LinuxQuestions.org


slug420 12-14-2004 03:43 PM

Help with hardening Kernel
 
I am looking to harden an install of Mandrake for corporate use.

My plan was to recompile the kernel excluding unnecessary drivers and other unneeded modules, and then to run Bastille and/or Chroot to really lock down what the user is able to do.

My question is, how do I go about removing things from the kernel? I found a pretty good tutorial online for recompiling the kernel itself ( http://www.pgshopping.com/mdkxp/?c=ttrls/mdkkernel ) and have gone through it once basically recompiling without modifying the kernel. I am up to the point where I run "make menuconfig" which I believe is where I add and remove things to/from the kernel. Basically, how do I know what CAN be removed?

Is there a way to list all of the actual hardware on my PC so that I can just go through and remove any modules or drivers not on that list? Are there things other than hardware drivers that should be removed while I'm recompiling to make it more secure?

TIA

gcombe74 12-14-2004 06:32 PM

well yes....

look in proc... that is where your hardware is.

/proc/devices

or type in dmesg ... that is your boot info.

usually /usr/src/linux is where the kernel default is.

go there and run make menuconfig

deselect the modules/hardware you don't have.

save and exit.

from that same dir you should be able to run

make dep && make bzImage modules modules_install

as well this will help some..

http://www.freeos.com/articles/2589/

jtshaw 12-14-2004 06:55 PM

Another thing to check out if security is really important for you is www.grsecurity.net. It provides patches for RBACL's and a bunch of other features that block users from seeing processes they don't own and things of that nature.

slug420 12-15-2004 09:57 AM

when in menuconfig, I can set any item to * (built-in) M (module) < > Module Capable

Do I want to set everything to * so that it is built in and then set Kernel Module Loader (Under Loadable Module Support) to empty?

If I understand it correctly then this would make it so the kernel does not load any modules, and any modules it needs are already built in, in my mind making it more secure.... is this at all accurate?

Also, does GRSecurity replace or work along with Bastille?

Thanks again,

jtshaw 12-15-2004 10:16 AM

grsecurity is specifically for the linux-kernel. Bastille should work along side with it.

slug420 12-20-2004 08:52 AM

having a ton of problems getting the kernel to compile....

I have tried to simplify things by forgetting about grsecurity for now....and while I am able to recompile a duplicate of the kernel, once I make any changes in 'make menuconfig' it errors out. The only change I am really trying to do right now is to disable module support.

I just go to loadable module support, then uncheck the box for "enable loadable module support"

I even tried downloading a newer version of the kernel to compile and that gives me the same problems when module support is disabled.

I am following the instructions on the link given above ( http://www.pgshopping.com/mdkxp/?c=ttrls/mdkkernel )
initially I was following them exactly but now since I am disabling module support I have been using 'make dep clean bzImage && make -j3' instead of the recommended 'make dep clean bzImage && make -j3 modules'

thanks for any help..

slug420 12-20-2004 09:45 AM

just to add to that...

It appears to have just compiled with module support disabled. What I had been doing is going in and disabling every area that it errored on. For example if it errored on something to do with SCSI, I went in and disabled support for SCSI drivers. A question this raises in my mind is, when compiling the kernel with all the drivers built in and module support disabled, will the kernel have trouble compiling including drivers for hardware not presently on the computer? Logically I didn't think this was true but it was a passing thought seeing the problems I have had.

So now it looks to have compiled ok and I am proceeding with the rest of the process but when I try to do the following:
mkinitrd /boot/initrd-2.4.21-1custom.img 2.4.21-1custom
I get this error:
/lib/modules/2.4.21-1custom is not a directory

I am guessing that either because I was compiling without module support or because I excluded the word modules off the end of the make command that it did not create the modules directory. So why is this initrd command looking for it, and how do I get it to not look for /lib/modules?

thanks again :D

slug420 12-21-2004 10:46 AM

bueller.....bueller?

jtshaw 12-21-2004 11:41 AM

If you have no modules then you don't need an initrd... since the only thing that provides is the ability to load your modules before the root file system is mounted. Don't bother with it, and don't put an initrd line in your boot loader for this kernel.

What you do need to do when disabling modules is make sure things like support for your root filesystem (probably ext3 or reiserfs) are included in the kernel with the *. No options anywhere should have an M in your menuconfig. The errors you got before were a result of running make modules with no module support. The error you get about the directory not being there on mkinitrd is a result of you not having run make modules_install which creates that directory and puts the modules in there.

I hope this helps...
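
Added example, not part of the original posts: a shell check of a kernel `.config` against the three conditions described in the reply above (module support off, nothing left as M, root filesystem driver built in). The function name `audit_kernel_config` and the sample config fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a kernel .config for a build
# with loadable module support disabled.
# Returns 0 if clean, 1 if any check fails, 2 if the file is unreadable.
audit_kernel_config() {
    cfg=$1          # path to the .config to check
    rootfs_sym=$2   # symbol for the root filesystem driver, e.g. CONFIG_EXT3_FS
    failed=0

    [ -r "$cfg" ] || { echo "ERROR: cannot read $cfg"; return 2; }

    # Module support off means the line reads "# CONFIG_MODULES is not set".
    if grep -q '^CONFIG_MODULES=y$' "$cfg"; then
        echo "FAIL: CONFIG_MODULES=y, loadable module support is still enabled"
        failed=1
    fi

    # Any option left as M would be built as a module that can never be loaded.
    mods=$(grep '^CONFIG_[A-Za-z0-9_]*=m$' "$cfg" || true)
    if [ -n "$mods" ]; then
        echo "FAIL: options still set to M:"
        echo "$mods" | sed 's/^/  /'
        failed=1
    fi

    # Without an initrd, the root filesystem driver has to be built in (*).
    if ! grep -q "^${rootfs_sym}=y\$" "$cfg"; then
        echo "FAIL: $rootfs_sym is not built in (=y)"
        failed=1
    fi

    [ "$failed" -eq 0 ] && echo "OK: $cfg is consistent with a no-modules, no-initrd build"
    return "$failed"
}

# Constructed sample .config fragment (not taken from the thread).
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_MODULES=y
CONFIG_EXT3_FS=m
CONFIG_REISERFS_FS=y
# CONFIG_BLK_DEV_INITRD is not set
EOF
audit_kernel_config "$sample" CONFIG_EXT3_FS || true
rm -f "$sample"
```

Run it against the saved `.config` before starting the build, passing the symbol for whichever filesystem holds the root partition.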

slug420 12-21-2004 01:12 PM

helps a ton, thanks :)


how about these errors:
make[4]: Leaving directory `/usr/src/linux-2.4.21-1custom/3rdparty/atmelwlan/usbvnet_rfmd'
make[3]: Leaving directory `/usr/src/linux-2.4.21-1custom/3rdparty/atmelwlan/usbvnet_rfmd'
make all_targets
make[3]: Entering directory `/usr/src/linux-2.4.21-1custom/3rdparty/atmelwlan'
make[3]: *** No rule to make target `usbvnet_rmfd/usbvnet_rfmd.o', needed by `atmelwlan.o'. Stop.
make[3]: Leaving directory `/usr/src/linux-2.4.21-1custom/3rdparty/atmelwlan'
make[2]: *** [first_rule] Error 2
make[2]: Leaving directory `/usr/src/linux-2.4.21-1custom/3rdparty/atmelwlan'
make[1]: *** [_subdir_atmelwlan] Error 2
make[1]: Leaving directory `/usr/src/linux-2.4.21-1custom/3rdparty'
make: *** [_dir_3rdparty] Error 2

I get them for almost every section. I was getting them for the sound section so I went into harddrake to see what soundcard was in this pc, then disabled all the sound drivers except for the one I was using and I still got the error. I wound up having to disable sound drivers altogether to get past that error. Same for IrDa, amateur radio, firewire, usb etc etc (not that I am using any of these other ones but nevertheless I had to disable support for them in menuconfig). Now in the excerpt above it is giving me an error on the 3rd party drivers section. I just went in and removed the driver in question so we shall see how it goes but why am I getting this error for each section in make menuconfig?


thanks for your help

slug420 12-21-2004 01:32 PM

I just found this:

Code:

Looks to me like you have a problem with which files are being included.
Usually, the Linux kernel is a piece of cake to compile. First, check to
make sure that you have a link in /usr/src called linux that points to
the correct kernel tree, in this case 2.0.30 . Then check to make sure
there is another link in /usr/include called linux that points to
/usr/src/linux/include/linux. Also make sure that the link called asm in
/usr/include points to /usr/src/linux/include/asm. This is actually a
link to a link that probably points to /usr/src/linux/include/asm-i386.
The /usr/src/linux/include/asm link is created by the configure script.
I found out a while ago that you need this link for some other software
to compile too. Try recompiling again but first to a "make mrproper" so
the code is clean. Hope this does the trick.

while searching for "error 2"

Do I really need all those links? the only one I have is the one that was specified in that mandrake tutorial linked above... /usr/src/linux linked to /usr/src/linux-2.yaddayadda/

jtshaw 12-21-2004 03:01 PM

That is all you need. Especially if you are using a 2.6 kernel... you don't want to swap out your include files or you'll have trouble compiling other things....

If you have made major changes to the configuration, doing a make mrproper is often a good idea (save your .config file) to make sure there isn't old stuff laying around that wasn't cleaned out properly.

slug420 12-21-2004 03:15 PM

When I do a make menuconfig I disable module support and I think it automatically changed everything that was a * or an M to a * (automatically builds in anything that was supposed to be available in a module or built in). I am content with having a huge kernel and leaving all of these extra drivers and features that I don't want built in for simplicity's sake as long as module support is disabled and the drivers I need are there.

So that being said, I'm not sure if that is considered to be "major changes" or not. If it is you are saying I should do a make mrproper after I complete any changes in make menuconfig?

I'll give that a shot....

any ideas on why I am getting all of these errors?
Code:

how about these errors:
make[4]: Leaving directory `/usr/src/linux-2.4.21-1custom/3rdparty/atmelwlan/usbvnet_rfmd'
make[3]: Leaving directory `/usr/src/linux-2.4.21-1custom/3rdparty/atmelwlan/usbvnet_rfmd'
make all_targets
make[3]: Entering directory `/usr/src/linux-2.4.21-1custom/3rdparty/atmelwlan'
make[3]: *** No rule to make target `usbvnet_rmfd/usbvnet_rfmd.o', needed by `atmelwlan.o'. Stop.
make[3]: Leaving directory `/usr/src/linux-2.4.21-1custom/3rdparty/atmelwlan'
make[2]: *** [first_rule] Error 2
make[2]: Leaving directory `/usr/src/linux-2.4.21-1custom/3rdparty/atmelwlan'
make[1]: *** [_subdir_atmelwlan] Error 2
make[1]: Leaving directory `/usr/src/linux-2.4.21-1custom/3rdparty'
make: *** [_dir_3rdparty] Error 2


bulliver 12-21-2004 10:31 PM

Quote:

are saying I should do a make mrproper after I complete any changes in make menuconfig?

No. mrproper will delete all unneeded object files from the source tree, and also remove your .config file. If you run this after running make menuconfig then you have effectively destroyed all the effort you put in.

Basically make mrproper will make the source clean, as though you had just untarred fresh sources. a "make clean" will remove the object files without removing your .config

edit: is there any particular reason you are using such old kernel sources? 2.4.21 has security holes in it. If you want to use 2.4 series kernel then go to kernel.org and get the newest version (2.4.27 I think)

slug420 12-22-2004 07:50 AM

no particular reason other than I was trying to keep things as simple as possible seeing as how I am having so many problems with this as is....

I tried downloading a newer version of the kernel but when I did a make menuconfig on that one there was no section for 3rd party drivers (which is where the driver for my NIC is located) so that really seemed like a step in the wrong direction...


does anybody know why I'm getting the errors listed above though?? and why I have to disable almost every single section in menuconfig in order for it to compile?? that seems like the real problem here...

