Gentoo Archives: gentoo-dev

From: Nic Desjardins <nic_spam@×××××.ca>
To: gentoo-dev@g.o
Subject: Re: [gentoo-dev] Secure Gentoo
Date: Wed, 06 Mar 2002 14:36:29
Message-Id: 20020306162404.1ebb3670.nic_spam@yahoo.ca
In Reply to: Re: [gentoo-dev] Secure Gentoo by "P.Gnodde"
On Wed, 6 Mar 2002 19:53:12 +0100
P.Gnodde <peter@××××××××××××.nl> wrote:

> Hi all,
>
> It has not been long ago since I've installed Gentoo, but at the moment it's running on my desktop, laptop and 1 of my servers (the other 2 run openbsd and slackware and I do not plan on replacing them :). I really like this distribution and am still learning new things about linux because of it :).
>
> Back to the topic at hand ... I am just starting to get interested in security issues with linux. The company I work for has some sensitive data of customers, so I used the kerneli patch to create an encrypted filesystem. And I like it. I've also been reading up on other issues, like random filehandles and stuff like that. I'd really like to learn more about it, so perhaps I can help in some ways with this Secure Gentoo project if it's needed (testing of beta patches/packages, etc.) (btw, I'm a coder, but I do not have much experience in kernel hacking or security related projects)
>
> > * Make a kernel patch, probably based on the Gentoo kernel, but with
> > GrSecurity, kerneli, a few netfilter patches etc.
> At the moment I have the gentoo kernel running with the kerneli patch. The GrSecurity patch had a few failed hunks, I'm integrating them now. If you're interested I could send you a patch after I'm done. I also have a ready to install package of util-linux, with the kerneli patch. I don't yet know if the combination is stable :).
>
> > Will the Gentoo kernel use Andrea Arcangeli's VM or Rik van Riel's (-aa
> > or rmap)?
> I think rmap is pretty stable now and most problems have been solved, it's been good for Rik van Riel to have a little freedom in developing the VM :). Although I do know that Rik used to work for a (network) security company here in Holland :).
>
> > How will this be done practically? I'm thinking in particular about the
> > freeze, and the proposed unstable branch.
> Perhaps start a new branch, so we have a 'stable', 'unstable' and 'secure' branch.
>
> > How paranoid should it be? My first plan was to create ACLs for each and
> > every binary and deny almost everything else, but that might be too
> > paranoid for most people. What do you think? How about three security
> > levels (no ACLs, normal ACLs and very strict ACLs)?
> The levels idea sounds like a nice idea, but it should be documented really well, so users can choose a good security level for their purposes.
>

I must make a note here, usually with security levels it's too, how can I say this... 'generic', I mean you could look at how buggy a daemon has been in the past and have it marked level 4 security and other stuff too, but I usually think of security as something the user sets up himself. I like it this way.
The other thing is, the user installs/starts the servers he wants, so there is no real need for security levels since the user will really do whatever he wants.

Nic D.

> Regards,
>
> Peter Gnodde
> PCS Webdesign BV
> http://www.pcswebdesign.nl/
> _______________________________________________
> gentoo-dev mailing list
> gentoo-dev@g.o
> http://lists.gentoo.org/mailman/listinfo/gentoo-dev
