Wednesday, June 2, 2010

Installing a grsec-patched kernel on a CentOS 5 or RHEL 5 server

SkyHi @ Wednesday, June 02, 2010

How to configure grsec on a Cpanel box

First, let's start by moving into the correct directory

cd /usr/src

Now let's download the kernel from kernel.org

wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.27.10.tar.gz

Let's extract the tar file now

tar zxvf linux-2.6.27.10.tar.gz

We need to also create a symlink

ln -s linux-2.6.27.10 linux

Let's grab the grsec patch

wget http://grsecurity.net/grsecurity-2.1.12-2.6.27.10-200812271347.patch.gz

Let's decompress the grsec patch

gzip -d grsecurity-2.1.12-2.6.27.10-200812271347.patch.gz

Let's apply the patch now

patch -p0 < grsecurity-2.1.12-2.6.27.10-200812271347.patch

We will need to copy the current kernel config into the new kernel source directory

cd /boot

Let's look at the contents

ls

Now the current config should look something like this

config-2.6.18-x

Let's copy it to the new kernel location and rename it to .config (Don't forget to change the "x" to the correct name)

cp config-2.6.18-x /usr/src/linux/.config

Now we need to move back to our new kernel directory

cd /usr/src/linux

Let's go ahead and start configuring it

make menuconfig

Note: If you get an error saying "Please upgrade your binutils to 2.18 or newer" please go to this link

Now, for cPanel to continue working without errors, let's use these settings

Arrow down to "Security options" and press enter
Press enter on "Grsecurity"
Now in the new window press spacebar on "Grsecurity"
Arrow down to "Security Level (Custom)" and press enter
Then arrow to "Medium" and press the spacebar
Then use "Exit" until it asks whether you want to save, and select Yes

Once the kernel config is saved we need to start compiling it

make bzImage && make modules && make modules_install && make install

Note: If you get an error saying "Please upgrade your binutils to 2.18 or newer" please go to this link

Now the new kernel should be added to /boot/grub/menu.lst. You can check by doing the following

cat /boot/grub/menu.lst

It should look something like this

# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00
# initrd /initrd-version.img
#boot=/dev/sda
default=1
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.27.10-grsec)
root (hd0,0)
kernel /vmlinuz-2.6.27.10 ro root=/dev/VolGroup00/LogVol00
initrd /initrd-2.6.27.10.img
title CentOS (2.6.18-92.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-92.el5 ro root=/dev/VolGroup00/LogVol00
initrd /initrd-2.6.18-92.el5.img

Please note that the locations of the kernel and initrd might not be the same as ours. This is just giving you an idea of how the kernel will be added above the current one.

Now you will want to change it to look like this one. (We change the default=1 to default=0, which is the new kernel.)

# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00
# initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.27.10-grsec)
root (hd0,0)
kernel /vmlinuz-2.6.27.10 ro root=/dev/VolGroup00/LogVol00
initrd /initrd-2.6.27.10.img
title CentOS (2.6.18-92.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-92.el5 ro root=/dev/VolGroup00/LogVol00
initrd /initrd-2.6.18-92.el5.img
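
On a remote server it is worth confirming which entry default= actually selects before rebooting. The check below is an added example, not part of the original post; the function names default_entry, default_is and sample_menu are made up for illustration, and the sample data is the two entries from the listing above.

```shell
# Added example, not from the original post: resolve the GRUB legacy default entry.

# default_entry MENU_FILE
# Prints "<index>|<title>|<kernel path>" for the entry default=N selects.
# Fails (status 1) when N points past the last "title" entry. Numeric default assumed.
default_entry() {
    awk '
        BEGIN { def = 0; n = 0 }                  # GRUB boots entry 0 if unset
        /^[ \t]*#/ { next }                       # skip comment lines
        /^[ \t]*default[ \t=]/ {
            v = $0; sub(/^[ \t]*default[ \t=]+/, "", v); def = v + 0; next
        }
        /^[ \t]*title[ \t]/ {
            v = $0; sub(/^[ \t]*title[ \t]+/, "", v); title[n++] = v; next
        }
        /^[ \t]*kernel[ \t]/ && n > 0 { kernel[n - 1] = $2 }
        END {
            if (!(def in title)) exit 1
            printf "%d|%s|%s\n", def, title[def], kernel[def]
        }
    ' "$1"
}

# default_is MENU_FILE TEXT
# Succeeds only when the title of the default entry contains TEXT.
default_is() {
    entry=$(default_entry "$1") || return 1
    title=$(printf '%s\n' "$entry" | cut -d'|' -f2)
    case "$title" in
        *"$2"*) return 0 ;;
        *) return 1 ;;
    esac
}

# sample_menu N: the two entries from the listing above, with default=N.
sample_menu() {
    cat <<EOF
default=$1
title CentOS (2.6.27.10-grsec)
root (hd0,0)
kernel /vmlinuz-2.6.27.10 ro root=/dev/VolGroup00/LogVol00
initrd /initrd-2.6.27.10.img
title CentOS (2.6.18-92.el5)
root (hd0,0)
kernel /vmlinuz-2.6.18-92.el5 ro root=/dev/VolGroup00/LogVol00
initrd /initrd-2.6.18-92.el5.img
EOF
}
```

Run `default_is /boot/grub/menu.lst grsec` after editing the file and reboot only if it succeeds.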

Now reboot the machine and it should come up with the new kernel!


REFERENCES
http://www.dufault.info/blog/installing-a-grsec-patched-kernel-on-a-centos-5-or-rhel-5-server/