GrSecurity Kernel Install Script



felosi
09-07-2006, 04:58 PM
Ok, here is the script I wrote for downloading the latest kernel and grsecurity patch, patching the kernel, and then building it. It grabs the config file I made up for single processor Pentium 4 based servers. Security setting is set to low with proc restrictions where users can only see their processes. Also all xtables, iptables and other common features are enabled.
I have tried this on a Fedora server and it did great, so if everyone else likes it I will make one for AMD as well.
I will also be making an updated howto for those who wish to go over their config manually.
If anyone has any feedback or suggestions or to report a problem simply post in the forum or come look for us in IRC.
This is for single processor pentium 4 based machines only with 512mb-2gb ram
Here is how to get the script going

For RedHat Based Servers


cd /usr/src

For Redhat Based Servers (CentOS, Fedora, etc.)


wget www.evolution-security.com/files/grkern.sh


chmod 755 grkern.sh


./grkern.sh

Give it a while to compile and install then when it is done do this


grub
savedefault --default=0 --once
quit



Then reboot or better yet have your datacenter reboot in case the kernel panics.

trocobob
09-12-2006, 05:33 AM
thanks man for the tip

Oracle
05-17-2009, 03:28 AM
After a little work getting the config right for a hosting/shell server I finally came up with the script that will patch, compile, and install the grsecurity patched kernel. You just run the shell script and it will download the kernel and patch, patch the kernel, download the config, and then compile and install.

The config I got made up is for Pentium4/Xeon/Celeron based servers. It includes all necessary options for an average Pentium based server with a single processor. The grsecurity level is set to low along with proc restrictions where users can see only their processes. I find the proc restrictions more of a convenience than an actual security procedure because shell users do not have to go through all the processes to find theirs nor do they have to do ps -u, so it is a pretty handy feature.

All xtables, iptables, and such are enabled. Lots of generic options are selected but nothing that is not needed by at least some machines.

I have run this script successfully on a Fedora and 2 CentOS servers and it did just fine. As far as stricter security options and PaX go, a lot of them do not work well with your typical hosting server. The way it is now it is very secure and protected against local exploits while still being totally functional and not over restrictive..........
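
Added example, not part of the original posts or of grkern.sh: a check to run against the downloaded .config before building, confirming that it really carries the settings both posts describe (grsecurity level low, /proc restricted to the owning user, xtables and iptables enabled). The option names are assumptions based on grsecurity 2.x-era Kconfig and mainline netfilter, and the sample config is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a kernel .config before compiling it.
# Option names below are assumptions (grsecurity 2.x-era Kconfig plus
# mainline netfilter); adjust them to the patch version actually in use.
REQUIRED="CONFIG_GRKERNSEC CONFIG_GRKERNSEC_LOW CONFIG_GRKERNSEC_PROC
CONFIG_GRKERNSEC_PROC_USER CONFIG_NETFILTER_XTABLES CONFIG_IP_NF_IPTABLES"

# Prints "ok", or "missing: ..." listing every required option that is
# neither built in (=y) nor modular (=m). Returns 0, 1, or 2 (unreadable).
audit_config() {
    cfg=$1
    missing=""
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    for opt in $REQUIRED; do
        # Anchored match: "# CONFIG_X is not set" and longer names such as
        # CONFIG_X_SOMETHING must not satisfy the check for CONFIG_X.
        if ! grep -Eq "^${opt}=(y|m)\$" "$cfg"; then
            missing="$missing $opt"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
}

# Constructed sample config (not the file the script downloads). It has the
# proc restriction switched off and a similarly named option switched on.
write_sample() {
    cat > "$1" <<'EOF'
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_LOW=y
# CONFIG_GRKERNSEC_PROC is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_IP_NF_IPTABLES=m
EOF
}

# Demo run against the constructed sample.
tmp=$(mktemp)
write_sample "$tmp"
audit_config "$tmp" || true
rm -f "$tmp"
```

Point audit_config at the real .config in the kernel source tree after the script has fetched it and before the compile step.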

lenovohost
10-30-2009, 08:45 AM
Thanks man for the information

pinspathad
11-10-2009, 03:40 AM
All xtables, iptables, and such are enabled. Lots of generic options are selected but nothing that is not needed by at least some machines.
:cool: