This book is dedicated to OpenNA staff. Thanks, guys (no-gender)!!

--Gerhard Mourani

This book is printed on acid-free paper with 85% recycled content, 15% post-consumer waste.
Open Network Architecture is commited to using paper with the highest recycled content
available consistent with high quality.

Copyright © 2002 by Gerhard Mourani and Open Network Architecture, Inc.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or
transmitted in any form or by any means, electronic, mechanical, photocopying, recording,
scanning or otherwise, except as permitted by Canada Copyright Act, without either the prior
written permission of the Publisher, or authorization through payment of the appropriate per-copy
fee to the copyright holders Gerhard Mourani and Open Network Architecture, Inc. 11090
Drouart, Montreal, PQ H3M 2S3, (514) 978-6183, fax (514) 333-0236. Requests to the Publisher
for permission should be addressed to the Publishing Manager, at Open Network Architecture,
Inc., E-mail: [email protected]

This publication is designed to provide accurate and authoritative information in regard to the
subject matter covered. It is sold with the understanding that some grammatical mistakes could
have occurred but this won’t jeopardize the content or the issue raised herewith.

Title: Securing and Optimizing Linux: The Hacking Solution

Page Count: 1208
Version: 3.0
Last Revised: 2002-06-26
Publisher: Open Network Architecture, Inc.
Editor: Ted Nackad
Text Design & Drawings (Graphics): Bruno Mourani
Printing History: June 2000: First Publication.

Author's: Gerhard Mourani

Mail: [email protected]
Website: http://www.openna.com/

National Library Act. R.S., c. N-11, s. 1.

Legal Deposit, 2002

Securing and Optimizing Linux: The Hacking Solution / Open Network Architecture, Inc.
Published by Open Network Architecture, Inc., 11090 Drouart, Montreal, H3M 2S3, Canada.

Includes Index.
ISBN 0-9688793-1-4

Printed in Canada

1
Overview
Part I Installation Security
Chapter 1 Introduction
Chapter 2 Installation Issues

Part II System Security & Optimization

Chapter 3 General Security
Chapter 4 Pluggable Authentication Modules
Chapter 5 General Optimization
Chapter 6 Kernel Security & Optimization
Chapter 7 Process File System Management

Part III Network Security

Chapter 8 TCP/IP Network Management
Chapter 9 Firewall Basic Concept
Chapter 10 GIPTables Firewall
Chapter 11 Squid Proxy Server
Chapter 12 SquidGuard Filter
Chapter 13 FreeS/WAN VPN

Part IV Cryptography & Authentication

Chapter 14 GnuPG
Chapter 15 OpenSSL
Chapter 16 OpenSSH
Chapter 17 Sudo

Part V Monitoring & System Integrity

Chapter 18 sXid
Chapter 19 LogSentry
Chapter 20 HostSentry
Chapter 21 PortSentry
Chapter 22 Snort
Chapter 23 Tripwire

Part VI Super-Server
Chapter 24 UCSPI-TCP
Chapter 25 Xinetd

Part VII Management & Limitation

Chapter 26 NTP
Chapter 27 Quota

Part VIII Domain Name System & Dynamic Host Protocol

Chapter 28 ISC BIND & DNS
Chapter 29 ISC DHCP

Part IX Mail Transfer Agent Protocol

Chapter 30 Exim
Chapter 31 Qmail

2
Part X Internet Message Access Protocol
Chapter 32 tpop3d
Chapter 33 UW IMAP
Chapter 34 Qpopper

Part XI Anti-Spam & Anti-Virus

Chapter 35 SpamAssassin
Chapter 36 Sophos
Chapter 37 AMaViS

Part XII Database Server

Chapter 38 MySQL
Chapter 39 PostgreSQL
Chapter 40 OpenLDAP

Part XIII File Transfer Protocol

Chapter 41 ProFTPD
Chapter 42 vsFTPD

Part XIV Hypertext Transfer Protocol

Chapter 43 Apache
Chapter 44 PHP
Chapter 45 Mod_Perl

Part XV NetBios Protocol

Chapter 46 Samba

Part XVI Backup

Chapter 47 Tar & Dump

Part XVII Appendixes

Appendix A
Tweaks, Tips and Administration Tasks

Appendix B
Port list

3
Contents
Steps of installation 13
Author note 13
Audience 14
These installation instructions assume 15
Obtaining the example configuration files 15
Problem with Securing & Optimizing Linux 15
Acknowledgments 15

Introduction 19
What is Linux? 21
Some good reasons to use Linux 21
Let's dispel some of the fear, uncertainty, and doubt about Linux 21
Why choose pristine source? 22
Compiling software on your system 22
Build & install software on your system 23
Editing files with the vi editor tool 24
Recommended software to include in each type of servers 25

Installation Issues 29
Know your Hardware! 31
Creating the Linux Boot Disk 31
Beginning the installation of Linux 33
Installation Class and Method (Install Options) 34
Partition your system for Linux 35
Disk Partition (Manual Partitioning) 39
Selecting Package Groups 50
Boot Disk Creation 53
How to use RPM Commands 53
Starting and stopping daemon services 56
Software that must be uninstalled after installation of the server 57
Remove unnecessary documentation files 65
Remove unnecessary/empty files and directories 66
Software that must be installed after installation of the server 66

General Security 73
BIOS 75
Unplug your server from the network 75
Security as a policy 76
Choose a right password 76
The root account 77
Set login time out for the root account 77
Shell logging 78
The single-user login mode of Linux 79
Disabling Ctrl-Alt-Delete keyboard shutdown command 79
Limiting the default number of started ttys on the server 80
The LILO and /etc/lilo.conf file 80
The GRUB and /boot/grub/grub.conf file 82
The /etc/services file 84

4
 The /etc/securetty file 85
Special accounts 85
Control mounting a file system 88
Mounting the /usr directory of Linux as read-only 89
Tighten scripts under /etc/init.d 91
Tighten scripts under /etc/cron.daily/ 91
Bits from root-owned programs 91
Don’t let internal machines tell the server what their MAC address is 93
Unusual or hidden files 94
Finding Group and World Writable files and directories 95
Unowned files 96
Finding .rhosts files 96
Physical hard copies of all-important logs 97
Getting some more security by removing manual pages 99
System is compromised! 100

Pluggable Authentication Modules 101

The password length 103
Disabling console program access 105
Disabling all console access 105
The Login access control table 106
Tighten console permissions for privileged users 107
Putting limits on resource 109
Controlling access time to services 111
Blocking; su to root, by one and sundry 112
Using sudo instead of su for logging as super-user 113

General Optimization 116

Static vs. shared libraries 118
The Glibc 2.2 library of Linux 119
Why Linux programs are distributed as source 120
Some misunderstanding in the compiler flags options 121
The gcc specs file 122
Striping all binaries and libraries files 127
Tuning IDE Hard Disk Performance 128

Kernel Security & Optimization 133

Difference between a Modularized Kernel and a Monolithic Kernel 135
Making an emergency boot floppy 138
Preparing the Kernel for the installation 139
Applying the Grsecurity kernel patch 141
Obtaining and Installing Grsecurity 141
Tuning the Kernel 142
Cleaning up the Kernel 143
Configuring the Kernel 145
Compiling the Kernel 190
Installing the Kernel 190
Verifying or upgrading your boot loader 192
Reconfiguring /etc/modules.conf file 194
Rebooting your system to load the new kernel 195
Delete programs, edit files pertaining to modules 195

5
 Making a new rescue floppy for Modularized Kernel 196
Making a emergency boot floppy disk for Monolithic Kernel 196

Process file system management 199

What is sysctl? 202
/proc/sys/vm: The virtual memory subsystem of Linux 202
/proc/sys/fs: The file system data of Linux 209
/proc/sys/net/ipv4: IPV4 settings of Linux 211
Other possible optimization of the system 219

TCP/IP Network Management 225

TCP/IP security problem overview 228
Installing more than one Ethernet Card per Machine 232
Files-Networking Functionality 233
Testing TCP/IP Networking 237
The last checkup 240

Firewall Basic Concept 241

What is the IANA? 243
The ports numbers 243
What is a Firewall? 245
Packet Filter vs. Application Gateway 245
What is a Network Firewall Security Policy? 247
The Demilitarized Zone 248
Linux IPTables Firewall Packet Filter 249
The Netfilter Architecture 249

GIPTables Firewall 255

Building a kernel with IPTables support 259
Compiling - Optimizing & Installing GIPTables 262
Configuring GIPTables 263
/etc/giptables.conf: The GIPTables Configuration File 263
/etc/rc.d/rc.giptables.blocked: The GIPTables Blocked File 274
/etc/init.d/giptables: The GIPTables Initialization File 275
The GIPTables Firewall Module Files 276
How GIPTables parameters work? 277
Running the type of GIPTables firewall that you need 283
The GIPTables configuration file for a Gateway/Proxy Server 284
GIPTables-Firewall Administrative Tools 302

Squid Proxy Server 305

Compiling - Optimizing & Installing Squid 309
Configuring Squid 313
Running Squid with Users Authentication Support 326
Securing Squid 330
Optimizing Squid 333
Squid Administrative Tools 333
The cachemgr.cgi program utility of Squid 335

6
SquidGuard Filter 337
Compiling - Optimizing & Installing SquidGuard 340
Configuring SquidGuard 342
Testing SquidGuard 350
Optimizing SquidGuard 351

FreeS/WAN VPN 355

Compiling - Optimizing & Installing FreeS/WAN 360
Configuring FreeS/WAN 363
Configuring RSA private keys secrets 367
Requiring network setup for IPSec 372
Testing the FreeS/WAN installation 374

GnuPG 379
Compiling - Optimizing & Installing GnuPG 382
Using GnuPG under Linux terminal 384

OpenSSL 391
Compiling - Optimizing & Installing OpenSSL 396
Configuring OpenSSL 398
OpenSSL Administrative Tools 404
Securing OpenSSL 409

OpenSSH 411
Compiling - Optimizing & Installing OpenSSH 414
Configuring OpenSSH 417
Running OpenSSH in a chroot jail 427
Creating OpenSSH private & public keys 432
OpenSSH Users Tools 434

Sudo 437
Compiling - Optimizing & Installing Sudo 440
Configuring Sudo 442
A more complex sudoers configuration file 444
Securing Sudo 447
Sudo Users Tools 447

sXid 451
Compiling - Optimizing & Installing sXid 454
Configuring sXid 455
sXid Administrative Tools 457

LogSentry 459

7
 Compiling - Optimizing & Installing LogSentry 462
Configuring LogSentry 466

HostSentry 467
Compiling - Optimizing & Installing HostSentry 470
Configuring HostSentry 474

PortSentry 481
Compiling - Optimizing & Installing PortSentry 484
Configuring PortSentry 487
Removing hosts that have been blocked by PortSentry 494

Snort 495
Compiling - Optimizing & Installing Snort 499
Configuring Snort 501
Running Snort in a chroot jail 507

Tripwire 511
Compiling - Optimizing & Installing Tripwire 514
Configuring Tripwire 517
Running Tripwire for the first time 526
Securing Tripwire 528
Tripwire Administrative Tools 528

ucspi-tcp 533
Compiling - Optimizing & Installing ucsip-tcp 536
Using ucsip-tcp 538

Xinetd 541
Compiling - Optimizing & Installing Xinetd 544
Configuring Xinetd 546
The /etc/xinetd.d directory 547

NTP 559
Compiling - Optimizing & Installing NTP 564
Configuring NTP 566
Running NTP in Client Mode 566
Running NTP in Server Mode 572
Running NTP in a chroot jail 574
NTP Administrative Tools 578

Quota 581
Build a kernel with Quota support enable 584
Compiling - Optimizing & Installing Quota 584

8
 Modifying the /etc/fstab file 586
Creating the aquota.user and aquota.group files 587
Assigning Quota for Users and Groups 587
Quota Administrative Tools 590

ISC BIND & DNS 593

Compiling - Optimizing & Installing ISC BIND & DNS 598
Configuring ISC BIND & DNS 600
Running ISC BIND & DNS as Caching-Only Name Server 601
Running ISC BIND & DNS as Primary Master Name Server 610
Running ISC BIND & DNS as Secondary Slave Name Server 615
Running ISC BIND & DNS in a chroot jail 617
Securing ISC BIND & DNS 621
Optimizing ISC BIND & DNS 638
ISC BIND & DNS Administrative Tools 641
ISC BIND & DNS Users Tools 643

ISC DHCP 645

Building a kernel with ISC DHCP support 649
Compiling - Optimizing & Installing ISC DHCP 650
Configuring ISC DHCP 654
Testing the DHCP server 662
Running ISC DHCP in a chroot jail 664
Securing ISC DHCP 675
Running the DHCP client for Linux 676

Exim 683
Compiling - Optimizing & Installing Exim 688
Configuring Exim 693
Testing Exim 716
Allowing Users to authenticate with Exim before relaying 719
Running Exim with SSL support 722
Running Exim with Virtual Hosts support 729
Running Exim with Maildir support 732
Running Exim with mail quota support 734
Running Exim as a Null Client Mail Server 735
Exim Administrative Tools 738

Qmail 741
Compiling, Optimizing & Installing Qmail 745
Configuring Qmail 751
Testing Qmail 755
Allowing Users to authenticate with Qmail before relaying 756
Running Qmail with SSL support 760
Running Qmail with Virtual Hosts support 765
Running Qmail as a Null Client Mail Server 769
Running Qmail as a Mini-Qmail Mail Server 773
Running qmail-pop3d with SSL support 777

9
 Qmail Administrative Tools 780
Qmail Users Tools 781

tpop3d 785
Compiling - Optimizing & Installing tpop3d 790
Configuring tpop3d 791
Securing tpop3d 795

UW IMAP 797
Compiling - Optimizing & Installing UW IMAP 801
Configuring UW IMAP 805
Enable IMAP or POP services via UCSPI-TCP 807
Enable IMAP or POP services via Xinetd 808
Securing UW IMAP 810
Running UW IMAP with SSL support 811

Qpopper 815
Compiling - Optimizing & Installing Qpopper 819
Configuring Qpopper 821
Securing Qpopper 825
Running Qpopper with SSL support 827

SpamAssassin 835
Compiling - Optimizing & Installing SpamAssassin 839
Configuring SpamAssassin 840
Testing SpamAssassin 842
Running SpamAssassin with Exim 843
Running SpamAssassin with Qmail 844

Sophos 849
Compiling & Installing Sophos 853
Configuring Sophos 854
Testing Sophos 855

AMaViS 857
Verifying & installing all the additional prerequisites to run AMaViS 860
Compiling - Optimizing & Installing AMaViS 872
Running AMaViS with Exim 875
Running AMaViS with Qmail 877
Testing AMaViS 878

MySQL 881
Compiling - Optimizing & Installing MySQL 886
Configuring MySQL 888
Securing MySQL 893

10
 Optimizing MySQL 894
MySQL Administrative Tools 899

PostgreSQL 907
Compiling - Optimizing & Installing PostgreSQL 910
Configuring PostgreSQL 913
Running PostgreSQL with SSL support 918
Securing PostgreSQL 924
Optimizing PostgreSQL 928
PostgreSQL Administrative Tools 929

OpenLDAP 935
Compiling - Optimizing & Installing OpenLDAP 940
Configuring OpenLDAP 945
Running OpenLDAP with TLS/SSL support 950
Running OpenLDAP in a chroot jail 954
Securing OpenLDAP 961
Optimizing OpenLDAP 962
OpenLDAP Administrative Tools 963
OpenLDAP Users Tools 967

ProFTPD 971
Compiling - Optimizing & Installing ProFTPD 976
Configuring ProFTPD 980
Creating an account for FTP client to connect to the FTP server 992
Setup an anonymous FTP server 993
Allow anonymous users to upload to the FTP server 997
Running ProFTPD with SSL support 1000
Securing ProFTPD 1005
ProFTPD Administrative Tools 1006

vsFTPd 1009
Compiling - Optimizing & Installing vsFTPd 1014
Configuring vsFTPd 1015
Creating an account for FTP client to connect to the FTP server 1021
Setup an anonymous FTP server 1022
Allow anonymous users to upload to the FTP server 1024

Apache 1029
Compiling - Optimizing & Installing Apache 1034
Configuring Apache 1040
Running Apache with TLS/SSL support 1051
Running Apache in a chroot jail 1055
Running Apache with users authentication support 1063
Caching frequently requested static files 1065
Some statistics about Apache and Linux 1066

11
PHP 1069
Compiling - Optimizing & Installing PHP 1073
Configuring PHP 1076
Running PHP in a chroot jail 1084
Running PHP with the PHP Accelerator program 1085

Mod_Perl 1089
Compiling - Optimizing & Installing Mod_Perl 1093
Configuring Mod_Perl 1094
Running Mod_Perl in a chroot jail 1095

Samba 1099
Compiling - Optimizing & Installing Samba 1104
Configuring Samba 1106
Running Samba with TLS/SSL support 1116
Securing Samba 1121
Optimizing Samba 1123
Samba Administrative Tools 1125
Samba Users Tools 1126

Tar & Dump 1129

The tar backup program 1131
Making backups with tar 1132
Automating tasks of backups made with tar 1134
Restoring files with tar 1136
The dump backup program 1138
Making backups with dump 1139
Restoring files with dump 1141
Backing up and restoring over the network 1143

APPENDIX A 1151
APPENDIX B 1157

12
 Preface

Steps of installation
Depending of your level of knowledge in Linux, you can read this book from the beginning
through to the end of the chapters that interest you. Each chapter and section of this book
appears in a manner that lets you read only the parts of your interest without the need to
schedule one day of reading. Too many books on the market take myriad pages to explain
something that can be explained in two lines, I’m sure that a lot of you agree with my opinion.
This book tries to be different by talking about only the essential and important information that
the readers want to know by eliminating all the nonsense.

Although you can read this book in the order you want, there is a particular order that you could
follow if something seems to be confusing you. The steps shown below are what I recommend:

Setup Linux in your computer.

Remove all the unnecessary RPM’s packages.
Install the necessary RPM’s packages for compilation of software (if needed).
Secure the system in general.
Optimize the system in general.
Reinstall, recompile and customize the Kernel to fit your specific system.
Configure firewall script according to which services will be installed in your system.
Install OpenSSL to be able to use encryption with the Linux server.
Install OpenSSH to be able to make secure remote administration tasks.
Install Sudo.
Install sXid.
Install LogSentry.
Install PortSentry.
Install Tripwire.
Install ICS BIND/DNS.
Install Exim or Qmail.
Install any software you need after to enable specific services into the server.

Author note
According to some surveys on the Internet, Linux will be the number one operating system for a
server platform in year 2003. Presently it is number two and no one at one time thought that it
would be in this second place. Many organizations, companies, universities, governments, and
the military, etc, kept quiet about it. Crackers use it as the operating system by excellence to
crack computers around the world. Why do so many people use it instead of other well know
operating systems? The answer is simple, Linux is free and the most powerful, reliable, and
secure operating system in the world, providing it is well configured. Millions of programmers,
home users, hackers, developers, etc work to develop on a voluntary basis, different programs
related to security, services, and share their work with other people to improve it without
expecting anything in return. This is the revolution of the Open Source movement that we see
and hear about so often on the Internet and in the media.

13
If crackers can use Linux to penetrate servers, security specialists can use the same means to
protect servers (to win a war, you should at least have equivalent weapons to what your enemy
may be using). When security holes are encountered, Linux is the one operating system that has
a solution and that is not by chance. Now someone may say: with all these beautiful features why
is Linux not as popular as other well know operating system? There are many reasons and
different answers on the Internet. I would just say that like everything else in life, anything that we
are to expect the most of, is more difficult to get than the average and easier to acquire. Linux
and *NIX are more difficult to learn than any other operating system. It is only for those who want
to know computers in depth and know what they doing. People prefer to use other OS’s, which
are easy to operate but hard to understand what is happening in the background since they only
have to click on a button without really knowing what their actions imply. Every UNIX operating
system like Linux will lead you unconsciously to know exactly what you are doing because if you
pursue without understanding what is happening by the decision you made, then nothing will
surely work as expected. This is why with Linux; you will know the real meaning of a computer
and especially a server environment where every decision warrants an action which will closely
impact on the security of your organization and employees.

Many Web sites are open to all sorts of "web hacking." According to the Computer Security
Institute and the FBI's joint survey, 90% of 643 computer security practitioners from government
agencies, private corporations, and universities detected cyber attacks last year. Over
$265,589,940 in financial losses was reported by 273 organizations.

Many readers of the previous version of this book told me that the book was an easy step by step
guide for newbie’s, I am flattered but I prefer to admit that it was targeting for a technical audience
and I assumed the reader had some background in Linux, UNIX systems. If this is not true in your
case, I highly recommend you to read some good books in network administration related to
UNIX and especially to Linux before venturing into this book. Remember talking about security
and optimization is a very serious endeavor. It is very important to be attentive and understand
every detail in this book and if difficulties arise, try to go back and reread the explanation will save
a lot of frustration. Once again, security is not a game and crackers await only one single error
from your part to enter your system. A castle has many doors and if just one stays open, will be
enough to let intruders into your fortress. You have been warned.

Many efforts went into the making of this book, making sure that the results were as accurate as
possible. If you find any abnormalities, inconsistent results, errors, omissions or anything else that
doesn't look right, please let me know so I can investigate the problem and/or correct the error.
Suggestions for future versions are also welcome and appreciated. A web site dedicated to this
book is available on the Internet for your convenience. If you any have problem, question,
recommendation, etc, please go to the following URL: http://www.openna.com/. We made this
site for you.

Audience
This book is intended for a technical audience and system administrators who manage Linux
servers, but it also includes material for home users and others. It discusses how to install and
setup a Linux server with all the necessary security and optimization for a high performance Linux
specific machine. It can also be applied with some minor changes to other Linux variants without
difficulty. Since we speak of optimization and security configuration, we will use a source
distribution (tar.gz) program for critical server software like Apache, ISC BIND/DNS, Samba,
Squid, OpenSSL etc. Source packages give us fast upgrades; security updates when necessary,
and better compilation, customization, and optimization options for specific machines that often
aren’t available with RPM packages.

14
 Preface

These installation instructions assume

You have a CD-ROM drive on your computer and the Official Red Hat Linux or OpenNA Linux
CD-ROM. Installations were tested on the Official Red Hat Linux version 7.3 and OpenNA Linux.

You should familiarize yourself with the hardware on which the operating system will be installed.
After examining the hardware, the rest of this document guides you, step-by-step, through the
installation process.

Obtaining the example configuration files

In a true server environment and especially when Graphical User Interface is not installed, we will
often use text files, scripts, shell, etc. Throughout this book we will see shell commands, script
files, configuration files and many other actions to execute on the terminal of the server. You can
enter them manually or use the compressed archive file that I made which contains all
configuration examples and paste them directly to your terminal. This seems to be useful in many
cases to save time.

The example configuration files in this book are available electronically via HTTP from this URL:
http://www.openna.com/products/books/securing-optimizing-linux/3rdedition/index.htm

• In either case, extract the files into your Linux server from the archive by typing:
[root@deep /]# cd /var/tmp
[root@deep tmp]# tar xzpf floppy-3.0.tgz

If you cannot get the examples from the Internet, please contact the author at this email address:
[email protected]

Problem with Securing & Optimizing Linux

When you encounter a problem in "Securing & Optimizing Linux" we want to hear about it. Your
reports are an important part in making the book more reliable, because even with the utmost
care we cannot guarantee that every part of the book will work on every platform under every
circumstance.

We cannot promise to fix every error right away. If the problem is obvious, critical, or affects a lot
of users, chances are that someone will look into it. It could also happen that we tell you to
update to a newer version to see if the problem persists there. Or we might decide that the
problem cannot be fixed until some major rewriting has been done. If you need help immediately,
consider obtaining a commercial support contract or try our Q&A archive from the mailing list for
an answer.

Below are some important links:

OpenNA web site: http://www.openna.com/

Mailing list: http://www.openna.com/support/mailing/
Support: http://www.openna.com/support/
RPM Download: http://www.openna.com/download/

Acknowledgments
I would like to thank all the OpenNA staff for their hard works and patience. A special gratitude
and many thanks to Colin Henry who made tremendous efforts to make this book grammatically
and orthographically sound in a professional manner. Adrian Pascalau for its time and help in the
open source community and all Linux users around the world who have participated by providing
good comments, ideas, recommendations and suggestions.

15
Introduction
IN THIS CHAPTER

1. What is Linux?
2. Some good reasons to use Linux
3. Let's dispel some of the fear, uncertainty, and doubt about Linux
4. Why choose Pristine source?
5. Compiling software on your system
6. Build, Install software on your system
7. Editing files with the vi editor tool
8. Recommended software to include in each type of servers

19
 Introduction 0
CHAPTER 1

Introduction

What is Linux?
Linux is an operating system that was first created at the University of Helsinki in Finland by a
young student named Linus Torvalds. At this time the student was working on a UNIX system that
was running on an expensive platform. Because of his low budget, and his need to work at home,
he decided to create a copy of the UNIX system in order to run it on a less expensive platform,
such as an IBM PC. He began his work in 1991 when he released version 0.02 and worked
steadily until 1994 when version 1.0 of the Linux Kernel was released.

The Linux operating system is developed under the GNU General Public License (also known as
GNU GPL) and its source code is freely available to everyone who downloads it via the Internet.
The CD-ROM version of Linux is also available in many stores, and companies that provide it will
charge you for the cost of the media and support. Linux may be used for a wide variety of
purposes including networking, software development, and as an end-user platform. Linux is
often considered an excellent, low-cost alternative to other more expensive operating systems
because you can install it on multiple computers without paying more.

Some good reasons to use Linux

There are no royalty or licensing fees for using Linux and the source code can be modified to fit
your needs. The results can be sold for profit, but the original authors retain copyright and you
must provide the source to your modifications.

Because it comes with source code to the kernel, it is quite portable. Linux runs on more CPUs
and platforms than any other computer operating system.

The recent direction of the software and hardware industry is to push consumers to purchase
faster computers with more system memory and hard drive storage. Linux systems are not
affected by those industries’ orientation because of its capacity to run on any kind of computer,
even aging x486-based computers with limited amounts of RAM.

Linux is a true multi-tasking operating system similar to its brother, UNIX. It uses sophisticated,
state-of-the-art memory management techniques to control all system processes. That means
that if a program crashes you can kill it and continue working with confidence.

Another benefit is that Linux is practically immunized against all kinds of viruses that we find in
other operating systems. To date we have found only two viruses that were effective on Linux
systems - well, actually they are Trojan Horses.

Let's dispel some of the fear, uncertainty, and doubt about Linux
It's a toy operating system
Fortune 500 companies, governments, and consumers more and more use Linux as a cost-
effective computing solution. It has been used, and is still used, by big companies like IBM,
Amtrak, NASA, and others.

There's no support
Every Linux distribution comes with more than 12,000 pages of documentation. Commercial
Linux distributions offer initial support for registered users, and small business and corporate
accounts can get 24/7 supports through a number of commercial support companies. As an Open
Source operating system, there's no six-month wait for a service release, plus the online Linux
community fixes many serious bugs within hours.

21
Why choose pristine source?
All the programs in Red Hat and OpenNA distributions of Linux are provided as RPM files. An RPM
file, also known, as a “package”, is a way of distributing software so that it can be easily installed,
upgraded, queried, and deleted. However, in the Unix world, the defacto-standard for package
distribution continues to be by way of so-called “tarballs”. Tarballs are simply compressed files
that can be readable and uncompressed with the “tar” utility. Installing from tar is usually
significantly more tedious than using RPM. So why would we choose to do so?

1) Unfortunately, it takes a few weeks for developers and helpers to get the latest version of
a package converted to RPM’s because many developers first release them as tarballs.

2) When developers and vendors release a new RPM, they include a lot of options that often
aren’t necessary. Those organizations and companies don’t know what options you will
need and what you will not, so they include the most used to fit the needs of everyone.

3) Often RPMs are not optimized for your specific processors; companies like Red Hat Linux
build RPM’s based on a standard PC. This permits their RPM packages to be installed on
all sorts of computers since compiling a program for an i386 machine means it will work
on all systems.

4) Sometimes you download and install RPM’s, which other people around the world are
building and make available for you to use. This can pose conflicts in certain cases
depending how this individual built the package, such as errors, security and all the other
problems described above.

Compiling software on your system

A program is something a computer can execute. Originally, somebody wrote the "source code"
in a programming language he/she could understand (e.g., C, C++). The program "source code"
also makes sense to a compiler that converts the instructions into a binary file suited to whatever
processor is wanted (e.g. a 386 or similar). A modern file format for these "executable" programs
is ELF. The programmer compiles his source code on the compiler and gets a result of some sort.
It's not at all uncommon that early attempts fail to compile, or having compiled, fail to act as
expected. Half of programming is tracking down and fixing these problems (debugging).

For the beginners there are more aspect and new words relating to the compilation of source
code that you must know, these include but are not limited to:

Multiple Files (Linking)

One-file programs are quite rare. Usually there are a number of files (say *.c, *.cpp, etc) that
are each compiled into object files (*.o) and then linked into an executable. The compiler is
usually used to perform the linking and calls the 'ld' program behind the scenes.

Makefiles
Makefiles are intended to aid you in building your program the same way each time. They also
often help with increasing the speed of a program. The “make” program uses “dependencies” in
the Makefile to decide what parts of the program need to be recompiled. If you change one
source file out of fifty you hope to get away with one compile and one link step, instead of starting
from scratch.

22
 Introduction 0
CHAPTER 1

Libraries
Programs can be linked not only to object files (*.o) but also to libraries that are collections of
object files. There are two forms of linking to libraries: static, where the code goes in the
executable file, and dynamic, where the code is collected when the program starts to run.

Patches
It was common for executable files to be given corrections without recompiling them. Now this
practice has died out; in modern days, people change a small portion of the source code, putting
a change into a file called a “patch”. Where different versions of a program are required, small
changes to code can be released this way, saving the trouble of having two large distributions.

Errors in Compilation and Linking

Errors in compilation and linking are often due to typos, omissions, or misuse of the language.
You have to check that the right “includes file” is used for the functions you are calling.
Unreferenced symbols are the sign of an incomplete link step. Also check if the necessary
development libraries (GLIBC) or tools (GCC, DEV86, MAKE, etc) are installed on your system.

Debugging
Debugging is a large topic. It usually helps to have statements in the code that inform you of what
is happening. To avoid drowning in output you might sometimes get them to print out only the first
3 passes in a loop. Checking that variables have passed correctly between modules often helps.
Get familiar with your debugging tools.

Build & install software on your system

You will see in this book that we use many different compile commands to build and install
programs on the server. These commands are UNIX compatible and are used on all variants of
*NIX machines to compile and install software.

The procedures to compile and install software tarballs on your server are as follows:

1. First of all, you must download the tarball from your trusted software archive site. Usually
from the main site of the software you hope to install.

2. After downloading the tarball, change to the /var/tmp directory (note that other paths
are possible, at personal discretion) and untar the archive by typing the commands (as
root) as in the following example:

[root@deep /]# tar xzpf foo.tar.gz

The above command will extract all files from the example foo.tar.gz compressed archive and
will create a new directory with the name of the software from the path where you executed the
command.

The “x” option tells tar to extract all files from the archive.
The “z” option tells tar that the archive is compressed with gzip utility.
The “p” option maintains the original permissions the files had when the archive was created.
The “f” option tells tar that the very next argument is the file name.

23
Once the tarball has been decompressed into the appropriate directory, you will almost certainly
find a “README” and/or an “INSTALL” file included with the newly decompressed files, with further
instructions on how to prepare the software package for use. Likely, you will need to enter
commands similar to the following example:

./configure
make
make install

The above commands, ./configure will configure the software to ensure your system has the
necessary libraries to successfully compile the package, make will compile all the source files into
executable binaries. Finally, make install will install the binaries and any supporting files into
the appropriate locations. Other specific commands that you’ll see in this book for compilation
and installation procedure will be:

make depend
strip
chown

The make depend command will build and make the necessary dependencies for different files.
The strip command will discard all symbols from the object files. This means that our binary file
will be smaller in size. This will improve the performance of the program, since there will be fewer
lines to read by the system when it executes the binary. The chown command will set the correct
file owner and group permissions for the binaries. More commands will be explained in the
sections concerning program installation.

Editing files with the vi editor tool

The vi program is a text editor that you can use to edit any text and particularly programs. During
installation of software, the user will often have to edit text files, like Makefiles or configuration
files. The following are some of the more important keystroke commands to get around in vi. I
decided to introduce the vi commands now since it is necessary to use vi throughout this book.

Command Result
=====================================================================
i --------------------------------- Notifies vi to insert text before the cursor
a --------------------------------- Notifies vi to append text after the cursor
dd -------------------------------- Notifies vi to delete the current line
x --------------------------------- Notifies vi to delete the current character
Esc ------------------------------- Notifies vi to end the insert or append mode
u --------------------------------- Notifies vi to undo the last command
Ctrl+f ---------------------------- Scroll up one page
Ctrl+b ---------------------------- Scroll down one page
/string --------------------------- Search forward for string
:f -------------------------------- Display filename and current line number
:q -------------------------------- Quit editor
:q! ------------------------------- Quit editor without saving changes
:wq ------------------------------- Save changes and exit editor
=====================================================================

24
 Introduction 0
CHAPTER 1

Recommended software to include in each type of servers

If you buy binaries, you will not get any equity and ownership of source code. Source code is a
very valuable asset and binaries have no value. Buying software may become a thing of the past.
You only need to buy good hardware; it is worth spending money on the hardware and gets the
software from the Internet. The important point is that it is the computer hardware that is doing the
bulk of the work. The hardware is the real workhorse and the software is just driving it. It is for this
reason that we believe in working with and using Open source software. Much of the software
and services that come with Linux are open source and allow the user to use and modify them in
an undiscriminating way according to the General Public License.

Linux has quickly become the most practical and friendly used platform for e-business -- and with
good reason. Linux offers users stability, functionality and value that rivals any platform in the
industry. Millions of users worldwide have chosen Linux for running their applications, from web
and email servers to departmental and enterprise vertical application servers. To respond to your
needs and to let you know how you can share services between systems I have developed ten
different types of servers, which cover the majority of servers' functions and enterprise demands.

Often companies try to centralize many services into one server to save money, it is well known
and often seen that there are conflicts between the technical departments and purchasing agents
of companies about investment and expenditure when it comes to buying new equipment. When
we consider security and optimization, it is of the utmost importance not to run too many services
on one server, it is highly recommended to distribute tasks and services between multiple
systems. The table below shows you which software and services we recommend to for each
type of Linux server.

The following conventions will explain the interpretations of these tables:

Optional Components: components that may be included to improve the features of the server or
to fit special requirements.

Security Software Required: what we consider as minimum-security software to have installed on

the server to improve security.

Security Software Recommended: what we recommend for the optimal security of the servers.

25
 Mail Server Web Server Gateway Server
Exim or Qmail (SMTP Server) Apache BIND/DNS (Caching)
BIND/DNS (Caching) Qmail Qmail
IPTables Firewall BIND/DNS (Caching) IPTables Firewall
GIPTables IPTables Firewall GIPTables
GIPTables
---------- ----------

IMAP/POP only for Exim Squid

SuidGuard
Optional Components Optional Components Optional Components
Mod_PHP DHCP
Mod_SSL
Mod-Perl
Security Software Required Security Software Required Security Software Required
Grsecurity Grsecurity Grsecurity
OpenSSL OpenSSL OpenSSL
OpenSSH OpenSSH OpenSSH
Tripwire Tripwire Tripwire
Sudo Sudo Sudo
Security Software recommended Security Software recommended Security Software recommended
GnuPG GnuPG GnuPG
sXid sXid sXid
Logcheck Logcheck Logcheck
HostSentry HostSentry HostSentry
PortSentry PortSentry PortSentry

FTP Server Domain Name Server File Sharing Server

ProFTPD Primary BIND/DNS (Server) Samba
Qmail Qmail Qmail
BIND/DNS (Caching) IPTables Firewall BIND/DNS (Caching)
IPTables Firewall GIPTables IPTables Firewall
GIPTables GIPTables
----------

Secondary BIND/DNS (Server)

Optional Components Optional Components Optional Components
Anonymous FTP (Server)
Security Software Required Security Software Required Security Software Required
Grsecurity Grsecurity Grsecurity
OpenSSL OpenSSL OpenSSL
OpenSSH OpenSSH OpenSSH
Tripwire Tripwire Tripwire
Sudo Sudo Sudo
Security Software recommended Security Software recommended Security Software recommended
GnuPG GnuPG GnuPG
sXid sXid sXid
Logcheck Logcheck Logcheck
HostSentry HostSentry HostSentry
PortSentry PortSentry PortSentry

26
 Introduction 0
CHAPTER 1

Database server Backup server VPN Server

PostgreSQL (Client & Server) Amanda FreeS/WAN VPN (Server)
Qmail Qmail Qmail
BIND/DNS (Caching) BIND/DNS (Caching) BIND/DNS (Caching)
IPTables Firewall Dump Utility IPTables Firewall
GIPTables IPTables Firewall GIPTables
GIPTables
----------

MySQL (Client & Server)

----------

OpenLDAP (Client & Servers)

Optional Components Optional Components Optional Components

Security Software Required Security Software Required Security Software Required

Grsecurity Grsecurity Grsecurity
OpenSSL OpenSSL OpenSSL
OpenSSH OpenSSH OpenSSH
Tripwire Tripwire Tripwire
Sudo Sudo Sudo
Security Software recommended Security Software recommended Security Software recommended
GnuPG GnuPG GnuPG
sXid sXid sXid
Logcheck Logcheck Logcheck
HostSentry HostSentry HostSentry
PortSentry PortSentry PortSentry

27
Installation Issues
IN THIS CHAPTER

1. Know your Hardware!

2. Creating the Linux Boot Disk
3. Beginning the installation of Linux
4. Installation Class and Method (Install Options)
5. Partition your system for Linux
6. Disk Partition (Manual Partitioning)
7. Selecting Package Groups
8. Boot Disk Creation
9. How to use RPM Commands
10. Starting and stopping daemon services
11. Software that must be uninstalled after installation of the server
12. Remove unnecessary documentation files
13. Remove unnecessary/empty files and directories
14. Software that must be installed after installation of the server

29
 Installation Issues 0
CHAPTER 2

Linux Installation

Abstract
This part of the book deals with the basic knowledge required to properly install a Linux OS, in
our case this is going to be Red Hat Linux, on your system in the most secure and clean manner
available.

We have structured this chapter in a manner that follows the original installation of the Red Hat
Linux operating system from CD-ROM. Each section below refers to, and will guide you through,
the different screens that appear during the setup of your system after booting from the Red Hat
boot diskette. We promise that it will be interesting to have the machine you want to install Linux
on ready and near you when you follow the steps described below.

You will see that through the beginning of the installation of Linux, there are many options,
parameters, and hacks that you can set before the system boots up for the first time.

Know your Hardware!

Understanding the hardware of your computer is essential for a successful installation of Linux.
Therefore, you should take a moment and familiarize yourself with your computer hardware. Be
prepared to answer the following questions:

1. How many hard drives do you have?

2. What size is each hard drive (eg, 15GB)?
3. If you have more than one hard drive, which is the primary one?
4. What kind of hard drive do you have (eg, IDE ATA/66, SCSI)?
5. How much RAM do you have (eg, 256MB RAM)?
6. Do you have a SCSI adapter? If so, who made it and what model is it?
7. Do you have a RAID system? If so, who made it and what model is it?
8. What type of mouse do you have (eg, PS/2, Microsoft, Logitech)?
9. How many buttons does your mouse have (2/3)?
10. If you have a serial mouse, what COM port is it connected to (eg, COM1)?
11. What is the make and model of your video card? How much video RAM do you have (eg, 8MB)?
12. What kind of monitor do you have (make and model)?
13. Will you be connected to a network? If so, what will be the following:
a. Your IP address?
b. Your netmask?
c. Your gateway address?
d. Your domain name server’s IP address?
e. Your domain name?
f. Your hostname?
g. Your types of network(s) card(s) (makes and model)?
h. Your number of card(s) (makes and model)?

Creating the Linux Boot Disk

The first thing to do is to create an installation diskette, also known as a boot disk. If you have
purchased the official Red Hat Linux CD-ROM, you will find a floppy disk called “Boot Diskette” in
the Red Hat Linux box so you don’t need to create it.

Sometimes, you may find that the installation will fail using the standard diskette image that
comes with the official Red Hat Linux CD-ROM. If this happens, a revised diskette is required in
order for the installation to work properly. In these cases, special images are available via the
Red Hat Linux Errata web page to solve the problem (http://www.redhat.com/errata).

31
Since this, is a relatively rare occurrence, you will save time if you try to use the standard diskette
images first, and then review the Errata only if you experience any problems completing the
installation. Below, we will show you two methods to create the installation Boot Disk, the first
method is to use an existing Microsoft Windows computer and the second using an existing Linux
computer.

Making a Diskette under MS-DOS:

Before you make the boot disk, insert the Official Red Hat Linux CD-ROM Disk 1 in your
computer that runs the Windows operating system. When the program asks for the filename,
enter boot.img for the boot disk. To make the floppies under MS-DOS, you need to use these
commands (assuming your CD-ROM is drive D: and contain the Official Red Hat Linux CD-ROM).

• Open the Command Prompt under Windows: Start | Programs | Command Prompt
C:\> d:
D:\> cd \dosutils
D:\dosutils> rawrite
Enter disk image source file name: ..\images\boot.img
Enter target diskette drive: a:
Please insert a formatted diskette into drive A: and press -ENTER- :

D:\dosutils>exit

The rawrite.exe program asks for the filename of the disk image: Enter boot.img and insert
a blank floppy into drive A. It will then ask for a disk to write to: Enter a:, and when complete,
label the disk “Red Hat boot disk”, for example.

Making a Diskette under a Linux-Like OS:

To make a diskette under Linux or any other variant of Linux-Like operating system, you must
have permission to write to the device representing the floppy drive (known as /dev/fd0H1440
under Linux).

This permission is granted when you log in to the system as the super-user “root”. Once you
have logged as “root”, insert a blank formatted diskette into the diskette drive of your computer
without issuing a mount command on it. Now it’s time to mount the Red Hat Linux CD-ROM on
Linux and change to the directory containing the desired image file to create the boot disk.

• Insert a blank formatted diskette into the diskette drive

Insert the Red Hat Linux CD Part 1 into the CD-ROM drive
[root@deep /]# mount /dev/cdrom /mnt/cdrom
[root@deep /]# cd /mnt/cdrom/images/
[root@deep images]# dd if=boot.img of=/dev/fd0H1440 bs=1440k
1+0 records in
1+0 records out
[root@deep images]# cd /
[root@deep /]# umount /mnt/cdrom

Don’t forget to label the diskette “Red Hat boot disk”, for example.

32
 Installation Issues 0
CHAPTER 2

Beginning the installation of Linux

Now that we have made the boot disk, it is time to begin the installation of Linux. Since we’d start
the installation directly off the CD-ROM, boot with the boot disk. Insert the boot diskette you
create into the drive A: on the computer where you want to install Linux and reboot the computer.
At the boot: prompt, press Enter to continue booting and follow the three simple steps below.

Step 1
The first step is to choose what language should be used during the installation process. In our
example we choose the English language. Once you select the appropriate language, click Next
to continue.

Step 2
Next, the system allows you to choose your keyboard type, layout type for the keyboard, and the
possibility to enable or disable Dead Keys. Once you have made the appropriate selections, click
Next to continue.

33
Step 3
Finally, we choose the kind of mouse type we have and if this mouse has two or three buttons. If
you have a mouse with just two buttons, you can select the option named “Emulate 3 Buttons”
and click both mouse buttons at the same time to act as the middle mouse button.

Once we have completed the above three steps, we are ready to begin the installation of Red Hat
Linux.

Installation Class and Method (Install Options)

Red Hat Linux 7.3 includes four different classes, or type of installation. They are:

Workstation
Server
Laptop
Custom

The first two classes (Workstation and Server) give you the option of simplifying the installation
process with a significant loss of configuration flexibility that we don’t want to lose.

For this reason we highly recommend you select the “Custom” installation. Only the custom-class
installation gives us complete flexibility. During the custom-class installation, it is up to you how
disk space should be partitioned. We also have complete control over the different RPM packages
that will be installed on the system.

The idea is to load the minimum amount of packages, while maintaining maximum efficiency. The
less software that resides on the machine, the fewer potential security exploits or holes may
appear. From the menu that appears on your screen, select the “Custom” installation class and
click Next.

34
 Installation Issues 0
CHAPTER 2

Partition your system for Linux

Partitioning allows you to divide your hard drive into isolated sections, where each section
behaves as its own hard drive. This is a useful security measure and to avoid some possible DoS
attacks because we can create separate partition for specific services that we would like to run on
our Linux server. See later in this book for more information about which partition strategy to use
with security.

The system will show you a new screen from where you can choose the tool you would like to
use to partition the disks for Linux.

From here we have two choices, but before we explain them, it is important to understand
partition strategies first.

35
We assume that you are installing the new Linux server to a new hard drive, with no other
existing file system or operating system installed. A good partition strategy is to create a separate
partition for each major file system. This enhances security and prevents accidental Denial of
Service (DoS) or exploit of SUID programs.

Creating multiple partitions offers you the following advantages:

Protection against Denial of Service attack.

Protection against SUID programs.
Faster booting.
Easy backup and upgrade management.
Ability for better control of mounted file system.
Limit each file system’s ability to grow.
Improve performance of some program with special setup.

WARNING: If a previous file system or operating system exists on the hard drive and computer
where you want to install your Linux system, we highly recommend, that you make a backup of
your current system before proceeding with the disk partitioning.

Partitions Strategy
For performance, stability and security reasons you must create something like the following
partitions listed below on your computer. We suppose for this partition configuration the fact that
you have a SCSI hard drive of 9.1 GB with 256 MB of physical RAM. Of course you will need to
adjust the partition sizes and swap space according to your own needs and disk size.

Minimal recommended partitions that must be created on your system:

This is the minimum number of partitions we recommend creating whatever you want to setup it
for, a Web Server, Mail Server, Gateway or something else.

/boot 5 MB All Kernel images are kept here.

/ 256 MB Our root partition.
/usr 512 MB Must be large, since many Linux binaries programs are installed here.
/home 5700 MB Proportional to the number of users you intend to host.
(i.e. 100 MB per users * by the number of users 57 = 5700 MB)
/var 256 MB Contains files that change when the system run normally (i.e. Log files).
/tmp 329 MB Our temporary files partition (must always reside on its own partition).
<Swap> 512 MB Our swap partition. The virtual memory of the Linux operating system.

Additional or optional partitions that can be created on your system:

Depending on what services the Linux system will be assigned to serve or the specific software
requirements, there can be some special partitions you can add to the minimum partitions we
recommend. You can create as many partitions as you want to fit you needs. What we show you
below are partitions related to programs we describe in the book.

/chroot 256 MB If you want to install programs in chroot jail environment (i.e. DNS, Apache).
/var/lib 1000 MB Partition to handle SQL or Proxy Database Server files (i.e. MySQL, Squid).

36
 Installation Issues 0
CHAPTER 2

All major file systems are on separate partitions

As you can see, there are two partitions, which are less common than the others. Let’s explain
each of them in more detail:

The /chroot partition can be used for DNS Server chrooted, Apache web server chrooted and
other chrooted future programs. The chroot() command is a Unix system call that is often used
to provide an additional layer of security when untrusted programs are run. The kernel on Unix
variants which support chroot() maintains a note of the root directory each process on the
system has. Generally this is /, but the chroot() system call can change this. When chroot()
is successfully called, the calling process has its idea of the root directory changed to the
directory given as the argument to chroot().

The /var/lib partition can be used to handle SQL or Squid Proxy database files on the Linux
server. This partition can be useful to limit accidental Denial of Service attack and to improve the
performance of the program by tuning the /var/lib file system.

Putting /tmp and /home on separate partitions is pretty much mandatory if users have shell
access to the server (protection against SUID programs), splitting these off into separate
partitions also prevents users from filling up critical file systems (denial of service attack), putting
/var, and /usr on separate partitions is also a very good idea. By isolating the /var partition,
you protect your root partition from overfilling (Denial of Service attack).

In our partition configuration we’ll reserve 256 MB of disk space for chrooted programs like
Apache, DNS and other software. This is necessary because Apache DocumentRoot files and
other binaries, programs related to it will be installed in this partition if you decide to run Apache
web server in a chrooted jail. Note that the size of the Apache chrooted directory on the chrooted
partition is proportional to the size of your DocumentRoot files or number of users.

NOTE: It is for you to decide how much disk space should be reserved and set for each partition
you may need to create on your server. The choice completely depends on you and your
computer hardware. If you have a lot of disk space and know that you will need to run many
services in chroot jail environment, then you can decide to reserve more space for the chroot jail
structure on your system.

37
Swap related issues:
Swap relates to virtual RAM on the system. This special device is needed when you run out of
physical RAM because you don’t have enough MB of RAM available or your applications required
more than what is available on your computer. It is not true that swap space is needed on every
system, but to ensure that you do not run out of swap, it is recommended to create a swap
partition on the server.

The 2.4 kernel of Linux is more aggressive than the 2.2 kernels in its use of swap space and the
optimal sizing of swap space remains dependent on the following:

1. The amount of RAM installed.

2. The amount of disk space available for swap.
3. The applications being run.
4. The mix of applications that are run concurrently.

No rule-of-thumb can possibly take all these points into account. However, we recommend the
following swap sizes:

• Single-user systems with less than 128MB physical RAM: 256MB

• Single-user systems and low-end servers with more than 128MB physical RAM: two
times physical RAM (2xRAM)

• Dedicated servers with more than 512MB physical RAM: highly dependent on
environment and must be determined on a case-by-case basis)

NOTE: Swap is bad and it is recommended that you try to avoid it as much as possible by
installing more physical RAM whenever possible. If you see that your system begin to swap
memory, then consider buying some more RAM. Remember that swap is bad and your rules are
to avoid it as much as possible for optimum performance of your Linux server.

Minimum size of partitions for very old hard disk:

For information purposes only, this is the minimum size in megabytes, which a Linux installation
must have to function properly. The sizes of partitions listed below are really small. This
configuration can fit into a very old hard disk of 512MB in size that you might find in old i486
computers. We show you this partition just to get an idea of the minimum requirements.

/ 35MB
/boot 5MB
/chroot 10MB
/home 100MB
/tmp 30MB
/usr 232MB
/var 25MB

WARNING: Trying to compile programs on a 512 MB hard drive, will fail due to the lack of available
space. Instead, install RPM’s packages.

38
 Installation Issues 0
CHAPTER 2

Disk Partition (Manual Partitioning)

Now that we know exactly what partitions we need to create for our new Linux server, it is time to
choose the partitioning software we will use to make these partitions. With Red Hat Linux two
programs exist to assist you with this step:

• Manually partition with Disk druid

• Manually partition with fdisk [experts only]

Disk Druid is new software used by default in Red Hat Linux to partition your disk drive, this
program is easy to use, and allows you to use a graphical interface to create your partitions
tables.

fdisk was the first partitioning program available on Linux. It is more powerful then Disk
Druid and allows you to create your partition table in exactly the way you want it (if you want to
put your swap partition near the beginning of your drive, then you will need to use fdisk).
Unfortunately, it is also a little more complicated than Disk Druid and many Linux users prefer
to use Disk Druid for this reason.

Personally, I prefer to create the partitions with the fdisk program and I recommend you use
and be familiar with it, because if, in the future you want to add or change some file systems you
will need to use fdisk.

Partitioning with Disk Druid

This section applies only if you chose to use Disk Druid to partition your system. Disk Druid
is a program that partitions your hard drive for you. Choose “New” to add a new partition, “Edit”
to edit a partition, “Delete” to delete a partition and “Reset” to reset the partitions to the original
state. When you add a new partition, a new window appears on your screen and gives you
parameters to choose.

Mount Point: for where you want to mount your new partition in the filesystem.
Filesystem Type: Ext3 for Linux filesystem and Swap for Linux Swap Partition
Size (MB): for the size of your new partition in megabytes.

39
If you have a SCSI disk, the device name will be /dev/sda and if you have an IDE disk it will be
/dev/hda. If you’re looking for high performance and stability, a SCSI disk is highly
recommended.

Linux refers to disk partitions using a combination of letters and numbers. It uses a naming
scheme that is more flexible and conveys more information than the approach used by other
operating systems.

Here is a summary:

First Two Letters – The first two letters of the partition name indicate the type of device on which the
partition resides. You’ll normally see either hd (for IDE disks), or sd (for SCSI disks).

The Next Letter – This letter indicates which device the partition is on. For example: /dev/hda (the first
IDE hard disk) and /dev/hdb (the second IDE disk), etc.

Keep this information in mind, it will make things easier to understand when you’re setting up the
partitions Linux requires.

Now, as an example:
To make the partitions listed below on your system (this is the partition we’ll need for our server
installation example); the commands below are for Disk Druid:

Step 1
Execute all of the following commands with Disk Druid to create the require partitions.

New
Mount Point: /boot
Filesystem Type: ext3
Size (Megs): 24
Ok

New
Mount Point: /
Filesystem Type: ext3
Size (Megs): 256
Ok

New
Mount Point: /usr
Filesystem Type: ext3
Size (Megs): 512
Ok

New
Mount Point: /home
Filesystem Type: ext3
Size (Megs): 4512
Ok

New
Mount Point: /chroot
Filesystem Type: ext3
Size (Megs): 256
Ok

40
 Installation Issues 0
CHAPTER 2

New
Mount Point: /var
Filesystem Type: ext3
Size (Megs): 512
Ok

New
Mount Point: /var/lib
Filesystem Type: ext3
Size (Megs): 1024
Ok

New
Mount Point: /tmp
Filesystem Type: ext3
Size (Megs): 256
Ok

New
Mount Point: swap
Filesystem Type: swap
Size (Megs): 1372
Ok

Step 2
After you have executed the above commands to create and partition your drive with Disk
Druid, press the Next button and continue the installation to choose partitions to format.

Partitioning with fdisk

This section applies only if you chose to use fdisk to partition your system.

The first thing you will want to do is using the p key to check the current partition information. You
need to first add your root partition. Use the n key to create a new partition and then select either
e or p keys for extended or primary partition.

Most likely you will want to create a primary partition. You are asked what partition number should
be assigned to it, at which cylinder the partition should start (you will be given a range – just
choose the lowest number (1)), and the size of the partition. For example, for a 5MB partition,
you would enter +5M for the size when asked.

Next, you need to add your extended partition. Use the n key to create a new partition and then
select the e key for extended partition. You are asked what partition number should be assigned
to it, at which cylinder the partition should start (you will be given a range – just choose the
lowest number (2)), and the size of the partition. You would enter the last number for the size
when asked (or just press Enter).

You will now want to create the swap partition. You need to use the n key for a new partition.
Choose logical; tell it where the first cylinder should be (2). Tell fdisk how big you want your
swap partition. You then need to change the partition type to Linux swap. Enter the t key to
change the type and enter the partition number of your swap partition. Enter the number 82 for
the hex code for the Linux swap partition.

41
Now that you have created your Linux boot and Linux swap partition, it is time to add any
additional partitions you might need. Use the n key again to create a new partition, and enter all
the information just as before. Keep repeating this procedure until all your partitions are created.
You can create up to four primary partitions; then you must start putting extended partitions into
each primary partition.

None of the changes you make take effect until you save then and exit fdisk using the w
NOTE:
command. You may quit fdisk at any time without saving changes by using the q command.

An overview of fdisk

The command for help is m

To list the current partition table, use p
To add a new partition, use n
To delete a partition, use d
To set or changes the partition type, use t
To provide a listing of the different partition types and their ID numbers, use l
To saves your information and quits fdisk, use w

Now, as an example:
To make the partitions listed below on your system (these are the partitions we’ll need for our
server installation example); the commands below are for fdisk:

Step 1
Execute all of the following commands with fdisk to create the require partitions.

Command (m for help): n

Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-1116, default 1): 1
Last cylinder or +size or +sizeM or +sizeK (1-1116, default 1116): +18M

Command (m for help): n

Command action
e extended
p primary partition (1-4)
e
Partition number (1-4): 2
First cylinder (4-1116, default 4): 4
Last cylinder or +size or +sizeM or +sizeK (4-1116, default 1116): 1116

Command (m for help): n

Command action
l logical (5 or over)
p primary partition (1-4)
l
First cylinder (4-1116, default 4): 4
Last cylinder or +size or +sizeM or +sizeK (4-1116, default 1116): +256M

42
 Installation Issues 0
CHAPTER 2

Command (m for help): n

Command action
l logical (5 or over)
p primary partition (1-4)
l
First cylinder (37-1116, default 37): 37
Last cylinder or +size or +sizeM or +sizeK (37-1116, default 1116): +512M

Command (m for help): n

Command action
l logical (5 or over)
p primary partition (1-4)
l
First cylinder (103-1116, default 103): 103
Last cylinder or +size or +sizeM or +sizeK (103-1116, default 1116): +4512M

Command (m for help): n

Command action
l logical (5 or over)
p primary partition (1-4)
l
First cylinder (679-1116, default 679): 679
Last cylinder or +size or +sizeM or +sizeK (679-1116, default 1116): +256M

Command (m for help): n

Command action
l logical (5 or over)
p primary partition (1-4)
l
First cylinder (712-1116, default 712): 712
Last cylinder or +size or +sizeM or +sizeK (712-1116, default 1116): +512M

Command (m for help): n

Command action
l logical (5 or over)
p primary partition (1-4)
l
First cylinder (778-1116, default 778): 778
Last cylinder or +size or +sizeM or +sizeK (778-1116, default 1116): +1024M

Command (m for help): n

Command action
l logical (5 or over)
p primary partition (1-4)
l
First cylinder (909-1116, default 909): 909
Last cylinder or +size or +sizeM or +sizeK (909-1116, default 1116): +256M

Command (m for help): n

Command action
l logical (5 or over)
p primary partition (1-4)
l
First cylinder (942-1116, default 942): 942
Last cylinder or +size or +sizeM or +sizeK (942-1116, default 1116): 1116

Command (m for help): t

Partition number (1-12): 12
Hex code (type L to list codes): 82
Changed system type of partition 12 to 82 (Linux swap)

43
Step 2
Now, use the p command to list the partition that we’ve created, you must see something like the
following information on your screen.

Command (m for help): p

Disk /tmp/sda: 255 heads, 63 sectors, 1116 cylinders

Units = cylinders of 16065 * 512 bytes

Device Boot Start End Blocks Id System

/tmp/sda1 1 3 24066 83 Linux
/tmp/sda2 4 1116 8940172+ 5 Extended
/tmp/sda5 4 36 265041 83 Linux
/tmp/sda6 37 102 530113+ 83 Linux
/tmp/sda7 103 678 4626688+ 83 Linux
/tmp/sda8 679 711 265041 83 Linux
/tmp/sda9 712 777 530113+ 83 Linux
/tmp/sda10 778 908 1052226 83 Linux
/tmp/sda11 909 941 265041 83 Linux
/tmp/sda12 942 1116 1405656 82 Linux Swap

Step 3
If all the partitions look fine and meet your requirements, use the w command to write the table to
disk and exit fdisk program:

Command (m for help): w

The partition table has been altered

Step 4
After you have partitioned your drive with fdisk, press Next and continue the installation with
Disk Druid to choose the mount point of the directories. Disk Druid contains a list of all disk
partitions with file-systems readable by Linux. This gives you the opportunity to assign these
partitions to different parts of your Linux system when it boots. Select the partition you wish to
assign and press Enter; then enter the mount point for that partition, e.g., /var.

44
 Installation Issues 0
CHAPTER 2

Boot Loader Installation

On the next screen you will see the Boot Loader Configuration screen. In order to boot your Linux
system, you usually need to install a boot loader. With new release of Linux, you can choose to
install either GRUB, LILO, or you can choose not to install a boot loader at all.

GRUB is the new and recommended method to boot Linux. You can still decide to use LILO, but
it’s better to go with GRUB now. From this screen, you will see different configurable options
related to GRUB or LILO.

The first option is:

• Use GRUB as the boot loader

This option allows you to use the GRUB software as your boot loader to boot your Linux operating
system on the computer. This is the recommended method to use with Linux. GRUB works in the
same way as LILO work with many additional security and advanced features that LILO cannot
provide you. In our setup, we use this option to boot our Linux server.

The second option is:

• Use LILO as the boot loader

This option allows you to use the LILO software as your boot loader to boot your Linux operating
system on the computer. Remember that LILO is now the old method to boot Linux and I
recommend you to go with GRUB instead if you want to stay up-to-date with latest technology on
the Linux world. In our setup, we don’t choose or use this option.

The third option is:

• Do not install a boot loader

This option allows you to skip installing any type of available boot loader (GRUB or LILO) with
Linux. This is useful if you use a boot disk rather than GRUB or LILO to start your operating
system. This can greatly improve security in some case since you need to have a bootable Linux
floppy with the kernel on it to start the server. But in other hand, you will not be able to restart the
server remotely if something happens. In our setup, we don’t use this option.

The fourth option is:

• Install Boot Loader record on:

Master Boot Record (MBR)

First sector of boot partition

Usually, if Linux is the only operating system on your machine (and this must be the case in a
server installation), you should choose the “Master Boot Record (MBR)” option. The MBR is a
special area on your hard drive that is automatically loaded by your computer's BIOS, and is the
earliest point at which the boot loader can take control of the boot process.

45
The fifth option is:

• Force use of LBA32

This option (if checked) allows you to exceed the 1024 cylinder limit for the /boot partition. If you
have a system which supports the LBA32 extension for booting operating systems above the
1024 cylinder limit, and you want to place your /boot partition above cylinder 1024, you should
select this option but in most case you can live without it and your system will perfectly work. In
our setup of the operating system, we don’t use it.

The GRUB Password

This section applies only if you have selected GRUB as your boot loader. If you are installing GRUB
as your boot loader, you should create a password to protect your system. Without a GRUB
password, users with access to your system can pass options to the kernel which can
compromise your system security. With a GRUB password in place, the password must first be
entered in order to select any non-standard boot options.

46
 Installation Issues 0
CHAPTER 2

Network Configuration
After that, you need to configure your network. If you have multiple Ethernet devices, each device
will have its own configuration screen. You will be answered to enter the IP Address, Netmask,
Network, Broadcast addresses, and the Gateway, Primary DNS (and if applicable the Secondary
DNS and Ternary DNS) addresses. You should know all of the information or you can ask your
system administrator to help you get the correct information.

Firewall Configuration
From this part of the setup installation, we have possibility to configure a Firewall. This is OK for
the average end user but NOT for serious Firewall security. This newly added feature uses the
old IPCHAINS tool of Linux with the help of a small utility named “lokkit” to set up your firewall.

I highly recommend you to deactivate this feature now and see later in this book on how to install
and configure IPTables with GIPTable, which is the new Firewall tool to use with Linux and
kernel 2.4 generation. GIPTables is simply a Firewall software that can help you to configure
IPTables in the most secure and easily way than any other firewall software can provide you.

From the next screen that appears, you will see three different security levels available, choose
the “No firewall” option and click Next.

47
Language Support Selection
With the internalization, a need for different language support has appeared. From here the
installation will ask you to choose the default language that will be used on your Linux system
once the installation is complete. If you are only going to use one language on your system,
selecting only this language will save significant disk space.

48
 Installation Issues 0
CHAPTER 2

Time Zone Selection

On the next screen, you will have the opportunity to set your time zone. Once selected click Next.

Account Configuration
After the clock has been configured, you need to give your system a root password account.

49
Authentication Configuration
Finally, the last stage is the authentication configuration. For Authentication Configuration don’t
forget to select:

Enable MD5 passwords

Enable Shadow passwords

Enable MD5 passwords - allows a long password to be used (up to 256 characters), instead of the
Unix standard eight letters or less.

Enable shadow passwords - provides a very secure method of retaining passwords for you. All
passwords are stored in a file named shadow, which is readable only by the super-user root.

Enable NIS, LDAP, Kerberos and SMB doesn’t need to be selected since we are not configuring
these services on this server right know.

Selecting Package Groups

After your partitions have been configured and selected for formatting and configurations have
been set for your specific system, you are ready to select packages for installation. By default,
Linux is a powerful operating system that runs many useful services. However, many of these
services are unneeded and pose potential security risks.

Ideally, each network service should be on a dedicated, single-purpose host. Many Linux
operating systems are configured by default to provide a wider set of services and applications
than are required to provide a particular network service, so you may need to configure the server
to eliminate unneeded services. Offering only essential services on a particular host can enhance
your network security in several ways:

50
 Installation Issues 0
CHAPTER 2

Other services cannot be used to attack the host and impair or remove desired network
services.

The host can be configured to better suit the requirements of the particular service.
Different services might require different hardware and software configurations, which
could lead to needless vulnerabilities or service restrictions.

By reducing services, the number of logs and log entries is reduced so detecting
unexpected behavior becomes easier.

Different individuals may administer different services. By isolating services so each host
and service has a single administrator you will minimize the possibility of conflicts
between administrators.

A proper installation of your Linux server is the first step to a stable, secure system. From the
screen menu that appears (Selecting Package Groups), you first have to choose which system
components you want to install, in our case; we must DESELECT ALL CHECKED Package
Groups on the list.

Since we are configuring a Linux server, we don’t need to install a graphical interface (XFree86)
on our system (a graphical interface on a server means less processes, less CPU availability, less
memory, security risks, and so on), also computers are subject to the treachery of images as well.
The image on your computer screen is not a computer file -- it's only an image on a computer
screen. Images of files, processes, and network connections are very distant cousins of the
actual bits in memory, in network packets, or on disks.

Layer upon layer of hardware and software produces the images that you see. When an intruder
"owns" a machine, any of those layers could be tampered with. Application software can lie, OS
kernels can lie, boot PROMs can lie, and even hard disk drives can lie. Graphical interfaces are
usually used on only workstations.

Step 1
First of all, it is vital to verify and be SURE to deselect all of the following Package Group:

Printing Support Anonymous FTP Server

Classic X Window System SQL Database Server
X Window System Web Server
Laptop Support Router / Firewall
GNOME DNS Name Server
KDE Network Managed Workstation
Sound and Multimedia Support Authoring and Publishing
Network Support Emacs
Dialup Support Utilities
Messaging and Web Tools Legacy Application Support
Graphics and Image Manipulation Software Development
New Server Kernel Development
NFS File Server Windows Compatibility / Interoperability
Windows File Server Games and Entertainment
Everything

To resume, it is very important and I say VERY IMPORTANT to deselect (none is selected) every
selected Packages Group before clicking on the Next button for continuing the installation.

51
We don’t want and don’t need to install any additional packages. The default install of this Linux
distribution already comes with the most essential programs we need for the base functionality of
the operating system.

Step 2
At this point, the installation program will check dependencies in packages selected for
installation (in our case no packages are selected) and format every partition you selected for
formatting in you system. This can take several minutes depending on the speed of your
machine. Once all partitions have been formatted, the installation program starts to install Linux to
your hard drive.

52
 Installation Issues 0
CHAPTER 2

Boot Disk Creation

From this section of the installation, we have the possibility to create a boot disk for our newly
installed operating system. If you do not want to create a boot disk, you should check the “Skip
boot disk creation” checkbox before you click Next. Creating a boot disk must be made if you
decide to not install GRUB or LILO on the MBR (the Master Boot Record) or if you are not installing
GRUB or LILO at all.

How to use RPM Commands

This section contains an overview of using RPM for installing, uninstalling, upgrading, querying,
listing, and checking RPM packages on your Linux system. You must be familiar with these RPM
commands now because we’ll use them often in this book and especially later in this chapter for
software that must be uninstalled after installation of the server.

Install a RPM package:

Note that RPM packages have a file of names like foo-1.0-2.i386.rpm, which include the
package name (foo), version (1.0), release (2), and architecture (i386).

• To install a RPM package, use the command:

[root@deep /]# rpm -ivh foo-1.0-2.i386.rpm
foo ##################################################

Uninstall a RPM package:

Notice that we used the package name “foo”, not the name of the original package file “foo-
1.0-2.i386.rpm”.

• To uninstall a RPM package, use the command:

[root@deep /]# rpm -e foo

53
Upgrade a RPM package:
With this command, RPM automatically uninstalls the old version of foo package and installs the
new one. Always use “rpm -Uvh” command to install packages, since it works fine even when
there are no previous versions of the package installed. This is the recommended method of
installing package on the system.

• To upgrade a RPM package, use the command:

[root@deep /]# rpm -Uvh foo-1.0-2.i386.rpm
foo ##################################################

Force the installation of a RPM package:

With this command, RPM will force the installation of the specified package even if some conflict
or other kind of problem exists. This command should be used with care and only if you know
what you do. In most case, RPM can correctly guest problem and refuse to install. To bypass RPM
warning, you can use the RPM command below.

• To force the installation of a RPM package, use the command:

[root@deep /]# rpm -Uvh --force foo-1.0-2.i386.rpm
foo ##################################################

Avoid RPM package dependency:

With this command, RPM will not take care of package dependency and will install the RPM
software on your system. Package dependency is an important concept in the RPM world.
Dependency is when some other packages depend of the RPM package you are trying to install.

By default, RPM check if all other RPM packages required for the RPM you try to install are present
before installing the RPM. If some required packages are not present, RPM will inform you. This is
made to avoid problem and be sure that the software you want to install will perfectly work. In
some special case, we don’t need to take care of dependency and can use the option below to
inform it to skip the dependency check when installing the software.

• To avoid RPM package dependency, use the command:

[root@deep /]# rpm -Uvh --nodeps foo-1.0-2.i386.rpm
foo ##################################################

Query a RPM package:

This command will print the package name, version, and release number of installed package
foo. Use this command to verify that a package is or is not installed on your system.

• To query a RPM package, use the command:

[root@deep /]# rpm -q foo
foo-2.3-8

54
 Installation Issues 0
CHAPTER 2

Display RPM package information:

This command displays package information; includes name, version, and description of the
installed program. Use this command to get information about the installed package.

• To display RPM package information, use the command:

[root@deep /]# rpm -qi foo
Name : foo Relocations: none
Version : 2.3 Vendor: OpenNA.com, Inc.
Release : 8 Build Date: Thu 24 Aug 2000 11:16:53 AM EDT
Install date: Mon 12 Feb 2001 01:17:24 AM EST Build Host: openna.com
Group : Applications/Archiving Source RPM: foo-2.3-8.src.rpm
Size : 271467 License: distributable
Packager : OpenNA.com, Inc. <http://www.openna.com/>
Summary : Here will appears summary of the package.
Description : Here will appears the description of the package.

Display RPM package information before installing the program:

This command displays package information; includes name, version, and description of the
program without the need to install the program first. Use this command to get information about
a package before you install it on your system.

• To display package information before installing the program, use the command:
[root@deep /]# rpm -qpi foo-2.3-8.i386.rpm
Name : foo Relocations: none
Version : 2.3 Vendor: OpenNA.com, Inc.
Release : 8 Build Date: Thu 24 Aug 2000 11:16:53 AM EDT
Install date: Mon 12 Feb 2001 01:17:24 AM EST Build Host: openna.com
Group : Applications/Archiving Source RPM: foo-2.3-8.src.rpm
Size : 271467 License: distributable
Packager : OpenNA.com, Inc. <http://www.openna.com/>
Summary : Here will appears summary of the package.
Description : Here will appears the description of the package.

List files in a installed RPM package:

This command will list all files in a installed RPM package. It works only when the package is
already installed on your system.

• To list files in a installed RPM package, use the command:

[root@deep /]# rpm -ql foo
/usr/bin/foo
/usr/bin/foo1
/usr/sbin/foo2

List files in RPM package that is not already installed:

This command will list all files in a RPM package that is not already installed on your system. It is
useful when you want to know which components are included in the package before installing it.

• To list files in RPM package that is not already installed, use the command:
[root@deep /]# rpm -qpl foo
/usr/lib/foo
/usr/bin/foo1
/usr/sbin/foo2

55
Know which files is part of which RPM package:
This command will show you from which RPM package the file comes from. It works only when the
package is already installed on your system and it is very useful when you see some files into
Linux that you do not know about it and want to get more information about its RPM provenance.

• To know which files is part of which RPM package, use the command:
[root@deep /]# rpm -qf /etc/passwd
setup-2.3.4-1

Check RPM signature package:

This command checks the PGP signature of specified package to ensure its integrity and origin.
Always use this command first before installing new RPM package on your system. GnuPG or PGP
software must be already installed on your system before you can use this command. See the
chapter related to GnuPG installation and configuration for more information.

• To check a RPM signature package, use the command:

[root@deep /]# rpm --checksig foo

Examine the md5sum of RPM package:

The RPM md5sum is useful to verify that a package has not been corrupted or tampered with. You
can use it to be sure that the download of your new RPM package was not corrupted during
network transfer.

• To examine only the md5sum of the package, use the command:

[root@deep /]# rpm --checksig --nogpg foo

Starting and stopping daemon services

The init program of Linux (also known as process control initialization) is in charge of starting
all the normal and authorized processes that need to run at boot time on your system. These may
include the APACHE daemons, NETWORK daemons, and anything else that must be running
when your machine boots.

Each of these processes has a script file under the /etc/init.d directory written to accept an
argument, which can be start, stop, restart, etc. As you can imagine, those script are made
to simplify the administration of the server and the way we can start or stop services under Linux.
Of course, we can use the native way to start all required services under our server, but it is much
simple to have some kind of script files that should provide us some easy method to automate
and control the procedures. This is why init program and all initialization script files available
under the /etc/init.d directory exist.

Below are some examples showing you how to execute those scripts by hand.

For example:

• To start the httpd web server daemon manually under Linux, you’ll type:
[root@deep /]# /etc/init.d/httpd start
Starting httpd: [OK]

• To stop the httpd web server daemon manually under Linux, you’ll type:
[root@deep /]# /etc/init.d/httpd stop
Shutting down http: [OK]

56
 Installation Issues 0
CHAPTER 2

• To restart the httpd web server daemon manually under Linux, you’ll type:
[root@deep /]# /etc/init.d/httpd restart
Shutting down http: [OK]
Starting httpd: [OK]

Check inside your /etc/init.d directory for services available and use the commands start |
stop | restart to work around. You will see along this book that we often use initialization
script file to administration and control the way we start, restart, stop, etc services under Linux.

Software that must be uninstalled after installation of the server

Red Hat Linux installs other programs on your system by default and doesn’t give you the choice
to uninstall them during the install setup. For this reason, you must uninstall the following
software after the complete installation of our Linux server.

Below is the list of programs and a short description of their purpose. We must uninstall them for
increased security and to make more space on our server. For more information and an
explanation of their capabilities and uses, please see your Red Hat manual or query the package
by making an “rpm -qi foo” command before uninstalling them.

The anacron package:

The anacron package is similar to the cron package but differ in the way that it does not
assume that the system is running continuously and it is a good command scheduler for system
which doesn’t run 24 hours a day. In server environment, the system should absolutely run 24/24
hours; therefore we simply don’t need to have this kind of package installed on a server.

• To remove the anacron package from your system, use the following commands:
[root@deep /]# /etc/init.d/anacron stop
[root@deep /]# rpm -e anacron
[root@deep /]# rm -rf /var/spool/anacron/

The apmd package:

The apmd package or Advanced Power Management Daemon utilities is used on notebook
computer. It can watch your notebook's battery and warn all users when the battery is low. As you
can imagine, there is no need to have it installed on a server machine.

• To remove the apmd package from your system, use the following commands:
[root@deep /]# /etc/init.d/apmd stop
[root@deep /]# rpm -e apmd

The at package:
The at package is a utility that will do time-oriented job control by scheduling a command to run
later. Unfortunately, it has had a rich history of problems and we can achieve the same
functionality with the more secure vixie-cron package. For this reason I recommend you to
uninstall it.

• To remove the at package from your system, use the following commands:
[root@deep /]# /etc/init.d/atd stop
[root@deep /]# rpm -e at

57
The gpm package:
The gpm package provides mouse support to text-based Linux applications. It’s the software that
allows you to cut-and-paste operations using the mouse on your terminal. If most of your entire
administration of the server is made via remote connection, you can remove this package to save
some processes and memories. We can continue to use cut-and-paste operation via remote
connection to the server without problem. The gpm package is only useful if you stay at the
console terminal of your server to make administration tasks.

• To remove the gpm package from your system, use the following commands:
[root@deep /]# /etc/init.d/gpm stop
[root@deep /]# rpm -e gpm

The dhcpcd package:

The dhcpcd package contains the protocol, which allows systems to get their own network
configuration information from a DHCP server. If you are going to use DHCP on your network, it is
recommended to install the DHCP client included in the pump package, which provides a faster
and simpler DHCP client. For more information about DHCP, see its related chapter in this book.

• To remove the dhcpcd package from your system, use the following command:
[root@deep /]# rpm -e dhcpcd

The eject package:

The eject package contains an eject program that allows the user to eject removable media
(typically CD-ROMs, floppy disks, Iomega Jaz or Zip disks) using software. This is an unneeded
program to have installed in a server environment. You should keep it installed only if you’re
intended to run a tape backup on your system.

• To remove the eject package from your system, use the following command:
[root@deep /]# rpm -e eject

The hotplug package:

The hotplug package is a helper application for loading modules for USB devices. On a server
environment, USB devices are not used at all and are required only on Linux workstation.

• To remove the hotplug package from your system, use the following command:
[root@deep /]# rpm -e hotplug

The lokkit package:

The lokkit package is a Firewall configuration application for an average end user and it is not
designed to configure arbitrary firewalls since it is solely designed to handle typical dialup user
and cable modem set-ups. It is not the answer to a complex firewall configuration, and it is not the
equal of an expert firewall designer. Therefore remove it from your server and read the chapter
related to GIPTables in this book for more information about secure firewall configuration.

• To remove the lokkit package from your system, use the following command:
[root@deep /]# rpm -e lokkit

58
 Installation Issues 0
CHAPTER 2

The ipchains package:

The ipchains package is the old tool used with Linux kernel 2.2 for managing Linux kernel
packet filtering capabilities and to set up firewalling on the network. A new and more powerful tool
called “IPTables” exists and this is the one that we will use later in the book to set up our
firewall on Linux.

• To remove the ipchains package from your system, use the following command:
[root@deep /]# rpm -e ipchains

The ksymoops package:

The ksymoops package is a small tool used to report kernel oops and error message decoder.
This package is useful for developers that work on the Linux kernel and want to debug or for
users that want to report bugs with the kernel. The same result can be achieved with the dmesg
command of Linux. Therefore, you can remove this package from your secure server.

• To remove the ksymoops package from your system, use the following command:
[root@deep /]# rpm -e ksymoops

The kudzu package:

The kudzu package is a hardware-probing tool that runs at system boot time to determine what
hardware has been added or removed from the system. Again, in server environment, we don’t
upgrade, add or remove hardware every time. Therefore, we can safety remove this small
package from our server.

• To remove the kudzu package from your system, use the following command:
[root@deep /]# rpm -e kudzu

The mailcap package:

Metamail is a program that uses the mailcap file to determine how it should display non-text or
multimedia material. We don’t need to have it installed at all. Remove it.

• To remove the mailcap package from your system, use the following command:
[root@deep /]# rpm -e mailcap

The pciutils package:

The pciutils package contains various utilities for inspecting and setting devices connected to
the PCI bus. Keep it installed if you want, but I recommend removing it form the server.

• To remove the pciutils package from your system, use the following command:
[root@deep /]# rpm -e pciutils

The raidtools package:

The raidtools package includes the tools you need to set up and maintain a software RAID
device on a Linux system. You should keep this package only if you have configured your server
to run with RAID support. Otherwise, remove it.

• To remove the raidtools package from your system, use the following command:
[root@deep /]# rpm -e raidtools

59
The redhat-logos package:
The redhat-logos package contains files of the Red Hat "Shadow Man" logo and the RPM logo.

• To remove the redhat-logos package from your system, use the following command:
[root@deep /]# rpm -e redhat-logos

The redhat-release package:

The redhat-release package contains the Red Hat Linux release files. Please note that if you
remove this package, the boot process of the system will generate error messages because it will
look for a file called “redhat-release” which will not be available anymore. To solve this
problem, we recreate the required file under the appropriated directory and add as content of this
file the word “Red Hat Linux”. Of course you can change it for whatever you want.

• To remove the redhat-release package from your system, use the command:
[root@deep /]# rpm -e redhat-release
[root@deep /]# echo Red Hat Linux > /etc/redhat-release

The setserial package:

The setserial package is a basic system utility for displaying or setting serial port information.

• To remove the setserial package from your system, use the command:
[root@deep /]# rpm -e setserial

The hdparm package:

The program hdparm is needed by IDE hard disks but not SCSI hard disks. If you have an IDE
disk on your system you must keep this program (hdparm), but if you don’t have an IDE hard
disk you can remove it safely from your system. hdparm is a small Linux tool used to optimize
your IDE hard drive. SCSI hard drives don’t need to be optimized since they are capable to run at
their full speed (80 Mps to 160 Mps) without modification.

• To remove the hdparm package from your system, use the following command:
[root@deep /]# rpm -e hdparm

The mkinitrd package:

The program mkinitrd is needed by SCSI or RAID hard disk but not IDE hard disks. If you
have a SCSI or RAID disk on your system you must keep this program (mkinitrd), but if you
don’t have a SCSI or RAID hard disk you can safely remove it from your system.

• To remove the mkinitrd package from your system, use the following command:
[root@deep /]# rpm -e --nodeps mkinitrd

The xconfig packages:

Use the programs kbdconfig, mouseconfig, timeconfig, netconfig, authconfig,
ntsysv, and setuptool in order to set your keyboard language and type, your mouse type,
your default time zone, your Ethernet devices, your NIS and shadow passwords, your numerous
symbolic links in /etc/rc.d directory, and text mode menu utility which allow you to access all
of these features.

60
 Installation Issues 0
CHAPTER 2

After those configurations have been set during the installation stage of your Linux server it’s rare
that you would need to change them again. So, you can uninstall them, and if in the future you
need to change your keyboard, mouse, default time, etc again via test mode menu, all you have
to do is to install the program with the RPM from your original CD-ROM.

• To remove all the above programs from your system, use the following command:
[root@deep /]# rpm -e kbdconfig mouseconfig timeconfig netconfig
authconfig ntsysv setuptool

The newt package:

The newt package provides a development library for text mode user interfaces. It’s mainly used
by all the above config packages. Since all the config packages are removed from the server, we
can safety remove newt from our system. If you have decided to keep the above config
packages (kbdconfig, mouseconfig, etc), then you should keep newt, otherwise you should
remove it.

• To remove the newt package from your system, use the following command:
[root@deep /]# rpm -e newt

The lilo package:

The lilo package provides a boot loader for Linux. Remember that during our Linux installation,
we have chosen to go with GRUB instead of LILO as our boot loader for Linux. Therefore, you can
safety remove this package from your system since it’s really not used now.

• To remove the lilo package from your system, use the following command:
[root@deep /]# rpm -e lilo
[root@deep /]# rm -f /etc/lilo.conf.anaconda

The reiserfs-utils package:

The reiserfs-utils package contains a number of utilities for creating, checking, modifying,
and correcting any inconsistencies in ReiserFS file-systems. ReiserFS is another file-system
like Ext3 for Linux. In our configuration of Linux we use Ext3 as our file-system therefore we
don’t need to keep this package installed. Keep this utility package only if you intended to run
ReiserFS instead of Ext3 file-system on your Linux server.

• To remove the reiserfs-utils package from your system, use the command:
[root@deep /]# rpm -e reiserfs-utils

The quota package:

The program quota is a system administration tools for monitoring and limiting user/group disk
usage, per file system. This program must be installed only on servers where the need for
monitoring and restricting amount of disk space in user’s directories is require.

• To remove the quota package from your system, use the following command:
[root@deep /]# rpm -e quota

61
The indexhtml package:
The indexhtml package contains the HTML page and graphics for a welcome page shown by
your browser under graphical interface installation. These HTML pages are information about Red
Hat software. You really don’t need this package under server installation and especially when
GUI is not available. Therefore, you can safety remove this package from your system.

• To remove the indexhtml package from your system, use the following command:
[root@deep /]# rpm -e indexhtml

The usbutils package:

The usbutils package provides Linux USB utilities for inspecting devices connected to a USB
bus on your system. In server environment, we really don’t use any USB devices and can safety
remove this package from our server installation. USB will usually be used only in Linux
workstation installation where you want to plug printer, camera and any other media of this type.

• To remove the usbutils package from your system, use the following command:
[root@deep /]# rpm -e usbutils

The hwdata package:

The hwdata package contains various hardware identification and configuration data mainly
used with USB and XFree86. Remember that XFree86 is related to graphical interface and since
we don’t use any GUI into our Linux server, we can remove this package from our system.

• To remove the hwdata package from your system, use the following command:
[root@deep /]# rpm -e hwdata

The parted package:

The parted package contains various utilities to create, destroy, resize, move and copy hard
disk partitions. It is useful when you need to play with your hard disk structure. In most case, we
partition and set hard disk organization at the installation of the operating system and don’t need
to play or change something once everything are installed and running properly. It’s rare to have
to use this package utility on a production server and this is the reason why I recommend you to
uninstall it. If you prefer to keep it installed for future possible usage, you are free to do it.

• To remove the parted package from your system, use the following command:
[root@deep /]# rpm -e parted

The hesiod package:

The hesiod package is another one that we can uninstall from our Linux server configuration
setup. It’s a system which uses existing DNS functionality to provide access to databases of
information that change infrequently. In most cases, we don’t need it and you should keep it
install only if you think that you will need it for some special configuration of your server.

• To remove the hesiod package from your system, use the following command:
[root@deep /]# rpm -e hesiod

62
 Installation Issues 0
CHAPTER 2

The mt-st package:

The mt-st package provides tools for controlling and managing tape drives on your system. You
should keep it installed only if you have and want to run a tape backup media on your system.

• To remove the mt-st package from your system, use the following command:
[root@deep /]# rpm -e mt-st

The man-pages package:

The man-pages package provides a large collection of additional manual pages (man pages)
from the Linux Documentation Project (LDP). By default many manual pages are installed with
the operating system and the man-pages package provides additional documentation for those
who want to read them on the system. In server environment, I really don’t see the need to have
additional manual pages installed since these manual pages can be read online from the Internet
or even on another computer running as a development or workstation.

• To remove the man-pages package from your system, use the following command:
[root@deep /]# rpm -e man-pages

The sendmail package:

Even if you don’t want to run your system as a full mail server, mailer software is always needed
for potential messages sent to the root user by different software services installed on your
machine.

Sendmail is a Mail Transport Agent (MTA) program that sends mail from one machine to another
and it’s the default mail server program installed on Red Hat Linux. Unfortunately, this software
has a long history of security problem and for this reason I highly recommend you to not use it on
your Linux server. You must uninstall Sendmail and see the part in this book that is related to
Mail Transfer Agent configuration and installation for some good alternative like Exim or Qmail.

• To remove the sendmail package from your system, use the following commands:
[root@deep /]# /etc/init.d/sendmail stop
[root@deep /]# rpm -e sendmail

The procmail package:

Procmail is a mail-processing program, which can be used by Sendmail for all local mail
delivery and filtering. This program is required only if you decide to install and use Sendmail on
your server and only if Sendmail is installed. Since we’ve decided to not go with Sendmail as
our MTA for security reason, we can uninstall procmail from our Linux server.

• To remove the procmail package from your system, use the following command:
[root@deep /]# rpm -e procmail

The openldap package:

The OpenLDAP software is a set of protocols for accessing directory services like phone book
style information and other kinds of information over the Internet. This useful program is not
suitable for everyone and depends of what you want to do with your system. If you want to give it
a try, see later in this book under the chapter related to databases for more information.

• To remove the OpenLDAP package from your system, use the following command:
[root@deep /]# rpm -e --nodeps openldap

63
The cyrus-sasl packages:
The Cyrus SASL implementation is the Simple Authentication and Security Layer, a method for
adding authentication support to connection-based protocols. It is used in conjunction with
Cyrus, which is an electronic messaging program like Sendmail. Since Cyrus SASL is made to
be used with Sendmail that we have removed previously for security reason, we can safety
remove it.

• To remove the Cyrus SASL package from your system, use the following command:
[root@deep /]# rpm -e --nodeps cyrus-sasl cyrus-sasl-md5 cyrus-sasl-plain

The openssl package:

OpenSSL is an SSL encryption mechanism which ensures and provides safe and secure
transactions of data over networks. This piece of software is one of the most important tools for a
Linux server and it is highly recommended that it is installed. Unfortunately, the one that comes
with Red Hat Linux is not up to date and not optimized for our specific server. For this reason, we
will uninstall it now and see later in this book, under the chapters related to security software, how
to install, secure, optimize and use it.

• To remove the OpenSSL package from your system, use the following command:
[root@deep /]# rpm -e --nodeps openssl
[root@deep /]# rm -rf /usr/share/ssl/

The ash package:

The ash package is a smaller version of the bourne shell (sh). Since we already use sh, we can
uninstall this package from our system. If you use this program in your regular administration
task, then keep it installed on your server. In most case, we can remove it.

• To remove the ash package from your system, use the following command:
[root@deep /]# rpm -e ash

The tcsh package:

The tcsh package is an enhanced version of csh, another C shell. We already have bash as our
default shell program on Linux, and I don’t find any reason to keep another variant installed if we
don’t have any program or services that need it to run.

Most services under Linux can easily run with our default bash shell program and if you don’t
have any program that required tcsh to run, then I recommend you to uninstall it. If in the future,
you see that you need to have tcsh installed on your server for some specific program to run,
then all you have to do is to install it from your CD-ROM. In most cases, there is no program that
needs tsch to run, therefore you can remove it.

• To remove the tcsh package from your system, use the following command:
[root@deep /]# rpm -e tcsh

64
 Installation Issues 0
CHAPTER 2

The specspo package:

The specspo package contains the portable object catalogues used to internationalize Red Hat
packages. I don’t think that this kind of package is really required on a production server.

• To remove the specspo package from your system, use the following command:
[root@deep /]# rpm -e specspo

The krb5-libs package:

The krb5-libs package contains the shared libraries needed by Kerberos 5. Because we’re
not using Kerberos, we’ll need to uninstall this package. Kerberos is not secure as you can
think and can be cracked easily with some good knowledge of this program. Anyway it is yours to
decide if you really need it.

• To remove the krb5-libs package from your system, use the following command:
[root@deep /]# rpm -e krb5-libs
[root@deep /]# rm -rf /usr/kerberos/

The MAKEDEV package:

The MAKEDEV package contains the MAKEDEV program, which makes it easier to create and
maintain the files in the /dev directory. Program provided by this package is used for creating
device files in the /dev directory of your server. In general, we use it under development server
when we build new package for our Linux system. On production servers, it’s rare to use it.
Therefore we can remove it from our system without any problem.

• To remove the MAKEDEV package from your system, use the following command:
[root@deep /]# rpm -e MAKEDEV

Remove unnecessary documentation files

By default the majority of each RPM’s packages installed under Linux come with documentation
files related to the software. This documentation contains original files from the program tar
archive like README, FAQ, BUG, INSTALL, NEWS, PROJECTS and more.

Many of them can be easily retrieved from the website where the program has been downloaded
and it makes no sense for them to be kept on your system. I know that hard drives costs have
come down considerably recently, but why keep this kind of documentation on a secure server if
it unlikely they will not be read more than once. Anyway, have a look inside those files and decide
for yourself if you want to remove them or not.

• To remove all documentation files from your system, use the following commands:
[root@deep /]# cd /usr/share/doc/
[root@deep doc]# rm -rf *

65
Remove unnecessary/empty files and directories
There are some files and directories we can remove manually from the file system of Linux to
make a clean install. These files and directories are not needed but still exist after our secure
installation of Linux and can be removed safely. Some are bugs from the Red Hat installation
script and others are created by default even if you don’t use them.

• To remove all unnecessary files and directories from your system, use the commands:
[root@deep /]# rm -f /etc/exports
[root@deep /]# rm -f /etc/printcap
[root@deep /]# rm -f /etc/ldap.conf
[root@deep /]# rm -f /etc/krb.conf
[root@deep /]# rm -f /etc/yp.conf
[root@deep /]# rm -f /etc/hosts.allow
[root@deep /]# rm -f /etc/hosts.deny
[root@deep /]# rm -f /etc/csh.login
[root@deep /]# rm -f /etc/csh.cshrc
[root@deep /]# rm -f /etc/fstab.REVOKE
[root@deep /]# rm -f /etc/pam_smb.conf
[root@deep /]# rm -rf /etc/xinetd.d/
[root@deep /]# rm -rf /etc/opt/
[root@deep /]# rm -rf /etc/X11/
[root@deep /]# rm -rf opt/
[root@deep /]# rm -rf /var/opt/
[root@deep /]# rm -rf /var/nis/
[root@deep /]# rm -rf /var/yp/
[root@deep /]# rm -rf /var/lib/games/
[root@deep /]# rm -rf /var/spool/lpd/
[root@deep /]# rm -rf /usr/lib/python1.5/
[root@deep /]# rm -rf /usr/lib/games/
[root@deep /]# rm -rf /usr/X11R6/
[root@deep /]# rm -rf /usr/etc/
[root@deep /]# rm -rf /usr/games/
[root@deep /]# rm -rf /usr/local/
[root@deep /]# rm -rf /usr/dict/
[root@deep /]# rm -f /usr/bin/X11
[root@deep /]# rm -f /usr/lib/X11

NOTE: If in the future you want to install a program which needs some of the files/directories we
have removed, then the program will automatically recreate the missing files or directories. Good!

Software that must be installed after installation of the server

There are certain programs required to be able to compile programs on your server, for this
reason you must install the following RPM packages. This part of the installation is very important
and requires that you install all the packages described below.

These are on your Red Hat Part 1 and Part 2 CD-ROMs under RedHat/RPMS directory and
represent the necessary base software needed by Linux to compile and install programs. Please
note that if you don’t want to compile software in your server or if you only use RPM’s packages to
update programs or if you use a dedicated server to develop, compile or create your own RPM’s
packages which will be installed later along your network on the servers, then you DON’T need to
install the packages described here.

66
 Installation Issues 0
CHAPTER 2

Step 1
First, we mount the CD-ROM drive and move to the RPMS subdirectory of the CD-ROM.

• To mount the CD-ROM drive and move to RPM directory, use the following commands:
[root@deep /]# mount /dev/cdrom /mnt/cdrom/
had: ATAPI 32X CD-ROM drive, 128kB Cache
mount: block device dev/cdrom is write-protected, mounting read-only
[root@deep /]# cd /mnt/cdrom/RedHat/RPMS/

These are the packages that we need to be able to compile and install programs on the Linux
system. Remember, this is the minimum number of packages that permits you to compile most of
the tarballs available for Linux. Other compiler packages exist on the Linux CD-ROM, so verify
with the README file that came with the tarballs program you want to install if you receive error
messages during compilation of the specific software.

The compiler packages:

Compiler packages contain programs and languages used to build software on the system.
Remember to uninstall the entire following compiler packages after successful installation of all
software required on your Linux server.

binutils-2.11.93.0.2-11.i386.rpm flex-2.5.4a-23.i386.rpm
bison-1.35-1.i386.rpm gcc-2.96-110.i386.rpm
byacc-1.9-19.i386.rpm gcc-c++-2.96-110.i386.rpm
cdecl-2.5-22.i386.rpm glibc-kernheaders-2.4-7.14.i386.rpm
cpp-2.96-110.i386.rpm m4-1.4.1-7.i386.rpm
cproto-4.6-9.i386.rpm make-3.79.1-8.i386.rpm
ctags-5.2.2-2.i386.rpm patch-2.5.4-12.i386.rpm
dev86-0.15.5-1.i386.rpm perl-5.6.1-34.99.6.i386.rpm

The development packages:

Development packages contain header and other files required during compilation of software. In
general, development packages are needed when we want to add some specific functionality to
the program that we want to compile. For example if I want to add PAM support to IMAP, I’ll need
pam-devel, which contains the required header files for IMAP to compile successfully.

As for compiler packages, all development packages must be uninstalled after successful
compilation of all the software that you need on your Linux server. Remember to uninstall them
since they are not needed for proper functionality of the server, but just to compile the programs.

aspell-devel-0.33.7.1-9.i386.rpm libpng-devel-1.0.12-2.i386.rpm
db3-devel-3.3.11-6.i386.rpm libstdc++-devel-2.96-110.i386.rpm
freetype-devel-2.0.9-2.i386.rpm ncurses-devel-5.2-26.i386.rpm
gdbm-devel-1.8.0-14.i386.rpm pam-devel-0.75-32.i386.rpm
gd-devel-1.8.4-4.i386.rpm pspell-devel-0.12.2-8.i386.rpm
glibc-devel-2.2.5-34.i386.rpm zlib-devel-1.1.3-25.7.i386.rpm
libjpeg-devel-6b-19.i386.rpm

67
Dependencies packages:
Dependencies packages are other RPM packages needed by the RPM packages that we want to
install. This happens because some RPM’s are directly linked with others and depend on each
one to function properly. The following packages are required by the above RPM packages and
we will install them to satisfy dependencies. After proper compilation and installation of all needed
software on the Linux server, we can uninstall them safety (if not needed by special program that
we will install).

aspell-0.33.7.1-9.i386.rpm libpng-1.0.12-2.i386.rpm
freetype-2.0.9-2.i386.rpm libtool-libs-1.4.2-7.i386.rpm
gd-1.8.4-4.i386.rpm pspell-0.12.2-8.i386.rpm
libjpeg-6b-19.i386.rpm

Step 2
It is better to install the software described above together if you don’t want to receive
dependencies error messages during the install. Some of the RPMs reside on CD-ROM Part 1
and other on CD-ROM Part2 of Red Hat. For easy installation, I recommend you to copy all of the
required packages (compilers and development) to your hard drive and install them from there.

• These procedures can be accomplished with the following commands:

[root@deep /]# cd /var/tmp/
[root@deep tmp]# rpm -Uvh *.rpm
Preparing... ########################################### [100%]
1:binutils ########################################### [ 2%]
2:bison ########################################### [ 5%]
3:byacc ########################################### [ 8%]
4:cdecl ########################################### [ 11%]
5:cpp ########################################### [ 13%]
6:cproto ########################################### [ 16%]
7:ctags ########################################### [ 19%]
8:db3-devel ########################################### [ 22%]
9:dev86 ########################################### [ 25%]
10:flex ########################################### [ 27%]
11:freetype ########################################### [ 30%]
12:freetype-devel ########################################### [ 33%]
13:gdbm-devel ########################################### [ 36%]
14:glibc-kernheaders ########################################### [ 38%]
15:glibc-devel ########################################### [ 41%]
16:gcc ########################################### [ 44%]
17:libjpeg ########################################### [ 47%]
18:libjpeg-devel ########################################### [ 50%]
19:libpng ########################################### [ 52%]
20:gd ########################################### [ 55%]
21:gd-devel ########################################### [ 58%]
22:libstdc++-devel ########################################### [ 61%]
23:gcc-c++ ########################################### [ 63%]
24:libtool-libs ########################################### [ 66%]
25:m4 ########################################### [ 69%]
26:make ########################################### [ 72%]
27:pam-devel ########################################### [ 75%]
28:patch ########################################### [ 77%]
29:perl ########################################### [ 80%]
30:ncurses-devel ########################################### [ 83%]
31:pspell ########################################### [ 86%]
32:aspell ########################################### [ 88%]
33:pspell-devel ########################################### [ 91%]
34:aspell-devel ########################################### [ 94%]
35:zlib-devel ########################################### [ 97%]
36:libpng-devel ########################################### [100%]

68
 Installation Issues 0
CHAPTER 2

Step 3
After installation and compilation of all programs and services, it’s a good idea to remove all
sharp objects (compilers, etc) described above unless they are required by your system.

A few reasons are:

If a cracker gains access to your server he or she cannot compile or modify binary
programs. Also, this will free a lot of space and will help to improve regular scanning of
the files on your server for integrity checking.

When you run a server, you will give it a special task to accomplish. You will never put all
services you want to offer in one machine or you will lose speed (resources available
divided by the number of process running on the server).

Decrease your security with a lot of services running on the same machine, if a cracker
accesses this server, he or she can attack directly all the others available.

Having different servers doing different tasks will simplify the administration, and
management. You know what task each server is supposed to do, what services should
be available, which ports are open to clients access and which one are closed, you know
what you are supposed to see in the log files, etc, and give you more control and
flexibility on each one (server dedicated for mail, web pages, database, development,
backup, etc.

For example, one server specialized just for development and testing will mean you will
not be compelled to install compiler programs on a server each time you want to compile
and install new software on it, and be obliged afterwards to uninstall the compilers, or
other sharp objects.

69
General Security
IN THIS CHAPTER

1. BIOS
2. Unplug your server from the network
3. Security as a policy
4. Choose a right password
5. The root account
6. Set login time out for the root account
7. Shell logging
8. The single-user login mode of Linux
9. Disabling Ctrl-Alt-Delete keyboard shutdown command
10. Limiting the default number of started ttys on the server
11. The LILO and /etc/lilo.conf file
12. The GRUB and /boot/grub/grub.conf file
13. The /etc/services file
14. The /etc/securetty file
15. Special accounts
16. Control mounting a file system
17. Mounting the /usr directory of Linux as read-only
18. Tighten scripts under /etc/init.d/
19. Tighten scripts under /etc/cron.daily
20. Bits from root-owned programs
21. Don’t let internal machines tell the server what their MAC address is
22. Unusual or hidden files
23. Finding Group and World Writable files and directories
24. Unowned files
25. Finding .rhosts files
26. Physical hard copies of all-important logs
27. Getting some more security by removing manual pages
28. System is compromised!
 General Security 0
CHAPTER 3

Linux General Security

Abstract
A secure Linux server depends on how the administrator makes it. Once we have eliminated the
potential security risk by removing unneeded services, we can start to secure our existing
services and software on our server. Within a few hours of installing and configuring your system,
you can prevent many attacks before they occur. In this chapter we will discuss some of the more
general, basic techniques used to secure your system. The following is a list of features that can
be used to help prevent attacks from external and internal sources.

BIOS
It is recommended to disallow booting from floppy drives and set passwords on BIOS features.
You can check your BIOS manual or look at it thoroughly the next time you boot up your system
to find out how to do this. Disabling the ability to boot from floppy drives and being able to set a
password to access the BIOS features will improve the security of your system.

This will block unauthorized people from trying to boot your Linux system with a special boot disk
and will protect you from people trying to change BIOS features like allowing boot from floppy
drive or booting the server without prompt password. It is important to note that there is a
possibility to bypass this security measure if someone has a physical access to your server since
they can open the computer and unplug the BIOS battery. This will reset all features to their initial
values.

Unplug your server from the network

It is not wise to apply security changes in your newly installed Linux server if you are online. So it
is preferable to deactivate all network interfaces in the system before applying security changes.

• To stop specific network devices manually on your system, use the command:
[root@deep /]# ifdown eth0

• To start specific network devices manually on your system, use the command:
[root@deep /]# ifup eth0

• To shut down all network interfaces, use the following command:

[root@deep /]# /etc/init.d/network stop
Shutting down interface eth0 [OK]
Disabling Ipv4 packet forwarding [OK]

• To start all network interfaces, use the following command:

[root@deep /]# /etc/init.d/network start
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]

75
Security as a policy
It is important to point out that you cannot implement security if you have not decided what needs
to be protected, and from whom. You need a security policy--a list of what you consider allowable
and what you do not consider allowable upon which to base any decisions regarding security.
The policy should also determine your response to security violations. What you should consider
when compiling a security policy will depend entirely on your definition of security. The following
questions should provide some general guidelines:

How do you classify confidential or sensitive information?

Does the system contain confidential or sensitive information?
Exactly whom do you want to guard against?
Do remote users really need access to your system?
Do passwords or encryption provide enough protection?
Do you need access to the Internet?
How much access do you want to allow to your system from the Internet?
What action will you take if you discover a breach in your security?

This list is short, and your policy will probably encompass a lot more before it is completed. Any
security policy must be based on some degree of paranoia; deciding how much you trust people,
both inside and outside your organization. The policy must, however, provide a balance between
allowing your users reasonable access to the information they require to do their jobs and totally
disallowing access to your information. The point where this line is drawn will determine your
policy.

Choose a right password

The starting point of our Linux general security tour is the password. Many people keep their
valuable information and files on a computer, and the only thing preventing others from seeing it
is the eight-character string called a password. An unbreakable password, contrary to popular
belief, does not exist. Given time and resources all passwords can be guessed either by social
engineering or by brute force.

Social engineering of server passwords and other access methods are still the easiest and most
popular way to gain access to accounts and servers. Often, something as simple as acting as a
superior or executive in a company and yelling at the right person at the right time of the day
yields terrific results.

Running a password cracker on a weekly basis on your system is a good idea. This helps to find
and replace passwords that are easily guessed or weak. Also, a password checking mechanism
should be present to reject a weak password when choosing an initial password or changing an
old one. Character strings that are plain dictionary words, or are all in the same case, or do not
contain numbers or special characters should not be accepted as a new password.

We recommend the following rules to make passwords effective:

They should be at least six characters in length, preferably eight characters including at
least one numeral or special character.

They must not be trivial; a trivial password is one that is easy to guess and is usually
based on the user’s name, family, occupation or some other personal characteristic.

They should have an aging period, requiring a new password to be chosen within a
specific time frame.

They should be revoked and reset after a limited number of concurrent incorrect retries.

76
 General Security 0
CHAPTER 3

The root account

The "root" account is the most privileged account on a Unix system. The "root" account has no
security restrictions imposed upon it. This means the system assumes you know what you are
doing, and will do exactly what you request -- no questions asked. Therefore it is easy, with a
mistyped command, to wipe out crucial system files. When using this account it is important to be
as careful as possible. For security reasons, never log in on your server as "root" unless it is
absolutely an instance that necessitates root access. Also, if you are not on your server, never
sign in and leave yourself on as "root"--this is VERY, VERY. VERY BAD.

Set login time out for the root account

Despite the notice to never, if they are not on the server, sign in as “root” and leave it
unattended, administrators still stay on as “root” or forget to logout after finishing their work and
leave their terminals unattended.

