LinuxQuestions.org
10-14-2006, 01:39 PM   #1
deadlinx
Member
 
Registered: Feb 2006
Location: Italy
Distribution: Ubuntu FreeBSD
Posts: 92

Rep: Reputation: 15
securing linux desktop --> grsecurity?


Hi,

I'm quite new to the Linux world: I've been using it for less than 2 years and I don't have a "classical" informatics learning background.

I'm using Linux as a workstation so I don't have server-side problems. I'm obviously using iptables, clamav, rootkithunter and so on to give me a good level of security.

My question is:

Is it a good idea to install the grsecurity patch or something similar on a workstation or is it only paranoia? I have to say my machine sometimes runs services like p2p connections that could be a risk but maybe chrooting it could be sufficient... what do you think about it?

sincerely,

deadlinx
 
10-15-2006, 08:34 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
I don't have a "classical" informatics learning background.
That should not be a problem as long as you're willing to invest time, keep learning and experiment.


Quote:
I'm using Linux as a workstation so I don't have server-side problems
You don't as long as you don't run (publicly) accessible services.


Quote:
I'm obviously using iptables, clamav, rootkithunter and so on to give me a good level of security.
...and you run a file integrity checker like Aide or Samhain, update the box when updates are released, etc, etc.


Quote:
Is it a good idea to install the grsecurity patch or something similar on a workstation or is it only paranoia? I have to say my machine sometimes runs services like p2p connections that could be a risk but maybe chrooting it could be sufficient... what do you think about it?
First of all there is no "or something similar": the only (maintained, supported) choices you have are SELinux or GRSecurity, which happen to be 1) largely incomparable and 2) mutually exclusive (as in XOR). In short SELinux is an "on or off" proposition comprising rulesets that work in tandem with and on top of the default UNIX permission scheme (the "rwx" DAC rights thing), while GRSecurity enhances auditing (logging), different forms of randomness (ports, PIDs), enhances chroot functionality, allows you to control access to executables (TPE), client and server ports even without PAX or without using its process-detaining ruleset functionality (RBAC).
That is not to say GRSecurity is w/o problems since by default the patch will break certain things like X11 usage for the way it accesses memory. Unpatching that is possible and trivial, but at the expense of opening a security hole.

You will have to invest time wrt learning curve and you may encounter problems but if you look at recent exploits you will also see that SELinux effectively stops some, so if you run a distro that already supports SELinux then that really is the way to go if you want to stay with current developments in kernel security. If OTOH your distro does not support SELinux or you have special access restriction requirements that need fixing fast (running a public shell server for instance) or you just want extended auditing then the default security-enhancing features of GRSecurity are a worthy alternative IMHO.
 
03-27-2007, 11:53 AM   #3
deadlinx
Member
 
Registered: Feb 2006
Location: Italy
Distribution: Ubuntu FreeBSD
Posts: 92

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by unSpawn
That is not to say GRSecurity is w/o problems since by default the patch will break certain things like X11 usage for the way it accesses memory.
Hi,

if you have to run X11, for instance for a desktop,
you can configure GRSecurity in a custom way, so
you decide which features to enable.

I always run GRSecurity in a "custom way";
if I don't I could have problems like
you've written.


It's quite amazing Open Office needs
an executable stack; there seems not to be
a way to run oowriter, as usual,
GRSecurity considers it a fork bomb :-)


What do you mean by an SELinux-enabled distro?
Do you mean a prepackaged solution like in Fedora?

There's no problem in rebuilding a kernel with SELinux
enabled, maybe you refer to the SELinux GUI frontend,
surely this could be useful, but I'm an Ubuntu user :-(


sincerely,


deadlinx
 
  

