Compile the linux kernel for Manjaro with audit support

How to compile the linux kernel for Manjaro with audit support?


The default Manjaro kernel has no audit support, so we need to recompile it.

I would like to recompile the linux kernel within the Manjaro standard setup, just adding audit support and nothing else.

At the moment I’m using the following linux kernel:

Linux 4.4.39-1 (“linux44”)


From what I understand so far, we have to add the following parameters in the file “config.x86_64”…

CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y

NOTE: I do not know if all of these are needed…


I’m not sure about doing this. Please guide me! I do not want to risk being without my beloved Manjaro! =D

As far as I know, systemd provides audit functionality.

That said, what is the purpose of your request?
For example, I would like to have an audit enabled kernel in repos for consolekit to work properly, but I lack time to maintain it.

1 Like

@artoo
Use “auditctl” to list all files that are accessed by a particular application in a folder. For this I use the script…


… that I created.

About “As far as I know, systemd provides audit functionality.” see what Octopi says when installing audit …

CONFIG_AUDIT is disabled in the Arch kernel packages so a custom kernel
is required for most components of this package. However, some features
like the utility methods in libaudit work without kernel support.

I also did the test and it really is not working.
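The post above uses auditctl to see which files an application touched. As an added example, which is not part of any post in this thread, here is a small shell/awk function that reads raw audit.log records tagged with an auditctl -k key and summarises, per event, the uid, the executable and the file path, joining the SYSCALL record to its PATH records by the serial number in msg=audit(timestamp:serial). The sample log lines are constructed for the demo, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the forum thread: summarise "who touched the
# watched file" from raw audit.log records tagged with an auditctl -k key.
# Assumes the standard auditd record format (type=SYSCALL / type=PATH lines
# that share one msg=audit(timestamp:serial) event id). The sample log below
# is constructed for the demo, not captured from a real machine.

# audit_who_touched LOGFILE KEY
# Prints one line per matching event: <serial> <uid> <exe> <path>
audit_who_touched() {
    awk -v want="$2" '
    # fld(rec, name): value of a " name=..." field, quoted or bare, "" if absent
    function fld(rec, name,    m) {
        if (match(rec, " " name "=\"[^\"]*\"")) {
            m = substr(rec, RSTART, RLENGTH)
            sub(/^[^=]*="/, "", m); sub(/"$/, "", m)
            return m
        }
        if (match(rec, " " name "=[^ ]*")) {
            m = substr(rec, RSTART, RLENGTH)
            sub(/^[^=]*=/, "", m)
            return m
        }
        return ""
    }
    # every record carries msg=audit(ts:serial); the serial ties the
    # SYSCALL record to its PATH records
    {
        if (!match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) next
        serial = substr($0, RSTART, RLENGTH)
        sub(/^msg=audit\([0-9.]+:/, "", serial); sub(/\)$/, "", serial)
    }
    $1 == "type=SYSCALL" && fld($0, "key") == want {
        uid[serial] = fld($0, "uid"); exe[serial] = fld($0, "exe")
        order[++n] = serial
    }
    # keep the non-PARENT path item (the file itself, not its directory)
    $1 == "type=PATH" && fld($0, "nametype") != "PARENT" {
        path[serial] = fld($0, "name")
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]
            print s, uid[s], exe[s], path[s]
        }
    }' "$1"
}

# write_sample_log FILE: constructed audit.log excerpt: a write by sed and a
# read by root's cat under key audittestkey, plus one unrelated event
write_sample_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1485900000.100:456): arch=c000003e syscall=2 success=yes exit=3 a0=55d2c0 a1=241 a2=1b6 a3=0 items=2 ppid=2100 pid=2101 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="sed" exe="/usr/bin/sed" key="audittestkey"
type=CWD msg=audit(1485900000.100:456):  cwd="/home/user"
type=PATH msg=audit(1485900000.100:456): item=0 name="/home/user/audittest/" inode=131073 dev=08:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1485900000.100:456): item=1 name="/home/user/audittest/foo.txt" inode=131074 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1485900005.200:457): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd10 a1=0 a2=0 a3=0 items=1 ppid=2200 pid=2201 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="cat" exe="/usr/bin/cat" key="audittestkey"
type=CWD msg=audit(1485900005.200:457):  cwd="/root"
type=PATH msg=audit(1485900005.200:457): item=0 name="/home/user/audittest/foo.txt" inode=131074 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1485900009.300:458): arch=c000003e syscall=2 success=yes exit=4 a0=0 a1=0 a2=0 a3=0 items=1 ppid=2300 pid=2301 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="otherkey"
type=PATH msg=audit(1485900009.300:458): item=0 name="/etc/hosts" inode=12 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
EOF
}

log=$(mktemp)
write_sample_log "$log"
audit_who_touched "$log" audittestkey   # on a real box: /var/log/audit/audit.log
rm -f "$log"
```

On a real system the log file is /var/log/audit/audit.log and needs root to read; ausearch -k does the same join with many more fields, so this is mainly useful for understanding what the ausearch output is built from, or for checking a log copied off a machine.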

I told you, kernel audit is disabled, since packages rely on systemd’s audit.
I run a custom kernel on my system with kernel audit enabled, however, to make it clear, I don’t run systemd, I run openrc and consolekit.

1 Like

To compile your kernel, you can use the PKGBUILD found here:

That way you can use pacman to manage your kernel. Also, you may want to get familiar with modprobed-db and make local config to drastically reduce the compile time, if you are compiling it just for yourself: https://wiki.archlinux.org/index.php/Modprobed-db

And makepkg.conf https://wiki.archlinux.org/index.php/makepkg

2 Likes

Okay friends. Here is the procedure I used…

Install dependencies…

# pacman -S git
# pacman -S vim
# pacman -S xmlto

Clone the official Manjaro’s packages-core…

$ git clone https://github.com/manjaro/packages-core.git
$ cd ./packages-core/linux44

NOTE: linux44 is the kernel version I want to compile!

Open…

$ vim ./config.x86_64

… and add this…

CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y

Add permissions to your user…

chown -R <your_user> /home/<your_user>/packages-core
chown -R :<your_user> /home/<your_user>/packages-core

Enter the folder…

$ cd /home/<your_user>/packages-core/linux44


NOTE: To work around the error "==> ERROR: Failure while downloading "…

$ wget ftp://teambelgium.net/bfq/patches/4.3.0-v7r8/0001-block-cgroups-kconfig-build-bits-for-BFQ-v7r8-4.3.patch
$ mv "0001-block-cgroups-kconfig-build-bits-for-BFQ-v7r8-4.3.patch" "0001-block-cgroups-kconfig-build-bits-for-BFQ-v7r8.patch"

$ wget ftp://teambelgium.net/bfq/patches/4.3.0-v7r8/0002-block-introduce-the-BFQ-v7r8-I-O-sched-for-4.3.patch
$ mv "0002-block-introduce-the-BFQ-v7r8-I-O-sched-for-4.3.patch" "0002-block-introduce-the-BFQ-v7r8-I-O-sched.patch"

$ wget ftp://teambelgium.net/bfq/patches/4.3.0-v7r8/0003-block-bfq-add-Early-Queue-Merge-EQM-to-BFQ-v7r8-for-4.3.0.patch
$ mv "0003-block-bfq-add-Early-Queue-Merge-EQM-to-BFQ-v7r8-for-4.3.0.patch" "0003-block-bfq-add-Early-Queue-Merge-EQM-to-BFQ-v7r8.patch"

Make the package…

Regenerate checksums…

$ makepkg -g >> PKGBUILD

Make the package…

$ makepkg -s


NOTE: “y”, “n” and “m” meaning during compilation…
[Ref.: http://stackoverflow.com/questions/5392756/what-does-m-mean-in-kernel-configuration-file]

I assume, this refers to the same as the (y,n,m) prompt when running make config; in that case it would be “module”.

Note that compiling Unix domain sockets (CONFIG_UNIX) as module is probably not a good idea. A lot of system components and programs depend on them, and some services might fail to start up if the module has not been loaded at that time.

Most functionality in the Linux kernel can either be compiled in (“y”) or left out (“n”), and much of it can also be compiled as a loadable module. This makes sense when you don’t know for certain whether you will need some feature in the future.

If you compile it as module and it turns out that it is needed, it will work, but until then it will not bloat the kernel.

It does not, however, really make sense to configure Unix domain sockets as a module, because they are needed almost everywhere (e.g. udev will fail to launch at startup).

If you know you will need something anyway, that should be “y”, not “m”


Install the package…

# pacman -U linux44-4.4.42-1-x86_64.pkg.tar.xz

[Ref.: https://airtoncs.wordpress.com/tag/makepkg/]

Install audit framework…

# pacman -S audit

Reboot!

Start auditd service…

# systemctl start auditd.service

Testing…

Add a watch…

cd /home/<your_user>
mkdir -p /home/<your_user>/audittest
echo "Manjaro rules!" > /home/<your_user>/audittest/foo.txt
auditctl -w /home/<your_user>/audittest/foo.txt -p war -k audittestkey

Check if the watch has been set…

auditctl -l

Make an edit…

sed -i 's/Manjaro/My Manjaro/g' /home/<your_user>/audittest/foo.txt

Find out who changed or accessed the file /home/<your_user>/audittest/foo.txt…

ausearch -f /home/<your_user>/audittest/foo.txt -k audittestkey

Remove watch…

auditctl -D -k audittestkey

Done! =D


Further question:

Audit is a source of vulnerabilities and performance problems…

It was also done to get rid of CONFIG_AUDIT, which has a high cost. It’s the source of a significant number of kernel vulnerabilities, fills the kernel log with nonsense by default and forces all system calls down the slow path by default which has a high performance cost.

[Ref.: https://github.com/manjaro/packages-core/issues/49]

Is there any way I can disable audit in the kernel or choose the kernel I want to boot?


Thanks to @artoo and @Chrysostomus!

2 Likes
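The config edit in the procedure above is done by hand in vim. As an added example, which is not the poster's script and not Manjaro's tooling, here is a shell function that sets Kconfig options idempotently: it replaces a "# CONFIG_FOO is not set" line or an existing "CONFIG_FOO=..." line in place and only appends when the file does not mention the option, so re-running it after a fresh git checkout never produces duplicate lines. The sample config fragment is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the forum thread: set kernel config options
# from a script instead of by hand in vim, so the edit is idempotent and can
# be re-run after every "git checkout" of a new packages-core revision.
# Assumes the plain Kconfig text format used by config.x86_64
# ("CONFIG_FOO=y" / "# CONFIG_FOO is not set"). The sample config below is
# constructed for the demo.

# kconfig_set FILE OPTION VALUE
# Replaces "# OPTION is not set" or an existing "OPTION=..." line in place,
# or appends the option if the file does not mention it at all.
kconfig_set() {
    tmp=$(mktemp)
    awk -v opt="$2" -v val="$3" '
        $0 == "# " opt " is not set" { print opt "=" val; seen = 1; next }
        index($0, opt "=") == 1       { print opt "=" val; seen = 1; next }
        { print }
        END { if (!seen) print opt "=" val }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# kconfig_get FILE OPTION: prints the value, or "n" if unset or absent
kconfig_get() {
    awk -v opt="$2" '
        $0 == "# " opt " is not set" { print "n"; found = 1; exit }
        index($0, opt "=") == 1       { print substr($0, length(opt) + 2); found = 1; exit }
        END { if (!found) print "n" }
    ' "$1"
}

# enable_kernel_audit FILE: the four options this thread adds to config.x86_64
enable_kernel_audit() {
    for opt in CONFIG_AUDIT CONFIG_AUDITSYSCALL CONFIG_AUDIT_WATCH CONFIG_AUDIT_TREE; do
        kconfig_set "$1" "$opt" y
    done
}

# kconfig_audit_enabled FILE: succeeds only if all four options are =y
kconfig_audit_enabled() {
    for opt in CONFIG_AUDIT CONFIG_AUDITSYSCALL CONFIG_AUDIT_WATCH CONFIG_AUDIT_TREE; do
        [ "$(kconfig_get "$1" "$opt")" = y ] || return 1
    done
}

# write_sample_config FILE: constructed fragment of a config.x86_64 with
# audit off, the way the stock kernel config ships
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_LOCALVERSION="-MANJARO"
CONFIG_SYSVIPC=y
# CONFIG_AUDIT is not set
CONFIG_UNIX=y
EOF
}

cfg=$(mktemp)                # real use: packages-core/linux44/config.x86_64
write_sample_config "$cfg"
enable_kernel_audit "$cfg"
kconfig_audit_enabled "$cfg" && echo "audit options set in $cfg"
cat "$cfg"
rm -f "$cfg"
```

Kconfig dependencies are only resolved when the kernel's own configuration step runs during the build, so options set this way can still be prompted for or adjusted at that point; kconfig_audit_enabled is a check on the file you edited, not on the kernel that comes out of makepkg.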

Is there any way I can disable audit in the kernel or choose the kernel I want to boot?

Yes, that way…

In the file…

vim /etc/default/grub

… add the value…

audit=0

… to the parameter…

GRUB_CMDLINE_LINUX_DEFAULT

… and update grub…

update-grub


Further question:

Is there any way I can choose the kernel I want to boot?


1 Like

Install multiple kernels with mhwd and run

sudo update-grub

Grub should automatically find your kernels and generate menu entries for them. Refind also finds kernels automatically.

In /etc/default/grub you can set GRUB_DISABLE_SUBMENU=y
https://wiki.archlinux.org/index.php/GRUB/Tips_and_tricks#Disable_submenu
Thus you will avoid entering a submenu in Grub to select between different kernels.

1 Like

Guys,

The idea is (example) have two selectable boot options. One with…

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash resume=UUID=1124be92-118c-4a04-81ad-35c4d91e1c4e audit=1"

… “audit=1” and other with…

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash resume=UUID=1124be92-118c-4a04-81ad-35c4d91e1c4e audit=0"

… “audit=0”.

Is it possible? Thanks!

@Chrysostomus @eugen-b @artoo

You can create custom Grub entries in /etc/grub.d/40_custom.
Copy the code snippet from /boot/grub/grub.cfg there and adjust it to your liking.

1 Like

@eduardolucioac

I am not sure you can enable/disable audit in kernel command line.

If you enable audit in the kernel config, you are going to need to rebuild all (external) kernel modules.

Compile the linux kernel for Manjaro with audit support (include grub bootloader customization)

This is the revised procedure with some additions (UPDATED):

WARNING I: Make a backup of your Manjaro and test this procedure on a virtual machine before!
WARNING II: This procedure is generic and may be outdated at the time you use it! Be wise and use your head! :grin:

COMPILE YOUR CUSTOMIZED KERNEL:

Install dependencies…

# pacman -S git
# pacman -S vim
# pacman -S xmlto

NOTE:
$ - regular user;
# - root user.


Clone the official Manjaro’s packages-core…

$ cd /home/[your_user]
$ git clone https://github.com/manjaro/packages-core.git

NOTE: linux44 (4.4.41-1) is the kernel version I want to compile! Below is how to check the kernel version currently (officially) in use by Manjaro! I recommend choosing the same version of the kernel in use to avoid surprises!

Do a checkout (going back to that repository version) for the exact version of your current kernel…

$ cd /home/[your_user]/packages-core
$ git checkout bf16fc0b5cefc3d8710c1bd8793ac5d5cb68fc13

… which is version “4.4.41-1” (in my case).

You can try to figure out which commit refers to your version using these commands…

$ cd /home/[your_user]/packages-core
$ git log --all --grep='4.4.4'

… or…

$ cd /home/[your_user]/packages-core
$ git log --all > ver.txt

… or simply…

$ cd /home/[your_user]/packages-core
$ git log --all

TIP: The stable version (image above) of the kernel is the version immediately before the next update. In the example below, version 4.4.45-1 (stable) is the commit immediately before the one that generated version 4.4.46 ("- bump to 4.4.46")…

commit ec324ef83a24d894ac7e30bf2bb2869bab762763
Author: Philip <philm@manjaro.org>
Date:   Thu Feb 2 08:40:34 2017 +0100

    Kernels (312, 44, 49, 410)
    - bump to 3.12.70
    - bump to 4.4.46
    - bump to 4.9.7
    - bump to 4.10-rc6

… which is the commit…

commit 4c5fe6d34ec3238fbbfd4d81c537236563bba7be
Author: Bernhard Landauer <oberon@manjaro.org>
Date:   Tue Jan 24 19:31:02 2017 +0100

    [grub] update-grub on remove kernels https://forum.manjaro.org/t/grub-libalpm-hook-problem/16283

WARNING: This practical rule used to determine the kernel version (using the commit logs) is generic and does not always work. Be aware! We can only “be sure” about the kernel version with this procedure…


NOTE: In the thread below there is a complete discussion on how to set the commit (checkout) for a given version…


Open…

$ cd /home/[your_user]
$ vim ./packages-core/linux44/config.x86_64

… and add this…

CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y

… below “# CONFIG_AUDIT is not set” segment.

Enter the folder…

$ cd /home/[your_user]/packages-core/linux44

Update the checksums…

$ updpkgsums

[Ref.: https://airtoncs.wordpress.com/tag/makepkg/]


NOTE: To work around the error (if it happens) "==> ERROR: Failure while downloading "…

$ wget ftp://teambelgium.net/bfq/patches/4.3.0-v7r8/0001-block-cgroups-kconfig-build-bits-for-BFQ-v7r8-4.3.patch
$ mv "0001-block-cgroups-kconfig-build-bits-for-BFQ-v7r8-4.3.patch" "0001-block-cgroups-kconfig-build-bits-for-BFQ-v7r8.patch"

$ wget ftp://teambelgium.net/bfq/patches/4.3.0-v7r8/0002-block-introduce-the-BFQ-v7r8-I-O-sched-for-4.3.patch
$ mv "0002-block-introduce-the-BFQ-v7r8-I-O-sched-for-4.3.patch" "0002-block-introduce-the-BFQ-v7r8-I-O-sched.patch"

$ wget ftp://teambelgium.net/bfq/patches/4.3.0-v7r8/0003-block-bfq-add-Early-Queue-Merge-EQM-to-BFQ-v7r8-for-4.3.0.patch
$ mv "0003-block-bfq-add-Early-Queue-Merge-EQM-to-BFQ-v7r8-for-4.3.0.patch" "0003-block-bfq-add-Early-Queue-Merge-EQM-to-BFQ-v7r8.patch"

… and run “updpkgsums” again!


Prepare and install the package (be patient)…

$ makepkg -si


NOTE: “y”, “n” and “m” meaning during compilation…

[…] I assume, this refers to the same as the (y,n,m) prompt when running make config; in that case it would be “module”.

Note that compiling Unix domain sockets (CONFIG_UNIX) as module is probably not a good idea. A lot of system components and programs depend on them, and some services might fail to start up if the module has not been loaded at that time.

Most functionality in the Linux kernel can either be compiled in (“y”) or left out (“n”), and much of it can also be compiled as a loadable module. This makes sense when you don’t know for certain whether you will need some feature in the future.

If you compile it as module and it turns out that it is needed, it will work, but until then it will not bloat the kernel.

It does not, however, really make sense to configure Unix domain sockets as a module, because they are needed almost everywhere (e.g. udev will fail to launch at startup).

If you know you will need something anyway, that should be “y”, not “m” […]

[Ref.: http://stackoverflow.com/questions/5392756/what-does-m-mean-in-kernel-configuration-file]


For…

AUDIT target support (NETFILTER_XT_TARGET_AUDIT) [N/m/?] (NEW)

… choose “m” and press Enter.

For…

Enables integrity auditing support (INTEGRITY_AUDIT) [Y/n/?] (NEW)

… choose “Y” and press Enter.

INSTALL EXTRA PACKAGES:

WARNING: It is not always necessary to install the extra packages! This procedure should only be done if any problem is occurring!

Download/clone “packages-extra”…

cd /home/[your_user]
git clone https://github.com/manjaro/packages-extra.git

“ndiswrapper” is the only standard (Manjaro standard/initial setup) module that needs to be compiled and installed (only if necessary)…

cd /home/[your_user]/packages-extra/linux44-extramodules/ndiswrapper
updpkgsums
makepkg -sri

The ndiswrapper module is used by network components. After installing it, reboot the machine.

If the network components still do not work, also install the r8168 module (only if necessary), then reboot again…

cd /home/[your_user]/packages-extra/linux44-extramodules/r8168
updpkgsums
makepkg -sri

As I have a GPU (NVIDIA Corporation GF108M [GeForce GT 630M] (rev a1)), I compile and install these too (only if necessary)…

cd /home/[your_user]/packages-extra/linux44-extramodules/bbswitch
updpkgsums
makepkg -sri
cd /home/[your_user]/packages-extra/linux44-extramodules/nvidia
updpkgsums
makepkg -sri

TIP:

To find out which extra modules need to be compiled and installed on your Manjaro, run the command below…

pacman -Qg linux44-extramodules

INSTALL AUDIT FRAMEWORK:

Install audit framework…

# pacman -S audit

… and reboot.

Start auditd service…

# systemctl start auditd.service

Testing…

Add a watch…

$ cd /home/[your_user]
$ mkdir /home/[your_user]/audittest
$ echo "Manjaro rules!" > /home/[your_user]/audittest/foo.txt
# auditctl -w /home/[your_user]/audittest/foo.txt -p war -k audittestkey

Check if the watch has been set…

# auditctl -l

Make an edit…

$ sed -i 's/Manjaro/My Manjaro/g' /home/[your_user]/audittest/foo.txt

Find out who changed or accessed the file “/home/[your_user]/audittest/foo.txt”…

# ausearch -f /home/[your_user]/audittest/foo.txt -k audittestkey

NOTE: The above command will display a log.

Remove watch…

# auditctl -D -k audittestkey

CUSTOMIZE GRUB:

To enable/disable audit in your compiled kernel using the grub bootloader.


NOTE:

Audit is a source of vulnerabilities and performance problems…

[…] It was also done to get rid of CONFIG_AUDIT, which has a high cost. It’s the source of a significant number of kernel vulnerabilities, fills the kernel log with nonsense by default and forces all system calls down the slow path by default which has a high performance cost […]

[Ref.: https://github.com/manjaro/packages-core/issues/49]


Open…

# vim -p /boot/grub/grub.cfg /etc/grub.d/40_custom

… and copy the section between “### BEGIN /etc/grub.d/10_linux ###” and “### END /etc/grub.d/10_linux ###” from “/boot/grub/grub.cfg” inside “/etc/grub.d/40_custom” just below the comments.

[Ref.: https://help.ubuntu.com/community/Grub2/CustomMenus]

Inside “# vim /etc/grub.d/40_custom”, where segments similar to “gnulinux-simple-e312f949-c265-4236-9128-78cc466ada72” appear (in the copied section), change the last character/number to a different value.

Example…

"gnulinux-simple-e312f949-c265-4236-9128-78cc466ada72" to "gnulinux-simple-e312f949-c265-4236-9128-78cc466ada78"

NOTE: Without the changes just above the parameters “GRUB_DEFAULT=saved” and “GRUB_SAVEDEFAULT=true” of the file “/etc/default/grub” will not work.

Inside “# vim /etc/grub.d/40_custom” append the value " (audit)" where a segments similar to this “Manjaro Linux” appears (in the copied section). These are the values that will appear in the grub menu during boot. If there is any entry with “submenu” value also include this in the same procedures above.

Example…

"Manjaro Linux" to "Manjaro Linux (audit)"

Inside “# vim /etc/grub.d/40_custom”, append the value “audit=1” where segments similar to “linux /boot/vmlinuz-4.4-x86_64 root=UUID=e312f949-c265-4236-9128-78cc466ada72 rw quiet splash resume=UUID=1124be92-118c-4a04-81ad-35c4d91e1c4e” appear (in the copied section). These parameters will ENABLE audit in your compiled kernel during boot.

Example…

"linux /boot/vmlinuz-4.4-x86_64 root=UUID=e312f949-c265-4236-9128-78cc466ada72 rw quiet splash resume=UUID=1124be92-118c-4a04-81ad-35c4d91e1c4e" to "linux /boot/vmlinuz-4.4-x86_64 root=UUID=e312f949-c265-4236-9128-78cc466ada72 rw quiet splash resume=UUID=1124be92-118c-4a04-81ad-35c4d91e1c4e audit=1"

Inside “# vim /etc/default/grub”, append the value “audit=0” where the parameter “GRUB_CMDLINE_LINUX_DEFAULT” appears. This parameter will DISABLE audit in your compiled kernel during boot.

Example…

"GRUB_CMDLINE_LINUX_DEFAULT="quiet splash resume=UUID=1124be92-118c-4a04-81ad-35c4d91e1c4e"" to "GRUB_CMDLINE_LINUX_DEFAULT="quiet splash resume=UUID=1124be92-118c-4a04-81ad-35c4d91e1c4e audit=0""

Also check…

GRUB_DEFAULT=saved
GRUB_SAVEDEFAULT=true

… parameters values.

Finally run…

# update-grub

… and reboot.

You will see entries like “Manjaro Linux (audit)” and “Manjaro Linux (Kernel: 4.4.43-1-MANJARO x64) (audit)” in the grub menu. These entries enable “audit”.

Done! =D

[Ref.: http://www.dedoimedo.com/computers/grub-2.html]


EXTRA:

If you use VMware, you may experience the following problem after compiling the kernel…

“Could not open /dev/vmmon: No such file or directory.
Please make sure that the kernel module `vmmon’ is loaded.”

“Failed to initialize monitor device.”

The solution is to remove VMware…

sudo bash VMware-<other_installer_info>.bundle --uninstall-product=vmware-<type>

… then reinstall it…

sudo bash VMware-<other_installer_info>.bundle


Thanks to @artoo, @Chrysostomus, @Lolix and @oberon! You are amazing!


Further question:

What do you guys think about turning this procedure into a wiki?


2 Likes
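The CUSTOMIZE GRUB section above does three edits by hand on the copied 10_linux section: a unique menuentry id, an "(audit)" suffix in the title, and audit=1 on the kernel line. As an added example, which is not the poster's procedure and not part of the grub or Manjaro tooling, here is a shell function that derives those "(audit)" entries from grub.cfg mechanically, so they can be regenerated with the same command after each kernel update. It goes a little beyond the post: it strips an audit=0 that GRUB_CMDLINE_LINUX_DEFAULT already put on the kernel line before appending audit=1, and it makes the id unique by appending "-audit" instead of changing one character. The sample grub.cfg is constructed for the demo (the UUIDs are the ones quoted in the thread).

```shell
#!/bin/sh
# Added example, not part of the forum thread: derive the "(audit)" boot
# entries for /etc/grub.d/40_custom from the 10_linux section of grub.cfg,
# doing mechanically what the post describes doing in vim. Assumes the
# grub.cfg layout generated by update-grub (### BEGIN/END markers,
# $menuentry_id_option ids, one "linux" line per entry). The sample
# grub.cfg below is constructed for the demo; the UUIDs are the ones
# quoted in the thread.

# grub_audit_variant GRUB_CFG
# Prints a copy of every 10_linux entry with: a unique id ("-audit" appended,
# so GRUB_DEFAULT=saved can tell the copies apart), "(audit)" in the menu and
# submenu titles, and audit=1 replacing any audit=0/1 on the kernel line.
grub_audit_variant() {
    sed -e "/^### BEGIN \/etc\/grub.d\/10_linux ###/,/^### END \/etc\/grub.d\/10_linux ###/!d" \
        -e "/^### BEGIN /d" -e "/^### END /d" \
        -e "s/\([\$]menuentry_id_option 'gnulinux-[^']*\)'/\1-audit'/" \
        -e "s/^\([[:space:]]*menuentry '[^']*\)'/\1 (audit)'/" \
        -e "s/^\([[:space:]]*submenu '[^']*\)'/\1 (audit)'/" \
        -e "/^[[:space:]]*linux[[:space:]]/s/ audit=[01]//g" \
        -e "s/^\([[:space:]]*linux[[:space:]].*\)/\1 audit=1/" \
        "$1"
}

# write_sample_grub_cfg FILE: constructed excerpt of a generated grub.cfg,
# with audit=0 already on the kernel lines via GRUB_CMDLINE_LINUX_DEFAULT
write_sample_grub_cfg() {
    cat > "$1" <<'EOF'
### BEGIN /etc/grub.d/00_header ###
set timeout=5
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/10_linux ###
menuentry 'Manjaro Linux' --class manjaro --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-e312f949-c265-4236-9128-78cc466ada72' {
    savedefault
    load_video
    insmod gzio
    insmod part_msdos
    insmod ext2
    set root='hd0,msdos1'
    echo    'Loading Linux 4.4-x86_64 ...'
    linux   /boot/vmlinuz-4.4-x86_64 root=UUID=e312f949-c265-4236-9128-78cc466ada72 rw quiet splash resume=UUID=1124be92-118c-4a04-81ad-35c4d91e1c4e audit=0
    echo    'Loading initial ramdisk ...'
    initrd  /boot/initramfs-4.4-x86_64.img
}
submenu 'Advanced options for Manjaro Linux' $menuentry_id_option 'gnulinux-advanced-e312f949-c265-4236-9128-78cc466ada72' {
    menuentry 'Manjaro Linux (Kernel: 4.4.43-1-MANJARO x64)' --class manjaro --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.4-x86_64-advanced-e312f949-c265-4236-9128-78cc466ada72' {
        savedefault
        linux   /boot/vmlinuz-4.4-x86_64 root=UUID=e312f949-c265-4236-9128-78cc466ada72 rw quiet splash resume=UUID=1124be92-118c-4a04-81ad-35c4d91e1c4e audit=0
        initrd  /boot/initramfs-4.4-x86_64.img
    }
}
### END /etc/grub.d/10_linux ###
EOF
}

cfg=$(mktemp)
write_sample_grub_cfg "$cfg"
# real use, as root: grub_audit_variant /boot/grub/grub.cfg >> /etc/grub.d/40_custom && update-grub
grub_audit_variant "$cfg"
rm -f "$cfg"
```

Keep the "exec tail -n +3 $0" header that 40_custom ships with above the appended entries, and leave audit=0 in GRUB_CMDLINE_LINUX_DEFAULT so the entries update-grub generates itself stay the non-audit ones; the copies this function prints are the only ones carrying audit=1.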

Why not? Go ahead.

1 Like

It would require refinement, in my opinion.

For example, you ideally do kernel config with the proper tool instead of copy-pasting stuff, that being menuconfig or nconfig; see the PKGBUILD.

A good kernel guide is on the Gentoo wiki.
https://wiki.gentoo.org/wiki/Kernel/Gentoo_Kernel_Configuration_Guide
https://wiki.gentoo.org/wiki/Kernel/Configuration

Note: the PKGBUILD creates a package manager package, while Gentoo is the old-school manual way of doing things.

1 Like
