Installing a grsec-patched kernel on a CentOS 5 or RHEL 5 server
Here’s my little guide for upgrading a CentOS server to a grsec-patched kernel. At the time of this writing, this was the latest stable grsec patch available.
Fetch the sources:
wget http://kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.5.tar.bz2
wget http://grsec.linux-kernel.at/grsecurity-2.1.11-2.6.24.5-200804211829.patch.gz
Extract:
tar xjf linux-2.6.24.5.tar.bz2
gzip -d grsecurity-2.1.11-2.6.24.5-200804211829.patch.gz
Patch the kernel:
patch -p0 < grsecurity-2.1.11-2.6.24.5-200804211829.patch
cd linux-2.6.24.5 && make clean && make mrproper
Copy the previous kernel config to use:
cp /boot/config-`uname -r` .config
Edit your kernel:
make menuconfig
Here are a few of the things I disable (there’s a lot more I could do, but I find the more restrictive I am, the less well things work):
Networking > Amateur Radio support
Networking > IrDA (infrared) support
Networking > Bluetooth subsystem support
Networking > Wireless
Device Drivers > ISDN support
Device Drivers > Telephony support
Device Drivers > Multimedia devices
Device Drivers > Sound
Also, don’t forget to configure the Grsecurity option under Security Options.
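To check the result before compiling, this added example (not part of the original guide) audits the saved .config for the subsystems listed above and for grsecurity. The CONFIG_ symbol names are an assumed mapping of those menu entries; Wireless and Multimedia devices are left out because they are spread across several symbols.

```sh
#!/bin/sh
# Added example: audit a kernel .config after `make menuconfig`.
# The CONFIG_ names are an assumed mapping of the menu entries in the guide.
DISABLE="HAMRADIO IRDA BT ISDN PHONE SOUND"

# Print the value of CONFIG_<$2> in file $1, or "n" when it is unset
# ("# CONFIG_X is not set" and a missing line both count as unset).
kconfig_state() {
    local line
    line=$(grep -E "^CONFIG_$2=" "$1" | tail -n 1)
    if [ -n "$line" ]; then echo "${line#*=}"; else echo n; fi
}

# Return 0 only when every listed subsystem is off and grsecurity is =y.
audit_kconfig() {
    local cfg="$1" bad=0 sym state
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    for sym in $DISABLE; do
        state=$(kconfig_state "$cfg" "$sym")
        if [ "$state" != n ]; then
            echo "still enabled: CONFIG_$sym=$state"
            bad=1
        fi
    done
    if [ "$(kconfig_state "$cfg" GRKERNSEC)" != y ]; then
        echo "grsecurity not enabled: CONFIG_GRKERNSEC is not y"
        bad=1
    fi
    return "$bad"
}

# Constructed sample (not a real config): Bluetooth was left as a module.
write_sample_config() {
    cat > "$1" <<'EOF'
# CONFIG_HAMRADIO is not set
# CONFIG_IRDA is not set
CONFIG_BT=m
# CONFIG_ISDN is not set
# CONFIG_SOUND is not set
CONFIG_GRKERNSEC=y
EOF
}

# Usage: sh audit.sh /path/to/.config  (with no argument, audit the sample)
tmp=$(mktemp); write_sample_config "$tmp"
audit_kconfig "${1:-$tmp}" || echo "fix the items above before compiling"
rm -f "$tmp"
```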
Compile your kernel and install it:
make && make modules && make modules_install && make install
Make sure the modules will load OK by regenerating the module dependency list for the new kernel:
depmod 2.6.24.5-grsec
Edit /boot/grub/menu.lst with your text editor of choice and add in your kernel:
$EDITOR /boot/grub/menu.lst
Lastly, you reboot:
shutdown -r now




