grsecurity+AppArmor hardened kernel with Trusted Path Execution enabled.
As OS i will use a fresh install of the latest xubuntu with xfce4 desktop and ext2/ext3
filesystem.The purpose of configuring TPE later on is to prevent a non root user from
executing executable files other than the ones installed by root himself.So any
executable and scripts will not execute from /home/username
You could also first add a least privilege user right after a fresh install of xubuntu
and start from there.
ubuntu-least-privilege-instead-of-power
For indepth documentation regarding grsecurity i gladly refer to the exellent Grsecurity website:
http://grsecurity.net
From there you will need to download the grsec patch for the vanilla 3.2.28 kernel
From http://www.kernel.org/pub/linux/kernel/v3.x/ you will to download
linux-3.2.28.tar.bz2 and copy the package as root to: /usr/src
eg:
#cp /home/username/Downloads/linux-3.2.28.tar.bz2 /usr/src
now unpack the package:
#tar -xvjpf linux-3.2.28.tar.bz2
copy the downloaded grsec patch as well to the /usr/src directory
#cp /home/username/Downloads/grsecurity-2.9.1-3.2.28-201209062131.patch /usr/src
change directory to the just unpacked kernel:
#cd /usr/src/linux-3.2.28
patch the 3.2.28 vanilla kernel with the grsecurity patch,
while in the /usr/src/linux-3.2.28 dir
# patch -p1 < ../grsecurity-2.9.1-3.2.28-201209062131.patch
Before we can actually configure and compile the hardened kernel we have to
install some needed packages.And we need to know the group ID of the sudo or
least privilege user in order to configure a grsec option later on.
# apt-get install git-core kernel-package fakeroot build-essential ncurses-dev gcc-4.6-plugin-dev
Open a second terminal and enter id:
$id
remember the number after gid=
you can close the second terminal now
Now configure the kernel while in de linux-3.2.28 kernel-source directory in first
terminal.Make sure to compile the ext2 and or ext3 filesystem within the kernel instead of as module
(*) instead of (M)
By pressing the space bar you can select the options in case you didn't know
Configure the options as in the pictures.
#make menuconfig
The RBAC system (grsec's equivalent of AppArmor) is disabled.
AppArmor selected as default RBAC
Notice the gid 1001
Now let's compile the kernel:
#make && make modules_install && make install