1 |
Hi all, |
2 |
|
3 |
It has not been long ago since I've installed Gentoo, but at the moment it's running on my desktop, laptop and 1 of my servers (the other 2 run openbsd and slackware and I do not plan at replacing them :). I really like this distribution and am still learning new things about linux because of it :). |
4 |
|
5 |
Back to the topic at hand ... I am just starting to get interested in security issues with linux. The company I work for has some sensative data of customers, so I used the kerneli patch to create an encrypted filesystem. And I like it. I've also been reading up on other issues, like random filehandles and stuff like that. I'd really like to learn more about it, so perhaps I can help in some ways with this Secure Gentoo project if it's needed (testing of beta patches/packages, etc.) (btw, I'm a coder, but I do not have much experience in kernelhacking or security related projects) |
6 |
|
7 |
> * Make a kernel patch, probably based on the Gentoo kernel, but with |
8 |
> GrSecurity, kerneli, a few netfilter patches etc. |
9 |
At the moment I have the gentoo kernel running with the kerneli patch. The GrSecurity patch had a few failed hunks, I'm integrating them now. If your interested I could send you a patch after I'm done. I also have a ready to install package of util-linux, with the kerneli patch. I don't yet know if the combination is stable :). |
10 |
|
11 |
> Will the Gentoo kernel use Andrea Arcangeli's VM or Rik van Riel's (-aa |
12 |
> or rmap)? |
13 |
I think rmap is pretty stable now and most problems have been solved, it's been good for Rik van Riel to have a little freedom in developing the VM :). Although I do know that Rik used to work for a (network) security company here in Holland :). |
14 |
|
15 |
> How will this be done practically? I'm thinking in particular about the |
16 |
> freeze, and the proposed unstable branch. |
17 |
Perhaps start a new branch, so we have a 'stable', 'unstable' and 'secure' branch. |
18 |
|
19 |
> How paranoid should it be? My first plan was to create ACLs for each and |
20 |
> every binary and deny almost everything else, but that might be too |
21 |
> paranoid for most people. What do you think? How about three security |
22 |
> levels (no ACLs, normal ACLs and very strict ACls)? |
23 |
The levels idea sounds like a nice idea, but it should be documented really good, so users can choose a good security level for their purposes. |
24 |
|
25 |
Regards, |
26 |
|
27 |
Peter Gnodde |
28 |
PCS Webdesign BV |
29 |
http://www.pcswebdesign.nl/ |