frank2.net

How to setup Grsec on Xen

Published by Frank Solli on

Grsec on Xen

Frank Solli

GRsecurity and Xen This guide will show you how to install grsecurity and build and customize a kernel on a Xen based VPS. This setup has been tested on the Norwegian provider http://www.cloud1.no and on http://www.linode.com

This guide has been tested on Debian 6.0 64-bit Linux.

Prerequisites Create a snapshot of your VM Make sure your system packages is up to date You will need packages kernel-package build-essential bzip2 ncurses-dev Download Navigate your browser to https://grsecurity.net/download_stable.php and grab the latest stable release

Download the kernel source tree that matches the latest stable release of grsecurity from http://www.kernel.org, in this example it is version grsecurity-2.9.1-3.2.33.

Unpack the kernel source:

root@testvm:/usr/src# tar xfj linux-3.2.33.tar.bz2 Create a symlink called linux that points to the current source tree

root@testvm:/usr/src# ln -s linux-3.2.33 linux Now, patch your kernel

root@testvm:/usr/src/linux# patch -p1 < ../grsecurity-2.9.1-3.2.33-201211042155.patch The next step is to configure your kernel, I have made an attempt for a minimal kernel, but more canbe done in order to make it smaller, you can find it here:

http://frank2.net/files/grsec.config Enter the kernel configuration

root@testvm:/usr/src/linux# make menuconfig Load the grsec.config, exit and save.

Clean up

root@testvm:/usr/src/linux# make-kpkg clean Set the amount of cores, not necessary if you only have one core

export CONCURRENCY_LEVEL=2 Make the kernel

root@testvm:/usr/src/linux# make-kpkg –rootcmd fakeroot –initrd –revision=grsec.1 kernelimage kernelheaders Install the kernel

root@testvm:/usr/src/linux# dpkg -i ../linux-image-3.2.33-grsecgrsec.1amd64.deb root@testvm:/usr/src/linux# dpkg -i ../linux-headers-3.2.33-grsecgrsec.1amd64.deb Reboot and test!

root@testvm:/usr/src/linux# reboot root@testvm:~# uname -r 3.2.33-grsec Next you might want to install and configure gradm

Sources:

http://www.debianadmin.com/step-by-step-tutorial-howto-compile-kernel-in-debian-5-0-lenny.html Kernel build http://www.grsecurity.net Grsecurity http://www.kernel.org Kernel sources https://secure.wikimedia.org/wikibooks/en/wiki/Grsecurity EDIT

It now looks like grsec has an option to choose which virt. technology you are using and autoconfigures based on that.

Tags: xen,grsec,security.