OS: Patching the linux kernel with grsecurity patch

I have been wanted to do linux kernel hardening a long time ago. I first heard about grsecurity from my friend William who is a security enthusiast. I have read several guides on how to patch the kernel source code but by far this article is the best.

I am using CentOS 6.4 for the kernel hardening, before compiling and install the patched kernel the kernel version is 2.6.32-358.el6.i686.

Pre-requisite packages
Download the development tools and ncurses from yum repos.

yum groupinstall "Development Tools" -y
yum install ncurses-devel -y

ncurses is for the menu for configuring the kernel source code to be compiled after the source code was patched by grsecurity.

Steps to patch the kernel source code
grsecurity does not keep old patches, you can only find latest updated patch from grsecurity download page.

Step 1: Go to the directory /usr/src/kernels
cd /usr/src/kernels

Step 2: Grab the patch file using wget.
wget http://grsecurity.net/stable/grsecurity-2.9.1-2.6.32.60-201303252031.patch

Take note on the grsecurity patch version, it says 2.6.32.60 which means this patch is for kernel 2.6.32.60. Go to kernel.org and download linux-2.6.32.60.

Step 3: Use wget to download the kernel from kernel.org.
wget https://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/linux-2.6.32.60.tar.xz

Step 4: Use tar to decompress the kernel which I downloaded from kernel.org.
tar -Jxvf linux-2.6.32.60.tar.xz

Step 5: Go to the directory of the decompressed kernel.
cd linux-2.6.32.60

Step 6: Patch the kernel source code with grsecurity patch.
patch -p1 < ../grsecurity-2.9.1-2.6.32.60-201303252031.patch

Compile the patched source code

Step 1: Make clean.
make clean && make mrproper
If you interrupt the compiling it will start all over again because of make clean

Step 2: Copy the boot config to the source code directory.
cp /boot/config-`uname -r` .config
The menu uses the .config.

Step 3: Make the menu, this is why you need ncurses.
make menuconfig

The menu

The menu of the configuration before compiling.

The menu of the configuration before compiling.

scroll down until you see security options then press space bar to access.

scroll down until you see security options then press space bar to access.

Select grsecurity and either press space bar or press Y.

Select grsecurity and press space bar.

Either press space bar or press Y to access the options.

Either press space bar or press Y to access the options.

These are the available options. You can either use automatic or custom config.

These are the available options. You can either use automatic or custom config.

Default uses custom configuration, but if you want to select automatic select Configuration Method and press enter.

Default uses custom configuration, but if you want to select automatic select Configuration Method and press enter.

Choose automatic and press space bar you will see a lot of options.

Choose automatic and press space bar you will see a lot of options.

You can customize the options to suit you needs the current is fine with me for testing.

You can customize the options to suit you needs the current is fine with me for testing.

For more information on the customizable options read this.

Exit until you see a prompt to prompt you to save the configuration to .config.

Install the new grsec patched kernel
The following will compile and make the kernel.

make -j4 bzImage modules

This make -j4 will use 4 threads to compile the kernel source, previously I was using these commands make bzImage && make modules but my friend William told me not necessary and single threading was too slow, indeed it was sooo slow that it took a 2 hours to finish compiling…

The modules must be made first before you can use make modules_install command.

The next is to install the grsec patched kernel.

make -j4 modules_install install

The installation will also update the kernel to the grub menu.lst file, just make sure you reboot and choose the grsec patched kernel.

Disabling SElinux
grsec will deny sysroot from loading any policy, in centos selinux is enforced by default, you have to disable it because if policy failed to load your kernel will not be initialized and will be in kernel panic state.

kernel panic

I do not need SElinux when using a grsec patched kernel. To disable SElinux permanently change the selinux config in this path /etc/selinux/config with your favourite text editor.

selinux1

the patched kernel is named as grsec as its suffix.

the patched kernel is named as grsec as its suffix.

Source code configuration in automatic mode
grsec config

Advertisements
This entry was posted in Linux, Security and tagged , , , , . Bookmark the permalink.

2 Responses to OS: Patching the linux kernel with grsecurity patch

  1. Robert says:

    Would you advise the Grsecurity patch for home users who want to be safe against malware, or is SE-Linux already sufficient for that?

  2. Pingback: Security News #0x3B | CyberOperations

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s