Compiling a 2.6.9 kernel + Grsecurity

How-To: Compile a monolithic 2.6.9 kernel with grsecurity




This guide is superseded by the 2.6.10 + grsec kernel guide. It is no longer going to be updated.




This guide was designed for the ev1 configured PowerEdge servers. I have tested it on the 2.0 and 2.4 GHz Xeons and the 2.0 GHz Celeron. It should also work fine with the P4 2.0 GHz and up, but I have not personally tested one yet. I do not have any plans to test this kernel on any older systems, though as long as the network card support is built in it will probably work. I started this as a project to increase the performance and security of my servers. The 2.6.x kernel has many improvements that have dramatically dropped the load on the servers I have tested this on so far. In addition, the kernel does not support loadable modules (the definition of monolithic), which removes one possible avenue for vulnerabilities and is also more efficient. Though there are no studies directly linking grsecurity to increased security, it only adds additional security to your system with very few negative drawbacks. I think that is worth the extra time to configure in grsecurity on the chance that it may block a possible cracker.



***This guide is to be used completely at your own risk! ***


***WARNING*** Right now this guide will not work correctly with ensim in high security mode. If you disable the chroot options in menuconfig it will work. I will come out with a workaround shortly for people that use ensim in high security.

I have tested it on three different systems and all came up without any problems. If the server does not come up you can simply reboot it and it will come back online with an older version that works. If you have any comments about the .config posted please post them I am always interested in making improvements!


Now that is done the guide is below, good luck!


Unlike the other kernel guide, the module-init tools are not needed here because there are no modules to be loaded.

First we will check that the server has the correct modules. Chances are very good that if it has the correct ethernet drivers your system will be able to boot up even if it is not one of the systems listed above. Please post if you try it and it works on other configurations.

Look at the network module aliases for your current kernel:
-----command-----
grep eth /etc/modules.conf
-----command-----


If you have any one of the lines below you should be fine. The eth* number does not matter as long as the driver matches. A label of eth0 means it is the main NIC while eth1 refers to the pnet NIC.

alias eth0 8139too
alias eth0 e1000
alias eth0 tg3
alias eth0 natsemi



Now we will download the 2.6.9 kernel along with the grsecurity patch and apply the patch.

-----command-----
cd /usr/local/src/
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.9.tar.gz
tar -zxf linux-2.6.9.tar.gz
wget http://www.eth0.us/2.6.9/grsecurity-2.0.3-2.6.9-200412201738.patch
patch -p0 < grsecurity-2.0.3-2.6.9-200412201738.patch
cd linux-2.6.9
wget http://eth0.us/2.6.9/.config
-----command-----

At this stage you can configure the kernel how you like it. Running "make menuconfig" presents you with a huge menu of options that you can compile into your kernel. After you make your changes, choose exit and continue. I have already removed just about everything extra, so no changes are necessary. Please note that if you do add features you need to add them statically into the kernel, as this kernel does not support loadable modules. If you do add module support and modules, your server will not boot using the directions below. If you add anything other than module support it will automatically be added statically in menuconfig.



Now to actually compile the kernel.
-----command-----
make -j 4
-----command-----
Make sure there are *NO* errors after this! If you do get errors, the steps below are not going to work.


If you go back and recompile your kernel after you have already copied the files to /boot, you will first need to delete or overwrite those files. Go ahead and delete them.
-----command-----
rm -f /boot/config-2.6.9-grsec-eth00
rm -f /boot/vmlinuz-2.6.9-grsec-eth00
rm -f /boot/System.map-2.6.9-grsec-eth00
-----command-----


Copy the new files into your /boot directory.
-----command-----
cp .config /boot/config-2.6.9-grsec-eth00
cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.9-grsec-eth00
cp System.map /boot/System.map-2.6.9-grsec-eth00
-----command-----



All of the ev1 servers I have worked on have lilo installed, so below is what you need to add to the file to allow you to boot. The appended elevator=deadline should help with the IO of your server, which will in turn lower your server loads. If after recompiling you have trouble with the IO, remove it from the append line and reboot to see if that is what is causing the trouble.
-----command-----
pico -w /etc/lilo.conf
-----command-----

Now scroll to the bottom and add these lines:

image=/boot/vmlinuz-2.6.9-grsec-eth00
label=2.6.9-grsec
append="root=/dev/sda3 elevator=deadline"
read-only


If you have a normal IDE drive, replace sda3 with hda3.

Make sure when you run this lilo command that you see no errors. If there are any, something is configured wrong and the server is not going to boot.
-----command-----
lilo -v -v
-----command-----
If you do not see "Writing boot sector." after this command something is wrong!


Now we are going to set the server to reboot into the kernel. By using -R the server will only try to boot once into the new kernel. If any problems are encountered the server will boot to your old kernel the next time it is rebooted.

-----command-----
lilo -R 2.6.9-grsec
-----command-----


OK, you are ready to reboot and test it out. Go ahead and reboot via "shutdown -r now". If it does not come up after 10 minutes you are going to have to get the server rebooted. Since we used -R it will boot back to the old kernel next time. If it fails you can check the logs to see if anything is shown, but many times nothing is and the only way to find out is to have a tech look at the screen or use a KVM/DRAC. If it does work for you, change the default= in lilo.conf to your new kernel.


Save and you are all done.
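As an added example that is not part of the original guide, here is a small POSIX shell pre-flight script covering the checks the guide asks you to make by eye before the "lilo -R" and reboot: the ethernet driver alias check from the modules.conf step, the three files copied into /boot, and the "Writing boot sector." line from "lilo -v -v". The driver list and file-name suffix come from this guide; the sample files at the bottom are constructed for the demo, and the script does not run lilo itself.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-flight checks before
# "lilo -R" and the reboot. Paths are parameters so it runs on sample files.

# NIC drivers the guide lists as built statically into its .config.
STATIC_NICS="8139too e1000 tg3 natsemi"

# nic_supported <modules.conf>: success if an "alias ethN <driver>" line
# names a built-in driver. The eth number does not matter, the driver does.
nic_supported() {
    [ -r "$1" ] || return 1
    for d in $(awk '$1 == "alias" && $2 ~ /^eth[0-9]+$/ { print $3 }' "$1"); do
        for s in $STATIC_NICS; do
            [ "$d" = "$s" ] && return 0
        done
    done
    return 1
}

# boot_files_present <bootdir> <suffix>: the kernel image, System.map and
# config the guide copies into /boot must all exist and be non-empty.
boot_files_present() {
    [ -s "$1/vmlinuz-$2" ] && [ -s "$1/System.map-$2" ] && [ -s "$1/config-$2" ]
}

# lilo_wrote_boot_sector <file holding "lilo -v -v" output>: the guide treats
# the run as good only if "Writing boot sector." appears in the output.
lilo_wrote_boot_sector() {
    grep -q 'Writing boot sector\.' "$1"
}

# Demo on constructed sample input (not captured from a real server).
tmp=$(mktemp -d)
printf 'alias eth0 tg3\nalias eth1 e100\n' > "$tmp/modules.conf"
printf 'Added 2.6.9-grsec\nWriting boot sector.\n' > "$tmp/lilo.out"
mkdir "$tmp/boot"
for f in vmlinuz System.map config; do
    echo sample > "$tmp/boot/$f-2.6.9-grsec-eth00"
done
nic_supported "$tmp/modules.conf" && echo "NIC driver: built in"
boot_files_present "$tmp/boot" 2.6.9-grsec-eth00 && echo "/boot files: present"
lilo_wrote_boot_sector "$tmp/lilo.out" && echo "lilo: boot sector written"
rm -rf "$tmp"
```

On a real server you would point the three functions at /etc/modules.conf, /boot with the 2.6.9-grsec-eth00 suffix, and a file holding the saved output of "lilo -v -v".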


Hopefully it will come up fine for you :)
Feel free to link to this guide but please do not copy it as your own!
