How-To: Compile a monolithic 2.6.10 kernel with grsecurity and secfix patch
Note: 2.6.10 is an old version of the kernel; however, this guide will also work with the latest 2.6.11.7 and the matching grsecurity patch if you get those instead of the files described. If you go that route the secfix patch described below for a specific vulnerability is not required.
This guide was designed for the ev1-configured PowerEdge servers. I have
tested it on the 2.0 and 2.4 GHz Xeons and the 2.0 and 3.0 GHz Celerons. It
should also work fine with the P4 2.0 GHz and up, but I have personally not
tested one yet.
I do not have any plans to test this kernel on any older systems, though as
long as the network card support is built in it will probably work. If you post
here with specific problems on boot I can try to add the needed drivers to
my config. I started this as a project to increase the performance and security
of my servers.
The 2.6.x kernel has many improvements that have dramatically dropped the load
on the servers I have tested this on so far. In addition, the kernel does not
support loadable modules (the definition of monolithic), which removes one
avenue for possible vulnerabilities and is also more efficient. Though there
are no studies directly linking grsecurity to increased security, it only adds
additional security to your system with very few drawbacks. I think that is
worth the extra time to configure grsecurity on the chance that it may block
a cracker.
This kernel is patched against the following vulnerability: http://www.isec.pl/vulnerabilities/isec-0021-uselib.txt.
This is the root-level exploit that was released January 7th. It is *HIGHLY*
suggested that you upgrade ASAP. This particular exploit, combined with a worm
much like the phpBB worm, could be disastrous, yielding full root access.
Updated Feb 6th for instructions on updating grub
Updated Feb 2nd for rpm problems with RH9
***This guide is to be used completely at your own risk! ***
I have tested it on three different systems and all came up without any problems. If the server does not come up you can simply reboot it and it will come back online with an older version that works. If you have any comments about the .config posted, please post them; I am always interested in making improvements!
Now that that is done, the guide is below. Good luck!
Unlike the other kernel, the module-init-tools package is not needed because
there are no modules to be loaded.
First we will check that the server has the correct drivers. Chances are very
good that if it has the correct ethernet driver your system will be able to
boot up even if it is not a system listed above. Please post if you try it and
it works on other configurations.
Look at the loaded modules for your current kernel
-----command-----
cat /etc/modules.conf |grep eth
-----command-----
If you have any one of the lines below you should be fine. The eth* does
not matter as long as the driver name matches. A label of eth0 means it is the
main NIC while eth1 refers to the pnet NIC. *WARNING* If you do not have one of
the modules listed below for your network card your server is not going to boot!
Please post what you have below and I can try to help you out, or you can look
on Google for the correct module.
alias eth0 8139too
alias eth0 e1000
alias eth0 e100
alias eth0 tg3
alias eth0 eth100
alias eth0 natsemi
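As an added example (not part of the original guide), here is the same check scripted so it can be run before rebooting: it pulls the driver name out of every `alias ethN` line and compares it against the list above. The file path is a parameter so the function can be exercised on a constructed modules.conf; on a real server pass /etc/modules.conf. The sample below is constructed and includes the `alias char-major-10-224 off` line one reader reported, to show it is ignored.

```shell
#!/bin/sh
# Added example, not from the original guide: check modules.conf for an
# ethernet alias whose driver is built into the monolithic .config.
# The driver list is the one the guide gives; the file path is a parameter.

SUPPORTED_NICS="8139too e1000 e100 tg3 eth100 natsemi"

# nic_drivers FILE: print the driver name of every "alias ethN <driver>" line.
nic_drivers() {
    grep '^alias eth[0-9]' "$1" | awk '{ print $3 }'
}

# nic_supported FILE: return 0 if at least one ethernet alias uses a supported
# driver, 1 otherwise. Unsupported drivers are reported on stderr so you know
# which driver to add to the config (or to post about) before rebooting.
nic_supported() {
    found=1
    for drv in $(nic_drivers "$1"); do
        case " $SUPPORTED_NICS " in
            *" $drv "*) found=0 ;;
            *) echo "warning: driver '$drv' is not in the supported list" >&2 ;;
        esac
    done
    return $found
}

# Constructed sample modules.conf: a supported main NIC plus an unsupported
# second NIC and a non-ethernet alias line.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
alias eth0 e1000
alias eth1 sk98lin
alias char-major-10-224 off
EOF

if nic_supported "$SAMPLE"; then
    echo "a supported NIC driver is built in; networking should come up"
else
    echo "no supported NIC driver found; do NOT reboot into the monolithic kernel"
fi
rm -f "$SAMPLE"
```

If the function reports nothing at all (an empty modules.conf, as in the last comment on this page), that is the case where you need another way to identify the card before trusting the config.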
Now we will download the 2.6.10 kernel along with the grsecurity patch and
apply the patch.
-----command-----
cd /usr/local/src/
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.10.tar.gz
tar -zxf linux-2.6.10.tar.gz
wget http://grsecurity.net/grsecurity-2.1.0-2.6.10-200501071049.patch
patch -p0 < grsecurity-2.1.0-2.6.10-200501071049.patch
wget http://grsecurity.net/linux-2.6.10-secfix-200501071130.patch
patch -p0 < linux-2.6.10-secfix-200501071130.patch
-----command-----
If you are already running one of my 2.6.9 kernels, run the following commands
to copy the old config to your new kernel so you keep the same configuration:
-----command-----
cp linux-2.6.9/.config linux-2.6.10/
cd linux-2.6.10
-----command-----
When you run make it will ask some questions about new options; just press and
hold Enter for them, as you do not need any of the modules it asks about.
If you do not have one of my kernels running, run these commands instead.
-----command-----
cd linux-2.6.10
wget http://eth0.us/2.6.10/.config
-----command-----
At this stage you can configure the kernel how you like it. By running "make
menuconfig" you will be presented with a huge menu of options that you can
try to compile into your kernel. After you make your changes, select Exit and continue.
I have already removed just about everything extra, and no changes are necessary.
Please note that if you do add features you need to add them statically into
the kernel, as this kernel does not support loadable modules. If you do add
module support and modules, your server will not boot using the directions
below. If you add anything but module support it will automatically be added
statically in menuconfig.
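The two things the paragraph above says must hold (no loadable-module support, and every needed driver built in rather than `=m`) can be checked against the .config before you spend time on `make`. The script below is an added example, not part of the guide or my config. It assumes the upstream 2.6 CONFIG_* symbol names for the NIC drivers (CONFIG_E1000, CONFIG_TG3, CONFIG_E100); confirm the symbol for your card in menuconfig's help. The sample .config fragment is constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: sanity-check a .config before
# running "make" for a monolithic kernel. Two things the guide requires:
#   1. loadable-module support is off  ("# CONFIG_MODULES is not set")
#   2. every driver you need is built in (=y), never a module (=m)
# CONFIG_* names for the NIC drivers are assumed upstream 2.6 names.

# config_value FILE SYMBOL: print y, m, n (explicitly "not set") or nothing
# (symbol absent from the file).
config_value() {
    awk -v sym="$2" '
        $0 == ("# " sym " is not set") { print "n"; exit }
        index($0, (sym "=")) == 1     { print substr($0, length(sym) + 2); exit }
    ' "$1"
}

# monolithic_config_ok FILE SYMBOL...: return 0 only if modules are off and
# every listed driver symbol is built in; each problem is reported on stderr.
monolithic_config_ok() {
    cfg="$1"; shift
    ok=0
    if [ "$(config_value "$cfg" CONFIG_MODULES)" != "n" ]; then
        echo "error: CONFIG_MODULES is enabled or missing; this kernel must not support modules" >&2
        ok=1
    fi
    for sym in "$@"; do
        case "$(config_value "$cfg" "$sym")" in
            y) ;;
            m) echo "error: $sym=m would be a module; build it in (=y)" >&2; ok=1 ;;
            *) echo "error: $sym is not enabled; that driver will be missing" >&2; ok=1 ;;
        esac
    done
    return $ok
}

# Constructed sample .config fragment: modules off, e1000 built in, tg3 as a module.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# CONFIG_MODULES is not set
CONFIG_E1000=y
CONFIG_TG3=m
EOF
if monolithic_config_ok "$SAMPLE" CONFIG_E1000; then
    echo "e1000 box: config is safe to build"
fi
if ! monolithic_config_ok "$SAMPLE" CONFIG_TG3; then
    echo "tg3 box: fix the config before running make"
fi
rm -f "$SAMPLE"
```

Run it as `monolithic_config_ok linux-2.6.10/.config CONFIG_E1000` (or whichever symbol your NIC uses) from /usr/local/src before `make`; a non-zero exit means the resulting kernel would come up without the driver or with module support you did not want.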
Now to actually compile the kernel.
-----command-----
make
-----command-----
Make sure there are *NO* errors after this! If you do get errors the steps below
are not going to work.
If you go back and recompile your kernel after you have already copied the
files to /boot, you will first need to delete or overwrite those files.
Go ahead and delete them:
-----command-----
rm -rf /boot/config-2.6.10-grsec-eth00
rm -rf /boot/vmlinuz-2.6.10-grsec-eth00
rm -rf /boot/System.map-2.6.10-grsec-eth00
-----command-----
Copy the new files into your /boot directory.
-----command-----
cp .config /boot/config-2.6.10-grsec-eth00
cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.10-grsec-eth00
cp System.map /boot/System.map-2.6.10-grsec-eth00
-----command-----
To boot the server a bootloader must be used. The two major bootloaders are
grub and lilo. If you do not appear to have either, you may not: some datacenters
do not install one, which makes it a pain to upgrade the kernel. For the most
part if you have an ev1 box you have lilo, but with other datacenters grub is
usually used. As of right now grub is the default bootloader for RHEL.
To check which you have, type:
-----command-----
dd if=/dev/hda bs=512 count=1 2>&1 | grep GRUB
dd if=/dev/hda bs=512 count=1 2>&1 | grep LILO
-----command-----
One of those should return something; that is your bootloader.
If you have lilo follow the section below; if not, skip down to the grub section.
All of the ev1 servers I have worked on have lilo installed, so below is what
you need to add to the file to allow you to boot. The elevator=deadline option
in the append line should help with the I/O of your server, which will in turn
lower your server loads. If after recompiling you have trouble with I/O, remove
that option and reboot to see if that is what is causing the trouble.
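The same boot-sector check, scripted as an added example (not part of the original guide): it reads the first 512 bytes exactly as the dd commands above do, but sends dd's own record-count output to /dev/null instead of piping it into grep, and returns a single word. The sample "boot sectors" it runs on are constructed files carrying only the GRUB or LILO signature string, so it runs without touching a real disk; on a server you would point it at /dev/hda (or /dev/sda on a SCSI box) as root.

```shell
#!/bin/sh
# Added example (not from the original guide): identify the bootloader from the
# boot sector. Same 512-byte read as the guide's dd command, but dd's chatter
# goes to /dev/null and the result is one word usable from a script.

# bootloader_of PATH: print grub, lilo or unknown for a device or image file.
# grep -a treats the binary sector as text; GRUB's stage1 and LILO's boot
# sector carry the strings the guide greps for.
bootloader_of() {
    if dd if="$1" bs=512 count=1 2>/dev/null | grep -aq GRUB; then
        echo grub
    elif dd if="$1" bs=512 count=1 2>/dev/null | grep -aq LILO; then
        echo lilo
    else
        echo unknown
    fi
}

# make_sector FILE SIGNATURE: write a constructed 512-byte "boot sector" that
# carries only the signature string, zero padded (test input, not a real
# bootloader image).
make_sector() {
    { printf '%s' "$2"; head -c 512 /dev/zero; } | head -c 512 > "$1"
}

TMP=$(mktemp -d)
make_sector "$TMP/grub.img" GRUB
make_sector "$TMP/lilo.img" LILO
make_sector "$TMP/none.img" ""
for img in grub lilo none; do
    echo "$img.img -> $(bootloader_of "$TMP/$img.img")"
done
rm -rf "$TMP"
# On a real server (as root): bootloader_of /dev/hda   # or /dev/sda on SCSI boxes
```

A result of `unknown` is the "some datacenters do not install any" case above: stop and find out how the box is booted before copying anything to /boot.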
-----command-----
pico -w /etc/lilo.conf
-----command-----
Now scroll to the bottom and add these lines:
image=/boot/vmlinuz-2.6.10-grsec-eth00
label=2.6.10-eth00
append="root=/dev/sda3 elevator=deadline"
read-only
Note: where it says sda3 you need to replace it with your / partition. If you
look at df -h you will see something like this:
Filesystem Size Used Avail Use% Mounted on
/dev/hda3 72G 15G 54G 22% /
That shows that /dev/hda3 is / and in this instance we would put root=/dev/hda3.
Make sure when you run this lilo command that you see no errors. If there are
any, something is configured wrong and the server is not going to boot.
-----command-----
lilo -v -v
-----command-----
If you do not see "Writing boot sector." after this command something
is wrong!
Now we are going to set the server to reboot into the kernel. By using -R the
server will only try to boot once into the new kernel. If any problems are encountered
the server will boot to your old kernel the next time it is rebooted.
-----command-----
lilo -R 2.6.10-eth00
-----command-----
If you have grub you are going to want to read this section.
-----command-----
pico -w /etc/grub.conf
-----command-----
If you look, there are a series of repeated blocks. Each one of these is a different
kernel that can be booted. Paste the lines below into the top section of the grub
config, above the existing entries. ***PLEASE NOTE*** You need to modify the
root (hdx,x) and root=/dev/sda1 to look like the previous entries. The drive will
be different depending on the individual server's drive and partition
configuration. Make sure to change the default= one number higher than before,
since you added one entry at the very top. If it is 0 and you leave it at 0 and
you have trouble with your server, you will not be able to boot it.
title Red Hat Linux (2.6.10)
root (hd0,0)
kernel /vmlinuz-2.6.10-grsec-eth00 ro root=/dev/sda1
After that, save and run grub:
-----command-----
grub
-----command-----
Once it is done probing the drives enter:
savedefault --default=0 --once
quit
That will make the new kernel boot once and fall back to the old kernel if you
have any issues on the reboot. Once the new kernel comes up fine you can edit
/etc/grub.conf again and change the default to 0 so you will keep booting 2.6.10.
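The grub edit has two parts that have to happen together: the new title goes in at the top, and default= goes up by one so it still points at the kernel that is known to boot. The script below is an added example (not part of the original guide) that does both against a grub.conf path you give it. The grub root `(hdX,Y)` and the `root=/dev/...` value are parameters because, as noted above, they differ per server; copy them from the existing entries. The sample grub.conf is constructed, modelled on the RHEL entry style shown in the comments on this page.

```shell
#!/bin/sh
# Added example, not part of the original guide: insert the guide's 2.6.10 entry
# at the top of a grub.conf and bump a numeric default= by one.

# grub_stanza GRUBROOT ROOTDEV: the three lines the guide adds for the new kernel.
grub_stanza() {
    printf 'title Red Hat Linux (2.6.10)\n'
    printf '\troot %s\n' "$1"
    printf '\tkernel /vmlinuz-2.6.10-grsec-eth00 ro root=%s\n' "$2"
}

# grub_default GRUB_CONF: print the current default= value.
grub_default() {
    awk -F= '/^default=/ { print $2; exit }' "$1"
}

# add_grub_entry GRUB_CONF GRUBROOT ROOTDEV: rewrite GRUB_CONF in place with the
# new stanza before the first existing title and a numeric default= raised by
# one. A non-numeric default (for example "saved") is left unchanged.
add_grub_entry() {
    conf="$1"
    stanza=$(grub_stanza "$2" "$3")
    tmp=$(mktemp)
    awk -v stanza="$stanza" '
        /^default=/ {
            n = substr($0, 9)
            if (n ~ /^[0-9]+$/) print "default=" n + 1; else print
            next
        }
        /^title/ && !done { print stanza; done = 1 }
        { print }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Constructed sample grub.conf with one existing RHEL entry.
TMP=$(mktemp -d)
cat > "$TMP/grub.conf" <<'EOF'
default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Enterprise Linux ES (2.4.21-32.0.1.ELsmp)
        root (hd0,0)
        kernel /vmlinuz-2.4.21-32.0.1.ELsmp ro root=LABEL=/
        initrd /initrd-2.4.21-32.0.1.ELsmp.img
EOF
add_grub_entry "$TMP/grub.conf" "(hd0,0)" "/dev/sda1"
cat "$TMP/grub.conf"   # default=1 now points at the RHEL entry that is known to boot
rm -rf "$TMP"
```

After the file is rewritten the remaining steps are unchanged: run `grub`, enter `savedefault --default=0 --once` and `quit`, then reboot; only once 2.6.10 has come up do you set default= back to 0 by hand.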
OK, you are ready to reboot and test it out. Go ahead and reboot via "shutdown
-r now". If it does not come up after 10 minutes you are going to have to
get the server rebooted. Since we used -R it will boot back to the old kernel
the next time. If it fails you can check the logs to see if anything is shown,
but many times nothing is, and the only way to find out is to have a tech look
at the screen or use a KVM/DRAC. If it does work for you, change the default=
in lilo.conf to your new kernel.
Save and you are all done.
One *VERY IMPORTANT* thing to know is that if you are using the APF firewall it
will not function correctly unless you reconfigure it. This kernel does not
support loadable modules, which is a good thing for security. However, by
default APF does not know how to work with a kernel that does not support
loadable modules. Edit the /etc/apf/conf.apf file and change
MONOKERN="0"
to
MONOKERN="1"
Save and then APF will start correctly.
If you are running Red Hat 9 (RH9) you are going to have to upgrade your version
of rpm. Simply run:
-----command-----
export LD_ASSUME_KERNEL=2.4.1; rpm -Uvh ftp://ftp.rpm.org/pub/rpm/dist/rpm-4.2.x/rpm-4.2-1.i386.rpm
-----command-----
The export command is a workaround so you can actually install the rpm. If you
still have trouble you can use the same export command before running rpm to
allow it to function.
Hopefully it will come up fine for you; I have used it many times and it
always works :)
Feel free to link to this guide but please do not copy it as your own!
The original version of this guide walked through how to compile a 2.6.9
monolithic kernel with grsecurity.
APF Restart
Hi, all OK, but when I restart apf, I receive this message:
root@matrix [/etc]# service apf restart
Stopping APF:[ OK ]
Starting APF:/etc/apf/firewall: line 1: /sbin/lsmod: No such file or directory
[ OK ]
Is it any problem?
Another question: I tried a newer kernel but I couldn't, so I compiled this 2.6.10. Do you think you will make a tutorial for a newer kernel?
Thank you.
kernel guide
Yeah, I am working on posting a new guide; I have just changed the way that I do kernels. I have a perfectly working 2.6.12.4 kernel I actually compiled earlier tonight.
The above information should work OK.
As far as APF goes, make sure to enable the monolithic option.
And this new guide for
And is this new guide for 2.6.12.4 with grsecurity?
When will you launch it?
Thank you!
2.6.12.4
grsec does not have a 2.6.12.4 patch yet. I will get to it when I have time. Right now my company, totalserversolutions.com, is consuming a lot of my free time. The basic idea with what I have above works OK if you are familiar with compiling kernels.
Trouble in 2.6.12
Hi, I tried to compile 2.6.12 using your .config. Well, after the reboot the server didn't come back, so I had to ask ThePlanet to reboot the server and go back to the 2.6.10 kernel. Look at the answer from support:
(wlovell-08/10/2005 23:38:19):
The server failed to boot on kernel 2.6.12. It failed on the following:
Kernel Panic - Not synching: VFS unable to mount root FS on unknown block (0,0)
I was able to get the server to boot in kernel 2.6.10.
Maybe the problem is in grub.conf? I did this grub.conf:
default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Linux (2.6.12)
root (hd0,0)
kernel /vmlinuz-2.6.12-eth00 ro root=/dev/sda6
title Red Hat Linux (2.6.10)
root (hd0,0)
kernel /vmlinuz-2.6.10-grsec-eth00 ro root=/dev/sda6
title Red Hat Enterprise Linux ES (2.4.21-32.0.1.ELsmp)
root (hd0,0)
kernel /vmlinuz-2.4.21-32.0.1.ELsmp ro root=LABEL=/
initrd /initrd-2.4.21-32.0.1.ELsmp.img
After the make in the kernel, I receive this message:
Root device is (8, 6)
Boot sector 512 bytes.
Setup is 6895 bytes.
System is 1509 kB
Kernel: arch/i386/boot/bzImage is ready
Did I do anything wrong?
Thank you.
kernel
That looks correct; maybe you do not have the correct drivers? What does lspci show? Also the 2.6.12 kernel does not have functioning hyperthreading code, so if you need it go to 2.6.11.12.
LSI Logic SCSI Problems, and a solution
Hi,
After talking to eth00 on IRC last night I figured out why my SCSI controller
wasn't being recognised on bootup, and I was getting a subsequent kernel panic in the form of:
The reason was conflicting device drivers, and the system picking the one which doesn't work and bombing. For this controller you must use the Fusion MPT drivers in the Device Drivers menu of menuconfig, and NOT the LSI Logic drivers in the SCSI Low Level Drivers menu. You probably should not have any SCSI Low Level Drivers at all if you have an EV1 Dell Poweredge 1600sc server with only this SCSI adapter.
After spending all weekend on this, I hope it will help someone else.
I was installing Gentoo-2.6.11-hardened-r15.
Thanks again for this great guide.
Sandy.
kernel
Glad you were able to figure it out! Sorry I did not have time to take a look at your config when you were doing it.
2.6.14.2 have HT ?
Hi, do you know if the 2.6.14.2 kernel has HT support? I have a 2.8 HT processor, and after compiling 2.6.14.2, it shows only 1 CPU on the service status in cPanel.
2.6.14.2
2.6.14 did, though go back into the .config and make sure it is enabled; they changed the options around again so an old config won't work.
GrSecurity doesn't stop HT
GrSecurity doesn't stop HT from working. The issue is you've forgotten to enable SMP functions for your Kernel. Do that, and the problem will go away.
do you recommend using
Do you recommend using grsecurity with HT?
grsec
I personally have not used grsecurity in a few months; it should be fine with HT. Though personally I am not that fond of HT from a performance standpoint. I have not seen a huge difference with or without it, and I have seen a few articles saying it can even hurt performance. I would personally say just leave it off generally.
one more question i have a
One more question: I have a dual Xeon 3.2. In the kernel config I select SMP; how many processors do I need to select for a dual Xeon server, 2 CPUs or 4 CPUs?
ddx 3.2 config
I usually personally disable HT so 2 processors. That setting in the config is only a max so the default of 16 is fine.
i complied vanilla kernel
I compiled a vanilla kernel with grsecurity on a dual Xeon and SCSI machine but it does not boot. Anyway, I am using that config on almost 6 machines and they boot perfectly; the SMP option is enabled and the SCSI modules are selected, but it doesn't boot.
root@linux [~]# cat /etc/lilo.conf
prompt
timeout=50
default=linux
boot=/dev/sda
map=/boot/map
install=/boot/boot.b
message=/boot/message
linear
image=/boot/vmlinuz-2.4.21-37.ELsmp
label=linux
initrd=/boot/initrd-2.4.21-37.ELsmp.img
read-only
append="root=LABEL=/"
image=/boot/vmlinuz-2.4.21-32.0.1.ELsmp
label=linux-ogy
initrd=/boot/initrd-2.4.21-32.0.1.ELsmp.img
read-only
append="root=LABEL=/"
image=/boot/vmlinuz-2.4.21-27.ELsmp
label=linux-eski
initrd=/boot/initrd-2.4.21-27.ELsmp.img
read-only
append="root=LABEL=/"
image=/boot/vmlinuz-2.4.32-grsec
label=2.4.32-grsec
initrd=/boot/initrd-2.4.32-grsec.img
read-only
append="root=LABEL=/"
Will this be a problem with vanilla kernels?
" append="root=LABEL=/""
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda3 68437272 12507848 52452960 20% /
/dev/sda1 101089 23350 72520 25% /boot
none 1027624 0 1027624 0% /dev/shm
/dev/sdb1 70557052 38402252 28570704 58% /backup
/dev/tmpMnt 984248 744 933504 1% /tmp
thank you
vanila
Honestly I am not as familiar with the 2.4 kernels. The append= line could be causing some of the problems I would just do append="root=/dev/sda" which may help. If not I would double check the modules loaded and that you have the correct ones. I know with the 2.6 series there are some times when SMP or HT is enabled and it does not boot with it enabled.
2.6.15.4?
Will this work with more recent versions, say the 2.6.15 series? The most recent stable is 2.6.15.4. I want to put 2.6 on a few; one is production, one is brand new. So I'm going to try it out on the brand new server (at ev1) first. But I was just curious because I'd rather not screw something up.
This is an awesome site.
2.6
Yes, it will work fine. The only thing you have to watch out for is if you use grsec you need to use whatever the latest version is that they support. Aside from that the physical kernel guide should work for any recent version.
I am going to try to get some time to make a new guide and/or update my current ones. I am actually doing the kernels a little differently nowadays, with a method that works better for me but is a little harder to explain. It is just going to take some time to type it all up so that it makes sense; basically I start with a basic config and add all the drivers in via menuconfig.
cat /etc/modules.conf |grep eth
I have a new P4 system from Ev1servers. When I try to see what type of NIC I have by using 'cat /etc/modules.conf |grep eth', it is blank. The only line in the modules.conf file is
alias char-major-10-224 off
How else can I figure out what type of NIC I have? Or, because it is not in the modules.conf file, does that mean I cannot use this tutorial? Any help you can give would be great. Thanks!