Securing-Optimizing-RH-Linux-1_2_80
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
Page 80

· Edit the Makefile file (vi +19 /usr/src/linux/Makefile) and change the line:

HOSTCFLAGS = -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer

To read:

HOSTCFLAGS = -Wall -Wstrict-prototypes -O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions

This turns on aggressive optimization tricks that may or may not work with all kernels. If the optimization flags above, or the ones you have chosen for your CPU architecture, don't work for you, don't try to force them to work at all costs. I don't want your system to become as unstable as Microsoft Windows.

Securing the kernel

The secure Linux kernel patches from the Openwall Project are a great way to prevent attacks like stack buffer overflows and others. The Openwall patch is a collection of security-related features for the Linux kernel, all configurable via the new "Security options" configuration section that will be added to your new Linux kernel. The features may change from version to version of this patch, and some versions may contain various security fixes. New features of patch version linux-2_2_14-ow2_tar.gz are:

Non-executable user stack area
Restricted links in /tmp
Restricted FIFOs in /tmp
Restricted /proc
Special handling of fd 0, 1, and 2
Enforce RLIMIT_NPROC on execve(2)
Destroy shared memory segments not in use

NOTE: When applying the linux-2_2_14-ow2 patch, a new "Security options" section will be added at the end of your kernel configuration. For more information and a description of the different features available with this patch, see the README file that comes with the source code of the patch.
Applying the patch

[root@deep /]# cp linux-2_2_14-ow2_tar.gz /usr/src/
[root@deep src]# cd /usr/src/
[root@deep src]# tar xzpf linux-2_2_14-ow2_tar.gz
[root@deep src]# cd linux-2.2.14-ow2/
[root@deep linux-2.2.14-ow2]# mv linux-2.2.14-ow2.diff /usr/src/
[root@deep linux-2.2.14-ow2]# cd ..
[root@deep src]# patch -p0 < linux-2.2.14-ow2.diff
[root@deep src]# rm -rf linux-2.2.14-ow2
[root@deep src]# rm -f linux-2.2.14-ow2.diff
[root@deep src]# rm -f linux-2_2_14-ow2_tar.gz

First we copy the program archive to the "/usr/src" directory, then we move to the "/usr/src" directory and decompress the linux-2_2_14-ow2_tar.gz archive. We move into the newly uncompressed patch directory, move the file linux-2.2.14-ow2.diff containing the patch to "/usr/src", return to "/usr/src" and patch our kernel with the file linux-2.2.14-ow2.diff. Afterwards, we remove all files related to the patch.

NOTE: All security messages generated by the linux-2.2.14-ow2 patch, such as those from the non-executable stack part, should be logged to the log file "/var/log/messages".

The step of patching your new kernel is completed. Now follow the rest of this installation to build the Linux kernel and reboot.
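To see what `patch -p0 < linux-2.2.14-ow2.diff` does to the tree under /usr/src, and why a diff refuses to apply a second time, here is a small unified-diff applier in Python. It is an added example, not code from this book or from the Openwall Project. The Makefile contents, the diff text, the path "linux/Makefile" and the hypothetical helpers `apply_diff`, `dry_run` and `strip_path` are constructed for illustration; the diff is laid out the way the book's `patch -p0` from /usr/src implies (paths beginning with "linux/") and makes the HOSTCFLAGS change described at the top of this page. The `dry_run` helper plays the role of `patch --dry-run`, the check worth running before touching a kernel tree, and the example also shows how a wrong -p level is reported.

```python
import re
from typing import Dict, List, Tuple

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

# Constructed stand-in for /usr/src/linux/Makefile, holding the HOSTCFLAGS line
# the book edits. Not the real file, which is far longer.
SAMPLE_TREE: Dict[str, str] = {
    "linux/Makefile": (
        "VERSION = 2\nPATCHLEVEL = 2\nSUBLEVEL = 14\nEXTRAVERSION =\nHOSTCC = gcc\n"
        "HOSTCFLAGS = -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer\n"
        "CROSS_COMPILE =\n"
    )
}

# Constructed diff laid out like the Openwall one (paths begin with "linux/",
# hence `patch -p0` from /usr/src). It makes the book's HOSTCFLAGS change.
SAMPLE_DIFF = (
    "--- linux/Makefile\tThu Jan  1 00:00:00 1970\n"
    "+++ linux/Makefile\tThu Jan  1 00:00:01 1970\n"
    "@@ -4,4 +4,4 @@\n"
    " EXTRAVERSION =\n"
    " HOSTCC = gcc\n"
    "-HOSTCFLAGS = -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer\n"
    "+HOSTCFLAGS = -Wall -Wstrict-prototypes -O9 -funroll-loops -ffast-math"
    " -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer"
    " -fno-exceptions\n"
    " CROSS_COMPILE =\n"
)


def strip_path(path: str, strip: int) -> str:
    """Emulate patch's -pN: drop the first N slash-separated path components."""
    parts = path.split("/")
    if strip >= len(parts):
        raise ValueError(f"-p{strip} strips the whole path {path!r}")
    return "/".join(parts[strip:])


def parse_unified_diff(text: str) -> List[Tuple[str, str, List[Tuple[int, List[str]]]]]:
    """Return [(old_path, new_path, [(old_start, hunk_lines), ...]), ...].

    Hunk bodies are delimited by the line counts in the @@ header, which is how
    patch itself knows where a hunk ends. Blank context lines that a mailer
    stripped to "" are tolerated.
    """
    files: List[Tuple[str, str, List[Tuple[int, List[str]]]]] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("--- ") and i + 1 < len(lines) and lines[i + 1].startswith("+++ "):
            old = line[4:].split("\t")[0]          # strip the timestamp after the tab
            new = lines[i + 1][4:].split("\t")[0]
            files.append((old, new, []))
            i += 2
            continue
        m = HUNK_RE.match(line)
        if m and files:
            old_start = int(m.group(1))
            old_left = int(m.group(2)) if m.group(2) is not None else 1
            new_left = int(m.group(4)) if m.group(4) is not None else 1
            body: List[str] = []
            i += 1
            while (old_left > 0 or new_left > 0) and i < len(lines):
                raw = lines[i] or " "              # "" -> empty context line
                i += 1
                tag = raw[0]
                if tag == "\\":                    # "\ No newline at end of file"
                    continue
                if tag not in " -+":
                    raise ValueError(f"malformed hunk line {raw!r}")
                old_left -= tag in " -"
                new_left -= tag in " +"
                body.append(raw)
            files[-1][2].append((old_start, body))
            continue
        i += 1
    return files


def apply_hunk(src: List[str], old_start: int, body: List[str]) -> List[str]:
    """Apply one hunk at the line its header names.

    Context (" ") and deletion ("-") lines must match the file exactly; this is
    the check that makes patch reject a diff that was already applied or that
    was produced against a different kernel version.
    """
    idx = max(old_start - 1, 0)                    # header line numbers are 1-based
    out = src[:idx]
    for raw in body:
        tag, content = raw[0], raw[1:]
        if tag in " -":
            found = src[idx] if idx < len(src) else None
            if found != content:
                raise ValueError(f"hunk context mismatch at line {idx + 1}: "
                                 f"expected {content!r}, found {found!r}")
            if tag == " ":
                out.append(content)
            idx += 1
        else:                                      # "+": inserted line
            out.append(content)
    out.extend(src[idx:])
    return out


def apply_diff(tree: Dict[str, str], diff_text: str, strip: int = 0) -> Dict[str, str]:
    """Apply a unified diff to an in-memory tree {path: contents}; returns a new tree."""
    new_tree = dict(tree)
    for old, new, hunks in parse_unified_diff(diff_text):
        if old == "/dev/null":                     # file created by the diff
            target, src = strip_path(new, strip), []
        else:
            target = strip_path(old, strip)
            if target not in new_tree:
                raise FileNotFoundError(f"{target}: no such file in tree (wrong -p level or directory?)")
            src = new_tree[target].splitlines()
        # Hunk line numbers refer to the unpatched file, so applying from the
        # last hunk upwards keeps every earlier hunk's numbers valid.
        for old_start, body in sorted(hunks, key=lambda h: h[0], reverse=True):
            src = apply_hunk(src, old_start, body)
        new_tree[target] = "".join(line + "\n" for line in src)
    return new_tree


def dry_run(tree: Dict[str, str], diff_text: str, strip: int = 0) -> str:
    """The equivalent of `patch --dry-run`: report whether the diff would apply."""
    try:
        apply_diff(tree, diff_text, strip)
    except (ValueError, FileNotFoundError) as exc:
        return f"FAILED: {exc}"
    return "OK"
```

Calling `dry_run(SAMPLE_TREE, SAMPLE_DIFF, 0)` returns "OK" and `apply_diff` yields a Makefile whose sixth line carries the -O9 flags; running the same diff against the patched tree fails with a context mismatch at line 6, which is what a real `patch` reports as a reversed or previously applied patch, and using -p1 instead of -p0 fails because "Makefile" is not found at the top of the tree. Both failures are the ones to look for before rebuilding a kernel.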