Step 1
The answer to solve this problem is to make the bash shell automatically logout after not being
used for a period of time. To do that, you must set the special variable of Linux named “TMOUT” to
the time in seconds of no input before logout.

• Edit your profile file (vi /etc/profile) and add the following line somewhere after
the line that read “HISTSIZE=” on this file:

HOSTNAME=`/bin/hostname`
HISTSIZE=1000
TMOUT=7200

The value we enter for the variable “TMOUT=” is in seconds and represents 2 hours (60 * 60 =
3600 * 2 = 7200 seconds). It is important to note that if you decide to put the above line in your
/etc/profile file, then the automatic logout after two hours of inactivity will apply for all users
on the system. So, instead, if you prefer to control which users will be automatically logged out
and which ones are not, you can set this variable in their individual .bashrc file.

Step 2
Once we have added the above line to the profile file, we must add its definition to the
export line of the same file as follow.

• Edit your profile file (vi /etc/profile) and change the line:

export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE INPUTRC

To read:

export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE TMOUT INPUTRC

After this parameter has been set on your system, you must logout and login again (as root) for
the change to take effect.

77
Shell logging
To make it easy for you to repeat long commands, the bash shell stores up to 500 old commands
in the ~/.bash_history file (where “~/” is your home directory). Each user that has an account
on the system will have this file .bash_history in their home directory. Reducing the number
of old commands the .bash_history files can hold may protect users on the server who enter
by mistake their password on the screen in plain text and have their password stored for a long
time in the .bash_history file.

Step 1
The HISTSIZE line in the /etc/profile file determine the size of old commands the
.bash_history file for all users on your system can hold. For all accounts I would highly
recommend setting the HISTSIZE in /etc/profile file to a low value such as 10.

• Edit the profile file (vi /etc/profile) and change the line:

HISTSIZE=1000

To read:

HISTSIZE=10

This means, the .bash_history file in each user’s home directory can store 10 old commands
and no more. Now, if a cracker tries to see the ~/.bash_history file of users on your server to
find some password typed by mistake in plain text, he or she has less chance to find one.

Step 2
The administrator should also add into the /etc/profile file the “HISTFILESIZE=0” line, so
that each time a user logs out, its .bash_history file will be deleted so crackers will not be
able to use .bash_history file of users who are not presently logged into the system.

• Edit the profile file (vi /etc/profile) and add the following parameter below the
“HISTSIZE=” line:

HISTFILESIZE=0

Step 3
Once we have added the above line to the profile file, we must add its definition to the
export line of the same file as follow.

• Edit your profile file (vi /etc/profile) and change the line:

export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE TMOUT INPUTRC

To read:

export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTFILESIZE TMOUT

INPUTRC

After this parameter has been set on your system, you must logout and login again (as root) for
the change to take effect.

78
 General Security 0
CHAPTER 3

The single-user login mode of Linux

This part applies for those who use LILO as their boot loader. Linux has a special command
(linux single) also known as ‘single-user mode’, which can be entered at the boot prompt
during startup of the system. The single-user mode is generally used for system maintenance.

You can boot Linux in single-user mode by typing at the LILO boot prompt the command:

LILO: linux single

This will place the system in Run level 1 where you'll be logged in as the super-user 'root', and
where you won't even have to type in a password!

Step 1
Requiring no password to boot into root under single-user mode is a bad idea! You can fix this by
editing the inittab file (vi /etc/inittab) and change the following line:

id:3:initdefault:

To read:

id:3:initdefault:
~~:S:wait:/sbin/sulogin

The addition of the above line will require entering the root password before continuing to boot
into single-user mode by making init (8) run the program sulogin (8) before dropping
the machine into a root shell for maintenance.

Step 2
Now, we have to restart the process control initialization of the server for the changes to take
effect.

• This can be done with the following command:

[root@deep /]# /sbin/init q

Disabling Ctrl-Alt-Delete keyboard shutdown command

Commenting out the line (with a “#”) listed below in your /etc/inittab file will disable the
possibility of using the Control-Alt-Delete command to shutdown your computer. This is
pretty important if you don't have the best physical security to the machine.

Step 1
• To do this, edit the inittab file (vi /etc/inittab) and change/comment the line:

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

To read:

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

79
Step 2
Now, we have to restart the process control initialization of the server for the changes to take
effect.

• This can be done with the following command:

[root@deep /]# /sbin/init q

Limiting the default number of started ttys on the server

Default installed Linux system comes with six virtual consoles in standard run levels. This means
that six mingetty processes will always by available at every time on the server. These virtual
consoles allow you to login with six different virtual consoles on the system.

Step 1
On secure server, we can limit the number to two virtual consoles and save some resources
which may be used for other work by the server when required.

• To do this, edit the inittab file (vi /etc/inittab) and remove/comment the lines:

1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6

To read:

1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6

Step 2
Now, we have to restart the process control initialization of the server for the changes to take
effect.

• This can be done with the following command:

[root@deep /]# /sbin/init q

The LILO and /etc/lilo.conf file

This part applies for those who use LILO as their boot loader. LILO is a boot loader that can be
used to manage the boot process, boot Linux kernel images from floppy disks, hard disks or can
even act as a "boot manager" for other operating systems.

LILO is very important in the Linux system and for this reason, we must protect it the best we
can. The most important configuration file of LILO is the lilo.conf file. It is with this file that we
can configure and improve the security of our LILO program and Linux system. Following are
three important options that will improve the security of our valuable LILO program.

80
 General Security 0
CHAPTER 3

• Adding: timeout=00
This option controls how long (in seconds) LILO waits for user input before booting to the default
selection. One of the requirements of C2 security is that this interval be set to 0 unless the system
dual boots something else.

• Adding: restricted
This option asks for a password only, if parameters are specified on the command line (e.g.
linux single). The option “restricted” can only be used together with the “password”
option. Make sure you use this one on each additional image you may have.

• Adding: password=<password>
This option asks the user for a password when trying to load the image. Actually the effect of
using the password parameter in /etc/lilo.conf will protect the Linux image from booting.
This means, it doesn't matter if you load Linux in single mode or if you just do a normal boot. It
will always ask you for the password.

Now this can have a very bad effect, namely you are not able to reboot Linux remotely any more
since it won't come up until you type in the root password at the console. It is for this reason that
adding “restricted” with “password” is very important since the option "restricted" relaxes
the password protection and a password is required only if parameters are specified at the LILO
prompt, (e.g. single).

Passwords are always case-sensitive, also make sure the /etc/lilo.conf file is no longer
world readable, or any user will be able to read the password. Here is an example of our
protected LILO with the lilo.conf file.

Step 1
• Edit the lilo.conf file (vi /etc/lilo.conf) and add or change the three options
above as show:

boot=/dev/sda
map=/boot/map
install=/boot/boot.b
prompt remove this line if you don’t want to pass options at the LILO prompt.
timeout=00 change this line to 00 to disable the LILO prompt.
linear
message=/boot/message remove this line if you don’t want the welcome screen.
default=linux
restricted add this line to relaxes the password protection.
password=<password> add this line and put your password.

image=/boot/vmlinuz-2.4.2-2
label=linux
initrd=/boot/initrd-2.4.2-2.img
read-only
root=/dev/sda6

Step 2
Because the configuration file /etc/lilo.conf now contains unencrypted passwords, it should
only be readable for the super-user “root”.

• To make the /etc/lilo.conf file readable only by the super-user “root”, use the
following command:
[root@deep /]# chmod 600 /etc/lilo.conf (will be no longer world readable).

81
Step 3
Now we must update our configuration file /etc/lilo.conf for the change to take effect.

• To update the /etc/lilo.conf file, use the following command:

[root@deep /]# /sbin/lilo -v
LILO version 21.4-4, copyright © 1992-1998 Wernerr Almesberger
‘lba32’ extentions copyright © 1999,2000 John Coffman

Reading boot sector from /dev/sda

had : ATAPI 32X CD-ROM drive, 128kB Cache
Merging with /boot/boot.b
Mapping message file /boot/message
Boot image : /boot/vmlinuz-2.2.16-22
Mapping RAM disk /boot/initrd-2.2.16-22.img
Added linux *
/boot/boot.0800 exists – no backup copy made.
Writing boot sector.

Step 4
One more security measure you can take to secure the lilo.conf file is to set it immutable,
using the chattr command.

• To set the file immutable simply, use the following command:

[root@deep /]# chattr +i /etc/lilo.conf

And this will prevent any changes (accidental or otherwise) to the lilo.conf file. If you wish to
modify the lilo.conf file you will need to unset the immutable flag:

• To unset the immutable flag, use the following command:

[root@deep /]# chattr -i /etc/lilo.conf

WARNING: When you use the password option, then LILO will always ask you for the password,
regardless if you pass options at the LILO prompt (e.g. single) or not EXCEPT when you set
the "restricted" option in /etc/lilo.conf.

The option "restricted" relaxes the password protection and a password is required only if
parameters are specified at the LILO prompt, (e.g. single).

If you didn't had this option set "restricted", Linux will always ask you for the password and
you will not be able to remotely reboot your system, therefore don’t forget to add the option
"restricted” with the option "password" into the /etc/lilo.conf file.

The GRUB and /boot/grub/grub.conf file

This part applies for those who use GRUB as their boot loader. GRUB is another boot loader like
LILO but with many more useful feature and power. One of its main advantages compared to
LILO is the fact that it provides a small shell interface to manage the operating system. Also, it
doesn’t need to be updated each time you recompile a new kernel on your server.

82
 General Security 0
CHAPTER 3

GRUB is very important since it is the first software program that runs when the computer starts
and we have to secure it as much as possible to avoid any possible problem. In its default
installation it’s already well protected and below I explain how its configuration file is made. In
regard to LILO, GRUB is really easy to use and configure. Below is a default GRUB configuration
file and security I recommend you to apply. The text in bold are the parts of the configuration file
that must be customized and adjusted to satisfy our needs.

• Edit the grub.conf file (vi /boot/grub/grub.conf) and set your needs. Below is
what we recommend you:

default=0
timeout=0
splashimage=(hd0,0)/grub/splash.xpm.gz
password --md5 $1$oKr0ÝmFo$tPYwkkvQbtqo1erwHj5wb/
title Red Hat Linux (2.4.18-3)
root (hd0,0)
kernel /vmlinuz-2.4.18-3 ro root=/dev/sda5
initrd /initrd-2.4.18-3.img

This tells the grub.conf file to set itself up for this particular configuration with:

default=0
The option “default” is used to define the default entry of the configuration file. The number “0”
mean that the following parameters are the default entry for the configuration of GRUB. In a server
configuration where Linux is the only operating system to boot, the default entry of “0” will be the
only one to use and we don’t need to define any additional entry.

timeout=0
This option “timeout” is used to define the timeout, in sec seconds to wait, before automatically
booting the default entry. As for LILO, one of the requirements of C2 security is that this interval
be set to 0 unless the system dual boots something else. One of the disadvantages to set this
option to “0” is that you will no longer be able to have access at boot time to the shell interface of
the software but this is not really a problem since all we need from the GRUB software is to boot
our operating system.

splashimage=(hd0,0)/grub/splash.xpm.gz
This option “splashimage” is an option added by Red Hat to boot the system with a graphical
image. The value is the path of the compressed image to use when booting GRUB. It’s to you to
keep this parameter on your system or to remove it. If you want to remove it, just delete the
above line with the compressed image from your server.

password --md5 $1$bgGCL/$4yF3t0py.IjU0LU.q7YfB1

This option “password” is used to inform GRUB to ask for a password and disallows any
interactive control, until you press the key <p> and enter a correct password. The option --md5
tells GRUB that a password in MD5 format is required as a value. If it is omitted, GRUB assumes
the specified password is in clear text.

When we have installed the operating system, we have already configured GRUB with a
password protection. This password is what you see here. If you want to change it, you have to
use the “grub-md5-crypt” command to generate a new encrypt password it in MD5 format.

• This can be done with the following command:

[root@dev /]# grub-md5-crypt
Password:
$1$bgGCL/$4yF3t0py.IjU0LU.q7YfB1

83
Once the above command has been issued, you have to cut and paste the encrypted password
to your configuration file.

title Red Hat Linux (2.4.18-3)

This option “title” is used to define a name to the contents of the rest of the line. It is directly
related to the default boot entry. What you enter here is what you will see during boot time. This
option is useful when we have more than one OS to start on our computer and allow us to give
the name that we want to distinguish them. You are free to enter whatever name you like.

root (hd0,0)
This option “root” is one of the most important parameter with GRUB and without it nothing will
work. It is used to define the current root device to use for booting the operating system. Its
definition and configuration is a little bit special as you can see. Here is an explanation of its
meaning. The “hd0” parameter represents using the entire disk and the “hd0,0” represents using
the partition of the disk (or the boot sector of the partition when installing GRUB). Don’t be
confused here because “hd” is valid for IDE and SCSI drives. There is no difference; you always
use “hd” even on SCSI drive.

kernel /vmlinuz-2.4.18-3 ro root=/dev/sda5

This option “kernel” is used to load the primary boot image (our kernel). The parameter to this
option is simply the path where GRUB should find the kernel image from which we want it to boot.
The additional lines are to inform it that kernel image is located on the sda5 partition on our
server and that we want to load it as read only for security reason.

initrd /initrd-2.4.18-3.img
This option “initrd” is optional and will appear into your GRUB configuration file only if you run a
SCSI computer. For IDE computer, this option is not required and should not be defined inside
the configuration file of GRUB. The parameter simply informs GRUB software where our initial ram
disk image is located on the server. GRUB reads this initial ram disk and loads it during startup.

The /etc/services file

The port numbers on which certain "standard" services are offered are defined in the RFC 1700
"Assigned Numbers". The /etc/services file enables server and client programs to convert
service names to these numbers (ports). The list is kept on each host and it is stored in the file
/etc/services. Only the "root" user is allowed to make modifications to this file. It is rare to
edit the /etc/services file since it already contains the more common service names / port
numbers. To improve security, we can set the immutable flag on this file to prevent unauthorized
deletion or modification.

• To immunize the /etc/services file, use the following command:

[root@deep /]# chattr +i /etc/services

84
 General Security 0
CHAPTER 3

The /etc/securetty file

The /etc/securetty file allows you to specify which TTY and VC (virtual console) devices the
“root” user is allowed to login on. The /etc/securetty file is read by the login program
(usually /bin/login). Its format is a list of the tty and vc devices names allowed, and for all
others that are commented out or do not appear in this file, root login is disallowed.

Disable any tty and vc devices that you do not need by commenting them out (# at the
beginning of the line) or by removing them.

• Edit the securetty file (vi /etc/securetty) and comment out or remove the lines:

vc/1 tty1
#vc/2 #tty2
#vc/3 #tty3
#vc/4 #tty4
#vc/5 #tty5
#vc/6 #tty6
#vc/7 #tty7
#vc/8 #tty8
#vc/9 #tty9
#vc/10 #tty10
#vc/11 #tty11

Which means root is allowed to login on only tty1 and vc/1. This is my recommendation,
allowing “root” to log in on only one tty or vc device and use the su or sudo command to
switch to “root” if you need more devices to log in as “root”.

Special accounts
It is important to DISABLE ALL default vendor accounts that you don’t use on your system
(some accounts exist by default even if you have not installed the related services on your
server). This should be checked after each upgrade or new software installation. Linux provides
these accounts for various system activities, which you may not need if the services are not
installed on your server. If you do not need the accounts, remove them. The more accounts you
have, the easier it is to access your system.

We assume that you are using the shadow password suite on your Linux system. If you are not,
you should consider doing so, as it helps to tighten up security somewhat. This is already set if
you’ve followed our Linux installation procedure and selected, under the “Authentication
Configuration”, the option to “Enable Shadow Passwords” (see the chapter related to the
“Installation of your Linux Server” for more information).

• To delete user on your system, use the following command:

[root@deep /]# userdel username

• To delete group on your system, use the following command:

[root@deep /]# groupdel username

85
Step 1
First we will remove all default vendor accounts into the /etc/passwd file that are unnecessary
for the operation of the secure server configuration that we use in this book.

• Type the following commands to delete all default users accounts listed below.
[root@deep /]# userdel adm
[root@deep /]# userdel lp
[root@deep /]# userdel shutdown
[root@deep /]# userdel halt
[root@deep /]# userdel news
[root@deep /]# userdel mailnull
[root@deep /]# userdel operator
[root@deep /]# userdel games
[root@deep /]# userdel gopher
[root@deep /]# userdel ftp
[root@deep /]# userdel vcsa

WARNING: By default, the userdel command will not delete a user’s home directory. If you want
the home directories of accounts to be deleted too, then add the -r option to the userdel
command. Finally, the -r option must be used only when you have added a new user to the
server and want to remove them. It doesn’t need to be used for the removal of the above default
user’s accounts since they do not have a home directory.

Once the above list of users has been deleted from your Linux system, the /etc/passwd file will
look like this:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/mail:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/bin/bash

Step 2
After that we have removed all the unnecessary default vendor accounts into the /etc/passwd
file from our system, we will remove all default vendor accounts into the /etc/group file.

• Type the following commands to delete all default users groups accounts listed below.
[root@deep /]# groupdel adm
[root@deep /]# groupdel lp
[root@deep /]# groupdel news
[root@deep /]# groupdel games
[root@deep /]# groupdel dip

86
 General Security 0
CHAPTER 3

Once the above list of group users has been deleted from your Linux system the /etc/group
file will look like this:

root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin
tty:x:5:
disk:x:6:root
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail
uucp:x:14:uucp
man:x:15:
lock:x:54:
nobody:x:99:
users:x:100:
slocate:x:21:
floppy:x:19:
utmp:x:22:
rpm:x:37:

Step 3
Now, you can add all the necessary and allowed users into the system. Below I show you how
you should add new user into your Linux server. Adding a new user into your server mean that
you have to create the username and assign him/her a password.

• To add a new user on your system, use the following command:

[root@deep /]# useradd username

For example:
[root@deep /]# useradd admin

• To add or change password for user on your system, use the following command:
[root@deep /]# passwd username

For example:
[root@deep /]# passwd admin

The output should look something like this:

Changing password for user admin
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully

Step 4
The immutable bit can be used to prevent accidentally deleting or overwriting a file that must be
protected. It also prevents someone from creating a symbolic link to this file, which has been the
source of attacks involving the deletion of /etc/passwd, /etc/shadow, /etc/group or
/etc/gshadow files.

• To set the immutable bit on the passwords and groups files, use the following commands:
[root@deep /]# chattr +i /etc/passwd
[root@deep /]# chattr +i /etc/shadow
[root@deep /]# chattr +i /etc/group

87
 [root@deep /]# chattr +i /etc/gshadow

WARNING: In the future, if you intend to add or delete users, passwords, user groups, or group
files, you must unset the immutable bit on all those files or you will not be able to make and
update your changes. Also if you intend to install an RPM program that will automatically add a
new user to the different immunized passwd and group files, then you will receive an error
message during the install if you have not unset the immutable bit from those files.

• To unset the immutable bit on the passwords and groups files, use the commands:
[root@deep /]# chattr -i /etc/passwd
[root@deep /]# chattr -i /etc/shadow
[root@deep /]# chattr -i /etc/group
[root@deep /]# chattr -i /etc/gshadow

Control mounting a file system

You can have more control on mounting file systems like /var/lib, /home or /tmp partitions
with some nifty options like noexec, nodev, and nosuid. This can be setup in the /etc/fstab
file. The fstab file contains descriptive information about the various file system mount options;
each line addresses one file system.

Information related to security options in the fstab text file are:

defaults Allow everything (quota, read-write, and suid) on this partition.

noquota Do not set users quotas on this partition.
nosuid Do not set SUID/SGID access on this partition.
nodev Do not set character or special devices access on this partition.
noexec Do not set execution of any binaries on this partition.
quota Allow users quotas on this partition.
ro Allow read-only on this partition.
rw Allow read-write on this partition.
suid Allow SUID/SGID access on this partition.

NOTE: For more information on options that you can set in this file (fstab) see the man pages
about mount (8).

Step 1
• Edit the fstab file (vi /etc/fstab) and change it depending of your needs.

For example change:

LABEL=/home /home ext3 defaults 1 2
LABEL=/tmp /tmp ext3 defaults 1 2
LABEL=/var/lib /var/lib ext3 defaults 1 2

To read:

LABEL=/home /home ext3 defaults,nosuid 1 2

LABEL=/tmp /tmp ext3 defaults,nosuid,noexec 1 2
LABEL=/var/lib /var/lib ext3 defaults,nodev 1 2

88
 General Security 0
CHAPTER 3

Meaning, <nosuid>, do not allow set-user-identifier or set-group-identifier bits to take effect,

<nodev>, do not interpret character or block special devices on this file system partition, and
<noexec>, do not allow execution of any binaries on the mounted file system.

Step 2
Once you have made the necessary adjustments to the /etc/fstab file, it is time to inform the
Linux system about the modifications.

• This can be accomplished with the following commands:

[root@deep /]# mount /var/lib -oremount
[root@deep /]# mount /home -oremount
[root@deep /]# mount /tmp -oremount

Each file system that has been modified must be remounted with the command show above. In
our example we have modified the /var/lib, /home, and /tmp file system and it is for this
reason that we remount these files systems with the above commands.

• You can verify if the modifications have been correctly applied to the Linux system with
the following command:
[root@deep /]# cat /proc/mounts
rootfs / rootfs rw 0 0
/dev/root / ext3 rw 0 0
/proc /proc proc rw 0 0
/dev/sda1 /boot ext3 rw 0 0
/dev/sda8 /chroot ext3 rw 0 0
none /dev/pts devpts rw 0 0
/dev/sda7 /home ext3 rw,nosuid 0 0
none /dev/shm tmpfs rw 0 0
/dev/sda11 /tmp ext3 rw,nosuid,noexec 0 0
/dev/sda6 /usr ext3 rw 0 0
/dev/sda9 /var ext3 rw 0 0
/dev/sda10 /var/lib ext3 rw,nodev 0 0

This command will show you all the files systems on your Linux server with parameters applied to
them.

Mounting the /usr directory of Linux as read-only

It is allowable to mount your /usr partition read-only since this is, by definition, static data. Of
course, anyone with root access can remount it as writable, but a generic attack script may not
know this. On many Linux variants this directory resides in its own partition and the default
parameter is to mount it as read-write. We can change this parameter to make it read-only for
better security. Please be sure that your /usr directory is on its own partition or the following
hack will not work for you.

89
Step 1
Mounting the /usr partition as read-only eliminates possible problems that someone may try to
change or modify vital files inside it. To mount the /usr file system of Linux as read-only, follow
the simple steps below.

• Edit the fstab file (vi /etc/fstab) and change the line:

LABEL=/usr /usr ext3 defaults 1 2

To read:

LABEL=/usr /usr ext3 defaults,ro 1 2

We add the “ro” option to this line to specify to mount this partition as read-only.

Step 2
Make the Linux system aware about the modification you have made to the /etc/fstab file.

• This can be accomplished with the following command:

[root@deep /]# mount /usr -oremount

• Then test your results with the following command:

[root@deep /]# cat /proc/mounts
rootfs / rootfs rw 0 0
/dev/root / ext3 rw 0 0
/proc /proc proc rw 0 0
/dev/sda1 /boot ext3 rw 0 0
/dev/sda8 /chroot ext3 rw 0 0
none /dev/pts devpts rw 0 0
/dev/sda7 /home ext3 rw,nosuid 0 0
none /dev/shm tmpfs rw 0 0
/dev/sda11 /tmp ext3 rw,nosuid,noexec 0 0
/dev/sda6 /usr ext3 ro 0 0
/dev/sda9 /var ext3 rw 0 0
/dev/sda10 /var/lib ext3 rw,nodev 0 0

If you see something like: /dev/sda6 /usr ext3 ro 0 0, congratulations!

WARNING: If in the future you want to install some RPM package or program from source code, it is
important to reset the modification you have made to the /usr directory to its initial state (read-
write) or you will not be able to install new software because the /usr partition is set as read-
only. All you have to do if you want to put the /usr partition to its original state is to edit the
/etc/fstab file again and remove the “ro” option then remount the /usr file system with the
“mount -oremount” command again.

90
 General Security 0
CHAPTER 3

Tighten scripts under /etc/init.d

Fix the permissions of the script files that are responsible for starting and stopping all your normal
processes that need to run at boot time.

• To fix the permissions of those files, use the following command:

[root@deep /]# chmod 0700 /etc/init.d/*

Which means just the super-user “root” is allowed to Read, Write, and Execute scripts files on
this directory. I don’t think regular users need to know what’s inside those script files.

WARNING: If you install a new program or update a program that use the init system V script
located under /etc/init.d/ directory, don’t forget to change or verify the permission of this
script file again.

Tighten scripts under /etc/cron.daily/

As for the above hack, we can tighten the security of all script files that are responsible for
executing scheduled job on our server. Those files have a default permission mode of (0755-
rwxr-xr-x), which is too high for what they should accomplish.

• To fix the permissions of those files, use the following command:

[root@deep /]# chmod 0550 /etc/cron.daily/*

The same is true for other cron directories under the /etc directory of your system. If files exist
under the other cron directories, then use the above command to change their default permission
mode for better security.

WARNING: If you install a new program or update a program that provides and install a cron file on
your server, don’t forget to change or verify the permission of this script file again.

Bits from root-owned programs

A regular user will be able to run a program as root if it is set to SUID root. All programs and files
on your computer with the ’s’ bits appearing on its mode, have the SUID (-rwsr-xr-x) or SGID
(-r-xr-sr-x) bit enabled. Because these programs grant special privileges to the user who is
executing them, it is important to remove the 's' bits from root-owned programs that won't
absolutely require such privilege.

This can be accomplished by executing the command chmod a-s with the name(s) of the
SUID/SGID files as its arguments.

Such programs include, but aren't limited to:

Programs you never use.

Programs that you don't want any non-root users to run.
Programs you use occasionally, and don't mind having to su (1) to root to run.

91
Step 1
We've placed an asterisk (*) next to each program we personally might disable and consider
being not absolutely required for the duty work of the server. Remember that your system needs
some suid root programs to work properly, so be careful.

• To find all files with the ‘s’ bits from root-owned programs, use the command:
[root@deep]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -l {} \;

*-rwsr-xr-x 1 root root 34296 Mar 27 20:40 /usr/bin/chage

*-rwsr-xr-x 1 root root 36100 Mar 27 20:40 /usr/bin/gpasswd
-rwxr-sr-x 1 root slocate 25020 Jun 25 2001 /usr/bin/slocate
-r-s--x--x 1 root root 15104 Mar 13 20:44 /usr/bin/passwd
*-r-xr-sr-x 1 root tty 6920 Mar 14 15:24 /usr/bin/wall
*-rws--x--x 1 root root 12072 Apr 1 18:26 /usr/bin/chfn
*-rws--x--x 1 root root 11496 Apr 1 18:26 /usr/bin/chsh
*-rws--x--x 1 root root 4764 Apr 1 18:26 /usr/bin/newgrp
*-rwxr-sr-x 1 root tty 8584 Apr 1 18:26 /usr/bin/write
-rwsr-xr-x 1 root root 21080 Apr 15 00:49 /usr/bin/crontab
*-rwsr-xr-x 1 root root 32673 Apr 18 17:40 /usr/sbin/ping6
*-rwsr-xr-x 1 root root 13994 Apr 18 17:40 /usr/sbin/traceroute6
-rwxr-sr-x 1 root utmp 6604 Jun 24 2001 /usr/sbin/utempter
-rws--x--x 1 root root 22388 Apr 15 18:15 /usr/sbin/userhelper
*-rwsr-xr-x 1 root root 17461 Apr 19 12:35 /usr/sbin/usernetctl
*-rwsr-xr-x 1 root root 35192 Apr 18 17:40 /bin/ping
*-rwsr-xr-x 1 root root 60104 Apr 1 18:26 /bin/mount
*-rwsr-xr-x 1 root root 30664 Apr 1 18:26 /bin/umount
-rwsr-xr-x 1 root root 19116 Apr 8 12:02 /bin/su
-r-sr-xr-x 1 root root 120264 Apr 9 23:24 /sbin/pwdb_chkpwd
-r-sr-xr-x 1 root root 16992 Apr 9 23:24 /sbin/unix_chkpwd
*-rwxr-sr-x 1 root root 14657 Apr 19 12:35 /sbin/netreport

Step 2
• To disable the suid bits on selected programs above, use the following commands:
[root@deep /]# chmod a-s /usr/bin/chage
[root@deep /]# chmod a-s /usr/bin/gpasswd
[root@deep /]# chmod a-s /usr/bin/wall
[root@deep /]# chmod a-s /usr/bin/chfn
[root@deep /]# chmod a-s /usr/bin/chsh
[root@deep /]# chmod a-s /usr/bin/newgrp
[root@deep /]# chmod a-s /usr/bin/write
[root@deep /]# chmod a-s /usr/sbin/ping6
[root@deep /]# chmod a-s /usr/sbin/traceroute6
[root@deep /]# chmod a-s /usr/sbin/usernetctl
[root@deep /]# chmod a-s /bin/ping
[root@deep /]# chmod a-s /bin/mount
[root@deep /]# chmod a-s /bin/umount
[root@deep /]# chmod a-s /sbin/netreport

92
 General Security 0
CHAPTER 3

Don’t let internal machines tell the server what their MAC address is
To avoid the risk that a user could easily change a computers IP address and appear as
someone else to the firewall, you can force the ARP cache entries of Linux using the arp
command utility. A special option can be used with the arp utility to avoid letting INTERNAL
machines tell the server what their MAC (Media Access Control) address is and the IP address
associated with it.

Step1
ARP is a small utility, which manipulates the kernel’s ARP (Address Resolution Protocol) cache.
Through all possible options associated with this utility, the primary one is clearing an address
mapping entry and manually setting up one. In the hope to more secure our server from the
INTERNAL, we will manually set MAC address (sometimes called Hardware addresses) of all
known computers in our network statically by using static ARP entries.

• For each IP address of INTERNAL computers in your network, use the following
command to know the MAC address associate with the IP address:
[root@deep /]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:DA:C6:D3:FF
inet addr:207.35.78.3 Bcast:207.35.78.32 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1887318 errors:0 dropped:0 overruns:1 frame:0
TX packets:2709329 errors:0 dropped:0 overruns:0 carrier:1
collisions:18685 txqueuelen:100
Interrupt:10 Base address:0xb000

eth1 Link encap:Ethernet HWaddr 00:50:DA:C6:D3:09

inet addr:192.168.1.11 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:182937 errors:0 dropped:0 overruns:0 frame:0
TX packets:179612 errors:0 dropped:0 overruns:0 carrier:0
collisions:7434 txqueuelen:100
Interrupt:11 Base address:0xa800

lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:7465 errors:0 dropped:0 overruns:0 frame:0
TX packets:7465 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0

The MAC (Media Access Control) address will be the letters and numbers that come after
“HWaddr” (the Hardware Address). In the above example our MAC address are:

00:50:DA:C6:D3:FF for the interface eth0 and 00:50:DA:C6:D3:09 for the interface eth1.

Step 2
Once we know the MAC (Media Access Control) address associated with IP address, we can add
them manually to the ARP entries of the Linux server.

• To add manually MAC address to ARP entries, use the following commands:
[root@deep /]# arp -s 207.35.78.3 00:50:DA:C6:D3:FF
[root@deep /]# arp -s 192.168.1.11 00:50:DA:C6:D3:09

93
The “-s” option means to manually create an ARP address mapping entry for host hostname with
hardware address set to hw_addr class. You can add you ARP commands to the
/etc/rc.local file if you want to keep your configuration if the system reboots.

Step 3
• To verify if the modifications have been added to the system, use the following command:
[root@deep /]# arp
Address Hwtype Hwaddress Flags Mask Iface
207.35.78.3 ether 00:20:78:13:86:92 CM eth1
192.168.1.11 ether 00:E0:18:90:1B:56 CM eth1

WARNING: If you receive error message like: SIOCSARP: Invalid argument, it is because the MAC
(Media Access Control) address you want to add is the one of your server. You must add only MAC
address of INTERNAL computers in your private network. This hack doesn’t apply to external
node on the Internet.

You can now be reassured that someone will not change the system's IP address of an
INTERNAL system and get through. If they do change the IP address, the server simply won't
talk to them. With the new iptables tool of Linux, which replace the old ipchains utility for
packet filter administration and firewall setup, MAC addresses can be filtered and configured in the
firewall rules too.

Unusual or hidden files

It is important to look everywhere on the system for unusual or hidden files (files that start with a
period and are normally not shown by the “ls” command), as these can be used to hide tools and
information (password cracking programs, password files from other systems, etc.). A common
technique on UNIX systems is to put a hidden directory or file in a user's account with an unusual
name, something like '...' or '.. ' (dot dot space) or '..^G' (dot dot control-G). The find
program can be used to look for hidden files.

• To look for hidden files, use the following commands:

[root@deep /]# find / -name ".. " -print -xdev

[root@deep /]# find / -name ".*" -print -xdev | cat –v

/etc/skel/.bash_logout
/etc/skel/.bash_profile
/etc/skel/.bashrc
/etc/.pwd.lock
/root/.bash_logout
/root/.Xresources
/root/.bash_profile
/root/.bashrc
/root/.cshrc
/root/.tcshrc
/root/.bash_history
/usr/lib/perl5/5.6.1/i386-linux/.packlist
/home/admin/.bash_logout
/home/admin/.bash_profile
/home/admin/.bashrc
/.autofsck

94
 General Security 0
CHAPTER 3

Finding Group and World Writable files and directories

Group and world writable files and directories, particularly system files (partitions), can be a
security hole if a cracker gains access to your system and modifies them. Additionally, world-
writable directories are dangerous, since they allow a cracker to add or delete files as he or she
wishes in these directories. In the normal course of operation, several files will be writable,
including some from the /dev, /var/mail directories, and all symbolic links on your system.

• To locate all group & world-writable files on your system, use the command:
[root@deep /]# find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \;
-rw-rw-r-- 1 root utmp 107904 Jun 17 12:04 /var/log/wtmp
-rw-rw-r-- 1 root utmp 4608 Jun 17 12:04 /var/run/utmp

• To locate all group & world-writable directories on your system, use the command:
[root@deep /]# find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \;
drwxrwxr-x 12 root man 4096 Jun 17 06:50 /var/cache/man/X11R6
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/X11R6/cat1
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/X11R6/cat2
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/X11R6/cat3
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/X11R6/cat4
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/X11R6/cat5
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/X11R6/cat6
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/X11R6/cat7
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/X11R6/cat8
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/X11R6/cat9
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/X11R6/catn
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/cat1
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/cat2
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/cat3
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/cat4
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/cat5
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/cat6
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/cat7
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/cat8
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/cat9
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/catn
drwxrwxr-x 12 root man 4096 Jun 17 06:50 /var/cache/man/local
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/local/cat1
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/local/cat2
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/local/cat3
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/local/cat4
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/local/cat5
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/local/cat6
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/local/cat7
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/local/cat8
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/local/cat9
drwxrwxr-x 2 root man 4096 Mar 25 09:17 /var/cache/man/local/catn
drwxrwxr-x 3 root lock 4096 Jun 17 06:49 /var/lock
drwxrwxr-x 2 root root 4096 Apr 19 12:35 /var/run/netreport
drwxrwxr-x 2 root 12 4096 Jun 17 12:30 /var/spool/mail
drwxrwxrwt 2 root root 4096 Jun 17 11:29 /var/tmp
drwxrwxrwt 2 root root 4096 Jun 17 06:52 /tmp

WARNING: A file and directory integrity checker like “Tripwire” software can be used regularly to
scan, manage and find modified group or world writable files and directories easily. See later in
this book for more information about Tripwire.

95
Unowned files
Don’t permit any unowned file on your server. Unowned files may also be an indication that an
intruder has accessed your system. If you find unowned file or directory on your system, verify its
integrity, and if all looks fine, give it an owner name. Some time you may uninstall a program and
get an unowned file or directory related to this software; in this case you can remove the file or
directory safely.

• To locate files on your system that do not have an owner, use the following command:
[root@deep /]# find / -nouser -o -nogroup

WARNING: It is important to note that files reported under /dev/ directory don’t count.

Finding .rhosts files

Finding all existing .rhosts files that could exist on your server should be a part of your regular
system administration duties, as these files should not be permitted on your system. Remember
that a cracker only needs one insecure account to potentially gain access to your entire network.

Step 1
If you are doing a new install of Linux (like we did) you should not have any .rhosts files on
your system. If the result returns nothing, then you are safe and your system contain no .rhosts
files in the /home directory at this time.

• You can locate all existing .rhosts files on your system with the following command:
[root@deep /]# find /home -name .rhosts

Step 2
You can also use a cron job to periodically check for, report the contents of, and delete
$HOME/.rhosts files. Also, users should be made aware that you regularly perform this type of
audit, as directed by your security policy.

• Create the rhosts.cron file (touch /etc/cron.daily/rhosts.cron) and add the

following lines inside the script file.

#!/bin/sh

/usr/bin/find /home -name .rhosts | (cat <<EOF

This is an automated report of possible existent ..rhosts files on
the server deep.openna.com, generated by the find utility command.

New detected ..rhosts. files under the ./home/. directory include:

EOF
cat
) | /bin/mail -s "Content of .rhosts file audit report" root

• Now make this script executable, verify the owner, and change the group to “root”.
[root@deep /]# chmod 550 /etc/cron.daily/rhosts.cron
[root@deep /]# chown 0.0 /etc/cron.daily/rhosts.cron

Each day mail will be sent to “root” with a subject:” Content of .rhosts file audit report” containing
potential new .rhosts files.

96
 General Security 0
CHAPTER 3

Physical hard copies of all-important logs

One of the most important security considerations is the integrity of the different log files under
the /var/log directory on your server. If despite each of the security functions put in place on
our server, a cracker can gain access to it; our last defence is the log file system, so it is very
important to consider a method of being sure of the integrity of our log files.

If you have a printer installed on your server, or on a machine on your network, a good idea
would be to have actual physical hard copies of all-important logs. This can be easily
accomplished by using a continuous feed printer and having the syslog program sending all
logs you think are important out to /dev/lp0 (the printer device). Cracker can change the files,
programs, etc on your server, but can do nothing when you have a printer that prints a real paper
copy of all of your important logs.

As an example:
For logging of all telnet, mail, boot messages and ssh connections from your server to the
printer attached to THIS server, you would want to add the following line to the
/etc/syslog.conf file:

Step 1
• Edit the syslog.conf file (vi /etc/syslog.conf) and add at the end of this file the
following line:

authpriv.*;mail.*;local7.*;auth.*;daemon.info /dev/lp0

Step 2
• Now restart your syslog daemon for the change to take effect:
[root@deep /]# /etc/init.d/syslog restart
Shutting down kernel logger: [OK]
Shutting down system logger: [OK]
Starting system logger: [OK]
Starting kernel logger: [OK]

As an example:
For logging of all telnet, mail, boot messages and ssh connections from your server to the
printer attached to a REMOTE server in your local network, then you would want to add the
following line to /etc/syslog.conf file on the REMOTE server.

Step 1
• Edit the syslog.conf file (vi /etc/syslog.conf) on the REMOTE server (for
example: printer.openna.com) and add at the end of this file the following line:

authpriv.*;mail.*;local7.*;auth.*;daemon.info /dev/lp0

If you don’t have a printer in your network, you can also copy all the log files to another machine;
simply omit the above first step of adding /dev/lp0 to your syslog.conf file on remote and go
directly to the “-r” option second step on remote. Using the feature of copying all the log files to
another machine will give you the possibility to control all syslog messages on one host and will
tear down administration needs.

97
Step 2
Since the default configuration of the syslog daemon is to not receive any messages from the
network, we must enable on the REMOTE server the facility to receive messages from the
network. To enable the facility to receive messages from the network on the REMOTE server,
add the following option “-r” to your syslog daemon script file (only on the REMOTE host):

• Edit the syslog daemon (vi +24 /etc/rc.d/init.d/syslog) and change:

daemon syslogd -m 0

To read:

daemon syslogd -r -m 0

Step 3
• Restart your syslog daemon on the remote host for the change to take effect:
[root@mail /]# /etc/init.d/syslog restart
Shutting down kernel logger: [OK]
Shutting down system logger: [OK]
Starting system logger: [OK]
Starting kernel logger: [OK]

Step 4
• Edit the syslog.conf file (vi /etc/syslog.conf) on the LOCAL server, and add at
the end of this file the following line:

authpriv.*;mail.*;local7.*;auth.*;daemon.info @printer

Where (printer) represent the hostname of the REMOTE server. Now if anyone ever hacks
your machine and attempts to erase vital system logs, you still have a hard copy of everything. It
should then be fairly simple to trace where they came from and deal with it accordingly.

Step 5
• Restart your syslog daemon on the LOCAL server for the change to take effect:
[root@deep /]# /etc/init.d/syslog restart
Shutting down kernel logger: [OK]
Shutting down system logger: [OK]
Starting system logger: [OK]
Starting kernel logger: [OK]

WARNING: Never use your Gateway Server as a host to control all syslog messages; this is a
very bad idea. More options and strategies exist with the sysklogd program, see the man pages
about sysklogd (8), syslog(2), and syslog.conf(5) for more information.

98
 General Security 0
CHAPTER 3

Getting some more security by removing manual pages

Here we have to think a little bit about manual pages installed on all Linux system. Manual pages
also known as man-pages are compressed files located under the /usr/share/man directory
on your system. These documentation files are very useful to get quick information on how
service, program, commands, and configuration files of specific software work. These files are
readable by the man program and depend of other installed software on Linux to work and display
the information.

On production servers where specific task are assigned and where we only run services to the
internal or external, does we really need to have these manual pages and related software
installed? Do we will connect to these production servers to read these manual pages? Does this
is really important to have them duplicated on all of our different servers? Personally, I don’t think
because we can have all of these useful documentation files available on our Linux workstation or
development server each time we need to consult them.

If you have made attention to what we have done previously to secure our server, you will
remember that most of all group and world-writable directories on our system comes from the
/var/cache directory which is owned by the man program associated with manual pages. By
removing manual pages and related software from our server, we can get some more security
and save some not negligible space which could help when we scan our server with integrity tool
like Tripwire. This also allow us to remove other software directly related to man program and
limit the number of installed component on our production server without scarifying in the
functionally of the server. If this is what you want to do, here are the steps to follow.

Step 1
First of all, we should remove the man software from our system. The man software is the
program we use to read manual pages. By removing this software we eliminate most of all group
and world-writable directories from our system.

• To remove the man software, use the following command:

[root@deep /]# rpm -e man

Step 2
Once the above software has been removed, we can continue with groff. Groff is a document
formatting system that takes standard text and formatting commands as input and produces
formatted output. This software is used by man to format man-pages.

• To remove the groff software, use the following command:

[root@deep /]# rpm -e groff

Step 3
Because we don’t use manual pages anymore on our production servers, we can remove all
man-pages that are already installed and available under the /usr/share/man directory.

• To remove all preinstalled man-pages from your server, use the following commands:
[root@deep /]# cd /usr/share/man/
[root@deep man]# rm -f man*/*.gz

99
Step 4
Finally, it is important to note that any future installation and upgrade of RPM packages on the
system should be made with the “--excludedocs” option. This RPM option allow us to install or
upgrade the RPM package without the need to install the documentation part that may comes with
the software. For example, if I want to install or upgrade the bind package, I will use the
following RPM command.

• To install or upgrade RPM without documentation, use the following command:

[root@deep /]# rpm –Uvh --exculdedocs bind-version.i386.rpm

System is compromised!
If you believe that your system has been compromised, contact CERT ® Coordination Center or
your representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: [email protected]

CERT Hotline: (+1) 412-268-7090
Facsimile: (+1) 412-268-6989
CERT/CC personnel answer 8:00 a.m. – 8:00 p.m. EST (GMT –5)/EDT (GMT –4)) on working
days; they are on call for emergencies during other hours and on weekends and holidays.

100
Pluggable Authentication Modules
IN THIS CHAPTER

1. The password length

2. Disabling console program access
3. Disabling all console access
4. The Login access control table
5. Tighten console permissions for privileged users
6. Putting limits on resource
7. Controlling access time to services
8. Blocking; su to root, by one and sundry
9. Using sudo instead of su for logging as super-user
 Pluggable Authentication Modules 0
CHAPTER 4

Linux PAM

Abstract
The Pluggable Authentication Modules (PAM) consists of shared libraries, which enable
administrators to choose how applications authenticate users.

Basically, PAM enables the separation of authentication schemes from the applications. This is
accomplished by providing a library of functions that applications can use for requesting user
authentications. ssh, pop, imap, etc. are PAM-aware applications, hence these applications can
be changed from providing a password to providing a voice sample or fingerprint by simply
changing the PAM modules without having to rewrite any code in these applications.

The configuration files of the PAM modules are located in the directory /etc/pam.d and the
modules (shared libraries) themselves are located in the directory /lib/security. The
/etc/pam.d directory has a collection of named files of its own, e.g. ssh, pop, imap, etc. PAM-
aware applications that do not have a configuration file will automatically be pointed to the default
configuration file 'other'.

In the next section we will set up some recommended minimum-security restrictions using PAM.

The password length

The minimum acceptable password length by default when you install your Linux system is five.
This means that when a new user is given access to the server, his/her password length will be at
minimum five mixes of character strings, letter, number, special character etc. This is not enough
and must be eight or more. The password length under Linux by the use of its PAM feature is
controlled by five arguments: minlen, dcredit, ucredit, lcredit, and ocredit.

Step 1
To prevent non-security-minded people or administrators from being able to enter just five
characters for the valuable password, edit the rather important /etc/pam.d/system-auth file
and enforce the minimum password length.

• Edit the system-auth file (vi /etc/pam.d/system-auth) and change the line:

password required /lib/security/pam_cracklib.so retry=3 type=

To read:

password required /lib/security/pam_cracklib.so retry=3 minlen=12 type=

After changing the above line, the /etc/pam.d/system-auth file should look like this:

#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3 minlen=12 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so

103
WARNING: It is important to note that when you set the password for a user under ‘root’ account,
then these restrictions don't apply!! This is the case on all Unix OS. The super-user ‘root’ can
override pretty much everything. Instead, log as the user account from which you apply this
restriction and try to change the password. You will see that it works.

You need to keep in mind that this module includes a credit mechanism. E.g. if you define
minlen=12, then you will get 1 credit for e.g. including a single digit number in your password, or
for including a non-alphanumeric character. Getting 1 credit means that the module will accept a
password of the length of minlen-credit. When you check the parameters of the cracklib module,
you will see that it has some parameters that let you define what a credit is
(http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html).

For example:

minlen The following password was accepted

--------- ---------------------------------------------------
14 gjtodgsdf1$

You can see that I got 1 credit for a alphanumeric character and a credit for each non-
alphanumeric character. "gjtodgsdf1$" has a length of 11, 1 credit for alpha-numeric, 2 credits
for non-alphanumeric character (1 and $) which gives me a credit of 3, hence the password
length of 11 was accepted.

At any rate, the minimum length is adjusted by the mixture of types of characters used in the
password. Using digits (up to the number specified with the "dcredit=" parameter, which
defaults to 1) or uppercase letters "ucredit" or lowercase letters "lcredit" or other types of
letters "ocredit" will decrease the minimum length by up to four since the default parameter for
these arguments is 1 and there is four different arguments that you can add.

A password with 9 lowercase letters in it will pass a minimum length set to 10 unless
"lcredit=0" is used, because a credit is granted for the use of a lowercase letter. If the mixture
includes an uppercase letter, a lowercase letter, and a digit, then a minlength of 8 effectively
becomes 5.

NOTE: With the new MD5 passwords capability, which is installed by default in all modern Linux
operating system, a long password can be used now (up to 256 characters), instead of the Unix
standard eight letters or less. If you want to change the password length of 8 characters to
example 16 characters, all you have to do is to replace the number 12 by 20 in the “minlen=12”
line of the /etc/pam.d/system-auth file.

104
 Pluggable Authentication Modules 0
CHAPTER 4

Disabling console program access

In a safe environment, where we are sure that console is secured because passwords for BIOS
and GRUB or LILO are set and all physical power and reset switches on the system are disabled,
it may be advantageous to entirely disable all console-equivalent access to programs like
poweroff, reboot, and halt for regular users on your server.

• To do this, run the following command:

[root@deep /]# rm -f /etc/security/console.apps/<servicename>

Where <servicename> is the name of the program to which you wish to disable console-
equivalent access.

• To disable console program access, use the following commands:

[root@deep /]# rm -f /etc/security/console.apps/halt
[root@deep /]# rm -f /etc/security/console.apps/poweroff
[root@deep /]# rm -f /etc/security/console.apps/reboot

This will disable console-equivalent access to programs halt, poweroff, and reboot.

Disabling all console access

The Linux-PAM library installed by default on your system allows the system administrator to
choose how applications authenticate users, such as for console access, program and file
access.

Step 1
In order to disable all these accesses for the users, you must comment out all lines that refer to
pam_console.so in the /etc/pam.d directory. This step is a continuation of the hack
“Disabling console program access”. The following script will do the trick automatically for you.

• As ‘root’ creates the disabling.sh script file (touch disabling.sh) and add the
following lines inside:

# !/bin/sh
cd /etc/pam.d
for i in * ; do
sed '/[^#].*pam_console.so/s/^/#/' < $i > foo && mv foo $i
done

Step 2
Now, we have to make the script executable and run it.

• This can be done with the following commands:

[root@deep /]# chmod 700 disabling.sh
[root@deep /]# ./disabling.sh

This will comment out all lines that refer to pam_console.so for all files located under
/etc/pam.d directory. Once the script has been executed, you can remove it from your system.

105
The Login access control table
On a server environment where authorized and legitimate logins can come from everywhere, it is
important to have the possibility to use a security file which allows us to have more control over
users who can connect to the server. What we are looking here is to have more control on not
allowing some legitimated accounts to login from anywhere. Fortunately, this file exists and is
called "access.conf", you can find it under your /etc/security directory.

The access.conf file which comes already installed with your native Linux system allow us to
control which authorized users can/cannot log in to the server or to the console and from where.
Don't forget that users access can come everywhere from remote host or directly from the
console of the system. Configuration of the access.conf file of Linux is not complicated to
understand. Below I show you how to configure it to be very restrictive and secure.

Step 1
By default denying access to every one, is the first step of a reliable security policy. In this way
we eliminate the possibility of forgetting someone or to making a mistake.

• Edit the access.conf file (vi /etc/security/access.conf) and add the following
line at the end of the file.

-:ALL EXCEPT root gmourani:ALL

This access policy means to disallow console logins as well as remote accounts login to all from
anywhere except for user ‘root’ and ‘gmourani’. With this choice of policy, we deny non-
networked and remote logins to every user with a shell account on the system from everywhere
and allow only the selected users.

Take a note that many possibilities exist as for example allowing the same users ‘root’ and
‘gmourani’ to log only to the system from remote host with IP address 207.35.78.2. To
enable this policy, all we need to do is to change the above policy to this one:

• Edit the access.conf file (vi /etc/security/access.conf) and add the following
lines at the end of the file.

-:ALL EXCEPT root gmourani:207.35.78.2

-:ALL:LOCAL

Here the second policy line means to disallow all local access to the console for every users even
for the super-user ‘root’, therefore if you want to log as ‘root’ you need first to log as user
‘gmourani’ from remote host with IP address 207.35.78.2 and su to ‘root’ (this is why I
added ‘root’ to the users allowed to connect from remote host 207.35.78.2).

106
 Pluggable Authentication Modules 0
CHAPTER 4

Step 2
To be able to use the access.conf feature of Linux, make sure to add the following line to
/etc/pam.d/system-auth and sshd if you use this service or it will not work.

• Edit the login file (vi /etc/pam.d/system-auth) and add the following line.

account required /lib/security/pam_access.so

After adding the above line, the /etc/pam.d/system-auth file should look like this:

#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account required /lib/security/pam_access.so
password required /lib/security/pam_cracklib.so retry=3 minlen=12 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so

NOTE: Please read information about possible configurations of this file inside the access.conf
file since your policies will certainly differ from the example that I show you above.

Tighten console permissions for privileged users

The console.perms security file of Linux, which use the pam_console.so module to operate,
is designed to give to privileged users at the physical console (virtual terminals and local xdm-
managed X sessions) capabilities that they would not otherwise have, and to take those
capabilities away when they are no longer logged in at the console.

It provides two main kinds of capabilities: file permissions and authentication. When a user logs in
at the console and no other user is currently logged in at the console, the pam_console.so
module will change permissions and ownership of files as described in the file
/etc/security/console.perms.

Please note that privileged users are nothing in common with regular users you may add to the
server, they are special users like floppy, cdrom, scanner, etc which in an networking server
environment are also considered and treated as users.

107
Step 1
The default console.perms configuration file of Linux is secure enough for regular use of the
system where an Xwindow interface is considered to be installed but in a highly secure
environment where the Graphical User Interface (GUI) is not installed or where some special
devices like sound, jaz, etc have no reason to exist, we can tighten the console.perms
security file of Linux to be more secure by eliminating non-existent or unneeded privileged users
to have capabilities that they would not otherwise have.

