I have been wanted to do linux kernel hardening a long time ago. I first heard about grsecurity from my friend William who is a security enthusiast. I have read several guides on how to patch the kernel source code but by far this article is the best.
I am using CentOS 6.4 for the kernel hardening, before compiling and install the patched kernel the kernel version is 2.6.32-358.el6.i686.
Download the development tools and ncurses from yum repos.
yum groupinstall "Development Tools" -y yum install ncurses-devel -y
ncurses is for the menu for configuring the kernel source code to be compiled after the source code was patched by grsecurity.
Steps to patch the kernel source code
grsecurity does not keep old patches, you can only find latest updated patch from grsecurity download page.
Step 1: Go to the directory /usr/src/kernels
Step 2: Grab the patch file using wget.
Take note on the grsecurity patch version, it says 220.127.116.11 which means this patch is for kernel 18.104.22.168. Go to kernel.org and download linux-22.214.171.124.
Step 3: Use wget to download the kernel from kernel.org.
Step 4: Use tar to decompress the kernel which I downloaded from kernel.org.
tar -Jxvf linux-126.96.36.199.tar.xz
Step 5: Go to the directory of the decompressed kernel.
Step 6: Patch the kernel source code with grsecurity patch.
patch -p1 < ../grsecurity-2.9.1-188.8.131.52-201303252031.patch
Compile the patched source code
Step 1: Make clean.
make clean && make mrproper
If you interrupt the compiling it will start all over again because of
Step 2: Copy the boot config to the source code directory.
cp /boot/config-`uname -r` .config
The menu uses the .config.
Step 3: Make the menu, this is why you need ncurses.
For more information on the customizable options read this.
Exit until you see a prompt to prompt you to save the configuration to .config.
Install the new grsec patched kernel
The following will compile and make the kernel.
make -j4 bzImage modules
make -j4 will use 4 threads to compile the kernel source, previously I was using these commands
make bzImage && make modules but my friend William told me not necessary and single threading was too slow, indeed it was sooo slow that it took a 2 hours to finish compiling…
The modules must be made first before you can use
make modules_install command.
The next is to install the grsec patched kernel.
make -j4 modules_install install
The installation will also update the kernel to the grub menu.lst file, just make sure you reboot and choose the grsec patched kernel.
grsec will deny sysroot from loading any policy, in centos selinux is enforced by default, you have to disable it because if policy failed to load your kernel will not be initialized and will be in kernel panic state.
I do not need SElinux when using a grsec patched kernel. To disable SElinux permanently change the selinux config in this path
/etc/selinux/config with your favourite text editor.