This would be typical case for hardening classes as I have suggested in my initial mail I guess.
Regards Tim
Am 8. Mai 2015 17:17:47 MESZ, schrieb "Ezequiel Brizuela [aka EHB or qlixed]" qlixed@gmail.com:
2015-05-08 8:01 GMT-03:00 Leam Hall leamhall@gmail.com:
On 05/07/15 18:32, Ezequiel Brizuela [aka EHB or qlixed] wrote:
I really like to participate in this SIG, I mostly want to add a
support
for grsecurity hardened kernel, this can be an option/part of this
SIG?
Grsecurity have patches as stable for the Kernel 3.2 and 3.14
Branches,
I know that is not the same branches that currently handle Centos7 Kernel, so I want to put this clear for the first moment and get
your
feedback about.
Ezequiel, that would be interesting. A couple of questions come to
mind.
First, will it be optional? That is, can the grsecurity stuff be a
choice
of someone implementing our hardening recommendations? There are
reasons,
either lack of testing framework or application requirements, that
might
make a CentOS user want parts of the hardening stuff without all of
it.
I suppose that we can make the kernel optional, not as an addon but as a alternative kernel, the grsecurity kernel (http://grsecurity.net/), involves the use of pax for executable access control and have multiple level of security preconfigured to choose, so
The second question, and this is based off my lack of knowledge, is
how
future open is your idea? Can it grow to cover the current kernels as
well
as the 4.x series?
Currently the grsecurity got 'stable' patches for:
3.1-3.2.68 - Last updated: 05/07/15
3.1-3.14.41 - Last updated: 05/07/15
And the 'test' patches for:
- 3.1-4.0.2 - Last updated: 05/07/15
(Quick explanation of versioning: [grsec version]-[kernel vers])
So we have the long term branches 3.2.x, 3.14.x, and the stable 4.x as a test. I dunno when is going to change this from test to stable, but It will eventually happen. So, if this gain some interest, I can make a draft of how we can make this integration happen.
I'm going to read and recapitulate the last SIG Security mails and review them to see actual status/next meetings to going forward with this.
~ Ezequiel Brizuela - AKA QliXeD ~
CentOS-devel mailing list CentOS-devel@centos.org http://lists.centos.org/mailman/listinfo/centos-devel