<html><head></head><body>This would be a typical case for hardening classes, as I have suggested in my initial mail, I guess.<br>
<br>
Regards<br>
Tim<br><br><div class="gmail_quote">On 8 May 2015 17:17:47 CEST, "Ezequiel Brizuela [aka EHB or qlixed]" &lt;qlixed@gmail.com&gt; wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div dir="ltr"><br /><div class="gmail_extra"><br /><div class="gmail_quote">2015-05-08 8:01 GMT-03:00 Leam Hall <span dir="ltr">&lt;<a href="mailto:leamhall@gmail.com" target="_blank">leamhall@gmail.com</a>&gt;</span>:<br /><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="">On 05/07/15 18:32, Ezequiel Brizuela [aka EHB or qlixed] wrote:<br />
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
I would really like to participate in this SIG. I mostly want to add support<br />
for the grsecurity hardened kernel; can this be an option/part of this SIG?<br />
Grsecurity has stable patches for the kernel 3.2 and 3.14 branches.<br />
I know these are not the same branches that the CentOS 7 kernel currently<br />
uses, so I want to make this clear from the start and get your<br />
feedback on it.<br />
</blockquote>
<br /></span>
Ezequiel, that would be interesting. A couple of questions come to mind. First, will it be optional? That is, can the grsecurity stuff be a choice of someone implementing our hardening recommendations? There are reasons, either lack of testing framework or application requirements, that might make a CentOS user want parts of the hardening stuff without all of it.<br /></blockquote><div><br /></div><div>I suppose that we can make the kernel optional, not as an add-on but as an alternative kernel. The grsecurity kernel (<a href="http://grsecurity.net/">http://grsecurity.net/</a>) involves the use of PaX for executable access control and has multiple preconfigured levels of security to choose from, so <br /></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
The second question, and this is based off my lack of knowledge, is how future open is your idea? Can it grow to cover the current kernels as well as the 4.x series?<span class=""><font color="#888888"><br /></font></span></blockquote><div><br /></div><div>Currently grsecurity has 'stable' patches for:<br /><br />* 3.1-3.2.68 - Last updated: 05/07/15<br /><br />* 3.1-3.14.41 - Last updated: 05/07/15<br /><br />And the 'test' patches for:<br /><br />* 3.1-4.0.2 - Last updated: 05/07/15<br /><br /></div><div>(Quick explanation of versioning: [grsec version]-[kernel vers])<br /><br /></div><div>So we have the long-term branches 3.2.x, 3.14.x, and the stable 4.x as a test. I dunno when this is going to change from test to stable, but it will eventually happen.<br /></div><div>So, if this gains some interest, I can make a draft of how we can make this integration happen.<br /><br /></div><div>I'm going to read and recapitulate the last SIG Security mails and review
them to see actual status/next meetings to go forward with this.<br /><br /></div><div>~ Ezequiel Brizuela - AKA QliXeD ~<br /></div></div><br /></div></div>
<p style="margin-top: 2.5em; margin-bottom: 1em; border-bottom: 1px solid #000"></p><pre class="k9mail"><hr /><br />CentOS-devel mailing list<br />CentOS-devel@centos.org<br /><a href="http://lists.centos.org/mailman/listinfo/centos-devel">http://lists.centos.org/mailman/listinfo/centos-devel</a><br /></pre></blockquote></div></body></html>