Grsec on Xen

Jun. 21, 2014

GRsecurity and Xen This guide will show you how to install grsecurity and build and customize a kernel on a Xen based VPS. This setup has been tested on the Norwegian provider http://www.cloud1.no and on www.linode.com

This guide has been tested on Debian 6.0 64-bit Linux.

Prerequisites Create a snapshot of your VM Make sure your system packages is up to date You will need packages kernel-package build-essential bzip2 ncurses-dev Download Navigate your browser to https://grsecurity.net/download_stable.php and grab the latest stable release

Download the kernel source tree that matches the latest stable release of grsecurity from http://www.kernel.org, in this example it is version grsecurity-2.9.1-3.2.33.

Unpack the kernel source:

root@testvm:/usr/src# tar xfj linux-3.2.33.tar.bz2 Create a symlink called linux that points to the current source tree

root@testvm:/usr/src# ln -s linux-3.2.33 linux Now, patch your kernel

root@testvm:/usr/src/linux# patch -p1 < ../grsecurity-2.9.1-3.2.33-201211042155.patch The next step is to configure your kernel, I have made an attempt for a minimal kernel, but more canbe done in order to make it smaller, you can find it here:

http://frank2.net/files/grsec.config Enter the kernel configuration

root@testvm:/usr/src/linux# make menuconfig Load the grsec.config, exit and save.

Clean up

root@testvm:/usr/src/linux# make-kpkg clean Set the amount of cores, not necessary if you only have one core

export CONCURRENCY_LEVEL=2 Make the kernel

root@testvm:/usr/src/linux# make-kpkg –rootcmd fakeroot –initrd –revision=grsec.1 kernel_image kernel_headers Install the kernel

root@testvm:/usr/src/linux# dpkg -i ../linux-image-3.2.33-grsec_grsec.1_amd64.deb root@testvm:/usr/src/linux# dpkg -i ../linux-headers-3.2.33-grsec_grsec.1_amd64.deb Reboot and test!

root@testvm:/usr/src/linux# reboot root@testvm:~# uname -r 3.2.33-grsec Next you might want to install and configure gradm

Sources:

http://www.debianadmin.com/step-by-step-tutorial-howto-compile-kernel-in-debian-5-0-lenny.html Kernel build http://www.grsecurity.net Grsecurity http://www.kernel.org Kernel sources https://secure.wikimedia.org/wikibooks/en/wiki/Grsecurity EDIT

It now looks like grsec has an option to choose which virt. technology you are using and autoconfigures based on that.

comments powered by Disqus