GRSec Full Automation


GRSecurity is a set of patches for the Linux kernel that emphasizes security enhancements. These are third-party patches not included in the vanilla Linux kernel, so if you run an industry-standard Linux OS like CentOS or Ubuntu you will need to compile your own package or get one from a third party. This script aims to automate that process and make GRSec easier to implement and administer.

GFA v1.0 is hard-coded for 64-bit operating systems and has only been tested on CentOS 6. If there is interest, support for APT-based (Debian/Ubuntu) systems could be added.

  • Easy to use
  • Easy to update to the latest supported GRSec and kernel versions
  • Documented groups for easier management
  • RPM creation capability for easier implementation and reproducible results
  • Open source
  • All sources from verifiable upstream locations
  • Text-based GUI for easy configurability and remote deployment

New groups you will need to know about:

Group GID 2000 grs-proc This group is for non-root users that need access to the /proc filesystem. Anyone who is not root and not in this group will not be able to see other users' processes or who else is logged in.
Group GID 2001 grs-tpe Users in this group may only execute files located in root-owned directories that are writable only by root, nothing more. Not even ~/bin/.
Group GID 2002 grs-sock-all Group to disable all socket access.
Group GID 2003 grs-sock-client Group to disable all client-side socket access (no outbound connections).
Group GID 2004 grs-sock-sever Group to disable all server-side socket access (no listening sockets). Note the spelling; it is the name the script creates.
Group GID 2005 grs-audit Group to enforce full auditing through syslog. Logs exec, ptrace, mount, signals, and chdir for these users.
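The groups above only take effect once their GIDs match what the kernel is looking for. The /proc GID is fixed when the kernel is compiled (CONFIG_GRKERNSEC_PROC_GID, taken from the kernel config the script generates), while the TPE, socket and audit GIDs are runtime sysctls under kernel.grsecurity that can be changed until kernel.grsecurity.grsec_lock is set. The following script is an added example, not part of GFA, that creates the six groups with the fixed GIDs, writes the matching sysctls, reads each one back and only then (with --lock) locks them. The sysctl.d path and the dry-run/apply switch are my assumptions; on CentOS 6 check that the file is actually loaded at boot or merge it into /etc/sysctl.conf.

```bash
#!/bin/bash
# Added example, not part of GFA: create the GFA groups with their fixed GIDs
# and point the grsecurity sysctls at them. Run as root on the GFA kernel.
set -e

# GID:name table exactly as GFA prints it (including the "grs-sock-sever" spelling).
GFA_GROUPS='2000:grs-proc
2001:grs-tpe
2002:grs-sock-all
2003:grs-sock-client
2004:grs-sock-sever
2005:grs-audit'

# Print one groupadd command per group. A group that already exists with the
# right GID is skipped; one that exists with a different GID makes groupadd
# fail loudly, because a GID that does not match the sysctl protects nothing.
gfa_groupadd_cmds() {
  while IFS=: read -r gid name; do
    printf '[ "$(getent group %s | cut -d: -f3)" = %s ] || groupadd -g %s %s\n' \
      "$name" "$gid" "$gid" "$name"
  done <<EOF
$GFA_GROUPS
EOF
}

# Sysctl fragment: the enable switch plus the GID for each control. grs-proc is
# left out on purpose: the /proc GID is compiled in (CONFIG_GRKERNSEC_PROC_GID)
# and has no sysctl.
gfa_sysctl_fragment() {
  while IFS=: read -r gid name; do
    case "$name" in
      grs-tpe)         sw=tpe;           gk=tpe_gid ;;
      grs-sock-all)    sw=socket_all;    gk=socket_all_gid ;;
      grs-sock-client) sw=socket_client; gk=socket_client_gid ;;
      grs-sock-sever)  sw=socket_server; gk=socket_server_gid ;;
      grs-audit)       sw=audit_group;   gk=audit_gid ;;
      *) continue ;;
    esac
    printf 'kernel.grsecurity.%s = 1\nkernel.grsecurity.%s = %s\n' "$sw" "$gk" "$gid"
  done <<EOF
$GFA_GROUPS
EOF
}

# Create the groups, load the sysctls, read every key back, and only then lock.
# kernel.grsecurity.grsec_lock = 1 is one-way until reboot, so it needs --lock.
gfa_apply() {
  conf=/etc/sysctl.d/60-grsec-groups.conf   # assumed path (see lead-in)
  gfa_groupadd_cmds | sh -e
  gfa_sysctl_fragment > "$conf"
  sysctl -p "$conf" >/dev/null
  gfa_sysctl_fragment | while IFS='= ' read -r key want; do
    got=$(sysctl -n "$key")
    [ "$got" = "$want" ] || { echo "$key is $got, expected $want; not locking" >&2; exit 1; }
  done
  if [ "${1:-}" = --lock ]; then sysctl -w kernel.grsecurity.grsec_lock=1; fi
}

# Dry run by default: print what would be done. GFA_APPLY=1 applies it.
if [ "${GFA_APPLY:-0}" = 1 ]; then gfa_apply "${1:-}"; else gfa_groupadd_cmds; gfa_sysctl_fragment; fi
```

Run without arguments it only prints the groupadd commands and the sysctl fragment; GFA_APPLY=1 ./gfa-groups.sh applies them, and adding --lock also sets grsec_lock, after which no kernel.grsecurity sysctl can be changed until the next reboot. The read-back loop is what makes the lock safe: a key the kernel rejected (a control not compiled in, a typo in the GID) aborts the run before the settings are frozen.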

 Installation / Implementation:

[root@colo3 src]# ./BryanAndrews.org-GFA.sh 

This script is an automation tool for downloading, patching, and compiling the Linux kernel with GRSec 
security patches. Supplemental GRSec related tools like gradm and paxctl are included. Optional RPM 
packaging and RPM .SPEC creation is done. These RPM and .SPEC files are saved in the current users 
home directory. This is hard coded for 64bit systems only. If you later install the produced kernel 
RPM package you will need to create the groups specified below. These are also adjustable in the 
sysctl settings before the system is locked.
The following groups will be created for you:

Group GID 2000  grs-proc        This group is for non-root users that need access to the /proc system.
Group GID 2001  grs-tpe         All users in this group are only able to exec files in root owned dirs 
writable by root, nothing more.
Group GID 2002  grs-sock-all    Group to disable all socket access.
Group GID 2003  grs-sock-client Group to disable all client only socket access.
Group GID 2004  grs-sock-sever  Group to disable all server only socket access.
Group GID 2005  grs-audit       Group to enforce full auditing through syslog. Logs exec, ptrace, mount, 
sig, and chdir. 

Build root directory: /usr/src
GRSEc version: 3.0
GRSec Release: 201407151835
GRAdmin Release: 201407162022
Linux Kernel version: 3.2.61
PAXctl version: 0.8
Make RPMs?: y
This RPM release number: 7

BUILD ROOT               /usr/src
RPM RELEASE              7
KERNEL Version           3.2.61
GRSEC Version            3.0
GRSEC RELEASE            201407151835
GRADMN RELEASE           201407162022
CPU CORES                8
LOG File                 /usr/src/bryans_grsec-201407172043.log
BOOT PATH                /boot/
PAX URL                  http://pax.grsecurity.net/paxctl-0.8.tar.gz
GRSEC URL                http://grsecurity.net/stable/grsecurity-3.0-3.2.61-201407151835.patch
GRADM URL                http://grsecurity.net/stable/gradm-3.0-201407162022.tar.gz
KERNEL URL               https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.2.61.tar.xz
KERNEL TARBALL           linux-3.2.61.tar.xz
DESTINATION PACKAGE DIR  /root

This will download, install, and compile the Linux GRSec kernel on this system. If you do not want to do 
this press CTRL+C now to quit.
Press any key to continue... 
Installing prereq tools to build the kernel... OK
Downloading kernel 3.2.61 and GRSec patch 3.0... OK
Creating GRSec kernel configs in grsec_kernel_config.cfg with defaults OK
Using live kernel config to create a compatible new GRSec 3.0 config... OK
Building paxctl RPM... OK
Building gradm RPM... OK
Hacking the kernel repos generated spec file to install the kernel in grub when you install the RPM... OK
Setting the kernel RPM release to 7... OK
Building kernel 3.2.61-grsec RPM using 8 threads... OK
Checking for Kernel SRC RPM... OK
Checking for Kernel RPM... OK
Checking for Kernel headers RPM... OK
---------------------------------------------------------------------------------

RUN COMPLETED SUCCESSFULLY

Created /root/paxctl-0.8-7.x86_64.rpm
Created /root/gradm-3.0-7.x86_64.rpm
Created /root/kernel-3.2.61_grsec-7.src.rpm
Created /root/kernel-3.2.61_grsec-7.x86_64.rpm
Created /root/kernel-headers-3.2.61_grsec-7.x86_64.rpm

---------------------------------------------------------------------------------
[root@colo3 src]#
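The feature list promises sources from verifiable upstream locations, but the transcript downloads the tarball and the patch without checking a signature. kernel.org publishes a detached PGP signature for the uncompressed tarball (linux-3.2.61.tar.sign, so the .xz has to be decompressed before gpg can verify it), and grsecurity published a detached .sig beside each patch. The following is an added example, not code from GFA, that derives the signature URL from each download URL in the table above and verifies the file against a keyring of your choosing. Which keys to trust, and the paxctl and gradm tarballs (which this does not cover), are left to the reader; the keyring path and the VERIFY_FETCH switch are my assumptions.

```bash
#!/bin/bash
# Added example, not part of GFA: verify the kernel tarball and grsecurity patch
# that GFA downloads. kernel.org signs the *uncompressed* tar; grsecurity ships a
# detached .sig next to the patch. The keyring is yours: import the maintainers'
# keys into it first and check their fingerprints out of band.
set -e

# Map a download URL to the URL of its detached signature.
#   .../linux-3.2.61.tar.xz -> .../linux-3.2.61.tar.sign   (kernel.org)
#   .../grsecurity-*.patch  -> .../grsecurity-*.patch.sig  (grsecurity.net)
# Anything else (paxctl, gradm tarballs) is refused rather than guessed.
sig_url_for() {
  case "$1" in
    *.tar.xz) printf '%s.sign\n' "${1%.xz}" ;;
    *.patch)  printf '%s.sig\n' "$1" ;;
    *) echo "sig_url_for: no signature convention known for $1" >&2; return 1 ;;
  esac
}

# The local file gpg must check: the decompressed tar for kernel.org, else the file itself.
signed_file_for() {
  case "$1" in
    *.tar.xz) basename "${1%.xz}" ;;
    *)        basename "$1" ;;
  esac
}

# Download artefact and signature, decompress if needed (keeping the .xz for the
# build), and verify. Fails (set -e) on a bad or missing signature.
fetch_and_verify() {
  url=$1 keyring=$2
  sig_url=$(sig_url_for "$url")
  curl -fsSLO "$url"
  curl -fsSLO "$sig_url"
  case "$url" in *.tar.xz) unxz -kf "$(basename "$url")" ;; esac
  gpg --no-default-keyring --keyring "$keyring" --verify \
      "$(basename "$sig_url")" "$(signed_file_for "$url")"
}

# Usage: VERIFY_FETCH=1 ./verify-sources.sh ./upstream.gpg URL...   (needs network)
if [ "${VERIFY_FETCH:-0}" = 1 ]; then
  keyring=$1; shift
  for u; do fetch_and_verify "$u" "$keyring"; done
fi
```

Run this against the KERNEL URL and GRSEC URL from the run summary before the build step, in the build root, so the verified files are the ones that get patched. A failed verification leaves the downloaded files in place for inspection but stops the script, which is the behaviour you want in a build pipeline.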


GRSec Full Automation by Bryan Andrews is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.