Install GRSECURITY on CentOS 5
Written by sdx Thursday, 04 April 2013 09:31
What is Grsecurity?
Grsecurity is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. It is licensed under the GPL.
It offers among many other features:
* An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
* Change root (chroot) hardening
* /tmp race prevention
* Extensive auditing
* Prevention of entire classes of exploits related to address space bugs (from the PaX project)
* Additional randomness in the TCP/IP stack
* A restriction that allows a user to only view his/her processes
* Every security alert or audit contains the IP address of the person that caused the event
Here we go
1. Log in to your server via ssh and run yum update
2. Let's move to this directory:
cd /usr/src
3. Now we are going to download and install gcc:
yum install gcc
This should install kernel-headers, gcc++ etc.
4. Download the kernel:
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.27.10.tar.gz
5. Let's open this bad boy up:
tar zxvf linux-2.6.27.10.tar.gz
6. Also we need to create a symlink :
ln -s linux-2.6.27.10 linux
7. Now grab the patch :
wget http://grsecurity.net/grsecurity-2.1.12-2.6.27.10-200812271347.patch.gz
Also install the patch utility:
yum install patch
8. Decompress the patch:
gzip -d grsecurity-2.1.12-2.6.27.10-200812271347.patch.gz
9. Now the good bit, let's patch the kernel:
patch -p0 < grsecurity-2.1.12-2.6.27.10-200812271347.patch
10. Move to the /boot directory:
cd /boot
11. Look at the directory contents by entering this:
ls
You should see config-xxxx
12. Copy the config like this:
cp config-xxx.xxx-x /usr/src/linux/.config
13. Move back to linux folder :
cd /usr/src/linux
and configure the kernel:
make menuconfig
Choose the security level to your liking.
After you have configured the kernel, build and install it:
make bzImage && make modules && make modules_install && make install
Now open the GRUB menu file:
nano /boot/grub/menu.lst
It should look like this:
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
#         all kernel and initrd paths are relative to /boot/, eg.
#         root (hd0,0)
#         kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00
#         initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.27.10-grsec)
        root (hd0,0)
        kernel /vmlinuz-2.6.27.10 ro root=/dev/VolGroup00/LogVol00
        initrd /initrd-2.6.27.10.img
title CentOS (2.6.18-92.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-92.el5 ro root=/dev/VolGroup00/LogVol00
        initrd /initrd-2.6.18-92.el5.img
You are going to have default=1; you need to change it to default=0. Then reboot, and you now have a hardened kernel.
You can check with this command:
uname -r
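
Before rebooting, it helps to confirm which menu entry the default= line actually selects, because a wrong index boots the stock kernel without grsecurity. The script below is an added example, not part of the original article; the function names are hypothetical and the sample menu is constructed from the two entries shown above.

```shell
#!/bin/sh
# Added example (not from the original article): show which stanza GRUB legacy
# boots by default. Stanzas are numbered from 0 in file order; default=N picks one.

# Print the numeric default value; GRUB legacy uses 0 when the line is absent.
grub_default_index() {
    awk '/^[ \t]*default[ \t=]/ { sub(/^[ \t]*default[ \t=]+/, ""); gsub(/[ \t]/, ""); n = $0 }
         END { print (n == "" ? 0 : n) }' "$1"
}

# Print one field of the default stanza: "title" (rest of the line) or
# "kernel" (image path only). Exit status is 1 if that stanza does not exist.
grub_default_field() {
    awk -v want="$(grub_default_index "$1")" -v key="$2" '
        BEGIN { idx = -1 }
        $1 == "title" { idx++ }
        idx == want + 0 && $1 == key {
            if (key == "kernel") print $2
            else { sub(/^[ \t]*title[ \t]+/, ""); print }
            found = 1; exit
        }
        END { exit !found }' "$1"
}

# Constructed sample: the article's two entries with the pre-edit default=1.
sample=$(mktemp)
cat > "$sample" <<'EOF'
default=1
timeout=5
title CentOS (2.6.27.10-grsec)
        root (hd0,0)
        kernel /vmlinuz-2.6.27.10 ro root=/dev/VolGroup00/LogVol00
        initrd /initrd-2.6.27.10.img
title CentOS (2.6.18-92.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-92.el5 ro root=/dev/VolGroup00/LogVol00
        initrd /initrd-2.6.18-92.el5.img
EOF
echo "default=$(grub_default_index "$sample") boots: $(grub_default_field "$sample" title)"
echo "kernel image: $(grub_default_field "$sample" kernel)"
rm -f "$sample"
```

On the server, call the functions with /boot/grub/menu.lst as the first argument and compare the reported kernel image with the one installed by make install.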