Securing and Optimizing Linux: RedHat Edition | All about OS

Securing the kernel

Category: Securing and Optimizing

The secure Linux kernel patches from the Openwall Project are a great way to prevent attacks like stack buffer overflows, and others. The Openwall patch is a collection of security-related features for the Linux kernel, all configurable via the new “Security options” configuration section that will be added to your new Linux kernel. This patch may change from version to version, and some versions may contain various other security fixes.
New features of patch version linux-2_2_14-ow2_tar.gz are:
Non-executable user stack area
Restricted links in /tmp
Restricted FIFOs in /tmp
Restricted /proc
Special handling of fd 0, 1, and 2
Enforce RLIMIT_NPROC on execve(2)
Destroy shared memory segments not in use
NOTE: When applying the linux-2_2_14-ow2 patch, a new “Security options” section will be added at the end of your kernel configuration. For more information and a description of the different features available with this patch, see the README file that comes with the source code of the patch.
Applying the patch
[root@deep /]# cp linux-2_2_14-ow2_tar.gz /usr/src/
[root@deep /]# cd /usr/src/
[root@deep src]# tar xzpf linux-2_2_14-ow2_tar.gz
[root@deep src]# cd linux-2.2.14-ow2/
[root@deep linux-2.2.14-ow2]# mv linux-2.2.14-ow2.diff /usr/src/
[root@deep linux-2.2.14-ow2]# cd ..
[root@deep src]# patch -p0 < linux-2.2.14-ow2.diff
[root@deep src]# rm -rf linux-2.2.14-ow2
[root@deep src]# rm -f linux-2.2.14-ow2.diff
[root@deep src]# rm -f linux-2_2_14-ow2_tar.gz
First we copy the program archive to the “/usr/src” directory, then we move to the “/usr/src” directory and decompress the linux-2_2_14-ow2_tar.gz archive. We then move to the new uncompressed Linux patch directory, move the file linux-2.2.14-ow2.diff containing the patch to “/usr/src”, return to “/usr/src” and patch our kernel with the file linux-2.2.14-ow2.diff. Afterwards, we remove all files related to the patch.
NOTE: All security messages related to the linux-2.2.14-ow2 patch, like the non-executable stack part, should be logged to the log file “/var/log/messages”.
The step of patching your new kernel is completed. Now follow the rest of this installation to build the Linux kernel and reboot.
Compilation
It is important to be sure that your “/usr/include/asm”, “/usr/include/linux”, and “/usr/include/scsi” subdirectories are just symbolic links to the kernel sources.
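A check for the symbolic-link requirement above, added here as an example (it is not from the book), assuming the kernel source tree path is passed as the first argument and the include root (defaulting to /usr/include) as the second:

```shell
#!/bin/sh
# Added example, not part of the book: verify that asm, linux and scsi under
# the include root are symbolic links that resolve into the kernel source tree.
# Usage: check_kernel_header_links /usr/src/linux [/usr/include]
# Returns 0 when all three are links into the tree, 1 otherwise.
check_kernel_header_links() {
    ksrc=$1
    incroot=${2:-/usr/include}
    status=0
    real_ksrc=$(cd "$ksrc" && pwd -P) || return 1
    for d in asm linux scsi; do
        link="$incroot/$d"
        if [ ! -L "$link" ]; then
            echo "$link: not a symbolic link" >&2
            status=1
            continue
        fi
        target=$(readlink "$link")
        # A relative link target is interpreted relative to the link's directory.
        case $target in
            /*) ;;
            *) target="$incroot/$target" ;;
        esac
        if [ ! -d "$target" ]; then
            echo "$link -> $target: dangling link" >&2
            status=1
            continue
        fi
        # Canonicalise (pwd -P) so asm -> asm-i386 style links still compare.
        real_target=$(cd "$target" && pwd -P)
        case $real_target in
            "$real_ksrc"/*) ;;
            *) echo "$link -> $real_target: outside $real_ksrc" >&2; status=1 ;;
        esac
    done
    return $status
}
```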
