Dustin Larmeir's tech blog.
How to install grsec enabled kernel on Redhat 5.2 ES
Per http://en.wikipedia.org/wiki/Grsec – grsecurity is a set of patches for the Linux kernel with an emphasis on enhancing security. Its typical application is in web servers and systems that accept remote connections from untrusted locations, such as systems offering shell access to its users.
Notes from my GRSEC kernel installation.
cd into your /usr/src directory
cd /usr/src/
Download the kernel source from kernel.org
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.5.tar.bz2
Extract the kernel archive
tar jxvf linux-2.6.24.5.tar.bz2
Get the latest grsec security patch
wget http://www.grsecurity.net/grsecurity-2.1.11-2.6.24.5-200804211829.patch.gz
Extract the patch
gunzip grsecurity-2.1.11-2.6.24.5-200804211829.patch.gz
Apply the patch to the kernel
patch -p0 < grsecurity-2.1.11-2.6.24.5-200804211829.patch
cd into the kernel directory
cd /usr/src/linux-2.6.24.5
Get the kernel source prepared
make clean
make mrproper
Create the kernel .config with menuconfig
make menuconfig
note: if you are using an old .config file, copy it to /usr/src/linux-2.6.24.5 and do the following:
make oldconfig
Ensure all the proper kernel modules are selected.
People commonly forget iptables support; don't forget it! USB support is also important if you are hosted with a dedicated hosting provider. You can find the grsec options under Security options. iptables support can be found under Networking options -> Network packet filtering.
Compile the kernel
make
Install the kernel modules
make modules_install
Install the kernel
make install
Set up grub.conf
Your entry should look something like this:
title Red Hat Enterprise Linux Server (2.6.24.5-grsec)
root (hd0,0)
kernel /vmlinuz-2.6.24.5-grsec ro root=LABEL=/ console=tty0 console=ttyS1,19200n8
initrd /initrd-2.6.24.5-grsec.img
Reboot the server.
If you have a remote console or KVM service, like those provided at SoftLayer, this is the time to use it. If the kernel was compiled wrong or you have any other issue, the boot can end in a kernel panic that takes the server offline. If your provider does not offer these features, have a local tech reboot it and, if it fails, have them boot you back into your original kernel.
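Added here as an example, not part of the original post: a few shell checks that catch the two failure modes the post warns about before the reboot, a .config that is missing grsecurity, iptables or USB support, and a grub.conf entry that points at a kernel or initrd that was never installed. It assumes the file names and the 2.6.24.5-grsec version string from the post; the stanza it prints mirrors the grub.conf entry above.

```shell
#!/bin/sh
# Pre-reboot sanity checks for a hand-built grsec kernel (example code,
# not from the original post). Paths and version string are assumptions
# taken from the post: /usr/src tree, /boot files named vmlinuz-<ver>
# and initrd-<ver>.img.

# Dry-run the grsecurity patch from /usr/src with -p0, as the post does,
# so a rejected hunk is noticed before the tree is touched.
# Returns 0 when every hunk applies cleanly, non-zero otherwise.
check_patch_applies() {
    srcdir=$1; patchfile=$2
    ( cd "$srcdir" && patch -p0 --dry-run -s < "$patchfile" ) >/dev/null 2>&1
}

# The options the post says people forget: grsecurity itself, iptables
# and USB. Print each one that is not built in (=y) or modular (=m) in
# the given .config and return 1 if any is missing, before the long build.
missing_options() {
    cfg=$1; rc=0
    for opt in CONFIG_GRKERNSEC CONFIG_IP_NF_IPTABLES CONFIG_USB; do
        grep -q "^$opt=[ym]" "$cfg" || { echo "$opt not enabled"; rc=1; }
    done
    return $rc
}

# Print the grub.conf stanza for a kernel version, but only after
# verifying that `make install` actually produced the vmlinuz and initrd
# in $bootdir; rebooting into a missing file is how servers go offline.
grub_entry() {
    bootdir=$1; ver=$2
    for f in "vmlinuz-$ver" "initrd-$ver.img"; do
        [ -f "$bootdir/$f" ] || { echo "missing $bootdir/$f" >&2; return 1; }
    done
    printf 'title Red Hat Enterprise Linux Server (%s)\n' "$ver"
    printf 'root (hd0,0)\n'
    printf 'kernel /vmlinuz-%s ro root=LABEL=/ console=tty0 console=ttyS1,19200n8\n' "$ver"
    printf 'initrd /initrd-%s.img\n' "$ver"
}

# Typical use on the real box (commented out so the file is safe to source):
# missing_options /usr/src/linux-2.6.24.5/.config || exit 1
# grub_entry /boot 2.6.24.5-grsec >> /boot/grub/grub.conf
```

Keep the original kernel's stanza in grub.conf as a fallback; the new entry is appended, not substituted, so a failed boot can still be recovered from the console.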
This howto is 100% working, tested and accurate.
This entry was posted by dlarmeir on December 27, 2008 at 12:44 pm, and is filed under Past Blogs.