[CentOS-devel] [SIG Hardening] hardening classes

Fri May 8 15:17:47 UTC 2015
Ezequiel Brizuela [aka EHB or qlixed] <qlixed at gmail.com>

2015-05-08 8:01 GMT-03:00 Leam Hall <leamhall at gmail.com>:

> On 05/07/15 18:32, Ezequiel Brizuela [aka EHB or qlixed] wrote:
>
>> I would really like to participate in this SIG; I mostly want to add support
>> for a grsecurity hardened kernel. Can this be an option/part of this SIG?
>> Grsecurity has patches marked stable for the kernel 3.2 and 3.14 branches.
>> I know those are not the same branches that currently handle the CentOS 7
>> kernel, so I want to make this clear from the first moment and get your
>> feedback about it.
>>
>
> Ezequiel, that would be interesting. A couple of questions come to mind.
> First, will it be optional? That is, can the grsecurity stuff be a choice
> of someone implementing our hardening recommendations? There are reasons,
> either lack of testing framework or application requirements, that might
> make a CentOS user want parts of the hardening stuff without all of it.
>

I suppose that we can make the kernel optional, not as an addon but as an
alternative kernel. The grsecurity kernel (http://grsecurity.net/)
involves the use of PaX for executable access control and has multiple
preconfigured security levels to choose from, so


> The second question, and this is based off my lack of knowledge, is how
> open to the future is your idea? Can it grow to cover the current kernels as
> well as the 4.x series?
>

Currently grsecurity has 'stable' patches for:

* 3.1-3.2.68 - Last updated: 05/07/15

* 3.1-3.14.41 - Last updated: 05/07/15

And the 'test' patches for:

* 3.1-4.0.2 - Last updated: 05/07/15

(Quick explanation of versioning: [grsec version]-[kernel vers])

So we have the long term branches 3.2.x and 3.14.x, and the stable 4.x as a
test. I dunno when this is going to change from test to stable, but it will
eventually happen.
So, if this gains some interest, I can make a draft of how we can make this
integration happen.

I'm going to read and recapitulate the last SIG Security mails and review
them to see the actual status/next meetings to go forward with this.

~ Ezequiel Brizuela - AKA QliXeD ~