Grsec on CentOS6

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Post by melco » Thu Aug 18, 2011 9:11 am

Hi
I've tried to harden CentOS even more and enhance it with a grsec-patched kernel.
I've got 2.6.32.45 and applied grsecurity-2.2.2-2.6.32.45-201108172006.patch
Config here
Problems:
1. gradm doesn't work (posted question here)
2. On boot without the "selinux=0" kernel option, boot fails. Screenshot of KVM machine:
Image
melco
 
Posts: 10
Joined: Thu Aug 18, 2011 8:44 am

Re: Grsec on CentOS6

Post by spender » Thu Aug 18, 2011 9:37 am

It looks like you'll have to enable the sysctl option and then turn the chroot options on at runtime, as your initrd for some reason wants to mount filesystems within a chroot.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Grsec on CentOS6

Post by melco » Thu Aug 18, 2011 10:09 am

What is the right way?
1. Recompile the kernel with the sysctl option for grsec.
2. Enable all features of grsec after the boot process via sysctl?
melco
 
Posts: 10
Joined: Thu Aug 18, 2011 8:44 am

Re: Grsec on CentOS6

Post by melco » Thu Aug 18, 2011 10:17 am

I'm also wondering if it is too much work to make grsec-enabled kernels for major distributions like RHEL/CentOS or Debian/Ubuntu in the form of (S)RPM/deb respectively?
Is it hard to combine grsec with, say, a RedHat-patched kernel? I think it would be great to have such an option.
melco
 
Posts: 10
Joined: Thu Aug 18, 2011 8:44 am

Re: Grsec on CentOS6

Post by melco » Fri Aug 19, 2011 3:22 am

I've managed to boot the system with SELinux enabled by enabling sysctl support for grsec. Looks fine. At least now.
melco
 
Posts: 10
Joined: Thu Aug 18, 2011 8:44 am

Re: Grsec on CentOS6

Post by melco » Mon Sep 05, 2011 7:22 am

Faced a problem. Last night the server was rebooted. The last messages, and the only interesting ones:
Sep  4 03:38:01 2baksa kernel: PAX: From 66.249.66.51: execution attempt in: (null), 00000000-00000000 00000000
Sep  4 03:38:01 2baksa kernel: PAX: terminating task: /usr/sbin/httpd(httpd):12947, uid/euid: 48/48, PC: 00006aea25ddcaa0, SP: 000077a3439ee338
Sep  4 03:38:01 2baksa kernel: PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
Sep  4 03:38:01 2baksa kernel: PAX: bytes at SP-8: 00000bbf6975ef80 00006aea2ed2fa20 0000000000000000 0000000000000000 0000000000000000 00000bbf00000002 0000000000000000 000000000000000b c08e69804da8f602 00000bbf69867490 00000bbf698d8ec0
Sep  4 03:38:01 2baksa kernel: PAX: From 66.249.66.242: execution attempt in: (null), 00000000-00000000 00000000
Sep  4 03:38:01 2baksa kernel: PAX: terminating task: /usr/sbin/httpd(httpd):10619, uid/euid: 48/48, PC: 00006aea25ddcaa0, SP: 000077a3439eea78
Sep  4 03:38:01 2baksa kernel: PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
Sep  4 03:38:01 2baksa kernel: PAX: bytes at SP-8: 00000bbf6975ef80 00006aea2ed2fa20 0000000000000000 0000000000000000 0000000000000000 00000bbf00000002 0000000000000000 000000000000000b c08e69804da8f602 00000bbf69867490 00000bbf698d8ec0
Sep  4 03:38:02 2baksa rsyslogd: [origin software="rsyslogd" swVersion="4.6.2" x-pid="1349" x-info="http://www.rsyslog.com"] rsyslogd was HUPed, type 'restart'.
Sep  4 03:38:02 2baksa kernel: Kernel logging (proc) stopped.

Could it be that the grsec patch forced the server to be rebooted? Where should I start looking for the cause of the reboot?

Thanks a lot!
melco
 
Posts: 10
Joined: Thu Aug 18, 2011 8:44 am
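
An added example, not part of the original thread: a Python parser that pairs the PaX "execution attempt", "terminating task" and "bytes at PC" lines quoted in the post above into one record per killed task, so repeated faults at the same PC can be counted during triage. The function names are hypothetical, the sample lines are copied from the post's log excerpt, and the code assumes the lines of one report are adjacent in the log.

```python
import re
from collections import Counter

# Lines copied from the log excerpt in the post above (the long SP-8 dumps are left out).
SAMPLE_LOG = """\
Sep  4 03:38:01 2baksa kernel: PAX: From 66.249.66.51: execution attempt in: (null), 00000000-00000000 00000000
Sep  4 03:38:01 2baksa kernel: PAX: terminating task: /usr/sbin/httpd(httpd):12947, uid/euid: 48/48, PC: 00006aea25ddcaa0, SP: 000077a3439ee338
Sep  4 03:38:01 2baksa kernel: PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
Sep  4 03:38:01 2baksa kernel: PAX: From 66.249.66.242: execution attempt in: (null), 00000000-00000000 00000000
Sep  4 03:38:01 2baksa kernel: PAX: terminating task: /usr/sbin/httpd(httpd):10619, uid/euid: 48/48, PC: 00006aea25ddcaa0, SP: 000077a3439eea78
Sep  4 03:38:01 2baksa kernel: PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
"""

ATTEMPT = re.compile(r"PAX: (?:From (?P<src>\S+): )?execution attempt in: (?P<mapping>.+), "
                     r"(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+) [0-9a-f]+\s*$")
TERM = re.compile(r"PAX: terminating task: (?P<path>.+)\((?P<comm>[^)]*)\):(?P<pid>\d+), "
                  r"uid/euid: (?P<uid>\d+)/(?P<euid>\d+), PC: (?P<pc>[0-9a-f]+), SP: (?P<sp>[0-9a-f]+)")
BYTES_PC = re.compile(r"PAX: bytes at PC: (?P<bytes>.*)$")

def parse_pax_events(text):
    """Return one dict per terminated task (hypothetical helper; assumes the
    lines of one report are adjacent, concurrent reports may interleave)."""
    events, pending = [], {}
    for line in text.splitlines():
        if m := ATTEMPT.search(line):
            pending = {"src": m["src"], "mapping": m["mapping"],
                       "range": (int(m["start"], 16), int(m["end"], 16))}
        elif m := TERM.search(line):
            ev = {"src": None, "mapping": None, "range": None, **pending,
                  "path": m["path"], "pid": int(m["pid"]), "uid": int(m["uid"]),
                  "pc": int(m["pc"], 16), "sp": int(m["sp"], 16), "pc_unreadable": None}
            events.append(ev)
            pending = {}
        elif (m := BYTES_PC.search(line)) and events:
            # "??" is printed for each byte the kernel could not read at PC.
            toks = m["bytes"].split()
            events[-1]["pc_unreadable"] = bool(toks) and all(t == "??" for t in toks)
    return events

def summarize(events):
    """Count terminations per (binary, PC) so repeated faults at one address stand out."""
    return Counter((e["path"], hex(e["pc"])) for e in events)

if __name__ == "__main__":
    for (path, pc), n in summarize(parse_pax_events(SAMPLE_LOG)).items():
        print(f"{path} PC={pc} terminations={n}")
```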
