On Fri, 2012-12-21 at 17:48 +0100, daniel curtis wrote:
> Hi Mr Hutchings,
>
> Could you explain, in short, why it is more secure? It seems that
> cryptographically signed modules are something... don't know,
> more secure, because before loading the module, the kernel can
> check the signature and refuse to load any that can't be verified. ;-)

I suppose you're right. If an attacker can overwrite modules but not the
kernel image, and they can force a reboot, then a signature check will
prevent the modified modules being loaded whereas setting
kernel.modules_disabled=1 during the boot process will not.

> Does symlink and hardlink protection also apply to the 2.6.32-5 kernel,
> or is it backported only to the 3.2 version? Both protections seem
> to have been implemented some time ago, right? I mean the patch for the
> kernel (not only Debian).

Only for 3.2.

> I have to apologize for such naive questions, but I started using
> Debian a couple of weeks ago and I want to know something more
> about Project, Debian and everything related etc. One more thing;
> Is there any website where I can find any information about
> patches, changes backported, for example, from PAX/Grsecurity
> projects to the Debian kernel - 2.6.32 and 3.2?

I don't think there's any summary of that, though I am intending to
write a blog entry along these lines for the wheezy release (based on
3.2).

Ben.

-- 
Ben Hutchings
Make three consecutive correct guesses and you will be considered an expert.