Monday, 10 September 2012

Compile a stable 3.2.28 grsecurity kernel with AppArmor and TPE (Trusted Path Execution) enabled

I noticed I had a spare Pentium 4 with 384MB RAM left and decided to install a
grsecurity+AppArmor hardened kernel with Trusted Path Execution enabled.
As OS I will use a fresh install of the latest Xubuntu with the Xfce4 desktop and an ext2/ext3
filesystem. The purpose of configuring TPE later on is to prevent a non-root user from
executing executable files other than the ones installed by root himself. So
executables and scripts will not execute from /home/username.
You could also first add a least privilege user right after a fresh install of Xubuntu
and start from there.
 ubuntu-least-privilege-instead-of-power



For in-depth documentation regarding grsecurity I gladly refer to the excellent grsecurity website:

http://grsecurity.net

From there you will need to download the grsec patch for the vanilla 3.2.28 kernel.
From http://www.kernel.org/pub/linux/kernel/v3.x/ you will need to download
linux-3.2.28.tar.bz2 and copy the package as root to /usr/src,
e.g.:
#cp /home/username/Downloads/linux-3.2.28.tar.bz2 /usr/src

Now unpack the package in /usr/src:

#tar -xvjpf /usr/src/linux-3.2.28.tar.bz2 -C /usr/src

Copy the downloaded grsec patch to the /usr/src directory as well:

#cp /home/username/Downloads/grsecurity-2.9.1-3.2.28-201209062131.patch /usr/src

change directory to the just unpacked kernel:

#cd /usr/src/linux-3.2.28
 
Patch the 3.2.28 vanilla kernel with the grsecurity patch
while in the /usr/src/linux-3.2.28 dir:

# patch -p1 < ../grsecurity-2.9.1-3.2.28-201209062131.patch

Before we can actually configure and compile the hardened kernel we have to
install some needed packages. We also need to know the group ID of the sudo or
least privilege user in order to configure a grsec option later on.

# apt-get install git-core kernel-package fakeroot build-essential ncurses-dev gcc-4.6-plugin-dev
 
Open a second terminal and enter id:
 
$id 

remember the number after gid=

you can close the second terminal now
 
Now configure the kernel while in the linux-3.2.28 kernel source directory in the first
terminal. Make sure to compile the ext2 and/or ext3 filesystem into the kernel instead of as a module:
(*) instead of (M)
 


 
By pressing the space bar you can select the options, in case you didn't know.
Configure the options as in the pictures.
#make menuconfig 


 The RBAC system (grsec's equivalent of AppArmor) is disabled.
 AppArmor selected as default RBAC
 Notice the gid 1001
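
The choices made in menuconfig end up in the .config file in the kernel source directory, so they can be checked from the shell before compiling. The script below is an added example, not part of the original post; the CONFIG_ symbol names are assumed from the mainline and grsecurity 2.9.1 Kconfig files, and audit_config and sample_config are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the original post): audit a kernel .config against
# the choices described in the post. The CONFIG_ symbol names are an assumption
# taken from the mainline and grsecurity 2.9.1 Kconfig files.

# audit_config FILE GID ROOTFS   (hypothetical helper)
#   FILE   the .config written by "make menuconfig"
#   GID    the gid noted from "id" (1001 in the post)
#   ROOTFS filesystem of / (ext2 or ext3); must be built in, not a module
# Prints one FAIL line per mismatch; returns 0 only when every check passes.
audit_config() {
    cfg=$1 gid=$2 rc=0
    fs=$(printf '%s' "$3" | tr 'a-z' 'A-Z')
    for want in "${fs}_FS=y" GRKERNSEC=y GRKERNSEC_NO_RBAC=y GRKERNSEC_TPE=y \
                "GRKERNSEC_TPE_GID=$gid" SECURITY_APPARMOR=y \
                DEFAULT_SECURITY_APPARMOR=y; do
        sym="CONFIG_${want%%=*}"
        if ! grep -qx "CONFIG_$want" "$cfg"; then
            # Show what the file really says: "=m", "# ... is not set", or nothing.
            have=$(grep -E "^(# )?${sym}[= ]" "$cfg" || echo "$sym missing")
            echo "FAIL: want CONFIG_$want, have: $have"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample .config fragment: everything set as in the post, except
# that ext3 was left as a module, which the post says to avoid.
sample_config() {
    cat <<'EOF'
CONFIG_EXT2_FS=y
CONFIG_EXT3_FS=m
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_NO_RBAC=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_GID=1001
CONFIG_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY_APPARMOR=y
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_config "$tmp" 1001 ext3 || echo "fix the options above in make menuconfig"
rm -f "$tmp"
```

To check the real build, call audit_config with /usr/src/linux-3.2.28/.config, the gid you noted from id, and the filesystem type of your root partition.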


 Now let's compile the kernel:
 
#make && make modules_install && make install 
