kernel + security patch
Christopher James Coleman
ug97cjc at cs.bham.ac.uk
Thu Feb 19 09:08:17 PST 2004
On Thu, 19 Feb 2004, BARRE Arnaud wrote:
> Do you think it's a good thing to patch the kernel with grsecurity
> patch (http://www.grsecurity.net) or openwall patch
> (http://openwall.com/linux/) ? Are there many differences with
> SElinux ?
The general recommendation on the list at the moment appears to be to at
least apply PaX ( http://pax.grsecurity.net/ ). Realize that PaX is made
to protect running processes; it has no bearing on the ability to run those
processes or what those processes are (legally) capable of.
GRSecurity and SELinux are designed to protect the integrity of the areas
that PaX does not deal with. They have different models, but which is more
effective really depends on what you want them to do. In this area you may
also wish to look at RSBAC. As a personal note, I use GRSecurity and I am
about to try out RSBAC.
Openwall is a set of hardening patches and a non-executable stack. If you
are going to be using Openwall it is worth tracking Owl's current CVS. It
does not offer any MAC capabilities or similar. Really, Openwall is like
GRSecurity, without access control and with PaX replaced by a non-exec
stack. However, Openwall is very well-tested and often has proactive
patching (Openwall was not vulnerable to the second mremap bug, as they
had already fixed the issue involved when fixing the last issue). Note
that GRSecurity contains many of the Openwall patches.
Really, as stated in the second paragraph, what you use is dictated by
what your security policy is. All of the projects contain good
documentation about their capabilities (if sometimes lacking how to
utilize those capabilities).
This is by no means a complete review of the systems for you, but
hopefully it should be a step in the correct direction.