kernel + security patch

Christopher James Coleman ug97cjc at cs.bham.ac.uk
Thu Feb 19 09:08:17 PST 2004


On Thu, 19 Feb 2004, BARRE Arnaud wrote:
> Do you think it's a good thing to patch the kernel with grsecurity 
> patch (http://www.grsecurity.net) or openwall patch 
> (http://openwall.com/linux/) ? Are there many differences with 
> SElinux ?

The general recommendation on the list at the moment appears to be to at 
least apply PaX ( http://pax.grsecurity.net/ ). Realize that PaX is made 
to protect running processes; it has no bearing on the ability to run those 
processes or what those processes are (legally) capable of.

GRSecurity and SELinux are designed to protect the integrity of the areas 
that PaX does not deal with. They have different models, but which is more 
effective really depends on what you want them to do. In this area you may 
also wish to look at RSBAC. As a personal note, I use GRSecurity and I am 
about to try out RSBAC.

Openwall is a set of hardening patches and a non-executable stack. If you 
are going to be using Openwall it is worth tracking Owl's current CVS. It 
does not offer any MAC capabilities or similar. Really, Openwall is like 
GRSecurity, without access control and with PaX replaced by a non-exec 
stack. However, Openwall is very well-tested and often has proactive 
patching (Openwall was not vulnerable to the second mremap bug, as they 
had already fixed the issue involved when fixing the last issue). Note 
that GRSecurity contains many of the Openwall patches.

Really, as stated in the second paragraph, what you use is dictated by 
what your security policy is. All of the projects contain good 
documentation about their capabilities (if sometimes lacking how to 
utilize those capabilities).

This is by no means a complete review of the systems for you, but 
hopefully it should be a step in the correct direction.

- chris




More information about the hlfs-dev mailing list