Securing and Optimizing Linux: RedHat Edition - A Hands on Guide
Chapter 7. Configuring and Building a Secure, Optimized Kernel
The secure Linux kernel patches from the Openwall Project are a great way to prevent attacks such as stack buffer overflows, among others. The Openwall patch is a collection of security-related features for the Linux kernel, all configurable via the new Security options configuration section that the patch adds to your kernel configuration. The patch changes from version to version, and some versions also contain other security fixes.
New features of patch version linux-2_2_14-ow2_tar.gz are:
Non-executable user stack area
Restricted links in /tmp
Restricted FIFOs in /tmp
Special handling of fd 0, 1, and 2
Enforce RLIMIT_NPROC on execve(2)
Destroy shared memory segments not in use
When applying the linux-2_2_14-ow2 patch, a new Security options section is added at the end of your kernel configuration. For more information on, and descriptions of, the different features available with this patch, see the README file that comes with the source code of the patch.
Applying the patch
[root@deep] /# cp linux-2_2_14-ow2_tar.gz /usr/src/
[root@deep] /# cd /usr/src/
[root@deep] /src# tar xzpf linux-2_2_14-ow2_tar.gz
[root@deep] /src# cd linux-2.2.14-ow2/
[root@deep] /linux-2.2.14-ow2# mv linux-2.2.14-ow2.diff /usr/src/
[root@deep] /linux-2.2.14-ow2# cd ..
[root@deep] /src# patch -p0 < linux-2.2.14-ow2.diff
[root@deep] /src# rm -rf linux-2.2.14-ow2
[root@deep] /src# rm -f linux-2.2.14-ow2.diff
[root@deep] /src# rm -f linux-2_2_14-ow2_tar.gz
All security messages related to the linux-2.2.14-ow2 patch, such as those from the non-executable stack feature, should be logged to the log file /var/log/messages.
Patching your new kernel is now complete. Follow the rest of this installation to build the Linux kernel and reboot.