• Edit the console.perms file (vi /etc/security/console.perms), and change the

default lines inside this file:

# file classes -- these are regular expressions

<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
<xconsole>=:[0-9]\.[0-9] :[0-9]

# device classes -- these are shell-style globs

<floppy>=/dev/fd[0-1]* \
/dev/floppy/* /mnt/floppy*
<sound>=/dev/dsp* /dev/audio* /dev/midi* \
/dev/mixer* /dev/sequencer \
/dev/sound/* /dev/beep
<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*
<pilot>=/dev/pilot
<jaz>=/mnt/jaz*
<zip>=/mnt/pocketzip* /mnt/zip*
<ls120>=/dev/ls120 /mnt/ls120*
<scanner>=/dev/scanner /dev/usb/scanner*
<rio500>=/dev/usb/rio500
<camera>=/mnt/camera* /dev/usb/dc2xx* /dev/usb/mdc800*
<memstick>=/mnt/memstick*
<flash>=/mnt/flash*
<diskonkey>=/mnt/diskonkey*
<rem_ide>=/mnt/microdrive*
<fb>=/dev/fb /dev/fb[0-9]* \
/dev/fb/*
<kbd>=/dev/kbd
<joystick>=/dev/js[0-9]*
<v4l>=/dev/video* /dev/radio* /dev/winradio* /dev/vtx* /dev/vbi* \
/dev/video/*
<gpm>=/dev/gpmctl
<dri>=/dev/nvidia* /dev/3dfx*
<mainboard>=/dev/apm_bios

# permission definitions
<console> 0660 <floppy> 0660 root.floppy
<console> 0600 <sound> 0600 root
<console> 0600 <cdrom> 0660 root.disk
<console> 0600 <pilot> 0660 root.uucp
<console> 0600 <jaz> 0660 root.disk
<console> 0600 <zip> 0660 root.disk
<console> 0600 <ls120> 0660 root.disk
<console> 0600 <scanner> 0600 root
<console> 0600 <camera> 0600 root
<console> 0600 <memstick> 0600 root
<console> 0600 <flash> 0600 root
<console> 0600 <diskonkey> 0660 root.disk
<console> 0600 <rem_ide> 0660 root.disk
<console> 0600 <fb> 0600 root
<console> 0600 <kbd> 0600 root
<console> 0600 <joystick> 0600 root

108
 Pluggable Authentication Modules 0
CHAPTER 4

<console> 0600 <v4l> 0600 root

<console> 0700 <gpm> 0700 root
<console> 0600 <mainboard> 0600 root
<console> 0600 <rio500> 0600 root

<xconsole> 0600 /dev/console 0600 root.root

<xconsole> 0600 <dri> 0600 root

To read :

# file classes -- these are regular expressions

<console>=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]

# device classes -- these are shell-style globs

<floppy>=/dev/fd[0-1]* \
/dev/floppy/* /mnt/floppy*
<cdrom>=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*
<pilot>=/dev/pilot
<fb>=/dev/fb /dev/fb[0-9]* \
/dev/fb/*
<kbd>=/dev/kbd
<gpm>=/dev/gpmctl
<mainboard>=/dev/apm_bios

# permission definitions
<console> 0660 <floppy> 0660 root.floppy
<console> 0600 <cdrom> 0660 root.disk
<console> 0600 <pilot> 0660 root.uucp
<console> 0600 <fb> 0600 root
<console> 0600 <kbd> 0600 root
<console> 0700 <gpm> 0700 root
<console> 0600 <mainboard> 0600 root

Here we removed every privileged user related to the Graphical User Interface and others related
to sound, zip drive, jaz drive, scanner, joystick and video media at the physical console
on the server.

Putting limits on resource

The limits.conf file located under the /etc/security directory can be used to control and
limit resources for the users on your system. It is important to set resource limits on all your users
so they can't perform Denial of Service attacks (number of processes, amount of memory, etc) on
the server. These limits will have to be set up for the user when he or she logs in.

Step 1
For example, limits for all users on your system might look like this:

• Edit the limits.conf file (vi /etc/security/limits.conf) and change the lines:

#* soft core 0
#* hard rss 10000
#@student hard nproc 20

To read:

* hard core 0
* hard rss 5000
* hard nproc 35

109
This says to prohibit the creation of core files “core 0”, restrict the number of processes to 35
“nproc 35”, and restrict memory usage to 5M “rss 5000” for everyone except the super user
“root”. All of the above only concerns users who have entered through the login prompt on your
system. With this kind of quota, you have more control on the processes, core files, and memory
usage that users may have on your system. The asterisk “*” mean: all users that logs in on the
server.

Putting an asterisk “*” to cover all users can pose problem with daemon users account like “www”
for a web server, “mysql” for a SQL database server, etc. If we put an asterisk, then, these users
will be affected by the restriction and limitation of processes or memory usage.

To solve the problem, we can choose an existing group name in our system and add every
regular user to this group. In this manner, the restrictions and limitations will apply to all users
who are members of this group name only. A special group account named “users” can be used
for this purpose. This is the recommended method on putting limit on user resources.

• Edit the limits.conf file (vi /etc/security/limits.conf) and change the lines:

#* soft core 0
#* hard rss 10000
#@student hard nproc 20

To read:

@users hard core 0

@users hard rss 5000
@users hard nproc 35

If you decide to use a group name like “@users” to control and limit resources for the users on
your system, then it is important to not forget to change the GUI (Group User ID) of these users
to be “100”. “100” is the numeric value of the user’s ID “users”.

• The command to create a new user with group name which is set by default to users is:
[root@deep /]# useradd -g100 admin

The “-g100” option represents the number of the user’s initial login group and in our case “100”
is the group account name “users”. The “admin” parameter is the user name we want to add to
the group name “users”.

WARNING: Use the same command above for all users on your system you want to be member of
the “users” group account. It is also preferable to set this parameter first before adding users to
the system.

110
 Pluggable Authentication Modules 0
CHAPTER 4

Controlling access time to services

As the Linux-PAM system said, running a well-regulated system occasionally involves restricting
access to certain services in a selective manner. The time.conf security file, which is provided
by the pam_time.so module of Linux, offers some time control for access to services offered by
a system. Its actions are determined through the configuration file called time.conf and located
under /etc/security directory.

Step 1
The time.conf file can be configured to deny access to (individual) users based on their name,
the time of day, the day of week, the service they are applying for and their terminal from which
they are making their request.

• Edit the time.conf file (vi /etc/security/time.conf), and add the following line:

login ; tty* & !ttyp* ; !root & gmourani ; !Al0000-2400

The above time control access line means to deny all user access to console-login at all times
except for the super-user 'root' and the user 'gmourani'.

Take a note that many combinations exist as described in the time.conf file, we can, for
example, allow user ‘admin’ to access the console-login any time except at the weekend and on
Tuesday from 8AM to 6PM with the following statement.

• Edit the time.conf file (vi /etc/security/time.conf), and add the following line:

login ; * ; !admin ; !Wd0000-2400 & Tu0800-1800

Step 2
To be able to use the time.conf feature of Linux, make sure to add the following line to
/etc/pam.d/system-auth and sshd if you use this service or nothing will work.

• Edit the system-auth file (vi /etc/pam.d/system-auth) and add the line.

account required /lib/security/pam_time.so

After adding the line above, the /etc/pam.d/system-auth file should look like this:

#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account required /lib/security/pam_access.so
account required /lib/security/pam_time.so
password required /lib/security/pam_cracklib.so retry=3 minlen=12 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so

session required /lib/security/pam_limits.so

session required /lib/security/pam_unix.so

111
Blocking; su to root, by one and sundry
The su (Substitute User) command allows you to become other existing users on the system. For
example you can temporarily become ‘root’ and execute commands as the super-user ‘root’.

Step 1
If you don’t want anyone to su to root or want to restrict the su command to certain users then
uncomment the following line of your su configuration file in the /etc/pam.d directory. We
highly recommend that you limit the persons allowed to su to the root account.

• Edit the su file (vi /etc/pam.d/su) and uncomment the following line in the file:

auth required /lib/security/pam_wheel.so use_uid

After this line has been uncommented, the /etc/pam.d/su file should look like this:

#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_wheel.so use_uid
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so

Which means only those who are members of the “wheel” group can su to root; it also includes
logging. Note that the “wheel” group is a special account on your system that can be used for
this purpose. You cannot use any group name you want to make this hack. This hack combined
with specifying which TTY and VC devices super-user root is allowed to login on will improve
your security a lot on the system.

Step 2
Now that we have defined the “wheel” group in our /etc/pam.d/su file configuration, it is time
to add some users who will be allowed to su to super-user “root” account.

• If you want to make, for example, the user “admin” a member of the “wheel” group, and
thus be able to su to root, use the following command:

[root@deep /]# usermod -G10 admin

Which means “G” is a list of supplementary groups, where the user is also a member of. “10” is
the numeric value of the user’s ID “wheel”, and “admin” is the user we want to add to the
“wheel” group. Use the same command above for all users on your system you want to be able
to su to super-user “root” account.

NOTE: For Linux users, who use the Xwindow interface, it is important to note that if you can't su
in a GNOME terminal, it’s because you’ve used the wrong terminal. (So don't think that this advice
doesn't work simply because of a GNOME terminal problem!)

112
 Pluggable Authentication Modules 0
CHAPTER 4

Facultative:
A special line exists in the su file /etc/pam.d/su which allows you to implicitly trust users in the
“wheel” group (for security reasons, I don’t recommend using this option). This mean that all
users who are members of the “wheel” group can su to root without the need to enter the
super-user “root” password.

• To allow users who are members of the “wheel” group to su to root account without the
need to enter the “root” password, edit the su file (vi /etc/pam.d/su) and
uncomment the following line in the file:

auth sufficient /lib/security/pam_wheel.so trust use_uid

After this line has been uncommented, the /etc/pam.d/su file should look like this:

#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
auth sufficient /lib/security/pam_wheel.so trust use_uid
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so

Using sudo instead of su for logging as super-user

There is a security tool called “sudo” that we discuss into this book. This security software allow
us to archive the same result as using the su command to get root privilege on the server but in
a more secure and informative way. With sudo installed in our server, we can get information
about who is connected as super-user root as well as many other useful features. Please see
the chapter related to this security program into this book for more information about sudo.

If you want to use sudo to allow and control which is allowed to logging as super-user root on
your server, then you no longer need to use the su command of Linux to archive this task and we
can remove the SUID bit on this command to completely disable su and use sudo.

This let us remove one more SUID bit on our secure server and have a more complete and
powerful security software to control access to super-user root. This is the method I highly
recommend you to use instead of the su command of Linux.

Step 1
To archive this result, we have to remove the SUID bit of the su command and install the sudo
security software as explained further down in this book. This also implies that we don’t need to
modify the above su configuration file on our system. To recap, all we need to do is to remove
the SUID bit on the su command, and install sudo in our server.

• To remove the SUID bit on the su binary, use the following command:
[root@deep /]# chmod a-s /bin/su

113
General Optimization
IN THIS CHAPTER

1. Static vs. shared libraries

2. The Glibc 2 library of Linux
3. Why Linux programs are distributed as source
4. Some misunderstanding in the compiler flags options
5. The gcc specs file
6. Striping all binaries and libraries files
7. Tuning IDE Hard Disk Performance
 General Optimization 0
CHAPTER 5

Linux General Optimization

Abstract
At this stage of your configuration, you should now have a Linux server optimally configured and
secured. Our server contains the most essential package and programs installed to be able to
work properly and the most essential general system security configuration. Before we continue
and begin to install the services we want to share with our customers, it is important to tune our
Linux server to make it runs faster.

The tuning we will perform in the following part will be applied to the whole system. It also applies
to present as well as future programs, such as services that we will later install. Generally, if you
don’t use an x386 Intel processor, Red Hat Linux out of the box is not optimized for your specific
CPU architecture (most people now run Linux on a Pentium processor). The sections below will
guide you through different steps to optimize your Linux server for your specific processor,
memory, and network.

Static vs. shared libraries

During compilation and build time of a program, the last stage (where all the parts of the program
are joined together) is to link the software through the Linux libraries if needed. These libraries,
which come in both shared and static formats, contain common system code which are kept in
one place and shared between programs. Obviously there are some tasks that many programs
will want to do, like opening files, and the codes that perform these functions are provided by the
Linux libraries. On many Linux system these libraries files can be found into the /lib,
/usr/lib, and /usr/share directories. The default behavior of Linux is to link shared and if it
cannot find the shared libraries, then is to link statically.

One of the differences between using static or shared libraries are: When using a static library,
the linker finds the bits that the program modules need, and directly copies them into the
executable output file that it generates. For shared libraries, it leaves a note in the output saying,
“When this program is run, it will first have to load this library”.

Performance-wise, for most systems, worrying about static vs. dynamic is a moot point. There
simply isn’t enough difference to measure.

Security-wise there are valid arguments both ways. Static linking is less secure because it locks
in the library bugs; unless you rebuild all such programs, your system won’t be properly secured.
Static linking is more secure because it avoids library attacks. The choice is yours: run a daemon
which will remain vulnerable to library attacks, or run one which remains vulnerable to library
bugs.

Portability-wise, the only difference is the size of the file you’ll be transferring between systems.

To make setup easier, a statically linked daemon is only needed when the libraries are
completely unavailable. That is rarely the case. Finally, on a busy system (when performance
becomes a true issue), by statically linking you’ll be DEGRADING performance. Being bigger, as
more and more statically linked daemons are running, your system begins to swap sooner and
since none of the code is shared, swapping will have a larger effect on performance. So, when
looking to improve performance, you’ll want to use shared libraries as much as possible.
<Gregory A Lundberg>

118
 General Optimization 0
CHAPTER 5

If you decide to compile program statically, you will generally need to add the “-static” and/or
“--disable-shared” options flag to your compile line during compilation of your software. Be
aware that it is not always possible to use and compile statically all programs, this highly depends
on how developers are coding and developed the software.

To resume:

1. If you want to compile program with shared libraries, you will use something like:
CFLAGS="-O2 -march=i686 -funroll-loops"; export CFLAGS
./Configure \

2. If you want to compile program with static libraries, you will use something like:
CFLAGS="-O2 –static -march=i686 -funroll-loops"; export CFLAGS
./Configure \
--disable-shared \

WARNING: On Linux, static libraries have names like libc.a, while shared libraries are called
libc.so.x.y.z where x.y.z is some form of version number since it would be quite a pain to
recompile programs each time the version number changed so instead programs reference
libraries by these shorter names and depend on the dynamic linker to make these shorter names
symlinks to the current version. Shared libraries often have links pointing to them.

The Glibc 2.2 library of Linux

The Glibc 2.2, which replaces the libc4 and libc5 that came before it, is the latest version
of the GNU C Library for Linux and it contains standard libraries used by multiple programs on the
system as described in the previous section. This particular package contains the most important
sets of shared and static libraries, which provides the core functionality for C programs to run and
without it, a Linux system would not function.

Under Red Hat Linux and most other Linux variant this package comes configured to run under
i386 processor for portability reasons and this will pose problems for us if we want to compile
programs under Linux because even if we have put in all the optimization flags we need to
improve the speed of our server, when the compiler includes static or shared libraries files to our
program, these library files will run optimized for an i386 processor.

In this case, our program will have some parts of its binaries optimized for an i686 processor (the
program itself) and another parts optimized for an i386 processor (the GLIBC libraries). To solve
the problem, you have to check inside your vendor CD-ROM media for available GLIBC RPM
packages made to run on i686 CPU architecture. All vendors known about this issue and provide
alternative GLIBC packages for i686 processors.

119
 General Optimization 0
CHAPTER 5

Why Linux programs are distributed as source

Linux has been ported to run on a large number of different machines and rather than provide a
copy for each machine Linux can run on, it's much simpler just to distribute the source and let the
end user compile it.

The creators of the distribution have no idea if you're going to be running it on a 386 or on a
Pentium III and above so they have to write programs that work on all processors and this is
where the problem comes, because all the programs that were installed with your distribution are
going to be compiled so they work on the 386 for portability, meaning that they don't use any new
feature like MMX which can only be found on newer generation of processors.

Fortunately, various compiler options exist to optimize program you want to install under Linux for
your specific CPU architecture. This is great for those of us that want to tweak every ounce of
performance out of the program, now we get to decide how the program is compiled. If you want
some speed out of your programs you've got to know a fair amount about the various option flags
you can use to compile.

The first thing you want to set is your CPU type, that's done with the “-march=cpu_type”
(processor machine architecture) flag, an example would be “-march=i686” or “-march=k6”,
this will allow the compiler to select the appropriate optimizations for the processor, but this is
only the beginning of what can be done.

You can set the “-O” flag anywhere from 1 to 3 to tell the compiler how aggressive to be with the
optimizations, “-O3” will produce the fastest programs assuming the compiler didn't optimize an
important part of a subroutine out. The next thing you might want to do is check out the “-f”
options of the compiler, these are things like “-funroll-loops”, and “-fomit-frame-
pointer”.

WARNING: Compiling with the “-fomit-frame-pointer” switch option will use the stack for
accessing variables. Unfortunately, debugging is almost impossible with this option. Also take
special attention to the above optimization number “-O3”; “O” is a capital o and not a 0 (zero).

What I recommend you to use for all software that you want to compile on your server is the
following optimizations FLAGS:

CFLAGS="-O2 -march=i686 -funroll-loops"

As you can see, I don’t use the “-O3” and “-fomit-frame-pointer” options because some
software have problem to run with these optimization options.

120
 General Optimization 0
CHAPTER 5

Some misunderstanding in the compiler flags options

At lot of discussions exist in the Linux community about the “-O” option and its level numbers.
Some Linux users try to convince that level number up to “-O3” like “-O9” will produce faster
program. The “-O9” flag doesn't do anything over “-O3”, if you don't believe me make a small file,
call it testO3.c and see:

Step 1
• Create the testO3.c file with the following command:
[root@deep tmp]# touch testO3.c

Step 2
• Run the GCC compiler with “-O3” flag through the testO3.c file with the command:
[root@deep tmp]# gcc -O3 -S -fverbose-asm testO3.c

Step 3
Look at testO3.s that it made, then run again with “-O9” and compare the output.

• Create the testO9.c file with the following command:

[root@deep tmp]# touch testO9.c

Step 4
• Run the GCC compiler again with “-O9” flag through the testO9.c file with command:
[root@deep tmp]# gcc -O9 -S -fverbose-asm testO9.c

Step 5
Now if you compare the output you will see no difference between the both files.

• To compare the output, use the following command:

[root@deep tmp]# diff testO3.s testO9.s > difference

WARNING: The “-O3” flag level number is the best and highest optimization flag you can use
during optimization of programs under Linux.

121
 General Optimization 0
CHAPTER 5

The gcc specs file

The /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs file of Red Hat Linux is a set of
defines that the gcc compiler uses internally to set various aspects of the compile environment.
All customizations that you put in this file will apply for the entire variable environment on your
system, so putting optimization flags in this file is a good choice.

To squeeze the maximum performance from your x86 programs, you can use full optimization
when compiling with the “-O3” flag. Many programs contain “-O2” in the Makefile. The “-O3”
level number is the highest level of optimization. It will increase the size of what it produces, but it
runs faster in most case. You can also use the “-march=cpu_type” switch to optimize the
program for the CPU listed to the best of GCC’s ability. However, the resulting code will only be run
able on the indicated CPU or higher.

Below are the optimization flags that we recommend you to put in your /usr/lib/gcc-
lib/i386-redhat-linux/2.96/specs file depending on your CPU architecture. The
optimization options apply only when we compile and install a new program in our server. These
optimizations don’t play any role in our Linux base system; it just tells our compiler to optimize the
new programs that we will install with the optimization flags we have specified in the
/usr/lib/gcc-lib/i386-redhat-linux/2.96/specs file. Adding options listed below
depending of your CPU architecture to the gcc 2.96 specs file will save you having to change
every CFLAGS in future Makefiles.

Step 1
The first thing to do is to verify the compiler version installed on your Linux server.

• To verify the compiler version installed on your system, use the command:
[root@deep /]# gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs
gcc version 2.96 20000731 (Red Hat Linux 7.3 2.96-110)

Step 2
For CPU i686 or PentiumPro, Pentium II, Pentium III, and Athlon
Edit the /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs file, scroll down a ways...
You'll see a section like the following:

*cpp_cpu_default:
-D__tune_i386__

*cpp_cpu:
-Acpu(i386) -Amachine(i386) %{!ansi:-Di386} -D__i386 -D__i386__
%{march=i386:%{!mcpu*:-D__tune_i386__ }}%{march=i486:-D__i486 -D__i486__
%{!mcpu*:-D__tune_i486__ }}%{march=pentium|march=i586:-D__pentium -D__pentium__
%{!mcpu*:-D__tune_pentium__ }}%{march=pentiumpro|march=i686:-D__pentiumpro -
D__pentiumpro__ %{!mcpu*:-D__tune_pentiumpro__ }}%{march=k6:-D__k6 -D__k6__
%{!mcpu*:-D__tune_k6__ }}%{march=athlon:-D__athlon -D__athlon__ %{!mcpu*:-
D__tune_athlon__ }}%{m386|mcpu=i386:-D__tune_i386__ }%{m486|mcpu=i486:-
D__tune_i486__ }%{mpentium|mcpu=pentium|mcpu=i586:-D__tune_pentium__
}%{mpentiumpro|mcpu=pentiumpro|mcpu=i686:-D__tune_pentiumpro__ }%{mcpu=k6:-
D__tune_k6__ }%{mcpu=athlon:-D__tune_athlon__
}%{!march*:%{!mcpu*:%{!m386:%{!m486:%{!mpentium*:%(cpp_cpu_default)}}}}}

*cc1_cpu:
%{!mcpu*: %{m386:-mcpu=i386} %{m486:-mcpu=i486} %{mpentium:-mcpu=pentium}
%{mpentiumpro:-mcpu=pentiumpro}}

122
 General Optimization 0
CHAPTER 5

Change it for the following:

*cpp_cpu_default:
-D__tune_i686__

*cpp_cpu:
-Acpu(i386) -Amachine(i386) %{!ansi:-Di386} -D__i386 -D__i386__
%{march=i386:%{!mcpu*:-D__tune_i386__ }}%{march=i486:-D__i486 -D__i486__
%{!mcpu*:-D__tune_i486__ }}%{march=pentium|march=i586:-D__pentium -D__pentium__
%{!mcpu*:-D__tune_pentium__ }}%{march=pentiumpro|march=i686:-D__pentiumpro -
D__pentiumpro__ %{!mcpu*:-D__tune_pentiumpro__ }}%{march=k6:-D__k6 -D__k6__
%{!mcpu*:-D__tune_k6__ }}%{march=athlon:-D__athlon -D__athlon__ %{!mcpu*:-
D__tune_athlon__ }}%{m386|mcpu=i386:-D__tune_i386__ }%{m486|mcpu=i486:-
D__tune_i486__ }%{mpentium|mcpu=pentium|mcpu=i586:-D__tune_pentium__
}%{mpentiumpro|mcpu=pentiumpro|mcpu=i686:-D__tune_pentiumpro__ }%{mcpu=k6:-
D__tune_k6__ }%{mcpu=athlon:-D__tune_athlon__
}%{!march*:%{!mcpu*:%{!m386:%{!m486:%{!mpentium*:%(cpp_cpu_default)}}}}}

*cc1_cpu:
%{!mcpu*: -O2 -march=i686 -funroll-loops %{m386:-mcpu=i386} %{m486:-mcpu=i486}
%{mpentium:-mcpu=pentium} %{mpentiumpro:-mcpu=pentiumpro}}

WARNING: Make sure that you’re putting –O2 and not -02 (dash zero three).

For CPU i586 or Pentium

Edit the /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs file, scroll down a ways...
You'll see a section like the following:

*cpp_cpu_default:
-D__tune_i386__

*cpp_cpu:
-Acpu(i386) -Amachine(i386) %{!ansi:-Di386} -D__i386 -D__i386__
%{march=i386:%{!mcpu*:-D__tune_i386__ }}%{march=i486:-D__i486 -D__i486__
%{!mcpu*:-D__tune_i486__ }}%{march=pentium|march=i586:-D__pentium -D__pentium__
%{!mcpu*:-D__tune_pentium__ }}%{march=pentiumpro|march=i686:-D__pentiumpro -
D__pentiumpro__ %{!mcpu*:-D__tune_pentiumpro__ }}%{march=k6:-D__k6 -D__k6__
%{!mcpu*:-D__tune_k6__ }}%{march=athlon:-D__athlon -D__athlon__ %{!mcpu*:-
D__tune_athlon__ }}%{m386|mcpu=i386:-D__tune_i386__ }%{m486|mcpu=i486:-
D__tune_i486__ }%{mpentium|mcpu=pentium|mcpu=i586:-D__tune_pentium__
}%{mpentiumpro|mcpu=pentiumpro|mcpu=i686:-D__tune_pentiumpro__ }%{mcpu=k6:-
D__tune_k6__ }%{mcpu=athlon:-D__tune_athlon__
}%{!march*:%{!mcpu*:%{!m386:%{!m486:%{!mpentium*:%(cpp_cpu_default)}}}}}

*cc1_cpu:
%{!mcpu*: %{m386:-mcpu=i386} %{m486:-mcpu=i486} %{mpentium:-mcpu=pentium}
%{mpentiumpro:-mcpu=pentiumpro}}

Change it for the following:

*cpp_cpu_default:
-D__tune_i586__

*cpp_cpu:
-Acpu(i386) -Amachine(i386) %{!ansi:-Di386} -D__i386 -D__i386__
%{march=i386:%{!mcpu*:-D__tune_i386__ }}%{march=i486:-D__i486 -D__i486__
%{!mcpu*:-D__tune_i486__ }}%{march=pentium|march=i586:-D__pentium -D__pentium__
%{!mcpu*:-D__tune_pentium__ }}%{march=pentiumpro|march=i686:-D__pentiumpro -

123
 General Optimization 0
CHAPTER 5

D__pentiumpro__ %{!mcpu*:-D__tune_pentiumpro__ }}%{march=k6:-D__k6 -D__k6__

%{!mcpu*:-D__tune_k6__ }}%{march=athlon:-D__athlon -D__athlon__ %{!mcpu*:-
D__tune_athlon__ }}%{m386|mcpu=i386:-D__tune_i386__ }%{m486|mcpu=i486:-
D__tune_i486__ }%{mpentium|mcpu=pentium|mcpu=i586:-D__tune_pentium__
}%{mpentiumpro|mcpu=pentiumpro|mcpu=i686:-D__tune_pentiumpro__ }%{mcpu=k6:-
D__tune_k6__ }%{mcpu=athlon:-D__tune_athlon__
}%{!march*:%{!mcpu*:%{!m386:%{!m486:%{!mpentium*:%(cpp_cpu_default)}}}}}

*cc1_cpu:
%{!mcpu*: -O2 -march=i586 -funroll-loops %{m386:-mcpu=i386} %{m486:-mcpu=i486}
%{mpentium:-mcpu=pentium} %{mpentiumpro:-mcpu=pentiumpro}}

WARNING: Make sure that you’re putting –O2 and not -02 (dash zero three).

For CPU i486

Edit the /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs file, scroll down a ways...
You'll see a section like the following:

*cpp_cpu_default:
-D__tune_i386__

*cpp_cpu:
-Acpu(i386) -Amachine(i386) %{!ansi:-Di386} -D__i386 -D__i386__
%{march=i386:%{!mcpu*:-D__tune_i386__ }}%{march=i486:-D__i486 -D__i486__
%{!mcpu*:-D__tune_i486__ }}%{march=pentium|march=i586:-D__pentium -D__pentium__
%{!mcpu*:-D__tune_pentium__ }}%{march=pentiumpro|march=i686:-D__pentiumpro -
D__pentiumpro__ %{!mcpu*:-D__tune_pentiumpro__ }}%{march=k6:-D__k6 -D__k6__
%{!mcpu*:-D__tune_k6__ }}%{march=athlon:-D__athlon -D__athlon__ %{!mcpu*:-
D__tune_athlon__ }}%{m386|mcpu=i386:-D__tune_i386__ }%{m486|mcpu=i486:-
D__tune_i486__ }%{mpentium|mcpu=pentium|mcpu=i586:-D__tune_pentium__
}%{mpentiumpro|mcpu=pentiumpro|mcpu=i686:-D__tune_pentiumpro__ }%{mcpu=k6:-
D__tune_k6__ }%{mcpu=athlon:-D__tune_athlon__
}%{!march*:%{!mcpu*:%{!m386:%{!m486:%{!mpentium*:%(cpp_cpu_default)}}}}}

*cc1_cpu:
%{!mcpu*: %{m386:-mcpu=i386} %{m486:-mcpu=i486} %{mpentium:-mcpu=pentium}
%{mpentiumpro:-mcpu=pentiumpro}}

Change it for the following:

*cpp_cpu_default:
-D__tune_i486__

*cpp_cpu:
-Acpu(i386) -Amachine(i386) %{!ansi:-Di386} -D__i386 -D__i386__
%{march=i386:%{!mcpu*:-D__tune_i386__ }}%{march=i486:-D__i486 -D__i486__
%{!mcpu*:-D__tune_i486__ }}%{march=pentium|march=i586:-D__pentium -D__pentium__
%{!mcpu*:-D__tune_pentium__ }}%{march=pentiumpro|march=i686:-D__pentiumpro -
D__pentiumpro__ %{!mcpu*:-D__tune_pentiumpro__ }}%{march=k6:-D__k6 -D__k6__
%{!mcpu*:-D__tune_k6__ }}%{march=athlon:-D__athlon -D__athlon__ %{!mcpu*:-
D__tune_athlon__ }}%{m386|mcpu=i386:-D__tune_i386__ }%{m486|mcpu=i486:-
D__tune_i486__ }%{mpentium|mcpu=pentium|mcpu=i586:-D__tune_pentium__
}%{mpentiumpro|mcpu=pentiumpro|mcpu=i686:-D__tune_pentiumpro__ }%{mcpu=k6:-
D__tune_k6__ }%{mcpu=athlon:-D__tune_athlon__
}%{!march*:%{!mcpu*:%{!m386:%{!m486:%{!mpentium*:%(cpp_cpu_default)}}}}}

*cc1_cpu:

124
 General Optimization 0
CHAPTER 5

%{!mcpu*: -O2 -march=i486 -funroll-loops %{m386:-mcpu=i386} %{m486:-mcpu=i486}

%{mpentium:-mcpu=pentium} %{mpentiumpro:-mcpu=pentiumpro}}

WARNING: Make sure that you’re putting –O2 and not -02 (dash zero three).

For CPU AMD K6 or K6-2

Edit the /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs file, scroll down a ways...
You'll see a section like the following:

*cpp_cpu_default:
-D__tune_i386__

*cpp_cpu:
-Acpu(i386) -Amachine(i386) %{!ansi:-Di386} -D__i386 -D__i386__
%{march=i386:%{!mcpu*:-D__tune_i386__ }}%{march=i486:-D__i486 -D__i486__
%{!mcpu*:-D__tune_i486__ }}%{march=pentium|march=i586:-D__pentium -D__pentium__
%{!mcpu*:-D__tune_pentium__ }}%{march=pentiumpro|march=i686:-D__pentiumpro -
D__pentiumpro__ %{!mcpu*:-D__tune_pentiumpro__ }}%{march=k6:-D__k6 -D__k6__
%{!mcpu*:-D__tune_k6__ }}%{march=athlon:-D__athlon -D__athlon__ %{!mcpu*:-
D__tune_athlon__ }}%{m386|mcpu=i386:-D__tune_i386__ }%{m486|mcpu=i486:-
D__tune_i486__ }%{mpentium|mcpu=pentium|mcpu=i586:-D__tune_pentium__
}%{mpentiumpro|mcpu=pentiumpro|mcpu=i686:-D__tune_pentiumpro__ }%{mcpu=k6:-
D__tune_k6__ }%{mcpu=athlon:-D__tune_athlon__
}%{!march*:%{!mcpu*:%{!m386:%{!m486:%{!mpentium*:%(cpp_cpu_default)}}}}}

*cc1_cpu:
%{!mcpu*: %{m386:-mcpu=i386} %{m486:-mcpu=i486} %{mpentium:-mcpu=pentium}
%{mpentiumpro:-mcpu=pentiumpro}}

Change it for the following:

*cpp_cpu_default:
-D__tune_k6__

*cpp_cpu:
-Acpu(i386) -Amachine(i386) %{!ansi:-Di386} -D__i386 -D__i386__
%{march=i386:%{!mcpu*:-D__tune_i386__ }}%{march=i486:-D__i486 -D__i486__
%{!mcpu*:-D__tune_i486__ }}%{march=pentium|march=i586:-D__pentium -D__pentium__
%{!mcpu*:-D__tune_pentium__ }}%{march=pentiumpro|march=i686:-D__pentiumpro -
D__pentiumpro__ %{!mcpu*:-D__tune_pentiumpro__ }}%{march=k6:-D__k6 -D__k6__
%{!mcpu*:-D__tune_k6__ }}%{march=athlon:-D__athlon -D__athlon__ %{!mcpu*:-
D__tune_athlon__ }}%{m386|mcpu=i386:-D__tune_i386__ }%{m486|mcpu=i486:-
D__tune_i486__ }%{mpentium|mcpu=pentium|mcpu=i586:-D__tune_pentium__
}%{mpentiumpro|mcpu=pentiumpro|mcpu=i686:-D__tune_pentiumpro__ }%{mcpu=k6:-
D__tune_k6__ }%{mcpu=athlon:-D__tune_athlon__
}%{!march*:%{!mcpu*:%{!m386:%{!m486:%{!mpentium*:%(cpp_cpu_default)}}}}}

*cc1_cpu:
%{!mcpu*: -O2 -march=k6 -funroll-loops %{m386:-mcpu=i386} %{m486:-mcpu=i486}
%{mpentium:-mcpu=pentium} %{mpentiumpro:-mcpu=pentiumpro}}

WARNING: Make sure that you’re putting –O2 and not -02 (dash zero three).

125
 General Optimization 0
CHAPTER 5

Step3
Once our optimization flags have been applied to the gcc 2.96 specs file, it time to verify if the
modification work.

• To verify if the optimization work, use the following commands:

[root@deep tmp]# touch cpu.c
[root@deep tmp]# gcc cpu.c -S -fverbose-asm
[root@deep tmp]# less cpu.s

What you'll get is a file that contains depending of options you have chose, something like:

.file "ccnVPjeW.i"
.version "01.01"
# GNU C version 2.96 20000731 (Red Hat Linux 7.3 2.96-110) (i386-redhat-linux)
compiled by GNU C version 2.96 20000731 (Red Hat Linux 7.3 2.96-110).
# options passed: -O2 -march=i686 -funroll-loops -fverbose-asm
# options enabled: -fdefer-pop -foptimize-sibling-calls -fcse-follow-jumps
# -fcse-skip-blocks -fexpensive-optimizations -fthread-jumps
# -fstrength-reduce -funroll-loops -fpeephole -fforce-mem -ffunction-cse
# -finline -fkeep-static-consts -fcaller-saves -fpcc-struct-return -fgcse
# -frerun-cse-after-loop -frerun-loop-opt -fdelete-null-pointer-checks
# -fschedule-insns2 -fsched-interblock -fsched-spec -fbranch-count-reg
# -fnew-exceptions -fcommon -fverbose-asm -fgnu-linker -fregmove
# -foptimize-register-move -fargument-alias -fstrict-aliasing
# -fmerge-constants -fident -fpeephole2 -fmath-errno -m80387 -mhard-float
# -mno-soft-float -mieee-fp -mfp-ret-in-387 -march=i686

gcc2_compiled.:
.ident "GCC: (GNU) 2.96 20000731 (Red Hat Linux 7.3 2.96-110)"

WARNING: In our example we are optimized the specs file for a i686 CPU processor. It is important
to note that most of the “-f” options are automatically included when you use “-O2” and don't
need to be specified again. The changes that were shown were made so that a command like
"gcc" would really be the command "gcc -march=i686" without having to change every single
Makefile which can really be a pain.

Below is the explanation of the different optimization options we use:

• The “-march=cpu_type” optimization flag

The “-march=cpu_type” optimization option will set the default CPU to use for the
machine type when scheduling instructions.

• The “-funroll-loops” optimization flag

The “-funroll-loops” optimization option will perform the optimization of loop
unrolling and will do it only for loops whose number of iterations can be determined at
compile time or run time.

• The “-fomit-frame-pointer” optimization flag

The “-fomit-frame-pointer” optimization option, one of the most interesting, will
allow the program to not keep the frame pointer in a register for functions that don't need
one. This avoids the instructions to save, set up and restores frame pointers; it also
makes an extra register available in many functions and makes debugging impossible on
most machines.

126
 General Optimization 0
CHAPTER 5

WARNING: All future optimizations that we will describe in this book refer by default to a Pentium
PRO/II/III and higher i686 CPU family. So you must adjust the compilation flags for your specific
CPU processor type in the /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs file and
during your compilation time.

Striping all binaries and libraries files

When compiler builds program it add many comments and other stuffs inside the resulting binary
and library code which are used to debug application on the system or to make the code more
readable by developers. To get the latest bit of optimization, we can remove all comments and
other unneeded stuffs since there are only used for debugging purpose. This will make the
software runs a little bit faster because it will have fewer codes to read when executing.

I don’t know if it’s a good idea to talk about this hack because it’s really dangerous to apply and
can make your system unstable or completely unworkable if you don’t take care of what you do.
The process of eliminating all unneeded comments and other unneeded stuffs from your binaries
and libraries files is made by the use of the strip command of Linux. This command should be
used with care and in the good manner or you will certainly have a bad surprise.

Bellow, I will explain you how to apply it on your system and on which files or where you should
use it. It is very important to know that it’s NOT all binaries and especially libraries files that need
to be striped by this method but ONLY some of them. If you apply this hack on your entire
system, then something will inevitably break, you have been warned.

Finally, you should use this hack on servers where you DON’T compile software. If you compile
software on the server where you want to apply this hack, then nothing will work and you will not
be able to compile any software on it. Use this hack on server which doesn’t have any compiler
packages installed to make compilation.

Step 1
The first step in our procedure will be to be sure that the strip command is available on our
server; this command comes from the “binutils” RPM package. Therefore, if it is not installed,
install it from your CD-ROM.

Step 2
Once the strip program is installed on our server, it’s time to strip the required files. With the
commands below, we strip all binaries program available under the /bin, /sbin, /usr/bin and
/usr/sbin directories of your server.

• To strip all binaries program, use the following commands:

[root@deep /]# strip /bin/*
[root@deep /]# strip /sbin/*
[root@deep /]# strip /usr/bin/*
[root@deep /]# strip /usr/sbin/*

NOTE: When issuing the above commands, you will receive some error messages like “File
format not recognized” on your terminal. This is normal because some of the binaries files
are symbolic link pointing to other binaries on your system and the strip command generate the
warning because it cannot strip symbolic links.

127
 General Optimization 0
CHAPTER 5

Step 3
Now, it’s time to strip the libraries files. This is where the action can become dangerous if you
don’t take care or abuse the strip command. With the commands below, we strip all libraries
files available under the /lib and /usr/lib directory of the system.

• To strip all libraries files, use the following command:

[root@deep /]# strip -R .comment /usr/lib/*.so.*
[root@deep /]# strip -R .comment /lib/*.so.*

NOTE: Make attention to the above command, you can see here that I use the “-R” option with the
strip command. This option allows us to select a specific name to strip from the target libraries
files. With the “.comment” name, we inform the command to remove any lines inside the libraries
codes where this name appears. You can see that I don’t use the strip command without any
option as I do for the above step related to binaries program. This is very important and you
should never use the strip command without the above option to strip libraries files on your
system.

Tuning IDE Hard Disk Performance

Accessing a hard disk can be 50 to 100 times slower than reading data from RAM. File caches
using RAM can alleviate this. However, low memory conditions will reduce the amount of memory
available for the file-system cache slowing things down. File systems can also become heavily
fragmented, slowing down disk accesses. Heavy use of symbolic links on Unix systems can slow
down disk accesses too.

Default Linux installs are also notorious for setting hard disk default settings which are tuned for
compatibility and not for speed. Use the command hdparm to tune your Linux hard disk settings.

The hdparm is a tool, which can be used to tune and improve the performance of your IDE hard
disk. By default, any IDE drives you have in your Linux system are not optimized. Even if you
have an ULTRA DMA system you will not be able to take full advantage of its speed if you are not
using the hdparm tool to enable its features. This is because there is many different hard drive
makes and models and Linux cannot know every feature of each one.

Performance increases have been reported on massive disk I/O operations by setting the IDE
drivers to use DMA, 32-bit transfers and multiple sector modes. The kernel seems to use more
conservative settings unless told otherwise. The magic command to change the setting of your
drive is hdparm.

Before going into the optimization of your hard drive, it is important to verify that the hdparm
package is installed in your system. If you have followed every step during the installation of
Linux on your computer, then this package is not installed.

To verify if hdparm package is installed on your system, use the command:

[root@deep /]# rpm -q hdparm
package hdparm is not installed

If the hdparm package seems not to be installed, you’ll need to mount your CD-ROM drive
containing the Linux CD-ROM Part 1 and install it.

128
 General Optimization 0
CHAPTER 5

• To mount the CD-ROM drive, use the following commands:

[root@deep /]# mount /dev/cdrom /mnt/cdrom/
had: ATAPI 32X CD-ROM drive, 128kB Cache
mount: block device dev/cdrom is write-protected, mounting read-only

• To install the hdparm package on your Linux system, use the following command:
[root@deep /]# cd /mnt/cdrom/RedHat/RPMS/
[root@deep RPMS]# rpm -Uvh hdparm-version.i386.rpm
hdparm ##################################################

• To unmount your CD-ROM drive, use the following command:

[root@deep RPMS]# cd /; umount /mnt/cdrom/

Once hdparm package is installed on the system, it is time to go into the optimization of your
hard drive. It is important to note that depending on your model and make, there will be some
parameters that will apply and other that don’t. It is to your responsibility to know and understand
your disk drive before applying any optimization parameters as described below.

Finally, and especially for UltraDMA systems, it is vital to verify under your BIOS settings if the
parameters related to DMA support on your computer are enabled or you will inevitably break your
hard disk. You have been warned.

Step 1
The first parameter applies to the majority of all modern drives and models in the market and
enables 32-bit I/O over PCI buses. This option is one of the most important and will usually
double the speed of your drive.

• To enable 32-bit I/O over the PCI buses, use the following command:
[root@deep /]# /sbin/hdparm -c3 /dev/hda (or hdb, hdc etc).

This will usually, depending on your IDE Disk Drive model, cut the timing buffered disk reads time
by two. The hdparm (8) manpage says that you may need to use “-c3” for many chipsets since it
works with nearly all 32-bit IDE chipsets. All (E)IDE drives still have only a 16-bit connection
over the ribbon cable from the interface card.

Step 2
The second parameter applies only on standard DMA disk and will activate the simple DMA feature
of the disk. This feature is for old disk drives with DMA capabilities.

• To enable DMA, use the following command:

[root@deep /]# /sbin/hdparm -d1 /dev/hda (or hdb, hdc etc).

This may depend on support for your motherboard chipset being compiled into your kernel. Also,
this command will enable DMA support for your hard drive only for interfaces which support DMA, it
will cut the timing buffered disk reads time and will improve the performance by two.

129
 General Optimization 0
CHAPTER 5

Step 3
Multiword DMA mode 2, also known as ATA2 disk drive is the successor of the simple DMA drive. If
you have this kind of hard drive, then you must enable the parameter in your Linux system.

• To enable multiword DMA mode 2 transfers, use the following command:

[root@deep /]# /sbin/hdparm -d1 -X34 /dev/hda (or hdb, hdc etc).

This sets the IDE transfer mode for newer (E)IDE/ATA2 drives. (Check your hardware manual
to see if you have it).

Step 4
As for DMA mode 2, the UltraDMA mode 2 is an improvement of the DMA technology. If you have
this kind of drive in your system, then choose this mode.

• To enable UltraDMA mode 2 transfers, use the following command:

[root@deep /]# /sbin/hdparm -d1 -X66 /dev/hda (or hdb, hdc etc)

See your manual page about hdparm for more information. USE THIS OPTION WITH EXTREME
CAUTION!

Step 5
The UltraDMA mode 4 is one of the latest entries and one of the most popular at this time; it is
also known and referred as ATA/66. I guess that most of you have this kind of drive installed and
if it is the case then it is the one that you must choose for sure.

• To enable UltraDMA mode4 transfers, use the following command:

[root@deep /]# /sbin/hdparm -d1 -X12 -X68 /dev/hda (or hdb, hdc etc)

This will enable UltraDMA ATA/66 mode on your drive. See your manual page about hdparm
for more information. USE THIS OPTION WITH EXTREME CAUTION!

Step 6
Multiple sector mode (aka IDE Block Mode), is a feature of most modern IDE hard drives,
permitting the transfer of multiple sectors per I/O interrupt, rather than the usual one sector per
interrupt. When this feature is enabled, it typically reduces operating system overhead for disk I/O
by 30-50%. On many systems it also provides increased data throughput of anywhere from 5% to
50%.

• To set multiple sector mode I/O, use the following command:

[root@deep /]# /sbin/hdparm -mXX /dev/hda (or hdb, hdc etc)

Where “XX” represent the maximum setting supported by your drive. The “-i” flag can be used to
find the maximum setting supported by an installed drive: look for MaxMultSect in the output.

130
 General Optimization 0
CHAPTER 5

• To find the maximum setting of your drive, use the following command:
[root@deep /]# /sbin/hdparm -i /dev/hda (or hdb, hdc etc)

/dev/hda:

Model=QUANTUM FIREBALLP LM15, FwRev=A35.0700, SerialNo=883012661990

Config={ HardSect NotMFM HdSw>15uSec Fixed DTR>10Mbs }
RawCHS=16383/16/63, TrkSize=32256, SectSize=21298, ECCbytes=4
BuffType=3(DualPortCache), BuffSize=1900kB, MaxMultSect=16, MultSect=16
DblWordIO=no, OldPIO=2, DMA=yes, OldDMA=2
CurCHS=16383/16/63, CurSects=-66060037, LBA=yes, LBAsects=29336832
tDMA={min:120,rec:120}, DMA modes: mword0 mword1 mword2
IORDY=on/off, tPIO={min:120,w/IORDY:120}, PIO modes: mode3 mode4
UDMA modes: mode0 mode1 mode2 mode3 *mode4

Step 7
The get/set sector count is used to improve performance in sequential reads of large files! The
default setting is 8 sectors (4KB) and we will double and change it for 16. USE THIS OPTION
WITH EXTREME CAUTION!

• To improve the get/set sector count for file system read-ahead, use the command:
[root@deep /]# /sbin/hdparm -a16 /dev/hda (or hdb, hdc etc)

Step 8
The get/set interrupt-unmask flag will greatly improve Linux's responsiveness and eliminates
"serial port overrun" errors. USE THIS OPTION WITH EXTREME CAUTION!

• To improve and get/set interrupt-unmask flag for the drive, use the command:
[root@deep /]# /sbin/hdparm -u1 /dev/hda (or hdb, hdc etc)

Step 9
The IDE drive's write-caching feature will improve the performance of the hard disk. USE THIS
OPTION WITH EXTREME CAUTION!

• To enable the IDE drive's write-caching feature, use the following command:
[root@deep /]# /sbin/hdparm -W1 /dev/hda (or hdb, hdc etc)

Step 10
These options will allow the drive to retain your settings over a soft reset (as done during the error
recovery sequence). It is important to note that not all drives support this feature.

• To enables the drive to retain your settings, use the command:

[root@deep /]# /sbin/hdparm -K1 -k1 /dev/hda (or hdb, hdc etc)

131
 General Optimization 0
CHAPTER 5

Step 11
Once every tuning related to your specific drive have been set, you can test the results and see if
you want to keep them or not.

• You can test the results of your changes by running hdparm in performance test mode:
[root@deep /]# /sbin/hdparm -vtT /dev/hda (or hdb, hdc etc).

/dev/hda:
multcount = 16 (on)
I/O support = 3 (32-bit w/sync)
unmaskirq = 1 (on)
using_dma = 1 (on)
keepsettings = 1 (on)
nowerr = 0 (off)
readonly = 0 (off)
readahead = 16 (on)
geometry = 1826/255/63, sectors = 29336832, start = 0
Timing buffer-cache reads: 128 MB in 0.85 seconds = 150.59 MB/sec
Timing buffered disk reads: 64 MB in 2.54 seconds = 25.20 MB/sec

Once you have a set of hdparm options, you can put the commands in your /etc/rc.local file
to run it every time you reboot the machine. When running from /etc/rc.local, you can add
the “-q” option for reducing screen clutter. In my case, I will put the following configuration in the
end of my rc.local file:

/sbin/hdparm -q -c3 -d1 -X12 -X68 -m16 -a16 -u1 -W1 -k1 -K1 /dev/had

132
Kernel Security & Optimization
IN THIS CHAPTER

1. Difference between a Modularized Kernel and a Monolithic Kernel

2. Making an emergency boot floppy
3. Preparing the Kernel for the installation
4. Applying the Grsecurity kernel patch
5. Obtaining and Installing Grsecurity
6. Tuning the Kernel
7. Cleaning up the Kernel
8. Configuring the Kernel
9. Compiling the Kernel
10. Installing the Kernel
11. Verifying or upgrading your boot loader
12. Reconfiguring /etc/modules.conf file
13. Rebooting your system to load the new kernel
14. Delete programs, edit files pertaining to modules
15. Making a new rescue floppy for Modularized Kernel
16. Making a emergency boot floppy disk for Monolithic Kernel
 Kernel Security & Optimization 0
CHAPTER 6

Linux Kernel

Abstract
Well, our Linux server seems to be getting in shape now! But wait, what is the most important part
of our server? Yes, it’s the kernel. The Linux kernel is the core of our operating system, and
without it there is no Linux at all. So we must configure the kernel to fit our needs and compile
only the features we really need.

The new generation of Linux Kernel 2.4 was seemingly written with the server in mind. Many of
the old limits, which prevented Linux being adopted in the “enterprise” market, have been lifted.
The first thing to do next is to build a kernel that best suits your system. It’s very simple to do but,
in any case, refer to the README file in the /usr/src/linux source directory after
uncompressing the archive on your system. When configuring your kernel, only compile in code
that you need. A few reasons that come to mind are:

The Kernel will be faster (less code to run);

You will have more memory (Kernel parts are NEVER swapped to the virtual memory);

More stable (Ever probed for a non-existent card?);

Unnecessary parts can be used by an attacker to gain access to the machine or other
machines on the network.

Modules are also slower than support compiled directly in the kernel.

In our configuration and compilation we will firstly show you how to build a monolithic kernel,
which is the recommended method for better performance and security and a modularized
kernel for easily portability between different Linux systems. Monolithic kernel means to
only answer yes or no to the questions (don’t make anything modular) and omits the steps: make
modules and make modules_install.

Difference between a Modularized Kernel and a Monolithic Kernel

I don't want to go into deeply technical descriptions here. I'll try to stay as simple as I can in my
explanation, this will allow us to better understand the differences. Firstly, it is evident that not all
computers are identical; someone may have a new computer with the latest processor, a lot of
memory, running on a SCSI sub-system with a good motherboard, where others may have an old
computer with an older Pentium II processor, 128 MB of memory, on an IDE sub-system with a
standard motherboard. These differences push kernel developers to constantly add or update for
new drivers and features into the kernel code and are one of the reasons why a Modularized
Kernel exists.

Without all of those differences, it would be simple to provide a kernel where all the drivers and
features are already included, but this is impossible because we all have different computers.
Someone may say: “ok we can include all presently available drivers and features into the kernel
and it will run on any computer”. This approach poses some problems. Firstly, it will make the
kernel binary bigger and slower. Secondly, the Kernel will probe for nonexistent hardware,
features and maintenance of other programs that directly depend on the kernel and will become
more complicated.

135
 Kernel Security & Optimization 0
CHAPTER 6

A solution was found and this was the Modularized Kernel approach. A technique that allows
small pieces of compiled code to be inserted in or removed from the running kernel. In this way
the Kernel will only load and run drivers and features that your computer have and will forget
about the others. This practice is what all Linux vendors use to provide Linux kernels. They build
and link every driver and feature as a module (which keeps the binary kernel smaller) that can be
recognized and loaded if, and only if, they are needed by the kernel or the system.

Kernel developers provide the ability to build a Modularized kernel, through an option that asks
you during kernel configuration if you want to build the available drivers/features as a module.
This option appears at the beginning of the Kernel configuration in the following form "Enable
loadable module support (CONFIG_MODULES) [Y/n/?]". If you answer "Yes" here,
then the compiled Kernel will be a Modularized Kernel and all future questions appearing during
kernel configuration will give you the choice to compile the drivers/features into the Kernel code
as a module by answering "m" for module, "y" for yes includes the code, or "n" do not include the
code. Alternatively, if you answer "No" to the question "Enable loadable module support
(CONFIG_MODULES) [Y/n/?]", then the corresponding Kernel will be a Monolithic kernel and
all future questions appearing during kernel configuration will let you answer either "y" (yes,
include the driver/feature) or "n" (no, do not include the drivers/feature). This allows you to build a
Kernel where every driver/feature is compiled into it.

