[CentOS-devel] [SIG Hardening] hardening classes

Fri May 8 16:25:12 UTC 2015
Tim <lists at kiuni.de>

This would be typical case for hardening classes as I have suggested in my initial mail I guess.

Regards
Tim

Am 8. Mai 2015 17:17:47 MESZ, schrieb "Ezequiel Brizuela [aka EHB or qlixed]" <qlixed at gmail.com>:
>2015-05-08 8:01 GMT-03:00 Leam Hall <leamhall at gmail.com>:
>
>> On 05/07/15 18:32, Ezequiel Brizuela [aka EHB or qlixed] wrote:
>>
>>> I really like to participate in this SIG, I mostly want to add a
>support
>>> for grsecurity hardened kernel, this can be an option/part of this
>SIG?
>>> Grsecurity have patches as stable for the Kernel 3.2 and 3.14
>Branches,
>>> I know that is not the same branches that currently handle Centos7
>>> Kernel, so I want to put this clear for the first moment and get
>your
>>> feedback about.
>>>
>>
>> Ezequiel, that would be interesting. A couple of questions come to
>mind.
>> First, will it be optional? That is, can the grsecurity stuff be a
>choice
>> of someone implementing our hardening recommendations? There are
>reasons,
>> either lack of testing framework or application requirements, that
>might
>> make a CentOS user want parts of the hardening stuff without all of
>it.
>>
>
>I suppose that we can make the kernel optional, not as an addon but as
>a
>alternative kernel, the grsecurity kernel (http://grsecurity.net/),
>involves the use of pax for executable access control and have multiple
>level of security preconfigured to choose, so
>
>
>> The second question, and this is based off my lack of knowledge, is
>how
>> future open is your idea? Can it grow to cover the current kernels as
>well
>> as the 4.x series?
>>
>
>Currently the grsecurity got 'stable' patches for:
>
>* 3.1-3.2.68 - Last updated: 05/07/15
>
>* 3.1-3.14.41 - Last updated: 05/07/15
>
>And the 'test' patches for:
>
>* 3.1-4.0.2 - Last updated: 05/07/15
>
>(Quick explanation of versioning: [grsec version]-[kernel vers])
>
>So we have the long term branches 3.2.x, 3.14.x, and the stable 4.x as
>a
>test. I dunno when is going to change this from test to stable, but It
>will
>eventually happen.
>So, if this gain some interest, I can make a draft of how we can make
>this
>integration happen.
>
>I'm going to read and recapitulate the last SIG Security mails and
>review
>them to see actual status/next meetings to going forward with this.
>
>~ Ezequiel Brizuela - AKA QliXeD ~
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>CentOS-devel mailing list
>CentOS-devel at centos.org
>http://lists.centos.org/mailman/listinfo/centos-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20150508/ffcc3771/attachment-0008.html>