Hardening CentOS kernel with grsecurity

2010-10-14T03:29:00.000+01:00

Hardening the server's kernel is one of the most important things we need to consider when speaking about OS hardening. This is mini-howto install and configure grsecurity on CentOS server.

grsecurity is powerful and easy to use Linux kernel security enhancement. It gives you a lot of security features:

An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
Change root (chroot) hardening
/tmp race prevention
Extensive auditing
Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc)
Prevention of arbitrary code execution in the kernel
Randomization of the stack, library, and heap bases
Kernel stack base randomization
Protection against exploitable null-pointer dereference bugs in the kernel
Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
A restriction that allows a user to only view his/her processes
Security alerts and audits that contain the IP address of the person causing the alert

Take a look at grsecurity features for more details.

Downloading linux kernel and grsecurity patch

At the first we need to download grsecurity patch and the right version of Linux kernel source code. In this page you can find the latest stable version of grsecurity patch (At the time of writing this post, it's for linux 2.6.32 stable tree).

Before we start make sure to install all the necessary packages that you'll need to build the kernel:

# yum groupinstall "Development Tools"
# yum install ncurses-devel

# cd /usr/src/kernels
# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.32.23.tar.bz2
# wget http://grsecurity.net/stable/grsecurity-2.2.0-2.6.32.23-201009271837.patch

Patching the kernel

After downloading linux kernel source code and grsecurity patch we are going to unpack and patch the kernel.

# tar xjf linux-2.6.32.23.tar.bz2
# patch -p0 < grsecurity-2.2.0-2.6.32.23-201009271837.patch
# mv linux-2.6.32.23 linux-2.6.32.23-grsec

grsecurity configuration

Now we need to configure the new kernel. The easiest way is to use your current kernel configuration file and then modify it.

# cd linux-2.6.32.23-grsec
# cp /boot/config-`uname -r` .config
# make menuconfig

You can find grsecurity options under Security options » Grsecurity menu. Select the security level and any other options you want. I suggest you checkout this page to find more details about grsecurity options.

Building and installing grsecurity kernel

All you need to do now is compiling the kernel and install it on your system.

# make bzImage && make modules
# make modules_install && make install

Note: If you get message like this "2.6 PaX kernels no longer build correctly with old versions of binutils. Please upgrade your binutils to 2.18 or newer." then you have to upgrade binutils by installing it manually from the source.

# cd /usr/src
# wget http://ftp.gnu.org/gnu/binutils/binutils-2.20.1.tar.bz2
# tar xjf binutils-2.20.1.tar.bz2
# cd binutils-2.20.1
# ./configure && make && make install

After that go back to the kernel directory and compile it. When it finish reboot your server into linux-2.6.32.23-grsec.

Cheers!

Here we go!

2010-09-15T03:23:00.001+01:00