LinuxQuestions.org


Lyaios 08-31-2007 04:38 AM

10.x OpenSuse-distro working with grsecurity?
 
I am using OpenSuse v10.1 and I want to harden my OS, at least for the servers.
I do not want to use AppArmor, as it is missing important features (protection for /dev/[k]mem, proc-FS, ASLR, ...).

SELinux is too complex for my requirements: recompilation is required for all apps/libs, a problem if closed-source.

It further mandates the filesystem, because of required capabilities and labelling of each file. Once up and running, grsecurity should be relatively trouble-free.

I found some postings in forums referring to the SuSE-Linux pre-9.1-versions.

With 9.0 the 'Suse-Distro' could be run with a Vanilla-Kernel patched with grsecurity. In the threads I found, there was no clear solution and no indication whether somebody has succeeded meanwhile.

I believe many OpenSuse-users were 'auto-migrated' when AppArmor was enabled by default and stuck with it.

Is there some experience available with current versions of OpenSuse, i.e. whether there are conflicting portions of Kernel-code-changes that are not possible to merge with e.g. the current Suse-Patches?

I do not want to dig into Kernel-Hacking, besides manually resolving some trivial patch-conflicts. Or can I run a recent 10.x version of OpenSuse with a Vanilla-Kernel patched with grsecurity?

Do you know of / can you recommend other Linux-distributions supporting grsecurity?

osor 09-01-2007 08:50 PM

My knowledge of openSUSE is limited, so I’ll answer only one of your questions.
Quote:

Originally Posted by Lyaios (Post 2876598)
Do you know of / can you recommend other Linux-distributions supporting grsecurity?

Hardened Gentoo. You mentioned the non-desire of recompilation, yet it’s the best way to take advantage of kernel-level disability of relocations (by compiling everything—not just libs—as position-independent).

Lyaios 09-02-2007 12:34 AM

Quote:

Originally Posted by osor (Post 2878208)
My knowledge of openSUSE is limited, so I’ll answer only one of your questions.

Hardened Gentoo. You mentioned the non-desire of recompilation, yet it’s the best way to take advantage of kernel-level disability of relocations (by compiling everything—not just libs—as position-independent).

Hello osor,

thank you for your reply.

On some other forum, I was recommended Hardened Gentoo, too. I am currently looking into it and from what I have read/seen so far, it looks *very* promising.

I am not against (re)compilation per se, doing it quite frequently, but not if I do not have to. I meant digging deep into Kernel-internals/structures just to apply the security-patches, manually resolve/merge Suse- and grsecurity-patches, which is currently too much overhead.

The portage system with its ebuilds is a clever way IMO. Reverse dependencies are not resolved AFAIK; is this still true, and have you experienced problems with this?

If recompilation is relatively easy, it's more than welcome. The GCC nested functions trampoline is not broken anymore, I can build for all architectures specifically, and 'genkernel' is also a good way to find out which modules each server/PC needs, to later build a monolithic kernel...

The module-based approach, using SSP, PaX and either grsecurity or RSBAC or SELinux, brings freedom-of-choice, unlike Suse's current approach with AppArmor.

I need to acquaint myself more with Hardened Gentoo, but so far:

The more I see, the more I like it :-)
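Two points in the thread are easy to verify on a running system: osor's recommendation to compile everything, not just libraries, as position-independent so that kernel-level address randomization (PaX ASLR or the vanilla kernel's randomize_va_space) can relocate the main executable, and Lyaios's remark about GCC nested-function trampolines, which require an executable stack and are therefore flagged by PaX. The script below is an added example written for this page, not code from the thread or from any of the projects mentioned. It parses the ELF header and program headers directly (layout taken from the ELF specification, handling both ELF32 and ELF64, which goes beyond the thread's x86 discussion), classifies a binary as PIE (ET_DYN) or fixed-address (ET_EXEC), and reports whether its PT_GNU_STACK header asks for an executable stack. The sample images it checks are constructed inline; the /proc path is the standard vanilla-kernel ASLR knob and is read only if present.

```python
import struct
import sys

# ELF constants from the ELF specification
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551   # GNU extension: requested stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def inspect_elf(data: bytes) -> dict:
    """Parse an ELF image and return its e_type, whether it is position-independent
    (ET_DYN; for an executable this means PIE, for a library a normal shared object),
    and whether PT_GNU_STACK requests an executable stack (None if no such header)."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError("unknown ELF data encoding")
    end = "<" if ei_data == ELFDATA2LSB else ">"
    if ei_class == ELFCLASS64:
        # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize e_phentsize e_phnum
        hdr = struct.unpack_from(end + "HHIQQQIHHH", data, 16)
        ph_fmt = end + "IIQQQQQQ"   # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
        flags_index = 1
    elif ei_class == ELFCLASS32:
        hdr = struct.unpack_from(end + "HHIIIIIHHH", data, 16)
        ph_fmt = end + "IIIIIIII"   # p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align
        flags_index = 6
    else:
        raise ValueError("unknown ELF class")
    e_type, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[4], hdr[8], hdr[9]
    exec_stack = None
    for i in range(e_phnum):
        fields = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if fields[0] == PT_GNU_STACK:
            exec_stack = bool(fields[flags_index] & PF_X)
    return {"type": e_type, "pie": e_type == ET_DYN, "exec_stack": exec_stack}


def verdict(data: bytes) -> str:
    """Human-readable summary of the two hardening-relevant properties."""
    info = inspect_elf(data)
    pie = "PIE/ET_DYN" if info["pie"] else "fixed-address ET_EXEC (ASLR cannot move it)"
    if info["exec_stack"] is None:
        stack = "no PT_GNU_STACK (kernel default applies)"
    elif info["exec_stack"]:
        stack = "executable stack requested (e.g. nested-function trampolines)"
    else:
        stack = "non-executable stack"
    return f"{pie}; {stack}"


def kernel_aslr_setting(path: str = "/proc/sys/kernel/randomize_va_space"):
    """Return the vanilla kernel's ASLR level (0, 1 or 2) or None when unavailable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def build_elf64(e_type: int, stack_flags: int) -> bytes:
    """Constructed sample: minimal little-endian x86-64 ELF image consisting of a
    64-byte header and a single PT_GNU_STACK program header (for demonstration only)."""
    ehsize, phentsize, phnum = 64, 56, 1
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 e_type, 62, 1, 0x401000, ehsize, 0, 0,
                                 ehsize, phentsize, phnum, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return header + phdr


def scan_files(paths) -> dict:
    """Classify real files on disk; non-ELF or unreadable files are skipped."""
    results = {}
    for p in paths:
        try:
            with open(p, "rb") as fh:
                results[p] = verdict(fh.read())
        except (OSError, ValueError, struct.error):
            continue
    return results


if __name__ == "__main__":
    print("kernel randomize_va_space:", kernel_aslr_setting())
    print("sample PIE, RW stack   :", verdict(build_elf64(ET_DYN, PF_R | PF_W)))
    print("sample EXEC, RWX stack :", verdict(build_elf64(ET_EXEC, PF_R | PF_W | PF_X)))
    for path, summary in scan_files(sys.argv[1:]).items():
        print(f"{path}: {summary}")
```

Run it with one or more binaries as arguments (`python3 elfcheck.py /usr/bin/*`) to see which programs a PIE-everywhere toolchain such as Hardened Gentoo's would relocate and which would stay at a fixed address; a binary reporting an executable stack is the case where PaX's stack restrictions and GCC trampolines collide.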

