
Making a new rescue floppy for Modularized Kernel

This section applies only if you chose to install a Modularized Kernel on your system.

Immediately after you successfully start your system and log in as root, you should create a new emergency boot floppy disk. The procedure is the same as the one shown at the beginning of this chapter for the Linux kernel.

Please go back to the beginning of this chapter and follow the procedure to recreate a new emergency boot floppy disk suitable for the newly installed Linux kernel on your system. Don’t forget to test the boot disk to be sure that it works.

The mkbootdisk program works only with a Modularized Kernel, so you can’t use it with a Monolithic Kernel; instead, create an emergency boot floppy disk for a Monolithic Kernel as shown below.

Making an emergency boot floppy disk for Monolithic Kernel

This section applies only if you chose to install a Monolithic Kernel on your system. Because a rescue floppy can be created with mkbootdisk only on a Modularized Kernel, we must find another way to boot our Linux system running a Monolithic Kernel if the Linux kernel on the hard disk is damaged.

This is possible with a Linux emergency boot floppy disk. You should create it immediately after you successfully start your system and log in as root. To create the emergency boot floppy, follow these steps:

Step 1

Insert a floppy disk and format it with the following command:

[root@deep /]# fdformat /dev/fd0H1440

Double-sided, 80 tracks, 18 sec/track. Total capacity 1440 kB. Formatting ... done

Verifying ... done

Step 2

Copy the actual file “vmlinuz” from the /boot directory to the floppy disk:

[root@deep /]# cp /boot/vmlinuz /dev/fd0H1440

cp: overwrite `/dev/fd0H1440'? y

NOTE: The vmlinuz file is a symbolic link that points to the real Linux kernel.

Step 3

Determine the kernel’s root device with the following command:

[root@deep /]# rdev

/dev/sda6 /

NOTE: The kernel’s root device is the disk partition where the root file system is located. In this example, the root device is /dev/sda6; the device name will likely be different on your system.

Kernel Security & Optimization 0 CHAPTER 6

Step 4

Set the kernel’s root device with the following command:

[root@deep /]# rdev /dev/fd0H1440 /dev/sda6

NOTE: To set the kernel’s root device, use the device reported by the “rdev” command utility in the previous step.

Step 5

Mark the root device as read-only with the following command:

[root@deep /]# rdev -R /dev/fd0H1440 1

NOTE: This causes Linux to initially mount the root file system as read-only. By setting the root device as read-only, you avoid several warnings and error messages.

Step 6

Now put the boot floppy in drive A: and reboot your system with the following command to make sure that your new boot disk works:

[root@something /]# reboot

Following these guidelines, you will now have a boot floppy with a known working kernel in case of problems with the upgrade. I recommend rebooting the system from the floppy to make sure that the floppy works correctly.
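Steps 1 through 5 as one script, written as an added example and not the book’s own code: it adds the checks the steps leave implicit (that /boot/vmlinuz resolves to a real file, that the raw kernel image fits on a 1.44 MB floppy, and that the root device reported by rdev is a block device). It assumes the historical fdformat and rdev tools and the /dev/fd0H1440 device from the chapter.

```shell
#!/bin/sh
# Added example, not from the book: Steps 1 through 5 of the monolithic-kernel
# boot floppy as one script, plus the checks the steps leave implicit.
# Assumes the historical fdformat/rdev tools and the /dev/fd0H1440 device.

FLOPPY=${FLOPPY:-/dev/fd0H1440}
FLOPPY_BYTES=$((1440 * 1024))   # capacity reported by fdformat in Step 1

# Extract the root device from `rdev` output such as "/dev/sda6 /" (Step 3).
root_device_from_rdev() {
    printf '%s\n' "$1" | awk 'NF >= 2 && $2 == "/" { print $1; exit }'
}

# The kernel is copied raw with cp, with no filesystem on the floppy, so an
# image larger than the floppy would be silently truncated and not boot.
kernel_fits_floppy() {
    [ -f "$1" ] || return 1
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -gt 0 ] && [ "$size" -le "$FLOPPY_BYTES" ]
}

make_boot_floppy() {
    # /boot/vmlinuz is a symbolic link; resolve it to the real kernel image.
    kernel=$(readlink -f /boot/vmlinuz) && [ -f "$kernel" ] ||
        { echo "no kernel image behind /boot/vmlinuz" >&2; return 1; }
    kernel_fits_floppy "$kernel" ||
        { echo "$kernel is larger than $FLOPPY_BYTES bytes" >&2; return 1; }
    root=$(root_device_from_rdev "$(rdev)")
    [ -b "$root" ] ||
        { echo "root device '$root' is not a block device" >&2; return 1; }
    fdformat "$FLOPPY"      || return 1   # Step 1: low-level format
    cp "$kernel" "$FLOPPY"  || return 1   # Step 2: raw copy of the kernel
    rdev "$FLOPPY" "$root"  || return 1   # Step 4: set the root device
    rdev -R "$FLOPPY" 1                   # Step 5: mount root read-only
    echo "boot floppy written; reboot from it to test it (Step 6)"
}

# Only write to the floppy when explicitly asked, so sourcing the file is safe.
if [ "${1:-}" = "--run" ]; then
    make_boot_floppy
fi
```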

Step 7

Because the mkbootdisk and dosfstools programs are required only when you have a Modularized Kernel installed on your Linux system, we can remove the unneeded mkbootdisk and dosfstools packages when a Monolithic Kernel is installed on our server.

• To uninstall the mkbootdisk and dosfstools utility, use the following command:

IN THIS CHAPTER

1. What is sysctl?

2. /proc/sys/vm: The virtual memory subsystem of Linux

3. /proc/sys/fs: The file system data of Linux

4. /proc/sys/net/ipv4: IPV4 settings of Linux

5. Other possible optimization of the system


Linux /proc

Abstract

The /proc (the process file system), also known as a pseudo-filesystem, is used as an interface to kernel data structures. It does not exist on disk: neither the /proc directory nor its subdirectories or files actually exist. Most of the files in this special directory are read-only and cannot be changed, but some kernel variables can be changed. It is these files that we will talk about in this chapter of the book.

It is important to note that the /proc filesystem is structured as a hierarchy. Most of the entries in the /proc directory are decimal numbers, each corresponding to the process ID of a process running on the system. These entries are themselves subdirectories, and access to the process state is provided by additional files contained within each subdirectory. Have you ever thought about where all the processes running in the background of your system are handled and managed by the kernel? The answer is the /proc filesystem directory of Linux.

But the /proc filesystem doesn’t handle only the process IDs of the system; it also provides and manages all access to the state information of the system. This information covers the CPU, devices, IDE, SCSI, interrupts, I/O ports, memory, modules, partitions, PCI information and much more. Just take a quick look inside your /proc filesystem directory to get an idea of the available features controlled by the kernel through the /proc filesystem. We can read the contents of this information to find out what processor, PCI devices, network cards, kernel version, partitions, etc. we have on our system.

As we said before, not all features available in the /proc filesystem are customizable; most are managed by the kernel and cannot be changed. Those are well controlled by the kernel and should not require any modification, since the kernel does a good job with them. Some can, and need to be, changed and customized to better fit your system resources and increase security. It is those customizable features related to the performance and security of the Linux system under the /proc filesystem that we will explain and customize in this chapter.

This is possible with the /etc/sysctl.conf file, which contains values that change the default parameters of customizable features in the /proc filesystem. To recap, sysctl.conf is the configuration file read by sysctl(8), an interface that allows you to make changes to a running Linux system. We use sysctl.conf to talk to the kernel and say, for example: hey, I need more power on the virtual memory, please change your value to this value.

Throughout this chapter, we’ll often use it to customize our /proc filesystem on Linux to make better use of the resources, power and security of our particular machine. Remember that everyone has a different computer with different hardware and settings, and this is why changing some default customizable values in the /proc directory can make a difference in security and speed. In this chapter, we will talk about the customizable parameters available under the /proc/sys directory, since most of the changeable parameters are located there. We will talk about virtual memory, the file system, and TCP/IP stack security and performance.