|Securing and Optimizing Linux: RedHat Edition -A Hands on Guide
|Chapter 7. Configuring and Building a Secure, Optimized Kernel
Security options. Security options will appear only if you have patched your kernel with the Openwall Project patch.
Non-executable user stack area (CONFIG_SECURE_STACK) Y Autodetect and emulate GCC trampolines (CONFIG_SECURE_STACK_SMART) Y Restricted links in /tmp (CONFIG_SECURE_LINK) Y Restricted FIFOs in /tmp (CONFIG_SECURE_FIFO) Y Restricted /proc (CONFIG_SECURE_PROC) N Y Special handling of fd 0, 1, and 2 (CONFIG_SECURE_FD_0_1_2) Y Enforce RLIMIT_NPROC on execve(2) (CONFIG_SECURE_RLIMIT_NPROC) Y Destroy shared memory segments not in use (CONFIG_SECURE_SHM) N Y
Magic SysRq key (CONFIG_MAGIC_SYSRQ) N/y/?
Now, return to the /usr/src/linux/ directory, if you are not already in it. You need to compile the new kernel. You do so by using the following command:
[root@deep ] /linux# make dep; make clean; make bzImage
The first one, make dep, actually takes your configuration and builds the corresponding dependency tree. This process determines what gets compiled and what doesn't.
The next step, make clean, erase all previous traces of a compilation so as to avoid any mistakes in which version of a feature gets tied into the kernel.
Finally, make bzImage does the full compilation of the kernel.
After the process is complete, the kernel is compressed and ready to be installed on your system. Before we can install the new kernel, we must know if we need to compile the corresponding modules. This is required only if you said Yes to Enable loadable module support CONFIG_MODULES and have compiled some options in the kernel configuration above as a module. In this case, you must execute the following commands:
[root@deep ] /linux#make modules [root@deep ] /linux#make modules_install
: The make modules and make modules_install commands are required only if you say Yes to Enable loadable module support CONFIG_MODULES in your kernel configuration above.