LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > SUSE / openSUSE
User Name
Password
SUSE / openSUSE This Forum is for the discussion of Suse Linux.

Notices


Reply
  Search this Thread
Old 08-31-2007, 04:38 AM   #1
Lyaios
LQ Newbie
 
Registered: Jun 2007
Posts: 6

Rep: Reputation: 0
10.x OpenSuse-distro working with grsecurity?


I am using OpenSuse v10.1 and I want to harden my OS, a least for the servers.
I do not want to use AppArmor, missing important features (protection for /dev/[k]mem, proc-FS, ASLR,...).

SELinux is too complex for my requirements, recompilation is required for all apps/libs, problem if closed-source.

It further mandates filesystem, bec. of required capabilities and labelling of each file.Once up and running Grsecurity should be relatively trouble-free.

I found some postings in forums referring to the SuSE-Linux pre-9.1-versions.

With 9.0 the 'Suse-Distro' could be run with Vanilla-Kernel patched with grsecurity. In the threads found, there was no clear solution and no indication whether somebody succeeded meanwhile.

I believe many OpenSuse-users were 'auto-migrated' when AppArmor was enabled by default and sticked with it.

Is there some experience available about current versions of OpenSuse, whether there are conflicting portions of Kernel-code-changes, not possible to merge with e.g. the current Suse-Patches?

I do not want to dig into Kernel-Hacking, besides manually resolving some trivial patch-conflicts. Or can I run a recent 10.x version of OpenSuse with Vanilla-Kernel patched with grsecurity?

Do you know of / can you recommend other Linux-distributions supporting grsecurity?

Last edited by Lyaios; 08-31-2007 at 04:41 AM. Reason: re-formating layout
 
Old 09-01-2007, 08:50 PM   #2
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 78
My knowledge of openSUSE is limited, so I’ll answer only one of your questions.
Quote:
Originally Posted by Lyaios View Post
Do you know of / can you recommend other Linux-distributions supporting grsecurity?
Hardened Gentoo. You mentioned the non-desire of recompilation, yet it’s the best way to take advantage of kernel-level disability of relocations (by compiling everything—not just libs—as position-independent).
 
Old 09-02-2007, 12:34 AM   #3
Lyaios
LQ Newbie
 
Registered: Jun 2007
Posts: 6

Original Poster
Rep: Reputation: 0
Smile

Quote:
Originally Posted by osor View Post
My knowledge of openSUSE is limited, so I’ll answer only one of your questions.

Hardened Gentoo. You mentioned the non-desire of recompilation, yet it’s the best way to take advantage of kernel-level disability of relocations (by compiling everything—not just libs—as position-independent).
Hello osor,

thank you for your reply.

On some other forum, I was recommended Hardened Gentoo, too. I am currently looking into it and what I have read/seen by now, it looks *very* promising.

I am not against (re)compilation per se, doing it quite frequently, but not if I do not have to. I meant digging deep into Kernel-internals/structures just to apply the security-patches, manually resolve/merge Suse- and grsecurity-patches, which is currently too much overhead.

The portage system with its ebuilds are a clever way IMO, reverse dependencies are not resolved AFAIK, is this still true and have you experienced problems with this?

If recompilation is relatively easy, it's more than welcome. The GCC nested functions trampoline is not broken anymore, I can build for all architectures specifically, the 'genkernel' is also a good way to find out which modules each server/PC needs to later build a monilithic kernel...

The module-based approach, using SSP,PaX and either grsecurity or RSBAC or SELinux brings freedom-of-choice, unlike Suse's current approach with AppArmor.

I need to aquaint myself more with Hardened Gentoo, but so far:

The more I see, the more I like it :-)
 
  


Reply

Tags
apparmor, grsecurity, hardening, kernel, security, suse


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Help getting multimedia working on openSUSE win_hungund Linux - Desktop 7 03-14-2007 04:19 PM
SB Audigy on OpenSuse 10.2 not be working :( Tom211 Linux - Hardware 2 12-30-2006 11:31 AM
Microphone not working on OpenSuse 10.1 WiseCookie Linux - Hardware 9 06-14-2006 06:26 PM
Distro: OpenSuse/Fedora drethenerd Linux - Distributions 5 02-20-2006 08:34 AM
XMMS not working in OpenSuSe zatka SUSE / openSUSE 5 12-16-2005 05:16 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > SUSE / openSUSE

All times are GMT -5. The time now is 10:18 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration