Hardening The Linux Kernel With Grsecurity (Debian)
Security is based on three characteristics: prevention, protection and detection. Grsecurity is a patch for Linux kernel that allows you to increase each of these points.
This howto was performed on a Debian Lenny system. Thus some tools are Debian specific. However, tasks can be performed with other distro specific tools or even with universal tools (make).
Everything will done with root privileges. However, you can perform them with a limited account thanks to sudo and fake-kpkg tools.
1. Preliminary Note
To compile the kernel, you need to install some specific packages:
rom1:/root# aptitude install patch bin86 kernel-package build-essential
If you like to configure your kernel in graphical console mode (make menuconfig), you must install one more package:
rom1:/root# aptitude install libncurses5-dev
Check that iniramfs-tools (used to generated the init ramdisk) is installed (it should be):
rom1:/usr/src# dpkg -l initramfs*
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
ii initramfs-tool 0.85i tools for generating an initramfs
Go to the source folder:
rom1:/root# cd /usr/src
Download the grsecurity patch and the
Linux vanilla kernel:
rom1:/usr/src# wget grsecurity.net/grsecurity-2.1.11-22.214.171.124-200804211829.patch.gz
rom1:/usr/src# wget eu.kernel.org/pub/linux/kernel/v2.6/linux-126.96.36.199.tar.gz
NB: you may need to configure wget in case you are using an HTTP proxy (which may use authentication). You need to edit /root/.wgetrc so it looks like this:
http_proxy=192.168.0.1 proxy-user=foo # Put this line if you need to authenticate against your proxy proxy-passwd=bar # Put this line if you need to authenticate against your proxy
Decompress the archive of the kernel:
rom1:/usr/src# tar xzvf linux-188.8.131.52.tar.gz
Create a symbolic link on the new kernel folder to ease the following tasks:
rom1:/usr/src# ln -s linux-184.108.40.206 linux
Now, the environment is ready. Let's go hardening!
2. Patch the vanilla kernel
Move the grsecurity patch to the new directory:
rom1:/usr/src# mv grsecurity-2.1.11-220.127.116.11-200804211829.patch.gz linux/grsecurity-2.1.11-18.104.22.168-200804211829.patch.gz
Decompress and patch the source of the kernel:
rom1:/usr/src# cd linux
rom1:/usr/src/linux# gunzip < grsecurity-2.1.11-22.214.171.124-200804211829.patch.gz | patch -p1
Now the patch is applied and the source of the kernel was modified. Let's configure the kernel to enable Grsecurity.
3. Configure the hardened kernel
In this example, we will configure the kernel using a console menu (make menuconfig). This is why we installed the libncurses5-dev package. However, you can configure in pure console mode (make config), or in GUI mode (make xconfig).
Grsecurity has predefined levels: low, medium, high. It can also be configured in custom level where you choose to enable or not option by option. See http://www.grsecurity.net/confighelp.php/ for more info on each option. In this HowTo, we will configure Grsecurity in High level.
rom1:/usr/src/linux# make menuconfig
Now, we will enable Grsecurity in the menu.
Go to Security options > Grsecurity > tick Grsecurity. Then, you can go to Security Level and tick High.
You can profit from configuring Grsecurity to optimise your kernel. Eg: On your server you probably don't need support for infrared, blutooth, probably neither wifi, ipx, X25, token ring, ATM, firewire, PCcard, joystick, mouse, sound....
4. Compile the hardened kernel
It is now time to compile your hardened kernel. First, just in case, clean up:
rom1:/usr/src/linux# make-kpkg clean
Launch compilation itself (this may take a while depending on your CPU power and RAM availability!!!):
rom1:/usr/src/linux# make-kpkg --initrd --append-to-version "grsec1.0" kernel_image
In case you are not using a Debian distro, you can compile the classic way with:
5. Install the hardened kernel
Your new kernel is now compiled and a .deb package file has been generated in the /usr/src folder. You need to install your kernel as any .deb package:
rom1:/usr/src# dpkg -i linux-image-126.96.36.199-grsec_grsec1.0_i386.deb
During the installation, an initrd image will be generated. This may take a while depending on your CPU power and RAM availability! You may also check that the new kernel image is really a kernel !
rom1:/usr/src# file vmlinuz-188.8.131.52-grsec
vmlinuz-184.108.40.206-grsec: Linux kernel x86 boot executable RO-rootFS, root_dev 0x801, swap_dev 0x1, Normal VGA
It is now time to restart your system with your new hardened kernel:
rom1:/usr/src/linux# shutdown -r now
Now that your system has restarted, you can check that your new kernel is running:
rom1:~# uname -r
6. Testing the hardened kernel
Except the fact that uname -r is saying your kernel is a grsec one, how do you know you are running a hardened kernel ? This is where we will use paxtest which will simulate an attack on the kernel and show if you are vulnerable or not. Download paxtest:
rom1:/tmp# wget http://www.grsecurity.net/~paxguy1/paxtest-0.9.7-pre5.tar.gz
rom1:/tmp# tar xzvf paxtest-0.9.7-pre5.tar.gz
rom1:/tmp# cd paxtest-0.9.7-pre5
Compile it (type make to have the list of targets):
rom1:/tmp/paxtest-0.9.7-pre5# make generic
Run it (there are 2 differents modes: kiddie and blackhat):
rom1:/tmp/paxtest-0.9.7-pre5# ./paxtest kiddie
NB: unless you are using high grsecurity level or custom level, you will have a vulnerable kernel. Indeed, you are only getting userland ASLR protection in a medium mode.
- Grsecurity home site: http://www.grsecurity.net
- Linux kernel site: http://www.kernel.org
- Wikipedia article on ASLR: http://en.wikipedia.org/wiki/Address_space_layout_randomization