To recap, Modularized Kernels allow small pieces of compiled code, which reside under the
/lib/modules/2.4.x-x/ kernel directory to be inserted into or removed from the running
kernel and a Monolithic Kernel contains the drivers/features into its compiled code.

Some people will say that a loadable module is as good as hard-linked code. But what sort of
speed difference is seen when using loadable modules instead of hard-linked code? Well, here’s
an extract of the kernel mailing list archive:

The immediate response from some was "almost nothing," but further consideration has shown
this not to be true. There are, in fact, a number of costs associated with loadable modules. The
biggest, perhaps, relates to how loadable modules are placed in kernel memory. The code for a
module needs to live in a contiguous address space. The kernel sets up that address space with
a function called vmalloc, which allocates memory with virtual addresses. In other words, a
loadable module is in an address space that is visible to the kernel, but which is separate from
where the core kernel code goes. This difference is important. The core kernel address space is a
direct map of physical memory; it can be handled very efficiently in the processor's page table.
Indeed, on some processors, a single page table entry covers the entire kernel. Space obtained
from vmalloc, instead, uses one page table entry per memory page. A greater number of page
table entries mean more lookups, and more translation buffer misses.

One estimate is that the slowdown can be as much as 5%. Given this problem, why not load
modules into the regular kernel memory space? Module code requires a contiguous address
space. Since the standard kernel space is a direct map of physical memory, contiguous address
spaces must also be contiguous in physical memory. Once the system has been running for a
while, finding even two physically contiguous pages can be a challenge; finding enough to load a
large module can be almost impossible. Modules also seem to have endemic problems with race
conditions - it is possible, for example, for the kernel to attempt to access a newly-loaded module
before it is fully initialized. Modules can also, in some situations, be removed while still in use.
Such occurrences are obviously quite rare, but they can be catastrophic when they happen. The
race conditions can be fixed with enough work, but that may require changing some fundamental
kernel interfaces. In general, dealing with loadable modules is not an easy task; as one kernel
hacker told us in a private message: "Doing live surgery on the kernel is never going to be pretty."

136
 Kernel Security & Optimization 0
CHAPTER 6

These installation instructions assume

Commands are Unix-compatible.
The source path is /usr/src.
Installations were tested on OpenNA Linux & Red Hat Linux 7.3.
All steps in the installation will happen using the super-user account “root”.
Latest Kernel version number is 2.4.18

The procedures given in this chapter are likely to work on all Linux platforms, but we have only
tested it on OpenNA Linux and Red Hat Linux.

Packages
The following is based on information listed by the Linux Kernel Archives as of 2002/06/04.
Please check http://www.kernel.org/ regularly for the latest status. We chose to install from
source because it provides the facility to fine tune the installation.

Source code is available from:

Kernel Homepage: http://www.kernel.org/
Kernel FTP Site: 204.152.189.116
You must be sure to download: linux-2.4.18.tar.gz

Prerequisites
Depending on whether you want a firewall, user quota support with your system or if you have a
SCSI/RAID controller, the Linux Kernel requires that the listed software below be already
installed on your system to be able to compile successfully. If this is not the case, you must install
them from your Linux CD-ROM or source archive files. Please make sure you have all of these
programs installed on your system before proceeding with this chapter.

iptables package, is the new secure and more powerful program used by Linux to set
up firewalls as well as IP masquerading on your system. Install this package if you want
to support Firewalls on your server.

quota package, is a system administration tool for monitoring and limiting users' and/or
groups' disk usage, per file system. Install this package if you want a tool to control the
size of user’s directories on your server.

mkinitrd package, creates filesystem images for use as initial ramdisk (initrd)
images. These ramdisk images are often used to preload the block device modules
(SCSI or RAID) needed to access the root filesystem. Install this package if you have a
SCSI or RAID system where the Kernel is compiled as a Modularized Kernel.

mkbootdisk package, creates a standalone boot floppy disk for booting the running
system. Install this package only if you have a Modularized Kernel installed on your
system. This package is not needed for Monolithic Kernel.

The dosfstools package includes the mkdosfs and dosfsck utilities, which make
and check MS-DOS FAT filesystems on hard drives or on floppies. You only need to
install this package on Modularized Kernel.

NOTE: For more information on Iptables Netfilter Firewall configuration or quota software, see
the related chapters later in this book.

137
 Kernel Security & Optimization 0
CHAPTER 6

Pristine source
If you don’t use the RPM package to install the kernel, it will be difficult for you to locate all the files
installed onto the system if you want to update your kernel in the future. To solve this problem, it’s
a good idea to make a list of files on the system before you install the kernel, and then one
afterwards, and then compare them using the diff utility to find out what files were placed
where.

• Simply run the following command before installing the kernel:

[root@deep root]# find /* > Kernel1

• And the following one after you install the kernel:

[root@deep root]# find /* > Kernel2

• Then use this command to get a list of what changed:

[root@deep root]# diff Kernel1 Kernel2 > Kernel-Installed

With this procedure, if any upgrade appears, all you have to do is to read the generated list of
what files were added or changed by the program and remove them manually from your system
before installing the new kernel. In our example above, we use the /root directory of the system
to store all the generated file lists.

Making an emergency boot floppy

The first step before going into the configuration and compilation of our new kernel is to create an
emergency boot floppy in case something goes wrong during the build of your new Linux Kernel.
Here we create the boot floppy for a modularized kernel since the kernel that is presently installed
on our system should be a modularized kernel. We’ll see later that a method for creating the boot
disk for mololithic kernel exists and is different from what we use here. To create the emergency
boot floppy for a modularized kernel, follow these steps.

Step1
We have to find the present modularized kernel version used on our system. We need this
information to be able to create our emergency boot floppy disk.

• To know which kernel version is running on your system, use the command:
[root@dev /]# uname -a
Linux dev 2.4.18-3 #1 Thu Apr 18 07:37:53 EDT 2002 i686 unknown

From the above command, we know now that our kernel version is 2.4.18-3. Therefore we will
use this information in the next step to create the boot disk.

Step2
Once we know which kernel version we are currently running, we can use the command below to
create the boot disk.

• Put a floppy in your system and execute the following command as root:
[root@deep /]# mkbootdisk --device /dev/fd0H1440 2.4.18-3
Insert a disk in /dev/fd0. Any information on the disk will be lost.
Press <Enter> to continue or ^C to abort:

138
 Kernel Security & Optimization 0
CHAPTER 6

NOTE: In this example, the current kernel on our system is version 2.4.18-3 and this is why we
use “2.4.18-3” here. If you kernel version is different from what we use here, you just have to
change the example version number for the one that you have according to the result returned by
the “uname -a” command.

Following these guidelines, you will now have a boot floppy with a known working kernel in case
of problems with the upgrade. I recommend rebooting the system with the floppy to make sure
that the floppy works correctly before continuing.

Preparing the Kernel for the installation

We have to copy the new kernel tar archive to the appropriate location on our server /usr/src
and then we remove the old kernel from our system before installing a new one. Removing the
old kernel will not freeze your computer until you try to reboot it before installing the new one
because the Linux kernel resides in memory.

Step 1
We must copy the archive file of the kernel to the /usr/src directory and move to this directory.

• To copy the tar archive of the Linux kernel to the /usr/src directory, use the command:
[root@deep /]# cp linux-version.tar.gz /usr/src/

• To move to the /usr/src directory, use the following command:

[root@deep /]# cd /usr/src/

Step 2
Depending on how the Linux Kernel has been previously installed on your system, there are two
ways to uninstall it, these are shown below.

If you already have installed a Linux kernel with a tar archive before
These steps are required ONLY if you have previously installed a Linux kernel from a tar archive.
If it is a fresh, first install of the kernel, then uninstall the kernel-headers-version.
i386.rpm, kernel-version.i386.rpm packages that are on your system.

• Move to the /usr/src directory if you are not already in it with the following command:
[root@deep /]# cd /usr/src/

• Remove the Linux symbolic link with the following command:

[root@deep src]# rm -f linux

• Remove the Linux kernel headers directory with the following command:
[root@deep src]# rm -rf linux-2.4.x/

• Remove the Linux kernel with the following command:

[root@deep src]# rm -f /boot/vmlinuz-2.4.x

• Remove the Linux System.map file with the following command:

[root@deep src]# rm -f /boot/System.map-2.4.x

• Remove the Linux kernel modules directory (if available) with the following command:
[root@deep src]# rm -rf /lib/modules/2.4.x/

139
 Kernel Security & Optimization 0
CHAPTER 6

NOTE: Removing the old kernel modules is only required if you have installed a modularized
kernel version before. If the modules directory doesn’t exist under the /lib/modules directory,
it’s because your old kernel version is not a modularized kernel.

If the original kernel’s RPM packages are installed on your system

If the original kernel RPM packages are installed on your system, instead of the Linux kernel tar
archive, which they would be if you have just finished installing your new Linux system, or have
previously used an RPM package to upgrade your system, then use the following command to
uninstall the Linux kernel:

• Verify which kernel RPM packages are installed on your server with the command:
[root@deep src]# rpm -qa | grep kernel
kernel-2.4.18-3

• Also, verify if Kernel header package is installed on your server with the command:
[root@deep src]# rpm -q glibc-kernheaders
glibc-kernheaders-2.4-7.14

The above command shows us that kernel and glibc-kernheaders are the only kernel RPM
packages installed on our system. We uninstall them as show below.

• To uninstall the linux kernel RPM, use the following command:

[root@deep src]# rpm -e --nodeps kernel glibc-kernheaders

NOTE: If you receive an error message like: cannot remove /lib/modules/2.4.x directory,
directory not empty, then remove the directory manually with command like: rm –rf
/lib/modules/2.4.x/ form your system. This directory is related to the old kernel and it is not
required for the new kernel we want to install.

Step 3
Once we have uninstalled the old kernel and our new kernel tar archive has been copied to the
/usr/src directory, we must uncompress it and remove the tar archive (linux-version.
tar.gz) from the system to conserve disk space.

• To uncompress the kernel, use the following command:

[root@deep src]# tar xzpf linux-version.tar.gz

• To remove the kernel tar archive from the system, use the following command:
[root@deep src]# rm -f linux-version.tar.gz

WARNING: If kernel compilation is something new for you, then it is recommended to keep the
kernel tar archive (linux-version.tar.gz) until the end of the installation. This way, if you
make a mistake during compilation, you have the source available to try again.

140
 Kernel Security & Optimization 0
CHAPTER 6

Applying the Grsecurity kernel patch

Grsecurity is a single patch file for the newest stable versions of Linux kernel that is an
attempt to greatly improve the security of a Linux system. It mainly accomplishes this by
physically patching the Linux kernel to make processes more restricted.

Many other projects like Grsecurity exist on the Internet. There are some well know like the
RSBAC (www.rsbac.org), LIDS (www.lids.org), SELinux (www.nsa.gov/selinux/), and OpenWall
(www.openwall.com/linux/), projects, all of which fulfills only one part of a complete security
system.

What makes Grsecurity so different and better than these other projects is mainly because
Grsecurity provides greatly needed additional security to Linux systems. In other words, it
covers all features of the other projects and adds additional security features that the other
projects do NOT cover. The types of added Grsecurity security are categorized as:

1. Complete Buffer Overflow Exploitation Protection.

2. File system Race Protection.
3. System Auditing.
4. Change-root Protections.
5. Portscan and OS Fingerprinting Protection.
6. Restricted Users.
7. Configurability Options.
8. Access Control.

Grsecurity patch may change from version to version, and some may contain various other
security features. It is important to use the Grsecurity patch that corresponds to the Linux
Kernel version that you compile on your server. If you compile kernel version 2.4.18, you have to
download Grsecurity patch for kernel version 2.4.18, etc.

WARNING: When applying the Grsecurity patch to the Kernel, a new “Grsecurity”
configuration section will be added at the end of your Linux Kernel configuration allowing you to
configure and enable the security features that you want.

Obtaining and Installing Grsecurity

To obtain the Grsecurity patch suitable for your Linux Kernel, simply follow the "download" link
on the Grsecurity home page, and download the file listed there. Grsecurity patch is
available directly via http://www.grsecurity.org/. Remember that Grsecurity is specific to one
kernel version, and as of this writing that version is 2.4.18.

• To apply the Grsecurity patch to the Linux kernel, use the commands:
[root@deep /]# cp grsecurity-1.9.4-2.4.18.patch /usr/src/
[root@deep /]# cd /usr/src/linux/
[root@deep linux]# patch -p1 < ../grsecurity-1.9.4-2.4.18.patch
[root@deep linux]# cd ../
[root@deep src]# rm -f grsecurity-1.9.4-2.4.18.patch

The step of patching your new kernel with Grsecurity patch is completed. Now follow the rest
of this Kernel installation guide to build the Linux kernel and reboot your system. Configuration
relating to Grsecurity will appears at the end of your Kernel configuration.

141
 Kernel Security & Optimization 0
CHAPTER 6

Tuning the Kernel

Ok, the old kernel has been uninstalled from our system; we have copied the new one to its
appropriate location, uncompressed it, and added the Grsecurity patch (if wanted). Now, we
must tune our new kernel to the maximum of its capabilities. All optimizations shown below are
just increases of the default kernel parameters.

• Edit the sem.h file (vi +66 /usr/src/linux/include/linux/sem.h) and change

the following parameter:

#define SEMMNI 128 /* <= IPCMNI max # of semaphore identifiers */

To read:

#define SEMMNI 512 /* <= IPCMNI max # of semaphore identifiers */

• Edit the limits.h file (vi /usr/src/linux/include/linux/limits.h) and

change the following parameters:

#define NR_OPEN 1024

To read:

#define NR_OPEN 8192

#define OPEN_MAX 256 /* # open files a process may have */

To read:

#define OPEN_MAX 8192 /* # open files a process may have */

• Edit the posix_types.h file (vi +25 /usr/src/linux/include/linux/posix_types.h) and

change the following parameter:

#define __FD_SETSIZE 1024

To read:

#define __FD_SETSIZE 8192

Finally, we must instruct the kernel to fit our specific CPU architecture and optimization flags.
Depending on your CPU architecture and optimization flags, this step will improve the
performance of the kernel. As an example with a PII 400MHz the BogoMIPS will become 799.54
instead of the default number of 400.00.

Take note that it is not because BogoMIPS show you a number of 799.54 for a 400MHz CPU that
your processor runs at this speed now. The BogoMIPS result can just be considered as a
benchmark since it is a meaningless benchmark measurement.

142
 Kernel Security & Optimization 0
CHAPTER 6

• Edit the Makefile file (vi +20 /usr/src/linux/Makefile) and change the line:

HOSTCFLAGS = -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer

To read:

HOSTCFLAGS = -Wall -Wstrict-prototypes -O2 -march=i686 -funroll-loops -

fomit-frame- pointer

• Edit the Makefile file (vi +91 /usr/src/linux/Makefile) and change the line:

CFLAGS := $(CPPFLAGS) -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer

-fno-strict-aliasing

To read:

CFLAGS := $(CPPFLAGS) -Wall -Wstrict-prototypes -O2 -march=i686 -funroll-

loops -fomit-frame-pointer -fno-strict-aliasing

WARNING: In the last example, we optimize the code for an i686 CPU architecture, if you have a
different processor, you'll have to adjust the “-march=i686" options for your specific processor.

Never compile the Kernel with optimization code number superior to “-O2”, this do nothing more
and should produce an unstable kernel in some cases. Therefore use “-O2” at the maximum
optimization number but never something superior to it.

Cleaning up the Kernel

It is important to make sure that your /usr/include/asm, and /usr/include/linux
subdirectories are just symlinks to the kernel sources.

Step 1
The asm and linux subdirectories are soft links to the real include kernel source header
directories needed for our Linux architecture, for example /usr/src/linux/include/asm-
i386 for asm.

• To symlink the asm, and linux subdirectories to the kernel sources, type the following
commands on your terminal:
[root@deep src]# cd /usr/include/
[root@deep include]# rm -f asm linux
[root@deep include]# ln -s /usr/src/linux/include/asm-i386 asm
[root@deep include]# ln -s /usr/src/linux/include/linux linux

This is a very important part of the configuration: we remove the asm, and linux directories
under /usr/include then create new links that point to the same name directories under the
new kernel source version directory. The /usr/include directory contains important header
files needed by your kernel and programs to be able to compile on your system.

143
 Kernel Security & Optimization 0
CHAPTER 6

WARNING: If the previously installed kernel in your system was made by RPM packages, then the
asm and linux soft links will not exist since the uninstall of kernel-headers RPM package
removes them automatically for you. Don’t forget to create them.

Step 2
Make sure you have no stale .o files or dependencies lying around.

• To be sure that we have no stale .o files or dependencies lying around, type the
following commands on your terminal:
[root@deep include]# cd /usr/src/linux/
[root@deep linux]# make mrproper

WARNING: These two steps simply clean up anything that might have accidentally been left in the
source tree by the development team.

You should now have the source correctly installed. You can configure the kernel in one of three
ways. The first method is to use the make config command. It provides you with a text-based
interface for answering all the configuration options. You are prompted for all the options you
need to set up your kernel.

The second method is to use the make menuconfig command, which provides all the kernel
options in an easy-to-use menu. The third is to use the make xconfig command (only available
if the graphical interface of Linux is installed on the system), which provides a full graphical
interface to all the kernel options.

Step 3
For configuration in this guide, we will use the make config command because we have not
installed the XFree86 Window Interface on our Linux server or the necessary packages to use the
make menuconfig command.

• Type the following commands on your terminal to load the kernel configuration:
[root@deep /]# cd /usr/src/linux/ (if you are not already in this directory).
[root@deep linux]# make config
rm -f include/asm
( cd include ; ln -sf asm-i386 asm)
/bin/sh scripts/Configure arch/i386/config.in
#
# Using defaults found in arch/i386/defconfig
#

144
 Kernel Security & Optimization 0
CHAPTER 6

Configuring the Kernel

As soon as you enter make config at the prompt as described in the previous step, a list of
kernel configurable options will be displayed for you to choose to configure the kernel, you must
indicate what features and devices drivers you want to include on your system and select how to
include support for specific devices. Typically, for each configuration option, you have to respond
with one of the following choices:

[y] To compile into the kernel and always be loaded.

[m] To use a module for that feature and load that segment of code on demand.
[n] To skip and excludes the support for that specific device from the kernel.

WARNING: It is important to note that an [n] or [y] means the default choice. If a device does not
have a modular device driver or you have not compiled the Kernel as a Modularized Kernel, you
will not see the [m] option. Some time an [?] option will appear in the choices. This mean that
you can get more information about the feature when you type the ? + ENTER key. Choosing the
[?] help option opens another terminal describing the option.

A new Linux kernel is very specific to our computer hardware since we have to choose the right
drivers as well as features that we need to include and compile into the Kernel code. This implies
a good understanding and knowledge of your computer hardware. It is simply inconceivable to
build a Linux system if you don't know what hardware your computer has, especially if you spend
money to buy a computer and then take time to configure it. Therefore we assume that you know
all of your hardware and be aware that during the kernel configuration, you will be asked to
answer some important questions related to your specific computer hardware.

Be prepared to answer the following questions:

1. What type of processor do you have on your computer (i.e. Pentium III, AMD)?
2. How many processor do you have on your computer (i.e. 1, 2, 3)?
3. What kind of hard drive do you have on your computer (i.e. IDE, SCSI) ?
4. How many hard drives do you have on your computer? (i.e. want to make RAID)?
5. How much memories (RAM) do you have on your computer (i.e. 512 MB RAM)?
6. Do you have a network card? If so, who made it and what model is it?
7. Do you have a SCSI adapter? If so, who made it and what model is it?
8. Do you have a RAID system? If so, who made it and what model is it?
9. What type of mouse do you have (eg, PS/2, Microsoft, Logitech)?
10. If you have a serial mouse, what COM port is it connected to (eg, COM1)?
11. What is the make and model of your video card?

All of the above questions are very important and if you don't know the answers for all of them,
then it is recommended to get the information before going into Linux kernel configuration,
compilation and installation. If you have all of the information, then you can read the rest of this
guide.

145
 Kernel Security & Optimization 0
CHAPTER 6

Monolithic kernel configuration

As we know now, they are two possible different configurations for the kernel. The first is called a
monolithic kernel the second is called a modularized kernel. Below we begin by
showing you the configuration of a monolithic kernel which is to compile the required code
and drivers directly into the kernel by answering the different kernel questions only by yes or no.
Don’t forget to only compile code that you need and use.

A new kernel is very specific to your computer hardware, in the monolithic kernel
configuration part below; we have the following hardware for our example. Of course you must
change them to fit whatever components you have in your system.

1 Pentium II 400 MHz (i686) processor

1 SCSI Motherboard
1 SCSI Hard Disk
1 SCSI Controler Adaptec AIC 7xxx
1 CD-ROM ATAPI IDE
1 Floppy Disk
2 Ethernet Cards Intel EtherExpressPro 10/100
1 Mouse PS/2

If you don’t want some of the options listed in the monolithic kernel configuration that I
enable by default, answer n (for no) instead of y (for yes) to the related questions. If you want
some other options that I disable, then answer y instead of n. Finally, the procedure of building a
new kernel is quite long, therefore I recommend you to take your time. Some coffees and
cigarettes will surely be welcome during these steps.

# Using defaults found in arch/i386/defconfig

#
*
* Code maturity level options
* Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL)
[N/y/?] Press Enter
This option relates to features or drivers that are currently considered to be in the alpha-test
phase and for a production system, it is highly recommended to answer by N to this question. Just
hit [Enter] to approve the default choice, which is NO (Do not prompt for development and/or
incomplete code/drivers).

*
* Loadable module support
* Enable loadable module support (CONFIG_MODULES) [Y/n/?] n
This option is very important since it asks us if we want to enable loadable module support into
the Kernel. Remember that our goal in this part of the guide is to build a Monolithic Linux Kernel
where all drivers and features are directly integrated and compiled into the Kernel code, therefore
our answer to this question must be No (Do not enable loadable module support). This means
that we have to enter n as the answer to this question to change the default value, which is Y for
Yes.

146
 Kernel Security & Optimization 0
CHAPTER 6

*
* Processor type and features
* Processor family (386, 486, 586/K5/5x86/6x86/6x86MX, Pentium-Classic,
Pentium-MMX, Pentium-Pro/Celeron/Pentium-II, Pentium-III/Celeron(Coppermine),
Pentium-4, K6/K6-II/K6-III, Athlon/Duron/K7, Crusoe, Winchip-C6, Winchip-2,
Winchip-2A/Winchip-3, CyrixIII/C3) [Pentium-III/Celeron(Coppermine)] Pentium-4
This option asks you what type of processor you have on your computer and the default choice is
in brackets [Pentium-III/Celeron(Coppermine)]. Therefore, if you processor is not a
Pentium-III/Celerom(Coppermine) model, you have to enter your processor model here. The
available choices are listed in the question. In the above example, I changed the default value
[Pentium-III/Celeron(Coppermine)] and chose a Pentium-4 model.

Toshiba Laptop support (CONFIG_TOSHIBA) [N/y/?] Press Enter

This option asks you if you want to add a driver support for Toshiba Laptop. If you intend to run
this kernel on a Toshiba portable, then you have to answer Yes to this question and change the
default value which is No. In our example, we keep the default value of No by pressing the
[Enter] key.

Dell Inspiron 8000 support (CONFIG_I8K) [N/y/?] Press Enter

As for the previous option, this one asks you if you want to add a driver support for Dell Inspiron
8000 Laptop. If you intend to run this kernel on a Dell Inspiron 8000, then you have to answer
Yes to this question and change the default value which is No. In our example, we keep the
default value of No by pressing the [Enter] key again.

/dev/cpu/microcode - Intel IA32 CPU microcode support (CONFIG_MICROCODE)

[N/y/?] Press Enter
This option allows you to update the microcode on Intel processors in the IA32 family, e.g.
Pentium Pro, Pentium II, Pentium III, Pentium 4, Xeon etc. If you say Y here and change the
default value of N, then you'll need to say Y also to "/dev file system support" in the 'File
systems' section below. In most situations, this option is simply not needed and you can safety
keep the default setting of N by pressing the [Enter] key.

/dev/cpu/*/msr - Model-specific register support (CONFIG_X86_MSR) [N/y/?] y

This option allows you to enable a device that gives privileged processes access to the x86
Model-Specific Registers (MSRs). On multi-processor the MSR accesses are directed to a
specific CPU. It is a good idea to answer Y to this option to enable it, even if you only have one
processor on your system. Therefore answer Y to this question.

/dev/cpu/*/cpuid - CPU information support (CONFIG_X86_CPUID) [N/y/?] y

This option allows you to enable a device that gives processes access to the x86 CPUID
instructions to be executed on a specific processor. As for the previous option, it is a good idea to
change the default value of N to Y.

High Memory Support (off, 4GB, 64GB) [off] Press Enter

This option allows you to be able to use up to 64 Gigabytes of physical memory on x86 systems.
Usually, and it’s true for most of us, we have a system that will never run with more than 1
Gigabyte total physical RAM and if this is you case, then answer "off" here (default choice and
suitable for most users). In other part if you have a system that has between 1 and 4 Gigabytes
physical RAM, then answer "4GB" here. If more than 4 Gigabytes is used then answer "64GB"
here. In our example, we will configure the kernel to use a maximum of 1 Gigabyte total physical
RAM by pressing the [Enter] key to accept the default choice "off".

147
 Kernel Security & Optimization 0
CHAPTER 6

Math emulation (CONFIG_MATH_EMULATION) [N/y/?] Press Enter

This option allows Linux to emulate a math coprocessor (a feature used for floating point
operations). In general, only old 486SX and 386 processors do not have a a math coprocessor
built in. All modern Pentium I, II, III, IV and later, AMD, Cyrix, etc have a math coprocessor built in
and do not require this option to be turned on. If you have a very old 486SX or 386 processor in
your computer, then you will have to change the default value of N here to become Y, but in
general, everyone will keep the default value of N here since they have a math coprocessor built
in their processor chip.

MTRR (Memory Type Range Register) support (CONFIG_MTRR) [N/y/?] Press Enter
This option on Intel family processors (Pentium Pro, Pentium II and later) allows the Memory
Type Range Registers (MTRRs) to be used to control processor access to memory ranges. This
is most useful if you have XFree86 graphical interface installed on your computer or have more
than 1 processor on your system. Changing the default value of N here to become Y on a Linux
system where a graphical interface or multiple processors are present will increase the
performance of the system. If you don't use a graphical interface, or do not have more than one
processor installed on you system, you must keep the default value of N by pressing the
[Enter] key. Finally, it is important to note that this option is valid only if you have Intel family
processors (Pentium Pro, Pentium II and later) installed on your computer. It doesn't work with
AMD or Cyrix processors.

Symmetric multi-processing support (CONFIG_SMP) [Y/n/?] n

This option enables support for systems with more than one CPU. If you have a system with only
one CPU, like most personal computers, say N. If you have a system with more than one CPU,
say Y. In our example, we only have one processor installed on our computer and will change the
default value of Y to become N.

Local APIC support on uniprocessors (CONFIG_X86_UP_APIC) [N/y/?] (NEW) Press

Enter
This option appears only if you have answered N to the previous option and will let you enable
support for local APIC on system with single processor. Local APIC (Advanced Programmable
Interrupt Controller) is an integrated interrupt controller in the CPU that supports CPU-generated
self-interrupts (timer, performance counters), and the NMI watchdog, which detects hard lockups
on the server. On systems with single processor, you may have to answer Y here, but on systems
with multiple processors, you don't have to answer this question since the kernel will
automatically enable it. Usually we keep the default choice of N here since the feature is available
only on modern Pentium processors like the IV family. Pentium I, II, and III don’t support this
option, as well as AMD and Cyrix processors.

*
* General setup
* Networking support (CONFIG_NET) [Y/n/?] Press Enter
This option is very important and must be set to Y all the time, which is the default value. It allows
your Linux system to support and use networking. We use the default value of Y by pressing the
[Enter] key.

PCI support (CONFIG_PCI) [Y/n/?] Press Enter

This option allows us to enable or disable PCI support on Linux. In most cases, we have to say Y
here. PCI's are the white slots on your motherboard where you can add network cards, video
cards, etc. Since most of us use a PC and have this kind of slot available, it is important to say Y
here by pressing the [Enter] key to use the default choice.

148
 Kernel Security & Optimization 0
CHAPTER 6

PCI access mode (BIOS, Direct, Any) [Any] Press Enter

On PCI systems, the BIOS can be used to detect the PCI devices and determine their
configuration. However, some old PCI motherboards have BIOS bugs and may crash if this is
done. Also, some embedded PCI-based systems don't have any BIOS at all. Linux can also try to
detect the PCI hardware directly without using the BIOS. With this option, you can specify how
Linux should detect the PCI devices. If you choose "BIOS", the BIOS will be used, if you choose
"Direct", the BIOS won't be used, and if you choose "Any", the kernel will try the direct access
method and falls back to the BIOS if that doesn't work. If unsure, go with the default, which is
"Any" by pressing the [Enter] key.

PCI device name database (CONFIG_PCI_NAMES) [Y/n/?] n

This option lets you enable a feature that allows the Kernel to contain a database of all known
PCI device names via different files under the /proc filesystem and make the information
comprehensible to the user or disable this feature and get device ID numbers instead of names.
Disabling this feature will save you about 80KB of kernel image size and will make the kernel
smaller in size, which is a good thing for increased performance. If you disable this feature, the
kernel will still run as usual, but will show you device ID numbers instead of names. Therefore, we
will change the default value of Y (get PCI device by names) to become N (get PCI device by ID
numbers) and will save 80KB of Kernel image size.

EISA support (CONFIG_EISA) [N/y/?] Press Enter

This option allows you to enable support for the Extended Industry Standard Architecture (EISA)
bus. EISA is now obsolete by the PCI bus and you may enable this option only if you use some
older ISA card on your system. Since most of us don't have these types of card, we can safety
keep the default value of N here by pressing the [Enter] key.

MCA support (CONFIG_MCA) [N/y/?] Press Enter

This option allows us to enable MCA support with the kernel. MCA (MicroChannel Architecture) is
found in some IBM PS/2 machines and laptops. It is a bus system similar to PCI or ISA. It is rare
that we have this kind of bus on our system and we can safety keep the default value of N (do not
support MCA on this kernel) by pressing the [Enter] key again.

Support for hot-pluggable devices (CONFIG_HOTPLUG) [Y/n/?] n

This option is often required only on laptop computer where you have a PCMCIA or PC-cards that
you can plug or unplug at any time. If the kernel that you compile is made to run on a standard
computer (not laptop, portable), then you have to say N here by changing the default option of Y
to become N.

System V IPC (CONFIG_SYSVIPC) [Y/n/?] Press Enter

This option allows us to enable IPC on Linux. IPC (Inter Process Communication) is a suite of
library functions and system calls which let processes (running programs) synchronize and
exchange information. It is generally considered to be a good thing, and some programs won't
run unless you say Y here. Therefore, we keep the default setting of Y by pressing the [Enter]
key.

BSD Process Accounting (CONFIG_BSD_PROCESS_ACCT) [N/y/?] Press Enter

This option allows us to enable a user level programs, which will be able to instruct the kernel (via
a special system call) to write process accounting information to a file. It is not vital or even really
necessary to enable this kind of option to get a working Linux kernel. Therefore, we keep the
default value of N here by pressing the [Enter] key.

149
 Kernel Security & Optimization 0
CHAPTER 6

Sysctl support (CONFIG_SYSCTL) [Y/n/?] Press Enter

This option is very important and especially with Linux kernel 2.4.x generation. It is the feature
that allows us to dynamically change certain kernel parameters and variables on the fly through
the /proc filesystem with the use of the /etc/sysctl.conf file. We keep the default value of
Y by pressing the [Enter] key.

Kernel core (/proc/kcore) format (ELF, A.OUT) [ELF] Press Enter

This option allows a file under the /proc filesystem, which is called "kcore" to contain the
Kernel core image in two different formats, which are ELF or A.OUT. For newer Linux systems,
ELF (Executable and Linkable Format) is highly recommended and is the default option that we
choose by pressing the [Enter] key. A.OUT (Assembler.OUTput) was the old format method
used, but is now really obsolete.

Kernel support for a.out binaries (CONFIG_BINFMT_AOUT) [Y/n/?] n

This option is very important and allows us to provide support for A.OUT. A.OUT
(Assembler.OUTput) is a set of formats for libraries and executables used in the earliest versions
of UNIX and, as we said before, it is now really obsolete and was replaced with the ELF format.
To be sure none of our programs will use this older executable format, we will change the default
value of Y to become N.

Kernel support for ELF binaries (CONFIG_BINFMT_ELF) [Y/n/?] Press Enter

Here, it is important to answer Y to this question since this binary format is the one used now on
modern Linux systems. ELF (Executable and Linkable Format) is a format for libraries and
executables used across different architectures and operating systems. Many new executables
are distributed solely in ELF format and you definitely want to say Y to this option by pressing the
[Enter] key.

Kernel support for MISC binaries (CONFIG_BINFMT_MISC) [Y/n/?] Press Enter

This option enables wrapper-driven binary formats into the kernel. This feature is required by
programs that need an interpreter to run, like Java, Python or Emacs-Lisp. Since we're sure to
use one of these types of programs, it is safe to accept the default value of Y by pressing the
[Enter] key.

Power Management support (CONFIG_PM) [Y/n/?] n

This option allows Power Management Support for your computer. With this feature parts of your
computer are shut off or put into a power conserving "sleep" mode if they are not being used. In
general it is good to enable this option on portable computer (Laptop) only. Note that, even if you
say N here, Linux, on the x86 architecture, will issue the hlt instruction if nothing is to be done,
thereby sending the processor to sleep and saving power. Therefore our choice will be N here.

*
* Memory Technology Devices (MTD)
* Memory Technology Device (MTD) support (CONFIG_MTD) [N/y/?] Press Enter
This option enables MTD (Memory Technology Devices) on your computer. MTD are flash, RAM
and similar chips, often used for solid-state file systems on embedded devices. If you have some
of these devices in your system, then answer Y to the question. In most cases, the default choice
of N is recommended.

*
* Parallel port support
* Parallel port support (CONFIG_PARPORT) [N/y/?] Press Enter
If you want to use devices connected to your machine's parallel port like a printer, zip drive, etc,
then you need to say Y here otherwise the default value N is recommended.

150
 Kernel Security & Optimization 0
CHAPTER 6

*
* Plug and Play configuration
* Plug and Play support (CONFIG_PNP) [Y/n/?] n
Plug and Play (PnP) is a standard for peripherals which allows those peripherals to be configured
by software. If you answer to this question by Y, then Linux will be able to configure your Plug and
Play devices. Under Linux, we really don't need to enable PNP support and our choice will be N
here.

*
* Block devices
* Normal PC floppy disk support (CONFIG_BLK_DEV_FD) [Y/n/?] Press Enter
This option allows us to use the floppy disk drive(s) in our PC under Linux. Since everyone has
and usually needs a floppy disk in their computer, the answer to this question will be Y. If you run
a Linux server in highly secure environment, you could answer to this question by N since we
never use floppy disk on this type of system.

XT hard disk support (CONFIG_BLK_DEV_XD) [N/y/?] Press Enter

This option allows us to enable the very old 8 bit hard disk controllers used in the IBM XT
computer and since it's pretty unlikely that you have one of these then you must answer to this
question by N. Therefore we simply press [Enter] because the default answer to this question
is N.

Compaq SMART2 support (CONFIG_BLK_CPQ_DA) [N/y/?] Press Enter

This option allows us to enable support for the Compaq Smart Array controllers. If you use these
kinds of boards in your system, then you should say Y here, otherwise the default value of N is
recommended.

Compaq Smart Array 5xxx support (CONFIG_BLK_CPQ_CISS_DA) [N/y/?] Press Enter

This option allows us to enable support for the Compaq Smart Array 5xxx controllers. If you use
these kinds of boards in your system, then you should say Y here, otherwise the default value of
N is recommended.

Mylex DAC960/DAC1100 PCI RAID Controller support (CONFIG_BLK_DEV_DAC960)

[N/y/?] Press Enter
This option enables support for the Mylex DAC960, AcceleRAID, and eXtremeRAID PCI RAID
controllers. If you use these kinds of boards in your system, then you should say Y here,
otherwise the default value of N is recommended.

Loopback device support (CONFIG_BLK_DEV_LOOP) [N/y/?] Press Enter

This option is a little different from other kernel options and if you enable it, you will be able to use
a regular file as a block device that let you have access to some special advanced features and
possibilities under Linux. The default value for this option will be ok for most of us and only
advanced users or user that know why they need these features will enable the "Loopback
device support" option. For SCSI systems with a modularized kernel, it is important to say Y
here since SCSI drivers will use this device.

Network block device support (CONFIG_BLK_DEV_NBD) [N/y/?] Press Enter

This option enables another advanced feature under Linux, the possibility for your system to be a
client for network block devices. The default value for this option would be ok for most of us and
only advanced users or user that know why they need this feature will enable it.

151
 Kernel Security & Optimization 0
CHAPTER 6

RAM disk support (CONFIG_BLK_DEV_RAM) [N/y/?] Press Enter

This option will allow you to use a portion of your RAM memory as a block device, so that you can
make file systems on it, read and write to it and do all the other things that you can do with normal
block devices (such as hard drives). It is usually used to load and store a copy of a minimal root
file system off of a floppy into RAM during the initial install of Linux. Again, most normal users
won't need the RAM disk functionality and will answer N to this question. For SCSI systems with a
modularized kernel, it is important to say Y here since SCSI drivers will use this feature.

*
* Multi-device support (RAID and LVM)
* Multiple devices driver support (RAID and LVM) (CONFIG_MD) [N/y/?] Press
Enter
This option is required only for RAID and logical volume management (LVM). If you use them,
then change the default value of N to become Y.

*
* Networking options
* Packet socket (CONFIG_PACKET) [Y/n/?] Press Enter
This option allows you to enable applications, which communicate directly with network devices
without an intermediate network protocol implemented in the kernel like the tcpdump program. It
is a good idea to enable this feature for most of us.

Packet socket: mmapped IO (CONFIG_PACKET_MMAP) [N/y/?] y

This option allows packet protocol driver to use an IO (Input/Output) mechanism that results in
faster communication. Say Y here.

Kernel/User netlink socket (CONFIG_NETLINK) [N/y/?] y

This option allows us to enable two-way communication between the kernel and user processes.
Say Y here.

Routing messages (CONFIG_RTNETLINK) [N/y/?] (NEW) y

If we have said Y to the previous option, we must say Y here too or the previous option will not
work. Therefore our choice is Y.

Netlink device emulation (CONFIG_NETLINK_DEV) [N/y/?] (NEW) y

This option is a backward compatibility option, and we have to choose Y for now.

Network packet filtering (replaces ipchains) (CONFIG_NETFILTER) [N/y/?] y

This option enables support for a packet filter firewall on your system (Netfilter). It is very
important to answer to this question by Y if you want to support firewall and IPTables on your
computer. If you answer N to this question, then the firewalling features will not be available, even
if your have the IPTables software installed on your system.

Network packet filtering debugging (CONFIG_NETFILTER_DEBUG) [N/y/?] (NEW) y

This option turns on support for debugging the netfilter code. It is a good idea to enable it.

Socket Filtering (CONFIG_FILTER) [N/y/?] Press Enter

This option allows us to enable Linux Socket Filter, a feature needed by PPP packet filtering in
general. Therefore you only need to say Y here if you want to use PPP packet filtering on your
system. Since we use a network card to get a connection to the Internet and not PPP (modem
link), we keep the default value of N here.

152
 Kernel Security & Optimization 0
CHAPTER 6

Unix domain sockets (CONFIG_UNIX) [Y/n/?] Press Enter

This option is very important and must always be set to Y. It allows us to include support for Unix
domain sockets; sockets are the standard Unix mechanism for establishing and accessing
network connections. It is vital to say Y to this option.

TCP/IP networking (CONFIG_INET) [Y/n/?] Press Enter

Another very important and vital option under Linux. This option allows us to enable support for
TCP/IP networking on the computer. TCP/IP are the protocols used on the Internet and on most
local Ethernets. It is highly recommended to say Y here even if you are not connected to the
Internet.

IP: multicasting (CONFIG_IP_MULTICAST) [Y/n/?] n

This option allows us to enable a code that addresses several networked computers at once. You
need it if you intend to participate in the MBONE, a high bandwidth network on top of the Internet
which carries audio and video broadcasts. For most people, it's safe to say N here.

IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [N/y/?] n

This option allows us to configure our Linux system to run mostly as a router. The answer to this
question won't directly affect the kernel: answering N will just cause the configuration to skip all
the questions about advanced routing. In many cases, we can safety keep the default value of N
here. Only users that want to run their Linux system primarily as a router will answer to this
question by Y to be presented a list of advanced routing features to enable or reject. If you want
to configure your Linux server as a Gateway server, you need to answer Y to this question and all
questions related to this option.

IP: kernel level autoconfiguration (CONFIG_IP_PNP) [N/y/?] Press Enter

This option must be set to Y only for diskless machines requiring network access to boot. For
most people, it's safe to say N here.

IP: tunneling (CONFIG_NET_IPIP) [N/y/?] Press Enter

This option will enable Tunneling on our system. Tunneling is a means of encapsulating data of
one protocol type within another protocol and sending it over a channel that understands the
encapsulating protocol. This is an advanced feature and only advanced users who know why they
need it must answer Y to this question.

IP: GRE tunnels over IP (CONFIG_NET_IPGRE) [N/y/?] Press Enter

This option will enable another kind of Tunneling feature on our system. This method is known as
GRE (Generic Routing Encapsulation). This is an advanced feature and only advanced users that
know why they need it must answer Y to this question.

IP: TCP Explicit Congestion Notification support (CONFIG_INET_ECN) [N/y/?]

Press Enter
This option enables Explicit Congestion Notification on your system. ECN allows routers to notify
clients about network congestion, resulting in fewer dropped packets and increased network
performance. This is a very good feature but, unfortunately, there are many broken firewalls on
the Internet, which refuse connections from ECN-enabled machines, and it may be a while before
these firewalls are fixed. Until then, to access a site behind such a firewall you will have to disable
this option by saying N here.

153
 Kernel Security & Optimization 0
CHAPTER 6

IP: TCP syncookie support (disabled per default) (CONFIG_SYN_COOKIES) [N/y/?] y

This option is very important and every one must answer to this question by Y because normal
TCP/IP networking is open to an attack known as "SYN flooding". This denial-of-service attack
prevents legitimate remote users from being able to connect to your computer during an ongoing
attack and requires very little work from the attacker, who can operate from anywhere on the
Internet. SYN cookies provide protection against this type of attack. Therefore don't forget to
answer Y to this question.

*
* IP: Netfilter Configuration
All questions under the "IP: Netfilter Configuration" section of the Kernel configuration
are related to packet filter firewall support and features. We recommend you enable everything.
Below, we show you the answer for each question without any explanation on the features. If you
need to get more information about the features that you don't understand, you can simply type ?
[Enter] at the prompt to get help.

*
Connection tracking (required for masq/NAT) (CONFIG_IP_NF_CONNTRACK) [N/y/?]
(NEW) y
FTP protocol support (CONFIG_IP_NF_FTP) [N/y/?] (NEW) y
IRC protocol support (CONFIG_IP_NF_IRC) [N/y/?] (NEW) y
IP tables support (required for filtering/masq/NAT) (CONFIG_IP_NF_IPTABLES)
[N/y/?] (NEW) y
limit match support (CONFIG_IP_NF_MATCH_LIMIT) [N/y/?] (NEW) y
MAC address match support (CONFIG_IP_NF_MATCH_MAC) [N/y/?] (NEW) y
netfilter MARK match support (CONFIG_IP_NF_MATCH_MARK) [N/y/?] (NEW) y
Multiple port match support (CONFIG_IP_NF_MATCH_MULTIPORT) [N/y/?] (NEW) y
TOS match support (CONFIG_IP_NF_MATCH_TOS) [N/y/?] (NEW) y
LENGTH match support (CONFIG_IP_NF_MATCH_LENGTH) [N/y/?] (NEW) y
TTL match support (CONFIG_IP_NF_MATCH_TTL) [N/y/?] (NEW) y
tcpmss match support (CONFIG_IP_NF_MATCH_TCPMSS) [N/y/?] (NEW) y
Connection state match support (CONFIG_IP_NF_MATCH_STATE) [N/y/?] (NEW) y
Packet filtering (CONFIG_IP_NF_FILTER) [N/y/?] (NEW) y
REJECT target support (CONFIG_IP_NF_TARGET_REJECT) [N/y/?] (NEW) y
Full NAT (CONFIG_IP_NF_NAT) [N/y/?] (NEW) y
Packet mangling (CONFIG_IP_NF_MANGLE) [N/y/?] (NEW) y
TOS target support (CONFIG_IP_NF_TARGET_TOS) [N/y/?] (NEW) y
MARK target support (CONFIG_IP_NF_TARGET_MARK) [N/y/?] (NEW) y
LOG target support (CONFIG_IP_NF_TARGET_LOG) [N/y/?] (NEW) y
TCPMSS target support (CONFIG_IP_NF_TARGET_TCPMSS) [N/y/?] (NEW) y

WARNING: If you want to enable IPTables support into the kernel, the iptables program must
be installed first or you will receive error messages during kernel compilation. This is because
when IPTables support is enabled, the kernel will associate some part of the iptables
program with it configuration. Therefore don’t forget to install IPTables before configuring kernel
with IPTables support. Finally the same warning is true for quota support into the kernel.

*
*
* The IPX protocol (CONFIG_IPX) [N/y/?] Press Enter
This option allows us to enable Novell networking protocol support on Linux. You need it if you
want to access Novell NetWare file or print servers using Linux or if you want to configure your
Linux system to run as a Novell NetWare file or print server. In most cases, this is not required
and we can answer N to this question.

154
 Kernel Security & Optimization 0
CHAPTER 6

Appletalk protocol support (CONFIG_ATALK) [N/y/?] Press Enter

This option allows us to enable AppleTalk protocol support on Linux. You need it if you want to
access Apple computers using Linux. In most cases, this is not required and we can answer N to
this question.

DECnet Support (CONFIG_DECNET) [N/y/?] Press Enter

This option allows us to enable DECnet networking protocol support on Linux. The DECnet
networking protocol was used in many products made by Digital (now Compaq). In most cases,
this is not required and we can answer N to this question.

802.1d Ethernet Bridging (CONFIG_BRIDGE) [N/y/?] Press Enter

This option will allow your Linux system to act as an Ethernet bridge, which means that the
different Ethernet segments it is connected to will appear as one Ethernet to the participants.
Several such bridges can work together to create even larger networks of Ethernets using the
IEEE 802.1 spanning tree algorithm. In most cases, this is not required and we can answer N to
this question.

*
* QoS and/or fair queueing
* QoS and/or fair queueing (CONFIG_NET_SCHED) [N/y/?] Press Enter
This option allows us to enable QoS (Quality of Service) support on Linux. When the kernel has
several packets to send out over a network device, it has to decide which ones to send first,
which ones to delay, and which ones to drop. This is the job of the packet scheduler, and several
different algorithms for how to do this "fairly" have been proposed. If we answer N to this
question, the standard packet scheduler, which is a FIFO (first come, first served) will be used by
default. The standard packet scheduler is enough for most of us and if you are running a router
system or are an advanced user who wants to experiment in some new way with TCP/IP
networking, then you can say Y to this question and be able to choose from among several
alternative algorithms which can then be attached to different network devices. In most cases, we
say N to this question.

*
* Telephony Support
* Linux telephony support (CONFIG_PHONE) [N/y/?] Press Enter
This option allows us to use a regular phone for voice-over-IP applications. This also means that
you have to have a telephony card attached to your computer and you know what to do. Most
people will simply answer N to this question.

*
* ATA/IDE/MFM/RLL support
* ATA/IDE/MFM/RLL support (CONFIG_IDE) [Y/n/?] Press Enter
This option allows the kernel to manage low cost mass storage units such as ATA/(E)IDE and
ATAPI units. The most common cases are IDE hard drives and ATAPI CD-ROM drives and
since we all have one of these devices attached to our computer we can safety say Y to this
question. The only time that you can answer to this question by N is when you know that your
system is pure SCSI.

*
* IDE, ATA and ATAPI Block devices
* Enhanced IDE/MFM/RLL disk/cdrom/tape/floppy support (CONFIG_BLK_DEV_IDE)
[Y/n/?] Press Enter
This option allows us to enable the new enhanced driver with IDE/MFM/RLL
disk/cdrom/tape/floppy drives. If you have one or more IDE drives, it is required to answer Y to
this question.

155
 Kernel Security & Optimization 0
CHAPTER 6

Use old disk-only driver on primary interface (CONFIG_BLK_DEV_HD_IDE) [N/y/?]

Press Enter
This option allows us to enable the old hard disk driver to control IDE/MFM/RLL
disk/cdrom/tape/floppy drives. It is highly recommended not to enable it, since we've already used
the new enhanced driver option with IDE/MFM/RLL disk/cdrom/tape/floppy drives above. This
option may be useful for older systems.

Include IDE/ATA-2 DISK support (CONFIG_BLK_DEV_IDEDISK) [Y/n/?] Press Enter

This option allows us to enable another enhanced support for MFM/RLL/IDE hard disks. The only
time that you can answer N to this question is when you know that your system is pure SCSI.
Therefore, we'll enable support for this option by saying Y to the question.

Use multi-mode by default (CONFIG_IDEDISK_MULTI_MODE) [Y/n/?] n

This option allows us to fix possible error messages that can appear on IDE systems. This error
message may look like:

hda: set_multmode: status=0x51 { DriveReady SeekComplete Error }

hda: set_multmode: error=0x04 { DriveStatusError }

If you get this kind of error message on your system, then you have to say Y to this option. We
suppose that you have a good IDE disk drive and that this error will never appear for you, in this
case, we will change the default value of Y to become N.

Include IDE/ATAPI CDROM support (CONFIG_BLK_DEV_IDECD) [Y/n/?] n

This option allows us to instruct Linux to identify more than one CD-ROM drive along with other
IDE devices, as "hdb" or "hdc", or something similar at boot time. If you have only one CD-ROM
drive installed on your system, you can say N to this question even if it uses the ATAPI protocol
and save some KB into the kernel. You have to say Y to this option only if you handle more than
one CD-ROM drive in your computer. Since most people will usually have only one CD-ROM
installed into their computer, we will change the default value of Y to become N. If you have one
CD-ROM and another one CD-ROM for burning disk, then you have answer Y to this question.

Include IDE/ATAPI TAPE support (CONFIG_BLK_DEV_IDETAPE) [N/y/?] Press Enter

This option allows us to enable an IDE tape drive using the ATAPI protocol. If you have an IDE
tape drive installed on your system, you must answer Y to this question. Most people will say N
here.

Include IDE/ATAPI FLOPPY support (CONFIG_BLK_DEV_IDEFLOPPY) [N/y/?] Press Enter

This option allows us to enable an IDE floppy drive which uses the ATAPI protocol. If you have
this kind of floppy drive installed on your system, you must answer this question Y. Most people
will say N here.

SCSI emulation support (CONFIG_BLK_DEV_IDESCSI) [N/y/?] Press Enter

This option provides SCSI host adapter emulation for IDE ATAPI devices, and will allow us to
use a SCSI device driver instead of a native ATAPI driver. If you intend to install and use a CD-
RW drive on your computer, then you have to say Y here. Again, most people will say N here.

156
 Kernel Security & Optimization 0
CHAPTER 6

*
* IDE chipset support/bugfixes
* CMD640 chipset bugfix/support (CONFIG_BLK_DEV_CMD640) [Y/n/?] n
This option allows us to include code which tries to automatically detect and correct the CMD640
problems under Linux. The CMD-Technologies CMD640 IDE chip is used on many common 486
and Pentium motherboards, usually in combination with a "Neptune" or "SiS" chipset.
Unfortunately, it has a number of rather nasty design flaws that can cause severe data corruption
under many common conditions. To know if you need to enable this option for your system to
correct this bug, edit the /proc/cpuinfo file and see if the parameter "f00f_bug" is set to no
or yes. If the "f00f_bug" value is set to no, then you don't need to enable this option and can
say N to the question, otherwise you have to say Y here.

RZ1000 chipset bugfix/support (CONFIG_BLK_DEV_RZ1000) [Y/n/?] n

This option allows us to include code which tries to automatically detect and correct the RZ1000
problems under Linux. The PC-Technologies RZ1000 IDE chip is used on many common 486
and Pentium motherboards, usually along with the "Neptune" chipset. As for the CMD640 bug
above, it also has a number of rather nasty design flaws that can cause severe data corruption
under many common conditions. To know if you need to enable this option for your system to
correct this bug, edit the /proc/cpuinfo file and see if the parameter "coma_bug" is set to no
or yes. If the "coma_bug" value is set to no, then you don't need to enable this option and can
say N to the question, otherwise you have to say Y here.

Generic PCI IDE chipset support (CONFIG_BLK_DEV_IDEPCI) [Y/n/?] Press Enter

This option helps the IDE driver to automatically detect and configure all PCI-based IDE
interfaces in your system. If you have PCI systems which use IDE drive(s), then say Y to this
question. Most of us have PCI systems which use IDE and have answer Y this question.

