ABHIONLINUX
Site useful for linux administration and web hosting

2013/11/10

Hardening Centos with GrSec Kernel

Kernel hardening is one of the most important parts of security in Linux server management. In this article, I show how to install a grsec kernel on CentOS.

Grsec is a powerful Linux kernel with security enhancements. The following are the features of the grsec kernel.


  • An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
  • Change root (chroot) hardening
  • Extensive auditing
  • /tmp race prevention
  • Protection against exploitable null-pointer dereference bugs in the kernel
  • Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
  • A restriction that allows a user to only view his/her processes
  • Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc)
  • Prevention of arbitrary code execution in the kernel
  • Randomization of the stack, library, and heap bases
  • Kernel stack base randomization
  • Security alerts and audits that contain the IP address of the person causing the alert

First you need to download the Linux kernel that you would like to patch with grsec. You can download the Linux kernel from www.kernel.org. You can download the grsec kernel patch from their website at grsecurity.net.

Pre-requisite packages : 
       #  yum groupinstall "Development Tools" -y
       #  yum install ncurses-devel -y

Download the latest kernel and the grsec patch, then apply the patch:


 # wget https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.2.52.tar.xz
 # wget http://grsecurity.net/stable/grsecurity-2.9.1-3.2.52-201311071633.patch
 # tar -xvf linux-3.2.52.tar.xz
 # cd linux-3.2.52
 # patch -p1 < ../grsecurity-2.9.1-3.2.52-201311071633.patch

Compile the patched code and install it. Before compiling, you need to copy the boot config to the source code directory. Run make mrproper before the copy, because it deletes any existing .config.

 # cd linux-3.2.52
 # make clean && make mrproper
 # cp /boot/config-`uname -r` .config
 # make menuconfig
 # make bzImage
 # make modules
 # make modules_install
 # make install

Now you can reboot your server into the new grsec kernel.
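
The config copied from /boot comes from a stock kernel and carries no grsecurity options, so they have to be switched on in make menuconfig. The script below is an added example, not part of the original post: it audits .config before the build. The symbol names come from the grsecurity patch's Kconfig; which ones to require is this example's assumption, mapped from the feature list above.

```shell
#!/bin/sh
# Added example (not from the original post): audit a kernel .config for
# grsecurity/PaX options before running "make bzImage".
# Assumption: this required set is the example's own choice, mapped from the
# feature list in the article (chroot, /tmp races, no-exec, ASLR, kernel stack).
GRSEC_SYMBOLS="CONFIG_GRKERNSEC CONFIG_GRKERNSEC_CHROOT CONFIG_GRKERNSEC_LINK
CONFIG_PAX CONFIG_PAX_NOEXEC CONFIG_PAX_KERNEXEC CONFIG_PAX_ASLR
CONFIG_PAX_RANDMMAP CONFIG_PAX_RANDKSTACK"

# Print the required symbols that are not "=y" in config file $1, space-separated.
# Absent symbols and "# CONFIG_X is not set" lines both count as missing.
grsec_missing() {
    missing=""
    for sym in $GRSEC_SYMBOLS; do
        grep -q "^${sym}=y\$" "$1" || missing="${missing:+$missing }$sym"
    done
    printf '%s\n' "$missing"
}

# Return 0 only if the file is readable and nothing is missing (1 = missing, 2 = unreadable).
grsec_audit() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    m=$(grsec_missing "$1")
    if [ -n "$m" ]; then
        echo "not enabled in $1: $m" >&2
        return 1
    fi
    echo "all required grsecurity/PaX options enabled in $1"
}

# Constructed sample: a distro config with only part of grsecurity
# switched on in menuconfig.
sample_config() {
    cat <<'EOF'
CONFIG_X86_64=y
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CHROOT=y
# CONFIG_GRKERNSEC_LINK is not set
CONFIG_PAX=y
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDMMAP=y
EOF
}

# Usage: sh grsec_audit.sh .config
if [ $# -gt 0 ]; then grsec_audit "$1"; fi
```

Run it from the source directory after make menuconfig; a non-zero exit status means at least one of the listed options is still off.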