Building bastard Linux kernels

trm

It's been a few years since I've had the need to build a specifically hardened box (ergo minimal kernel) so I've been spending many of the recent weekends/weekday nights getting this sorted. I've finally found a set of glibc, kernel and userspace tools which all seem compatible and have no known security holes and have finally got the box built.

And now I've got all the crap out of the way, it's time to run some automatic vulnerability checkers against it as well as fuzzing the networking stack. Neverending process!

Anyway, that is all. I just wanted to get that off my chest.

By the way, if anybody has recommendations for any security scanner tools or fuzzers then I'd receive them very welcomely!

cheers

tim
 

cools

Userspace tools? Strange man.

I normally install a distro in a VM and use that to build with. Compiling the thing is the easy part!
 

trm

cools said:
Userspace tools? Strange man.

What's the point of a kernel if there's nothing on the filesystem to run? Unless you thought I was talking about the FUSE stuff? This is just about finding compatible source tarball versions of glibc, gcc + binutils, httpd, php and the rest and making sure they're all either -latest or have all the known issues patched, but are compatible with each other.

There's no existing distro out there that I'd want to run on a box like this without auditing the distro so I figure it's easier to roll my own from a basic but well known distribution - Slackware (aka the best Linux distro evar!)

e.g. I don't want loadable modules as that makes it easier for somebody to rootkit it, but I need to compile the vmware guest code into the kernel as it normally insmod's it. It's all the little bits like that, plus that there are now 3500 kernel build options, that made it so tedious. But now it's pretty much done and just needs pen testing.

cheers

tim
 

cools

Oh right, you're on about the stuff you want to run ON the kernel. Thought you were just on about building the thing.
 

trm

I was part moaning about building the kernel (the 3500+ options to choose from) because I want it to include support for just the exact hardware it'll be running on, and just the kernel services I need, e.g. no need for IPSEC, so compile it out; then if a hole is discovered in the IPSEC implementation, this kernel isn't at risk.

But I was also moaning about the apps too :) Can't just go with -latest for everything as things need specific versions, so it's a case of chasing down CVE reports, finding and applying the patches then repeating for all the other userspace apps. So much fun!

PS: I'm shocked that you thought me such a n00b. I'll be crying into my Ovaltine (tm) tonight.
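The two kernel build decisions discussed in this thread (no loadable modules, so a rootkit can't insmod itself in, and compiling out unused services like IPsec) are easy to state and easy to lose track of among thousands of options. The script below is an added example, not code from the thread or from any project mentioned in it: it reads a kernel .config, reports which of those options are still built in, and flags the case where modules are kept without signature enforcement. The Kconfig symbol names (CONFIG_MODULES, CONFIG_MODULE_SIG_FORCE, CONFIG_INET_AH, CONFIG_INET_ESP, CONFIG_XFRM_USER) are real kernel symbols; the sample .config embedded at the bottom is constructed for demonstration.

```shell
#!/bin/sh
# audit_kconfig.sh: report attack-surface options left enabled in a Linux
# kernel .config. Added example for this thread; the sample .config below
# is constructed, the CONFIG_* symbol names are real Kconfig symbols.

# kconfig_state FILE SYMBOL -> prints y, m, n (explicitly "is not set"), or unset
kconfig_state() {
    file=$1
    sym=$2
    if grep -q "^# ${sym} is not set" "$file"; then
        echo n
    else
        val=$(grep "^${sym}=" "$file" | head -n1 | cut -d= -f2)
        case "$val" in
            "") echo unset ;;
            *)  echo "$val" ;;
        esac
    fi
}

# kconfig_audit FILE -> prints one WARN line per finding; returns 1 if any
kconfig_audit() {
    file=$1
    rc=0
    # Options the thread wants compiled out: loadable modules and IPsec
    # (AH, ESP, and the netlink interface used to configure them).
    for sym in CONFIG_MODULES CONFIG_INET_AH CONFIG_INET_ESP CONFIG_XFRM_USER; do
        st=$(kconfig_state "$file" "$sym")
        case "$st" in
            y|m) echo "WARN $sym=$st (still built; consider compiling out)"; rc=1 ;;
        esac
    done
    # If modules must stay (e.g. a guest-tools driver that only ships as a
    # module), forced signature checking is the compensating control.
    if [ "$(kconfig_state "$file" CONFIG_MODULES)" = y ] &&
       [ "$(kconfig_state "$file" CONFIG_MODULE_SIG_FORCE)" != y ]; then
        echo "WARN CONFIG_MODULES=y without CONFIG_MODULE_SIG_FORCE=y (unsigned modules load)"
        rc=1
    fi
    return $rc
}

# Constructed sample .config: modules on, no signature enforcement, AH off,
# ESP as a module, XFRM netlink built in. Expect four WARN lines.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
CONFIG_MODULES=y
# CONFIG_MODULE_SIG_FORCE is not set
# CONFIG_INET_AH is not set
CONFIG_INET_ESP=m
CONFIG_XFRM_USER=y
EOF

kconfig_audit "$SAMPLE" || echo "audit: issues found in $SAMPLE"
```

To run it against a real build, point `kconfig_audit` at the tree's `.config`, or at `/boot/config-$(uname -r)` on a running box (or `zcat /proc/config.gz` into a temp file where that option is enabled). The symbol list is deliberately short; extend the `for` loop with whatever other subsystems the box has no business carrying.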
 