Sharing PCI IDE interrupts support (CONFIG_IDEPCI_SHARE_IRQ) [Y/n/?] Press

Enter
This option allows us to enable support for sharing a single IRQ with other cards under ATA/IDE
chipsets. In general, everyone has answer Y this question.

Generic PCI bus-master DMA support (CONFIG_BLK_DEV_IDEDMA_PCI) [Y/n/?] Press

Enter
This option allows us to reduce CPU overhead with IDE drive(s) on PCI system capable of bus-
master DMA operation. If you have a modern IDE ATA/33/66/100 hard drive, then it is
recommended to answer this question Y.

Boot off-board chipsets first support (CONFIG_BLK_DEV_OFFBOARD) [N/y/?] Press

Enter
This option allows us to reverse the device scan order to improve the usability of some boot
managers such as lilo when booting from a drive on an off-board controller. In many cases, this
option is really not required and you can accept the default value of N here.

Use PCI DMA by default when available (CONFIG_IDEDMA_PCI_AUTO) [Y/n/?] Press

Enter
A very important option to enable on all modern IDE disk drives. This option allows us to use the
DMA feature of our disk drive under Linux to improve performance. Most people running a capable
DMA drive will answer to this question by Y.

157
 Kernel Security & Optimization 0
CHAPTER 6

All of the following Kernel options are related to the special onboard chipsets that you may have
on your motherboard. Therefore, specific drivers are provided for each of them and you have to
choose from the list the one that matches you chipset. If you have an Intel onboard chipset, then
you can safety choose the default answer of N to all of the questions, since the kernel supports it
naturally.

Other chipset models must be selected from the list. In many cases, if your chipset is not listed,
this means that it is automatically supported by the Kernel. Note that two options have their
default answer set to Y (Intel PIIXn chipsets support (CONFIG_BLK_DEV_PIIX)
[Y/n/?] and PIIXn Tuning support (CONFIG_PIIX_TUNING) [Y/n/?]). If you have a
Pentium II or later processor, you must keep the default value of these two option to Y.

AEC62XX chipset support (CONFIG_BLK_DEV_AEC62XX) [N/y/?] Press Enter

ALI M15x3 chipset support (CONFIG_BLK_DEV_ALI15X3) [N/y/?] Press Enter
CMD64X chipset support (CONFIG_BLK_DEV_CMD64X) [N/y/?] Press Enter
CY82C693 chipset support (CONFIG_BLK_DEV_CY82C693) [N/y/?] Press Enter
Cyrix CS5530 MediaGX chipset support (CONFIG_BLK_DEV_CS5530) [N/y/?] Press
Enter
HPT34X chipset support (CONFIG_BLK_DEV_HPT34X) [N/y/?] Press Enter
HPT366 chipset support (CONFIG_BLK_DEV_HPT366) [N/y/?] Press Enter
Intel PIIXn chipsets support (CONFIG_BLK_DEV_PIIX) [Y/n/?] Press Enter
PIIXn Tuning support (CONFIG_PIIX_TUNING) [Y/n/?] Press Enter
NS87415 chipset support (EXPERIMENTAL) (CONFIG_BLK_DEV_NS87415) [N/y/?] Press
Enter
PROMISE PDC202{46|62|65|67|68} support (CONFIG_BLK_DEV_PDC202XX) [N/y/?] Press
Enter
ServerWorks OSB4/CSB5 chipsets support (CONFIG_BLK_DEV_SVWKS) [N/y/?] Press
Enter
SiS5513 chipset support (CONFIG_BLK_DEV_SIS5513) [N/y/?] Press Enter
SLC90E66 chipset support (CONFIG_BLK_DEV_SLC90E66) [N/y/?] Press Enter
Tekram TRM290 chipset support (EXPERIMENTAL) (CONFIG_BLK_DEV_TRM290) [N/y/?]
Press Enter
VIA82CXXX chipset support (CONFIG_BLK_DEV_VIA82CXXX) [N/y/?] Press Enter
Other IDE chipset support (CONFIG_IDE_CHIPSETS) [N/y/?] Press Enter
IGNORE word93 Validation BITS (CONFIG_IDEDMA_IVB) [N/y/?] Press Enter

*
* SCSI support
* SCSI support (CONFIG_SCSI) [Y/n/?] Press Enter
This option allows us to enable SCSI hard disks, SCSI tape drives, SCSI CD-ROM's or any other
SCSI devices under Linux. If you have a SCSI like system, you need to answer Y to this question.
If you don't have any SCSI devices on your system, you can safety answer N to the question. For
users that have a SCSI system, it is very important for you to know the name of your SCSI host
adapter (the card inside your computer that "speaks" the SCSI protocol, also called SCSI
controller), because you will be asked for it if you enable this option. Once again, if you don't have
a SCSI system, simply answer N to this question and skip this section of the Linux Kernel
configuration.

*
* SCSI support type (disk, tape, CD-ROM)
* SCSI disk support (CONFIG_BLK_DEV_SD) [Y/n/?] Press Enter
This option allows us to enable support for a SCSI hard disk under Linux. If you have enabled the
SCSI support feature above because you have a SCSI hard drive on your system, then it's here
that you have to specify it by answering Y to the question.

158
 Kernel Security & Optimization 0
CHAPTER 6

Maximum number of SCSI disks that can be loaded as modules

(CONFIG_SD_EXTRA_DEVS) [40] Press Enter
This option allows us to control the amount of additional space allocated in tables for drivers that
are loaded as modules after the kernel is booted. In the event that the SCSI core itself was
loaded as a module, this value is the number of additional disks that can be loaded after the first
host driver is loaded. Since we're compiling a Monolithic Kernel where no modules are available,
this option doesn't concern us and we can safety press the [Enter] key to accept the default
value.

SCSI tape support (CONFIG_CHR_DEV_ST) [N/y/?] Press Enter

This option allows us to enable support for a SCSI tape drive under Linux. If you have enabled
the SCSI support feature above because you have a SCSI tape drive on your system, then it's
here that you have to specify it by answering Y to the question. For most SCSI users, the answer
is N (no, we don't have a SCSI tape drive on this computer).

SCSI OnStream SC-x0 tape support (CONFIG_CHR_DEV_OSST) [N/y/?] Press Enter

This option allows us to enable support for the OnStream SC-x0 SCSI tape drives under Linux. If
you have this kind of SCSI tape drive installed on your computer, then you have to answer to this
question by Y. Most SCSI users will simply say N to this question.

SCSI CD-ROM support (CONFIG_BLK_DEV_SR) [N/y/?] Press Enter

This option allows us to enable support for a SCSI CD-ROM under Linux. If you have enabled the
SCSI support feature above because you have a SCSI CD-ROM on your system, then it's here
that you have to specify it by answering Y to the question. For most SCSI users, the answer is N
(no, we don't have a SCSI CD-ROM on this computer).

SCSI generic support (CONFIG_CHR_DEV_SG) [N/y/?] Press Enter

This option allows us to enable support to use SCSI scanners, synthesizers or CD-writers or just
about anything having "SCSI" in its name other than hard disks, CD-ROMs or tapes. If you have
one of these SCSI items installed on your computer, then you have to say Y here as well as for
the "SCSI disk support" option above to enable the driver.

VERY IMPORTANT NOTE: For users having IDE CD-writers, you have to say Y to this question too,
even if your CD-writers are not SCSI CD-writers. Most SCSI users will simply say N to his
question.

*
* Some SCSI devices (e.g. CD jukebox) support multiple LUNs
* Enable extra checks in new queueing code (CONFIG_SCSI_DEBUG_QUEUES) [Y/n/?]
Press Enter
This option turns on a lot of additional consistency checking for the new queuing code on SCSI
devices. It is a good idea to enable it by saying Y to the question.

Probe all LUNs on each SCSI device (CONFIG_SCSI_MULTI_LUN) [Y/n/?] n

This option force the SCSI driver to probe for multiple LUN's (Logical Unit Number) on your
system and will certainly affect the performance of the system. Most SCSI users will simply
disable this option by saying N to this question to improve performance. If you enable this option,
then we assume that you know what you're doing.

159
 Kernel Security & Optimization 0
CHAPTER 6

Verbose SCSI error reporting (kernel size +=12K) (CONFIG_SCSI_CONSTANTS)

[Y/n/?] n
This option allows any error messages regarding your SCSI hardware to be more
understandable, this enlarges your kernel by about 12 KB. If performance is important to you, we
highly recommend you to disable this option by answering the question N.

SCSI logging facility (CONFIG_SCSI_LOGGING) [N/y/?] Press Enter

This option allows us to turns on a logging facility that can be used to debug a number of SCSI
related problems. Again, if performance is important to you, we highly recommend you to disable
this option by keeping the default value of N here.

*
* SCSI low-level drivers
Below you will be presented a list of available SCSI controllers to choose from, simply select the
SCSI controller that is installed on your system and disable all the others. As an example, we will
pretend that we have an Adaptec AIC7080 controller and will enable it further down. We chose
an Adaptec AIC7080 model for our example; don't forget to change our choice if you have
another kind of SCSI controller installed on your system.

*
3ware Hardware ATA-RAID support (CONFIG_BLK_DEV_3W_XXXX_RAID) [N/y/?] Press
Enter
7000FASST SCSI support (CONFIG_SCSI_7000FASST) [N/y/?] Press Enter
ACARD SCSI support (CONFIG_SCSI_ACARD) [N/y/?] Press Enter
Adaptec AHA152X/2825 support (CONFIG_SCSI_AHA152X) [N/y/?] Press Enter
Adaptec AHA1542 support (CONFIG_SCSI_AHA1542) [N/y/?] Press Enter
Adaptec AHA1740 support (CONFIG_SCSI_AHA1740) [N/y/?] Press Enter
Adaptec AIC7xxx support (CONFIG_SCSI_AIC7XXX) [N/y/?] y
Maximum number of TCQ commands per device (CONFIG_AIC7XXX_CMDS_PER_DEVICE)
[253] (NEW) Press Enter
Initial bus reset delay in milli-seconds (CONFIG_AIC7XXX_RESET_DELAY_MS)
[15000] (NEW) Press Enter
Build Adapter Firmware with Kernel Build (CONFIG_AIC7XXX_BUILD_FIRMWARE)
[N/y/?] (NEW) Press Enter
Adaptec I2O RAID support (CONFIG_SCSI_DPT_I2O) [N/y/?] Press Enter
AdvanSys SCSI support (CONFIG_SCSI_ADVANSYS) [N/y/?] Press Enter
Always IN2000 SCSI support (CONFIG_SCSI_IN2000) [N/y/?] Press Enter
AM53/79C974 PCI SCSI support (CONFIG_SCSI_AM53C974) [N/y/?] Press Enter
AMI MegaRAID support (CONFIG_SCSI_MEGARAID) [N/y/?] Press Enter
BusLogic SCSI support (CONFIG_SCSI_BUSLOGIC) [N/y/?] Press Enter
Compaq Fibre Channel 64-bit/66Mhz HBA support (CONFIG_SCSI_CPQFCTS) [N/y/?]
Press Enter
DMX3191D SCSI support (CONFIG_SCSI_DMX3191D) [N/y/?] Press Enter
DTC3180/3280 SCSI support (CONFIG_SCSI_DTC3280) [N/y/?] Press Enter
EATA ISA/EISA/PCI (DPT and generic EATA/DMA-compliant boards) support
(CONFIG_SCSI_EATA) [N/y/?] Press Enter
EATA-DMA [Obsolete] (DPT, NEC, AT&T, SNI, AST, Olivetti, Alphatronix) support
(CONFIG_SCSI_EATA_DMA) [N/y/?] Press Enter
EATA-PIO (old DPT PM2001, PM2012A) support (CONFIG_SCSI_EATA_PIO) [N/y/?] Press
Enter
Future Domain 16xx SCSI/AHA-2920A support (CONFIG_SCSI_FUTURE_DOMAIN) [N/y/?]
Press Enter
Intel/ICP (former GDT SCSI Disk Array) RAID Controller support
(CONFIG_SCSI_GDTH) [N/y/?] Press Enter
Generic NCR5380/53c400 SCSI support (CONFIG_SCSI_GENERIC_NCR5380) [N/y/?] Press
Enter
IBM ServeRAID support (CONFIG_SCSI_IPS) [N/y/?] Press Enter
Initio 9100U(W) support (CONFIG_SCSI_INITIO) [N/y/?] Press Enter
Initio INI-A100U2W support (CONFIG_SCSI_INIA100) [N/y/?] Press Enter

160
 Kernel Security & Optimization 0
CHAPTER 6

NCR53c406a SCSI support (CONFIG_SCSI_NCR53C406A) [N/y/?] Press Enter

NCR53c7,8xx SCSI support (CONFIG_SCSI_NCR53C7xx) [N/y/?] Press Enter
SYM53C8XX Version 2 SCSI support (CONFIG_SCSI_SYM53C8XX_2) [N/y/?] Press Enter
NCR53C8XX SCSI support (CONFIG_SCSI_NCR53C8XX) [N/y/?] Press Enter
SYM53C8XX SCSI support (CONFIG_SCSI_SYM53C8XX) [Y/n/?] n
PAS16 SCSI support (CONFIG_SCSI_PAS16) [N/y/?] Press Enter
PCI2000 support (CONFIG_SCSI_PCI2000) [N/y/?] Press Enter
PCI2220i support (CONFIG_SCSI_PCI2220I) [N/y/?] Press Enter
PSI240i support (CONFIG_SCSI_PSI240I) [N/y/?] Press Enter
Qlogic FAS SCSI support (CONFIG_SCSI_QLOGIC_FAS) [N/y/?] Press Enter
Qlogic ISP SCSI support (CONFIG_SCSI_QLOGIC_ISP) [N/y/?] Press Enter
Qlogic ISP FC SCSI support (CONFIG_SCSI_QLOGIC_FC) [N/y/?] Press Enter
Qlogic QLA 1280 SCSI support (CONFIG_SCSI_QLOGIC_1280) [N/y/?] Press Enter
Seagate ST-02 and Future Domain TMC-8xx SCSI support (CONFIG_SCSI_SEAGATE)
[N/y/?] Press Enter
Simple 53c710 SCSI support (Compaq, NCR machines) (CONFIG_SCSI_SIM710) [N/y/?]
Press Enter
Symbios 53c416 SCSI support (CONFIG_SCSI_SYM53C416) [N/y/?] Press Enter
Tekram DC390(T) and Am53/79C974 SCSI support (CONFIG_SCSI_DC390T) [N/y/?] Press
Enter
Trantor T128/T128F/T228 SCSI support (CONFIG_SCSI_T128) [N/y/?] Press Enter
UltraStor 14F/34F support (CONFIG_SCSI_U14_34F) [N/y/?] Press Enter
UltraStor SCSI support (CONFIG_SCSI_ULTRASTOR) [N/y/?] Press Enter

*
* Fusion MPT device support
* Fusion MPT (base + ScsiHost) drivers (CONFIG_FUSION) [N/y/?] Press Enter

*
* I2O device support
* I2O support (CONFIG_I2O) [N/y/?] Press Enter
This option allows us to enable support for Intelligent Input/Output (I2O) architecture. In order for
this to work, you need to have an I2O interface adapter card in your computer. If you have this
kind of I2O interface adapter card installed on your system, then you can say Y to the question
and you will get a choice of interface adapter drivers and OSM's. Most users simply say N here.

*
* Network device support
* Network device support (CONFIG_NETDEVICES) [Y/n/?] Press Enter
This option is one of the most important and allows us to enable support and feature for network
cards under Linux. Therefore, we have to answer Y to this question.

*
* ARCnet devices
* ARCnet support (CONFIG_ARCNET) [N/y/?] Press Enter
This option allows us to enable ARCnet chipset support under Linux. If you have a network card
of this type installed on your system, then say Y here, otherwise and for most users, you have to
keep the default value of N here.

Dummy net driver support (CONFIG_DUMMY) [Y/n/?] n

This option is only useful for PPP dial up modem users on Linux. If you don't use your system to
make PPP connections, then you can safety answer N to this question. Only users who have a
modem and want to use it to establish a connection via PPP or SLIP need to say Y here. Since,
in our example, we use a network card to make a network connection, we will answer the
question N.

161
 Kernel Security & Optimization 0
CHAPTER 6

Bonding driver support (CONFIG_BONDING) [N/y/?] Press Enter

This option allows us to 'bond' multiple Ethernet Channels together. This is called 'Etherchannel'
by Cisco, 'Trunking' by Sun, and 'Bonding' in Linux. It is a technique to merge Ethernet segments
together for doubling the speed of a connection. In most cases, we can safety choose the default
choice of N here. You must have two Ethernet cards installed on your system and on the remote
computer where you want to use this technique to be able to use it. Also, this is an advanced
feature and only experienced Linux users may need it. Therefore, we will answer to the question
by N.

EQL (serial line load balancing) support (CONFIG_EQUALIZER) [N/y/?] Press Enter
This option allows us to enable the same feature as the previous option, but this time for two
modems and two telephone lines. Therefore, we will simply say N to this question.

Universal TUN/TAP device driver support (CONFIG_TUN) [N/y/?] Press Enter

This option allows us to enable TUN/TAP support under Linux. TUN/TAP provides packet
reception and transmission for user space programs. It can be viewed as a simple Point-to-Point
or Ethernet device, which instead of receiving packets from a physical media, receives them from
user space program and instead of sending packets via physical media, writes them to the user
space program. It is rare that we need this feature, if you need it then simply say Y here. Most
users will say N here.

*
* Ethernet (10 or 100Mbit)
* Ethernet (10 or 100Mbit) (CONFIG_NET_ETHERNET) [Y/n/?] Press Enter
This option is very important and allows us to enable support for Ethernet Network Interface
Cards (NIC's) under Linux. Now, everyone has a NIC in their computer and if you want to be able
to use your network card, then you have to say Y here. Note that the answer to this question
won't directly affect the kernel: saying N will just cause the configuration to skip all the questions
about Ethernet network cards. We must say Y here to be able to select the network card that we
have in our computer from the list of supported network cards.

It is very important to know the name of the network card(s) installed in your system because you
will be asked for it. As an example we will pretend that we have an "EtherExpressPro/100"
network card in our computer and we will enable support for it. This is an example and don't
forget to change our default choice if you have another kind of network card installed in your
system. In general, we say Y for the network card that we have and N for all other network cards.

Sun Happy Meal 10/100baseT support (CONFIG_HAPPYMEAL) [N/y/?] Press Enter

Sun GEM support (CONFIG_SUNGEM) [N/y/?] Press Enter
3COM cards (CONFIG_NET_VENDOR_3COM) [N/y/?] Press Enter
AMD LANCE and PCnet (AT1500 and NE2100) support (CONFIG_LANCE) [N/y/?] Press
Enter
Western Digital/SMC cards (CONFIG_NET_VENDOR_SMC) [N/y/?] Press Enter
Racal-Interlan (Micom) NI cards (CONFIG_NET_VENDOR_RACAL) [N/y/?] Press Enter
DEPCA, DE10x, DE200, DE201, DE202, DE422 support (CONFIG_DEPCA) [N/y/?] Press
Enter
HP 10/100VG PCLAN (ISA, EISA, PCI) support (CONFIG_HP100) [N/y/?] Press Enter
Other ISA cards (CONFIG_NET_ISA) [N/y/?] Press Enter
EISA, VLB, PCI and on board controllers (CONFIG_NET_PCI) [Y/n/?] Press Enter
AMD PCnet32 PCI support (CONFIG_PCNET32) [N/y/?] Press Enter
Apricot Xen-II on board Ethernet (CONFIG_APRICOT) [N/y/?] Press Enter
CS89x0 support (CONFIG_CS89x0) [N/y/?] Press Enter
DECchip Tulip (dc21x4x) PCI support (CONFIG_TULIP) [N/y/?] Press Enter
Generic DECchip & DIGITAL EtherWORKS PCI/EISA (CONFIG_DE4X5) [N/y/?] Press
Enter
Digi Intl. RightSwitch SE-X support (CONFIG_DGRS) [N/y/?] Press Enter
Davicom DM910x/DM980x support (CONFIG_DM9102) [N/y/?] Press Enter

162
 Kernel Security & Optimization 0
CHAPTER 6

EtherExpressPro/100 support (CONFIG_EEPRO100) [Y/n/?] Press Enter

Myson MTD-8xx PCI Ethernet support (CONFIG_FEALNX) [N/y/?] Press Enter
National Semiconductor DP8381x series PCI Ethernet support (CONFIG_NATSEMI)
[N/y/?] Press Enter
PCI NE2000 and clones support (see help) (CONFIG_NE2K_PCI) [N/y/?] Press Enter
RealTek RTL-8139 PCI Fast Ethernet Adapter support (CONFIG_8139TOO) [N/y/?]
Press Enter
SiS 900/7016 PCI Fast Ethernet Adapter support (CONFIG_SIS900) [N/y/?] Press
Enter
SMC EtherPower II (CONFIG_EPIC100) [N/y/?] Press Enter
Sundance Alta support (CONFIG_SUNDANCE) [N/y/?] Press Enter
TI ThunderLAN support (CONFIG_TLAN) [N/y/?] Press Enter
VIA Rhine support (CONFIG_VIA_RHINE) [N/y/?] Press Enter
Winbond W89c840 Ethernet support (CONFIG_WINBOND_840) [N/y/?] Press Enter
Pocket and portable adapters (CONFIG_NET_POCKET) [N/y/?] Press Enter
*
* Ethernet (1000 Mbit)
* Alteon AceNIC/3Com 3C985/NetGear GA620 Gigabit support (CONFIG_ACENIC)
[N/y/?] Press Enter
D-Link DL2000-based Gigabit Ethernet support (CONFIG_DL2K) [N/y/?] Press Enter
National Semiconduct DP83820 support (CONFIG_NS83820) [N/y/?] Press Enter
Packet Engines Hamachi GNIC-II support (CONFIG_HAMACHI) [N/y/?] Press Enter
SysKonnect SK-98xx support (CONFIG_SK98LIN) [N/y/?] Press Enter

FDDI driver support (CONFIG_FDDI) [N/y/?] Press Enter

This option allows us to enable FDDI card support under Linux. FDDI (Fiber Distributed Data
Interface) is a high speed local area network design to runs over copper or fiber. If you are
connected to such a network and want a driver for the FDDI card in your computer, say Y here.
Most users will simply say N here.

PPP (point-to-point protocol) support (CONFIG_PPP) [N/y/?] Press Enter

This option allows us to enable PPP support under Linux. PPP (Point to Point Protocol) is the
protocol used by modern modems to establish a remote connection with your ISP. If you have a
modem card installed on your system to make a remote connection with your ISP, then you need
to answer Y to this question. If you don't use PPP to connect on the Internet, then you can safety
say N here. In our example, we assume that you use another method, like a network interface, to
connect to the Internet and say N here.

SLIP (serial line) support (CONFIG_SLIP) [N/y/?] Press Enter

This option allows us to enable SLIP or CSLIP support under Linux. These protocols are really
old now and have been replaced by the PPP protocol (see the above option). If for any reason
you still use them, then say Y here. Most users will answer this question N.

*
* Wireless LAN (non-hamradio)
* Wireless LAN (non-hamradio) (CONFIG_NET_RADIO) [N/y/?] Press Enter
This option allows us to enable support for wireless LANs and everything having to do with radio,
but not with amateur radio or FM broadcasting. If you need such support on your system, then
say Y here, also if you need Wireless Extensions with wireless PCMCIA (PC-) cards on Linux, you
need to say Y here too. Most users will simply say N here.

*
* Token Ring devices
* Token Ring driver support (CONFIG_TR) [N/y/?] Press Enter
This option allows us to enable support for Token Ring under Linux. Token Ring is IBM's way of
communication on a local network; the rest of the world uses Ethernet. If you need Token Ring
support on your computer, then say Y here. Most people will select the default choice of N here.

163
 Kernel Security & Optimization 0
CHAPTER 6

Fibre Channel driver support (CONFIG_NET_FC) [N/y/?] Press Enter

This option allows us to enable Fibre Channel support under Linux. Fibre Channel is a high speed
serial protocol mainly used to connect large storage devices to the computer. If you have a Fibre
channel adapter card in your computer, then you can say Y here. Most users will simply say N
here.

*
* Wan interfaces
* Wan interfaces support (CONFIG_WAN) [N/y/?] Press Enter
This option allows us to enable support for Wan interfaces under Linux. Wide Area Networks
(WANs), such as X.25, frame relay and leased lines, are used to interconnect Local Area
Networks (LANs) over vast distances. If you have these kinds of cards installed on your system,
then you can answer Y to the question. Most users will say N here.

*
* Amateur Radio support
* Amateur Radio support (CONFIG_HAMRADIO) [N/y/?] Press Enter
This option allows us to enable Amateur Radio support under Linux. If you want to connect your
Linux box to an amateur radio, answer Y here. Note that the answer to this question won't directly
affect the kernel: saying N will just cause the configuration to skip all the questions about amateur
radio. Most people will say N here.

*
* IrDA (infrared) support
* IrDA subsystem support (CONFIG_IRDA) [N/y/?] Press Enter
This option allows us to enable support for the IrDA (TM) protocols under Linux. IrDA (Infrared
Data Associations) is a support for wireless infrared communication. Laptops or computers that
use infrared and PDA's users will say Y here. Most users will say N here.

*
* ISDN subsystem
* ISDN support (CONFIG_ISDN) [N/y/?] Press Enter
This option allows us to enable ISDN support under Linux. ISDN (Integrated Services Digital
Networks) is a special type of fully digital telephone service; it's mostly used to connect to your
Internet service provider (with SLIP or PPP). If you have this type of card installed on your
computer (popular in Europe), then you have to say Y here otherwise, you will certainly keep the
default value of N here.

*
* Old CD-ROM drivers (not SCSI, not IDE)
* Support non-SCSI/IDE/ATAPI CDROM drives (CONFIG_CD_NO_IDESCSI) [N/y/?] Press
Enter
If you have a CD-ROM drive that is neither SCSI nor IDE/ATAPI, say Y here, otherwise N. Note
that the answer to this question doesn't directly affect the kernel: saying N will just cause the
configuration to skip all the questions about these CD-ROM drives. Most users will say N here.

*
* Input core support
* Input core support (CONFIG_INPUT) [N/y/?] Press Enter
This option allows us to enable any of the USB HID (Human Interface Device) options in the USB
support section which require Input core support. If you intended to use USB on Linux, say Y here
otherwise, you can safety say N here. It is rare that we have to use USB on server systems.

164
 Kernel Security & Optimization 0
CHAPTER 6

*
* Character devices
* Virtual terminal (CONFIG_VT) [Y/n/?] Press Enter
This option is very important and allows us to enable support for terminal devices with display and
keyboard devices. On Linux, you need at least one virtual terminal device in order to make use of
your keyboard and monitor. Therefore, we have to say Y here.

Support for console on virtual terminal (CONFIG_VT_CONSOLE) [Y/n/?] Press Enter

This option allows us to enable support for consoles on virtual terminals. Most users will simply
keep the default value of Y here.

Standard/generic (8250/16550 and compatible UARTs) serial support

(CONFIG_SERIAL) [Y/n/?] n
This option allows us to use serial mice, modems and similar devices that connect to the standard
serial ports under Linux. If you use your Linux system as a workstation with graphical interface
installed, then you must answer Y to the question. If you use your Linux system for dedicated
Ethernet WWW/FTP servers, then you can say N here. In our example, we assume that your
Linux system is dedicated and configured to run as a server only and answer N to the question.

Non-standard serial port support (CONFIG_SERIAL_NONSTANDARD) [N/y/?] Press

Enter
This option allows us to enable support for any non-standard serial boards under Linux. These
are usually used for systems that need many serial ports, because they serve many terminals or
dial-in connections. If this is not true in your case, then you can safety say N here. Most people
will simply say N here.

Unix98 PTY support (CONFIG_UNIX98_PTYS) [Y/n/?] Press Enter

This option is important in modern Linux system and allows us to enable pseudo terminal (PTY)
support under Linux. Everyone must say Y here. Information about pseudo terminal (PTY) can be
found in the Kernel documentation.

Maximum number of Unix98 PTYs in use (0-2048) (CONFIG_UNIX98_PTY_COUNT) [256]

128
This option allows us to set the maximum number of Unix98 PTY's that can be used at any one
time. It is important to note that each additional set of 256 PTY's occupy approximately 8 KB of
kernel memory on 32-bit architectures and for security as well as performance reasons, we must
keep the number as low as possible. Therefore, we will change the default value of 256 to 128.

*
* I2C support
* I2C support (CONFIG_I2C) [N/y/?] Press Enter
This option allows us to enable I2C and SMBus support under Linux. IC2 is a slow serial bus
protocol used in many micro controller applications and developed by Philips. If you need this
feature, then say Y to the question otherwise say N here. Most people will say N here.

Bus Mouse Support (CONFIG_BUSMOUSE) [N/y/?] Press Enter

This option allows us to enable bus mouse support under Linux. All modern computer now use a
serial mouse. If you still continue to use a bus mouse on your system, then you have to say Y
here. Laptop users also need to say Y here. Most users will simply say N here.

165
 Kernel Security & Optimization 0
CHAPTER 6

Mouse Support (not serial and bus mice) (CONFIG_MOUSE) [Y/n/?] Press Enter
This option allows us to enable support for no serial or bus mice support under Linux. This is for
machines with a mouse, which is neither a serial, nor a bus mouse. Examples are PS/2 mice. If
you have a PS/2 mouse, then say Y here, otherwise say N here. Laptop and workstation users
also need to say Y here. If you use your Linux system for dedicated Ethernet WWW/FTP servers,
then you can say N here and save some space in your Kernel code.

PS/2 mouse (aka "auxiliary device") support (CONFIG_PSMOUSE) [Y/n/?] Press

Enter
This option enables support for a PS/2 mouse on your system. The PS/2 mouse connects to a
special mouse port that looks much like the keyboard port (small circular connector with 6 pins). If
you have this kind of mouse (most modern computers and laptops have and use it), then say Y
here otherwise say N.

C&T 82C710 mouse port support (as on TI Travelmate) (CONFIG_82C710_MOUSE)

[N/y/?] Press Enter
This option allows us to enable support for a certain kind of PS/2 mouse used on the TI
Travelmate. If you have this kind of mouse installed on your system, then say Y here. Most users
will say N to this question.

PC110 digitizer pad support (CONFIG_PC110_PAD) [N/y/?] Press Enter

This drives the digitizer pad on the IBM PC110 palmtop. It can turn the digitizer pad into PS/2
mouse emulation with tap gestures or into an absolute pad. Most users will answer this question
N.

QIC-02 tape support (CONFIG_QIC02_TAPE) [N/y/?] Press Enter

This option allows us to enable QIC-02 tape support under Linux. QIC-02 is a non-SCSI tape
drive and if you use it, then says Y to the question. Most users will say N here.

*
* Watchdog Cards
* Watchdog Timer Support (CONFIG_WATCHDOG) [N/y/?] Press Enter
This option enables Watchdog Timer support under Linux. For details about watchdog, please
read Documentation/watchdog.txt in the kernel source. Most users will say N here.

Intel i8x0 Random Number Generator support (CONFIG_INTEL_RNG) [N/y/?] Press

Enter
This option allows us to enable support for a driver that provides kernel-side support for the
Random Number Generator hardware found on Intel i8xx-based motherboards. If you have this
generator hardware installed on your computer, then you can say Y to the question. Most people
will say N here.

/dev/nvram support (CONFIG_NVRAM) [N/y/?] Press Enter

This option allows us to get read and write access to the 50 bytes of non-volatile memory in the
real time clock (RTC). This memory is conventionally called "CMOS RAM" on PCs and may be
used to view settings there, or to change them (with some utility). Most users will say N to this
question.

Enhanced Real Time Clock Support (CONFIG_RTC) [N/y/?] Press Enter

This option allows us to get access to the real time clock (or hardware clock) built into the
computer. If you run Linux on a multiprocessor machine and said Y to "Symmetric Multi
Processing" above, you should say Y here to read and set the RTC in an SMP compatible
fashion.

166
 Kernel Security & Optimization 0
CHAPTER 6

Double Talk PC internal speech card support (CONFIG_DTLK) [N/y/?] Press Enter
This option allows us to enable support for the DoubleTalk PC under Linux. If you have a speech
card installed on your computer, then answer to this question by Y. Most users will say N here.

Siemens R3964 line discipline (CONFIG_R3964) [N/y/?] Press Enter

This option allows synchronous communication with devices using the Siemens R3964 packet
protocol. Unless you are dealing with special hardware like PLC's, you are unlikely to need this.
Most users will simply say N here.

Applicom intelligent fieldbus card support (CONFIG_APPLICOM) [N/y/?] Press

Enter
This option provides the kernel-side support for the intelligent fieldbus cards made by Applicom
International. Unless you are dealing with such a card, you are unlikely to need this. Most users
will simply say N here.

*
* Ftape, the floppy tape device driver
* Ftape (QIC-80/Travan) support (CONFIG_FTAPE) [N/y/?] Press Enter
This option allows us to enable support for some well know tape drives under Linux. If you enable
this option, then you'll be asked to select your make and model from the available list. If you don't
use tape drive on your computer, then you can say N to this option.

/dev/agpgart (AGP Support) (CONFIG_AGP) [Y/n/?] n

This option is only pertinent if you use XFree86 on your computer and want to use the GLX or
DRI features for better performance. Enable this option only if you use graphical interface on your
computer. If you system is a server, then you really don't need this option. In our example, we are
configuring the kernel for a server purpose, therefore, we will say N here.

Direct Rendering Manager (XFree86 4.1.0 and higher DRI support) (CONFIG_DRM)
[Y/n/?] n
This option is directly related to the use of XFree86 and graphical interface on your computer. It
allows us to enable Kernel-level support for the Direct Rendering Infrastructure (DRI) for better
performance of the system. If your computer doesn't have a graphical interface installed, and is
configured as a server, then you don't need to enable this option. If you say Y here because you
have and use a graphical interface, then you need to select the module that's right for your
graphics card from the available list. In our example, we are configuring the kernel for a server
purpose, therefore, we will say N here.

ACP Modem (Mwave) support (CONFIG_MWAVE) [N/y/?] Press Enter

This option allows us to enable ACP modem (Mwave) support under Linux. ACP is a WinModem
composed of a kernel driver and a user level application. Together these components support
direct attachment to public switched telephone networks (PSTNs) and support selected countries.
Most user will simply say N here.

*
* Multimedia devices
* Video For Linux (CONFIG_VIDEO_DEV) [N/y/?] Press Enter
This option allows us to enable support for audio/video capture and overlay devices and FM radio
cards under Linux. If you use graphical interface on your system, you need to say Y here. If your
system is configured as a server and you don't have graphical interface installed on it, then you
can safety say N here. In our example, we are configuring the kernel for a server purpose,
therefore, we will say N here.

167
 Kernel Security & Optimization 0
CHAPTER 6

*
* File systems
* Quota support (CONFIG_QUOTA) [N/y/?] y
This option is important to allow us to set per user/group limits for disk usage (also called disk
quotas) under Linux. It is sometimes required on server environments where such a purpose is
required. If you use Linux as a workstation with graphical interface, it is not useful to enable it.
Only enable this option on server environment when required.

Kernel automounter support (CONFIG_AUTOFS_FS) [N/y/?] Press Enter

This option allows us to automatically mount remote file systems on demand. A newer version of
the automounter with more features is now available; therefore we really don't need to enable this
option. Say N here.

Kernel automounter version 4 support (also supports v3) (CONFIG_AUTOFS4_FS)

[Y/n/?] n
This option allows us to enable support for the new automounter tool. If you are not a part of a
fairly large, distributed network or don't have a laptop which needs to dynamically reconfigure to
the local network, you probably do not need an automounter, and can say N here.

Ext3 journalling file system support (EXPERIMENTAL) (CONFIG_EXT3_FS) [N/y/?] y

This option is very important and allows us to enable support for the new EXT3 journaling file
system support under Linux. EXT3 is the journaling version of the Second extended file system
(often called ext3), the de facto standard Linux file system (method to organize files on a storage
device) for hard disks. Most users will say Y here to be able to get advantage of the new EXT3
journaling file system.

JBD (ext3) debugging support (CONFIG_JBD_DEBUG) [N/y/?] y

This option allows us to enable debugging output while the system is running EXT3 under Linux,
in order to help track down any problems you are having. It is a good idea to enable it, therefore
answer Y to the question.

DOS FAT fs support (CONFIG_FAT_FS) [N/y/?] Press Enter

If you want to use one of the FAT-based file systems (the MS-DOS, VFAT (Windows 95) and
UMSDOS (used to run Linux on top of an ordinary DOS partition) file systems, then you must say Y
here. In many case, we really don't need this kind of feature and can safety say N here.
Recommended choice is N and especially for a linux server system.

Compressed ROM file system support (CONFIG_CRAMFS) [N/y/?] Press Enter

This option allows us to enable CramFs support under Linux. CramFs (Compressed ROM File
System) is designed to be a simple, small, and compressed file system for ROM based embedded
systems. Most users will simply say N here.

Virtual memory file system support (former shm fs) (CONFIG_TMPFS) [Y/n/?] Press
Enter
This option allows us to enable support for Tmpfs under Linux. Tmpfs is a file system which
keeps all files in virtual memory. It is a good idea to enable it on your computer.

Simple RAM-based file system support (CONFIG_RAMFS) [N/y/?] Press Enter

This option allows us to enable support for Ramfs under Linux. Ramfs is a file system which
keeps all files in RAM. It allows read and write access. Most users will say N here.

ISO 9660 CDROM file system support (CONFIG_ISO9660_FS) [Y/n/?] Press Enter
This option is important and allows Linux to access and read your CD-ROM. Since everyone has
and uses a CD-ROM, it is vital to say Y to this question.

168
 Kernel Security & Optimization 0
CHAPTER 6

Microsoft Joliet CDROM extensions (CONFIG_JOLIET) [N/y/?] Press Enter

This option allows us to be able to read Joliet CD-ROM's under Linux. Joliet is a Microsoft
extension for the ISO 9660 CD-ROM file system, which allows for long filenames in unicode
format. If you think that you'll need to access some files written in this format under Linux with
your CD-ROM, then you need to say Y here. For workstations, you may need to say Y here but
for Linux servers, you have to say N here.

Transparent decompression extension (CONFIG_ZISOFS) [N/y/?] Press Enter

This is a Linux-specific extension to RockRidge which lets you store data in compressed form on
a CD-ROM and have it transparently decompressed when the CD-ROM is accessed. Again, for
workstations you may need it but for servers, you don't need it. Say N.

Minix fs support (CONFIG_MINIX_FS) [N/y/?] Press Enter

This option allows us to enable Minix fs support with Linux. The minix file system (method to
organize files on a hard disk partition or a floppy disk) was the original file system for Linux, but
has been superseded by the second extended file system (ext2fs). Simply say N here.

FreeVxFS file system support (VERITAS VxFS(TM) compatible) (CONFIG_VXFS_FS)

[N/y/?] Press Enter
FreeVxFS is a file system driver that support the VERITAS VxFS(TM) file system format.
VERITAS VxFS(TM) is the standard file system of SCO UnixWare (and possibly others) and
optionally available for Sunsoft Solaris, HP-UX and many other operating systems. If you want to
support such file system on your computer, then say Y here otherwise say N.

NTFS file system support (read only) (CONFIG_NTFS_FS) [N/y/?] Press Enter
NTFS is the file system of Microsoft Windows NT. Say Y if you want to get read access to files on
NTFS partitions of your hard drives otherwise say N here. Most users will say N.

OS/2 HPFS file system support (CONFIG_HPFS_FS) [N/y/?] Press Enter

OS/2 is IBM's operating system for PC's, the same as Warp, and HPFS is the file system used for
organizing files on OS/2 hard disk partitions. Say Y if you want to be able to read files from and
write files to an OS/2 HPFS partition on your hard drive. Most users will say N here.

/proc file system support (CONFIG_PROC_FS) [Y/n/?] Press Enter

This is a virtual file system providing information about the status of the system. Several
programs depend on this, so everyone should say Y here.

/dev/pts file system for Unix98 PTYs (CONFIG_DEVPTS_FS) [Y/n/?] Press Enter
This option allows us to get a virtual file system which can be mounted on /dev/pts with
"mount -t devpts". This, together with the pseudo terminal master multiplexer /dev/ptmx, is
used for pseudo terminal support as described in The Open Group's Unix98 standard. Again,
everyone should say Y here.

ROM file system support (CONFIG_ROMFS_FS) [N/y/?] Press Enter

This is a very small read-only file system mainly intended for initial ram disks of installation disks,
but it could be used for other read-only media as well. Most people will simply say N to this
question. If you want to run SCSI system on modularized kernel, you should say Y here.

Second extended fs support (CONFIG_EXT2_FS) [Y/n/?] Press Enter

This is the de facto standard Linux file system (method to organize files on a storage device) for
hard disks and you must say Y to this question.

169
 Kernel Security & Optimization 0
CHAPTER 6

System V/Xenix/V7/Coherent file system support (CONFIG_SYSV_FS) [N/y/?] Press

Enter
SCO, Xenix and Coherent are commercial Unix systems for Intel machines, and Version 7 was
used on the DEC PDP-11. Saying Y here would allow you to read from their floppies and hard
disk partitions. Most people will say N to this question.

UDF file system support (read only) (CONFIG_UDF_FS) [N/y/?] Press Enter
This is the new file system used on some CD-ROMs and DVD's. Say Y if you intend to mount
DVD discs or CD-RW's written in packet mode, or if written to by other UDF utilities, such as
DirectCD. Only enable this option if you have some such need.

UFS file system support (read only) (CONFIG_UFS_FS) [N/y/?] Press Enter
BSD and derivative versions of Unix (such as SunOS, FreeBSD, NetBSD, OpenBSD and
NeXTstep) use a file system called UFS. Some System V Unixes can create and mount hard disk
partitions and diskettes using this file system as well. Saying Y here will allow you to read from
these partitions. Most users will say N here.

*
* Network File Systems
* Coda file system support (advanced network fs) (CONFIG_CODA_FS) [N/y/?] Press
Enter
Coda is an advanced network file system, similar to NFS in that it enables you to mount file
systems of a remote server and access them with regular Unix commands as if they were sitting
on your hard disk. Enable this option only if you need it otherwise disable it.

NFS file system support (CONFIG_NFS_FS) [Y/n/?] n

If you are connected to some other (usually local) Unix computer (using SLIP, PLIP, PPP or
Ethernet) and want to mount files residing on that computer (the NFS server) using the Network
File Sharing protocol, say Y here.

NFS server support (CONFIG_NFSD) [Y/n/?] n

If you want your Linux box to act as an NFS *server*, so that other computers on your local
network which support NFS can access certain directories on your box transparently, you have
two options: you can use the self-contained user space program nfsd, in which case you should
say N here, or you can say Y and use the kernel based NFS server. The advantage of the kernel
based solution is that it is faster. Finally, if you don't want to support NFS server at all, simply say
N here.

SMB file system support (to mount Windows shares etc.) (CONFIG_SMB_FS) [N/y/?]
Press Enter
SMB (Server Message Block) is the protocol Windows for Workgroups (WfW), Windows 95/98,
Windows NT, 2000, XP and OS/2 Lan Manager use to share files and printers over local
networks. Saying Y here allows you to mount their file systems (often called "shares" in this
context) and access them just like any other Unix directory. Enable this option only if you need it.
In most cases the answer to this question will be N even if you install Samba on your system.

NCP file system support (to mount NetWare volumes) (CONFIG_NCP_FS) [N/y/?]
Press Enter
NCP (NetWare Core Protocol) is a protocol that runs over IPX and is used by Novell NetWare
clients to talk to file servers. It is to IPX what NFS is to TCP/IP, if that helps. Saying Y here allows
you to mount NetWare file server volumes and to access them just like any other Unix directory.
Enable this option only if you need it. In most cases the answer to this question will be N. You do
not have to say Y here if you want your Linux box to act as a file *server* for Novell NetWare
clients.

170
 Kernel Security & Optimization 0
CHAPTER 6

*
* Partition Types
* Advanced partition selection (CONFIG_PARTITION_ADVANCED) [N/y/?] Press Enter
This option allows us to enable the use of hard disks under Linux which were partitioned under an
operating system running on a different architecture than the Linux system. Note that the answer
to this question won't directly affect the kernel: saying N will just cause the configuration to skip all
the questions about foreign partitioning schemes.

*
* Console drivers
* VGA text console (CONFIG_VGA_CONSOLE) [Y/n/?] Press Enter
This option allows us to use Linux in text mode through a display that complies with the generic
VGA standard. Virtually everyone wants that. Everyone should say Y here.

Video mode selection support (CONFIG_VIDEO_SELECT) [N/y/?] Press Enter

This option allows us to enable support for text mode selection on kernel startup. In general we
don't need to enable this option. Say N here and read the file Documentation/svga.txt for
more information about the Video mode selection support if you are curious.

*
* Sound
* Sound card support (CONFIG_SOUND) [Y/n/?] n
This option allows us to enable sound support under Linux. If you have a sound card in your
computer, then say Y here and select from the available list of sound card the one that you have.
If you run Linux as a workstation, you may need to say Y here, if you run Linux as a server, you
really don't need to enable this option and can safety say N here.

*
* USB support
* Support for USB (CONFIG_USB) [Y/n/?] n
This option allows us to enable USB support under Linux. If your computer has a USB port and
you want to use USB devices, then you have to say Y here. For servers you really don't need to
say Y here and can safety say N.

*
* Kernel hacking
* Kernel debugging (CONFIG_DEBUG_KERNEL) [N/y/?] Press Enter
You have to say Y here only if you are developing drivers or trying to debug and identify kernel
problems. Most users will simply say N here.
*
* Grsecurity
*
Grsecurity (CONFIG_GRKERNSEC) [N/y/?] y
This option allows us to enable Grsecurity support under Linux. If you say Y to this option, you
will be able to configure many Grsecurity features that will enhance the security of your Linux
system in many ways. This option is available ONLY if you have patched your Linux kernel with
the Grsecurity patch as discussed previously in this chapter. For best security of your Linux
server say Y here.

Security level (Low, Medium, High, Customized) [Customized] Press Enter

This Grsecurity option allows us to choose between three predefined Grsecurity
configurations or to customize the Grsecurity configuration as we want. For better control of
what the patch does and what we may or may not need, we chose to have full control about what
should or shouldn’t be enable with Grsecurity by pressing the [Enter] key to accept the
default choice of [Customized], which let us see all available security features and chose only
the one we need for our server and kernel security setup.

171
 Kernel Security & Optimization 0
CHAPTER 6

*
* Buffer Overflow Protection
*
Openwall non-executable stack (CONFIG_GRKERNSEC_STACK) [N/y/?] y
This Grsecurity option allows us to enable the non-executable stack protection on the system.
If you say Y here, your system will not allow execution of code on the stack, making buffer
overflow exploitation more difficult. It’s a good idea to say Y here.

Gcc trampoline support (CONFIG_GRKERNSEC_STACK_GCC) [N/y/?] Press Enter

This Grsecurity option allows us to support trampoline code along with the above stack
protection. Trampolining is an action to use the ability of the stack to contain executable code,
which can improve program efficiency in a few cases. Since few programs and some version of
GCC use and need 'trampolining', it is preferable to NOT enable this option to avoid break of some
program on the system. Say N here by pressing the [Enter] key.

Read-only kernel memory (CONFIG_GRKERNSEC_KMEM) [N/y/?] y

This Grsecurity option allows us to enable the read-only kernel memory protection on the
system. If you say Y here, root will not be able to modify the contents of kernel memory. It’s a
good idea to say Y here. If you are building a Monolithic Kernel, then the ability of an attacker to
insert foreign code into a running kernel is completely removed. Yes, another good idea to build a
Monolithic Kernel instead of a Modularized Kernel. Say Y here.

*
* Access Control Lists
*
Grsecurity ACL system (CONFIG_GRKERNSEC_ACL) [N/y/?] y
This Grsecurity option allows us to enable the Access Control List system (ACL) for
Grsecurity. It’s a good idea to say Y here. ACL allows us to better control what program, files,
etc on the system are allowed to do. We use it to apply a security policy that will work for the
entire system. You can install and run Grsecurity without ACL but it is recommended for
optimum security to enable this feature and use it. Once properly implemented, it will become
impossible for a cracker to access and damage your Linux server. Personally, with Grsecurity
ACL, I don’t know how someone could break into a Linux system. Say Y here.

ACL Debugging Messages (CONFIG_GR_DEBUG) [N/y/?] y

This Grsecurity option allows the Grsecurity ACL system to print debugging messages as
an aid to finding problems in your ACL sets. It’s really a good idea to say Y here since it can
become very difficult to debug problems with ACL if this option is not enable. Say Y here.

Extra ACL Debugging Messages (CONFIG_GR_SUPERDEBUG) [N/y/?] Press Enter

This Grsecurity option allows us to enable additional debugging messages that can help in
finding problems in ACL sets or to gain a better understanding of the internal workings of the ACL
system. In many cases, it is not necessary to enable this additional debugging messages feature
for ACL and we will say N here.

Denied capability logging (CONFIG_GRKERNSEC_ACL_CAPLOG) [N/y/?] y

This Grsecurity option allows us to enable the denied capability logging support protection with
ACL. If you say Y here, logs will be produced when a root-owned process does not have a
needed capability raised in his set. This can help to debug the ACL of Grsecurity again. It’s a
good idea to say Y here.

172
 Kernel Security & Optimization 0
CHAPTER 6

Path to gradm (CONFIG_GRADM_PATH) [/sbin/gradm] Press Enter

This Grsecurity option allows us to specify the path of the gradm binary installed on the
system. gradm is the binary program used to manage Grsecurity ACL on the server. You have
to download and install it to be able to use ACL on your server. Please read the next chapter in
this book to get information about gradm and how to setup Grsecurity ACL on your system.
The default path for gradm as shown above is correct and we press the [Enter] key to accept
the default value for the path.

Maximum tries before password lockout (CONFIG_GR_MAXTRIES) [3] 2

Once the gradm program is installed on your server to control and manage Grsecurity ACL,
you will have to create a password for gradm to work. This option allows us to specify the number
of times a user can attempt to authorize them selves with the Grsecurity ACL system. Here we
change the default value of 3 to become 2, meaning that users are allowed to authorize
themselves with the Grsecurity ACL system twice.

Time to wait after max password tries, in seconds (CONFIG_GR_TIMEOUT) [30]

Press Enter
This option specifies the time the user must wait after attempting to authorize to the ACL system
with the maximum number of invalid passwords. Just press [Enter] to accept the default entry.

*
* Filesystem Protections
*
Proc restrictions (CONFIG_GRKERNSEC_PROC) [N/y/?] y
This Grsecurity option allows us to enable the proc restrictions protection on the system. If you
say Y here, the permissions of the /proc file system will be altered to enhance system security
and privacy. It’s a very good idea to say Y here.

Restrict to user only (CONFIG_GRKERNSEC_PROC_USER) [N/y/?] y

This Grsecurity option allows us to enable restrict to user only protection on the system. If you
say Y here, non-root users will only be able to view their own processes, restricts them from
viewing network-related information, viewing kernel symbol and module information. It’s a very
good idea to say Y here.

Additional restrictions (CONFIG_GRKERNSEC_PROC_ADD) [N/y/?] y

This Grsecurity option allows us to enable additional restrictions protection on the system. If
you say Y here, additional restrictions will be placed on the /proc file system that keep normal
users from viewing cpu and device information. Again, it’s a good idea to say Y here.

Linking restrictions (CONFIG_GRKERNSEC_LINK) [N/y/?] y

This Grsecurity option allows us to enable the linking restrictions protection on the system. If
you say Y here, /tmp race exploits will be prevented, since users will no longer be able to follow
symlinks owned by other users in world-writeable +t directories, unless the owner of the symlink
is the owner of the directory. Users will also not be able to hard link to files they do not own. It’s
really a good idea to say Y here.

FIFO restrictions (CONFIG_GRKERNSEC_FIFO) [N/y/?] y

This Grsecurity option allows us to enable FIFO restrictions protection on the system. If you
say Y here, users will not be able to write to FIFOs they don't own in world-writeable +t
directories, unless the owner of the FIFO is the same owner of the directory it's held in. It’s a
good idea to say Y here.

173
 Kernel Security & Optimization 0
CHAPTER 6

Secure file descriptors (CONFIG_GRKERNSEC_FD) [N/y/?] y

This Grsecurity option allows us to enable secure file descriptors protection on the system. If
you say Y here, binaries will be protected from data spoofing attacks. It’s a very good idea to say
Y here.

Chroot jail restrictions (CONFIG_GRKERNSEC_CHROOT) [N/y/?] y

This Grsecurity option allows us to enable chroot jail restrictions protection on the system. If
you say Y here, you will be able to choose several options that will make breaking out of a
chrooted jail much more difficult. It’s a very good idea to say Y here.

Restricted signals (CONFIG_GRKERNSEC_CHROOT_SIG) [N/y/?] y

This Grsecurity option allows us to enable the restricted signals protection on the system. If
you say Y here, processes inside a chroot will not be able to send signals outside of the chroot.
It’s a good idea to say Y here.

