Securing and Optimizing Linux: RedHat Edition | All about OS

Configuring and Building a secure, optimized Kernels


Linux Kernel
Overview
Well, our Linux server seems to be getting in shape now! But wait, what is the most important part of our server? Yes, it’s the kernel. The Linux kernel is the core of our operating system, and without it there is no Linux at all. So we must take care of our kernel, configure it to fit our needs, and compile in only the features we really need. The first thing to do next is to build a kernel that best suits your system. It’s very simple to do but, in any case, refer to the README file in the “/usr/src/linux/” directory. When configuring your kernel, only compile in code that you need and use. Four main reasons come to mind: the kernel will be faster (less code to run), you will have more memory (kernel parts are NEVER swapped to virtual memory), it will be more stable (ever probed for a non-existent card?), and unnecessary parts can be used by an attacker to gain access to the machine or to other machines on the network. Modules are also slower than support compiled directly into the kernel.
In our configuration and compilation we will build a monolithic kernel. A monolithic kernel means answering only Yes or No to the questions (don’t make anything modular) and omitting the steps make modules and make modules_install. Also, we will patch our new kernel with the buffer overflow protection from the Secure Linux Kernel Patches. Patches for the Linux kernel exist, like Solar Designer’s non-executable stack patch, which disallows the execution of code on the stack, making a number of buffer overflow attacks harder, and defeating completely a number of current exploits used by “script kiddies” worldwide.
Remember to answer only Yes or No to the questions when configuring your new kernel if you intend to build a monolithic kernel. If you intend to use firewall masquerading functions or a dial-up PPP connection, you cannot build a monolithic kernel, since these functions require the building of some modules by default. Build a modularized kernel instead.
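Added example, not from the book: a small POSIX shell script that audits a kernel .config for the Yes/No-only rule described above, listing every option left as a module and checking that module support itself is off. The two .config fragments it writes are constructed samples, and the option names in them are illustrative.

```shell
#!/bin/sh
# Audit a kernel .config for the monolithic rule: every option must be
# y or n; any CONFIG_*=m line means a module was requested.

# Print the name of every option compiled as a module (CONFIG_FOO=m).
# Usage: modular_options /path/to/.config
modular_options() {
    grep -E '^CONFIG_[A-Z0-9_]+=m$' "$1" | sed 's/=m$//'
}

# Succeed (exit 0) only if the config builds a monolithic kernel:
# no "=m" lines and module support (CONFIG_MODULES) not enabled.
is_monolithic() {
    if [ -n "$(modular_options "$1")" ]; then
        return 1
    fi
    if grep -q '^CONFIG_MODULES=y$' "$1"; then
        return 1
    fi
    return 0
}

# Constructed sample configs (not from the book): the first one leaves the
# network card and PPP as modules, the second answers everything Y or N.
write_sample_configs() {
    cat > "$1" <<'EOF'
CONFIG_MODULES=y
CONFIG_SCSI=y
CONFIG_SCSI_AIC7XXX=y
CONFIG_EEXPRESS_PRO100=m
CONFIG_PPP=m
EOF
    cat > "$2" <<'EOF'
# CONFIG_MODULES is not set
CONFIG_SCSI=y
CONFIG_SCSI_AIC7XXX=y
CONFIG_EEXPRESS_PRO100=y
# CONFIG_PPP is not set
EOF
}

# Demonstration: audit both samples and report what would need changing.
demo() {
    tmp=$(mktemp -d)
    write_sample_configs "$tmp/modular.config" "$tmp/monolithic.config"
    for f in "$tmp"/*.config; do
        if is_monolithic "$f"; then
            echo "$f: monolithic (Y/N only)"
        else
            echo "$f: NOT monolithic; options still built as modules:"
            modular_options "$f" | sed 's/^/  /'
        fi
    done
    rm -rf "$tmp"
}
demo
```

Run it against the real /usr/src/linux/.config after make config to confirm nothing was left modular before building.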
A new kernel is very specific to your computer hardware. For the kernel configuration part we assume the following hardware for our example; of course you must change it to fit your system components.
1 Pentium II 400 MHz (i686) processor
1 Motherboard SCSI
1 Hard Disk SCSI
1 SCSI Controller Adaptec AIC 7xxx
1 CD-ROM ATAPI IDE
1 Floppy Disk
2 Ethernet Cards Intel EtherExpressPro 10/100
1 Mouse PS/2
These installation instructions assume:
Commands are Unix-compatible.
The source path is /usr/src.
Installations were tested on Red Hat Linux 6.1 and 6.2.
All steps in the installation will happen in super-user account “root”.
Latest Kernel version number is 2.2.14
Latest Secure Linux Kernel Patches version number is 2.2.14-ow2
Packages
Kernel Homepage: http://www.kernelnotes.org/
You must be sure to download: linux-2.2.14.tar.gz
Kernel FTP Site: 139.142.90.113
Secure Linux Kernel Patches Homepage: http://www.openwall.com/linux/
You must be sure to download: linux-2.2.14-ow2.tar.gz
Secure Linux Kernel Patches FTP Site: 195.42.162.180

