep eth

-----command-----

If you have any one of the lines below you should be fine. The eth* does not matter as long as it matches. A label of eth0 means it is the main NIC while eth1 refers to the pnet NIC. *WARNING* If you do not have one of the modules listed below for your network card your server is not going to boot! Please post what you have below and I can try to help you out, or you can look on Google for the correct module.

alias eth0 8139too

alias eth0 e1000

alias eth0 e100

alias eth0 tg3

alias eth0 eth100

alias eth0 natsemi

Now we will download the 2.6.10 kernel along with the grsecurity patch and apply the patch.

-----command-----

cd /usr/local/src/

wget http://www.kernel.org/pub/linux/kernel/v2....x-2.6.10.tar.gz

tar -zxf linux-2.6.10.tar.gz

wget http://grsecurity.net/grsecurity-2.1.0-2.6...501071049.patch

patch -p0 < grsecurity-2.1.0-2.6.10-200501071049.patch

wget http://grsecurity.net/linux-2.6.10-secfix-200501071130.patch

patch -p0 < linux-2.6.10-secfix-200501071130.patch

-----command-----

If you are already running one of my 2.6.9 kernels run the following command to copy the old config to your new kernel to ensure you have the same configuration:

-----command-----

cp linux-2.6.9/.config linux-2.6.10/

cd linux-2.6.10

-----command-----

When you run make it will ask some questions; just press and hold enter for them as you do not need any of the modules it asks about.

If you do not have one of my kernels running, run this command:

-----command-----

cd linux-2.6.10

wget http://eth0.us/2.6.10/.config

-----command-----

At this stage you can configure the kernel how you like it. By running "make menuconfig" you will be presented with a huge menu of options that you can try to compile into your kernel. After you do your changes click exit and continue. I have already removed just about everything extra and no changes are necessary. Please note that if you do add features you need to add them statically into the kernel as this kernel does not support loadable modules. If you do add module support and modules your server will not boot using the directions below. If you add anything but module support it will automatically be added statically in menuconfig.

Now to actually compile the kernel.

-----command-----

make

-----command-----

Make sure there are *NO* errors after this! If you do get errors the below is not going to work.

If you go back and try to recompile your kernel after you have copied the files to /boot you will first need to delete or overwrite the files. Go ahead and delete them.

-----command-----

rm -rf /boot/config-2.6.10-grsec-eth00

rm -rf /boot/vmlinuz-2.6.10-grsec-eth00

rm -rf /boot/System.map-2.6.10-grsec-eth00

-----command-----

Copy the new files into your /boot directory.

-----command-----

cp .config /boot/config-2.6.10-grsec-eth00

cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.10-grsec-eth00

cp System.map /boot/System.map-2.6.10-grsec-eth00

-----command-----

All of the ev1 servers I have worked on have lilo installed, so below is what you need to add to the file to allow you to boot. The append elevator=deadline should help with the IO of your server which will in turn lower your server loads. If after recompiling you have trouble with the IO, remove the line and reboot to see if that is what is causing the trouble.

-----command-----

pico -w /etc/lilo.conf

-----command-----

Now scroll to the bottom and add these lines:

image=/boot/vmlinuz-2.6.10-grsec-eth00

label=2.6.10-eth00

append="root=/dev/sda3 elevator=deadline"

read-only

Note where it says sda3 you need to replace with your / partition. If you look at df -h you will see something like this:

Filesystem Size Used Avail Use% Mounted on

/dev/hda3 72G 15G 54G 22% /

That shows that /dev/hda3 is the / and in this instance we would put root=/dev/hda3

Make sure when you run this lilo command that you can see no errors. If there are, something is configured wrong and the server is not going to boot.

-----command-----

lilo -v -v

-----command-----

If you do not see "Writing boot sector." after this command something is wrong!

Now we are going to set the server to reboot into the kernel. By using -R the server will only try to boot once into the new kernel. If any problems are encountered the server will boot to your old kernel the next time it is rebooted.

-----command-----

lilo -R 2.6.10-eth00

-----command-----

Ok, you are ready to reboot and test it out. Go ahead and shutdown via "shutdown -r now". If it does not come up after 10 minutes you are going to have to get the server rebooted. Since we used -R it will boot back to the old kernel. If it fails you can check the logs to see if anything is shown, but many times nothing does and the only way to do it is have a tech look at the screen or use a kvm/drac. If it does work for you, change the default= in the lilo.conf to your new kernel.

Save and you are all done.

One *VERY IMPORTANT* thing to know is that if you are using APF firewall it will not function correctly unless you reconfigure it. This kernel does not support loadable modules which is a good thing for security. However, by default APF does not know how to work with a kernel that does not support loadable modules. Edit the /etc/apf/conf.apf file and change

MONOKERN="0"

to

MONOKERN="1"

Save and then APF will start correctly.

Hopefully it will come up fine for you, I have used it many times and it always works :)

Feel free to link to this guide but please do not copy it as your own!

The original version of this guide walked through how to compile a 2.6.9 monolithic kernel with grsecurity.

This guide was copied from eth0.us! Make sure your server is secure!

This is an update of the HOWTO Compile 2.6.9

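An added pre-flight script (not from the original post or eth0.us) that codifies the checks the guide has you do by eye: the built-in NIC driver list against /etc/modules.conf, the root device from df for the lilo append line, and the "Writing boot sector." confirmation from lilo. The sample modules.conf and df text are constructed; on a real server feed it the output of the commands instead.

```shell
#!/bin/sh
# Added example, not part of the original guide. Pre-flight checks for the
# monolithic 2.6.10 procedure above, written as functions over text input so
# they can be run against constructed samples here or real files on a server.

# NIC drivers the guide says are compiled statically into its .config.
BUILTIN_NICS="8139too e1000 e100 tg3 eth100 natsemi"

# nic_supported MODULES_CONF_TEXT: succeed (0) if some "alias ethN driver"
# line names a driver in BUILTIN_NICS; fail (1) otherwise, because a
# kernel without modules cannot load any other NIC driver after boot.
nic_supported() {
    printf '%s\n' "$1" | awk -v list="$BUILTIN_NICS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "alias" && $2 ~ /^eth[0-9]+$/ && ($3 in ok) { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# root_device DF_TEXT: print the device mounted on / from "df -h" output,
# which is what the root= parameter of the lilo append line must name.
root_device() {
    printf '%s\n' "$1" | awk '$NF == "/" { print $1; exit }'
}

# lilo_stanza ROOT_DEVICE: the lilo.conf stanza from the guide, filled in.
lilo_stanza() {
    printf 'image=/boot/vmlinuz-2.6.10-grsec-eth00\n'
    printf 'label=2.6.10-eth00\n'
    printf 'append="root=%s elevator=deadline"\n' "$1"
    printf 'read-only\n'
}

# lilo_wrote_boot_sector LILO_OUTPUT: succeed only if "lilo -v -v" reported
# the line the guide says must appear before you reboot.
lilo_wrote_boot_sector() {
    printf '%s\n' "$1" | grep -q 'Writing boot sector\.'
}
# Constructed sample inputs (not captured from a real server).
SAMPLE_MODULES_CONF='alias eth0 e1000
alias eth1 8139too'
SAMPLE_DF='Filesystem Size Used Avail Use% Mounted on
/dev/hda3 72G 15G 54G 22% /'

if nic_supported "$SAMPLE_MODULES_CONF"; then
    echo "NIC driver is built into the monolithic kernel: ok"
else
    echo "WARNING: no built-in NIC driver found; server would not come up" >&2
fi
lilo_stanza "$(root_device "$SAMPLE_DF")"
```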
markjensen

Offtopic hosting discussion moved here:

<<removed>>

I changed my mind and killed the off-topic. Feel free to discuss this in PM, instead of the [HOWTO].

Edited by markjensen