Deny mounts (CONFIG_GRKERNSEC_CHROOT_MOUNT) [N/y/?] y

This Grsecurity option allows us to enable deny mounts protection on the system. If you say Y
here, processes inside a chroot will not be able to mount or remount file systems. It’s a good idea
to say Y here.

Deny double-chroots (CONFIG_GRKERNSEC_CHROOT_DOUBLE) [N/y/?] y

This Grsecurity option allows us to enable the deny double-chroot protection on the system. If
you say Y here, processes inside a chroot will not be able to chroot again. This is a widely used
method of breaking out of a chroot jail and should not be allowed. It’s a good idea to say Y here.

Enforce chdir("/") on all chroots (CONFIG_GRKERNSEC_CHROOT_CHDIR) [N/y/?] y

This Grsecurity option allows us to enable the enforce chdir("/") on all chroots protection
on the system. If you say Y here, the current working directory of all newly-chrooted applications
will be set to the root directory of the chroot. It’s a good idea to say Y here.

Deny (f)chmod +s (CONFIG_GRKERNSEC_CHROOT_CHMOD) [N/y/?] y

This Grsecurity option allows us to enable the deny (f)chmod +s protection on the system.
If you say Y here, processes inside a chroot will not be able to chmod or fchmod files to make
them have suid or sgid bits. It’s a really good idea to say Y here.

Deny mknod (CONFIG_GRKERNSEC_CHROOT_MKNOD) [N/y/?] y

This Grsecurity option allows us to enable the deny mknod protection on the system. If you
say Y here, processes inside a chroot will not be allowed to mknod (create device on the system).
It’s a good idea to say Y here, unless you run into software incompatibilities.

Deny ptraces (CONFIG_GRKERNSEC_CHROOT_PTRACE) [N/y/?] y

This Grsecurity option allows us to enable the deny ptraces protection on the system. If you
say Y here, processes inside a chroot will not be able to ptrace other processes. It’s a good idea
to say Y here.

Restrict priority changes (CONFIG_GRKERNSEC_CHROOT_NICE) [N/y/?] y

This Grsecurity option allows us to enable the restrict priority changes protection on the
system. If you say Y here, processes inside a chroot will not be able to raise the priority of
processes in the chroot, or alter the priority of processes outside the chroot. It’s a good idea to
say Y here.

174
 Kernel Security & Optimization 0
CHAPTER 6

Capability restrictions within chroot (CONFIG_GRKERNSEC_CHROOT_CAPS) [N/y/?]

Press Enter
This Grsecurity option allows us to enable the capability restrictions within chroot protection on
the system. If you say Y here, the capabilities on all root processes within a chroot jail will be
lowered to stop module insertion, raw i/o, system and net admin tasks, rebooting the system,
modifying immutable files, and changing the system time. This option can break some
applications on the server and we disable it by answering to the question by N.

Secure keymap loading (CONFIG_GRKERNSEC_KBMAP) [N/y/?] y

This Grsecurity option allows us to enable the secure keymap loading protection on the
system. If you say Y here, KDSKBENT and KDSKBSENT ioctl calls being called by unprivileged
users will be denied. This means that unprivileged users with access to the console will NOT be
able to modify keyboard bindings. It’s a good idea to say Y here.

*
* Kernel Auditing
*
Single group for auditing (CONFIG_GRKERNSEC_AUDIT_GROUP) [N/y/?] Press Enter
This Grsecurity option allows us to enable single group for auditing protection on the system. If
you say Y here, the exec, chdir, (un)mount, and ipc logging features of Grsecurity will
only operate on a group you specify. By default Grsecurity produces a large amount of logs
from the entire system on a production server; we don’t really need the entire auditing feature
provided by Grsecurity even on specified group. Therefore we simply say N to this question
and enable later in this Grsecurity kernel configuration the auditing log that we really need for
production servers.

Exec logging (CONFIG_GRKERNSEC_EXECLOG) [N/y/?] Press Enter

This Grsecurity option allows us to enable the exec logging protection on the system. If you
say Y here, execution of any program on the server will be logged to syslog. This option when
enabled will produce a LOT of logs, especially on an active system. Therefore, we don’t
recommend you to enable this security option. If you are those people that like to spend all their
time reading log files, you could enable this option but be aware that it will take you a day to read
all the logs generated by this option on a production server. Be reasonable, and say N here.

Log execs within chroot (CONFIG_GRKERNSEC_CHROOT_EXECLOG) [N/y/?] y

This Grsecurity option allows us to enable the log execs within chroot protection on the
system. If you say Y here, all executions of any program inside a chroot jail environment will be
logged to syslog. Contrary to the previous option that logs execution of any program on the
system, this option ONLY logs the execution of program inside a chroot jail. In general, services
running in chroot jail environment are limited, meaning that your log file will not become too BIG
to read; therefore we can say Y here to enable this security option on the server.

Chdir logging (CONFIG_GRKERNSEC_AUDIT_CHDIR) [N/y/?] Press Enter

This Grsecurity option allows us to enable the chdir logging protection on the system. If you
say Y here, all chdir() calls will be logged. Chdir() calls is when you navigate via your console
on your server by using the ‘cd’ command. Imagine how many times you use the ‘cd’ command
on your server when you performing some administration tasks. I recommend you to NOT enable
this option if you want to avoid some BIG log files to read again. Say N here.

(Un)Mount logging (CONFIG_GRKERNSEC_AUDIT_MOUNT) [N/y/?] Press Enter

This Grsecurity option allows us to enable the (Un)Mount logging protection on the system. If
you say Y here, all mounts and unmounts calls will be logged to syslog. This means that each
time you mount or unmount drive on your server; the action will be logged to syslog. You can
enable this security option if you like, but personally, I prefer to disable it. Say N here.

175
 Kernel Security & Optimization 0
CHAPTER 6

IPC logging (CONFIG_GRKERNSEC_AUDIT_IPC) [N/y/?] y

This Grsecurity option allows us to enable the IPC logging protection on the system. If you say
Y here, creation and removal of message queues, semaphores, and shared memory will be
logged. It’s a good idea to say Y here.

Ptrace logging (CONFIG_GRKERNSEC_AUDIT_PTRACE) [N/y/?] Press Enter

This Grsecurity option allows us to enable the ptrace logging protection on the system. If you
say Y here, all successful ptraces will be logged. Ptraces are special operations performed
when programs like strace or gdb are run. In general we never install programs like strace
and gdb on a production server. These programs are only required on development server to
debug software. If you don’t have these kinds of programs installed on your server, you can
safety say N here, otherwise say Y to this security option.

Signal logging (CONFIG_GRKERNSEC_SIGNAL) [N/y/?] y

This Grsecurity option allows us to enable the signal logging protection on the system. If you
say Y here, certain important signals will be logged, such as SIGSEGV that will inform you of
when an error in a program occurred, which in some cases could mean a possible exploit
attempt. It’s a good idea to say Y here.

Fork failure logging (CONFIG_GRKERNSEC_FORKFAIL) [N/y/?] y

This Grsecurity option allows us to enable the fork failure logging protection on the system. If
you say Y here, all failed fork() attempts will be logged. This could suggest a fork bomb, or
someone attempting to overstep their process limit. It’s a good idea to say Y here.

Set*id logging (CONFIG_GRKERNSEC_SUID) [N/y/?] Press Enter

This Grsecurity option allows us to enable the set*id logging protection on the system. If you
say Y here, all set*id() calls will be logged. Enabling this security option could produce a lot of
logs on an active system that run some services that use set*id() calls to operate. Mailman,
Exim, Sendmail are known to software that uses many set*id() calls. Also, we already have
other security programs doing the same job like sXid, therefore we don’t really need to enable
this option. It is your’s to decide if you really need it or not. Personally, I disable this option by
saying N here and use sXid to achieve the same result.

Log set*ids to root (CONFIG_GRKERNSEC_SUID_ROOT) [N/y/?] y

This Grsecurity option allows us to enable the log set*ids to root protection on the system. If
you say Y here, only set*id() calls where a user is changing to the GID or UID of the root user
will be logged. Such information could be useful when detecting a possible intrusion attempt. This
option will produce smaller logs than logging all calls; therefore it’s a good idea to say Y here.

Time change logging (CONFIG_GRKERNSEC_TIME) [N/y/?] y

This Grsecurity option allows us to enable the time change logging protection on the system. If
you say Y here, any changes of the system clock will be logged. It’s a good idea to say Y here.

*
* Executable Protections
*
Exec process limiting (CONFIG_GRKERNSEC_EXECVE) [N/y/?] y
This Grsecurity option allows us to enable the exec process limiting protection on the system.
If you say Y here, users with a resource limit on processes will have the value checked during
execve() calls (execution of program). It’s really a good idea to say Y here.

176
 Kernel Security & Optimization 0
CHAPTER 6

Dmesg(8) restriction (CONFIG_GRKERNSEC_DMESG) [N/y/?] y

This Grsecurity option allows us to enable the dmesg restriction protection on the system. If
you say Y here, non-root users will not be able to use dmesg(8) to view up to the last 4kb of
messages in the kernel's log buffer. Again, it’s really a good idea to say Y here.

Randomized PIDs (CONFIG_GRKERNSEC_RANDPID) [N/y/?] y

This Grsecurity option allows us to enable the randomized PIDs protection on the system. If
you say Y here, all PIDs created on the system will be pseudo-randomly generated. This is
extremely effective to disallow an attacker from guessing pids of daemons, etc. It’s a good idea to
say Y here.

Altered default IPC permissions (CONFIG_GRKERNSEC_IPC) [N/y/?] Press Enter

This Grsecurity option allows us to enable the altered default IPC permissions protection on
the system. If you say Y here, the default permissions for IPC objects will be set based on the file
system umask of the user creating the object. This is a good security feature but unfortunately, it
is known to break software like Apache. Therefore we say N here.

Limit uid/gid changes to root (CONFIG_GRKERNSEC_TTYROOT) [N/y/?] y

This Grsecurity option allows us to enable the limit UID/GID changes to root protection on the
system. If you say Y here, you will be able choose from three options that will allow you to restrict
access to the root account by console type. Therefore we say Y here.

Deny physical consoles (tty) (CONFIG_GRKERNSEC_TTYROOT_PHYS) [N/y/?] Press

Enter
This Grsecurity option allows us to enable the deny physical consoles (tty) protection on the
system. If you say Y here, access to root from physical consoles will be denied. This is only
recommended for rare cases where you will never need to be physically at the machine. For most
of us, this is not the case and we have to say N here.

Deny serial consoles (ttyS) (CONFIG_GRKERNSEC_TTYROOT_SERIAL) [N/y/?] y

This Grsecurity option allows us to enable deny serial consoles (ttyS) protection on the
system. If you say Y here, access to root from serial consoles will be denied. Most people can say
Y here, since most don't use serial devices for their console access.

Deny pseudo consoles (pty) (CONFIG_GRKERNSEC_TTYROOT_PSEUDO) [N/y/?] Press

Enter
This Grsecurity option allows us to enable the deny pseudo consoles (pty) protection on the
system. If you say Y here, access to root from pseudo consoles will be denied. Pseudo consoles
include consoles from telnet, ssh, or any other kind of interactive shell initiated from the
network. In general, most of us use at least SSH to make a remote connection. Therefore we
have to say N here, if we want to continue to use SSH for secure remote connection.

Fork-bomb protection (CONFIG_GRKERNSEC_FORKBOMB) [N/y/?] y

This Grsecurity option allows us to enable fork-bomb protection on the system. If you say Y
here, you will be able to configure a group to add to users on your system that you want to be
unable to fork-bomb the system. It’s a good idea to say Y here and chose in the next security
option the GID to run this protection with.

GID for restricted users (CONFIG_GRKERNSEC_FORKBOMB_GID) [1006] Press Enter

This Grsecurity option allows us to enable the GID for restricted users’ protection on the
system. Here we have to enter a GID number as the value, the default value is 1006 and we can
keep it by pressing the [Enter] key. It is important to note that this GID should be added to any
user for which the feature should be activated. See the next chapter of this book for more
information about the procedures to follow. At this time you only need to accept the default value.

177
 Kernel Security & Optimization 0
CHAPTER 6

Forks allowed per second (CONFIG_GRKERNSEC_FORKBOMB_SEC) [40] Press Enter

This Grsecurity option allows us to enable the forks allowed per second protection on the
system. This option is a continuation of the above forks options, here we have to enter the
maximum number of forks allowed per second, and the default setting should be fine for most
users.

Maximum processes allowed (CONFIG_GRKERNSEC_FORKBOMB_MAX) [20] 35

This Grsecurity option allows us to enable the maximum processes allowed on the system.
Here we have to enter the maximum number of processes users in the fork-bomb protected
group can run. We change the default value of 20 to become 35. 35 is the number you have set
into the /etc/security/limit.conf file. Please see what is set into your limit.conf file
and report it here. In general, 35 is a good value to go with.

Trusted path execution (CONFIG_GRKERNSEC_TPE) [N/y/?] y

This Grsecurity option allows us to enable trusted path execution protection on the system. If
you say Y here, you will be able to choose a GID to add to the supplementary groups of users
you want to mark as "untrusted." These users will not be able to execute any files that are not in
root-owned directories writeable only by root. It’s a good idea to say Y here.

Glibc protection (CONFIG_GRKERNSEC_TPE_GLIBC) [N/y/?] y

This Grsecurity option allows us to enable the glibc protection on the system. If you say Y
here, all non-root users executing any files while glibc specific environment variables such as
LD_PRELOAD are set, will have their environment cleared of these variables, since they could be
used to evade the trusted path execution protection. It also protects against evasion through
executing the dynamic linker to run a rogue binary. It is highly recommended you say Y here.

Partially restrict non-root users (CONFIG_GRKERNSEC_TPE_ALL) [N/y/?] y

This Grsecurity option allows us to enable the partially restrict non-root users protection on the
system. If you say Y here, All non-root users other than the ones in the group specified in the
main TPE option will only be allowed to execute files in directories they own that are not group or
world-writeable, or in directories owned by root and writeable only by root. It’s a good idea to say
Y here.

GID for untrusted users: (CONFIG_GRKERNSEC_TPE_GID) [1005] Press Enter

This Grsecurity option allows us to enable the GID for untrusted user’s protection on the
system. Here we have to enter a GID number as the value, the default value is 1005 and we can
keep it by pressing the [Enter] key. It is important to note that this GID should be added to any
user for which the feature should be activated. See the next chapter of this book for more
information about the procedures to follow. At this time you only need to accept the default value.

Restricted ptrace (CONFIG_GRKERNSEC_PTRACE) [N/y/?] y

This Grsecurity option allows us to enable the restricted ptrace protection on the system. If
you say Y here, no one but root will be able to ptrace processes. Tracing syscalls inside the
kernel will also be disabled. It’s a good idea to say Y here.

Allow ptrace for group (CONFIG_GRKERNSEC_PTRACE_GROUP) [N/y/?] Press Enter

This Grsecurity option allows us to enable the allow ptrace for group protection on the system.
If you say Y here, you will be able to choose a GID of users will be able to ptrace. Remember
that ptraces are special operations performed when programs like strace or gdb are run for
debugging purpose. Since these kind of program should in general be run on development server
and by a root user only, we can safety say N here.

178
 Kernel Security & Optimization 0
CHAPTER 6

*
* Network Protections
*
Randomized IP IDs (CONFIG_GRKERNSEC_RANDID) [N/y/?] y
This Grsecurity option allows us to enable the allow randomized IP IDs protection on the
system. If you say Y here, the entire ID field on all outgoing packets will be randomized. This
hinders OS fingerprinters and keeps your machine from being used as a bounce for an
untraceable portscan. It’s a good idea to say Y here.

Randomized TCP source ports (CONFIG_GRKERNSEC_RANDSRC) [N/y/?] y

This Grsecurity option allows us to enable the randomized TCP source ports protection on the
system. If you say Y here, situations where a source port is generated on the fly for the TCP
protocol (ie. with connect() ) will be altered so that the source port is generated at random,
instead of a simple incrementing algorithm. It’s a good idea to say Y here.

Randomized RPC XIDs (CONFIG_GRKERNSEC_RANDRPC) [N/y/?] y

This Grsecurity option allows us to enable the randomized RPC XIDs protection on the
system. If you say Y here, the method of determining XIDs for RPC requests will be randomized,
instead of using linux's default behavior of simply incrementing the XID. This allows us to have a
more secure RPC connection on the system. It’s a good idea to say Y here.

Altered Ping IDs (CONFIG_GRKERNSEC_RANDPING) [N/y/?] y

This Grsecurity option allows us to enable the altered Ping IDs protection on the system. If you
say Y here, the way Linux handles echo replies will be changed so that the reply uses an ID equal
to the ID of the echo request. This will help in confusing OS detection. It’s a good idea to say Y
here.

Randomized TTL (CONFIG_GRKERNSEC_RANDTTL) [N/y/?] y

This Grsecurity option allows us to enable the randomized TTL protection on the system. If
you say Y here, your TTL (time to live) for packets will be set at random, with a base of the
sysctl ttl default, to further confuse OS detection. It’s a good idea to say Y here.

Socket restrictions (CONFIG_GRKERNSEC_SOCKET) [N/y/?] y

This Grsecurity option allows us to enable the socket restrictions protection on the system. If
you say Y here, you will be able to choose from three options related to socket protection on the
server. From these three available security options, you’ll have to choose the one that best fits
your requirements. Therefore, it’s a good idea to say Y here since we have to choose one of the
three available security options for our needs.

Deny any sockets to group (CONFIG_GRKERNSEC_SOCKET_ALL) [N/y/?] y

This Grsecurity option allows us to enable the socket restrictions protection on the system. If
you say Y here, you will be able to choose a GID of whose users will be unable to connect to
other hosts from your machine or run server applications from your machine. This is the security
option that we’ll choose. Say Y here.

GID to deny all sockets for: (CONFIG_GRKERNSEC_SOCKET_ALL_GID) [1004] Press

Enter
This Grsecurity option allows us to enable the GID to deny all sockets protection on the
system. Here we have to enter a GID number as the value, the default value is 1004 and we can
keep it by pressing the [Enter] key. It is important to note that this GID should be added to any
user for which the feature should be activated. See the next chapter of this book for more
information about the procedures to follow. At this time you only need to accept the default value.

179
 Kernel Security & Optimization 0
CHAPTER 6

Deny client sockets to group (CONFIG_GRKERNSEC_SOCKET_CLIENT) [N/y/?] Press

Enter
This Grsecurity option allows us to enable the deny client sockets to group protection on the
system. If you say Y here, you will be able to choose a GID of whose users will be unable to
connect to other hosts from your machine, but will be able to run servers. We have already
chosen the above option that enables socket protection on both ways (users cannot connect to
other hosts or run server applications from our machine), therefore we don’t need to say Y here.
Say N here.

Deny server sockets to group (CONFIG_GRKERNSEC_SOCKET_SERVER) [N/y/?] Press

Enter
This Grsecurity option allows us to enable the deny server sockets to group protection on the
system. If you say Y here, you will be able to choose a GID of whose users will be unable to run
server applications from your machine. As for the above option, we already have chosen the first
option that enable socket protection on both way (users cannot connect to other hosts or run
server applications from our machine), therefore we don’t need to say Y here. Say N here.

*
* Sysctl support
*
Sysctl support (CONFIG_GRKERNSEC_SYSCTL) [N/y/?] Press Enter
This Grsecurity option allows us to enable Grsecurity sysctl support protection on the
system. If you say Y here, you will be able to change the options that Grsecurity runs with at
bootup, without having to recompile your kernel. You can echo values to files in
/proc/sys/kernel/grsecurity to enable (1) or disable (0) various features. Enabling this
option will reduce the effectiveness of the added security of the Grsecurity patch, therefore we
say N here.

*
* Miscellaneous Features
*
Seconds in between log messages(minimum) (CONFIG_GRKERNSEC_FLOODTIME) [30]
Press Enter
This Grsecurity option allows us to enable the seconds in between log messages protection
on the system. This option allows you to enforce the number of seconds between Grsecurity
log messages. The default should be suitable for most people. Just press the [Enter] key here
to accept the default value.

BSD-style coredumps (CONFIG_GRKERNSEC_COREDUMP) [N/y/?] y

This Grsecurity option allows us to enable the BSD-style coredumps protection on the
system. If you say Y here, Linux will use a style similar to BSD for coredumps, core.processname.
Not a security feature, just a useful one. Say Y here.

*** End of Linux kernel configuration.

*** Check the top-level Makefile for additional configuration.
*** Next, you must run 'make dep'.

180
 Kernel Security & Optimization 0
CHAPTER 6

Modularized kernel configuration

Building kernel with modules (Modularized kernel) has some advantages. It allows easy
portability between different Linux systems, since you can choose and build different parts of the
kernel as a module and load that segment of code on demand. Below we show you the
configuration of Modularized kernel, which is to compile some needed codes and drivers as
a module into the kernel by answering the different questions using y, n or m. As for the previous
Monolithic kernel configuration, don’t forget to only compile code that you need and use.

A new kernel is very specific to your computer hardware, in the Modularized kernel
configuration part below; we assume the following hardware for our example. Of course you must
change them to fit your system components.

1 Pentium-III 667 MHz (i686) processor

1 Motherboard Asus P3V4X Pro 133Mhz EIDE
1 Hard Disk Ultra ATA/100 EIDE
1 Chipset Apollo Pro133A
1 CD-ROM ATAPI IDE
1 Floppy Disk
2 Ethernet Cards 3COM 3c597 PCI 10/100
1 Mouse PS/2

If you don’t want some options listed in the Modularized kernel configuration that I enable by
default, answer n (for no) instead of y (for yes) or m (for modularized if possible) to the related
questions. If you want some other options that I disable, then answer y or m instead of n.

rm -f include/asm
( cd include ; ln -sf asm-i386 asm)
/bin/sh scripts/Configure arch/i386/config.in
#
# Using defaults found in arch/i386/defconfig
#
*
* Code maturity level options
*
Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [N/y/?] Press
Enter
*
* Loadable module support
*
Enable loadable module support (CONFIG_MODULES) [Y/n/?] Press Enter
Set version information on all module symbols (CONFIG_MODVERSIONS) [Y/n/?] n
Kernel module loader (CONFIG_KMOD) [Y/n/?] Press Enter
*
* Processor type and features
*
Processor family (386, 486, 586/K5/5x86/6x86/6x86MX, Pentium-Classic, Pentium-MMX,
Pentium-Pro/Celeron/Pentium-II, Pentium-III/Celeron(Coppermine), Pentium-4, K6/K6-II/K6-
III, Athlon/Duron/K7, Elan, Crusoe, Winchip-C6, Winchip-2, Winchip-2A/Winchip-3,
CyrixIII/C3) [Pentium-III/Celeron(Coppermine)] Press Enter
Toshiba Laptop support (CONFIG_TOSHIBA) [N/y/m/?] Press Enter
Dell laptop support (CONFIG_I8K) [N/y/m/?] Press Enter
/dev/cpu/microcode - Intel IA32 CPU microcode support (CONFIG_MICROCODE) [N/y/m/?] m
/dev/cpu/*/msr - Model-specific register support (CONFIG_X86_MSR) [N/y/m/?] m
/dev/cpu/*/cpuid - CPU information support (CONFIG_X86_CPUID) [N/y/m/?] m
High Memory Support (off, 4GB, 64GB) [off] Press Enter
Math emulation (CONFIG_MATH_EMULATION) [N/y/?] Press Enter
MTRR (Memory Type Range Register) support (CONFIG_MTRR) [N/y/?] Press Enter
Symmetric multi-processing support (CONFIG_SMP) [Y/n/?] n
Local APIC support on uniprocessors (CONFIG_X86_UP_APIC) [N/y/?] (NEW) y
IO-APIC support on uniprocessors (CONFIG_X86_UP_IOAPIC) [N/y/?] (NEW) y
*
* General setup

181
 Kernel Security & Optimization 0
CHAPTER 6

*
Networking support (CONFIG_NET) [Y/n/?] Press Enter
PCI support (CONFIG_PCI) [Y/n/?] Press Enter
PCI access mode (BIOS, Direct, Any) [Any] Press Enter
PCI device name database (CONFIG_PCI_NAMES) [Y/n/?] n
EISA support (CONFIG_EISA) [N/y/?] Press Enter
MCA support (CONFIG_MCA) [N/y/?] Press Enter
Support for hot-pluggable devices (CONFIG_HOTPLUG) [Y/n/?] n
System V IPC (CONFIG_SYSVIPC) [Y/n/?] Press Enter
BSD Process Accounting (CONFIG_BSD_PROCESS_ACCT) [N/y/?] Press Enter
Sysctl support (CONFIG_SYSCTL) [Y/n/?] Press Enter
Kernel core (/proc/kcore) format (ELF, A.OUT) [ELF] Press Enter
Kernel support for a.out binaries (CONFIG_BINFMT_AOUT) [Y/m/n/?] m
Kernel support for ELF binaries (CONFIG_BINFMT_ELF) [Y/m/n/?] Press Enter
Kernel support for MISC binaries (CONFIG_BINFMT_MISC) [Y/m/n/?] m
Power Management support (CONFIG_PM) [Y/n/?] n
*
* Memory Technology Devices (MTD)
*
Memory Technology Device (MTD) support (CONFIG_MTD) [N/y/m/?] Press Enter
*
* Parallel port support
*
Parallel port support (CONFIG_PARPORT) [N/y/m/?] Press Enter
*
* Plug and Play configuration
*
Plug and Play support (CONFIG_PNP) [Y/m/n/?] n
*
* Block devices
*
Normal PC floppy disk support (CONFIG_BLK_DEV_FD) [Y/m/n/?] Press Enter
XT hard disk support (CONFIG_BLK_DEV_XD) [N/y/m/?] Press Enter
Compaq SMART2 support (CONFIG_BLK_CPQ_DA) [N/y/m/?] Press Enter
Compaq Smart Array 5xxx support (CONFIG_BLK_CPQ_CISS_DA) [N/y/m/?] Press Enter
Mylex DAC960/DAC1100 PCI RAID Controller support (CONFIG_BLK_DEV_DAC960) [N/y/m/?] Press
Enter
Loopback device support (CONFIG_BLK_DEV_LOOP) [N/y/m/?] Press Enter
Network block device support (CONFIG_BLK_DEV_NBD) [N/y/m/?] Press Enter
RAM disk support (CONFIG_BLK_DEV_RAM) [N/y/m/?] Press Enter
*
* Multi-device support (RAID and LVM)
*
Multiple devices driver support (RAID and LVM) (CONFIG_MD) [N/y/?] Press Enter
*
* Networking options
*
Packet socket (CONFIG_PACKET) [Y/m/n/?] Press Enter
Packet socket: mmapped IO (CONFIG_PACKET_MMAP) [N/y/?] y
Netlink device emulation (CONFIG_NETLINK_DEV) [N/y/m/?] (NEW) m
Network packet filtering (replaces ipchains) (CONFIG_NETFILTER) [N/y/?] y
Network packet filtering debugging (CONFIG_NETFILTER_DEBUG) [N/y/?] (NEW) y
Socket Filtering (CONFIG_FILTER) [N/y/?] Press Enter
Unix domain sockets (CONFIG_UNIX) [Y/m/n/?] Press Enter
TCP/IP networking (CONFIG_INET) [Y/n/?] Press Enter
IP: multicasting (CONFIG_IP_MULTICAST) [Y/n/?] n
IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [N/y/?] Press Enter
IP: kernel level autoconfiguration (CONFIG_IP_PNP) [N/y/?] Press Enter
IP: tunneling (CONFIG_NET_IPIP) [N/y/m/?] Press Enter
IP: GRE tunnels over IP (CONFIG_NET_IPGRE) [N/y/m/?] Press Enter
IP: TCP Explicit Congestion Notification support (CONFIG_INET_ECN) [N/y/?] Press Enter
IP: TCP syncookie support (disabled default) (CONFIG_SYN_COOKIES) [N/y/?] y
*
* IP: Netfilter Configuration
*
Connection tracking (required for masq/NAT) (CONFIG_IP_NF_CONNTRACK) [N/y/m/?] (NEW) m
FTP protocol support (CONFIG_IP_NF_FTP) [N/m/?] (NEW) m
IRC protocol support (CONFIG_IP_NF_IRC) [N/m/?] (NEW) m
IP tables support (required for filtering/masq/NAT) (CONFIG_IP_NF_IPTABLES) [N/y/m/?]
(NEW) m
limit match support (CONFIG_IP_NF_MATCH_LIMIT) [N/m/?] (NEW) m

182
 Kernel Security & Optimization 0
CHAPTER 6

MAC address match support (CONFIG_IP_NF_MATCH_MAC) [N/m/?] (NEW) m

netfilter MARK match support (CONFIG_IP_NF_MATCH_MARK) [N/m/?] (NEW) m
Multiple port match support (CONFIG_IP_NF_MATCH_MULTIPORT) [N/m/?] (NEW) m
TOS match support (CONFIG_IP_NF_MATCH_TOS) [N/m/?] (NEW) m
AH/ESP match support (CONFIG_IP_NF_MATCH_AH_ESP) [N/m/?] (NEW) m
LENGTH match support (CONFIG_IP_NF_MATCH_LENGTH) [N/m/?] (NEW) m
TTL match support (CONFIG_IP_NF_MATCH_TTL) [N/m/?] (NEW) m
tcpmss match support (CONFIG_IP_NF_MATCH_TCPMSS) [N/m/?] (NEW) m
Connection state match support (CONFIG_IP_NF_MATCH_STATE) [N/m/?] (NEW) m
Packet filtering (CONFIG_IP_NF_FILTER) [N/m/?] (NEW) m
REJECT target support (CONFIG_IP_NF_TARGET_REJECT) [N/m/?] (NEW) m
Full NAT (CONFIG_IP_NF_NAT) [N/m/?] (NEW) m
MASQUERADE target support (CONFIG_IP_NF_TARGET_MASQUERADE) [N/m/?] (NEW) m
REDIRECT target support (CONFIG_IP_NF_TARGET_REDIRECT) [N/m/?] (NEW) m
Packet mangling (CONFIG_IP_NF_MANGLE) [N/m/?] (NEW) m
TOS target support (CONFIG_IP_NF_TARGET_TOS) [N/m/?] (NEW) m
MARK target support (CONFIG_IP_NF_TARGET_MARK) [N/m/?] (NEW) m
LOG target support (CONFIG_IP_NF_TARGET_LOG) [N/m/?] (NEW) m
TCPMSS target support (CONFIG_IP_NF_TARGET_TCPMSS) [N/m/?] (NEW) m
ipchains (2.2-style) support (CONFIG_IP_NF_COMPAT_IPCHAINS) [N/y/m/?] (NEW) Press Enter
ipfwadm (2.0-style) support (CONFIG_IP_NF_COMPAT_IPFWADM) [N/y/m/?] (NEW) Press Enter
*
*
*
The IPX protocol (CONFIG_IPX) [N/y/m/?] Press Enter
Appletalk protocol support (CONFIG_ATALK) [N/y/m/?] Press Enter
DECnet Support (CONFIG_DECNET) [N/y/m/?] Press Enter
802.1d Ethernet Bridging (CONFIG_BRIDGE) [N/y/m/?] Press Enter
*
* QoS and/or fair queueing
*
QoS and/or fair queueing (CONFIG_NET_SCHED) [N/y/?] Press Enter
*
* Telephony Support
*
Linux telephony support (CONFIG_PHONE) [N/y/m/?] Press Enter
*
* ATA/IDE/MFM/RLL support
*
ATA/IDE/MFM/RLL support (CONFIG_IDE) [Y/m/n/?] Press Enter
*
* IDE, ATA and ATAPI Block devices
*
Enhanced IDE/MFM/RLL disk/cdrom/tape/floppy support (CONFIG_BLK_DEV_IDE) [Y/m/n/?] Press
Enter
*
* Please see Documentation/ide.txt for help/info on IDE drives
*
Use old disk-only driver on primary interface (CONFIG_BLK_DEV_HD_IDE) [N/y/?] Press
Enter
Include IDE/ATA-2 DISK support (CONFIG_BLK_DEV_IDEDISK) [Y/m/n/?] Press Enter
Use multi-mode by default (CONFIG_IDEDISK_MULTI_MODE) [Y/n/?] n
Include IDE/ATAPI CDROM support (CONFIG_BLK_DEV_IDECD) [Y/m/n/?] Press Enter
Include IDE/ATAPI TAPE support (CONFIG_BLK_DEV_IDETAPE) [N/y/m/?] Press Enter
Include IDE/ATAPI FLOPPY support (CONFIG_BLK_DEV_IDEFLOPPY) [N/y/m/?] Press Enter
SCSI emulation support (CONFIG_BLK_DEV_IDESCSI) [N/y/m/?] Press Enter
*
* IDE chipset support/bugfixes
*
CMD640 chipset bugfix/support (CONFIG_BLK_DEV_CMD640) [Y/n/?] n
RZ1000 chipset bugfix/support (CONFIG_BLK_DEV_RZ1000) [Y/n/?] n
Generic PCI IDE chipset support (CONFIG_BLK_DEV_IDEPCI) [Y/n/?] Press Enter
Sharing PCI IDE interrupts support (CONFIG_IDEPCI_SHARE_IRQ) [Y/n/?] Press Enter
Generic PCI bus-master DMA support (CONFIG_BLK_DEV_IDEDMA_PCI) [Y/n/?] Press Enter
Boot off-board chipsets first support (CONFIG_BLK_DEV_OFFBOARD) [N/y/?] Press Enter
Use PCI DMA by default when available (CONFIG_IDEDMA_PCI_AUTO) [Y/n/?] Press Enter
AEC62XX chipset support (CONFIG_BLK_DEV_AEC62XX) [N/y/?] Press Enter
ALI M15x3 chipset support (CONFIG_BLK_DEV_ALI15X3) [N/y/?] Press Enter
AMD Viper support (CONFIG_BLK_DEV_AMD74XX) [N/y/?] Press Enter
CMD64X chipset support (CONFIG_BLK_DEV_CMD64X) [N/y/?] Press Enter
CY82C693 chipset support (CONFIG_BLK_DEV_CY82C693) [N/y/?] Press Enter

183
 Kernel Security & Optimization 0
CHAPTER 6

Cyrix CS5530 MediaGX chipset support (CONFIG_BLK_DEV_CS5530) [N/y/?] Press Enter

HPT34X chipset support (CONFIG_BLK_DEV_HPT34X) [N/y/?] Press Enter
HPT366 chipset support (CONFIG_BLK_DEV_HPT366) [N/y/?] Press Enter
Intel PIIXn chipsets support (CONFIG_BLK_DEV_PIIX) [Y/n/?] Press Enter
PIIXn Tuning support (CONFIG_PIIX_TUNING) [Y/n/?] Press Enter
NS87415 chipset support (EXPERIMENTAL) (CONFIG_BLK_DEV_NS87415) [N/y/?] Press Enter
PROMISE PDC202{46|62|65|67|68} support (CONFIG_BLK_DEV_PDC202XX) [N/y/?] Press Enter
ServerWorks OSB4/CSB5 chipsets support (CONFIG_BLK_DEV_SVWKS) [N/y/?] Press Enter
SiS5513 chipset support (CONFIG_BLK_DEV_SIS5513) [N/y/?] Press Enter
SLC90E66 chipset support (CONFIG_BLK_DEV_SLC90E66) [N/y/?] Press Enter
Tekram TRM290 chipset support (EXPERIMENTAL) (CONFIG_BLK_DEV_TRM290) [N/y/?] Press
Enter
VIA82CXXX chipset support (CONFIG_BLK_DEV_VIA82CXXX) [N/y/?] y
Other IDE chipset support (CONFIG_IDE_CHIPSETS) [N/y/?] Press Enter
IGNORE word93 Validation BITS (CONFIG_IDEDMA_IVB) [N/y/?] Press Enter
*
* SCSI support
*
SCSI support (CONFIG_SCSI) [Y/m/n/?] n
*
* Fusion MPT device support
*
*
* I2O device support
*
I2O support (CONFIG_I2O) [N/y/m/?] Press Enter
*
* Network device support
*
Network device support (CONFIG_NETDEVICES) [Y/n/?] Press Enter
*
* ARCnet devices
*
ARCnet support (CONFIG_ARCNET) [N/y/m/?] Press Enter
Dummy net driver support (CONFIG_DUMMY) [M/n/y/?] Press Enter
Bonding driver support (CONFIG_BONDING) [N/y/m/?] Press Enter
EQL (serial line load balancing) support (CONFIG_EQUALIZER) [N/y/m/?] Press Enter
Universal TUN/TAP device driver support (CONFIG_TUN) [N/y/m/?] Press Enter
*
* Ethernet (10 or 100Mbit)
*
Ethernet (10 or 100Mbit) (CONFIG_NET_ETHERNET) [Y/n/?] Press Enter
Sun Happy Meal 10/100baseT support (CONFIG_HAPPYMEAL) [N/y/m/?] Press Enter
Sun GEM support (CONFIG_SUNGEM) [N/y/m/?] Press Enter
3COM cards (CONFIG_NET_VENDOR_3COM) [N/y/?] y
3c501 "EtherLink" support (CONFIG_EL1) [N/y/m/?] (NEW) Press Enter
3c503 "EtherLink II" support (CONFIG_EL2) [N/y/m/?] (NEW) Press Enter
3c505 "EtherLink Plus" support (CONFIG_ELPLUS) [N/y/m/?] (NEW) Press Enter
3c509/3c529 (MCA)/3c579 "EtherLink III" support (CONFIG_EL3) [N/y/m/?] (NEW) Press
Enter
3c515 ISA "Fast EtherLink" (CONFIG_3C515) [N/y/m/?] (NEW) Press Enter
3c590/3c900 series (592/595/597) "Vortex/Boomerang" support (CONFIG_VORTEX) [N/y/m/?]
(NEW) y
AMD LANCE and PCnet (AT1500 and NE2100) support (CONFIG_LANCE) [N/y/m/?] Press Enter
Western Digital/SMC cards (CONFIG_NET_VENDOR_SMC) [N/y/?] Press Enter
Racal-Interlan (Micom) NI cards (CONFIG_NET_VENDOR_RACAL) [N/y/?] Press Enter
DEPCA, DE10x, DE200, DE201, DE202, DE422 support (CONFIG_DEPCA) [N/y/m/?] Press Enter
HP 10/100VG PCLAN (ISA, EISA, PCI) support (CONFIG_HP100) [N/y/m/?] Press Enter
Other ISA cards (CONFIG_NET_ISA) [N/y/?] Press Enter
EISA, VLB, PCI and on board controllers (CONFIG_NET_PCI) [Y/n/?] n
Pocket and portable adapters (CONFIG_NET_POCKET) [N/y/?] Press Enter
*
* Ethernet (1000 Mbit)
*
Alteon AceNIC/3Com 3C985/NetGear GA620 Gigabit support (CONFIG_ACENIC) [N/y/m/?] Press
Enter
D-Link DL2000-based Gigabit Ethernet support (CONFIG_DL2K) [N/y/m/?] Press Enter
National Semiconduct DP83820 support (CONFIG_NS83820) [N/y/m/?] Press Enter
Packet Engines Hamachi GNIC-II support (CONFIG_HAMACHI) [N/y/m/?] Press Enter
SysKonnect SK-98xx support (CONFIG_SK98LIN) [N/y/m/?] Press Enter
FDDI driver support (CONFIG_FDDI) [N/y/?] Press Enter

184
 Kernel Security & Optimization 0
CHAPTER 6

PPP (point-to-point protocol) support (CONFIG_PPP) [N/y/m/?] Press Enter

SLIP (serial line) support (CONFIG_SLIP) [N/y/m/?] Press Enter
*
* Wireless LAN (non-hamradio)
*
Wireless LAN (non-hamradio) (CONFIG_NET_RADIO) [N/y/?] Press Enter
*
* Token Ring devices
*
Token Ring driver support (CONFIG_TR) [N/y/?] Press Enter
Fibre Channel driver support (CONFIG_NET_FC) [N/y/?] Press Enter
*
* Wan interfaces
*
Wan interfaces support (CONFIG_WAN) [N/y/?] Press Enter
*
* Amateur Radio support
*
Amateur Radio support (CONFIG_HAMRADIO) [N/y/?] Press Enter
*
* IrDA (infrared) support
*
IrDA subsystem support (CONFIG_IRDA) [N/y/m/?] Press Enter
*
* ISDN subsystem
*
ISDN support (CONFIG_ISDN) [N/y/m/?] Press Enter
*
* Old CD-ROM drivers (not SCSI, not IDE)
*
Support non-SCSI/IDE/ATAPI CDROM drives (CONFIG_CD_NO_IDESCSI) [N/y/?] Press Enter
*
* Input core support
*
Input core support (CONFIG_INPUT) [N/y/m/?] Press Enter
*
* Character devices
*
Virtual terminal (CONFIG_VT) [Y/n/?] Press Enter
Support for console on virtual terminal (CONFIG_VT_CONSOLE) [Y/n/?] Press Enter
Standard/generic (8250/16550 and compatible UARTs) serial support (CONFIG_SERIAL)
[Y/m/n/?] Press Enter
Support for console on serial port (CONFIG_SERIAL_CONSOLE) [N/y/?] Press Enter
Extended dumb serial driver options (CONFIG_SERIAL_EXTENDED) [N/y/?] Press Enter
Non-standard serial port support (CONFIG_SERIAL_NONSTANDARD) [N/y/?] Press Enter
Unix98 PTY support (CONFIG_UNIX98_PTYS) [Y/n/?] Press Enter
Maximum number of Unix98 PTYs in use (0-2048) (CONFIG_UNIX98_PTY_COUNT) [256] 128
*
* I2C support
*
I2C support (CONFIG_I2C) [N/y/m/?] Press Enter
*
* Mice
*
Bus Mouse Support (CONFIG_BUSMOUSE) [N/y/m/?] Press Enter
Mouse Support (not serial and bus mice) (CONFIG_MOUSE) [Y/m/n/?] n
*
* Joysticks
*
*
* Input core support is needed for gameports
*
*
* Input core support is needed for joysticks
*
QIC-02 tape support (CONFIG_QIC02_TAPE) [N/y/m/?] Press Enter
*
* Watchdog Cards
*
Watchdog Timer Support (CONFIG_WATCHDOG) [N/y/?] Press Enter
Intel i8x0 Random Number Generator support (CONFIG_INTEL_RNG) [N/y/m/?] Press Enter

185
 Kernel Security & Optimization 0
CHAPTER 6

/dev/nvram support (CONFIG_NVRAM) [N/y/m/?] Press Enter

Enhanced Real Time Clock Support (CONFIG_RTC) [N/y/m/?] Press Enter
Double Talk PC internal speech card support (CONFIG_DTLK) [N/y/m/?] Press Enter
Siemens R3964 line discipline (CONFIG_R3964) [N/y/m/?] Press Enter
Applicom intelligent fieldbus card support (CONFIG_APPLICOM) [N/y/m/?] Press Enter
*
* Ftape, the floppy tape device driver
*
Ftape (QIC-80/Travan) support (CONFIG_FTAPE) [N/y/m/?] Press Enter
/dev/agpgart (AGP Support) (CONFIG_AGP) [Y/m/n/?] n
Direct Rendering Manager (XFree86 DRI support) (CONFIG_DRM) [Y/n/?] n
ACP Modem (Mwave) support (CONFIG_MWAVE) [N/y/m/?] Press Enter
*
* Multimedia devices
*
Video For Linux (CONFIG_VIDEO_DEV) [N/y/m/?] Press Enter
*
* File systems
*
Quota support (CONFIG_QUOTA) [N/y/?] y
Kernel automounter support (CONFIG_AUTOFS_FS) [N/y/m/?] Press Enter
Kernel automounter version 4 support (also supports v3) (CONFIG_AUTOFS4_FS) [Y/m/n/?] n
Reiserfs support (CONFIG_REISERFS_FS) [N/y/m/?] Press Enter
Ext3 journalling file system support (EXPERIMENTAL) (CONFIG_EXT3_FS) [N/y/m/?] y
JBD (ext3) debugging support (CONFIG_JBD_DEBUG) [N/y/?] y
DOS FAT fs support (CONFIG_FAT_FS) [N/y/m/?] m
MSDOS fs support (CONFIG_MSDOS_FS) [N/y/m/?] m
VFAT (Windows-95) fs support (CONFIG_VFAT_FS) [N/y/m/?] m
Compressed ROM file system support (CONFIG_CRAMFS) [N/y/m/?] Press Enter
Virtual memory file system support (former shm fs) (CONFIG_TMPFS) [Y/n/?] Press Enter
Simple RAM-based file system support (CONFIG_RAMFS) [N/y/m/?] Press Enter
ISO 9660 CDROM file system support (CONFIG_ISO9660_FS) [Y/m/n/?] m
Microsoft Joliet CDROM extensions (CONFIG_JOLIET) [N/y/?] y
Transparent decompression extension (CONFIG_ZISOFS) [N/y/?] Press Enter
Minix fs support (CONFIG_MINIX_FS) [N/y/m/?] Press Enter
FreeVxFS file system support (VERITAS VxFS(TM) compatible) (CONFIG_VXFS_FS) [N/y/m/?]
Press Enter
NTFS file system support (read only) (CONFIG_NTFS_FS) [N/y/m/?] Press Enter
OS/2 HPFS file system support (CONFIG_HPFS_FS) [N/y/m/?] Press Enter
/proc file system support (CONFIG_PROC_FS) [Y/n/?] Press Enter
/dev/pts file system for Unix98 PTYs (CONFIG_DEVPTS_FS) [Y/n/?] Press Enter
ROM file system support (CONFIG_ROMFS_FS) [N/y/m/?] Press Enter
Second extended fs support (CONFIG_EXT2_FS) [Y/m/n/?] Press Enter
System V/Xenix/V7/Coherent file system support (CONFIG_SYSV_FS) [N/y/m/?] Press Enter
UDF file system support (read only) (CONFIG_UDF_FS) [N/y/m/?] Press Enter
UFS file system support (read only) (CONFIG_UFS_FS) [N/y/m/?] Press Enter
*
* Network File Systems
*
Coda file system support (advanced network fs) (CONFIG_CODA_FS) [N/y/m/?] Press Enter
NFS file system support (CONFIG_NFS_FS) [Y/m/n/?] n
NFS server support (CONFIG_NFSD) [Y/m/n/?] n
SMB file system support (to mount Windows shares etc.) (CONFIG_SMB_FS) [N/y/m/?] Press
Enter
NCP file system support (to mount NetWare volumes) (CONFIG_NCP_FS) [N/y/m/?] Press Enter
*
* Partition Types
*
Advanced partition selection (CONFIG_PARTITION_ADVANCED) [N/y/?] Press Enter
*
* Native Language Support
*
Default NLS Option (CONFIG_NLS_DEFAULT) [iso8859-1] (NEW) Press Enter
Codepage 437 (United States, Canada) (CONFIG_NLS_CODEPAGE_437) [N/y/m/?] (NEW) Press
Enter
Codepage 737 (Greek) (CONFIG_NLS_CODEPAGE_737) [N/y/m/?] (NEW) Press Enter
Codepage 775 (Baltic Rim) (CONFIG_NLS_CODEPAGE_775) [N/y/m/?] (NEW) Press Enter
Codepage 850 (Europe) (CONFIG_NLS_CODEPAGE_850) [N/y/m/?] (NEW) Press Enter
Codepage 852 (Central/Eastern Europe) (CONFIG_NLS_CODEPAGE_852) [N/y/m/?] (NEW) Press
Enter
Codepage 855 (Cyrillic) (CONFIG_NLS_CODEPAGE_855) [N/y/m/?] (NEW) Press Enter

186
 Kernel Security & Optimization 0
CHAPTER 6

Codepage 857 (Turkish) (CONFIG_NLS_CODEPAGE_857) [N/y/m/?] (NEW) Press Enter

Codepage 860 (Portuguese) (CONFIG_NLS_CODEPAGE_860) [N/y/m/?] (NEW) Press Enter
Codepage 861 (Icelandic) (CONFIG_NLS_CODEPAGE_861) [N/y/m/?] (NEW) Press Enter
Codepage 862 (Hebrew) (CONFIG_NLS_CODEPAGE_862) [N/y/m/?] (NEW) Press Enter
Codepage 863 (Canadian French) (CONFIG_NLS_CODEPAGE_863) [N/y/m/?] (NEW) Press Enter
Codepage 864 (Arabic) (CONFIG_NLS_CODEPAGE_864) [N/y/m/?] (NEW) Press Enter
Codepage 865 (Norwegian, Danish) (CONFIG_NLS_CODEPAGE_865) [N/y/m/?] (NEW) Press Enter
Codepage 866 (Cyrillic/Russian) (CONFIG_NLS_CODEPAGE_866) [N/y/m/?] (NEW) Press Enter
Codepage 869 (Greek) (CONFIG_NLS_CODEPAGE_869) [N/y/m/?] (NEW) Press Enter
Simplified Chinese charset (CP936, GB2312) (CONFIG_NLS_CODEPAGE_936) [N/y/m/?] (NEW)
Press Enter
Traditional Chinese charset (Big5) (CONFIG_NLS_CODEPAGE_950) [N/y/m/?] (NEW) Press Enter
Japanese charsets (Shift-JIS, EUC-JP) (CONFIG_NLS_CODEPAGE_932) [N/y/m/?] (NEW) Press
Enter
Korean charset (CP949, EUC-KR) (CONFIG_NLS_CODEPAGE_949) [N/y/m/?] (NEW) Press Enter
Thai charset (CP874, TIS-620) (CONFIG_NLS_CODEPAGE_874) [N/y/m/?] (NEW) Press Enter
Hebrew charsets (ISO-8859-8, CP1255) (CONFIG_NLS_ISO8859_8) [N/y/m/?] (NEW) Press Enter
Windows CP1250 (Slavic/Central European Languages) (CONFIG_NLS_CODEPAGE_1250) [N/y/m/?]
(NEW) Press Enter
Windows CP1251 (Bulgarian, Belarusian) (CONFIG_NLS_CODEPAGE_1251) [N/y/m/?] (NEW) Press
Enter
NLS ISO 8859-1 (Latin 1; Western European Languages) (CONFIG_NLS_ISO8859_1) [N/y/m/?]
(NEW) Press Enter
NLS ISO 8859-2 (Latin 2; Slavic/Central European Languages) (CONFIG_NLS_ISO8859_2)
[N/y/m/?] (NEW) Press Enter
NLS ISO 8859-3 (Latin 3; Esperanto, Galician, Maltese, Turkish) (CONFIG_NLS_ISO8859_3)
[N/y/m/?] (NEW) Press Enter
NLS ISO 8859-4 (Latin 4; old Baltic charset) (CONFIG_NLS_ISO8859_4) [N/y/m/?] (NEW)
Press Enter
NLS ISO 8859-5 (Cyrillic) (CONFIG_NLS_ISO8859_5) [N/y/m/?] (NEW) Press Enter
NLS ISO 8859-6 (Arabic) (CONFIG_NLS_ISO8859_6) [N/y/m/?] (NEW) Press Enter
NLS ISO 8859-7 (Modern Greek) (CONFIG_NLS_ISO8859_7) [N/y/m/?] (NEW) Press Enter
NLS ISO 8859-9 (Latin 5; Turkish) (CONFIG_NLS_ISO8859_9) [N/y/m/?] (NEW) Press Enter
NLS ISO 8859-13 (Latin 7; Baltic) (CONFIG_NLS_ISO8859_13) [N/y/m/?] (NEW) Press Enter
NLS ISO 8859-14 (Latin 8; Celtic) (CONFIG_NLS_ISO8859_14) [N/y/m/?] (NEW) Press Enter
NLS ISO 8859-15 (Latin 9; Western European Languages with Euro) (CONFIG_NLS_ISO8859_15)
[N/y/m/?] (NEW) Press Enter
NLS KOI8-R (Russian) (CONFIG_NLS_KOI8_R) [N/y/m/?] (NEW) Press Enter
NLS KOI8-U/RU (Ukrainian, Belarusian) (CONFIG_NLS_KOI8_U) [N/y/m/?] (NEW) Press Enter
NLS UTF8 (CONFIG_NLS_UTF8) [N/y/m/?] (NEW) Press Enter
*
* Console drivers
*
VGA text console (CONFIG_VGA_CONSOLE) [Y/n/?] Press Enter
Video mode selection support (CONFIG_VIDEO_SELECT) [N/y/?] Press Enter
*
* Sound
*
Sound card support (CONFIG_SOUND) [Y/m/n/?] n
*
* USB support
*
Support for USB (CONFIG_USB) [Y/m/n/?] n
*
* USB Controllers
*
*
* USB Device Class drivers
*
*
* SCSI support is needed for USB Storage
*
*
* USB Human Interface Devices (HID)
*
*
* Input core support is needed for USB HID
*
*
* USB Imaging devices
*

187
 Kernel Security & Optimization 0
CHAPTER 6

*
* USB Multimedia devices
*
*
* Video4Linux support is needed for USB Multimedia device support
*
*
* USB Network adaptors
*
*
* USB port drivers
*
*
* USB Serial Converter support
*
*
* USB Miscellaneous drivers
*
*
* Kernel hacking
*
Kernel debugging (CONFIG_DEBUG_KERNEL) [N/y/?] Press Enter

