Tedi Heriyanto
19 January 2004
Make sure you have downloaded the following software:
Get the patch grsecurity-1.9.13-2.4.23.patch from www.grsecurity.net.
Extract the Linux kernel you downloaded into the directory /usr/src/.
The following command extracts the Linux kernel into /usr/src; here the kernel archive is in /home/tedi/software/kernel/:
# tar xvjpf /home/tedi/software/kernel/linux-2.4.24.tar.bz2 -C /usr/src/
If it succeeds, a directory /usr/src/linux-2.4.24 will be created.
Rename that directory to linux-2.4.23 so that we can apply the grsecurity patch that was made for 2.4.23.
Then apply the grsecurity patch. Note that I keep the grsecurity patch file in my home directory; adjust the path to your own setup:
# patch -d /usr/src/linux-2.4.23 -p1 < /home/tedi/grsecurity-1.9.13-2.4.23.patch
Once the patch has applied without errors, we can configure the kernel. First, however, rename the linux-2.4.23 directory back to linux-2.4.24 and create a symbolic link. (We are assumed to be working in /usr/src.)
# mv linux-2.4.23 linux-2.4.24
# ln -s linux-2.4.24 linux
The kernel can be configured by running one of the commands below. Make sure you are root and are in the directory /usr/src/linux:
# make menuconfig
or
# make config
or
# make xconfig
Configure the kernel according to your needs.
Below I include the kernel configuration for my machine. You can also download it from http://www.tedi-h.com/download/kernel.config.
#
# Automatically generated by make menuconfig: don't edit
#
CONFIG_X86=y
CONFIG_UID16=y

#
# Loadable module support
#
CONFIG_MODULES=y
CONFIG_MODVERSIONS=y
CONFIG_KMOD=y

#
# Processor type and features
#
CONFIG_MPENTIUMIII=y
CONFIG_X86_WP_WORKS_OK=y
CONFIG_X86_INVLPG=y
CONFIG_X86_CMPXCHG=y
CONFIG_X86_XADD=y
CONFIG_X86_BSWAP=y
CONFIG_X86_POPAD_OK=y
CONFIG_RWSEM_XCHGADD_ALGORITHM=y
CONFIG_X86_L1_CACHE_SHIFT=5
CONFIG_X86_ALIGNMENT_16=y
CONFIG_X86_HAS_TSC=y
CONFIG_X86_GOOD_APIC=y
CONFIG_X86_PGE=y
CONFIG_X86_USE_PPRO_CHECKSUM=y
CONFIG_X86_F00F_WORKS_OK=y
CONFIG_X86_MCE=y
CONFIG_NOHIGHMEM=y
CONFIG_X86_TSC=y

#
# General setup
#
CONFIG_NET=y
CONFIG_PCI=y
CONFIG_PCI_GOANY=y
CONFIG_PCI_BIOS=y
CONFIG_PCI_DIRECT=y
CONFIG_ISA=y
CONFIG_PCI_NAMES=y
CONFIG_HOTPLUG=y

#
# PCI Hotplug Support
#
CONFIG_SYSVIPC=y
CONFIG_BSD_PROCESS_ACCT=y
CONFIG_SYSCTL=y
CONFIG_KCORE_ELF=y
CONFIG_BINFMT_AOUT=y
CONFIG_BINFMT_ELF=y
CONFIG_BINFMT_MISC=y
CONFIG_PM=y
CONFIG_APM=y

#
# Plug and Play configuration
#
CONFIG_PNP=y

#
# Block devices
#
CONFIG_BLK_DEV_FD=y
CONFIG_BLK_DEV_LOOP=y

#
# Networking options
#
CONFIG_PACKET=y
CONFIG_NETFILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y

#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_STEALTH=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_NAT_LOCAL=y
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m

#
# ATA/IDE/MFM/RLL support
#
CONFIG_IDE=y

#
# IDE, ATA and ATAPI Block devices
#
CONFIG_BLK_DEV_IDE=y
CONFIG_BLK_DEV_IDEDISK=y
CONFIG_IDEDISK_MULTI_MODE=y
CONFIG_BLK_DEV_IDECD=y
CONFIG_BLK_DEV_IDESCSI=m
CONFIG_BLK_DEV_CMD640=y
CONFIG_BLK_DEV_IDEPCI=y
CONFIG_IDEPCI_SHARE_IRQ=y
CONFIG_BLK_DEV_IDEDMA_PCI=y
CONFIG_IDEDMA_PCI_AUTO=y
CONFIG_BLK_DEV_IDEDMA=y
CONFIG_BLK_DEV_PIIX=y
CONFIG_BLK_DEV_RZ1000=y
CONFIG_IDEDMA_AUTO=y
CONFIG_BLK_DEV_IDE_MODES=y

#
# SCSI support
#
CONFIG_SCSI=y
CONFIG_BLK_DEV_SD=y
CONFIG_SD_EXTRA_DEVS=40
CONFIG_BLK_DEV_SR=m
CONFIG_SR_EXTRA_DEVS=2
CONFIG_CHR_DEV_SG=m
CONFIG_SCSI_DEBUG_QUEUES=y
CONFIG_SCSI_MULTI_LUN=y
CONFIG_SCSI_CONSTANTS=y

#
# SCSI low-level drivers
#
CONFIG_SCSI_SYM53C8XX=y
CONFIG_SCSI_NCR53C8XX_DEFAULT_TAGS=4
CONFIG_SCSI_NCR53C8XX_MAX_TAGS=32
CONFIG_SCSI_NCR53C8XX_SYNC=20

#
# Network device support
#
CONFIG_NETDEVICES=y

#
# ARCnet devices
#
CONFIG_DUMMY=m

#
# Ethernet (10 or 100Mbit)
#
CONFIG_NET_ETHERNET=y
CONFIG_NET_VENDOR_3COM=y
CONFIG_VORTEX=m

#
# Character devices
#
CONFIG_VT=y
CONFIG_VT_CONSOLE=y
CONFIG_SERIAL=y
CONFIG_UNIX98_PTYS=y
CONFIG_UNIX98_PTY_COUNT=256

#
# Mice
#
CONFIG_MOUSE=y
CONFIG_PSMOUSE=y

#
# Ftape, the floppy tape device driver
#
CONFIG_AGP=y
CONFIG_AGP_INTEL=y
CONFIG_AGP_I810=y

#
# File systems
#
CONFIG_QUOTA=y
CONFIG_QFMT_V2=y
CONFIG_AUTOFS_FS=y
CONFIG_AUTOFS4_FS=y
CONFIG_EXT3_FS=y
CONFIG_JBD=y
CONFIG_TMPFS=y
CONFIG_RAMFS=y
CONFIG_ISO9660_FS=y
CONFIG_PROC_FS=y
CONFIG_DEVPTS_FS=y
CONFIG_EXT2_FS=y

#
# Network File Systems
#
CONFIG_NFS_FS=y
CONFIG_NFSD=y
CONFIG_SUNRPC=y
CONFIG_LOCKD=y
CONFIG_SMB_FS=m

#
# Partition Types
#
CONFIG_MSDOS_PARTITION=y
CONFIG_SMB_NLS=y
CONFIG_NLS=y

#
# Native Language Support
#
CONFIG_NLS_DEFAULT="iso8859-1"

#
# Console drivers
#
CONFIG_VGA_CONSOLE=y

#
# Sound
#
CONFIG_SOUND=y
CONFIG_SOUND_CMPCI=y
CONFIG_SOUND_CMPCI_FM=y
CONFIG_SOUND_CMPCI_FMIO=388
CONFIG_SOUND_CMPCI_MIDI=y
CONFIG_SOUND_CMPCI_MPUIO=330
CONFIG_SOUND_CMPCI_CM8738=y
CONFIG_SOUND_CMPCI_SPDIFINVERSE=y
CONFIG_SOUND_CMPCI_SPDIFLOOP=y
CONFIG_SOUND_CMPCI_SPEAKERS=2
CONFIG_SOUND_OSS=m

#
# USB support
#
CONFIG_USB=y
CONFIG_USB_DEVICEFS=y
CONFIG_USB_UHCI=m
CONFIG_USB_UHCI_ALT=m
CONFIG_USB_STORAGE=y

#
# Kernel hacking
#
CONFIG_LOG_BUF_SHIFT=0

#
# Cryptographic options
#
CONFIG_CRYPTO=y
CONFIG_CRYPTO_SHA256=y

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_SHA256=y
CONFIG_GRKERNSEC_CUSTOM=y

#
# Address Space Protection
#
CONFIG_GRKERNSEC_PAX_ASLR=y
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y

#
# ACL options
#
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=10
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_GID=1005

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDISN=y
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y

#
# Logging options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
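Added here as an illustration, not part of the original article: a small POSIX sh check that reads a .config and reports which of a given list of grsecurity options are unset or missing, so that an option silently left off in make menuconfig (or a patch that did not apply) is caught before the long build. The .config excerpt and the option list are constructed for the example.

```sh
# Constructed excerpt of a .config (not the author's full listing):
# a few grsecurity options, one of them deliberately left unset.
CONFIG_SAMPLE='#
# Grsecurity
#
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CUSTOM=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
# CONFIG_GRKERNSEC_TPE is not set
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_FLOODTIME=10'

# Boolean options this build is expected to have (constructed list).
GRSEC_WANTED='CONFIG_GRKERNSEC CONFIG_GRKERNSEC_CHROOT CONFIG_GRKERNSEC_TPE
CONFIG_GRKERNSEC_SYSCTL CONFIG_GRKERNSEC_PAX_ASLR'

# Print the value of one option from .config text on stdin: the text after
# "=" for set options, "n" for a "# ... is not set" line, and nothing when
# the option does not appear at all (for example, the patch did not apply).
config_value() {
    awk -v opt="$1" '
        index($0, opt "=") == 1      { print substr($0, length(opt) + 2); exit }
        $0 == "# " opt " is not set" { print "n"; exit }'
}

# Report every option in $2 that is not y or m in the .config text $1.
# Returns 1 if anything is wrong, 0 when all listed options are enabled.
config_require() {
    rc=0
    for opt in $2; do
        val=$(printf '%s\n' "$1" | config_value "$opt")
        case "$val" in
            y|m) ;;
            "")  echo "$opt: not present in .config"; rc=1 ;;
            *)   echo "$opt: set to '$val'"; rc=1 ;;
        esac
    done
    return $rc
}
```

On a real tree run it as config_require "$(cat /usr/src/linux/.config)" "$GRSEC_WANTED" before make dep; a non-zero exit means go back into make menuconfig.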
After configuring, run:
# make dep
# make bzImage modules modules_install
Then copy the file /usr/src/linux/arch/i386/boot/bzImage to /boot/vmlinuz-2.4.24:
# cp /usr/src/linux/arch/i386/boot/bzImage /boot/vmlinuz-2.4.24
Then create the initrd image:
# /sbin/mkinitrd -v -f /boot/initrd-2.4.24.img 2.4.24
Since I use GRUB, I then added the following entry to the file /etc/grub.conf:
title Linux 2.4.24 + grsec
root (hd0,0)
kernel /vmlinuz-2.4.24 ro root=/dev/hda3
initrd /initrd-2.4.24.img
Note:
Kernel panics at boot are often caused by a wrong root setting. The root= parameter on the kernel line must point to the partition where the root filesystem (/) lives, not the partition that holds /boot:
# df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/hda3              4032124    308020   3519276   9% /
...
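Added example, not from the original article: a POSIX sh check for exactly this pitfall, comparing the device mounted on / (taken from df output) with the root= parameter in the grub.conf stanza. The df listing and the stanza below are constructed sample data, laid out like the author's.

```sh
# Constructed sample data (not captured from a real machine):
# a df listing where /boot and / are on different partitions.
DF_SAMPLE='Filesystem 1K-blocks Used Available Use% Mounted on
/dev/hda1 101086 9312 86555 10% /boot
/dev/hda3 4032124 308020 3519276 9% /
tmpfs 127812 0 127812 0% /dev/shm'

# Constructed grub.conf stanza in the same shape as the one above.
GRUB_SAMPLE='title Linux 2.4.24 + grsec
root (hd0,0)
kernel /vmlinuz-2.4.24 ro root=/dev/hda3
initrd /initrd-2.4.24.img'

# Print the device mounted on the given mount point ("/" by default)
# from df-style output on stdin; the header line is skipped.
df_device_for() {
    awk -v mp="${1:-/}" 'NR > 1 && $NF == mp { print $1; exit }'
}

# Print the root= value from the first "kernel" line of a stanza on stdin.
grub_root_param() {
    awk '$1 == "kernel" {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^root=/) { sub(/^root=/, "", $i); print $i; exit }
    }'
}

# Exit 0 when root= in the stanza ($2) matches the device mounted on /
# according to the df output ($1); 1 when they differ (the kernel-panic
# misconfiguration); 2 when either value could not be found.
check_grub_root() {
    real=$(printf '%s\n' "$1" | df_device_for /)
    want=$(printf '%s\n' "$2" | grub_root_param)
    [ -n "$real" ] && [ -n "$want" ] || return 2
    [ "$real" = "$want" ]
}
```

On a live system feed it the real values, e.g. check_grub_root "$(df)" "$(cat /etc/grub.conf)"; with several stanzas in the file, only the first kernel line is checked.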