[grsec] grsecurity RPMs for RHEL/CentOS/Fedora
Brad Spengler
spender at grsecurity.net
Sat Apr 10 21:04:53 EDT 2010

Just wanted to update everyone on the options available for using the
latest version of grsecurity. Though for a long time now the main site
has been linking to grsecurity RPMs provided by Corey Henderson, the
RPMs had fluxed in and out of states of up-to-dateness. Recently, Corey
has set up a system that automatically builds and boot-tests the latest
stable and test versions of grsecurity, then creates RPMs. So for those
of you using RHEL/CentOS/Fedora, this is an easy way to obtain the
latest versions of grsecurity.

Though the packages are linked to from the download section of the
website, the direct links to the repositories are:
http://rpm.cormander.com/repo/grsec/kernel-stable/
http://rpm.cormander.com/repo/grsec/kernel-latest/

I've worked with Corey to make sure that these packages provide high
security configurations while not causing any major incompatibilities.

Two things to note about using these kernel packages:
* The benefit from GRKERNSEC_HIDESYM may be greatly reduced as the
packages are publicly available.
* Remember that the sysctl option is enabled, so any grsecurity option
with a sysctl entry must be turned on at boot time via an init script.
For reference, the list of these options is provided at:
http://en.wikibooks.org/wiki/Grsecurity/Appendix/Sysctl_Options

Thanks to Corey for putting the time and effort into something that I
think will be useful for many people.

Finally, thanks to the PaX Team for their hard work on UDEREF for x64;
it was a long time in the making and something I had personally been
looking forward to for some time. You'd be hard-pressed to find any
public (or private) exploit for a local kernel memory corruption bug
that didn't involve returning to userland to execute code that sets the
attacker's UIDs to 0, disables LSM, etc., because it's the easiest and
most effective method of executing attacker-controlled code. With
UDEREF for x64 (combined with other features that have existed for
years, like KERNEXEC and HIDESYM), these exploits are as painful to
develop as they have been for x86.

-Brad
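An init script of the kind the second note above refers to, added here as an example (it is not from the post, the RPMs or the linked wiki page): it applies a constructed set of grsecurity sysctl settings and sets grsec_lock last, so the settings cannot be changed again until reboot. The setting names are real grsecurity sysctl entries, but which ones exist depends on the kernel build; check the list linked above against your running kernel.

```shell
#!/bin/sh
# Hypothetical boot-time script (added example, not shipped with the RPMs).
# With DRY_RUN=1 it only prints the sysctl commands it would run, so the
# ordering can be checked on a machine without grsecurity.

# Constructed settings list, one key=value per line. grsec_lock is left out
# here on purpose: it is appended last by plan_grsec_sysctls.
GRSEC_SETTINGS='
kernel.grsecurity.chroot_deny_chroot=1
kernel.grsecurity.chroot_deny_mount=1
kernel.grsecurity.chroot_deny_mknod=1
kernel.grsecurity.linking_restrictions=1
kernel.grsecurity.fifo_restrictions=1
kernel.grsecurity.exec_logging=0
kernel.grsecurity.dmesg=1
kernel.grsecurity.harden_ptrace=1
'

# Emits the settings in apply order, with grsec_lock=1 always last: once the
# lock is set, further sysctl writes to kernel.grsecurity.* are refused, so
# setting it earlier would leave the remaining entries unapplied.
plan_grsec_sysctls() {
    for entry in $GRSEC_SETTINGS; do
        case $entry in *grsec_lock*) continue ;; esac
        echo "$entry"
    done
    echo "kernel.grsecurity.grsec_lock=1"
}

# Applies the plan. Refuses to run if the kernel has already been locked,
# because every write would then fail silently at boot.
apply_grsec_sysctls() {
    if [ "$DRY_RUN" != 1 ]; then
        [ -d /proc/sys/kernel/grsecurity ] || { echo "no grsecurity sysctl tree" >&2; return 1; }
        [ "$(cat /proc/sys/kernel/grsecurity/grsec_lock)" = 0 ] \
            || { echo "grsec_lock already set; reboot to reconfigure" >&2; return 1; }
    fi
    plan_grsec_sysctls | while IFS= read -r entry; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "sysctl -w $entry"
        else
            sysctl -q -w "$entry" || exit 1
        fi
    done
}

# Init-script style entry point: "start" applies, anything else does nothing.
case "${1:-}" in start) apply_grsec_sysctls ;; esac
```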