*
* Grsecurity
*
Grsecurity (CONFIG_GRKERNSEC) [N/y/?] y
Security level (Low, Medium, High, Customized) [Customized] Press Enter
*
* Buffer Overflow Protection
*
Openwall non-executable stack (CONFIG_GRKERNSEC_STACK) [N/y/?] y
Gcc trampoline support (CONFIG_GRKERNSEC_STACK_GCC) [N/y/?] Press Enter
Read-only kernel memory (CONFIG_GRKERNSEC_KMEM) [N/y/?] y
*
* Access Control Lists
*
Grsecurity ACL system (CONFIG_GRKERNSEC_ACL) [N/y/?] y
ACL Debugging Messages (CONFIG_GR_DEBUG) [N/y/?] y
Extra ACL Debugging Messages (CONFIG_GR_SUPERDEBUG) [N/y/?] Press Enter
Denied capability logging (CONFIG_GRKERNSEC_ACL_CAPLOG) [N/y/?] y
Path to gradm (CONFIG_GRADM_PATH) [/sbin/gradm] Press Enter
Maximum tries before password lockout (CONFIG_GR_MAXTRIES) [3] 2
Time to wait after max password tries, in seconds (CONFIG_GR_TIMEOUT) [30] Press Enter
*
* Filesystem Protections
*
Proc restrictions (CONFIG_GRKERNSEC_PROC) [N/y/?] y
Restrict to user only (CONFIG_GRKERNSEC_PROC_USER) [N/y/?] y
Additional restrictions (CONFIG_GRKERNSEC_PROC_ADD) [N/y/?] y
Linking restrictions (CONFIG_GRKERNSEC_LINK) [N/y/?] y
FIFO restrictions (CONFIG_GRKERNSEC_FIFO) [N/y/?] y
Secure file descriptors (CONFIG_GRKERNSEC_FD) [N/y/?] y
Chroot jail restrictions (CONFIG_GRKERNSEC_CHROOT) [N/y/?] y
Restricted signals (CONFIG_GRKERNSEC_CHROOT_SIG) [N/y/?] y
Deny mounts (CONFIG_GRKERNSEC_CHROOT_MOUNT) [N/y/?] y
Deny double-chroots (CONFIG_GRKERNSEC_CHROOT_DOUBLE) [N/y/?] y
Enforce chdir("/") on all chroots (CONFIG_GRKERNSEC_CHROOT_CHDIR) [N/y/?] y
Deny (f)chmod +s (CONFIG_GRKERNSEC_CHROOT_CHMOD) [N/y/?] y
Deny mknod (CONFIG_GRKERNSEC_CHROOT_MKNOD) [N/y/?] y
Deny ptraces (CONFIG_GRKERNSEC_CHROOT_PTRACE) [N/y/?] y
Restrict priority changes (CONFIG_GRKERNSEC_CHROOT_NICE) [N/y/?] y
Capability restrictions within chroot (CONFIG_GRKERNSEC_CHROOT_CAPS) [N/y/?] Press Enter
Secure keymap loading (CONFIG_GRKERNSEC_KBMAP) [N/y/?] y
*
* Kernel Auditing
*
Single group for auditing (CONFIG_GRKERNSEC_AUDIT_GROUP) [N/y/?] Press Enter
Exec logging (CONFIG_GRKERNSEC_EXECLOG) [N/y/?] Press Enter
Log execs within chroot (CONFIG_GRKERNSEC_CHROOT_EXECLOG) [N/y/?] y
Chdir logging (CONFIG_GRKERNSEC_AUDIT_CHDIR) [N/y/?] Press Enter

188
 Kernel Security & Optimization 0
CHAPTER 6

(Un)Mount logging (CONFIG_GRKERNSEC_AUDIT_MOUNT) [N/y/?] Press Enter

IPC logging (CONFIG_GRKERNSEC_AUDIT_IPC) [N/y/?] y
Ptrace logging (CONFIG_GRKERNSEC_AUDIT_PTRACE) [N/y/?] Press Enter
Signal logging (CONFIG_GRKERNSEC_SIGNAL) [N/y/?] y
Fork failure logging (CONFIG_GRKERNSEC_FORKFAIL) [N/y/?] y
Set*id logging (CONFIG_GRKERNSEC_SUID) [N/y/?] Press Enter
Log set*ids to root (CONFIG_GRKERNSEC_SUID_ROOT) [N/y/?] y
Time change logging (CONFIG_GRKERNSEC_TIME) [N/y/?] y
*
* Executable Protections
*
Exec process limiting (CONFIG_GRKERNSEC_EXECVE) [N/y/?] y
Dmesg(8) restriction (CONFIG_GRKERNSEC_DMESG) [N/y/?] y
Randomized PIDs (CONFIG_GRKERNSEC_RANDPID) [N/y/?] y
Altered default IPC permissions (CONFIG_GRKERNSEC_IPC) [N/y/?] Press Enter
Limit uid/gid changes to root (CONFIG_GRKERNSEC_TTYROOT) [N/y/?] y
Deny physical consoles (tty) (CONFIG_GRKERNSEC_TTYROOT_PHYS) [N/y/?] Press Enter
Deny serial consoles (ttyS) (CONFIG_GRKERNSEC_TTYROOT_SERIAL) [N/y/?] y
Deny pseudo consoles (pty) (CONFIG_GRKERNSEC_TTYROOT_PSEUDO) [N/y/?] Press Enter
Fork-bomb protection (CONFIG_GRKERNSEC_FORKBOMB) [N/y/?] y
GID for restricted users (CONFIG_GRKERNSEC_FORKBOMB_GID) [1006] Press Enter
Forks allowed per second (CONFIG_GRKERNSEC_FORKBOMB_SEC) [40] Press Enter
Maximum processes allowed (CONFIG_GRKERNSEC_FORKBOMB_MAX) [20] 35
Trusted path execution (CONFIG_GRKERNSEC_TPE) [N/y/?] y
Glibc protection (CONFIG_GRKERNSEC_TPE_GLIBC) [N/y/?] y
Partially restrict non-root users (CONFIG_GRKERNSEC_TPE_ALL) [N/y/?] y
GID for untrusted users: (CONFIG_GRKERNSEC_TPE_GID) [1005] Press Enter
Restricted ptrace (CONFIG_GRKERNSEC_PTRACE) [N/y/?] y
Allow ptrace for group (CONFIG_GRKERNSEC_PTRACE_GROUP) [N/y/?] Press Enter
*
* Network Protections
*
Randomized IP IDs (CONFIG_GRKERNSEC_RANDID) [N/y/?] y
Randomized TCP source ports (CONFIG_GRKERNSEC_RANDSRC) [N/y/?] y
Randomized RPC XIDs (CONFIG_GRKERNSEC_RANDRPC) [N/y/?] y
Altered Ping IDs (CONFIG_GRKERNSEC_RANDPING) [N/y/?] y
Randomized TTL (CONFIG_GRKERNSEC_RANDTTL) [N/y/?] y
Socket restrictions (CONFIG_GRKERNSEC_SOCKET) [N/y/?] y
Deny any sockets to group (CONFIG_GRKERNSEC_SOCKET_ALL) [N/y/?] y
GID to deny all sockets for: (CONFIG_GRKERNSEC_SOCKET_ALL_GID) [1004] Press Enter
Deny client sockets to group (CONFIG_GRKERNSEC_SOCKET_CLIENT) [N/y/?] Press Enter
Deny server sockets to group (CONFIG_GRKERNSEC_SOCKET_SERVER) [N/y/?] Press Enter
*
* Sysctl support
*
Sysctl support (CONFIG_GRKERNSEC_SYSCTL) [N/y/?] Press Enter
*
* Miscellaneous Features
*
Seconds in between log messages(minimum) (CONFIG_GRKERNSEC_FLOODTIME) [30] Press Enter
BSD-style coredumps (CONFIG_GRKERNSEC_COREDUMP) [N/y/?] y

*** End of Linux kernel configuration.

*** Check the top-level Makefile for additional configuration.
*** Next, you must run 'make dep'.

189
 Kernel Security & Optimization 0
CHAPTER 6

Compiling the Kernel

This section applies to both Monolithic and Modularized kernels. Once the kernel configuration
has been completed, return to the /usr/src/linux directory (if you are not already in it) and
compile the new kernel. You do so by using the following command:

• To compile the Kernel, use the following command:

[root@deep linux]# make dep; make clean; make bzImage

This line contains three commands in one. The first one, make dep, actually takes your
configuration and builds the corresponding dependency tree. This process determines what gets
compiled and what doesn’t. The next step, make clean, erases all previous traces of a
compilation so as to avoid any mistakes in which the wrong version of a feature gets tied into the
kernel. Finally, make bzImage does the full compilation of the kernel.

After the process is complete, the kernel is compressed and ready to be installed on your system.
Before we can install the new kernel, we must know if we need to compile the corresponding
modules. This is required ONLY if you said yes to “Enable loadable module support
(CONFIG_MODULES)” and have compiled some options in the kernel configuration above as a
module (See Modularized kernel configuration). In this case, you must execute the following
commands:

• To compile the corresponding modules for your kernel, use the following commands:
[root@deep linux]# make modules
[root@deep linux]# make modules_install

WARNING: The make modules and make modules_install commands are required ONLY if
you say yes to “Enable loadable module support (CONFIG_MODULES)” in your kernel
configurations (See Modularized kernel configuration) because you want to build a
modularized kernel.

Installing the Kernel

This section applies to both the Monolithic and Modularized kernel. Ok, the kernel has been
configured, compiled and is now ready to be installed your system. Below are the steps required
to install all the necessary kernel components in your system.

Step 1
Copy the file /usr/src/linux/arch/i386/boot/bzImage from the kernel source tree to the
/boot directory, and give it an appropriate new name.

• To copy the bzImage file to the /boot directory, use the following commands:
[root@deep /]# cd /usr/src/linux/ (if you are not already in it)
[root@deep linux]# cp arch/i386/boot/bzImage /boot/vmlinuz-2.4.18

190
 Kernel Security & Optimization 0
CHAPTER 6

Step 2
A new System.map file is generated when you compile a kernel, and is a list of all the addresses
in that kernel and their corresponding symbols. Every time that you create a new kernel, such a
file System.map is created and saved in /usr/src/linux. It's a text file, which is read by a
few programs to do address <-> symbol translation, and which you need if you ever get an Oops.

Certain commands, like klog, ps, and lsof, use the System.map file to get the name of kernel
symbols. Without it some commands like lsof will complain that they can't find a System.map
file to match the currently booted kernel.

Copy the file /usr/src/linux/System.map from the kernel source tree to the /boot
directory, and give it an appropriate new name.

• To copy the System.map file to the /boot directory, use the following commands:
[root@deep /]# cd /usr/src/linux/ (if you are not already in it)
[root@deep linux]# cp System.map /boot/System.map-2.4.18

Step 3
Move into the /boot directory and rebuild the links vmlinuz and System.map.

• To rebuild the vmlinuz and System.map files, use the following commands:
[root@deep linux]# cd /boot/
[root@deep /boot]# ln -fs vmlinuz-2.4.18 vmlinuz
[root@deep /boot]# ln -fs System.map-2.4.18 System.map

We must rebuild the links of vmlinuz and System.map to point them to the new installed kernel
version. Without the new links LILO or GRUB program will look, by default, for the old version of
your Linux kernel.

Step 4
Remove obsolete and unnecessary files under the /boot directory to increase disk space:

• To remove obsolete and unnecessary files under the /boot directory, use commands:
[root@deep /]# cd /boot/ (if you are not already in it)
[root@deep /boot]# rm -f module-info
[root@deep /boot]# rm -f initrd-2.4.x.img

The module-info is a link, which points to the old modules directory of your original kernel.
Since we have installed a brand new kernel, we don’t need to keep this broken link.

The initrd-2.4.x.img is a file that contains an initial RAM disk image that serves as a
system before the disk is available. This file is only available and is installed by the Linux initial
setup installation if your system has a SCSI adapter present and only if your system has a SCSI
adapter. If we use and have a SCSI system, the required driver now will have been incorporated
into our new Linux kernel since we have build it by answering Y to the question related to our
SCSI model during the configuration of the kernel, so we can safely remove this file (initrd-
2.4.x.img).

191
 Kernel Security & Optimization 0
CHAPTER 6

Step 5
Create a new Linux kernel directory that will handle all the header files related to Linux kernel for
future compilation of other programs on your system.

Recall, we had created two symlinks under the /usr/include directory that pointed to the Linux
kernel header files to be able to compile it without receiving errors and also be able to compile
future programs. The /usr/include directory is where all the header files for your Linux system
are kept for reference and dependencies when you compile and install new programs.

The asm, and linux links are used when programs need to know some functions which are
compile-time specific to the kernel installed on your system. Programs call other headers as well
in the /usr/include directory when they must know specific information, dependencies, etc of
your system.

• To create a new Linux kernel directory to handle all header files, use the commands:
[root@deep /]# mkdir -p /usr/src/linux-2.4.18/include
[root@deep /]# cd /usr/src/linux/
[root@deep linux]# cp -r include/asm-i386 ../linux-2.4.18/include/
[root@deep linux]# cp -r include/linux ../linux-2.4.18/include/
[root@deep linux]# cd ../
[root@deep src]# rm -rf /usr/src/linux
[root@deep src]# cd /usr/src/ (to be sure that we are into the src directory)
[root@deep src]# ln -s /usr/src/linux-2.4.18 linux

First we create a new directory named “linux-2.4.18” based on the version of the kernel we
have installed for easy interpretation, then we copy directories asm-i386, and linux from
/usr/src/linux/include to our new location /usr/src/linux-2.4.18/include. After
we remove the entire source directory where we compiled the new kernel, we create a new
symbolic link named “linux” under /usr/src that points to our new /usr/src/linux-
2.4.18 directory. With these steps, future compiled programs will know where to look for
headers related to the kernel on your server.

NOTE: This step will allow us to gain space on our hard drive and will reduce the security risks.
The Linux kernel source directory handles a lot files and is about 94M in size when
uncompressed. With the procedure described above, our Linux kernel directory began
approximately 4M in size so we save 90MB for the same functionalities.

Verifying or upgrading your boot loader

Once the new kernel image has been installed on your server, we have to inform our boot loader
about it. This is done inside the configuration file of your boot loader software. Below I show you
how to do it depending if you use GRUB or LILO as your boot loader.

LILO:
This step applies only if you use LILO as your boot loader on the system. If you use GRUB as
your boot loader instead of LILO (highly recommended), then you can skip this section and go
directly to the next one.

192
 Kernel Security & Optimization 0
CHAPTER 6

Step 1
You need to edit the lilo.conf file to make your new kernel one of the boot time options:

• Edit the lilo.conf file (vi /etc/lilo.conf) and make the appropriate change on
the line that reads “image=/boot/vmlinuz-x.x.x”.
[root@deep /]# vi /etc/lilo.conf

boot=/dev/sda
map=/boot/map
install=/boot/boot.b
timeout=00
default=linux
restricted
password=somepasswd

image=/boot/vmlinuz
label=linux
read-only
root=/dev/sda6

Step 2
Once the necessary modifications have been made in the /etc/lilo.conf file as shown
above, we update our lilo.conf file for the change to take effect.

• This can be done with the following command:

[root@deep /]# /sbin/lilo
Added linux *

GRUB:
This step applies only if you use GRUB as your boot loader on the system. In most case, GRUB
does not need to be updated when you install a new kernel on your computer but here we have to
verify inside our grub.conf file if all default setting are still available and configured because
when we uninstall Red Hat kernel RPM package, the software automatically remove some needed
parameters from the GRUB configuration file.

Step 1
Edit your GRUB configuration file and be sure that everything is correct and look like the following.
Your setting should differ from the example below.

• Edit the grub.conf file (vi /etc/grub.conf) and check your setting.
[root@deep /]# vi /etc/grub.conf

default 0
timeout 00
title Red Hat Linux
kernel (hd0,0)/vmlinuz ro root=/dev/sda5

193
 Kernel Security & Optimization 0
CHAPTER 6

Reconfiguring /etc/modules.conf file

This section applies only if you chose to install a Modularized Kernel on your system. The
/etc/modules.conf file represents the (optional) configuration file for loading kernel modules
on your system. It is used to modify the behavior of modprobe and depmod programs.

This file consists of a set of lines with different parameters. It is important after each upgrade of a
modularized kernel to verify if all the information and parameters contained inside it are valid
and correct.

All the contents of the /etc/modules.conf file apply only for systems where the kernel has
been configured with modules (modularized kernel). So if you have recompiled your new
kernel with some new options as modules or if you have removed some modules from it, it is
important to update or remove the modules.conf file to reflect the changes and eliminate
possible error message during booting.

As an example, the following is the content of the modules.conf file on my system. Linux has
added these parameters automatically, depending of the system hardware during the primary
install stage of the operating system.

alias scsi_hostadapter aic7xxx

alias eth0 eepro100
alias eth1 eepro100
alias parport_lowlevel parport_pc
alias usb-controller uhci

One important use of the modules.conf file is the possibility of using the “alias” directive to
give alias names to modules and link object files to a module.

After recompilation of the kernel, and depending on how we have answered the different kernel
questions during kernel configuration, it may be possible that we need to make some adjustments
to the default parameters, especially if we have answered yes during kernel configuration to
some devices available in our system, like network cards and SCSI adapters.

If the configuration file /etc/modules.conf is missing, or if any directive is not overridden, the
default will be to look under /lib/modules directory containing modules compiled for the
current release of the kernel. Therefore, we can remove the /etc/modules.conf file from the
system and let the modprobe and depmod programs manage all existing modules for us.

To summarize, you can:

1) Keep the modules.conf file; only kernel options which you have answered m during
kernel configuration time (of course only if these modules did exist into modules.conf).
Any kernel options where you have answered yes or no will not appear into the
modules.conf file.

2) Or remove the /etc/modules.conf file from your system and let modprobe and
depmod programs manage all existing modules for you. On a server environment, I
prefer to use this choice.

194
 Kernel Security & Optimization 0
CHAPTER 6

Rebooting your system to load the new kernel

Whether you have installed a new Monolithic Kernel where codes and drivers are compiled into
the kernel and are always loaded or a Modularized Kernel where some segment of codes are
compiled into the kernel as a module and loaded on demand, it is time to Reboot your system
and test your results.

• To reboot your Linux system, use the following command:

[root@deep /]# reboot

When the system is rebooted and you are logged in, verify the new version of your kernel with the
following command:

• To verify the version of your new kernel, use the following command:
[root@deep /]# uname -a
Linux dev 2.4.18-grsec-1.9.4 #1 Wed Jun 19 15:14:55 EDT 2002 i686 unknown

Congratulations!

Delete programs, edit files pertaining to modules

This section applies only if you chose to install a Monolithic Kernel on your system. By default
when you install Linux for the first time (like we did), the kernel is built as a Modularized Kernel.
This means that each device or function we need exists as a module and is controlled by the
Kernel Daemon program named kmod. kmod automatically loads some modules and functions
into memory as they are needed, and unloads them when they’re no longer being used.

kmod and other module management programs included in the modutils RPM package use the
modules.conf file located in the /etc directory to know for example which Ethernet card you
have, if your Ethernet card requires special configuration and so on. If we don’t use any modules
in our newly compiled kernel because we have compiled the kernel as a Monolithic Kernel and
ONLY in this case, we can remove the modules.conf file and completely uninstall the
modutils RPM package.

• To remove the modules.conf file, use the following command:

[root@deep /]# rm -f /etc/modules.conf

• To uninstall the modutils package, use the following command:

[root@deep /]# rpm -e --nodeps modutils

WARNING: Once again, the above is required only if you said no to “Enable loadable module
support (CONFIG_MODULES)” in your kernel configuration because you have decided to build
a Monolithic Kernel.

195
 Kernel Security & Optimization 0
CHAPTER 6

Making a new rescue floppy for Modularized Kernel

This section applies only if you chose to install a Modularized Kernel on your system.
Immediately after you successfully start your system and log in as root, you should create a new
emergency boot floppy disk. The procedure to achieve it is the same as shown at the beginning
of this chapter related to Linux Kernel.

Please go back to the beginning of this chapter and follow the procedures to recreate a new
emergency boot floppy disk suitable for the new install Linux kernel on your system. Don’t forget
to test the boot disk to be sure that it works.

The mkbootdisk program runs only on Modularized Kernel. So you can’t use it on a Monolithic
Kernel; instead create an emergency boot floppy disk for Monolithic kernel as shown below.

Making a emergency boot floppy disk for Monolithic Kernel

This section applies only if you chose to install a Monolithic Kernel in your system. Because it is
possible to create a rescue floppy only on modularized kernel, we must find another way to boot
our Linux system for a monolithic kernel if the Linux kernel on the hard disk is damaged.

This is possible with a Linux emergency boot floppy disk. You should create it immediately after
you successfully start your system and log in as root. To create the emergency boot floppy, follow
these steps:

Step 1
Insert a floppy disk and format it with the following command:
[root@deep /]# fdformat /dev/fd0H1440
Double-sided, 80 tracks, 18 sec/track. Total capacity 1440 kB.
Formatting ... done
Verifying ... done

Step 2
Copy the actual file “vmlinuz” from the /boot directory to the floppy disk:
[root@deep /]# cp /boot/vmlinuz /dev/fd0H1440
cp: overwrite `/dev/fd0H1440'? y

NOTE: The vmlinuz file is a symbolic link that points to the real Linux kernel.

Step 3
Determine the kernel’s root device with the following command:
[root@deep /]# rdev
/dev/sda6 /

NOTE:The kernel’s root device is the disk partition where the root file system is located. In this
example, the root device is /dev/sda6; the device name should be different on your system.

196
 Kernel Security & Optimization 0
CHAPTER 6

Step 4
Set the kernel’s root device with the following command:
[root@deep /]# rdev /dev/fd0H1440 /dev/sda6

NOTE: To set the kernel’s root device, use the device reported by the “rdev” command utility in
the previous step.

Step 5
Mark the root device as read-only with the following command:
[root@deep /]# rdev -R /dev/fd0H1440 1

NOTE: This causes Linux to initially mount the root file system as read-only. By setting the root
device as read-only, you avoid several warnings and error messages.

Step 6
Now put the boot floppy in the drive A: and reboot your system with the following command to be
sure that your new boot disk is working:
[root@something /]# reboot

Following these guidelines, you will now have a boot floppy with a known working kernel in case
of problems with the upgrade. I recommend rebooting the system with the floppy to make sure
that the floppy works correctly.

Step 7
Because the mkbootdisk and dosfstools program are required only when you have a
Modularized kernel installed in your Linux system, we can remove the unneeded mkbootdisk
and dosfstools packages from the system when we have a Monolithic kernel installed on our
server.

• To uninstall the mkbootdisk and dosfstools utility, use the following command:
[root@deep /]# rpm –e mkbootdisk dosfstools

197
Process file system management
IN THIS CHAPTER

1. What is sysctl?
2. /proc/sys/vm: The virtual memory subsystem of Linux
3. /proc/sys/fs: The file system data of Linux
4. /proc/sys/net/ipv4: IPV4 settings of Linux
5. Other possible optimization of the system
 Process file system management 0
CHAPTER 7

Linux /proc

Abstract
The /proc (the process file system), also known as a pseudo-filesystem, is used as an interface
to kernel data structures. It doesn’t exist, neither the /proc directory nor its subdirectories or its
files actually exist. Most of the files in this special directory are read-only and cannot be changed,
but some kernel variables can be changed. It is these files that we will talk about in this chapter of
the book.

It is important to note that the /proc filesystem is structured in a hierarchy. Most of the entries in
the /proc directory are a decimal number, corresponding to a process-ID running on the system.
These entries are themselves subdirectories and access to process state that is provided by
additional files contained within each subdirectory. Have you ever thought about where all the
processes running in the background of your system are handled and managed by the kernel?
The answer is the /proc filesystem directory of Linux.

But the /proc filesystem doesn’t handle only process ID of the system; it is also responsible for
providing and managing all access to the state of each information on the system. This
information is comprised of CPU, devices, IDE, SCSI, interrupts, io-ports, memories, modules,
partitions, PCI information and much more. Just take a quick look inside your /proc filesystem
directory to get an idea of the available features controlled by the kernel through the /proc
filesystem. We can read the contents of this information to get an idea of what processor, PCI,
network cards, kernel version, partitions, etc that we have on our system.

As we said before, not all features available in the /proc filesystem are customizable, most are
managed by the kernel and cannot be changed. Most are well controlled by the kernel and should
not require any modifications since the kernel does a good job with them. Some can, and need to
be, changed and customized to better fit your system resources, and increase security. It is those
customizable features related to performance and security of the Linux system under the /proc
filesystem that we will explain and customize in this chapter.

This is possible with the /etc/sysctl.conf file which contains values that change the default
parameters of customizable features in the /proc filesystem. To recap, systcl.conf is the
configuration file that talks to sysctl(8) which is an interface that allows you to make changes
to a running Linux system. We use systcl.conf to talk to the kernel and say for example: hey,
I need more power on the virtual memory, please change your value to this value.

Throughout this chapter, we’ll often use it to customize our /proc filesystem on Linux to better
utilize resources, power and security of our particular machine. Remember that everyone have a
different computer with different hardware, setting and this is why changing some default
customizable values in the /proc directory could make the difference on security and speed.

In this chapter, we will talk about customized parameters available under the /proc/sys
directory since most of all changeable parameters are located under this directory. We will talk
about virtual memory, file system, TCP/IP stack security and performance.

201
 Process file system management 0
CHAPTER 7

What is sysctl?
sysctl is an interface that allows you to make changes to a running Linux system. It serves two
functions: to read and to modify system settings.

• To view all readable variables, use the following command:

[root@deep /]# sysctl -a

• To read a particular variable, for example, fs.file-max, use the following command:
[root@deep /]# sysctl fs.file-max
fs.file-max = 8192

• To set a particular variable for fs.file-max, use the following command:

[root@deep /]# sysctl -w fs.file-max=5536
fs.file-max = 16384

Settings of sysctl variables are usually strings, numbers, or booleans (a boolean being 1 for
yes or a 0 for no). If you set and change variable manually with the sysctl command as show
above, your changes will not resists on the next reboot of the system. For this reason, we will use
and show you further down in this chapter how to make your changes permanent even on
possible reboot of the server by using the /etc/sysctl.conf file.

/proc/sys/vm: The virtual memory subsystem of Linux

All parameters described in this chapter reside under the /proc/sys/vm directory of the server
and can be used to tune the operation of the virtual memory (VM) subsystem of the Linux kernel.
Be very careful when attempting this. You can optimize your system, but you can also cause it to
crash. Since every system is different, you'll probably want some control over this piece of the
system.

Finally, these are advanced setting and if you don’t understand them, then don’t try to play in this
area or try to use all the examples below in your system. Remember that all systems are different
and require different settings and customizations. The majority of the following hacks will work
fine on a server with >= at 512MB of RAM or a minimum of 256MB of RAM. Below this amount of
memory, nothing is guaranteed and the default setting will just be fine for you.

Next I’ll show you parameters that can be optimized. All suggestions I make in this section are
valid for all kinds of servers. The only difference depends on the amount of RAM your machine
has and this is where the settings will change.

The above figure shows a snapshot of /proc/sys/vm directory on an OpenNA Linux & Red Hat
Linux system running kernel version 2.4. Please note that this picture may look different on your
system.

202
 Process file system management 0
CHAPTER 7

The bdflush parameters:

The bdflush file is closely related to the operation of the virtual memory (VM) subsystem of the
Linux kernel and has a little influence on disk usage. This file /proc/sys/vm/bdflush controls
the operation of the bdflush kernel daemon. We generally tune this file to improve file system
performance.

By changing some values from the defaults shown below, the system seems more responsive;
e.g. it waits a little more to write to disk and thus avoids some disk access contention. The
bdflush parameters currently contain 9 integer values, of which 4 are actually used by the
kernel. Only first, fifth, sixth and the seventh parameters are used by the kernel for bdflush
setup and all the other parameters are not used and their values are set to ‘0’.

Parameter 1 (nfract):
The bdflush parameter 1 governs the maximum number of dirty buffers in the buffer cache.
Dirty means that the contents of the buffer still have to be written to disk (as opposed to a clean
buffer, which can just be forgotten about). Setting this to a high value means that Linux can delay
disk writes for a long time, but it also means that it will have to do a lot of I/O (Input/Output) at
once when memory becomes short. A low value will spread out disk I/O more evenly at the cost
of more frequent I/O operations. The default value is 40%, the minimum is 0%, and the
maximum is 100%. We improve the default value here.

Parameter 2 (dummy1):
This parameter is unused by the system so we don’t need to change the default ones.

Parameter 3 (dummy2):
This parameter is unused by the system so we don’t need to change the default ones.

Parameter 4 (dummy3):
This parameter is unused by the system so we don’t need to change the default ones.

Parameter 5 (interval):
The bdflush parameter 5 specifies the minimum rate at which kupdate will wake and flush.
The value is expressed in jiffies (clockticks), the number of jiffies per second is normally 100.
Thus, x*HZ is x seconds. The default value is 5 seconds, the minimum is 0 seconds, and the
maximum is 600 seconds. We keep the default value here.

Parameter 6 (age_buffer):
The bdflush parameter 6 governs the maximum time Linux waits before writing out a dirty buffer
to disk. The value is in jiffies. The default value is 30 seconds, the minimum is 1 second, and the
maximum 6,000 seconds. We keep the default value here.

Parameter 7 (nfract_sync):
The bdflush parameter 7 governs the percentage of buffer cache that is dirty before bdflush
activates synchronously. This can be viewed as the hard limit before bdflush forces buffers to
disk. The default is 60%, the minimum is 0%, and the maximum is 100%. We improve the default
value here.

Parameter 8 (dummy4):
This parameter is unused by the system so we don’t need to change the default ones.

Parameter 9 (dummy5):
This parameter is unused by the system so we don’t need to change the default ones.

203
 Process file system management 0
CHAPTER 7

The default kernel setup for the bdflush parameters is:

"40 64 64 256 500 3000 60 0 0"

The default setup for the bdflush parameters under OpenNA Linux is:
"60 64 64 256 500 3000 80 0 0"

The default setup for the bdflush parameters under Red Hat Linux is:
"30 64 64 256 500 3000 60 0 0"

Step 1
To change the values of bdflush, type the following command on your terminal:

• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following line:

# Improve file system performance

vm.bdflush = 60 64 64 256 500 3000 80 0 0

Step 2
You must restart your network for the change to take effect. The command to restart the network
is the following:

• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]

NOTE: There is another way to update the entry without restarting the network by using the
following command in your terminal screen:
[root@deep /]# sysctl -w vm.bdflush="60 64 64 256 500 3000 80 0 0"

The kswapd parameter:

The kswapd file is related to the kernel swapout daemon. This file /proc/sys/vm/kswapd
frees memory on the system when it gets fragmented or full. Its task is to keep the memory
management system operating efficiently. Since every system is different, you'll probably want
some control over this piece of the system.

There are three parameters to tune in this file and two of them (tries_base and
swap_cluster) have the largest influence on system performance. The kswapd file can be
used to tune the operation of the virtual memory (VM) subsystem of the Linux kernel.

Parameter 1 (tries_base):
The kswapd parameter 1 specifies the maximum number of pages kswapd tries to free in one
round. Usually this number will be divided by 4 or 8, so it isn't as big as it looks. Increase this
number to cause swap to be released faster, and increase overall swap throughput. The default
value is 512 pages. We keep the default value here.

204
 Process file system management 0
CHAPTER 7

Parameter 2 (tries_min):
The kswapd parameter 2 specifies the minimum number of pages kswapd tries to free a least
each time it is called. Basically it's just there to make sure that kswapd frees some pages even
when it's being called with minimum priority. The default value is 32 pages. We keep the default
value here.

Parameter 3 (swap_cluster):
The kswapd parameter 3 specifies the number of pages kswapd writes in one iteration. You
want this large to increase performance so that kswapd does its I/O in large chunks and the disk
doesn't have to seek often, but you don't want it to be too large since that would flood the request
queue. The default value is 8 pages. We improve the default value here.

The default kernel setup for the kswapd parameters is:

"512 32 8"

The default setup for the kswapd parameters under OpenNA Linux is:
"512 32 32"

The default setup for the kswapd parameters under Red Hat Linux is:
"512 32 8"

Step 1
To change the values of kswapd, type the following command on your terminal:

• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following lines:

# Increase swap bandwidth system performance

vm.kswapd = 512 32 32

Step 2
You must restart your network for the change to take effect. The command to restart the network
is the following:

• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]

NOTE: There is another way to update the entry without restarting the network by using the
following command into your terminal screen:
[root@deep /]# sysctl -w vm.kswapd=”512 32 32”

205
 Process file system management 0
CHAPTER 7

The overcommit_memory parameter:

The overcommit_memory parameter is simply a flag that enables memory overcommitment.
Memory overcommitment is a procedure to check that a process has enough memory to allocate
a new virtual mapping. When this flag is 0, the kernel checks before each malloc() to see if
there's enough memory left. If the flag is 1, the system pretends there's always enough memory
and don't make the check on the system. This feature can be very useful ONLY on big servers
with a lot of pysical memories available (>= 2GB) because there are a lot of programs that
malloc() huge amounts of memory "just-in-case" and don't use much of it.

The default kernel setup for the overcommit_memory parameter is:

"0"

The default setup for the overcommit_memory parameter under OpenNA Linux is:
"0"

The default setup for the overcommit_memory parameter under Red Hat Linux is:
"0"

Step 1
To change the value of overcommit_memory, type the following command on your terminal:

• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following lines:

# Enables/Disables memory overcommitment

vm.overcommit_memory = 0

Step 2
You must restart your network for the change to take effect. The command to restart the network
is the following:

• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]

WARNING:Only change the default value of 0 to become 1 on systems with more than 2GB of
RAM. Recall that on small systems the value must be set to 0 (overcommit_memory=0).

There is another way to update the entry without restarting the network by using the following
command into your terminal screen:
[root@deep /]# sysctl -w overcommit_memory=0

206
 Process file system management 0
CHAPTER 7

The page-cluster parameter:

The Linux virtual memory subsystem avoids excessive disk seeks by reading multiple pages on a
page fault. The number of pages it reads is highly dependent on the amount of memory in your
machine. The number of pages the kernel reads in at once is equal to 2 ^ page-cluster. Values
above 2 ^ 5 don't make much sense for swap because we only cluster swap data in 32-page
groups. The page-cluster parameter is used to tune the operation of the virtual memory (VM)
subsystem of the Linux kernel.

The default kernel setup for the kswapd parameter is:

"3"

The default setup for the kswapd parameter under OpenNA Linux is:
"5"

The default setup for the kswapd parameter under Red Hat Linux is:
"4"

Step 1
To change the value of page-cluster, type the following command on your terminal:

• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following lines:

# Increase number of pages kernel reads in at once

vm.page-cluster = 5

Step 2
You must restart your network for the change to take effect. The command to restart the network
is the following:

• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]

NOTE: There is another way to update the entry without restarting the network by using the
following command into your terminal screen:
[root@deep /]# sysctl -w vm.page-cluster=5

207
 Process file system management 0
CHAPTER 7

The pagetable_cache parameter:

The kernel keeps a number of page tables in a per-processor cache (this helps a lot on SMP
systems). The cache size for each processor will be between the low and the high value. On SMP
systems it is used so that the system can do fast pagetable allocations without having to acquire
the kernel memory lock.

For large systems, the settings are probably OK. For normal systems they won't hurt a bit. For
small systems (<16MB RAM) and on a low-memory, single CPU system it might be
advantageous to set both values to 0 so you don't waste the memory.

The default kernel setup for the kswapd parameters is:

"25 50"

The default setup for the kswapd parameters under OpenNA Linux is:
"25 50"

The default setup for the kswapd parameters under Red Hat Linux is:
"25 50"

Step 1
To change the values of pagetable_cache, type the following command on your terminal:

• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following lines:

# Improve number of page tables keeps in a per-processor cache

vm.pagetable_cache = 25 50

Step 2
You must restart your network for the change to take effect. The command to restart the network
is the following:

• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]

WARNING: Only change these values on systems with multiple processors (SMP) or on small
systems (single processor) with less than 16MB of RAM. Recall that on small systems the both
values must be set to 0 (vm.pagetable_cache = 0 0).

There is another way to update the entry without restarting the network by using the following
command into your terminal screen:
[root@deep /]# sysctl -w vm.pagetable_cache=”25 50”

208
 Process file system management 0
CHAPTER 7

/proc/sys/fs: The file system data of Linux

All parameters described later in this chapter reside under the /proc/sys/fs directory of the
server and can be used to tune and monitor miscellaneous things in the operation of the Linux
kernel. Be very careful when attempting this. You can optimize your system, but you can also
cause it to crash. Since every system is different, you'll probably want some control over these
pieces of the system.

Finally, these are advanced settings and if you don’t understand them, then don’t play in this area
or try to use all the examples below in your system. Remember that all systems are different and
required different setting and customization.

Below I show you only parameters that can be optimized for the system. All suggestions I
enumerate in this section are valid for every kind of servers. The only difference depends on the
amount of MB of RAM your machines have and this is where settings will change.

The above figure shows a snapshot of /proc/sys/fs directory on a OpenNA Linux & Red Hat
Linux system running kernel version 2.4. Please note that this picture may look different on your
system.

The file-max & file-nr parameters:

The file-max and file-nr files work together on Linux, we use the file-max parameter to
sets the maximum number of file-handles that the Linux kernel will allocate and the file-nr file
to get information about the number of allocated file handles, the number of used file handles and
the maximum number of file handles presently on the system. A large-scale production server
may easily require many thousands of file-handles, depending on the kind and number of
services running concurrently on the server. On busy servers where many services are running
concurrently, we generally tune this file (file-max) to improve the number of open files available
on the system.

It is important to note that you need to increase the limit of open files available on your server
ONLY when you get lots of error messages about running out of file handles. If you don’t receive
this kind of error message, you really DON’T need to increase the default value.

• To know the number of allocated file handles, the number of used file handles and the
maximum number of file handles on your system, use the following command:
[root@deep /]# cat /proc/sys/fs/file-nr
405 137 8192

209
 Process file system management 0
CHAPTER 7

The first value (405) in our result is the number of allocated file handles, the second value (137) is
the number of used file handles, and the last value (8192) is the maximum number of file handles.
When the allocated file handles (405) come close to the maximum (8192), but the number of
actually used ones (137) is far less, you've encountered a peak in your usage of file handles and
you don't need to increase the maximum. The default kernel setup is suitable for most of us.

The default kernel setup for the file-max parameter is:

"8192"

The default setup for the file-max parameter under OpenNA Linux is:
"8192"

The default setup for the file-max parameter under Red Hat Linux is:
"8192"

Step 1
To adjust the value of file-max, type the following command on your terminal:

• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following lines:

# Increase limit of file-handles

fs.file-max = 8192

Step 2
You must restart your network for the change to take effect. The command to restart the network
is the following:

• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]

NOTE: There is another way to update the entry without restarting the network by using the
following command into your terminal screen:
[root@deep /]# sysctl -w fs.file-max=8192

210
 Process file system management 0
CHAPTER 7

/proc/sys/net/ipv4: IPV4 settings of Linux

All parameters described below reside under the /proc/sys/net/ipv4 directory of the server
and can be used to control the behavior of the IPv4 subsystem of the Linux kernel. Below I show
you only the parameters, which can be used for the network security of the system.

The above figure shows a snapshot of /proc/sys/net/ipv4 directory on a OpenNA Linux &
Red Hat Linux system running kernel version 2.4. Please note that this picture may look different
on your system.

211
 Process file system management 0
CHAPTER 7

Prevent your system responding to ping request:

Preventing your system for responding to ping requests can make a big improvement in your
network security since no one can ping your server and receive an answer. The TCP/IP
protocol suite has a number of weaknesses that allows an attacker to leverage techniques in the
form of covert channels to surreptitiously pass data in otherwise benign packets.

Step 1
Preventing your server from responding to ping requests can help to minimize this problem. Not
responding to pings would at least keep most "crackers" out because they would never know it's
there. ICMP blocking can hurt the performance of long-duration TCP connections, and this is due
to the fact that MTU discovery relies on ICMP packets to work.

• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following lines:

# Enable/Disable ignoring ping request

net.ipv4.icmp_echo_ignore_all = 1

When this key is on (1), the computer will ignore all ICMP packets. It is not recommended to turn
on this key, except in special situations when you receive an ICMP packet based attack. In the
above parameter, we enable this option.

Step 2
Once the configuration has been set, you must restart your network for the change to take effect.
The command to restart the network is the following:

• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]

NOTE: There is another way to update the entry without restarting the network by using the
following command into your terminal screen:

[root@deep /]# sysctl -w net.ipv4.icmp_echo_ignore_all=1

212
 Process file system management 0
CHAPTER 7

Refuse responding to broadcasts request:

As for the ping request, it’s also important to disable broadcast requests. When a packet is
sent to an IP broadcast address (i.e. 192.168.1.255) from a machine on the local network,
that packet is delivered to all machines on that network. Then all the machines on a network
respond to this ICMP echo request and the result can be severe network congestion or outages
(Denial-of-Service attacks). See the RFC 2644 for more information.

Step 1
To disable broadcast requests, type the following command on your terminal.

• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following lines:

# Enable/Disable ignoring broadcasts request

net.ipv4.icmp_echo_ignore_broadcasts = 1

When this key is on (1), the server will never answer to "ping" if its destination address is
multicast or broadcast. It is good to turn on (1) this key to avoid your server becoming an
involuntary partner of a DoS attack. In the above parameter, we enable this option.

Step 2
Once the configuration has been set, you must restart your network for the change to take effect.
The command to restart the network is the following:

• To restart all networks devices manually on your system, use the following command:
[root@deep /]# /etc/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]

NOTE: There is another way to update the entry without restarting the network by using the
following command into your terminal screen:

[root@deep /]# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

213
 Process file system management 0
CHAPTER 7

Routing Protocols:
Routing and routing protocols can create several problems. IP source routing, where an IP packet
contains details of the path to its intended destination, is dangerous because according to RFC
1122 the destination host must respond along the same path. If an attacker was able to send a
source routed packet into your network, then he would be able to intercept the replies and fool
your host into thinking it is communicating with a trusted host.

Step 1
I strongly recommend that you disable IP source routing on all network interfaces on the system
to protect your server from this hole. If IP source routing is set to off (0), the server will not accept
source-routed frames. Remember that Source-routed frames have an embedded, explicit
description of the route between source and destination. Normally, IP packet routing is based
solely on destination's address.

• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following lines:

# Enable/Disable IP source routing

net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

Source-routed packets are a powerful concept but were never used, and can bring security
problems because they allow a non-blind, REMOTE spoof. It is a very good idea to turn off (0)
these keys. In the above parameters, we disable these options.

Step 2
Once configurations have been set, you must restart your network for the change to take effect.
The command to restart the network is the following:

• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]

NOTE: There is another way to update the entry without restarting the network by using the
following command into your terminal screen:

[root@deep /]# sysctl -w net.ipv4.conf.all.accept_source_route=1

[root@deep /]# sysctl -w net.ipv4.conf.default.accept_source_route=1

214
 Process file system management 0
CHAPTER 7

Enable TCP SYN Cookie Protection:

A "SYN Attack" is a Denial of Service (DoS) attack that consumes all the resources on your
machine, forcing you to reboot. Denials of Service attacks (attacks which incapacitate a server
due to high traffic volume or ones those tie-up system resources enough that the server cannot
respond to a legitimate connection request from a remote system) are easily achievable from
internal resources or external connections via extranets and Internet. Enabling TCP SYN Cookie
Protection will help to eliminate the problem. Below is a simple explanation of the concept.

Every TCP/IP connection begins with a 3-way handshake:

1. Client sends a packet (packet 1) to server with SYN bit on, and waits;
2. Server sends a confirmation packet (packet 2) to client, and waits;
3. Client sends a third packet (packet 3) that consolidates the connection.

Once the 3-way handshake is done, the server keeps data of packet 1 in a queue to compare it
with packet 3 and establish the connection. This queue is limited in size and a quite high timeout.
The SYN-flood attack exploits this fact and sends a lot of type-1 packets with random IP source
addresses; the phase 3 answers never arrive; and once the queue is full, the server cannot
receive more connections, be they legitimate or forged.

The SYN cookie "trick" is to embed a code in the header of phase 2 packets, so server DOES
NOT NEED TO KEEP any information about the client. If the phase 3 packet arrives someday,
the server will calculate the port and client initial sequence number based solely on that packet -
and will be able to establish the connection.

Step 1
Since this embedded codification reduces randomness of the server initial sequence number, and
thus can increase the "chance" of IP spoof family attacks, SYN cookies are used only in
emergency situations, that is, when the half-open connections queue is full.

• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following lines:

# Enable/Disable TCP SYN Cookie Protection

net.ipv4.tcp_syncookies = 1

If this key is on (1), the kernel will send "SYN cookies" ONLY and ONLY when the half-open
connections queue becomes full. This will mitigate the effects of SYN-flood DoS attacks. In the
above parameter, we enable this option.

Step 2
Once the configuration has been set, you must restart your network for the change to take effect.
The command to restart the network is the following:

• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]

WARNING: There is another way to update the entry without restarting the network by using the
following command into your terminal screen:

[root@deep /]# sysctl -w net.ipv4.tcp_syncookies=1

215
 Process file system management 0
CHAPTER 7

Disable ICMP Redirect Acceptance:

When hosts use a non-optimal or defunct route to a particular destination, an ICMP redirect
packet is used by routers to inform the hosts what the correct route should be. If an attacker is
able to forge ICMP redirect packets, he or she can alter the routing tables on the host and
possibly subvert the security of the host by causing traffic to flow via a path you didn't intend.

Step 1
A legitimate ICMP REDIRECT packet is a message from a router that says "router X is better
than me to reach network Y". Therefore, in complex networks, it will be highly recommended to
keep these keys activated. On simple networks, it’s strongly recommended to disable ICMP
Redirect Acceptance into all available interfaces on the server to protect it from this hole.

• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following lines:

# Enable/Disable ICMP Redirect Acceptance

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

When these keys are off (0), the kernel does not honor ICMP_REDIRECT packets, thus avoiding
a whole family of attacks based on forging of this type of packet. In the above parameters, we
disable these options.

Step 2
Once the configurations have been set, you must restart your network for the change to take
effect. The command to restart the network is the following:

• To restart all networks devices manually on your system, use the following command:
[root@deep /]# /etc/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]

NOTE: There is another way to update the entry without restarting the network by using the
following command into your terminal screen:

[root@deep /]# sysctl -w net.ipv4.conf.all.accept_redirects=0

[root@deep /]# sysctl -w net.ipv4.conf.default.accept_redirects=0

216
 Process file system management 0
CHAPTER 7

Enable bad error message Protection:

This option will alert you about all bad error messages on your network.

Step 1
• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following line:

# Enable/Disable bad error message Protection

net.ipv4.icmp_ignore_bogus_error_responses = 1

Step 2
Once configuration has been set, you must restart your network for the change to take effect. The
command to restart the network is the following:

• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]

NOTE: There is another way to update the entry without restarting the network by using the
following command into your terminal screen:

[root@deep /]# sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1

Enable IP spoofing protection:

The spoofing protection prevents your network from being the source of spoofed (i.e. forged)
communications that are often used in DoS Attacks.

Step 1
• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following lines:

# Enable/Disable IP spoofing protection

net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2

These keys control IP Spoof detection and can have the following values:

0=absolutely no checking (the default)

1=simple checking (only obvious spoofs)
2=strong checking (positive source verification)

The recommended standard is level 2, which can bring "problems in complex (non loop free)
networks". In the above parameters, we enable the “strong checking” option.

217
 Process file system management 0
CHAPTER 7

Step 2
Once the configurations have been made, you must restart your network for the change to take
effect. The command to restart the network is the following:

• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]

NOTE: This parameter will prevent spoofing attacks against your internal networks but your
external addresses can still be spoofed.

There is another way to update the entry without restarting the network by using the following
command into your terminal screen:

[root@deep /]# sysctl -w net.ipv4.conf.all.rp_filter=2

[root@deep /]# sysctl -w net.ipv4.conf.default.rp_filter=2

Enable Log Spoofed, Source Routed and Redirect Packets:

This change will log all Spoofed Packets, Source Routed Packets, and Redirect Packets to your
log files.

Step 1
• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following lines:

# Enable/Disable Log Spoofed, Source Routed, Redirect Packets

net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

When this key is on (1), the kernel will log any "impossible" packets, where the IP source address
spoofing is obvious. Example: packet with source address equal to 127.0.0.1 coming from an
Ethernet interface. In the above parameter, we enable this option.

Step 2
You must restart your network for the change to take effect. The command to restart the network
is the following:

• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]

NOTE: There is another way to update the entry without restarting the network by using the
following command into your terminal screen:

[root@deep /]# sysctl -w net.ipv4.conf.all.log_martians=1

[root@deep /]# sysctl -w net.ipv4.conf.default.log_martians=1

218
 Process file system management 0
CHAPTER 7

Other possible optimization of the system

All information described next relates to tuning we can make on the system. Be very careful when
attempting this. You can optimize your system, but you can also cause it to crash.

The shared memory limit parameters:

Shared memory is used for inter-process communication, and to store resources that are shared
between multiple processes such as cached data and code. If insufficient shared memory is
allocated any attempt to access resources that use shared memory such as database
connections or executable code will perform poorly.

Under UNIX world, shared memory is referred to as "System V IPC". Almost all modern operating
systems provide these features, but not all of them have them turned on or sufficiently sized by
default, especially systems with BSD heritage. With Linux the default shared memory limit (both
SHMMAX and SHMALL) is 32 MB in 2.4 kernels, but fortunately can be changed into the /proc file
system.

On system with small MB of RAM (>= 128MB), the default setting of 32MB for shared memory on
the system is enough and should not be changed. On system with lot of RAM, we can readjust
the default setting to better fit our machine and server performance.

Below, I show you an example, to allow 128MB of shared memory on the system. The new value
you enter for the shared memory should be four time less than what your total MB of RAM is. For
example if you have 512MB of RAM installed on your computer, then you can set the default
shared memory to 128MB as we do here. If you have less than what I use in this example, you
have to adjust the value to fit your needs.

Step 1
To change the default values of shared memory, type the following commands on your terminal:

• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following lines:

# Improve shared memory size

kernel.shmall = 134217728
kernel.shmmax = 134217728

Step 2
You must restart your network for the change to take effect. The command to restart the network
is the following:

• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]

NOTE: There is another way to update the entry without restarting the network by using the
following commands into your terminal screen:
[root@deep /]# sysctl -w kernel.shmall="134217728"
[root@deep /]# sysctl -w kernel.shmmax="134217728"

219
 Process file system management 0
CHAPTER 7

Tuning the default and maximum window size parameters:

The following hack allow us to raise network limits on Linux by requesting that the kernel provide
a larger send buffer for the server's connections to its clients. This is possible by tuning the
"default send window" and "maximum send window" parameters.

Default parameter under Linux is 64kb, this is correct for regular use of the OS but if you run your
system as a server, it is recommended to change the default parameter to a sufficiently-high
value like 2000kb. 64kb is equal to 65536 (64 * 1024 = 65536), to set the values to 2000kb, we
should enter new values of 2048000 (2000 * 1024 = 2048000).

Step 1
To change the default values of default and maximum window size, type the following
commands on your terminal:

• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following lines:

# Improve default and maximum window size

net.core.wmem_max = 2048000
net.core.wmem_default = 2048000

Step 2
You must restart your network for the change to take effect. The command to restart the network
is the following:

• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]

NOTE: There is another way to update the entry without restarting the network by using the
following commands into your terminal screen:
[root@deep /]# sysctl -w net.core.wmem_max="2048000"
[root@deep /]# sysctl -w net.core.wmem_default="2048000"

The ulimit parameter:

The ulimit command provides control over the resources available to the shell and to
processes started by it, on systems that allow such control. We can use it to change the default
resource set by the system to users or super user “root” but actually, we use it for changing
resources for the super user “root” only because resources for normal users are controlled and
managed through the /etc/security/limit.conf file.

It is not all default resources available through the ulimit parameter that need to be changed
but only those which can improve the performance of the server in a high load environment. Most
default values for the super user “root” are acceptable and should be kept unchanged. Linux itself
has a “Maximum Processes” per user limit. This feature allows us to control the number of
processes an existing user or the “root” super user on the server may be authorized to have. To
increase performance on highly loaded servers, we can safely set the limit of processes for the
super-user “root” to be unlimited. This is what we will do in the following steps.

220
 Process file system management 0
CHAPTER 7

One question remains, how can we change the default resources for a specific user on the
system? Each new user has a hidden file called “.bashrc” available in their home directory. It is
into this file that we can change the default value of resources for the specific user. In the
example below, we do it for the super user “root” but the procedure is the same for any users on
the system. Just edit their corresponding “.bashrc” file and make the change.

Step 1
• Edit the .bashrc file for super user “root” (vi /root/.bashrc) and add the line:

ulimit -u unlimited

NOTE: You must exit and re-login from your terminal for the change to take effect.

Step 2
To verify that you are ready to go, make sure that when you type as root the command ulimit
-a on your terminal, it shows "unlimited" next to max user processes.

[root@deep /]# ulimit -a

core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
file size (blocks, -f) unlimited