@robjens
Last active December 18, 2021 01:50
Grsec Arch Long Term Support Hacking

ArchLinux linux-grsec-lts

Prerequisites

Up-to-date OS

Always ensure you have the latest set of software (Arch is a rolling release system in case you didn’t know).

# In my case, /boot must be remounted rw first; otherwise the linux package update fails because the ro mount blocks writes to that partition
sudo pacman -Syy
sudo pacman -Syu
GPG

GnuPG is required to import and verify the keys of the upstream developers (Linus Torvalds and others) who sign the kernel sources and the grsecurity patch. Arch only manages its own internal keys (used to verify its own packages' sources), so these upstream keys are not present and you will need to verify and add them manually.

Note
These keys may change at some point, I have no idea, so check this first
gpg --keyserver pgp.mit.edu --recv-keys 44D1C0F82525FE49
gpg --keyserver pgp.mit.edu --recv-keys 38DBBDC86092693E
gpg --keyserver pgp.mit.edu --recv-keys 79BE3E4300411886

The response may look like this:

% gpg --keyserver pgp.mit.edu --recv-keys 44D1C0F82525FE49
gpg: key 2525FE49: public key "Bradley Spengler (spender) <spender@grsecurity.net>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
% gpg --keyserver pgp.mit.edu --recv-keys 38DBBDC86092693E
gpg: key 6092693E: public key "Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
% gpg --keyserver pgp.mit.edu --recv-keys 79BE3E4300411886
gpg: key 00411886: public key "Linus Torvalds <torvalds@linux-foundation.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
Package Manager

Personally I use packer, but you could also download the PKGBUILD and tarball manually and run makepkg over it. Just make sure you have enough space (I’d say a gig or so to be safe) to compile the kernel. Nowadays I build in either /home/user/build or /var/tmp/makepkg. You are free to use any other path of course (/etc/makepkg.conf); just make sure you have the proper permissions (/etc/fstab, among others).

packer -S linux-grsec-lts linux-grsec-lts-headers
# Y to proceed
# Press Y to edit the script
  1. remove the i686 arch options

  2. remove the commented make nconfig # new CLI menu for configuration

  3. exit vim/emacs/nano/ed/pico/whatevah

You should see something along the lines of:

==> Verifying source file signatures with gpg...
    linux-3.14.tar ... Passed
    patch-3.14.42 ... Passed
    grsecurity-3.1-3.14.42-201505141745.patch ... Passed

Now for some kernel hacking. But first, it helps to realize what we are building for. The target machine is a headless virtual private server (unmanaged, obviously), which also means the provider won’t do jack-squat to stop anyone from attacking you. Our provider doesn’t put the box online when we create the account, and tty1 can be reached through their web interface. Actually, it MUST work that way, because this is Arch and nothing was running or set up yet. But past this point, once you do put up public networking, e.g. for hosting a site on port 80, and set up remote SSH on port 22 (I know you can change this), the brute-force attacks start coming in. How to banish those is out of scope, but it illustrates that hardening is not an insanely paranoid thing to do.

As a result of being a headless VPS, we get to disable fun stuff in the custom kernel such as USB or display support, and sound is not needed either. This allows for a much slicker, thinner, more bad-ass kernel trimmed down for this specific configuration.

We have a fairly new virtual machine with no desire to support ancient hardware. It also has an Intel virtual CPU, so any AMD support can be removed too. A whole bunch of security algorithms aren’t used, and the same goes for file systems or specific brands of hardware. No wireless network, infrared or radio signal support is needed either.

 (-grsec-lts-{optional_custom_name}) Local version - append to kernel release (1)
[*] Enable system-call auditing support (2)
    Kernel compression mode (Gzip)  (3)
-*- Enable the block layer --> partition types  (4)
Processor type and features  --->
    Processor family (Core 2/newer Xeon)  --->
 [ ] Old AMD GART IOMMU support
 [ ] IBM Calgary IOMMU support
 [ ]   AMD MCE features
< > Dell laptop support
< > CPU microcode loading support
< > /dev/cpu/*/msr - Model-specific register support
< > /dev/cpu/*/cpuid - CPU information support
[ ] Old style AMD Opteron NUMA detection

 Bus options (PCI etc.)  --->
< > RapidIO support
< >   PCI Stub driver
< > PCCard (PCMCIA/CardBus) support

-*- Networking support  --->
[ ]   Amateur Radio support
< >   IrDA (infrared) subsystem support
< >   Bluetooth subsystem support
--- Wireless
  < >   cfg80211 - wireless configuration API
< >   WiMAX Wireless Broadband support
< >   RF switch subsystem support
< >   Plan 9 Resource Sharing Support (9P2000)
< >   CAIF support
< >   NFC subsystem support

Generic Driver Options
< > Serial ATA and Parallel ATA drivers
< > Parallel port support
[ ] Macintosh device drivers
[ ] Fusion MPT device support

A bunch of Character devices
Hardware Monitoring support
Generic Thermal sysfs driver (almost all except user-space)
Multimedia support

# We want xvfb support... hmm now which one..
[*]   Intel GMA3600/3650 support (Experimental)
<*> DRM Support for bochs dispi vga interface (qemu stdvga)
[*] Bootup logo

# there we go
Support for frame buffer devices
[*]   Enable firmware EDID
<*>   VGA 16-color graphics support
<M>   Userspace VESA VGA graphics support
[*]   VESA VGA graphics support
[*]   EFI-based Framebuffer Support

#hmmmmm
<*>   Virtual Frame Buffer support (ONLY FOR TESTING!)

Console display driver support (select all)

< > Sound card support
HID support
[ ] USB support
 < > Ultra Wideband devices
 < > MMC/SD/SDIO card support

And a whole bunch more...

1) Change the name to e.g. -grsec-lts-custom or similar to mark this as a custom kernel
2) Security auditing is a good thing and our tools check for this
3) Don’t change this to e.g. xz; you have nothing to gain there, myths and legends
4) Disable all you do not need, quite a few probably
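As an added check, not part of the gist: a small POSIX shell script that audits a finished .config against the choices made above (system-call auditing on, gzip compression, the headless-VPS subsystems off, a custom local version suffix). The symbol lists and the sample .config are my own assumptions; the Kconfig names are the standard ones behind these menu entries.

```shell
#!/bin/sh
# Added example, not part of the gist: audit a kernel .config against the
# headless-VPS choices made in the menu walk above. Symbol lists are mine.
# Options the walkthrough turns on (system-call auditing, gzip compression).
WANT_ON="CONFIG_AUDIT CONFIG_AUDITSYSCALL CONFIG_KERNEL_GZIP"
# Subsystems a headless VPS has no use for: USB, sound, wireless, Bluetooth,
# IrDA, amateur radio, PCMCIA, rfkill, NFC, parallel port.
WANT_OFF="CONFIG_USB_SUPPORT CONFIG_SOUND CONFIG_WIRELESS CONFIG_CFG80211
CONFIG_BT CONFIG_IRDA CONFIG_HAMRADIO CONFIG_PCCARD CONFIG_RFKILL CONFIG_NFC
CONFIG_PARPORT"

# is_set FILE SYMBOL: true when SYMBOL is built in (=y) or as a module (=m).
is_set() {
    grep -Eq "^${2}=(y|m)\$" "$1"
}

# check_config FILE: print one line per deviation; exit status is the count.
check_config() {
    cfg="$1"; bad=0
    for sym in $WANT_ON; do
        is_set "$cfg" "$sym" || { echo "MISSING: $sym should be enabled"; bad=$((bad + 1)); }
    done
    for sym in $WANT_OFF; do
        ! is_set "$cfg" "$sym" || { echo "EXTRA: $sym not needed on a headless VPS"; bad=$((bad + 1)); }
    done
    # The local version must carry a custom suffix so the build is recognisable.
    grep -Eq '^CONFIG_LOCALVERSION="-grsec-lts-[A-Za-z0-9_.-]+"$' "$cfg" \
        || { echo "MISSING: CONFIG_LOCALVERSION lacks a -grsec-lts-<name> suffix"; bad=$((bad + 1)); }
    return "$bad"
}

# Constructed sample .config: audit and gzip set, but USB and sound left on.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_LOCALVERSION="-grsec-lts-custom"
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_KERNEL_GZIP=y
# CONFIG_WIRELESS is not set
CONFIG_USB_SUPPORT=y
CONFIG_SOUND=m
EOF
}

tmp=$(mktemp)
write_sample_config "$tmp"
check_config "$tmp" || echo "$? deviation(s) found"   # prints 2 for the sample
rm -f "$tmp"
```

Run it against the real file with `check_config /path/to/.config` before invoking makepkg; a non-zero exit status is the number of deviations.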
