[grsec] Grsec distro?

John Logsdon j.logsdon at quantex-research.com
Sun Nov 27 09:08:49 EST 2005


Thanks to news from Bill, Jan and Chris it seems that there are some folk
out there helping to promote grsec.  But I guess these distros are really
for a niche market.

What would be _really_ cool is if a mainstream distro took an interest and
included the latest version (and implemented the latest version via an
update facility).  

That way we would not all be re-inventing the wheel when generating ACLs
as much of the difference between individuals' ACLs is to do with
locations and which files exist etc.  Then the main difference would be
the user and group names that we all implement differently and domains
could be used here.  Plus of course binding and connecting to different
IPs.  

Wrapping it all up in a system installer for grsec (which prompts for
user/group names, IPs etc and sets up a reasonable policy) would make it
much easier to promote.  The difficult thing about grsec (and other
systems like SEL look even more difficult BTW), is getting the ACLs right
for your particular environment.  Other than that, patching the kernel etc
is a wheeze and we need no recompiled userland tools.

Just a thought. :)

Best wishes and thanks to all - Brad and PaXMan particularly.

John

John Logsdon                               "Try to make things as simple
Quantex Research Ltd, Manchester UK         as possible but not simpler"
j.logsdon at quantex-research.com              a.einstein at relativity.org
+44(0)161 445 4951/G:+44(0)7717758675       www.quantex-research.com


On Sun, 27 Nov 2005, Bill Nash wrote:

> 
> Some of my looney co-workers rolled a pretty solid LFS+grsec installer. 
> Given the complexity that can be involved with building packages and 
> policies, that might be the route to go if someone decides to build one.
> 
> Loons. Seriously.
> 
> - billn
> 
> On Sat, 26 Nov 2005, John Logsdon wrote:
> 
> > Jan and list
> >
> > Thanks for this link.  Debian/Ubuntu Hardened seem to be rather like
> > Gentoo which is Debian-based and offers the options for Grsec and SEL when
> > you build it.  Again there is the problem of what version of grsec.
> >
> > I followed the vSecurity link and note that that seems to take some of
> > grsec (I don't know how old) and Openwall and puts this within an LSM
> > framework.  I thought LSM was rather frowned on in the grsec community -
> > see Brad's comments on LSM on the web site.  So that's a bit of a puzzle.
> >
> > One of the issues of course is that RH have clearly decided to bundle SEL
> > in and this means that any of the downstream distros like CentOS inherit
> > that problem.  Now I am sure SEL works well - there have been some rather
> > silly spats on the CentOS list recently - but it does mean that many
> > userland tools are broken or need to be recompiled against libselinux,
> > that the attributes have to work (eg can't use Reiser) and a rather
> > cumbersome command system when compared to the simple elegance of grsec.
> >
> > So I thought that a ready-rolled grsec version either built on RH or
> > Debian with sensible packages (well a minimalist anyway) would make it
> > much more attractive and therefore marketable.
> >
> > Things change quite quickly and I can also see the benefit of only being
> > concerned with the kernel and patches...  I was just wondering whether it
> > was on anyone's road map.
> >
> > Best wishes
> >
> > John
> >
> > John Logsdon                               "Try to make things as simple
> > Quantex Research Ltd, Manchester UK         as possible but not simpler"
> > j.logsdon at quantex-research.com              a.einstein at relativity.org
> > +44(0)161 445 4951/G:+44(0)7717758675       www.quantex-research.com
> >
> >
> > On Sat, 26 Nov 2005, Jan Krueger wrote:
> >
> >> Hi,
> >>
> >>> Has anyone thought of setting up a grsec distro?
> >>
> >> The folks at [1]Debian Hardened are trying to do just that. I don't know
> >> what progress they've made so far, though.
> >>
> >> [1] http://www.debian-hardened.org/
> >>
> >> --
> >> # Best regards, Jan 'jast' Krueger <jast at ruby-co de>
> >> print'text: ';l=gets;I=['%q,0-9a-f,',',','%q,(-/:-@[,'];i="pack"+
> >> "('H*')";l=eval("l.un#{i}[0].tr #{I}"); $><<"$><<[%q_#{l.gsub /(^
> >> \W{64}|\W{72})/x,"\\1\n"}_.\ngsub(/\\s/,'').tr(#{I.reverse})]."+i
> >>
> >
> > _______________________________________________
> > grsecurity mailing list
> > grsecurity at grsecurity.net
> > http://grsecurity.net/cgi-bin/mailman/listinfo/grsecurity
> >
> 


