Kernel hardening is one of the most important parts of security in Linux server management. In this article, I show how to install a grsec kernel on CentOS.
Grsec is a powerful Linux kernel with security enhancements. The following are the features of the grsec kernel:
- An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
- Change root (chroot) hardening
- Extensive auditing
- /tmp race prevention
- Protection against exploitable null-pointer dereference bugs in the kernel
- Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
- A restriction that allows a user to only view his/her processes
- Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc)
- Prevention of arbitrary code execution in the kernel
- Randomization of the stack, library, and heap bases
- Kernel stack base randomization
- Security alerts and audits that contain the IP address of the person causing the alert
First you need to download the Linux kernel that you would like to patch with grsec. You can download the Linux kernel from www.kernel.org. You can download the grsec kernel patch from their website at grsecurity.net.
Prerequisite packages:
# yum groupinstall "Development Tools" -y
# yum install ncurses-devel -y
Download latest kernel, grsec patch and apply the patch
# wget https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.2.52.tar.xz
# wget http://grsecurity.net/stable/grsecurity-2.9.1-3.2.52-201311071633.patch
# tar -xvf linux-3.2.52.tar.xz
# cd linux-3.2.52
# patch -p1 < ../grsecurity-2.9.1-3.2.52-201311071633.patch
Compile the patched code and install it. Before compiling, you need to copy the boot config to the source code directory.
Now you can reboot your server into the new grsec kernel.
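A config copied from the stock boot config only gains the grsecurity features that are actually switched on before compiling, so it is worth checking the `.config` before the build and the release string after the reboot. The script below is an added example, not part of the original article: the function names are hypothetical, the list of required options is this example's own selection of grsecurity/PaX Kconfig symbols matching features listed above, and it assumes the patch's default `-grsec` version suffix.

```shell
#!/bin/sh
# Added example: verify that grsecurity/PaX options are enabled in a kernel
# .config, and that a kernel release string is a grsec build.

# Required options (this example's selection; adjust to your own policy).
GRSEC_REQUIRED="CONFIG_GRKERNSEC CONFIG_PAX CONFIG_PAX_NOEXEC CONFIG_PAX_ASLR \
CONFIG_PAX_RANDKSTACK CONFIG_GRKERNSEC_CHROOT CONFIG_GRKERNSEC_PROC"

# Print every required option that is not set to "y" in the config file $1.
# Returns 0 if nothing is missing, 1 if options are missing, 2 if unreadable.
grsec_missing_options() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    missing=""
    for opt in $GRSEC_REQUIRED; do
        # Anchored match: "# CONFIG_PAX is not set" or CONFIG_PAX_ASLR=y
        # must not count as CONFIG_PAX=y.
        grep -q "^${opt}=y\$" "$cfg" || missing="$missing $opt"
    done
    [ -z "$missing" ] && return 0
    echo $missing    # unquoted on purpose: trims the leading space
    return 1
}

# Succeeds when the release string $1 carries the -grsec suffix
# (assumption: the suffix from the patch's localversion-grsec was kept).
is_grsec_release() {
    case "$1" in
        *-grsec*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed sample: a config where only part of grsecurity was enabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_GRKERNSEC=y
CONFIG_PAX=y
# CONFIG_PAX_NOEXEC is not set
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_GRKERNSEC_CHROOT=y
EOF
echo "missing from sample config: $(grsec_missing_options "$sample")"
rm -f "$sample"

# After the reboot: confirm the server really booted the patched kernel.
if is_grsec_release "$(uname -r)"; then echo "running a grsec kernel"
else echo "running kernel $(uname -r) is not a grsec build"; fi
```

Run `grsec_missing_options .config` inside the patched source tree before compiling; any option it prints was left disabled and will not be built into the kernel.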